[DNSfirewalls] Precedence order of PASSTRHU in RPZ

Fred Morris m3047 at m3047.net
Tue Jun 5 17:02:22 UTC 2018

1) RPZs are processed in the order declared in the (BIND) config file,
first one that fires wins.

2) (To my mild surprise) yes apparently within a zone something more
specific appears to take precedence over a more broadly scoped wildcard.

They are just zones after all...

Best practice IMO is to have a locally managed whitelist declared before
any externally sourced RPZ, and possibly to have a local catchall
blacklist at the end.


Fred Morris

On 06/05/2018 08:47 AM, Francis Turner wrote:
> All,
> I've looked in various places and I want to make sure I'm correctly interpreting things
> What happens if I have two RPZ lines in either the same or different zones?
> precise.fqdn.example.com CNAME *.
> *.example.com CNAME  rpz-passthru.
> Which one wins?
> I think it is the more specific one (precise.fqdn.example.com ).
> This is annoying if I want to whitelist the entire example.com domain from being blocked if it is in an RPZ zone that I get from somewhere else.
> In that case is there a way to override the more specific matching rule?
> Regards
> Francis

More information about the DNSfirewalls mailing list