[DNSfirewalls] Precedence order of PASSTRHU in RPZ

Vernon Schryver vjs at rhyolite.com
Tue Jun 5 23:43:53 UTC 2018

> From: Fred Morris <m3047 at m3047.net>
> To: Francis Turner <francis at threatstop.com>,
>         "dnsfirewalls at lists.redbarn.org" <dnsfirewalls at lists.redbarn.org>

> 1) RPZs are processed in the order declared ...

Section 5, "Precedence Rules of the RPZ draft RFC at RPZ draft
draft-ietf-dnsop-dns-rpz-00 at
and so forth tries specify the zone application rules in agonizing detail.
I think that text is more complete and accurate than my previous efforts
and their descendents in the BIND ARM.  It might be more readable.

> Best practice IMO is to have a locally managed whitelist declared before
> any externally sourced RPZ,

I agree with that.

>                             and possibly to have a local catchall
> blacklist at the end.

catch-all lists of all kinds including black and white for any
firewall-like scheme tend to be sharp and dangerous tools.  I'm not
smart enough to use RPZ catch-all blacklists.

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list