[DNSfirewalls] Precedence order of PASSTHRU in RPZ
Vernon Schryver
vjs at rhyolite.com
Tue Jun 5 23:43:53 UTC 2018
> From: Fred Morris <m3047 at m3047.net>
> To: Francis Turner <francis at threatstop.com>,
> "dnsfirewalls at lists.redbarn.org" <dnsfirewalls at lists.redbarn.org>
> 1) RPZs are processed in the order declared ...
Section 5, "Precedence Rules", of the RPZ draft, draft-ietf-dnsop-dns-rpz-00 at
https://tools.ietf.org/id/draft-ietf-dnsop-dns-rpz-00.html
(history at https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-rpz/history/)
and so forth, tries to specify the zone application rules in agonizing detail.
I think that text is more complete and accurate than my previous efforts
and their descendants in the BIND ARM. It might be more readable.
> Best practice IMO is to have a locally managed whitelist declared before
> any externally sourced RPZ,
I agree with that.
> and possibly to have a local catchall
> blacklist at the end.
Catch-all lists of all kinds, including black and white, for any
firewall-like scheme tend to be sharp and dangerous tools. I'm not
smart enough to use RPZ catch-all blacklists.
Vernon Schryver vjs at rhyolite.com
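The ordering discussed above (a locally managed whitelist declared before any externally sourced RPZ), shown as an added BIND configuration example. This is not configuration from the thread or from the BIND project; the zone names, file paths, the feed's primary address and the whitelisted domain are made up for illustration.

```conf
# /etc/named.conf (excerpt) -- added example, not from the original thread.
# Zone names, paths and addresses are hypothetical.
options {
    # BIND applies response-policy zones in the order listed, so a hit
    # in the local whitelist takes precedence over a hit for the same
    # name in any later zone.
    response-policy {
        zone "whitelist.rpz.local";      # local PASSTHRU entries, first
        zone "feed.rpz.example.net";     # externally sourced blocklist
        # zone "catchall.rpz.local";     # a local catch-all, if used at all, goes last
    };
};

zone "whitelist.rpz.local" {
    type master;
    file "/var/named/whitelist.rpz.local";
};

zone "feed.rpz.example.net" {
    type slave;
    masters { 192.0.2.53; };             # hypothetical feed primary
    file "/var/named/feed.rpz.example.net";
};

; /var/named/whitelist.rpz.local -- QNAME triggers whose action is PASSTHRU.
; Both the exact name and a wildcard for its subdomains are listed, because
; a DNS wildcard such as *.bank.example does not match bank.example itself.
$TTL 300
@                   SOA   localhost. root.localhost. ( 2018060501 3600 600 86400 300 )
                    NS    localhost.
bank.example        CNAME rpz-passthru.
*.bank.example      CNAME rpz-passthru.
```

With this layout a lookup of www.bank.example matches the PASSTHRU wildcard in the first zone and is answered normally even if feed.rpz.example.net later lists the same name; names the whitelist does not mention fall through to the feed. Running named-checkconf on the configuration and named-checkzone on each RPZ file before reloading catches syntax errors that would otherwise disable a policy zone.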