[DNSfirewalls] Precedence order of PASSTHRU in RPZ
vjs at rhyolite.com
Tue Jun 5 23:43:53 UTC 2018
> From: Fred Morris <m3047 at m3047.net>
> To: Francis Turner <francis at threatstop.com>,
> "dnsfirewalls at lists.redbarn.org" <dnsfirewalls at lists.redbarn.org>
> 1) RPZs are processed in the order declared ...
Section 5, "Precedence Rules", of the RPZ draft RFC at RPZ draft
and so forth tries to specify the zone application rules in agonizing detail.
I think that text is more complete and accurate than my previous efforts
and their descendants in the BIND ARM. It might be more readable.
> Best practice IMO is to have a locally managed whitelist declared before
> any externally sourced RPZ,
I agree with that.
> and possibly to have a local catchall
> blacklist at the end.
Catch-all lists of all kinds, including black and white, for any
firewall-like scheme tend to be sharp and dangerous tools. I'm not
smart enough to use RPZ catch-all blacklists.
Vernon Schryver vjs at rhyolite.com
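The ordering the thread describes (a local whitelist declared first, externally sourced feeds after it, a catch-all blacklist last, if at all) looks as follows in BIND 9 syntax. This is an added illustration, not configuration from the post or from any of the participants; the zone names, file paths and the names under example.com are constructed for the example, and the external feed zone is assumed to be transferred in from a provider.

```text
# named.conf fragment (added example, not from the original post).
# RPZ zones are applied in the order listed inside response-policy,
# so the locally managed whitelist must come first: a PASSTHRU hit
# there ends policy evaluation before any later zone can block the name.
options {
    response-policy {
        zone "whitelist.rpz.local";          # 1: local PASSTHRU exemptions
        zone "feed.rpz.provider.example";    # 2: externally sourced feed
        zone "catchall.rpz.local";           # 3: local catch-all, LAST
    };
};

zone "whitelist.rpz.local" {
    type master;
    file "rpz/whitelist.db";
};

zone "feed.rpz.provider.example" {
    type slave;
    masters { 192.0.2.10; };                 # placeholder feed address
    file "rpz/feed.db";
};

zone "catchall.rpz.local" {
    type master;
    file "rpz/catchall.db";
};

# rpz/whitelist.db -- names that must never be rewritten by later zones.
# A QNAME trigger whose target is rpz-passthru. means "leave this answer alone".
$TTL 300
@                   SOA localhost. hostmaster.localhost. 1 3600 900 604800 300
@                   NS  localhost.
corp.example.com    CNAME rpz-passthru.
*.corp.example.com  CNAME rpz-passthru.

# rpz/catchall.db -- the "sharp and dangerous tool" from the post.
# The bare wildcard matches every query name that reached this zone,
# i.e. everything the whitelist did not PASSTHRU and the feed did not
# already act on, and returns NXDOMAIN for it. Any legitimate name
# missing from the whitelist is therefore blocked.
$TTL 300
@                   SOA localhost. hostmaster.localhost. 1 3600 900 604800 300
@                   NS  localhost.
*                   CNAME .
```

Reversing the first two zones would let a feed entry for, say, a corp.example.com host win over the local exemption, which is the precedence problem the subject line refers to. With the catch-all in place, every omission from the whitelist becomes an outage, so most deployments stop at the second zone.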