[DNSfirewalls] Precedence order of PASSTHRU in RPZ

Bob Harold rharolde at umich.edu
Wed Jun 6 13:34:07 UTC 2018


On Tue, Jun 5, 2018 at 12:47 PM Bob Harold <rharolde at umich.edu> wrote:

>
> On Tue, Jun 5, 2018 at 11:47 AM Francis Turner <francis at threatstop.com>
> wrote:
>
>> All,
>>
>> I’ve looked in various places and I want to make sure I’m correctly
>> interpreting things.
>>
>> What happens if I have two RPZ lines in either the same or different
>> zones?
>>
>> precise.fqdn.example.com CNAME *.
>> *.example.com CNAME rpz-passthru.
>>
>> Which one wins?
>>
>> I think it is the more specific one (precise.fqdn.example.com).
>>
>> This is annoying if I want to whitelist the entire example.com domain
>> from being blocked if it is in an RPZ zone that I get from somewhere else.
>>
>> In that case is there a way to override the more specific matching rule?
>>
>> Regards
>>
>> Francis
>>
>> Francis Turner
>> Threat STOP Global SE
>> Office: +1-760-542-1550 | Cell: +1-760-402-7676
>> francis at threatstop.com | www.threatstop.com
>> Weaponize Your Threat Intelligence
>> “If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
>>
>
> I think you want to take advantage of the first ordering rule:
> "Choose the triggered record in the zone that appears first in the
> response-policy option."
>
> response-policy {
>     zone "rpz-whitelist.example.com" policy disabled;
>     zone "rpz-blacklist.example.com" policy given;
> };
>
> rpz-whitelist will always win.
>
> --
> Bob Harold
>

Reading Vernon's answer, this needs to be "passthru" instead of "disabled".
I have not actually tested this.

response-policy {
    zone "rpz-whitelist.example.com" policy passthru;
    zone "rpz-blacklist.example.com" policy given;
};

-- 
Bob Harold
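The following is an added example, not code from the thread or from BIND, that models the precedence rules the thread relies on so the two configurations above can be compared without a running resolver. It assumes three rules: zones are consulted in the order they appear in `response-policy`; within one zone the QNAME trigger covering more labels of the query name wins (an exact name beats a wildcard); and a zone-level `policy` of `passthru` overrides the record's own action, `given` keeps it, and `disabled` only logs the hit and lets later zones still apply. The zone names, record contents and the `PolicyZone`, `evaluate` and `outcome` helpers are constructed for the example; the treatment of `disabled` as "logged, not applied" is an assumption drawn from Bob's correction, not verified against BIND's source.

```python
"""Model of RPZ zone precedence for the whitelist/blacklist case in the thread.

Assumed rules (a model, not BIND's implementation):
  1. Zones are walked in response-policy order; the first zone that rewrites wins.
  2. Inside a zone, the QNAME trigger matching the most labels wins
     (exact owner name beats a wildcard).
  3. Zone-level policy: "given" keeps the record's action, "disabled" logs the
     hit without rewriting (so later zones still apply), anything else
     (e.g. "passthru") replaces the record's action.
"""

from dataclasses import dataclass, field

# RPZ encodes actions as CNAME targets; these are the standard ones.
ACTION_BY_TARGET = {
    "*.": "nodata",
    ".": "nxdomain",
    "rpz-passthru.": "passthru",
    "rpz-drop.": "drop",
}


@dataclass
class PolicyZone:
    name: str
    policy: str                       # "given", "passthru", "disabled", ...
    records: dict = field(default_factory=dict)   # owner name -> CNAME target


def _labels(name):
    return name.rstrip(".").lower().split(".")


def match_in_zone(zone, qname):
    """Return (owner, action) for the most specific QNAME trigger, or None."""
    q = _labels(qname)
    best = None
    for owner, target in zone.records.items():
        o = _labels(owner)
        if o[0] == "*":
            # Wildcard matches names strictly below the suffix, not the suffix itself.
            suffix = o[1:]
            if len(q) > len(suffix) and q[-len(suffix):] == suffix:
                specificity = len(suffix)
            else:
                continue
        elif o == q:
            specificity = len(o) + 1  # exact name outranks any wildcard
        else:
            continue
        if best is None or specificity > best[0]:
            best = (specificity, owner, ACTION_BY_TARGET.get(target, "cname:" + target))
    return None if best is None else best[1:]


def evaluate(zones, qname):
    """Walk zones in response-policy order; return (action, log of decisions)."""
    log = []
    for zone in zones:
        hit = match_in_zone(zone, qname)
        if hit is None:
            continue
        owner, action = hit
        if zone.policy == "disabled":
            log.append(f"{zone.name}: {owner} would give {action} (disabled, not applied)")
            continue
        if zone.policy != "given":
            action = zone.policy          # zone-level override, e.g. passthru
        log.append(f"{zone.name}: {owner} -> {action}")
        return action, log
    return "none", log


# Constructed zone contents mirroring the two records from Francis's question.
WHITELIST = {"*.example.com": "rpz-passthru."}
BLACKLIST = {"precise.fqdn.example.com": "*."}


def outcome(whitelist_policy, qname="precise.fqdn.example.com"):
    """Two zones, whitelist listed first, with the given zone-level policy."""
    zones = [
        PolicyZone("rpz-whitelist.example.com", whitelist_policy, WHITELIST),
        PolicyZone("rpz-blacklist.example.com", "given", BLACKLIST),
    ]
    return evaluate(zones, qname)[0]


def single_zone_outcome(qname="precise.fqdn.example.com"):
    """Both records in one zone: the more specific trigger decides."""
    zone = PolicyZone("rpz-mixed.example.com", "given", {**WHITELIST, **BLACKLIST})
    return evaluate([zone], qname)[0]


if __name__ == "__main__":
    for policy in ("disabled", "passthru", "given"):
        print(f"whitelist policy {policy:9s}: {outcome(policy)}")
    print(f"single zone, both records : {single_zone_outcome()}")
```

Under these rules the `disabled` variant still lets the blacklist's exact-name record rewrite the answer to NODATA, while `passthru` (or `given`, since the whitelist record itself says passthru) stops at the first zone; with both records in one zone the more specific `precise.fqdn.example.com` entry wins, which is the situation Francis described.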