[DNSfirewalls] rpz firewall + whitelisting
Lee
ler762 at gmail.com
Sun Aug 25 19:51:33 UTC 2019
If I block an entire domain and allow a single host, I'm expecting
just the one host will be whitelisted. That's not what I'm getting,
so what am I missing?
Given a single rpz zone:
$ cat db.test-rpz
$ORIGIN rpz.test.
@ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
IN NS localhost.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
2o7.net CNAME .
*.2o7.net CNAME .
; === end ===
with these bits in named.conf
options {
response-policy { zone "rpz.test" log yes; } break-dnssec yes
recursive-only no qname-wait-recurse no;
};
zone "rpz.test" in { type master; notify no; file "ZONES/db.test-rpz"; };
I'm expecting all of 2o7.net to be blocked except for the one name
that's been whitelisted:
bcbsks.com.102.112.2o7.net
What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
but all these are also whitelisted:
foo.bcbsks.com.102.112.2o7.net
foo.com.102.112.2o7.net
foo.102.112.2o7.net
foo.112.2o7.net
I have to get up to foo.2o7.net before I get an NXDOMAIN:
$ dig @127.0.0.1 foo.2o7.net
; <<>> DiG 9.11.9 <<>> @127.0.0.1 foo.2o7.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51526
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 34559ebeb1d0d9e6be70fea15d62e2b28fa5d576e9488d0f (good)
;; QUESTION SECTION:
;foo.2o7.net. IN A
;; ADDITIONAL SECTION:
rpz.test. 1 IN SOA localhost. admin.rpz.test. 2019082415 21600 15 86400 1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 25 20:34:10 ric 2019
;; MSG SIZE rcvd: 127
TIA
Lee
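Added illustration, not part of the post above or of any reply on the list: the names reported as "whitelisted" are exactly what comes out if the RPZ zone is looked up with ordinary DNS wildcard semantics (RFC 4592), where the long passthru name creates empty non-terminals such as 112.2o7.net and a wildcard only matches directly below the closest encloser. That BIND applies those semantics to RPZ triggers is an assumption of this model, and `add_wildcards_below` is a hypothetical remedy under that assumption rather than the list's answer.

```python
# Added example, not code from the original post: looks up names in the posted
# RPZ zone with ordinary DNS wildcard semantics (RFC 4592), where a wildcard only
# matches directly below the closest encloser. That BIND applies these semantics
# to RPZ triggers is an assumption of this model.
ACTIONS = {".": "NXDOMAIN", "rpz-passthru.": "PASSTHRU"}
ZONE = {  # constructed from db.test-rpz above, rpz.test origin stripped
    "bcbsks.com.102.112.2o7.net": "rpz-passthru.",
    "2o7.net": ".",
    "*.2o7.net": ".",
}

def labels(name):
    return name.lower().rstrip(".").split(".")

def existing_names(zone):
    """Owner names plus the empty non-terminals (ENTs) they imply, e.g.
    com.102.112.2o7.net and 112.2o7.net, which hold no records of their own."""
    names = set()
    for owner in zone:
        parts = labels(owner)
        names.update(".".join(parts[i:]) for i in range(len(parts)))
    return names

def rpz_action(zone, qname):
    """Policy action for qname, or 'NO-MATCH' (the query resolves normally)."""
    name = ".".join(labels(qname))
    if name in zone:
        return ACTIONS[zone[name]]
    names = existing_names(zone)
    parts = labels(qname)
    for i in range(1, len(parts)):  # walk up to the closest encloser
        encloser = ".".join(parts[i:])
        if encloser in names:
            wildcard = "*." + encloser
            # An ENT without its own wildcard shadows every wildcard above it.
            return ACTIONS[zone[wildcard]] if wildcard in zone else "NO-MATCH"
    return "NO-MATCH"

def add_wildcards_below(zone, apex, target):
    """Hypothetical remedy under this model: add '*.<name>' -> target for every
    existing name below apex, so blocking reaches names like foo.112.2o7.net
    while the exact passthru entry still matches first."""
    fixed, apex_labels = dict(zone), labels(apex)
    for name in existing_names(zone):
        parts = labels(name)
        below = len(parts) > len(apex_labels) and parts[-len(apex_labels):] == apex_labels
        if below and not name.startswith("*.") and "*." + name not in zone:
            fixed["*." + name] = target
    return fixed
```

Running `rpz_action(ZONE, n)` over the five names the post lists gives NO-MATCH for everything except foo.2o7.net, matching the dig result; after `add_wildcards_below(ZONE, "2o7.net", ".")` only the exact passthru name is left unblocked.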