[DNSfirewalls] rpz firewall + whitelisting

Peter van Dijk peter.van.dijk at powerdns.com
Mon Aug 26 11:38:48 UTC 2019


On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
> $ cat db.test-rpz
> $ORIGIN rpz.test.
> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
>   IN NS  localhost.
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 2o7.net CNAME .
> *.2o7.net CNAME .
> ; === end ===


> I'm expecting all of 2o7.net to be blocked except for the one name
> that's been whitelisted:
>   bcbsks.com.102.112.2o7.net
> 
> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
> but all these are also whitelisted:
>   foo.bcbsks.com.102.112.2o7.net
>   foo.com.102.112.2o7.net
>   foo.102.112.2o7.net
>   foo.112.2o7.net
> 

DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding no data (these are called empty non-terminals). Their presence prevents expansion of the wildcard. If you want to block those names too, you will have to do so explicitly.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
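
The empty-non-terminal behaviour Peter describes, modelled as an added example that is not part of the list post and not PowerDNS code. It implements the closest-encloser / wildcard rule from RFC 4592 over Lee's zone (owner names copied from his message; the queried names and the `block_under_whitelist` helper are constructed for illustration) and shows why `foo.112.2o7.net` slips past `*.2o7.net` until rules are added explicitly.

```python
# Lee's RPZ zone, as a dict of owner name -> RPZ target.
# "." is the CNAME-to-root (NXDOMAIN) action, "rpz-passthru." the whitelist.
RPZ_ZONE = {
    "bcbsks.com.102.112.2o7.net": "rpz-passthru.",
    "2o7.net": ".",
    "*.2o7.net": ".",
}

def _labels(name):
    """Dotted name -> list of labels, most specific first, root dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def existing_names(zone):
    """Every node that exists in the zone: explicit owners plus all of their
    ancestors, which exist as empty non-terminals (ENTs) holding no data."""
    existing = set()
    for owner in zone:
        labels = _labels(owner)
        for i in range(len(labels)):
            existing.add(".".join(labels[i:]))
    return existing

def rpz_match(zone, qname):
    """Return (matched_owner, target) for qname, or (None, None).
    Exact matches win. Otherwise the wildcard directly below the closest
    encloser applies. An ENT is an exact match with no data, so a query
    for it or for a name under it never reaches the wildcard above it."""
    existing = existing_names(zone)
    labels = _labels(qname)
    name = ".".join(labels)
    if name in zone:
        return name, zone[name]
    if name in existing:
        return name, None          # ENT: exists, no data, no rewrite
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in existing:   # first hit is the closest encloser
            wildcard = "*." + ancestor
            if wildcard in zone:
                return wildcard, zone[wildcard]
            return None, None      # encloser has no wildcard: fall through
    return None, None              # name is outside the zone

def block_under_whitelist(zone, whitelisted, apex):
    """Peter's fix: add explicit block rules for each ENT between the
    whitelisted name and the blocked apex, plus a wildcard under each
    (and under the whitelisted name itself). Existing rules are kept."""
    fixed = dict(zone)
    labels = _labels(whitelisted)
    for i in range(len(labels) - len(_labels(apex))):
        ent = ".".join(labels[i:])
        fixed.setdefault(ent, ".")
        fixed.setdefault("*." + ent, ".")
    return fixed
```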