[DNSfirewalls] rpz firewall + whitelisting
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Aug 26 11:38:48 UTC 2019
On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
> $ cat db.test-rpz
> $ORIGIN rpz.test.
> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
> IN NS localhost.
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 2o7.net CNAME .
> *.2o7.net CNAME .
> ; === end ===
> I'm expecting all of 2o7.net to be blocked except for the one name
> that's been whitelisted:
> bcbsks.com.102.112.2o7.net
>
> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
> but all these are also whitelisted:
> foo.bcbsks.com.102.112.2o7.net
> foo.com.102.112.2o7.net
> foo.102.112.2o7.net
> foo.112.2o7.net
>
DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding no data (these are called empty non-terminals). Their presence prevents expansion of the wildcard. If you want to block those names too, you will have to do so explicitly.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
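As an added example, not part of Peter's or Lee's posts: a small Python model of RPZ name matching under the DNS closest-encloser rule (RFC 4592). It reproduces the unintended whitelisting Lee observed and generates the explicit block rules Peter's reply calls for; the zone dict, the function names and the simplified precedence (exact owner, then the wildcard directly under the closest encloser) are assumptions of this model, not PowerDNS or BIND code.

```python
# Added example (not from the post): RPZ lookups under the closest-encloser rule.

def labels(name):
    # "foo.2o7.net." -> ["foo", "2o7", "net"], case-folded, trailing dot dropped
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def existing_names(zone):
    # Every owner name plus the ancestors it implies (empty non-terminals).
    names = set()
    for owner in zone:
        lab = labels(owner)
        for i in range(len(lab)):
            names.add(".".join(lab[i:]))
    return names

def rpz_lookup(zone, qname):
    # Exact owner wins; an empty non-terminal is a NODATA hit (no action);
    # otherwise only the wildcard directly under the closest encloser applies.
    q = labels(qname)
    qn = ".".join(q)
    if qn in zone:
        return zone[qn]
    exist = existing_names(zone)
    if qn in exist:
        return None
    for i in range(1, len(q)):
        ancestor = ".".join(q[i:])
        if ancestor in exist:
            return zone.get("*." + ancestor)
    return None

def cover_ancestors(zone, leaf, apex, action="CNAME ."):
    # Add the explicit rules a whitelisted leaf makes necessary: each empty
    # non-terminal between leaf and apex, a wildcard under each, and a
    # wildcard under the leaf itself (Peter's "do so explicitly").
    lab = labels(leaf)
    depth = len(lab) - len(labels(apex))
    for i in range(1, depth):
        ent = ".".join(lab[i:])
        zone.setdefault(ent, action)
        zone.setdefault("*." + ent, action)
    zone.setdefault("*." + ".".join(lab), action)
    return zone

# Lee's zone as constructed sample data (owner names relative to rpz.test).
LEE_ZONE = {
    "bcbsks.com.102.112.2o7.net": "CNAME rpz-passthru.",
    "2o7.net": "CNAME .",
    "*.2o7.net": "CNAME .",
}
```

Running `rpz_lookup(LEE_ZONE, "foo.112.2o7.net")` returns `None` because `112.2o7.net` exists as an empty non-terminal and there is no `*.112.2o7.net`; after `cover_ancestors(LEE_ZONE, "bcbsks.com.102.112.2o7.net", "2o7.net")` the same query is blocked while the whitelisted name still passes through.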