[DNSfirewalls] rpz firewall + whitelisting
Lee
ler762 at gmail.com
Mon Aug 26 12:28:26 UTC 2019
On 8/26/19, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
>> $ cat db.test-rpz
>> $ORIGIN rpz.test.
>> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
>> @ IN NS localhost.
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> ; === end ===
>
>
>> I'm expecting all of 2o7.net to be blocked except for the one name
>> that's been whitelisted:
>> bcbsks.com.102.112.2o7.net
>>
>> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
>> but all these are also whitelisted:
>> foo.bcbsks.com.102.112.2o7.net
>> foo.com.102.112.2o7.net
>> foo.102.112.2o7.net
>> foo.112.2o7.net
>>
>
> DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes
> com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding no
> data (these are called empty non-terminals). Their presence prevents
> expansion of the wildcard. If you want to block those names too, you will
> have to do so explicitly.
wow.. I would never have guessed that. Thank you!
Is there some other way to poke holes in an rpz firewall that doesn't
require listing _all_ the nodes in the tree? Even indented so it's
obvious all the nodes are listed, it looks like a pain to maintain:
$ cat db.test-rpz
$ORIGIN rpz.test.
@ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
@ IN NS localhost.
*.com.102.112.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
*.102.112.2o7.net CNAME .
*.112.2o7.net CNAME .
*.2o7.net CNAME .
2o7.net CNAME .
; === end ===
Thanks,
Lee
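As an added example (not code from this thread, and not from PowerDNS or BIND), the following Python script models the lookup rule Peter describes: every ancestor of an explicit owner exists in the tree as an empty non-terminal, and a wildcard only matches names whose closest existing ancestor is the wildcard's parent. It replays the two zone files from this message against a few constructed query names, and it generates, from a blocked domain plus one passthru name, the explicit per-level records the hand-written zone needs. The generator also emits records for the empty non-terminals themselves (112.2o7.net, 102.112.2o7.net, com.102.112.2o7.net), which the second zone above still leaves unblocked, and a wildcard below the passthru name so that foo.bcbsks.com.102.112.2o7.net is blocked too. The class and function names, the probe names and the simplified tree model are assumptions of this example.

```python
"""Model of RPZ QNAME matching with RFC 1034 wildcard semantics, plus a
generator for the explicit records one passthru name needs.
Added example; not code from the thread, PowerDNS or BIND."""
from typing import Dict, List, Optional, Tuple

Labels = Tuple[str, ...]

# RPZ encodes the policy action as the CNAME target of the trigger record.
NXDOMAIN = "."              # "CNAME ."             -> answer NXDOMAIN
PASSTHRU = "rpz-passthru."  # "CNAME rpz-passthru." -> hand back the real answer


def labels_of(name: str) -> Labels:
    """Split a dotted name into a label tuple: "foo.2o7.net." -> ("foo", "2o7", "net")."""
    return tuple(name.rstrip(".").lower().split("."))


class PolicyZone:
    """A policy zone as a DNS tree.  Assumption (following Peter's description):
    every ancestor of an explicit owner exists as an empty non-terminal (ENT),
    and a wildcard only matches names whose closest existing ancestor is its parent."""

    def __init__(self, records: List[Tuple[str, str]]) -> None:
        self.data: Dict[Labels, str] = {}
        self.nodes = set()
        for owner, action in records:
            ls = labels_of(owner)
            self.data[ls] = action
            # the owner and every ancestor of it now exist in the tree
            for i in range(len(ls)):
                self.nodes.add(ls[i:])

    def lookup(self, qname: str) -> Optional[str]:
        """Return the policy action for qname, or None when no trigger matches."""
        ls = labels_of(qname)
        if ls in self.nodes:
            # exact node: an ENT exists but holds no data, so it yields None
            return self.data.get(ls)
        # otherwise find the closest encloser, the longest existing ancestor
        for i in range(1, len(ls)):
            ce = ls[i:]
            if ce in self.nodes:
                # only a wildcard directly below the closest encloser can synthesize
                return self.data.get(("*",) + ce)
        return None


def whitelist_records(blocked: str, passthru: str) -> List[Tuple[str, str]]:
    """Records that block `blocked` and everything under it except `passthru`.
    Each ENT that `passthru` creates gets its own block record and a wildcard
    beneath it, so the tree has no holes.  Names below the passthru name are
    blocked too; drop the last record if they should pass through as well."""
    blk, pt = labels_of(blocked), labels_of(passthru)
    if len(pt) <= len(blk) or pt[-len(blk):] != blk:
        raise ValueError(f"{passthru} is not below {blocked}")
    recs = [(blocked, NXDOMAIN), ("*." + blocked, NXDOMAIN)]
    # ancestors of the passthru name strictly between it and the blocked zone
    for i in range(len(pt) - len(blk) - 1, 0, -1):
        ent = ".".join(pt[i:])
        recs.append((ent, NXDOMAIN))          # the ENT itself
        recs.append(("*." + ent, NXDOMAIN))   # its other children
    recs.append((passthru, PASSTHRU))
    recs.append(("*." + passthru, NXDOMAIN))
    return recs


def zone_lines(records: List[Tuple[str, str]]) -> List[str]:
    """Render records as RPZ zone-file lines (relative owners, as in the thread)."""
    width = max(len(owner) for owner, _ in records)
    return [f"{owner:<{width}} CNAME {action}" for owner, action in records]


# The zone from the first message of this thread, as posted.
ORIGINAL = [
    ("bcbsks.com.102.112.2o7.net", PASSTHRU),
    ("2o7.net", NXDOMAIN),
    ("*.2o7.net", NXDOMAIN),
]

if __name__ == "__main__":
    # constructed probe names: the ones Lee listed plus an ENT and a deep name
    probes = ["foo.112.2o7.net", "112.2o7.net", "foo.bar.2o7.net",
              "bcbsks.com.102.112.2o7.net", "foo.bcbsks.com.102.112.2o7.net"]
    generated = whitelist_records("2o7.net", "bcbsks.com.102.112.2o7.net")
    for title, zone in (("as posted", PolicyZone(ORIGINAL)),
                        ("generated", PolicyZone(generated))):
        print(f"--- {title}")
        for q in probes:
            print(f"{q:<34} -> {zone.lookup(q) or 'no match'}")
    print("\n".join(zone_lines(generated)))
```

Running the script prints a match table for both zones followed by the generated records. The model covers QNAME triggers only; it ignores the other RPZ trigger types (client IP, response IP, NSDNAME, NSIP) and the ordering among multiple policy zones, so treat it as a way to check the shape of a hand-written zone, not as a substitute for testing against the resolver itself.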