[DNSfirewalls] rpz firewall + whitelisting
Bob Harold
rharolde at umich.edu
Mon Aug 26 12:45:34 UTC 2019
On Mon, Aug 26, 2019 at 8:28 AM Lee <ler762 at gmail.com> wrote:
> On 8/26/19, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> > On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
> >> $ cat db.test-rpz
> >> $ORIGIN rpz.test.
> >> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
> >> IN NS localhost.
> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> >> 2o7.net CNAME .
> >> *.2o7.net CNAME .
> >> ; === end ===
> >
> >
> >> I'm expecting all of 2o7.net to be blocked except for the one name
> >> that's been whitelisted:
> >> bcbsks.com.102.112.2o7.net
> >>
> >> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
> >> but all these are also whitelisted:
> >> foo.bcbsks.com.102.112.2o7.net
> >> foo.com.102.112.2o7.net
> >> foo.102.112.2o7.net
> >> foo.112.2o7.net
> >>
> >
> > DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes
> > com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding no
> > data (these are called empty non-terminals). Their presence prevents
> > expansion of the wildcard. If you want to block those names too, you will
> > have to do so explicitly.
>
> wow.. I would never have guessed that. Thank you!
>
> Is there some other way to poke holes in an rpz firewall that doesn't
> require listing _all_ the nodes in the tree? Even indented so it's
> obvious all the nodes are listed, it looks like a pain to maintain:
>
> $ cat db.test-rpz
> $ORIGIN rpz.test.
> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
> IN NS localhost.
> *.com.102.112.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> *.102.112.2o7.net CNAME .
> *.112.2o7.net CNAME .
> *.2o7.net CNAME .
> 2o7.net CNAME .
> ; === end ===
>
>
> Thanks,
> Lee
>
Actually, to be complete:
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
*.com.102.112.2o7.net CNAME .
com.102.112.2o7.net CNAME .
*.102.112.2o7.net CNAME .
102.112.2o7.net CNAME .
*.112.2o7.net CNAME .
112.2o7.net CNAME .
*.2o7.net CNAME .
2o7.net CNAME .
Yes, it's a pain, but that is how wildcards work. Someone should write a
tool to manage them. :)
--
Bob Harold
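Bob's "someone should write a tool" remark, taken up as an added example that is not code from this thread or from any RPZ implementation: a small Python generator that, given the subtree to block and the names to whitelist, emits every wildcard and empty-non-terminal record Peter described, plus a lookup simulator that applies ordinary DNS closest-encloser wildcard matching so you can see why Lee's three-line zone let foo.112.2o7.net through and why Bob's nine-line zone does not. The function names, the block_below_passthru option (which goes one step beyond the thread by also blocking names underneath a whitelisted name), and the zone rendering with the thread's SOA values are my own choices.

```python
"""Generate explicit RPZ records for a blocked subtree with whitelisted names,
and simulate the resolver's wildcard matching to check the result.
Added example; not code from the DNSfirewalls thread."""

PASSTHRU = "rpz-passthru."   # RPZ action: answer normally, do not rewrite
NXDOMAIN = "."               # RPZ action: rewrite to NXDOMAIN


def labels(name):
    """Split a domain name into labels, ignoring any trailing dot."""
    return name.rstrip(".").split(".")


def ancestors_between(name, top):
    """Names strictly between `name` and `top`, nearest first.
    ancestors_between('a.b.c.top', 'top') -> ['b.c.top', 'c.top']"""
    ls, tl = labels(name), labels(top)
    if ls[-len(tl):] != tl or len(ls) <= len(tl):
        raise ValueError(f"{name} is not strictly below {top}")
    return [".".join(ls[i:]) for i in range(1, len(ls) - len(tl))]


def generate_rpz(blocked, passthru, block_below_passthru=False):
    """Return an ordered list of (owner, target) CNAME records.

    blocked:  domains whose whole subtree gets NXDOMAIN, e.g. '2o7.net'
    passthru: exact names under a blocked domain that must resolve normally
    block_below_passthru: also emit '*.<name>' for each whitelisted name so
        that names underneath it stay blocked (my addition; Bob's zone does
        not do this, so foo.bcbsks.com.102.112.2o7.net is unmatched there).

    Every ancestor between a whitelisted name and the blocked apex becomes an
    empty non-terminal, which stops the apex wildcard from matching, so each
    one needs its own exact record and its own wildcard record.
    """
    records, seen = [], set()

    def add(owner, target):
        if owner not in seen:          # shared ancestors are emitted once
            seen.add(owner)
            records.append((owner, target))

    for top in blocked:
        for name in passthru:
            if labels(name)[-len(labels(top)):] != labels(top):
                continue               # this whitelist entry is elsewhere
            add(name, PASSTHRU)
            if block_below_passthru:
                add("*." + name, NXDOMAIN)
            for ent in ancestors_between(name, top):
                add("*." + ent, NXDOMAIN)
                add(ent, NXDOMAIN)
        add("*." + top, NXDOMAIN)
        add(top, NXDOMAIN)
    return records


def lookup(records, qname):
    """Simulate an RPZ QNAME-trigger lookup with standard wildcard rules
    (RFC 4592): an exact owner wins; a name that exists only as an empty
    non-terminal matches nothing; otherwise the wildcard directly under the
    closest existing ancestor applies. Returns the CNAME target, or None
    when nothing in the zone matches (the query is answered normally)."""
    owners = dict(records)
    nodes = set()                      # every owner plus all its ancestors
    for owner in owners:
        ls = labels(owner)
        nodes.update(".".join(ls[i:]) for i in range(len(ls)))
    q = labels(qname)
    name = ".".join(q)
    if name in owners:
        return owners[name]
    if name in nodes:
        return None                    # empty non-terminal: exists, no data
    for i in range(1, len(q)):
        encloser = ".".join(q[i:])
        if encloser in nodes:          # closest encloser found
            return owners.get("*." + encloser)
    return None


def render_zone(records, origin="rpz.test.", serial=2019082418):
    """Render the records as a zone file using the SOA/NS from the thread."""
    lines = [f"$ORIGIN {origin}",
             f"@ IN SOA localhost. admin ( {serial} 6h 15 1d 1s )",
             " IN NS localhost."]
    lines += [f"{owner} CNAME {target}" for owner, target in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = generate_rpz(["2o7.net"], ["bcbsks.com.102.112.2o7.net"])
    print(render_zone(recs))
    for q in ("bcbsks.com.102.112.2o7.net", "foo.112.2o7.net",
              "foo.bcbsks.com.102.112.2o7.net"):
        print(q, "->", lookup(recs, q))
```

Feeding Lee's first zone (the passthru line plus 2o7.net and *.2o7.net) into lookup() returns None for foo.112.2o7.net because 112.2o7.net exists as an empty non-terminal and has no wildcard beneath it; the generated zone returns "." for the same query, which is the behaviour Lee wanted. Note that a name under the whitelisted name is matched by nothing in either zone unless block_below_passthru is set.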