[DNSfirewalls] rpz firewall + whitelisting

Lee ler762 at gmail.com
Mon Aug 26 17:38:53 UTC 2019


On 8/26/19, Bob Harold <rharolde at umich.edu> wrote:
> On Mon, Aug 26, 2019 at 8:28 AM Lee <ler762 at gmail.com> wrote:
>
>> On 8/26/19, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
>> > On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
>> >> $ cat db.test-rpz
>> >> $ORIGIN rpz.test.
>> >> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
>> >>   IN NS  localhost.
>> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>> >> 2o7.net CNAME .
>> >> *.2o7.net CNAME .
>> >> ; === end ===
>> >
>> >
>> >> I'm expecting all of 2o7.net to be blocked except for the one name
>> >> that's been whitelisted:
>> >>   bcbsks.com.102.112.2o7.net
>> >>
>> >> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
>> >> but all these are also whitelisted:
>> >>   foo.bcbsks.com.102.112.2o7.net
>> >>   foo.com.102.112.2o7.net
>> >>   foo.102.112.2o7.net
>> >>   foo.112.2o7.net
>> >>
>> >
>> > DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes
>> > com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding no
>> > data (these are called empty non-terminals). Their presence prevents
>> > expansion of the wildcard. If you want to block those names too, you will
>> > have to do so explicitly.
>>
>> wow.. I would never have guessed that.  Thank you!
>>
>> Is there some other way to poke holes in an rpz firewall that doesn't
>> require listing _all_ the nodes in the tree?  Even indented so it's
>> obvious all the nodes are listed, it looks like a pain to maintain:
>>
>> $ cat db.test-rpz
>> $ORIGIN rpz.test.
>> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
>>   IN NS  localhost.
>>      *.com.102.112.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>>          *.102.112.2o7.net CNAME .
>>              *.112.2o7.net CNAME .
>>                  *.2o7.net CNAME .
>>                    2o7.net CNAME .
>> ; === end ===
>>
>>
>> Thanks,
>> Lee
>>
>
> Actually, to be complete:
>
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>      *.com.102.112.2o7.net CNAME .
>        com.102.112.2o7.net CNAME .
>          *.102.112.2o7.net CNAME .
>            102.112.2o7.net CNAME .
>              *.112.2o7.net CNAME .
>                112.2o7.net CNAME .
>                  *.2o7.net CNAME .
>                    2o7.net CNAME .
>
> Yes, it's a pain, but that is how wildcards work.  Someone should write a
> tool to manage them. :)

Has someone?  Because that's what prompted my question :)
  https://github.com/StevenBlack/hosts/issues/451
  i'd like to publish this data in RPZ format

I'd rather block *.domain than list each host in the domain &
constantly have to update the list as names are added/removed from the
domain.  But there are notes in the file about blocking <this> breaks
<that> site, so it seemed like it'd be a nice option to be able to
whitelist things to keep the site breakage down.

Thanks
Lee
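As an added example (not part of the thread, and not the tool Bob or Lee mention), a small script that generates the complete rule set for one blocked domain plus a whitelist, and a simplified lookup that shows why Lee's three-line zone let foo.112.2o7.net through. It goes one step beyond Bob's list by also adding a wildcard under each whitelisted name, so only the exact name passes through; the lookup models empty non-terminals and closest-encloser matching only, not full RPZ policy ordering.

```python
# Added example, not from the thread: emit the explicit RPZ rules Bob's reply
# shows are needed, then simulate a resolver's QNAME trigger matching on them.
def rpz_block_with_whitelist(blocked_domain, whitelist):
    """RPZ RR lines (owners relative to the zone origin) that block
    blocked_domain except for the whitelisted names."""
    blocked = blocked_domain.strip(".").lower()
    allow = set()
    for n in whitelist:
        n = n.strip(".").lower()
        if n != blocked and not n.endswith("." + blocked):
            raise ValueError(f"{n} is not under {blocked}")
        allow.add(n)
    # Every name between a whitelisted name and the blocked domain exists in
    # the zone (as an empty non-terminal), is never matched by the wildcard
    # above it, and shields the names below it from that wildcard.
    nodes = {blocked}
    for n in allow:
        while n != blocked:
            nodes.add(n)
            n = n.split(".", 1)[1]
    lines = []
    for name in sorted(nodes, key=lambda s: (-s.count("."), s)):
        action = "rpz-passthru." if name in allow else "."  # "." means NXDOMAIN
        lines.append(f"{name} CNAME {action}")
        lines.append(f"*.{name} CNAME .")  # block everything below this node
    return lines

def rpz_lookup(rules, qname):
    """Simplified QNAME trigger match (exact owner, else the wildcard at the
    closest existing ancestor per RFC 4592).  Returns the CNAME target:
    "." blocked, "rpz-passthru." allowed, None when no rule applies."""
    targets, exists = {}, set()
    for r in rules:
        owner, _, target = r.split()
        targets[owner] = target
        name = owner[2:] if owner.startswith("*.") else owner
        while name:  # every ancestor exists, as an empty non-terminal if unlisted
            exists.add(name)
            name = name.split(".", 1)[1] if "." in name else ""
    q = qname.strip(".").lower()
    if q in targets:
        return targets[q]
    if q in exists:  # an empty non-terminal is not matched by any wildcard
        return None
    while "." in q:
        q = q.split(".", 1)[1]
        if q in exists:  # closest encloser: only its own wildcard can match
            return targets.get("*." + q)
    return None
```

Feeding Lee's original three records to rpz_lookup returns None for foo.112.2o7.net (no policy, so the name resolves), while the generated rule set returns "." for it.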

