[DNSfirewalls] rpz firewall + whitelisting

Bob Harold rharolde at umich.edu
Mon Aug 26 18:18:11 UTC 2019


I don't know of any tool.  I have not done any searching.

-- 
Bob Harold



On Mon, Aug 26, 2019 at 1:39 PM Lee <ler762 at gmail.com> wrote:

> On 8/26/19, Bob Harold <rharolde at umich.edu> wrote:
> > On Mon, Aug 26, 2019 at 8:28 AM Lee <ler762 at gmail.com> wrote:
> >
> >> On 8/26/19, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> >> > On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:
> >> >> $ cat db.test-rpz
> >> >> $ORIGIN rpz.test.
> >> >> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )
> >> >>   IN NS  localhost.
> >> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> >> >> 2o7.net CNAME .
> >> >> *.2o7.net CNAME .
> >> >> ; === end ===
> >> >
> >> >
> >> >> I'm expecting all of 2o7.net to be blocked except for the one name
> >> >> that's been whitelisted:
> >> >>   bcbsks.com.102.112.2o7.net
> >> >>
> >> >> What I get is not only bcbsks.com.102.112.2o7.net being whitelisted,
> >> >> but all these are also whitelisted:
> >> >>   foo.bcbsks.com.102.112.2o7.net
> >> >>   foo.com.102.112.2o7.net
> >> >>   foo.102.112.2o7.net
> >> >>   foo.112.2o7.net
> >> >>
> >> >
> >> > DNS is a tree. The presence of bcbsks.com.102.112.2o7.net also causes
> >> > com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net to exist, holding
> >> > no data (these are called empty non-terminals). Their presence prevents
> >> > expansion of the wildcard. If you want to block those names too, you
> >> > will have to do so explicitly.
> >>
> >> wow.. I would never have guessed that.  Thank you!
> >>
> >> Is there some other way to poke holes in an rpz firewall that doesn't
> >> require listing _all_ the nodes in the tree?  Even indented so it's
> >> obvious all the nodes are listed, it looks like a pain to maintain:
> >>
> >> $ cat db.test-rpz
> >> $ORIGIN rpz.test.
> >> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
> >>   IN NS  localhost.
> >>      *.com.102.112.2o7.net CNAME .
> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> >>          *.102.112.2o7.net CNAME .
> >>              *.112.2o7.net CNAME .
> >>                  *.2o7.net CNAME .
> >>                    2o7.net CNAME .
> >> ; === end ===
> >>
> >>
> >> Thanks,
> >> Lee
> >>
> >
> > Actually, to be complete:
> >
> > bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> >      *.com.102.112.2o7.net CNAME .
> >        com.102.112.2o7.net CNAME .
> >          *.102.112.2o7.net CNAME .
> >            102.112.2o7.net CNAME .
> >              *.112.2o7.net CNAME .
> >                112.2o7.net CNAME .
> >                  *.2o7.net CNAME .
> >                    2o7.net CNAME .
> >
> > Yes, it's a pain, but that is how wildcards work.  Someone should write a
> > tool to manage them. :)
>
> Has someone?  Because that's what prompted my question :)
>   https://github.com/StevenBlack/hosts/issues/451
>   i'd like to publish this data in RPZ format
>
> I'd rather block *.domain than list each host in the domain &
> constantly have to update the list as names are added/removed from the
> domain.  But there are notes in the file about blocking <this> breaks
> <that> site, so it seemed like it'd be a nice option to be able to
> whitelist things to keep the site breakage down.
>
> Thanks
> Lee
>