[DNSfirewalls] rpz firewall + whitelisting
Bob Harold
rharolde at umich.edu
Mon Aug 26 20:03:09 UTC 2019
On Mon, Aug 26, 2019 at 3:46 PM Lee <ler762 at gmail.com> wrote:
> On 8/26/19, m3047 <m3047 at m3047.net> wrote:
> > I've always felt best practice was (listed in order of precedence /
> > declaration):
> >
> > 1) A local whitelist.
> >
> > 2) Any third party zones.
> >
> > 3) A local blacklist.
>
> Seems like that would work only if you had a script to regenerate your
> local lists after a third party zone updates.
>
> I haven't tried this, but let's pretend that
> your local blacklist has *.2o7.net
> a third party blacklist zone adds bcbsks.com.102.112.2o7.net
> I'm guessing that your blacklist doesn't actually blacklist
> 112.2o7.net & everything below it now.
>
> & just out of curiosity - how do you troubleshoot something like that?
> .. besides eyeballing the rpz zones.
>
> Thanks
> Lee
>
If your local list and the third party list are separate RPZ zones, then it
should be almost fine, I think. Each zone is processed separately, and the
first zone that matches takes effect. The third party would not match, but
yours would. I know that sounds confusing, you might want to test it.
--
Bob Harold
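To make the precedence Bob describes concrete, here is an added example (it is not from the thread and not BIND's code) that simulates how BIND picks a QNAME-trigger action across several policy zones. It assumes the documented rules: policy zones are consulted in the order they appear in the response-policy statement, the first zone holding any matching trigger decides the action, and inside a single zone the longest (most specific) matching owner name wins. The zone names and contents are constructed for illustration and use Lee's hypothetical entries.

```python
"""Simulate BIND RPZ QNAME-trigger precedence across several policy zones.

Added example, not code from the mailing-list thread or from BIND. Assumptions:
  * policy zones are tried in response-policy order; the first zone with ANY
    matching QNAME trigger decides the action, even if a later zone holds a
    more specific entry;
  * within one zone the most specific match wins (more labels beats fewer,
    an exact name beats a wildcard of equal length);
  * a wildcard "*.example" matches names strictly below "example", never
    "example" itself.
Zone names and rules below are constructed for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actions as they would appear as CNAME targets in an RPZ zone file.
PASSTHRU = "rpz-passthru."   # whitelist: answer normally
NXDOMAIN = "."               # CNAME .   -> NXDOMAIN
NODATA = "*."                # CNAME *.  -> NODATA


@dataclass
class PolicyZone:
    name: str
    rules: Dict[str, str]  # owner name (relative to the policy zone) -> action


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def rule_matches(rule: str, qname: str) -> bool:
    """True if a QNAME trigger (exact name or leading '*.' wildcard) covers qname."""
    q = _labels(qname)
    if rule.startswith("*."):
        suffix = _labels(rule[2:])
        # strictly below the wildcard owner: at least one extra label
        return len(q) > len(suffix) and q[-len(suffix):] == suffix
    return q == _labels(rule)


def match_in_zone(zone: PolicyZone, qname: str) -> Optional[Tuple[str, str]]:
    """Longest match within ONE zone: returns (rule, action) or None."""
    hits = [(r, a) for r, a in zone.rules.items() if rule_matches(r, qname)]
    if not hits:
        return None
    # More labels wins; on a tie an exact name beats a wildcard.
    return max(hits, key=lambda ra: (len(_labels(ra[0])), not ra[0].startswith("*.")))


def lookup(zones: List[PolicyZone], qname: str) -> Optional[Tuple[str, str, str]]:
    """Walk zones in configured order; the first zone with a hit decides.

    Returns (zone name, matching rule, action) or None when no policy applies.
    """
    for z in zones:
        hit = match_in_zone(z, qname)
        if hit:
            return (z.name, hit[0], hit[1])
    return None


# Constructed zones in the order m3047 recommends: whitelist, third party, blacklist.
LOCAL_WHITELIST = PolicyZone("whitelist.rpz.local", {
    "*.example.org": PASSTHRU,                # broad local whitelist
})
THIRD_PARTY = PolicyZone("feed.rpz.example.net", {
    "bcbsks.com.102.112.2o7.net": NXDOMAIN,   # Lee's hypothetical feed entry
    "metrics.example.org": NXDOMAIN,          # more specific than the whitelist entry
})
LOCAL_BLACKLIST = PolicyZone("blacklist.rpz.local", {
    "*.2o7.net": NXDOMAIN,                    # Lee's local wildcard
    "112.2o7.net": NODATA,                    # exact entry in the same zone
})
ZONES = [LOCAL_WHITELIST, THIRD_PARTY, LOCAL_BLACKLIST]


def explain(qname: str) -> str:
    r = lookup(ZONES, qname)
    return f"{qname}: no policy" if r is None else f"{qname}: {r[2]} via {r[1]} in {r[0]}"


if __name__ == "__main__":
    for q in ("bcbsks.com.102.112.2o7.net", "foo.112.2o7.net", "112.2o7.net",
              "2o7.net", "metrics.example.org"):
        print(explain(q))
```

Running it shows the two points in one place: the third-party exact entry wins for bcbsks.com.102.112.2o7.net only because that zone is listed before the local blacklist, while every other name under 2o7.net still falls through to the local wildcard; and the whitelist's wildcard beats the feed's more specific entry for metrics.example.org purely on zone order. For Lee's troubleshooting question, BIND logs each rewrite in its rpz logging category together with the policy zone and trigger that produced it, which is the usual way to see which zone won without eyeballing the zone files.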