[DNSfirewalls] rpz firewall + whitelisting

Vernon Schryver vjs at rhyolite.com
Tue Aug 27 02:10:14 UTC 2019

>>> I've always felt best practice was [multiple zones]

>> & just out of curiosity - how do you troubleshoot something like that?
>> .. besides eyeballing the rpz zones.
>When you get an RPZ "hit" the zone shows as the authority in the response.

That is the best tactic in general.  It's usually sufficient.

However, if the DNS server in question does not have too much traffic,
you're using of RPZ code I know about in BIND9 or Unbound, 
and you want to know about more than the source of the final policy answer,
then you can turn on varying levels debugging that at the highest level
note every potential trigger and every potental rule checked.

With the base BIND9 RPZ implementation, you can always query the
the policy zones with `dig`, `nslookup`, etc. as if they were
ordinary DNS zones, which they are.  With FastRPZ you can use
`rpztool' to dump all or parts of the database or run queries on
the policy database just as a FastRPZ such as BIND or Unbound would.

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list