[DNSfirewalls] rpz firewall + whitelisting

Paul Vixie paul at redbarn.org
Tue Aug 27 03:53:24 UTC 2019



Brian Dickson wrote on 2019-08-26 14:01:
> 
>     If your local list and the third party list are separate RPZ zones,
>     then it should be almost fine, I think.  Each zone is processed
>     separately, and the first zone that matches takes effect.  The third
>     party would not match, but yours would.  I know that sounds
>     confusing, you might want to test it.
> 
> 
> The implementation I am familiar with, uses a bit-field (32 bits) for 
> zone membership.
> And, it uses a well-defined ordering on the zones themselves.

the bit field is immaterial. any conforming ("well defined ordering of 
the zones") implementation will behave confusingly if there is overlap 
between treatment of nonterminals.

as m3047 noted, the recommended usage is:

first, local whitelist
then, imported policies
last, local blacklist

if there is conflicting treatment of nonterminals among imported 
policies, then the results will be deterministic, but unintuitive.

> IIRC there is a modest performance penalty based on the number of zones 
> you use, but not based on the size of the zones themselves except at 
> load/reload time.

in BIND9 there is no performance penalty based on the number of zones, 
and has not been since 2012 or so.

any commercial support customer of ISC (BIND9) or NLNetLabs (Unbound), 
and any passive dns contributor to Farsight (SIE) is entitled to a 
binary copy licensed for those servers of software called FastRPZ, which 
removes the load/reload penalty as well. contact me directly for details.

-- 
P Vixie
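A small simulation of the ordering discussed in this thread, added here as an illustration (it is not BIND9 code and not from the list): zones are consulted in a fixed order, the first zone with a matching QNAME trigger decides, and a `*.` wildcard trigger covers subdomains but not the bare nonterminal itself. The assumptions are the simplified action encodings (`CNAME .` for NXDOMAIN, `CNAME rpz-passthru.` for PASSTHRU), the constructed sample zones, and that within one zone the longest matching trigger wins.

```python
# Simplified model of RPZ QNAME-trigger precedence across ordered zones.
# Assumption: within a single zone the longest (most specific) trigger wins.
NXDOMAIN, PASSTHRU = "CNAME .", "CNAME rpz-passthru."


def trigger_matches(trigger, qname):
    """Exact owner-name match, or a '*.' wildcard that covers subdomains
    but not the nonterminal itself (the source of the confusion above)."""
    if trigger.startswith("*."):
        suffix = trigger[1:]                      # ".example.com"
        return qname.endswith(suffix) and qname != suffix[1:]
    return qname == trigger


def zone_lookup(zone, qname):
    """Return the action of the most specific matching trigger in one zone."""
    hits = [t for t in zone if trigger_matches(t, qname)]
    return zone[max(hits, key=len)] if hits else None


def rpz_decide(zones, qname):
    """Consult zones in order; the first zone with any match takes effect."""
    for name, zone in zones:
        action = zone_lookup(zone, qname)
        if action is not None:
            return name, action
    return None, "no policy"


# Constructed sample zones (not real feeds): local whitelist, an imported
# feed that blocks everything under example.com, and a local blacklist.
LOCAL_WHITELIST = {"mail.example.com": PASSTHRU}
IMPORTED = {"*.example.com": NXDOMAIN, "bad.example.net": NXDOMAIN}
LOCAL_BLACKLIST = {"example.com": NXDOMAIN}

RECOMMENDED = [("whitelist", LOCAL_WHITELIST),
               ("imported", IMPORTED),
               ("blacklist", LOCAL_BLACKLIST)]
# Same zones, but the imported feed placed ahead of the local whitelist.
WRONG_ORDER = [("imported", IMPORTED),
               ("whitelist", LOCAL_WHITELIST),
               ("blacklist", LOCAL_BLACKLIST)]

if __name__ == "__main__":
    for q in ("mail.example.com", "www.example.com", "example.com"):
        print(q, "recommended:", rpz_decide(RECOMMENDED, q),
              "wrong order:", rpz_decide(WRONG_ORDER, q))
```

With the recommended order the local passthru for `mail.example.com` wins; with the imported feed first it is silently overridden, and the bare `example.com` nonterminal is never caught by the imported wildcard, only by the local blacklist.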


