[DNSfirewalls] rpz firewall + whitelisting

Lee ler762 at gmail.com
Tue Aug 27 15:46:36 UTC 2019


On 8/26/19, Vernon Schryver <vjs at rhyolite.com> wrote:
>> From: Brian Dickson <brian.peter.dickson at gmail.com>
>> To: Bob Harold <rharolde at umich.edu>
>> Cc: dnsfirewalls at lists.redbarn.org
>
>> > If your local list and the third party list are separate RPZ zones, then
>> > it should be almost fine, I think.  Each zone is processed separately, and
>> > the first zone that matches takes effect.  The third party would not match,
>> > but yours would.  I know that sounds confusing, you might want to test it.
>> >
>> The implementation I am familiar with uses a bit-field (32 bits) for zone
>> membership.
>
> Would that be my second implementation for ISC in BIND9?

Wow!  The guy that wrote the code!!  I have to ask .. instead of me having to do

$ cat db.test-rpz
$ORIGIN rpz.test.
@ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
  IN NS  localhost.
                   2o7.net CNAME .
                 *.2o7.net CNAME .
               112.2o7.net CNAME .
             *.112.2o7.net CNAME .
           102.112.2o7.net CNAME .
         *.102.112.2o7.net CNAME .
       com.102.112.2o7.net CNAME .
     *.com.102.112.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
; === end ===

Would it be possible for me to do
                   2o7.net CNAME .
                 *.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.

and for you to automagically fill in the intervening space for me:
               112.2o7.net CNAME .
             *.112.2o7.net CNAME .
           102.112.2o7.net CNAME .
         *.102.112.2o7.net CNAME .
       com.102.112.2o7.net CNAME .
     *.com.102.112.2o7.net CNAME .

Thanks
Lee
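
The fill-in Lee asks for can be scripted outside BIND. The Python below is an added example, not code from this thread or from BIND. rpz_records() expands a blocked domain plus one passthru name into the full record set (an exact and a wildcard `CNAME .` at every label level, then `CNAME rpz-passthru.`); for the names in the post it reproduces the nine records of db.test-rpz. lookup() models the RPZ QNAME lookup under the RFC 4592 wildcard rules to show why the intervening records are needed: once bcbsks.com.102.112.2o7.net exists in the zone, 112.2o7.net, 102.112.2o7.net and com.102.112.2o7.net exist as empty non-terminals, so `*.2o7.net` no longer matches anything beneath them. The function names, the sparse three-record zone and the query names are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Fill in the RPZ records between a blocked domain and a passthru exception.

Added example, not code from the DNSfirewalls thread or from BIND.  Assumes the
RPZ conventions used in the post: `CNAME .` for NXDOMAIN and
`CNAME rpz-passthru.` for an exception.  Zone contents and query names below
are constructed for the example.
"""

NXDOMAIN = "."
PASSTHRU = "rpz-passthru."


def rpz_records(blocked, passthru):
    """Return (owner, target) pairs that block `blocked` and everything under
    it except `passthru`.

    An exact and a wildcard NXDOMAIN rule is emitted at every label level
    between `blocked` and `passthru`.  Each level is needed because, once
    `passthru` exists in the zone, all of its ancestors exist as empty
    non-terminals, and under the RFC 4592 closest-encloser rule a wildcard
    higher up no longer matches names beneath them.
    """
    blocked = blocked.strip(".").lower()
    passthru = passthru.strip(".").lower()
    if not passthru.endswith("." + blocked):
        raise ValueError(f"{passthru} is not below {blocked}")
    # Labels of `passthru` below `blocked`, leftmost first,
    # e.g. ["bcbsks", "com", "102", "112"] for the names in the post.
    below = passthru[: -(len(blocked) + 1)].split(".")
    owner = blocked
    records = [(owner, NXDOMAIN), ("*." + owner, NXDOMAIN)]
    # Walk down one label at a time, stopping short of `passthru` itself.
    for label in reversed(below[1:]):
        owner = f"{label}.{owner}"
        records += [(owner, NXDOMAIN), ("*." + owner, NXDOMAIN)]
    records.append((passthru, PASSTHRU))
    return records


def zone_text(records):
    """Render records as zone-file lines (relative owners, as in the post)."""
    width = max(len(owner) for owner, _ in records)
    return "\n".join(f"{owner:>{width}} CNAME {target}" for owner, target in records)


def lookup(zone, qname):
    """Model the RPZ QNAME lookup of `qname` in `zone` (owner -> CNAME target).

    RFC 4592 rules: an exact match wins; an existing name without records
    (empty non-terminal) yields nothing; otherwise only the wildcard directly
    beneath the closest encloser can match.  Returns the target or None.
    """
    qname = qname.strip(".").lower()
    if qname in zone:
        return zone[qname]
    # Every ancestor of an owner name exists in the zone, possibly only as an
    # empty non-terminal with no records of its own.
    existing = set()
    for owner in zone:
        labels = owner.split(".")
        existing.update(".".join(labels[i:]) for i in range(len(labels)))
    if qname in existing:
        return None  # empty non-terminal: NODATA, no wildcard synthesis
    # Closest encloser: the longest existing ancestor of qname.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in existing:
            return zone.get("*." + encloser)
    return None


if __name__ == "__main__":
    recs = rpz_records("2o7.net", "bcbsks.com.102.112.2o7.net")
    print(zone_text(recs))
    full = dict(recs)
    # Constructed sparse zone: only the three records Lee wanted to write.
    sparse = {"2o7.net": NXDOMAIN, "*.2o7.net": NXDOMAIN,
              "bcbsks.com.102.112.2o7.net": PASSTHRU}
    for q in ("foo.2o7.net", "foo.112.2o7.net", "bcbsks.com.102.112.2o7.net"):
        print(f"{q:28} sparse={lookup(sparse, q)!s:14} full={lookup(full, q)}")
```

Running it prints the generated zone lines and then the lookups side by side: with only the three sparse records, foo.112.2o7.net is matched by no rule at all, while the filled-in zone returns NXDOMAIN for it. One consequence of the same rule worth keeping in mind: in this model a name beneath the passthru owner (for example something.bcbsks.com.102.112.2o7.net) is matched by neither the NXDOMAIN wildcards nor the passthru record, so such names would need a rule of their own if they are ever queried.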

