[DNSfirewalls] rpz firewall + whitelisting
Vadim Pavlov
pvm_job at mail.ru
Tue Aug 27 16:07:38 UTC 2019
For RPZ I would recommend a different order based on how bind9 handles it (performance optimization and protection against DNS tunneling/exfiltration):
1. Local whitelist, domains only;
2. Local blacklist, domains only;
3. RPZ feeds, domains only;
4. RPZ feeds, with mixed rules (domains and IPs);
5. Local blacklist, IP and NS based rules only;
6. RPZ feeds with IP and NS based rules only.
Paul, do you know of any chance that ISC is going to publish documentation on how to use RPZ?
Vadim
> On Aug 26, 2019, at 20:53, Paul Vixie <paul at redbarn.org> wrote:
>
> Brian Dickson wrote on 2019-08-26 14:01:
>> If your local list and the third party list are separate RPZ zones,
>> then it should be almost fine, I think. Each zone is processed
>> separately, and the first zone that matches takes effect. The third
>> party would not match, but yours would. I know that sounds
>> confusing, you might want to test it.
>> The implementation I am familiar with uses a bit-field (32 bits) for zone membership.
>> And, it uses a well-defined ordering on the zones themselves.
>
> the bit field is immaterial. any conforming ("well defined ordering of the zones") implementation will behave confusingly if there is overlap between treatment of nonterminals.
>
> as m3047 noted, the recommended usage is:
>
> first, local whitelist
> then, imported policies
> last, local blacklist
>
> if there is conflicting treatment of nonterminals among imported policies, then the results will be deterministic, but unintuitive.
>
>> IIRC there is a modest performance penalty based on the number of zones you use, but not based on the size of the zones themselves except at load/reload time.
> in BIND9 there is no performance penalty based on the number of zones, and has not been since 2012 or so.
>
> any commercial support customer of ISC (BIND9) or NLNetLabs (Unbound), and any passive dns contributor to Farsight (SIE) is entitled to a binary copy licensed for those servers of software called FastRPZ, which removes the load/reload penalty as well. contact me directly for details.
>
> --
> P Vixie
>
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
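The precedence rule the thread keeps returning to (each policy zone is evaluated in configured order, the first zone with any matching rule wins, and a more specific rule in a later zone does not override it) is easy to misjudge by eye. The following is an added illustration, not code from the thread, from BIND or from any RPZ feed: a small Python model of QNAME-trigger precedence across an ordered list of policy zones. It assumes only QNAME triggers (no IP, NSDNAME or NSIP rules), that within one zone an exact owner name beats a wildcard and a longer wildcard suffix beats a shorter one, and that across zones the first zone with a match decides. The zone contents and names (`local-whitelist`, `feed-a`, `feed-b`, `local-blacklist`) are constructed for the example.

```python
"""Simplified model of RPZ QNAME precedence across ordered policy zones.

Added example, not code from the mailing-list thread or from BIND.
Assumptions (labelled here and in the lead-in):
  - only QNAME triggers are modelled;
  - inside one zone, exact name > wildcard, longer wildcard suffix > shorter;
  - across zones, the first zone (in configured order) with any matching
    rule wins, however specific a rule in a later zone might be.
"""

# Policy actions as an RPZ zone would express them.
PASSTHRU = "PASSTHRU"   # rpz-passthru. target: let the answer through
NXDOMAIN = "NXDOMAIN"   # CNAME .


def _labels(name):
    """Split a DNS name into lowercase labels, dropping the trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_in_zone(zone, qname):
    """Return (action, rule_name) for the most specific QNAME rule in one
    policy zone, or None if nothing in the zone matches qname."""
    qlabels = _labels(qname)
    best = None  # (specificity, action, rule_name)
    for rule_name, action in zone.items():
        rlabels = _labels(rule_name)
        if rlabels[0] == "*":
            suffix = rlabels[1:]
            # A wildcard needs at least one label below its suffix.
            if len(qlabels) > len(suffix) and qlabels[-len(suffix):] == suffix:
                spec = (0, len(suffix))
            else:
                continue
        elif rlabels == qlabels:
            spec = (1, len(rlabels))   # exact match beats any wildcard
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, action, rule_name)
    return None if best is None else (best[1], best[2])


def rpz_lookup(zones, qname):
    """Walk the ordered policy zones; the first zone with a match decides.
    Returns (zone_name, rule_name, action); action 'ANSWER' means no policy
    applied and the normal answer goes out."""
    for zone_name, zone in zones:
        hit = match_in_zone(zone, qname)
        if hit is not None:
            action, rule = hit
            return (zone_name, rule, action)
    return (None, None, "ANSWER")


# Constructed policy zones for the demonstration.
LOCAL_WHITELIST = {"good.example.com": PASSTHRU}
FEED_A = {"*.example.com": NXDOMAIN, "*.example.net": NXDOMAIN}
FEED_B = {"sub.example.net": PASSTHRU}      # exact passthru, later feed
LOCAL_BLACKLIST = {"bad.example.org": NXDOMAIN}

# Order recommended in the thread: whitelist, imported feeds, local blacklist.
RECOMMENDED = [
    ("local-whitelist", LOCAL_WHITELIST),
    ("feed-a", FEED_A),
    ("feed-b", FEED_B),
    ("local-blacklist", LOCAL_BLACKLIST),
]
# Same feeds, imported order swapped: changes the sub.example.net outcome.
FEEDS_SWAPPED = [
    ("local-whitelist", LOCAL_WHITELIST),
    ("feed-b", FEED_B),
    ("feed-a", FEED_A),
    ("local-blacklist", LOCAL_BLACKLIST),
]
# Whitelist placed last: the feed's wildcard shadows the local passthru.
WHITELIST_LAST = [
    ("feed-a", FEED_A),
    ("feed-b", FEED_B),
    ("local-blacklist", LOCAL_BLACKLIST),
    ("local-whitelist", LOCAL_WHITELIST),
]

if __name__ == "__main__":
    for order_name, order in (("recommended", RECOMMENDED),
                              ("feeds swapped", FEEDS_SWAPPED),
                              ("whitelist last", WHITELIST_LAST)):
        for q in ("good.example.com", "evil.example.com",
                  "sub.example.net", "bad.example.org", "fine.example.org"):
            print(order_name, q, rpz_lookup(order, q))
```

In the recommended order `sub.example.net` is refused by `feed-a`'s `*.example.net` rule even though `feed-b` carries an exact passthru for it, because zone order, not rule specificity, settles conflicts between zones; that is the "deterministic, but unintuitive" outcome Paul describes for overlapping nonterminals across imported policies. Moving the whitelist to the end shows why it must come first: the feed's wildcard then shadows the local passthru. In BIND the zone order is simply the order of the `zone` entries in the `response-policy` statement.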