[DNSfirewalls] rpz firewall + whitelisting

Paul Vixie paul at redbarn.org
Tue Aug 27 16:11:02 UTC 2019

On Tuesday, 27 August 2019 16:07:38 UTC Vadim Pavlov wrote:
> For RPZ I would recommend a different order based on how bind9 handles it
> (performance optimization and protection against DNS
> tunneling/exfiltration)
> 1. Local whitelist, domains only;
> 2. Local blacklist, domains only;
> 3. RPZ feeds, domains only;
> 4. RPZ feeds, with mixed rules (domains and IPs);
> 5. Local blacklist, IP and NS based rules only;
> 6. RPZ feeds with IP and NS based rules only.

that's not unreasonable, but it is harder to conceptualize and maintain. 
choose your poison, i guess.

> Paul, do you know any chance that ISC is going to publish documentation how
> to use RPS?

ISC has asked, and farsight is constructing, both RPS API documentation, and 
an example "hello world" implementation which can be used as a template to 
implement more generalized policy filtering, independent of the RPZ system.


More information about the DNSfirewalls mailing list