[DNSfirewalls] rpz firewall + whitelisting
Paul Vixie
paul at redbarn.org
Tue Aug 27 16:11:02 UTC 2019
On Tuesday, 27 August 2019 16:07:38 UTC Vadim Pavlov wrote:
> For RPZ I would recommend a different order based on how bind9 handles it
> (performance optimization and protection against DNS
> tunneling/exfiltration)
>
> 1. Local whitelist, domains only;
> 2. Local blacklist, domains only;
> 3. RPZ feeds, domains only;
> 4. RPZ feeds, with mixed rules (domains and IPs);
> 5. Local blacklist, IP and NS based rules only;
> 6. RPZ feeds with IP and NS based rules only.
That's not unreasonable, but it is harder to conceptualize and maintain.
Choose your poison, I guess.
>
> Paul, do you know of any chance that ISC is going to publish documentation on
> how to use RPS?
ISC has asked, and farsight is constructing, both RPS API documentation, and
an example "hello world" implementation which can be used as a template to
implement more generalized policy filtering, independent of the RPZ system.
--
Paul
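The ordering Vadim describes, written out as a BIND 9 `response-policy` block, as an added example that is not part of either poster's message. BIND consults the listed zones in order, and QNAME (domain) triggers can be matched before recursion, while `rpz-ip`, `rpz-nsdname` and `rpz-nsip` triggers need the answer or delegation data, which is why the domain-only zones go first. The zone names, file paths, feed addresses and the records in the zone-file excerpts are all hypothetical; the block concatenates a `named.conf` fragment with three zone-file excerpts separated by comment banners.

```conf
// ---- named.conf fragment (hypothetical zone names and paths) ----
options {
    // ... other options ...
    response-policy {
        // 1. local whitelist, QNAME rules only; 'policy passthru' forces
        //    every hit in this zone to pass through, whatever the record says
        zone "rpz.whitelist.local" policy passthru;
        // 2. local blacklist, QNAME rules only
        zone "rpz.blacklist.local";
        // 3. subscribed feed carrying domain rules only
        zone "rpz.feed-domains.example";
        // 4. subscribed feed with mixed domain and IP/NS rules
        zone "rpz.feed-mixed.example";
        // 5. local blacklist, rpz-ip / rpz-nsdname / rpz-nsip rules only
        zone "rpz.blacklist-ipns.local";
        // 6. subscribed feed carrying only IP and NS based rules
        zone "rpz.feed-ipns.example";
    } qname-wait-recurse no;   // answer QNAME hits without recursing first
};

// local lists are primary zones edited on this server
zone "rpz.whitelist.local"      { type master; file "/etc/bind/rpz/whitelist.db"; allow-query { localhost; }; };
zone "rpz.blacklist.local"      { type master; file "/etc/bind/rpz/blacklist.db"; allow-query { localhost; }; };
zone "rpz.blacklist-ipns.local" { type master; file "/etc/bind/rpz/blacklist-ipns.db"; allow-query { localhost; }; };

// feeds are transferred from the provider (192.0.2.10 is a documentation
// address standing in for the real feed server)
zone "rpz.feed-domains.example" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/cache/bind/rpz.feed-domains.db";
    allow-query { localhost; };
};
zone "rpz.feed-mixed.example" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/cache/bind/rpz.feed-mixed.db";
    allow-query { localhost; };
};
zone "rpz.feed-ipns.example" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/cache/bind/rpz.feed-ipns.db";
    allow-query { localhost; };
};

; ---- /etc/bind/rpz/whitelist.db : domain (QNAME) rules only ----
$TTL 300
@                   SOA localhost. root.localhost. 1 3600 900 604800 300
@                   NS  localhost.
bank.example        CNAME rpz-passthru.   ; exact name
*.bank.example      CNAME rpz-passthru.   ; and every name below it

; ---- /etc/bind/rpz/blacklist.db : domain (QNAME) rules only ----
$TTL 300
@                   SOA localhost. root.localhost. 1 3600 900 604800 300
@                   NS  localhost.
evil.example        CNAME .     ; NXDOMAIN
*.evil.example      CNAME .
tracker.example     CNAME *.    ; NODATA

; ---- /etc/bind/rpz/blacklist-ipns.db : IP and NS based rules only ----
$TTL 300
@                   SOA localhost. root.localhost. 1 3600 900 604800 300
@                   NS  localhost.
; answer contains an address in 192.0.2.0/24 (prefix length first, octets reversed)
24.0.2.0.192.rpz-ip             CNAME .
; any name served by ns1.evil.example, or by a name server at 203.0.113.1
ns1.evil.example.rpz-nsdname    CNAME .
32.1.113.0.203.rpz-nsip         CNAME .
```

Splitting the local blacklist into a domain-only zone and an IP/NS-only zone is what lets the domain rules sit in position 2 while the IP/NS rules sit in position 5; the cost is the extra zone to maintain, which is the maintenance burden the reply refers to.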