[DNSfirewalls] rpz firewall + whitelisting
Lee
ler762 at gmail.com
Tue Aug 27 16:30:09 UTC 2019
On 8/27/19, Paul Vixie <paul at redbarn.org> wrote:
> On Tuesday, 27 August 2019 15:46:36 UTC Lee wrote:
>> ... instead of me having to do
>>
>> $ cat db.test-rpz
>> $ORIGIN rpz.test.
>> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
>> IN NS localhost.
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> 112.2o7.net CNAME .
>> *.112.2o7.net CNAME .
>> 102.112.2o7.net CNAME .
>> *.102.112.2o7.net CNAME .
>> com.102.112.2o7.net CNAME .
>> *.com.102.112.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>> ; === end ===
>>
>> Would it be possible for me to do
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>>
>> and for you to automagically fill in the intervening space for me:
>> 112.2o7.net CNAME .
>> *.112.2o7.net CNAME .
>> 102.112.2o7.net CNAME .
>> *.102.112.2o7.net CNAME .
>> com.102.112.2o7.net CNAME .
>> *.com.102.112.2o7.net CNAME .
>
> no. that would change the meaning of existing policy zones.
First off, let's state the obvious - I _clearly_ do not understand rpz
policy zones.
That said.. my expectation is that if I have
*.2o7.net CNAME rpz-drop.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
Every <whatever>.2o7.net name will hit the rpz-drop. rule except for
bcbsks.com.102.112.2o7.net hitting the rpz-passthru.
My guess is that people that understand the current implementation will have
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> 112.2o7.net CNAME .
>> *.112.2o7.net CNAME .
>> 102.112.2o7.net CNAME .
>> *.102.112.2o7.net CNAME .
>> com.102.112.2o7.net CNAME .
>> *.com.102.112.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
which would be unaffected by any automagical fill & the noobs like me that do
*.2o7.net CNAME rpz-drop.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
will get the behavior they expect.
But there's probably a lot more to it than that.. <sigh>
> this expansion
> should be done by the rpz generator or by some preprocessor you'd write in
> python or perl or whatever.
Yeah, I totally get that.
But me having to write a preprocessor + not really understanding rpz
zones changes running a dns firewall from an interesting project to
holding a loaded shotgun aimed at my foot :(
Regards,
Lee
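An added example, not code from this post or from either correspondent: a small Python preprocessor of the kind Paul suggests, which reads the compact form Lee would like to write and emits the fully enumerated zone Lee currently writes by hand. Under ordinary DNS wildcard rules, the passthru entry creates the empty non-terminals com.102.112.2o7.net, 102.112.2o7.net and 112.2o7.net in the policy zone, and an existing name stops the shallower *.2o7.net wildcard from matching anything beneath it, which is why those intervening names need rules of their own. The script assumes owner names relative to the zone's $ORIGIN as in the db.test-rpz file above, gives each fill-in line the target of the closest enclosing wildcard rule (so a "*.2o7.net CNAME rpz-drop." block fills in with rpz-drop.), and never overwrites a rule the author wrote explicitly; the sample rules and the helper names (parse_rules, expand_rules, format_zone) are constructed for this example.

```python
"""Preprocessor for an RPZ block list with passthru exceptions.

Assumed input (constructed for this example, in the compact form from the
post): one "owner CNAME target" rule per line, owner names relative to the
policy zone's $ORIGIN.  Any wildcard rule ("*.base") is treated as a block
rule; any rule whose target is "rpz-passthru." is a whitelist exception.
"""

COMPACT_RULES = """\
; constructed sample: block all of 2o7.net except one name
2o7.net CNAME .
*.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
"""


def labels(name):
    """Split a relative owner name into its labels."""
    return name.rstrip('.').split('.')


def is_under(name, base):
    """True when name is a proper subdomain of base."""
    n, b = labels(name), labels(base)
    return len(n) > len(b) and n[-len(b):] == b


def intervening_names(name, base):
    """Ancestors of name strictly below base, shallowest first."""
    n, b = labels(name), labels(base)
    return ['.'.join(n[-depth:]) for depth in range(len(b) + 1, len(n))]


def closest_wildcard(name, wildcards):
    """The (base, target) of the deepest wildcard rule enclosing name, or None."""
    enclosing = [(b, t) for b, t in wildcards if is_under(name, b)]
    return max(enclosing, key=lambda bt: len(labels(bt[0])), default=None)


def parse_rules(text):
    """Parse 'owner CNAME target' lines; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split(';', 1)[0].split()
        if len(fields) == 3 and fields[1].upper() == 'CNAME':
            rules.append((fields[0], fields[2]))
    return rules


def expand_rules(rules):
    """Return rules plus the fill-in lines each passthru exception needs.

    For a passthru name under a wildcard block, every ancestor strictly
    between the shallowest enclosing wildcard's base and the name gets an
    exact rule and a wildcard rule, both with the target of the closest
    enclosing wildcard.  Rules written explicitly are never replaced.
    """
    wildcards = [(o[2:], t) for o, t in rules if o.startswith('*.')]
    seen = {o for o, _ in rules}
    out = []
    for owner, target in rules:
        if target == 'rpz-passthru.':
            bases = [b for b, _ in wildcards if is_under(owner, b)]
            if bases:
                shallowest = min(bases, key=lambda b: len(labels(b)))
                for name in intervening_names(owner, shallowest):
                    fill_target = closest_wildcard(name, wildcards)[1]
                    for fill_owner in (name, '*.' + name):
                        if fill_owner not in seen:
                            seen.add(fill_owner)
                            out.append((fill_owner, fill_target))
        out.append((owner, target))
    return out


def format_zone(rules):
    """Render rules as zone-file lines."""
    return ['%s CNAME %s' % (owner, target) for owner, target in rules]


if __name__ == '__main__':
    # Prints the nine-line expansion that the post writes out by hand.
    for line in format_zone(expand_rules(parse_rules(COMPACT_RULES))):
        print(line)
```

Run on the sample it prints exactly the enumerated form quoted in the post, from "2o7.net CNAME ." down to the passthru line. Because fill-ins are added only where no explicit rule exists, feeding it an already expanded zone leaves that zone unchanged, which matches the point that experienced RPZ authors' zones should be unaffected by any such expansion.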