[DNSfirewalls] rpz firewall + whitelisting

Paul Vixie paul at redbarn.org
Tue Aug 27 17:22:33 UTC 2019


On Tuesday, 27 August 2019 16:30:09 UTC Lee wrote:
> On 8/27/19, Paul Vixie <paul at redbarn.org> wrote:
...
> > no. that would change the meaning of existing policy zones.
> 
> First off, let's state the obvious - I _clearly_ do not understand rpz
> policy zones.

it's tricky stuff. i hope you have at least read the draft (-04) though.

> That said.. my expectation is that if I have
> *.2o7.net CNAME rpz-drop.
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 
> Every <whatever>.2o7.net name will hit the rpz-drop. rule except for
> bcbsks.com.102.112.2o7.net hitting the rpz-passthru.

yes, that's the intuitive way of seeing/doing this.

> 
> My guess is that people that understand the current implementation will have
> >>                    2o7.net CNAME .
> >>                  *.2o7.net CNAME .
> >>                112.2o7.net CNAME .
> >>              *.112.2o7.net CNAME .
> >>            102.112.2o7.net CNAME .
> >>          *.102.112.2o7.net CNAME .
> >>        com.102.112.2o7.net CNAME .
> >>      *.com.102.112.2o7.net CNAME .
> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 
> which would be unaffected by any automagical fill & the noobs like me that
> do *.2o7.net CNAME rpz-drop.
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 
> will get the behavior they expect.
> 
> But there's probably a lot more to it than that.. <sigh>

yes. violation of the principle of least astonishment is very rarely 
punishable by or answerable by more of the same. we won't break existing 
configurations, in which someone may be reliant, consciously or not, on the 
existing (astonishing) behaviour.

> > this expansion
> > should be done by the rpz generator or by some preprocessor you'd write in
> > python or perl or whatever.
> 
> Yeah, I totally get that.
> But me having to write a preprocessor + not really understanding rpz
> zones changes running a dns firewall from an interesting project to
> holding a loaded shotgun aimed at my foot :(

would it help if i crafted a perl script that did this preprocessing for you?

-- 
Paul

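A preprocessor of the kind Paul describes, as an added example written here in Python (it is not from the thread or from any RPZ implementation): it takes the two-line form Lee wants and emits the explicit ancestor and wildcard records from the listing above, so the passthru exception does not also un-block its ancestors and siblings. It assumes the block action is whatever the wildcard rule's CNAME target is, and it leaves names below an exception alone, as the listing does.

```python
import re

_RR = re.compile(r"^\s*(\S+)\s+CNAME\s+(\S+)\s*$", re.IGNORECASE)


def parse_rule(line):
    """Parse one 'owner CNAME target' RPZ line into (owner, target)."""
    m = _RR.match(line)
    if not m:
        raise ValueError("not a CNAME policy rule: %r" % line)
    return m.group(1).rstrip("."), m.group(2)


def expand_exceptions(wildcard_rule, exception_rules):
    """Expand one wildcard block rule plus passthru exceptions beneath it.

    Every ancestor between the wildcard's suffix and an exception gets both
    an exact record and a wildcard record carrying the block action, so the
    exception does not silently un-block its siblings and ancestors. Names
    below an exception are left alone, as in the listing from the thread.
    """
    wild_owner, block_action = parse_rule(wildcard_rule)
    if not wild_owner.startswith("*."):
        raise ValueError("first rule must be a wildcard: %r" % wildcard_rule)
    suffix = wild_owner[2:]
    exceptions = [parse_rule(r) for r in exception_rules]
    exempt = {owner for owner, _ in exceptions}
    records = {}  # insertion-ordered: owner -> target

    def block(owner):
        if owner not in exempt:  # an exception may itself be an ancestor
            records.setdefault(owner, block_action)

    block(suffix)
    block("*." + suffix)
    for owner, _ in exceptions:
        if not owner.endswith("." + suffix):
            raise ValueError("%s is not under %s" % (owner, suffix))
        rel = owner[: -len(suffix) - 1].split(".")  # labels below the suffix
        for i in range(len(rel) - 1, 0, -1):  # 112.2o7.net, 102.112.2o7.net, ...
            ancestor = ".".join(rel[i:]) + "." + suffix
            block(ancestor)
            block("*." + ancestor)
    lines = ["%s CNAME %s" % item for item in records.items()]
    lines += ["%s CNAME %s" % item for item in exceptions]
    return lines


if __name__ == "__main__":
    # constructed input: the pair of rules from the thread
    print("\n".join(expand_exceptions(
        "*.2o7.net CNAME .",
        ["bcbsks.com.102.112.2o7.net CNAME rpz-passthru."])))
```

The output of the constructed input is the nine-record listing quoted above, in the same order.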