[DNSfirewalls] rpz firewall + whitelisting
Lee
ler762 at gmail.com
Wed Aug 28 07:00:35 UTC 2019
On 8/27/19, Paul Vixie <paul at redbarn.org> wrote:
> On Tuesday, 27 August 2019 16:30:09 UTC Lee wrote:
>> On 8/27/19, Paul Vixie <paul at redbarn.org> wrote:
> ...
>> > no. that would change the meaning of existing policy zones.
>>
>> First off, let's state the obvious - I _clearly_ do not understand rpz
>> policy zones.
>
> it's tricky stuff. i hope you have at least read the draft (-04) though.
I looked at draft-vixie-dnsop-dns-rpz-00, but I doubt I understood
even half of it.
Could you point out where in either draft it documents the
non-intuitive behavior one gets by configuring an rpz zone with
*.2o7.net CNAME .
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>> That said.. my expectation is that if I have
>> *.2o7.net CNAME rpz-drop.
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>>
>> Every <whatever>.2o7.net name will hit the rpz-drop. rule except for
>> bcbsks.com.102.112.2o7.net hitting the rpz-passthru.
>
> yes, that's the intuitive way of seeing/doing this.
>
>>
>> My guess is that people that understand the current implementation will
>> have
>> >> 2o7.net CNAME .
>> >> *.2o7.net CNAME .
>> >> 112.2o7.net CNAME .
>> >> *.112.2o7.net CNAME .
>> >> 102.112.2o7.net CNAME .
>> >> *.102.112.2o7.net CNAME .
>> >> com.102.112.2o7.net CNAME .
>> >> *.com.102.112.2o7.net CNAME .
>> >> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>>
>> which would be unaffected by any automagical fill & the noobs like me
>> that do
>> *.2o7.net CNAME rpz-drop.
>> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
>>
>> will get the behavior they expect.
>>
>> But there's probably a lot more to it than that.. <sigh>
>
> yes. violation of the principle of least astonishment is very rarely
> punishable by or answerable by more of the same. we won't break existing
> configurations, in which someone may be reliant, consciously or not, on the
> existing (astonishing) behaviour.
Most of the time I'd agree with that sentiment.
>> > this expansion
>> > should be done by the rpz generator or by some preprocessor you'd write
>> > in
>> > python or perl or whatever.
>>
>> Yeah, I totally get that.
>> But me having to write a preprocessor + not really understanding rpz
>> zones changes running a dns firewall from an interesting project to
>> holding a loaded shotgun aimed at my foot :(
>
> would it help if i crafted a perl script that did this preprocessing for
> you?
Thanks for the offer, but I'll learn a lot more if I do it myself.
And doing it myself will force me to go step-by-step instead of trying
to jump directly to what I think the desired end state is.
Regards,
Lee
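The quoted nine-line expansion and the "preprocessor in python or perl" that Paul suggests, as an added example that is not part of this thread and not code from any RPZ implementation. It assumes the policy zone is searched with ordinary RFC 4592 wildcard rules (the closest existing ancestor of the query name decides which wildcard may match, and a name that exists only as an empty non-terminal is never matched by a wildcard); that assumption is what the expansion works around, and the thread itself does not spell it out. `rpz_match`, `expand_exceptions`, the `NAIVE` rule list and the query names are constructed for illustration, using the 2o7.net names from the thread with `rpz-drop.` where the quoted list used `CNAME .`.

```python
# Added example, not from the thread: a minimal model of RPZ QNAME-trigger
# matching under RFC 4592 wildcard rules (assumed), plus a preprocessor that
# expands "wildcard drop + one exact passthru" into explicit per-level rules.

from __future__ import annotations


def _labels(name: str) -> tuple[str, ...]:
    """'a.b.c.' -> ('c', 'b', 'a'): labels from the root downwards."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)[::-1]


def _name(lbls: tuple[str, ...]) -> str:
    """Inverse of _labels(); the root is '.'."""
    return ".".join(reversed(lbls)) + "."


def rpz_match(zone: dict[str, str], qname: str) -> str | None:
    """Return the action for qname, or None when no trigger matches.

    zone maps owner name -> action (the CNAME target). Every owner and every
    ancestor of an owner exists as a node; ancestors without a record are
    empty non-terminals. Lookup follows RFC 4592 (assumption):
      1. an owner with a record matches exactly;
      2. a name that exists without a record gives NODATA, no wildcard;
      3. otherwise the closest encloser (longest existing ancestor) is found
         and only '*.<closest encloser>' may synthesize a match.
    """
    records = {_labels(o): a for o, a in zone.items()}
    nodes: set[tuple[str, ...]] = set()
    for owner in records:
        for i in range(len(owner) + 1):
            nodes.add(owner[:i])  # all ancestors, up to and including the root
    q = _labels(qname)
    if q in records:
        return records[q]
    if q in nodes:
        return None  # empty non-terminal: exists, so no wildcard synthesis
    for i in range(len(q) - 1, -1, -1):  # walk up toward the root
        if q[:i] in nodes:
            return records.get(q[:i] + ("*",))
    return None


def expand_exceptions(rules: list[tuple[str, str]]) -> dict[str, str]:
    """Rewrite intuitive rules into the explicit per-level form.

    For every exact owner that sits below a wildcard rule '*.<base>', add
    '<node>' and '*.<node>' with the wildcard's action for every node from
    <base> down to the exact owner's parent, so the wildcard keeps matching
    the siblings of the exception. Explicit rules are never overridden.
    """
    out = {o: a for o, a in rules}
    wildcards = [(_labels(o)[:-1], a) for o, a in rules if _labels(o)[-1] == "*"]
    for owner, _ in rules:
        lbls = _labels(owner)
        if lbls[-1] == "*":
            continue
        for base, wild_action in wildcards:
            if len(lbls) > len(base) and lbls[: len(base)] == base:
                for i in range(len(base), len(lbls)):
                    node = lbls[:i]
                    out.setdefault(_name(node), wild_action)
                    out.setdefault(_name(node + ("*",)), wild_action)
    return out


def zone_lines(zone: dict[str, str]) -> list[str]:
    """Render owner -> action as 'owner CNAME action' zone-file lines."""
    return [f"{owner} CNAME {action}" for owner, action in zone.items()]


# Constructed input: the two-line zone from the thread, the "intuitive" form.
NAIVE = [
    ("*.2o7.net.", "rpz-drop."),
    ("bcbsks.com.102.112.2o7.net.", "rpz-passthru."),
]

if __name__ == "__main__":
    expanded = expand_exceptions(NAIVE)
    print("\n".join(zone_lines(expanded)))
    for q in ("foo.2o7.net.", "112.2o7.net.", "x.com.102.112.2o7.net.",
              "bcbsks.com.102.112.2o7.net."):
        print(f"{q:32} naive={rpz_match(dict(NAIVE), q)!s:14} "
              f"expanded={rpz_match(expanded, q)}")
```

Running it prints the nine records from the quoted list and then shows the difference that matters: with the two-line zone, `x.com.102.112.2o7.net` and `112.2o7.net` hit neither rule at all, because the exact passthru entry creates the empty non-terminals `com.102.112.2o7.net`, `102.112.2o7.net` and `112.2o7.net`, and `*.2o7.net` cannot match anything whose closest encloser is one of those. After expansion every name under 2o7.net except the one exception is dropped, and the exception still passes through.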