[DNSfirewalls] rpz firewall + whitelisting

Lee ler762 at gmail.com
Wed Aug 28 15:18:10 UTC 2019


On 8/26/19, Lee wrote:
> On 8/26/19, m3047 wrote:
>> I've always felt best practice was (listed in order of precedence /
>> declaration):
>>
>> 1) A local whitelist.
>>
>> 2) Any third party zones.
>>
>> 3) A local blacklist.
>
> I haven't tried this, but let's pretend that
>   your local blacklist has *.2o7.net
>   a third party blacklist zone adds  bcbsks.com.102.112.2o7.net
> I'm guessing that your blacklist doesn't actually blacklist
> 112.2o7.net & everything below it now.

For the record, my guesses about how rpz works continue to be 100% wrong:

$ cat db.rpz*
$ORIGIN rpz.black.
$TTL    10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
  IN NS  localhost.
2o7.net CNAME .      ; CNAME . => answer NXDOMAIN for the name itself
*.2o7.net CNAME .    ; ... and for every name beneath it
; === end ===
$ORIGIN rpz.white.
$TTL    10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
  IN NS  localhost.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.   ; exempt this one exact name only
; === end ===

$ grep rpz named.conf
  response-policy { zone "rpz.white"; zone "rpz.black" log yes; }
      break-dnssec yes recursive-only no qname-wait-recurse no;
  zone "rpz.white" in { type master; notify no; file "ZONES/db.rpz-white"; };
  zone "rpz.black" in { type master; notify no; file "ZONES/db.rpz-black"; };

All these are blacklisted:
  $ dig @127.0.0.1 foo.2o7.net
  $ dig @127.0.0.1 foo.112.2o7.net
  $ dig @127.0.0.1 foo.102.112.2o7.net
  $ dig @127.0.0.1 foo.com.102.112.2o7.net
  $ dig @127.0.0.1 bcbsks.102.112.2o7.net

and this isn't
  $ dig @127.0.0.1 bcbsks.com.102.112.2o7.net

Change db.rpz-white to
$ cat db.rpz-white
$ORIGIN rpz.white.
$TTL    10s
@ IN SOA localhost. admin ( 2019082802 6h 15 1d 1s )
  IN NS  localhost.
bcbsks.com.102.112.2o7.net CNAME .   ; now NXDOMAIN instead of passthru
; bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
; === end ===

and the only difference in the results is that
bcbsks.com.102.112.2o7.net is also blocked

Lee

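The behaviour the dig results show (policy zones consulted in the order they appear in response-policy, first zone with a hit wins; within a zone an exact owner name beats a wildcard; a passthru entry covers only the one exact name, not anything beneath it) can be modelled in a few lines. The following is an added example, not BIND's code and not from Lee's post: it parses the two zone files as posted and evaluates query names the way the results above show, for any number of policy zones (so m3047's whitelist / third-party / blacklist ordering works the same way). The helper names (parse_rpz_zone, match_in_zone, rpz_lookup, SPECIAL_TARGETS), the sample names, and the extra `*.bcbsks.com.102.112.2o7.net CNAME rpz-passthru.` rule shown as a fix are assumptions of this example; RFC 4592's closest-encloser subtlety for wildcards is deliberately not modelled.

```python
"""Model of RPZ QNAME-trigger evaluation across several policy zones.

Added illustration, not BIND's code.  Two rules are encoded:
  * zones are consulted in response-policy declaration order and the
    first zone with a matching rule decides;
  * within a zone an exact owner-name match beats a wildcard, and the
    wildcard with the longest owner name wins.
Assumption: a wildcard ``*.suffix`` matches every name with at least one
extra label under ``suffix`` (RFC 4592 closest-encloser rule ignored).
"""
from typing import Dict, List, Optional, Tuple

# CNAME targets with special meaning in RPZ -> resulting action.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def parse_rpz_zone(text: str) -> Tuple[str, Dict[str, str]]:
    """Extract CNAME policy rules from a minimal RPZ zone file.

    Returns (zone_name, {trigger_name: action}).  SOA, NS, $TTL and
    comments are ignored; only CNAME records carry policy here.
    """
    origin = ""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if "CNAME" not in tokens:
            continue                          # SOA / NS / $TTL lines
        owner, target = tokens[0].lower(), tokens[-1]
        if not owner.endswith("."):
            if not origin:
                raise ValueError("relative owner name before $ORIGIN")
            owner = f"{owner}.{origin}."      # make the owner absolute
        suffix = f".{origin}."
        if not owner.endswith(suffix):
            raise ValueError(f"{owner} is not inside policy zone {origin}")
        trigger = owner[: -len(suffix)]       # strip the policy zone name
        rules[trigger] = SPECIAL_TARGETS.get(target, f"LOCAL-DATA:{target}")
    return origin, rules


def match_in_zone(rules: Dict[str, str], qname: str) -> Optional[Tuple[str, str]]:
    """Return (trigger, action) for the rule in one zone covering qname."""
    qname = qname.rstrip(".").lower()
    if qname in rules:                        # exact name beats any wildcard
        return qname, rules[qname]
    labels = qname.split(".")
    # Candidate wildcard owners, most specific first: *.b.c.d, *.c.d, *.d
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return wild, rules[wild]
    return None


def rpz_lookup(zones: List[Tuple[str, Dict[str, str]]],
               qname: str) -> Optional[Tuple[str, str, str]]:
    """Walk policy zones in declaration order; the first hit decides.

    Returns (zone_name, trigger, action), or None when no policy applies.
    """
    for zone_name, rules in zones:
        hit = match_in_zone(rules, qname)
        if hit is not None:
            return zone_name, hit[0], hit[1]
    return None


# Copies of the two zone files from the post (constructed here as strings).
RPZ_WHITE = """\
$ORIGIN rpz.white.
$TTL    10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
  IN NS  localhost.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
"""
RPZ_BLACK = """\
$ORIGIN rpz.black.
$TTL    10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
  IN NS  localhost.
2o7.net CNAME .
*.2o7.net CNAME .
"""
# Same order as: response-policy { zone "rpz.white"; zone "rpz.black" ... }
ZONES = [parse_rpz_zone(RPZ_WHITE), parse_rpz_zone(RPZ_BLACK)]

# Assumed fix, not tried in the post: a wildcard passthru is needed to
# exempt the names *beneath* bcbsks.com.102.112.2o7.net as well.
RPZ_WHITE_WILDCARD = RPZ_WHITE + "*.bcbsks.com.102.112.2o7.net CNAME rpz-passthru.\n"
ZONES_WILDCARD = [parse_rpz_zone(RPZ_WHITE_WILDCARD), parse_rpz_zone(RPZ_BLACK)]

if __name__ == "__main__":
    for name in ["foo.2o7.net", "foo.com.102.112.2o7.net", "bcbsks.102.112.2o7.net",
                 "bcbsks.com.102.112.2o7.net", "foo.bcbsks.com.102.112.2o7.net"]:
        print(f"{name:34} {rpz_lookup(ZONES, name)}"
              f"  | with wildcard whitelist: {rpz_lookup(ZONES_WILDCARD, name)}")
```

Run it and the table matches the dig results above: every name under 2o7.net lands on rpz.black's `*.2o7.net` except the one exact name in rpz.white, and `foo.bcbsks.com.102.112.2o7.net` is only exempted once the wildcard passthru rule is added to the whitelist zone.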
