[DNSfirewalls] rpz firewall + whitelisting
Lee
ler762 at gmail.com
Wed Aug 28 15:18:10 UTC 2019
On 8/26/19, Lee wrote:
> On 8/26/19, m3047 wrote:
>> I've always felt best practice was (listed in order of precedence /
>> declaration):
>>
>> 1) A local whitelist.
>>
>> 2) Any third party zones.
>>
>> 3) A local blacklist.
>
> I haven't tried this, but let's pretend that
> your local blacklist has *.2o7.net
> a third party blacklist zone adds bcbsks.com.102.112.2o7.net
> I'm guessing that your blacklist doesn't actually blacklist
> 112.2o7.net & everything below it now.
For the record, my guesses about how rpz works continue at 100% wrong:
$ cat db.rpz*
$ORIGIN rpz.black.
$TTL 10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
    IN NS localhost.
2o7.net CNAME .
*.2o7.net CNAME .
; === end ===
$ORIGIN rpz.white.
$TTL 10s
@ IN SOA localhost. admin ( 2019082801 6h 15 1d 1s )
    IN NS localhost.
bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
; === end ===
$ grep rpz named.conf
response-policy { zone "rpz.white"; zone "rpz.black" log yes; }
break-dnssec yes recursive-only no qname-wait-recurse no;
zone "rpz.white" in { type master; notify no; file
"ZONES/db.rpz-white"; };
zone "rpz.black" in { type master; notify no; file
"ZONES/db.rpz-black"; };
All these are blacklisted:
$ dig @127.0.0.1 foo.2o7.net
$ dig @127.0.0.1 foo.112.2o7.net
$ dig @127.0.0.1 foo.102.112.2o7.net
$ dig @127.0.0.1 foo.com.102.112.2o7.net
$ dig @127.0.0.1 bcbsks.102.112.2o7.net
and this isn't
$ dig @127.0.0.1 bcbsks.com.102.112.2o7.net
Change db.rpz-white to
$ cat db.rpz-white
$ORIGIN rpz.white.
$TTL 10s
@ IN SOA localhost. admin ( 2019082802 6h 15 1d 1s )
    IN NS localhost.
bcbsks.com.102.112.2o7.net CNAME .
; bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
; === end ===
and the only difference in the results is that
bcbsks.com.102.112.2o7.net is also blocked
Lee
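The precedence behind these dig results can be reproduced with a small model of RPZ QNAME-trigger lookups. This is an added example, not code from the post or from BIND; it assumes the documented RPZ ordering (zones consulted in the order given in response-policy, first zone with a matching rule wins, exact owner name beats a wildcard within a zone) and ordinary DNS wildcard semantics per RFC 4592, where an empty non-terminal created by a longer name blocks wildcard synthesis below it. The zone names, rule sets and query names are the ones from the post; "rpz.single" is a constructed zone that puts the same rules into one file, which is the case the earlier guess was about. Whether a given resolver build behaves exactly like the model is something to confirm with dig, as was done above.

```python
# Model of BIND RPZ QNAME-trigger precedence (assumption: zones in listed order,
# first matching zone wins, exact name beats wildcard, RFC 4592 wildcard rules).
from typing import Optional

NXDOMAIN = "NXDOMAIN"   # action for "CNAME ."
PASSTHRU = "PASSTHRU"   # action for "CNAME rpz-passthru."


def _labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


class RpzZone:
    """One policy zone holding QNAME rules: owner name -> action."""

    def __init__(self, name: str, rules: dict):
        self.name = name
        self.rules = {".".join(_labels(k)): v for k, v in rules.items()}
        # Every node that exists in the zone: rule owners plus the empty
        # non-terminals above them. An existing node without a rule is an ENT,
        # and a wildcard never matches at or below an existing closer node.
        self.existing = set()
        for owner in self.rules:
            labels = _labels(owner)
            if labels[0] == "*":
                labels = labels[1:]
            for i in range(len(labels)):
                self.existing.add(".".join(labels[i:]))

    def lookup(self, qname: str) -> Optional[str]:
        labels = _labels(qname)
        q = ".".join(labels)
        if q in self.rules:            # exact owner name wins
            return self.rules[q]
        if q in self.existing:         # empty non-terminal: no synthesis
            return None
        # Closest encloser: the nearest ancestor that exists in the zone.
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if ancestor in self.existing:
                return self.rules.get("*." + ancestor)
        return None


class ResponsePolicy:
    """Zones in the order they appear in the response-policy statement."""

    def __init__(self, zones: list):
        self.zones = zones

    def decide(self, qname: str):
        """Return (action, zone name) for the first zone with a matching rule."""
        for zone in self.zones:
            action = zone.lookup(qname)
            if action is not None:
                return action, zone.name
        return None, None


# Zones as posted: whitelist first, then the blacklist.
RPZ_BLACK = RpzZone("rpz.black", {"2o7.net": NXDOMAIN, "*.2o7.net": NXDOMAIN})
RPZ_WHITE = RpzZone("rpz.white", {"bcbsks.com.102.112.2o7.net": PASSTHRU})
POLICY = ResponsePolicy([RPZ_WHITE, RPZ_BLACK])

# Constructed comparison: the same three rules inside one zone.
RPZ_SINGLE = RpzZone("rpz.single", {
    "2o7.net": NXDOMAIN,
    "*.2o7.net": NXDOMAIN,
    "bcbsks.com.102.112.2o7.net": PASSTHRU,
})
SINGLE_POLICY = ResponsePolicy([RPZ_SINGLE])

QUERIES = [
    "foo.2o7.net", "foo.112.2o7.net", "foo.102.112.2o7.net",
    "foo.com.102.112.2o7.net", "bcbsks.102.112.2o7.net",
    "bcbsks.com.102.112.2o7.net",
]

if __name__ == "__main__":
    for q in QUERIES:
        print(f"{q:32} two zones: {POLICY.decide(q)}  one zone: {SINGLE_POLICY.decide(q)}")
```

With two zones the model gives the posted result: every name under 2o7.net hits the wildcard in rpz.black except the exact whitelist entry, which rpz.white answers first. In the single-zone variant the whitelist entry creates empty non-terminals such as 112.2o7.net inside the same zone, so names under them no longer reach *.2o7.net, which is the behaviour the earlier guess described and which the separate-zone layout avoids.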