[DNSfirewalls] rpz firewall + whitelisting

Vernon Schryver vjs at rhyolite.com
Wed Aug 28 15:44:31 UTC 2019

> From: Lee <ler762 at gmail.com>

> ...
> For the record, my guesses about how rpz works continues at 100% wrong:
> ...

Instead of trying to predict RPZ behavior based on what seems like
a reasonable policy mechanism, start by understanding DNS behavior.
In other words:

 1. write down one or more policy zones

 2. "play computer" to look up a test domain such as foo.bar.what.ever.2o7.net
     in the policy zone, but without any policy considerations.
     Simply and only get the DNS resource record (RR) from the zone
     as if the zone were authoritative for 2o7.net using the ancient
     DNS domain look up scheme.

 3. repeat step #2 for all of your zones from step #1 to collect all 
     relevant policy actions.

 4. apply the precedence rules of section 5 of 
     to choose a single action among the RRs or rules found in steps
     #2 and #3.

 5. take the single action from step #4 and interpret it according to
     to sections 3 and 4 of 
If the action you get in step #3 is not what you want, then try to
figure out a way to change what you did in step #1 to give the desired
result in step #5.

If you want to do what I might understand that you want with a single
zone, you probably need to synthesize or generate records.  If you
are trying to whitelist one of your own DNS zones, this might be
messy but not hard,
at least compared to doing the same for someone else's zone.

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list