[DNSfirewalls] rpz firewall + whitelisting
Vernon Schryver
vjs at rhyolite.com
Wed Aug 28 15:44:31 UTC 2019
> From: Lee <ler762 at gmail.com>
> ...
> For the record, my guesses about how rpz works continue at 100% wrong:
> ...
Instead of trying to predict RPZ behavior based on what seems like
a reasonable policy mechanism, start by understanding DNS behavior.
In other words:
1. write down one or more policy zones
2. "play computer" to look up a test domain such as foo.bar.what.ever.2o7.net
   in the policy zone, but without any policy considerations.
   Simply and only get the DNS resource record (RR) from the zone
   as if the zone were authoritative for 2o7.net using the ancient
   DNS domain look-up scheme.
3. repeat step #2 for all of your zones from step #1 to collect all
   relevant policy actions.
4. apply the precedence rules of section 5 of
   https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-rpz-00.txt
   to choose a single action among the RRs or rules found in steps
   #2 and #3.
5. take the single action from step #4 and interpret it according
   to sections 3 and 4 of
   https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-rpz-00.txt
If the action you get in step #3 is not what you want, then try to
figure out a way to change what you did in step #1 to give the desired
result in step #5.
If you want to do what I might understand that you want with a single
zone, you probably need to synthesize or generate records. If you
are trying to whitelist one of your own DNS zones, this might be
messy but not hard, at least compared to doing the same for someone
else's zone.
Vernon Schryver vjs at rhyolite.com
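As an added example, not part of Vernon's post or of any RPZ implementation: a small Python model of step 2 and of the zone-order precedence rule of section 5, looking a QNAME up in a policy zone the way an authoritative server would (RFC 4592 wildcard rules: exact owner name first, otherwise the wildcard under the closest encloser, with an empty non-terminal shadowing any wildcard above it) and then taking the first configured zone that answers. The zones, names and the whitelist layout are constructed for illustration; only QNAME triggers are modelled.

```python
# Added example (not from the original post): "play computer" for RPZ QNAME
# triggers. A policy zone is modelled as {trigger name: CNAME target}, with the
# trigger names written relative to the policy zone's apex. Zones and names
# below are constructed for illustration.

def normalize(name):
    return name.lower().rstrip(".")

def lookup(zone, qname):
    """Step 2: look qname up as if the zone were authoritative for it, using
    ordinary DNS (RFC 4592) rules. Returns the CNAME target, or None when the
    zone yields NXDOMAIN/NODATA, i.e. no policy from this zone."""
    records = {normalize(owner): target for owner, target in zone.items()}
    existing = set()                      # owner names plus empty non-terminals
    for owner in records:
        labels = owner.split(".")
        for i in range(len(labels)):
            existing.add(".".join(labels[i:]))
    q = normalize(qname)
    if q in records:
        return records[q]                 # exact match wins over any wildcard
    if q in existing:
        return None                       # empty non-terminal: NODATA
    labels = q.split(".")
    for i in range(1, len(labels)):       # walk up to the closest encloser
        encloser = ".".join(labels[i:])
        if encloser in existing:
            return records.get("*." + encloser)   # wildcard there, or NXDOMAIN
    return None

def decide(zones, qname):
    """Steps 3 and 4 for QNAME triggers only: consult the zones in configured
    order and take the record from the first zone that has one."""
    for zone_name, zone in zones:
        target = lookup(zone, qname)
        if target is not None:
            return zone_name, target
    return None, None

# One zone that blocks *.2o7.net and tries to whitelist one name inside it.
SINGLE_ZONE = {"*.2o7.net": ".", "foo.bar.what.ever.2o7.net": "rpz-passthru."}
# The same intent split into two zones, whitelist zone configured first.
TWO_ZONES = [
    ("whitelist", {"foo.bar.what.ever.2o7.net": "rpz-passthru.",
                   "*.foo.bar.what.ever.2o7.net": "rpz-passthru."}),
    ("block", {"*.2o7.net": "."}),
]

if __name__ == "__main__":
    for q in ("x.2o7.net", "what.ever.2o7.net", "x.foo.bar.what.ever.2o7.net"):
        print(q, lookup(SINGLE_ZONE, q), decide(TWO_ZONES, q))
```

In the single zone, the passthru record creates empty non-terminals (what.ever.2o7.net and its ancestors) and a closest encloser for everything below foo.bar.what.ever.2o7.net, so those names fall outside the *.2o7.net wildcard and get no policy at all; the two-zone layout returns the intended block or passthru for each of them.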