[DNSfirewalls] rpz firewall + whitelisting

m3047 m3047 at m3047.net
Wed Aug 28 18:43:36 UTC 2019


For better or worse, response policy zones are DNS /zones/. This has use 
cases outside of blocking something. For one thing the domains in an RPZ 
can be managed like the contents of a zone; you're seeing this as a 
negative at the moment. The RPZ can be queried directly (DNS is an awesome 
key/value store in the right environment); RPZs can be managed within the 
DNS ecosystem like other zones.

I don't know that I've ever seen a formal and unambiguous definition of a 
"(BIND) Zone File". I know I informally tried to get some of Mockapetris' 
language in the RFC edited in the BIND ARM without success. But mostly it 
seems to work for people.

The format reflects architectural bias from current and envisioned 
implementations of the time. DNS is a distributed tree thingy, with no 
single entity having actual control over everything but with delegated 

Axiomatically there is only one correct representation of the zone 
functionally speaking.

There have been a number of zone file maintaining projects / products over 
the years. But it might be better to dispense with the notion of 
maintaining the zone /file/ and just focus on the /zone/ (dynamic updates, 
or a database backend; what Vixie said, I personally use a Perl script to 
do dynamic updates). I don't have any recommendations. But I'd invite you 
to find one that does what you want, or that you can fork or send a pull 
request for, and come back here and ask for feedback / assistance: I'd 
love to hear about what you find! Personally I'd prefer Python or Go, I 
used to do a lot of Perl, and I'd find C or Rust to be odd choices; but 
really anything but Java. :-p

It's a conceptual impedance mismatch: the hardware programming manual may 
say you can get some result by writing to a register or address, but any 
way you accomplish it in C is going to be a kludge (notwithstanding 
there's a lot of it going around).

On Wed, 28 Aug 2019, Lee wrote:

> [...]
> For the record, my guesses about how rpz works continues at 100% wrong:
> [...]
>  response-policy { zone "rpz.white"; zone "rpz.black" log yes; }
> [...]
> bcbsks.com.102.112.2o7.net CNAME .
> ; bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> ; === end ===
> and the only difference in the results is that
> bcbsks.com.102.112.2o7.net is also blocked

1) You've got two RPZs, in order of precedence rpz.white and rpz.black [1]

2) "CNAME ." is the idiom which returns NXDOMAIN; "rpz-passthru" is the
    idiom which leaves a query unmolested.

3) In the rpz.black you're declaring *.2o7.net as NXDOMAIN; nothing below
    that is touched (no empty nonterminals). In rpz.white you're declaring
    bcbsks.com.102.112.2o7.net passthru.

*) com.102.112.207.net comes back as NXDOMAIN

*) bcbsks.com.102.112.2o7.net resolves

4) You change the rule in rpz.white for bcbsks.com.102.112.2o7.net to

*) bcbsks.com.102.112.2o7.net comes back as NXDOMAIN

You shouldn't do #4. ;-) Questions:

Why is bcbsks.com.102.112.2o7.net blocked? Because you blocked it. Even if 
you just commented out the rule in rpz.white, the wildcard in rpz.black 
would still catch it.

Why is com.102.112.2o7.net (still) blocked? Because you blocked it.

But doesn't declaring bcbsks.com.102.112.2o7.net create empty 
nonterminals, regardless of what the policy attached to it is? Yes it 
does. I'm not testing with an exact replica of your zones, but I'll wager 
that net.rpz.black is an empty nonterminal.

Why does the impact of empty nonterminals differ depending on which zone I 
declare the domain in? In rpz.black you have an active (wildcard) context.

Best regards...


Fred Morris


[1] You've declared two TLDs, .black and .white. Some of us stubbornly use 
personal network TLDs and build our network defenses accordingly; sane and 
pragmatic people tend to want to declare under namespace they control.

More information about the DNSfirewalls mailing list