<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 5, 2018 at 11:47 AM Francis Turner <<a href="mailto:francis@threatstop.com">francis@threatstop.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_7787559485186735751WordSection1">
<p class="MsoNormal">All,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’ve looked in various places and I want to make sure I’m correctly interpreting things<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">What happens if I have two RPZ lines in either the same or different zones?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><a href="http://precise.fqdn.example.com" target="_blank">precise.fqdn.example.com</a> CNAME *.<br>
*.<a href="http://example.com" target="_blank">example.com</a> CNAME rpz-passthru.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Which one wins?<br>
<br>
I think it is the more specific one (<a href="http://precise.fqdn.example.com" target="_blank">precise.fqdn.example.com</a> ). <u></u><u></u></p>
<p class="MsoNormal">This is annoying if I want to whitelist the entire <a href="http://example.com" target="_blank">example.com</a> domain from being blocked if it is in an RPZ zone that I get from somewhere else.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">In that case is there a way to override the more specific matching rule?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Regards<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Francis<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Francis Turner
</span></b><u></u><u></u></p>
<p class="MsoNormal" style="background:white">Threat STOP Global SE<u></u><u></u></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt;color:rgb(89,89,89)">Office: +1-760-542-1550 | Cell: +1-760-402-7676</span><u></u><u></u></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt"><a href="mailto:francis@threatstop.com" target="_blank"><span style="color:rgb(5,99,193)">francis@threatstop.com</span></a><span style="color:black"> | </span></span><a href="http://www.threatstop.com/" target="_blank"><span style="font-size:12pt;color:rgb(0,112,192)">www.threatstop.com</span></a><u></u><u></u></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Weaponize Your Threat Intelligence</span></b><b><span style="font-size:12pt;color:black">
</span></b><u></u><u></u></p>
<p class="MsoNormal" style="background:white">“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie</p></div></div></blockquote><div><br></div><div>I think you want to take advantage of the first ordering rule:</div><div>"Choose the triggered record in the zone that appears first in the response-policy option."</div><div><br></div><div> response-policy { </div><div><span style="white-space:pre"> </span>zone "<a href="http://rpz-whitelist.example.com">rpz-whitelist.example.com</a>" policy disabled;</div><div><span style="white-space:pre"> </span>zone "<a href="http://rpz-blacklist.example.com">rpz-blacklist.example.com</a>" policy given;</div><div>};</div><div><br></div><div>rpz-whitelist will always win.</div><div><br></div><div>-- </div><div>Bob Harold</div><div><br></div></div></div>