<div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 5, 2018 at 12:47 PM Bob Harold <<a href="mailto:rharolde@umich.edu">rharolde@umich.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Tue, Jun 5, 2018 at 11:47 AM Francis Turner <<a href="mailto:francis@threatstop.com" target="_blank">francis@threatstop.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="m_-1556763181740732084gmail-m_7787559485186735751WordSection1">
<p class="MsoNormal">All,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ve looked in various places and I want to make sure I’m correctly interpreting things</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">What happens if I have two RPZ lines in either the same or different zones?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a href="http://precise.fqdn.example.com" target="_blank">precise.fqdn.example.com</a> CNAME *.<br>
*.<a href="http://example.com" target="_blank">example.com</a> CNAME rpz-passthru.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Which one wins?<br>
<br>
I think it is the more specific one (<a href="http://precise.fqdn.example.com" target="_blank">precise.fqdn.example.com</a>).</p>
<p class="MsoNormal">This is annoying if I want to whitelist the entire <a href="http://example.com" target="_blank">example.com</a> domain from being blocked if it is in an RPZ zone that I get from somewhere else.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In that case is there a way to override the more specific matching rule?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Regards</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Francis</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Francis Turner</span></b></p>
<p class="MsoNormal" style="background:white">Threat STOP Global SE</p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt;color:rgb(89,89,89)">Office: +1-760-542-1550 | Cell: +1-760-402-7676</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:12pt"><a href="mailto:francis@threatstop.com" target="_blank"><span style="color:rgb(5,99,193)">francis@threatstop.com</span></a><span style="color:black"> | </span></span><a href="http://www.threatstop.com/" target="_blank"><span style="font-size:12pt;color:rgb(0,112,192)">www.threatstop.com</span></a></p>
<p class="MsoNormal" style="background:white"><b><span style="font-size:12pt;color:rgb(89,89,89)">Weaponize Your Threat Intelligence</span></b></p>
<p class="MsoNormal" style="background:white">“If You Don’t Build It, They Definitely Will Not Come” – P. Vixie</p></div></div></blockquote><div><br></div><div>I think you want to take advantage of the first ordering rule:</div><div>"Choose the triggered record in the zone that appears first in the response-policy option."</div><div><br></div><div> response-policy { </div><div><span style="white-space:pre-wrap">     </span>zone "<a href="http://rpz-whitelist.example.com" target="_blank">rpz-whitelist.example.com</a>" policy disabled;</div><div><span style="white-space:pre-wrap">       </span>zone "<a href="http://rpz-blacklist.example.com" target="_blank">rpz-blacklist.example.com</a>" policy given;</div><div>};</div><div><br></div><div>rpz-whitelist will always win.</div><div><br></div><div>-- </div><div>Bob Harold</div></div></div></blockquote><div><br></div><div><span style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Reading Vernon's answer, this needs to be "passthru" instead of "disabled"</span></div><div><span style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I have not actually tested this.</span></div><div><br></div><div><div 
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"> response-policy { </div><div style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="white-space:pre-wrap">    </span>zone "<a href="http://rpz-whitelist.example.com/" target="_blank" style="color:rgb(17,85,204)">rpz-whitelist.example.com</a>" policy passthru;</div><div style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><span style="white-space:pre-wrap">     </span>zone "<a href="http://rpz-blacklist.example.com/" target="_blank" style="color:rgb(17,85,204)">rpz-blacklist.example.com</a>" policy given;</div><div style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">};</div><br></div><div>-- </div><div>Bob Harold</div><div><br></div></div></div>
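To make the two ordering rules this thread turns on concrete, here is an added Python model of RPZ QNAME-trigger selection. It is not BIND's code and was not posted by anyone in the thread. It assumes the rules as the BIND ARM describes them (the zone listed first in `response-policy` wins across zones; within a zone the most specific matching name wins; `*.example.com` matches names below `example.com` at any depth but not `example.com` itself), treats a `policy disabled` zone as log-only so that later zones are still consulted, and breaks ties between an exact name and a wildcard of the same depth by counting literal labels. The zone names and records are constructed from the examples in the thread.

```python
# Toy model of BIND RPZ QNAME-trigger precedence (added illustration, not BIND code).
# Rules modelled:
#   1. across zones, the zone listed first in response-policy wins;
#   2. within a zone, the most specific matching trigger (most literal labels) wins;
#   3. the zone-level policy override (given / passthru / disabled) is applied.
from dataclasses import dataclass, field


@dataclass
class RpzZone:
    name: str                       # zone name as written in response-policy { zone "..."; }
    policy: str = "given"           # zone-level override: "given", "passthru" or "disabled"
    triggers: dict = field(default_factory=dict)  # owner name -> action (nxdomain, nodata, passthru)


def _labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


def trigger_matches(trigger: str, qname: str) -> bool:
    """RPZ QNAME matching: '*.example.com' matches every name below example.com
    (at any depth) but not example.com itself; any other trigger is an exact match."""
    t, q = _labels(trigger), _labels(qname)
    if t[0] == "*":
        suffix = t[1:]
        return len(q) > len(suffix) and q[-len(suffix):] == suffix
    return t == q


def _specificity(trigger: str) -> int:
    # Count literal labels only, so an exact name beats a wildcard of the same depth
    # (assumed tie-break for this model).
    return sum(1 for label in _labels(trigger) if label != "*")


def best_trigger_in_zone(zone: RpzZone, qname: str):
    """Most specific trigger in one zone that matches qname, or None."""
    matches = [t for t in zone.triggers if trigger_matches(t, qname)]
    return max(matches, key=_specificity) if matches else None


def rpz_decide(zones: list, qname: str):
    """Walk zones in response-policy order; return (zone, trigger, action) for the
    first zone that matches and is allowed to rewrite, else None.
    Assumption in this model: a 'policy disabled' zone only logs, so the search
    continues into later zones (consistent with the disabled -> passthru correction)."""
    for zone in zones:
        trigger = best_trigger_in_zone(zone, qname)
        if trigger is None or zone.policy == "disabled":
            continue
        action = zone.triggers[trigger] if zone.policy == "given" else zone.policy
        return zone.name, trigger, action
    return None


def thread_scenarios() -> dict:
    """Constructed scenarios mirroring the thread (example data, not real zones)."""
    # Both records in one zone. In RPZ, 'CNAME *.' encodes NODATA and
    # 'CNAME rpz-passthru.' encodes passthru.
    single = [RpzZone("rpz.example.com", "given", {
        "precise.fqdn.example.com": "nodata",
        "*.example.com": "passthru",
    })]
    # Corrected layout: whitelist zone listed first and forced to passthru.
    whitelist = RpzZone("rpz-whitelist.example.com", "passthru", {"*.example.com": "passthru"})
    blacklist = RpzZone("rpz-blacklist.example.com", "given", {"precise.fqdn.example.com": "nodata"})
    split = [whitelist, blacklist]
    # First draft: whitelist zone listed first but disabled.
    disabled_first = [RpzZone("rpz-whitelist.example.com", "disabled", {"*.example.com": "passthru"}),
                      blacklist]
    q = "precise.fqdn.example.com"
    return {
        "same_zone": rpz_decide(single, q),                    # most specific name wins -> nodata
        "whitelist_first": rpz_decide(split, q),               # zone order wins -> passthru
        "whitelist_disabled": rpz_decide(disabled_first, q),   # falls through -> nodata
        "apex_not_wildcarded": rpz_decide(split, "example.com"),  # wildcard does not cover the apex
    }


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label}: {result}")
```

Running the script prints one line per scenario: in a single zone the exact `precise.fqdn.example.com` record beats the wildcard, while with the whitelist zone listed first under `policy passthru` the wildcard passthru is chosen before the blacklist zone is ever consulted. The `apex_not_wildcarded` case is the caveat to keep in mind when whitelisting a whole domain: `*.example.com` alone does not cover `example.com` itself, so the apex needs its own record.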