<div dir="ltr">I don't know of any tool. I have not done any searching. <br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><br>-- <br>Bob Harold</div><div><br></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 26, 2019 at 1:39 PM Lee <<a href="mailto:ler762@gmail.com">ler762@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 8/26/19, Bob Harold <<a href="mailto:rharolde@umich.edu" target="_blank">rharolde@umich.edu</a>> wrote:<br>
> On Mon, Aug 26, 2019 at 8:28 AM Lee <<a href="mailto:ler762@gmail.com" target="_blank">ler762@gmail.com</a>> wrote:<br>
><br>
>> On 8/26/19, Peter van Dijk <<a href="mailto:peter.van.dijk@powerdns.com" target="_blank">peter.van.dijk@powerdns.com</a>> wrote:<br>
>> > On Sun, 2019-08-25 at 15:51 -0400, Lee wrote:<br>
>> >> $ cat db.test-rpz<br>
>> >> $ORIGIN rpz.test.<br>
>> >> @ IN SOA localhost. admin ( 2019082415 6h 15 1d 1s )<br>
>> >> IN NS localhost.<br>
>> >> <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a> CNAME rpz-passthru.<br>
>> >> <a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
>> >> *.<a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
>> >> ; === end ===<br>
>> ><br>
>> ><br>
>> >> I'm expecting all of <a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> to be blocked except for the one name<br>
>> >> that's been whitelisted:<br>
>> >> <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a><br>
>> >><br>
>> >> What I get is not only <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a> being whitelisted,<br>
>> >> but all these are also whitelisted:<br>
>> >> <a href="http://foo.bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">foo.bcbsks.com.102.112.2o7.net</a><br>
>> >> <a href="http://foo.com.102.112.2o7.net" rel="noreferrer" target="_blank">foo.com.102.112.2o7.net</a><br>
>> >> <a href="http://foo.102.112.2o7.net" rel="noreferrer" target="_blank">foo.102.112.2o7.net</a><br>
>> >> <a href="http://foo.112.2o7.net" rel="noreferrer" target="_blank">foo.112.2o7.net</a><br>
>> >><br>
>> ><br>
>> > DNS is a tree. The presence of <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a> also causes<br>
>> > <a href="http://com.102.112.2o7.net" rel="noreferrer" target="_blank">com.102.112.2o7.net</a>, <a href="http://102.112.2o7.net" rel="noreferrer" target="_blank">102.112.2o7.net</a> and <a href="http://112.2o7.net" rel="noreferrer" target="_blank">112.2o7.net</a> to exist, holding<br>
>> no<br>
>> > data (these are called empty non-terminals). Their presence prevents<br>
>> > expansion of the wildcard. If you want to block those names too, you<br>
>> > will<br>
>> > have to do so explicitly.<br>
>><br>
>> wow.. I would never guessed that. Thank you!<br>
>><br>
>> Is there some other way to poke holes in an rpz firewall that doesn't<br>
>> require listing _all_ the nodes in the tree? Even indented so it's<br>
>> obvious all the nodes are listed, it looks like a pain to maintain:<br>
>><br>
>> $ cat db.test-rpz<br>
>> $ORIGIN rpz.test.<br>
>> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )<br>
>> IN NS localhost.<br>
>> *.<a href="http://com.102.112.2o7.net" rel="noreferrer" target="_blank">com.102.112.2o7.net</a> CNAME .<br>
>> <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a> CNAME rpz-passthru.<br>
>> *.<a href="http://102.112.2o7.net" rel="noreferrer" target="_blank">102.112.2o7.net</a> CNAME .<br>
>> *.<a href="http://112.2o7.net" rel="noreferrer" target="_blank">112.2o7.net</a> CNAME .<br>
>> *.<a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
>> <a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
>> ; === end ===<br>
>><br>
>><br>
>> Thanks,<br>
>> Lee<br>
>><br>
><br>
> Actually, to be complete:<br>
><br>
> <a href="http://bcbsks.com.102.112.2o7.net" rel="noreferrer" target="_blank">bcbsks.com.102.112.2o7.net</a> CNAME rpz-passthru.<br>
> *.<a href="http://com.102.112.2o7.net" rel="noreferrer" target="_blank">com.102.112.2o7.net</a> CNAME .<br>
> <a href="http://com.102.112.2o7.net" rel="noreferrer" target="_blank">com.102.112.2o7.net</a> CNAME .<br>
> *.<a href="http://102.112.2o7.net" rel="noreferrer" target="_blank">102.112.2o7.net</a> CNAME .<br>
> <a href="http://102.112.2o7.net" rel="noreferrer" target="_blank">102.112.2o7.net</a> CNAME .<br>
> *.<a href="http://112.2o7.net" rel="noreferrer" target="_blank">112.2o7.net</a> CNAME .<br>
> <a href="http://112.2o7.net" rel="noreferrer" target="_blank">112.2o7.net</a> CNAME .<br>
> *.<a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
> <a href="http://2o7.net" rel="noreferrer" target="_blank">2o7.net</a> CNAME .<br>
><br>
> Yes, it's a pain, but that is how wildcards work. Someone should write a<br>
> tool to manage them. :)<br>
<br>
Has someone? Because that's what prompted my question :)<br>
<a href="https://github.com/StevenBlack/hosts/issues/451" rel="noreferrer" target="_blank">https://github.com/StevenBlack/hosts/issues/451</a><br>
i'd like to publish this data in RPZ format<br>
<br>
I'd rather block *.domain rather than list each host in the domain &<br>
constantly have to update the list as names are added/removed from the<br>
domain. But there's notes in the file about blocking <this> breaks<br>
<that> site, so it seemed like it'd be a nice option to be able to<br>
whitelist things to keep the site breakage down.<br>
<br>
Thanks<br>
Lee<br>
</blockquote></div>