Whitelisting domains filtered by RPZ
Carsten Strotmann
carsten at strotmann.de
Tue May 31 11:35:32 UTC 2022
Hi
On 31 May 2022, at 10:23, dns--- via Unbound-users wrote:
>
> Answering my own question here:
>
> It looks like the most reliable solution would be to set up a whitelist RPZ zone where you would put your whitelisted domains.
>
> This might look like this:
>
> rpz:
>     name: "whitelist.rpz.zone"
>     zonefile: "whitelist.rpz.zone"
>     rpz-log: yes
>     rpz-log-name: "whitelist"
>     tags: "whitelist"
>
> and in the zone file simply use something like:
>
> whitelist.rpz.zone. 86400 IN SOA localhost. root.local. 20220413 604800 86400 2419200 86400
> whitelist.rpz.zone. 86400 IN A x.y.z.t
> whitelist.rpz.zone. 86400 IN NS LOCALHOST.
> twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
> *.twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
>
> If anyone can confirm this is the expected and best / right way to proceed, it would be nice.
>
Yes, to my knowledge this is "best practice". I use this setup in various installations. The order of RPZ zones in the unbound configuration is important: the whitelist RPZ should be the first in the list of configured RPZ zones, as RPZ is a "match first" system.
Greetings
Carsten
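The "match first" point above, as an added Python model that is not part of the thread or of Unbound itself: it parses the zone-file records quoted in the post and evaluates a query name against RPZ zones in configuration order, so swapping the order flips the answer for twitter.com from passthru to NXDOMAIN. It assumes a simplified RPZ (QNAME triggers only, an exact trigger beats a wildcard, the first zone with a match wins); the blocklist zone and its records are constructed for the demonstration.

```python
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

def parse_rpz_zone(apex, zone_text):
    """Map trigger name -> action for the CNAME policy records of one RPZ zone."""
    suffix = "." + apex.rstrip(".") + "."
    rules = {}
    for line in zone_text.splitlines():
        parts = line.split()
        # only 'owner TTL IN CNAME target' records are policies; skip SOA/NS/A/blank lines
        if len(parts) < 5 or parts[2:4] != ["IN", "CNAME"] or not parts[0].endswith(suffix):
            continue
        trigger = parts[0][:-len(suffix)]
        rules[trigger] = ACTIONS.get(parts[4], "LOCALDATA")  # any other CNAME target = local data
    return rules

def rpz_lookup(qname, zones):
    """Walk zones in configuration order; the first QNAME trigger that matches wins."""
    qname = qname.rstrip(".")
    labels = qname.split(".")
    for apex, rules in zones:
        if qname in rules:  # an exact trigger takes precedence over a wildcard
            return apex, rules[qname]
        for i in range(1, len(labels)):  # '*.parent' matches names below parent, closest first
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in rules:
                return apex, rules[wildcard]
    return None, "NOMATCH"

# Constructed sample zones (not from the thread): the passthru whitelist from the
# post, plus a blocklist that returns NXDOMAIN (CNAME .) for the same names.
WHITELIST = """whitelist.rpz.zone. 86400 IN SOA localhost. root.local. 1 604800 86400 2419200 86400
whitelist.rpz.zone. 86400 IN NS localhost.
twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
*.twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
"""
BLOCKLIST = """blocklist.rpz.zone. 86400 IN SOA localhost. root.local. 1 604800 86400 2419200 86400
blocklist.rpz.zone. 86400 IN NS localhost.
twitter.com.blocklist.rpz.zone. 86400 IN CNAME .
*.twitter.com.blocklist.rpz.zone. 86400 IN CNAME .
"""
ZONES = {"whitelist.rpz.zone": parse_rpz_zone("whitelist.rpz.zone", WHITELIST),
         "blocklist.rpz.zone": parse_rpz_zone("blocklist.rpz.zone", BLOCKLIST)}

def evaluate(qname, order):
    # 'order' is the list of rpz: zone names as they appear in unbound.conf
    return rpz_lookup(qname, [(apex, ZONES[apex]) for apex in order])

if __name__ == "__main__":
    print(evaluate("twitter.com", ["whitelist.rpz.zone", "blocklist.rpz.zone"]))
    print(evaluate("twitter.com", ["blocklist.rpz.zone", "whitelist.rpz.zone"]))
```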