Re: Whitelisting sites using RPZ
> Note, "[ log yes_or_no ]" has been added in BIND 9.12.

Sorry, this has been added in BIND 9.11 already.

Daniel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Whitelisting sites using RPZ
On 26.04.18 10:10, Blason R wrote:
> 9.12 is not yet stable; I believe?

9.12 is stable. 9.13 is current development. 9.11 is the current Extended Support Version (ESV).

You may want to read this:
https://www.isc.org/blogs/bind-release-strategy-updated/
https://kb.isc.org/article/AA-01540

Daniel
Re: Whitelisting sites using RPZ
9.12 is not yet stable; I believe?

On Thu, Apr 26, 2018 at 1:23 PM, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
> On 26.04.18 09:46, Blason R wrote:
> > Oh that's great...in that case general practice would be always whitelist
> > the zones first then blacklist?
>
> I'm using:
>
> whitelist with "policy passthru log no"
> test zones with "policy passthru"
> blacklists with "policy cname LANDINGPAGE"
>
> Note, "[ log yes_or_no ]" has been added in BIND 9.12.
>
> Daniel
Re: Whitelisting sites using RPZ
On 26.04.18 09:46, Blason R wrote:
> Oh that's great...in that case general practice would be always whitelist
> the zones first then blacklist?

I'm using:

whitelist with "policy passthru log no"
test zones with "policy passthru"
blacklists with "policy cname LANDINGPAGE"

Note, "[ log yes_or_no ]" has been added in BIND 9.12.

Daniel
Re: Whitelisting sites using RPZ
Oh that's great...in that case general practice would be always whitelist the zones first then blacklist?

On Thu, Apr 26, 2018 at 11:53 AM, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
> > response-policy { zone "malware.trap"; zone "whitelist.allow" policy
> > passthru; };
> > ...
>
> > So which one will take precedence in this case?
>
> Policy processing will search the zone files in the order in which they
> appear in the response-policy statement.
>
> So, you need to change the order in your example to achieve the desired
> result.
>
> Daniel
Re: Whitelisting sites using RPZ
> response-policy { zone "malware.trap"; zone "whitelist.allow" policy
> passthru; };
...
> So which one will take precedence in this case?

Policy processing will search the zone files in the order in which they appear in the response-policy statement.

So, you need to change the order in your example to achieve the desired result.

Daniel
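
The ordering rule from the reply above, as an added example that is not part of the thread: a small Python check that parses a response-policy statement and reports passthru (whitelist) zones listed after a zone that could rewrite the answer first. The function names, the reordered statement and the regex-based parsing (quoted zone names only) are assumptions of this sketch.

```python
import re

# Constructed sample inputs: the statement quoted in the thread, and the same
# statement with the order changed as the reply advises.
AS_POSTED = 'response-policy { zone "malware.trap"; zone "whitelist.allow" policy passthru; };'
REORDERED = 'response-policy { zone "whitelist.allow" policy passthru; zone "malware.trap"; };'

ZONE_RE = re.compile(r'zone\s+"([^"]+)"([^;]*);')   # zone name plus its options
POLICY_RE = re.compile(r'\bpolicy\s+([\w-]+)')      # explicit policy override

def parse_response_policy(statement):
    """Return [(zone_name, policy)] in the order the zones are listed.

    A zone with no explicit policy is reported as "given", meaning the
    actions come from the records in the zone itself.
    """
    body = re.search(r'response-policy\s*\{(.*)\}', statement, re.S)
    if body is None:
        raise ValueError("no response-policy statement found")
    zones = []
    for name, options in ZONE_RE.findall(body.group(1)):
        policy = POLICY_RE.search(options)
        zones.append((name, policy.group(1).lower() if policy else "given"))
    return zones

def shadowed_passthru_zones(statement):
    """Return (passthru_zone, earlier_zone) pairs where the whitelist comes late.

    Assumption of this sketch: every zone that is not "policy passthru"
    (or "policy disabled") may rewrite the answer before the whitelist
    zone is searched, because zones are searched in listed order.
    """
    shadowed, blocker = [], None
    for name, policy in parse_response_policy(statement):
        if policy == "passthru":
            if blocker is not None:
                shadowed.append((name, blocker))
        elif policy != "disabled" and blocker is None:
            blocker = name
    return shadowed

if __name__ == "__main__":
    for label, stmt in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, parse_response_policy(stmt), shadowed_passthru_zones(stmt))
```

An empty result means every passthru zone is listed ahead of the zones that can rewrite answers; it does not inspect the records inside the zones themselves.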