Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann

> Note, "[ log yes_or_no ]" has been added in BIND 9.12.

Sorry, this has been added in BIND 9.11 already.

Daniel
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann

On 26.04.18 10:10, Blason R wrote:
> 9.12 is not yet stable; I believe?

9.12 is stable. 9.13 is current development. 9.11 is the current
Extended Support Version (ESV).

You may want to read this:
https://www.isc.org/blogs/bind-release-strategy-updated/
https://kb.isc.org/article/AA-01540

Daniel


Re: Whitelisting sites using RPZ

2018-04-26 Thread Blason R
9.12 is not yet stable; I believe?

On Thu, Apr 26, 2018 at 1:23 PM, Daniel Stirnimann <
daniel.stirnim...@switch.ch> wrote:

> On 26.04.18 09:46, Blason R wrote:
> > Oh that's great... in that case general practice would be always whitelist
> > the zones first then blacklist?
>
> I'm using:
>
> whitelist with "policy passthru log no"
> test zones with "policy passthru"
> blacklists with "policy cname LANDINGPAGE"
>
> Note, "[ log yes_or_no ]" has been added in BIND 9.12.
>
> Daniel
>


Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
On 26.04.18 09:46, Blason R wrote:
> Oh that's great... in that case general practice would be always whitelist
> the zones first then blacklist?

I'm using:

whitelist with "policy passthru log no"
test zones with "policy passthru"
blacklists with "policy cname LANDINGPAGE"

Note, "[ log yes_or_no ]" has been added in BIND 9.12.

Daniel


Re: Whitelisting sites using RPZ

2018-04-26 Thread Blason R
Oh that's great... in that case general practice would be always whitelist
the zones first then blacklist?

On Thu, Apr 26, 2018 at 11:53 AM, Daniel Stirnimann <
daniel.stirnim...@switch.ch> wrote:

> > response-policy { zone "malware.trap"; zone "whitelist.allow"  policy
> > passthru; };
>
> ...
>
> > So which one will take precedence in this case?
>
> Policy processing will search the zone files in the order in which they
> appear in the response-policy statement.
>
> So, you need to change the order in your example to achieve the desired
> result.
>
> Daniel
>


Re: Whitelisting sites using RPZ

2018-04-26 Thread Daniel Stirnimann
> response-policy { zone "malware.trap"; zone "whitelist.allow"  policy
> passthru; };

...

> So which one will take precedence in this case?

Policy processing will search the zone files in the order in which they
appear in the response-policy statement.

So, you need to change the order in your example to achieve the desired
result.

Daniel
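As an added illustration that is not part of the thread, here is a named.conf fragment that contrasts the zone order from the original question with the whitelist-first ordering Daniel describes, using his three policy tiers. The zone names are the ones from the thread; the landing-page hostname, the file paths, the allow-query restriction and the role I assign to the "test" zone (a candidate blocklist observed but not enforced) are my own assumptions.

```conf
// Added example, not from the thread or from ISC. Zone names are those
// discussed on the list; landing.rpz.example.invalid and the file paths
// are constructed placeholders.

// ORDER FROM THE QUESTION (wrong): named walks the zones top to bottom
// and the first zone that matches the query name decides the outcome, so
// a name that appears in both zones is rewritten by malware.trap before
// whitelist.allow is ever consulted.
//
// response-policy {
//     zone "malware.trap";
//     zone "whitelist.allow" policy passthru;
// };

// CORRECTED ORDER: exemptions first, observation second, enforcement last.
response-policy {
    // Exempted names: hand back the real answer and do not log the hit.
    // The per-zone "log" option requires BIND 9.11 or later.
    zone "whitelist.allow" policy passthru log no;

    // Candidate blocklist under evaluation: answered normally, but each
    // hit is still logged, so the list can be reviewed for false
    // positives before it is promoted to an enforced zone.
    zone "test.allow"      policy passthru;

    // Enforced blocklist: the zone-level override rewrites every hit to
    // the landing page regardless of the action each record specifies.
    zone "malware.trap"    policy cname landing.rpz.example.invalid;
};

// The RPZ zones themselves. Restricting queries to localhost keeps the
// lists from being enumerated by ordinary clients. The whitelist file
// holds records such as   good.example  CNAME rpz-passthru.   and the
// blocklist file records such as   bad.example  CNAME .
zone "whitelist.allow" {
    type master;
    file "rpz/whitelist.allow.db";
    allow-query { localhost; };
};
zone "test.allow" {
    type master;
    file "rpz/test.allow.db";
    allow-query { localhost; };
};
zone "malware.trap" {
    type master;
    file "rpz/malware.trap.db";
    allow-query { localhost; };
};
```

Run `named-checkconf` after editing and, for each zone file, `named-checkzone <zone-name> <file>`, then reload; a query for a whitelisted name should return its real answer while a blocklisted one resolves to the landing page.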