tech-net archive
Using blocklistd, and a bind plugin, to manage allowlists?
Hello all,
At $WORK I have a collection of scripts that attempt to allow certain
hosts through the firewall by name; that is, they periodically look up
certain hostname(s) and use the results to populate an NPF table. This
table is used to allow local hosts to make *outbound* connections to the
desired hosts; inbound connections are (generally) not allowed at all.
We've run into a problem recently where the round robin lookup for one
of the hosts turns quickly enough that several subsequent DNS lookups all
return different IP addresses. It may be that *every* DNS query returns
a different subset of hosts, and of course I can't make that work with
my current strategy. With outbound connections, however, a connection
attempt will always be preceded by a DNS lookup of the address it will
then connect to, so in theory there is an opportunity to update the
table on the fly. It should be almost trivial to construct a name-based
firewall for outbound connections using a plugin to named(8) that
communicates with blocklistd(8), using a blocklist rule that adds the
hosts to an NPF table for *allow* rather than blocking them. It seems
so trivial that someone must have done it already, but googling around
didn't turn anything up.
Is there a better way to set up a name-based firewall on NetBSD? Is
there a package that I missed that already does this? If I do it
myself, the packet format that blocklistd uses is private; is it
possible to expose it in a header for other applications to use?
Thanks,
Konrad Schroder
perseant%hhhh.org@localhost
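The polling strategy described in the post (resolve the names, push the result into an NPF table) breaks when each answer is a different subset of a round-robin set. The following is an added illustration, not code from the post or from NetBSD, of how a periodic script can accumulate the union of answers across cycles and only drop an address once it has gone unseen for a grace period, emitting the npfctl(8) commands needed to converge the table. Assumptions: the `npfctl table <name> add|rem <addr>` syntax is taken from the npfctl(8) man page; the table name `allowed_out`, the hostname `api.example.net`, and the 192.0.2.0/24 addresses are constructed sample values; the resolver is injected so the example runs offline (`system_resolver` is what a real deployment would pass in).

```python
"""Accumulate round-robin DNS answers into an NPF allow table (added example)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Real lookup via getaddrinfo(3); returns the unique addresses in one answer."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


class AllowTable:
    """Tracks when each address was last returned for any of the allowed names."""

    def __init__(self, table: str, grace: float, resolver: Resolver = system_resolver):
        self.table = table          # NPF table name (assumed: tables referenced by name)
        self.grace = grace          # seconds an address may go unseen before removal
        self.resolve = resolver
        self.last_seen: Dict[str, float] = {}

    def refresh(self, names: Iterable[str], now: float) -> Tuple[List[str], List[str]]:
        """One poll cycle: record every answer, expire stale entries.

        Returns (added, removed) address lists so the caller can apply a delta
        instead of replacing the whole table with a single, partial answer.
        """
        added: List[str] = []
        for name in names:
            for raw in self.resolve(name):
                addr = str(ipaddress.ip_address(raw))   # normalise, reject non-addresses
                if addr not in self.last_seen:
                    added.append(addr)
                self.last_seen[addr] = now
        removed = [a for a, t in self.last_seen.items() if now - t > self.grace]
        for a in removed:
            del self.last_seen[a]
        return sorted(added), sorted(removed)

    def commands(self, added: List[str], removed: List[str]) -> List[str]:
        """npfctl(8) invocations that bring the kernel table in line with last_seen."""
        return ([f"npfctl table {self.table} add {a}" for a in added]
                + [f"npfctl table {self.table} rem {a}" for a in removed])


# Constructed sample: a name backed by four addresses whose resolver hands out
# a rotating two-address window, as the post describes.
ROUND_ROBIN = {
    "api.example.net": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
}


def make_rotating_resolver(pool: Dict[str, List[str]], answer_size: int = 2) -> Resolver:
    """Simulated resolver: each call returns the next window of the pool."""
    calls = {"n": 0}

    def resolve(name: str) -> List[str]:
        addrs = pool[name]
        start = (calls["n"] * answer_size) % len(addrs)
        calls["n"] += 1
        return [addrs[(start + k) % len(addrs)] for k in range(answer_size)]

    return resolve


def demo() -> Tuple[AllowTable, List[Tuple[List[str], List[str]]]]:
    """Three one-minute cycles with a ten-minute grace: the table converges to the full set."""
    table = AllowTable("allowed_out", grace=600, resolver=make_rotating_resolver(ROUND_ROBIN))
    history = []
    for cycle in range(3):
        added, removed = table.refresh(ROUND_ROBIN, now=cycle * 60)
        history.append((added, removed))
        for cmd in table.commands(added, removed):
            print(cmd)
    return table, history


if __name__ == "__main__":
    demo()
```

The grace period is the trade-off: it must exceed the rotation interval or addresses flap in and out of the table, but every second of grace is time during which an address the upstream has stopped advertising remains reachable, so a value on the order of the record's TTL (or a small multiple of it) is a reasonable starting point.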