Bugzilla – Bug 1262
Feature request: RPZ
Last modified: 2019-01-04 11:54:26 CET
I've come across https://www.unbound.net/pipermail/unbound-users/2015-December/004143.html and it seems it hasn't been implemented yet. Because of that I've created this feature request.
Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".
The prime motivation for create this feature is to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.
If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.
More information about RPZ can be found over at https://en.wikipedia.org/wiki/Response_policy_zone
This response on the mailing list may be useful
Unbound has gained a lot of features to date that perform actions that could be used to implement a policy that looks like what RPZ specifies. We are looking at what is necessary to complete that picture, and would welcome your suggestion(s).
Perhaps the current setup is fine and all you need is a transformation script that takes some sort of input and creates a config file (that you include: in the main unbound.conf file)?
Best regards, Wouter
When unbound will added to the products that can utilize DNS RPZ at https://dnsrpz.info/ ?
We would like a single infrastructure on different platforms, but the unbound here does not available now? I would not like to change the unbound to anything else.
Have you tried contrib/fastrpz.patch? That should work. Perhaps this is not listed on the website you mention?
Best regards, Wouter
Yes, unbound not listed and I can't find documentation about what I can do after patching, how to configure, examples, etc.
This email might help?
And more explained here?
Best regards, Wouter
I saw these letters, I am interesting that all this must appeared in the public version "out of the box", as well as in the documentation. I understand that all this can be done by scripts, but I think if everything will be unified, everyone will be more comfortable and will help the introduction of the DNS RPZ.
+1 for fixing this RFE
The "fastrpz" package is not open source and it requires to share data with it's creator. This feature request is regarding getting rpz support in unbound and not adding some 3rd party proprietary software.
Adding some other customised scripts is also out of bounds. The support for rpz is already implemented in several other dns servers and I belive that unbound should support it "out of the box" as well.
Rpz is a really easy way to add an additional layer of security for networks.
RPZ is natively integrated in Knot Resolver, PDNS Recursor and of course BIND but not in Unbound.
We are changing our DNS infrastructure and for the recursive service our choice is on Unbound but the non native support of RPZ is a real problem that could make us change our choice. I specify that it's not possible for us to go through a third company or to compile ourselves the package.
So I hope that this RFE will soon be heard by the developers.