Bug 1262 - Feature request: RPZ
Product: unbound
Classification: Unclassified
Component: server
Hardware: All
OS: All
Importance: P3 enhancement
Assigned To: unbound team
Depends on:
Reported: 2017-05-05 14:16 CEST by idarlund
Modified: 2019-01-04 11:54 CET (History)
Description idarlund 2017-05-05 14:16:47 CEST
I've come across https://www.unbound.net/pipermail/unbound-users/2015-December/004143.html and it seems it hasn't been implemented yet. Because of that I've created this feature request.

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

The prime motivation for creating this feature is to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies based on reputation feeds from security service providers on a near-real-time basis.

Examples include:
If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
If one knows a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.

More information about RPZ can be found over at https://en.wikipedia.org/wiki/Response_policy_zone
Comment 1 Wouter Wijngaards 2017-05-09 15:28:30 CEST
Hi idarlund,

This response on the mailing list may be useful

Unbound has gained a lot of features to date that perform actions that could be used to implement a policy that looks like what RPZ specifies.  We are looking at what is necessary to complete that picture, and would welcome your suggestion(s).

Perhaps the current setup is fine and all you need is a transformation script that takes some sort of input and creates a config file (that you include: in the main unbound.conf file)? 

Best regards, Wouter
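The "transformation script" suggested in this comment, as an added example (not code from the bug thread, from the fastrpz patch, or from the unbound project): it reads a small RPZ-style zone and emits unbound local-zone / local-data directives that can be written to a file and pulled in with an include: line in unbound.conf. The sample zone and its names are constructed; the mapping of RPZ actions onto unbound zone types (CNAME . to always_nxdomain, rpz-drop. to deny, rpz-passthru. to transparent, A/AAAA rules to a redirect zone with local-data) and the decision to collapse "*.name" wildcards onto the apex are this example's own assumptions about what an operator would want, not behaviour the page confirms.

```python
"""Convert a minimal RPZ-style zone into unbound local-zone / local-data lines.

Added example for the bug thread above; not part of unbound or of fastrpz.
"""
from typing import List

# Constructed sample RPZ zone (documentation names and addresses only).
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
; NXDOMAIN for the name and everything below it
bad.example.test            CNAME .
*.bad.example.test          CNAME .
; drop queries for this name
sinkhole-me.example.test    CNAME rpz-drop.
; allow-list entry: resolve normally
allowed.example.test        CNAME rpz-passthru.
; walled garden: answer with local data
phish.example.test          A     192.0.2.10
phish.example.test          AAAA  2001:db8::10
"""

# RPZ CNAME targets mapped onto unbound local-zone types (assumed mapping;
# unbound has no 1:1 RPZ action table, so these are the closest equivalents).
ACTION_BY_CNAME = {
    ".": "always_nxdomain",        # RPZ NXDOMAIN action
    "rpz-drop.": "deny",           # RPZ DROP: unbound 'deny' drops the query
    "rpz-passthru.": "transparent",  # RPZ PASSTHRU: resolve normally
}


def _relative_name(owner: str, origin: str) -> str:
    """Return the policy name relative to the RPZ origin, without a trailing dot."""
    name = owner.rstrip(".")
    if origin and name.endswith("." + origin):
        name = name[: -(len(origin) + 1)]
    # In RPZ '*.name' covers subdomains only; an unbound local-zone already
    # covers the apex and everything below it, so the wildcard marker is
    # dropped (assumption: matching the apex too is acceptable here).
    if name.startswith("*."):
        name = name[2:]
    return name


def rpz_to_unbound(zone_text: str) -> List[str]:
    """Parse RPZ zone text and return unbound configuration directives."""
    origin = ""
    directives: List[str] = []
    emitted = set()

    def emit(line: str) -> None:
        # De-duplicate: 'name' and '*.name' collapse onto the same directive.
        if line not in emitted:
            emitted.add(line)
            directives.append(line)

    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):
            continue  # $TTL and other directives carry no policy
        parts = line.split()
        if len(parts) < 3:
            continue
        # Assumes single-token rdata (A, AAAA, CNAME); TTL/class may sit in between.
        owner, rtype, rdata = parts[0], parts[-2].upper(), parts[-1]
        name = _relative_name(owner, origin)
        if not name or name == "@":
            continue
        if rtype == "CNAME":
            action = ACTION_BY_CNAME.get(rdata.lower())
            if action is None:
                # '#' starts a comment in unbound.conf, so the output stays loadable.
                emit(f"# unsupported RPZ action {rdata} for {name} (skipped)")
            else:
                emit(f'local-zone: "{name}." {action}')
        elif rtype in ("A", "AAAA"):
            # Walled garden: a redirect zone answers the name and all
            # subdomains with the local-data records below it.
            emit(f'local-zone: "{name}." redirect')
            emit(f'local-data: "{name}. IN {rtype} {rdata}"')
        else:
            emit(f"# unsupported record type {rtype} for {name} (skipped)")
    return directives


if __name__ == "__main__":
    # Write this output to a file and reference it from unbound.conf
    # with:  include: "/etc/unbound/rpz-generated.conf"  (path is an example)
    print("\n".join(rpz_to_unbound(SAMPLE_RPZ_ZONE)))
```

Run it and redirect the output into a file that unbound.conf includes; re-running it whenever the feed changes and reloading unbound is the near-real-time update the description asks for, minus the zone-transfer machinery that native RPZ provides. NODATA rules (CNAME *.) and anything other than A/AAAA/CNAME are emitted as commented "unsupported" lines rather than silently dropped, so a reviewer can see what the conversion did not cover.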
Comment 2 Konstantin V Bekreyev 2018-02-21 07:24:31 CET
When will unbound be added to the products that can utilize DNS RPZ at https://dnsrpz.info/ ?

We would like a single infrastructure on different platforms, but unbound is not available there now? I would not like to change from unbound to anything else.
Comment 3 Wouter Wijngaards 2018-02-21 11:10:03 CET

Have you tried contrib/fastrpz.patch?  That should work.  Perhaps this is not listed on the website you mention?

Best regards, Wouter
Comment 4 Konstantin V Bekreyev 2018-02-21 11:34:05 CET
Yes, unbound is not listed and I can't find documentation about what I can do after patching, how to configure it, examples, etc.
Comment 5 Wouter Wijngaards 2018-02-21 11:36:39 CET

This email might help?


And more explained here?

Best regards, Wouter
Comment 6 Konstantin V Bekreyev 2018-02-21 12:20:58 CET
I saw these letters. I am interested in all this appearing in the public version "out of the box", as well as in the documentation. I understand that all this can be done by scripts, but I think if everything is unified, everyone will be more comfortable and it will help the introduction of DNS RPZ.
Comment 7 Fredrik Pettai 2018-11-21 19:51:29 CET
+1 for fixing this RFE
Comment 8 idarlund 2018-11-22 13:40:03 CET

The "fastrpz" package is not open source and it requires sharing data with its creator. This feature request is regarding getting RPZ support in unbound and not adding some 3rd party proprietary software.

Adding some other customised scripts is also out of bounds. The support for RPZ is already implemented in several other DNS servers and I believe that unbound should support it "out of the box" as well.

RPZ is a really easy way to add an additional layer of security for networks.

Comment 9 Arnaud Gavara 2019-01-04 11:54:26 CET

RPZ is natively integrated in Knot Resolver, PDNS Recursor and of course BIND but not in Unbound.
We are changing our DNS infrastructure and for the recursive service our choice is Unbound, but the lack of native RPZ support is a real problem that could make us change our choice. I specify that it's not possible for us to go through a third company or to compile the package ourselves.
So I hope that this RFE will soon be heard by the developers.