<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div><blockquote type="cite" class=""><div class="">On 30 May 2022 at 12:38, dns--- via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" class="">unbound-users@lists.nlnetlabs.nl</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Hello fellow Unbound users, </div><div class=""><br class=""></div><div class=""><br class=""></div>We are setting up large-scale filtering based on Unbound + RPZ domain lists. <div class="">We will have 68 lists sorted by theme, allowing one to have powerful RPZ filtering. </div><div class=""><br class=""></div><div class="">Some of our themes contain more than 268 MB of FQDNs… </div><div class=""><br class=""></div><div class="">Among these FQDNs are possibly some false positives, or some domains that our user base would like to filter out of these lists (in the first place). </div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">What would be the advised way to exclude / whitelist a domain from RPZ filtering? 
</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">We have for exemple: </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div class=""><div class="">rpz:</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>name: "blog.rpz.domain"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>zonefile: "blog.rpz.domain"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>primary: 18.16.99.8</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-log: yes</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-log-name: "blog-rpz-domain"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>tags: "blog_test"</div></div></blockquote></div><div class=""><br class=""></div><div class="">In the rpz list "<a href="http://twitter.com/" class="">twitter.com</a>" is listed and filtered</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Would adding this statement allow "<a href="http://twitter.com/" class="">twitter.com</a>" not to be filtered ? </div><div class=""><br class=""></div><div class=""><blockquote type="cite" class="">local-zone: "*.<a href="http://twitter.com/" class="">twitter.com</a>" <i class="">always_transparent</i></blockquote></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">My goal is that the "always_transparent" statement has precedence <b class="">on any other config statement</b> (and more particularly on the rpz block). </div><div class=""><br class=""></div><div class="">If you have other suggestion, please let me know. 
</div></div></div></blockquote><div><br class=""></div><div><br class=""></div><div>Answering my own question here: </div><div><br class=""></div><div>It looks like the most reliable solution would be to setup a whitelist RPZ zone where you would put your whitelisted domains. <div class=""><br class=""></div><div class="">This might look like this : </div><div class=""><br class=""></div><div class=""><div class="">rpz:</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>name: "whitelist.rpz.zone"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>zonefile: "whitelist.rpz.zone"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-log: yes</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-log-name: "whitelist"</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>tags: "whitelist"</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">and in the zone file simply use smthg like : </div><div class=""><br class=""></div><div class=""><div class="">whitelist.rpz.zone.<span class="Apple-tab-span" style="white-space: pre;"> </span>86400<span class="Apple-tab-span" style="white-space: pre;"> </span>IN<span class="Apple-tab-span" style="white-space: pre;"> </span>SOA<span class="Apple-tab-span" style="white-space: pre;"> </span>localhost. root.local. 
20220413 604800 86400 2419200 86400</div><div class="">whitelist.rpz.zone.<span class="Apple-tab-span" style="white-space: pre;"> </span>86400<span class="Apple-tab-span" style="white-space: pre;"> </span>IN<span class="Apple-tab-span" style="white-space: pre;"> </span>A<span class="Apple-tab-span" style="white-space: pre;"> </span>x.y.z.t</div><div class="">whitelist.rpz.zone.<span class="Apple-tab-span" style="white-space: pre;"> </span>86400<span class="Apple-tab-span" style="white-space: pre;"> </span>IN<span class="Apple-tab-span" style="white-space: pre;"> </span>NS<span class="Apple-tab-span" style="white-space: pre;"> </span>LOCALHOST.</div><div class="">twitter.com.whitelist.rpz.zone.<span class="Apple-tab-span" style="white-space: pre;"> </span>86400<span class="Apple-tab-span" style="white-space: pre;"> </span>IN<span class="Apple-tab-span" style="white-space: pre;"> </span>CNAME<span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-passthru.</div><div class="">*.twitter.com.whitelist.rpz.zone.<span class="Apple-tab-span" style="white-space: pre;"> </span>86400<span class="Apple-tab-span" style="white-space: pre;"> </span>IN<span class="Apple-tab-span" style="white-space: pre;"> </span>CNAME<span class="Apple-tab-span" style="white-space: pre;"> </span>rpz-passthru.</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">If anyone can confirm this is the expected and best / right way to proceed, that would be nice. </div></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Sincerely yours. 
</div><div class=""><br class=""></div><div class="">—<br class=""><span id="cid:9074469A-93B0-41E4-80A1-3D36C1A3F8EA"><LOGO_OCTOPUS_90.png></span></div></div></div></blockquote></div><br class=""><div class="">
<meta charset="UTF-8" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Menlo; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">—<br class=""></div><span><img apple-inline="yes" id="BF3555CA-12AD-4E29-AEE1-E395FE2C8455" src="cid:9074469A-93B0-41E4-80A1-3D36C1A3F8EA" class=""></span>
</div>
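<div class=""><br class=""></div><div class="">Added example, not part of the original post or of the Unbound project: a script that generates a passthru whitelist zone of the shape shown in the thread, plus a simplified model of how RPZ QNAME triggers are matched. Unbound applies rpz clauses in the order they appear in the configuration and uses the first zone that matches, so the whitelist zone has to be configured before the blocking zones for rpz-passthru to win; the model reproduces that rule and also shows why both the exact name and the *.name wildcard are needed (a wildcard does not cover the bare name). The zone apex names, the serial scheme, the sample domain lists and the matching model are illustrative assumptions.</div><div class=""><br class=""></div>
```python
"""Generate an RPZ passthru whitelist zone and model how it interacts with
blocking zones. Added example: apex names, serial scheme and the simplified
first-match model are illustrative assumptions, not Unbound's own code."""
import re
from datetime import date

LABEL_RE = re.compile(r"^[a-z0-9_-]{1,63}$")


def normalize(name):
    """Lower-case, strip whitespace and a trailing dot, and reject anything
    that is not a plausible hostname so junk lines never reach the zone."""
    name = name.strip().lower().rstrip(".")
    if len(name) not in range(1, 254):
        return None
    for label in name.split("."):
        if not LABEL_RE.match(label) or label.startswith("-") or label.endswith("-"):
            return None
    return name


def build_rpz_zone(apex, domains, action="rpz-passthru.", serial=None, ttl=86400):
    """Zone text with SOA/NS at the apex and, per domain, an exact and a
    wildcard QNAME trigger. '*.example.com' covers names below example.com but
    not example.com itself, hence both records. action '.' means NXDOMAIN,
    'rpz-passthru.' exempts the name from later policy zones."""
    if serial is None:
        serial = int(date.today().strftime("%Y%m%d") + "00")  # YYYYMMDDnn
    apex = apex.rstrip(".") + "."
    lines = [
        "$TTL %d" % ttl,
        "%s IN SOA localhost. root.local. %d 604800 86400 2419200 86400" % (apex, serial),
        "%s IN NS localhost." % apex,
    ]
    seen = set()
    for raw in domains:
        name = normalize(raw)
        if name is None or name in seen:
            continue  # skip junk lines and duplicates
        seen.add(name)
        lines.append("%s.%s IN CNAME %s" % (name, apex, action))
        lines.append("*.%s.%s IN CNAME %s" % (name, apex, action))
    return "\n".join(lines) + "\n"


def parse_triggers(zone_text, apex):
    """Map each QNAME trigger (owner relative to the apex) to its CNAME action."""
    suffix = "." + apex.rstrip(".") + "."
    triggers = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "CNAME" and parts[0].endswith(suffix):
            triggers[parts[0][: -len(suffix)]] = parts[3]
    return triggers


def match_zone(triggers, qname):
    """Within one zone: an exact owner wins, otherwise the most specific
    enclosing wildcard. Returns the action or None."""
    qname = normalize(qname)
    if qname is None:
        return None
    if qname in triggers:
        return triggers[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in triggers:
            return triggers[wild]
    return None


def resolve_policy(zones, qname):
    """Across zones: the first configured zone with a match decides and later
    zones are not consulted, so the whitelist zone must be listed first."""
    for zone_name, triggers in zones:
        action = match_zone(triggers, qname)
        if action is not None:
            return zone_name, action
    return None


def demo():
    """Constructed inputs: a themed blocklist holding twitter.com (NXDOMAIN)
    and the whitelist from the thread, checked in both configuration orders."""
    block = parse_triggers(build_rpz_zone(
        "blog.rpz.domain", ["twitter.com", "Example.NET.", "bad line!"],
        action=".", serial=2022041300), "blog.rpz.domain")
    allow = parse_triggers(build_rpz_zone(
        "whitelist.rpz.zone", ["twitter.com"], serial=2022041300), "whitelist.rpz.zone")
    whitelist_first = [("whitelist", allow), ("blog", block)]
    blocklist_first = [("blog", block), ("whitelist", allow)]
    return {
        "good_order": resolve_policy(whitelist_first, "api.twitter.com"),
        "bad_order": resolve_policy(blocklist_first, "api.twitter.com"),
        "still_blocked": resolve_policy(whitelist_first, "www.example.net"),
        "unlisted": resolve_policy(whitelist_first, "nlnetlabs.nl"),
    }


if __name__ == "__main__":
    print(build_rpz_zone("whitelist.rpz.zone", ["twitter.com"]))
    for key, value in demo().items():
        print(key, value)
```
<div class=""><br class=""></div><div class="">Running the script prints the generated whitelist zone, which can be written to the file named by the zonefile option of the whitelist rpz clause. In demo(), "api.twitter.com" resolves to rpz-passthru only when the whitelist zone is listed before the blocking zone; with the order reversed the blocking zone answers first and the whitelist entry is never reached.</div>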
<br class=""></div></body></html>