<div dir="ltr"><div dir="auto"><div>Hi</div><div dir="auto"><br></div><div dir="auto"><div style="font-size:12.8px" dir="auto">I have the possibility to enrich every DNS query made by the client (customer with single IP) of my network, and redirect it to my Unbound server if necessary. <br></div><div style="font-size:12.8px" dir="auto">Enrichment could be made selectively for those clients that would have special service enabled or bought (like: child protection, security service, and so on, let's call it for example rpz-1 rpz-2 rpz-3).</div><div style="font-size:12.8px" dir="auto">If Unboud could make a decision based on the eDNS, and add an extra RPZ tag to the DNS request
I would gain an option to run a few new services for clients from the same subnet.
</div><div style="font-size:12.8px" dir="auto"><br></div><div style="font-size:12.8px" dir="auto">For example by using the eDNS tag number from the Unassigned range (
values: 26947-65000 acording to <a href="https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11">https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11</a>
) <br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px" dir="auto">dig @localhost <a href="http://google.com">google.com</a> +ednsopt=64000:72707a2d33</div><div style="font-size:12.8px" dir="auto"><br></div><div style="font-size:12.8px">Unbound based on eDNS tag ID could make a decision like:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">edns-control-tag: 64000 "rpz-3"</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">So every DNS request with eDNS tag-ID = 64000 should apply RPZ tag = rpz-3<br></div><div style="font-size:12.8px"><br></div></div><div dir="auto"></div><div dir="auto">Regards</div><div dir="auto">Robert <br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">czw., 8 cze 2023, 11:57 użytkownik Petr Menšík via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" rel="noreferrer" target="_blank">unbound-users@lists.nlnetlabs.nl</a>> napisał:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Robert,<br>
<br>
which EDNS options or values you would like to use to make different <br>
responses? I doubt that is already implemented or documented. What is <br>
your use-case?<br>
<br>
Regards,<br>
Petr<br>
<br>
On 06. 06. 23 14:56, Robert Bokwa via Unbound-users wrote:<br>
> Hi<br>
><br>
> I'm new on this user list, with Unbound I've been playing for more <br>
> than a year.<br>
><br>
> Is there a way to use RPZ based on eDNS ? I didn't find anything on <br>
> documentation besides responses based on SRC IP addresses <br>
> (access-control-tag) or interface (interface-tag).<br>
><br>
> If not, can it be a valuable feature request?<br>
> Users that share the same IP address pool could have different RPZ <br>
> applied.<br>
><br>
> Best regards<br>
> Robert<br>
<br>
-- <br>
Petr Menšík<br>
Software Engineer, RHEL<br>
Red Hat, <a href="http://www.redhat.com/" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.redhat.com/</a><br>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB<br>
<br>
</blockquote></div></div></div>
</div>