RPZ ignored when is CNAME target?
Phil Pennock
unbound-users+phil at spodhuis.org
Wed Dec 16 13:26:57 UTC 2020
Folks, I've got RPZ settings in unbound, using a public feed (after
local safety exemptions, etc); to avoid tripping malware filters with
this email, let's assume that the malicious domain is "example.org".
Unbound is 1.13.0.
The URL retrieved and cached contains:
example.org CNAME .
If I `dig -t a www.example.org @192.168.1.53` then I see:
;; ANSWER SECTION:
www.example.org. 14399 IN CNAME example.org.
example.org. 14400 IN A 192.0.2.1
If I `dig -t a example.org @192.168.1.53` then I instead get an
NXDOMAIN.
So the RPZ filtering only applies to the initial query name, not to that
name appearing in a CNAME chain in the response.
Is this the _expected_ behavior?
Thanks,
-Phil
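To make the behaviour described above concrete, the following is an added Python example (not Unbound's code and not part of the original post). It parses an RPZ zone fragment in the "trigger CNAME target" form quoted above, parses the ANSWER SECTION of a dig reply, and walks the CNAME chain from the query name, reporting every name in the chain that an RPZ QNAME trigger would hit. The answer records are the two from the post; the extra zone entries (a wildcard and a passthru trigger) and the special-target-to-action table are constructed for illustration. The point it shows: checking only the initial qname finds nothing for www.example.org, while following the chain reaches the listed example.org.

```python
"""Audit a resolver answer's CNAME chain against RPZ QNAME triggers.

Added example, not Unbound code. Sample zone lines and dig output below are
constructed (the two answer records mirror the ones in the mailing list post).
"""

# RPZ special CNAME targets and the policy action they encode.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def canon(name):
    """Lower-case a domain name and make it fully qualified for exact comparison."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_rpz(zone_text):
    """Parse 'trigger [TTL] [IN] CNAME target' lines; return {trigger: action}.
    Only QNAME triggers are handled (no rpz-ip / rpz-nsdname / rpz-client-ip)."""
    policy = {}
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line or line.startswith("$"):        # skip $ORIGIN / $TTL
            continue
        parts = line.split()
        if "CNAME" not in parts:
            continue
        target = canon(parts[parts.index("CNAME") + 1])
        policy[canon(parts[0])] = RPZ_ACTIONS.get(target, "LOCAL-DATA:" + target)
    return policy


def match_trigger(qname, policy):
    """Exact trigger first, then the closest wildcard ancestor (*.parent)."""
    qname = canon(qname)
    if qname in policy:
        return qname, policy[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in policy:
            return wildcard, policy[wildcard]
    return None, None


def parse_answer(dig_text):
    """Turn dig ANSWER SECTION lines into (owner, rtype, rdata) tuples."""
    rrs = []
    for line in dig_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        rrs.append((canon(owner), rtype, rdata))
    return rrs


def audit_chain(qname, rrs, policy):
    """Follow CNAMEs from qname; return [(name, trigger, action)] for every
    name in the chain that an RPZ QNAME trigger would block."""
    hits, seen, name = [], set(), canon(qname)
    while name not in seen:                         # guard against CNAME loops
        seen.add(name)
        trig, action = match_trigger(name, policy)
        if trig is not None:
            hits.append((name, trig, action))
        targets = [rd for o, t, rd in rrs if o == name and t == "CNAME"]
        if not targets:
            break
        name = canon(targets[0])
    return hits


# Constructed RPZ fragment: first line is the one from the post.
SAMPLE_RPZ = """$ORIGIN rpz.example.
example.org CNAME .             ; NXDOMAIN for the exact name
*.example.com CNAME *.          ; NODATA for anything under example.com
safe.example.net 3600 IN CNAME rpz-passthru.
"""

# Answer section as shown in the post for `dig -t a www.example.org`.
SAMPLE_ANSWER = """;; ANSWER SECTION:
www.example.org. 14399 IN CNAME example.org.
example.org. 14400 IN A 192.0.2.1
"""

POLICY = parse_rpz(SAMPLE_RPZ)
ANSWER = parse_answer(SAMPLE_ANSWER)

if __name__ == "__main__":
    print("qname-only check:", match_trigger("www.example.org", POLICY))
    print("chain check:", audit_chain("www.example.org", ANSWER, POLICY))
```

Run it and the qname-only check returns no trigger for www.example.org, while the chain check reports example.org as an NXDOMAIN hit one hop down the CNAME, which is exactly the gap between the two dig results quoted above.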