RPZ ignored when name is a CNAME target?

Phil Pennock unbound-users+phil at spodhuis.org
Wed Dec 16 13:26:57 UTC 2020


Folks, I've got RPZ settings in unbound, using a public feed (after
local safety exemptions, etc); to avoid tripping malware filters with
this email, let's assume that the malicious domain is "example.org".
Unbound is 1.13.0.

The URL retrieved and cached contains:

  example.org  CNAME  .

If I `dig -t a www.example.org @192.168.1.53` then I see:

  ;; ANSWER SECTION:
  www.example.org.		14399 IN CNAME example.org.
  example.org.		14400 IN A 192.0.2.1

If I `dig -t a example.org @192.168.1.53` then I instead get an
NXDOMAIN.

So the RPZ filtering only applies to the initial query name, not to that
name appearing in a CNAME chain in the response.

Is this the _expected_ behavior?

Thanks,
-Phil
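To make the two behaviours in the post concrete, here is an added, stand-alone model of RPZ QNAME-trigger evaluation; it is example code written for this page, not Unbound's implementation, and it makes no claim about what Unbound 1.13.0 actually does internally. It parses a constructed RPZ feed fragment (the `example.org CNAME .` record from the post plus an assumed wildcard rule) and a constructed answer section copied from the dig output above, then evaluates the policy either against the query name only (the behaviour Phil observed) or against every name reached by walking the CNAME chain (the behaviour the post asks about). Function names, the feed fragment and the wildcard rule are assumptions for the demo.

```python
"""Model RPZ QNAME-trigger evaluation over a CNAME chain.

Added example for this page; not Unbound code. The RPZ feed fragment, the
dig-style answer lines and all function names below are constructed for the
demo and are assumptions, not data from the post's real feed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Policy actions an RPZ QNAME-trigger record encodes in its CNAME target.
_ACTIONS = {
    ".": "NXDOMAIN",            # example.org CNAME .   -> answer NXDOMAIN
    "*.": "NODATA",             # owner CNAME *.        -> answer NODATA
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}

# Constructed feed fragment: the record quoted in the post plus an assumed
# wildcard rule so the wildcard-matching path is exercised too.
RPZ_FEED = """
; constructed RPZ feed fragment (assumption for this example)
example.org      CNAME .
*.evil.example   CNAME .
"""

# Constructed answer section, copied from the dig output in the post.
DIG_ANSWER = """
www.example.org.        14399 IN CNAME example.org.
example.org.            14400 IN A 192.0.2.1
"""


def _norm(name: str) -> str:
    """Case-fold and drop the trailing dot so 'example.org.' == 'example.org'."""
    return name.lower().rstrip(".")


def parse_rpz(zone_text: str) -> Dict[str, str]:
    """Parse 'owner [TTL] [IN] CNAME target' lines into {owner: action}."""
    rules: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        fields = line.split()
        if "CNAME" not in fields:
            continue                          # only CNAME policy records modelled
        owner = _norm(fields[0])
        target = fields[fields.index("CNAME") + 1]
        # Any other target is a walled-garden redirect (local data).
        rules[owner] = _ACTIONS.get(target.lower(), "LOCAL-DATA:" + target)
    return rules


def rpz_lookup(name: str, rules: Dict[str, str]) -> Optional[str]:
    """QNAME trigger: exact owner match, else the closest enclosing '*.parent' rule."""
    name = _norm(name)
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def parse_answer(dig_text: str) -> List[Tuple[str, str, str]]:
    """Turn dig-style 'owner TTL IN TYPE rdata' lines into (owner, type, rdata)."""
    rrs = []
    for line in dig_text.splitlines():
        m = re.match(r"^\s*(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rrs.append((m.group(1), m.group(2), m.group(3)))
    return rrs


def apply_rpz(qname: str, answer: List[Tuple[str, str, str]],
              rules: Dict[str, str], walk_cname_chain: bool) -> Tuple[str, Optional[str]]:
    """Return (action, triggering_name), or ("PASS", None) if nothing matched.

    walk_cname_chain=False checks only the original query name, which is what
    the post observed. True also checks every CNAME target reached from qname.
    """
    hit = rpz_lookup(qname, rules)
    if hit is not None:
        return hit, _norm(qname)
    if not walk_cname_chain:
        return "PASS", None
    cnames = {_norm(o): _norm(r) for o, t, r in answer if t == "CNAME"}
    current, seen = _norm(qname), {_norm(qname)}
    while current in cnames:
        current = cnames[current]
        if current in seen:                   # guard against CNAME loops
            break
        seen.add(current)
        hit = rpz_lookup(current, rules)
        if hit is not None:
            return hit, current
    return "PASS", None


if __name__ == "__main__":
    rules = parse_rpz(RPZ_FEED)
    rrs = parse_answer(DIG_ANSWER)
    print("qname only :", apply_rpz("www.example.org", rrs, rules, False))
    print("walk chain :", apply_rpz("www.example.org", rrs, rules, True))
    print("direct     :", apply_rpz("example.org", [], rules, False))
```

Run as-is, the first line reports `PASS` for `www.example.org` (no rule on the query name itself), the second reports `NXDOMAIN` triggered by `example.org` once the chain is walked, and the third shows the direct query for `example.org` is blocked either way; that is exactly the asymmetry the two dig commands above exposed.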