RPZ ignored when is CNAME target?
Fredrik Pettai
pettai at sunet.se
Thu Dec 17 21:22:59 UTC 2020
> On 16 Dec 2020, at 14:26, Phil Pennock via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
> Folks, I've got RPZ settings in unbound, using a public feed (after
> local safety exemptions, etc); to avoid tripping malware filters with
> this email, let's assume that the malicious domain is "example.org".
> Unbound is 1.13.0.
>
> The URL retrieved and cached contains:
>
> example.org CNAME .
>
> If I `dig -t a www.example.org @192.168.1.53` then I see:
>
> ;; ANSWER SECTION:
> www.example.org. 14399 IN CNAME example.org.
> example.org. 14400 IN A 192.0.2.1
>
> If I `dig -t a example.org @192.168.1.53` then I instead get an
> NXDOMAIN.
>
> So the RPZ filtering only applies to the initial query name, not to that
> name appearing in a CNAME chain in the response.
>
> Is this the _expected_ behavior?
Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.
Re,
/P
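The matching behaviour discussed above, as an added example that is not part of this thread or of Unbound itself: a small, simplified model of the RPZ QNAME trigger showing why `example.org CNAME .` alone never fires for `www.example.org` (the CNAME target in the answer is not consulted), and why the `*.example.org CNAME .` rule from the reply closes that gap for everything below the apex. The zone text and the `dig` answer are constructed from the values in the thread; `parse_rpz`, `rpz_action` and `cname_targets_matching` are hypothetical helper names.

```python
from typing import Optional

# Constructed RPZ zone fragment: the apex rule from the original post plus
# the wildcard rule suggested in the reply.
RPZ_ZONE = """\
example.org    CNAME .
*.example.org  CNAME .
"""

# Special CNAME targets defined by the RPZ format and the policy they encode.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def parse_rpz(text: str) -> dict:
    """Map each trigger owner name (lowercase, no trailing dot) to its action."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "CNAME":
            rules[parts[0].lower().rstrip(".")] = ACTIONS.get(parts[2], "LOCAL-DATA")
    return rules


def rpz_action(qname: str, rules: dict) -> Optional[str]:
    """QNAME trigger (simplified): exact owner match first, then the nearest
    enclosing wildcard. '*.example.org' covers names strictly below
    example.org; it never covers the apex itself."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def cname_targets_matching(answer: str, rules: dict) -> list:
    """CNAME targets in a dig-style answer section that WOULD trigger if the
    policy were applied to the chain instead of only the query name. Unbound's
    QNAME trigger does not do this, which is the behaviour asked about above."""
    hits = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "CNAME" and rpz_action(parts[4], rules):
            hits.append(parts[4].rstrip("."))
    return hits


if __name__ == "__main__":
    apex_only = parse_rpz("example.org CNAME .")
    print(rpz_action("example.org", apex_only))               # NXDOMAIN
    print(rpz_action("www.example.org", apex_only))           # None: not caught
    print(rpz_action("www.example.org", parse_rpz(RPZ_ZONE)))  # NXDOMAIN
```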