RPZ ignored when is CNAME target?

Fredrik Pettai pettai at sunet.se
Thu Dec 17 21:22:59 UTC 2020



> On 16 Dec 2020, at 14:26, Phil Pennock via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> Folks, I've got RPZ settings in unbound, using a public feed (after
> local safety exemptions, etc); to avoid tripping malware filters with
> this email, let's assume that the malicious domain is "example.org".
> Unbound is 1.13.0.
> 
> The URL retrieved and cached contains:
> 
>  example.org  CNAME  .
> 
> If I `dig -t a www.example.org @192.168.1.53` then I see:
> 
>  ;; ANSWER SECTION:
>  www.example.org.		14399 IN CNAME example.org.
>  example.org.		14400 IN A 192.0.2.1
> 
> If I `dig -t a example.org @192.168.1.53` then I instead get an
> NXDOMAIN.
> 
> So the RPZ filtering only applies to the initial query name, not to that
> name appearing in a CNAME chain in the response.
> 
> Is this the _expected_ behavior?

Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.

Re,
/P
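To make the behaviour discussed in this thread concrete, here is an added example (not part of the original mailing-list exchange, and not Unbound's own RPZ code). It parses BIND-style RPZ QNAME triggers, applies DNS wildcard matching, and compares two checks over a constructed answer chain modelled on the quoted dig output: a check against the initial query name only (what the thread observes Unbound doing) versus a check against every owner name in the CNAME chain. The zone fragments and the answer section are constructed for this illustration; the only real identifiers are the RPZ special targets (`.`, `*.`, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`).

```python
# Added example: models RPZ QNAME-trigger matching to show why a CNAME target
# that is listed in the policy zone is not caught when only the query name is
# checked, and why a *.example.org trigger catches names below the apex.
# This is an illustration, not Unbound's implementation.

# Constructed zone fragment: the situation described in the original post.
RPZ_APEX_ONLY = """
; constructed RPZ zone fragment
example.org    CNAME .
"""

# Constructed zone fragment: the suggestion in the reply, apex plus wildcard.
RPZ_WITH_WILDCARD = """
; constructed RPZ zone fragment
example.org    CNAME .
*.example.org  CNAME .
"""

# Constructed answer section, modelled on the dig output quoted in the thread.
ANSWER = [
    ("www.example.org.", "CNAME", "example.org."),
    ("example.org.", "A", "192.0.2.1"),
]

# RPZ special CNAME targets and the policy action each one encodes.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def normalize(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.rstrip(".").lower()


def parse_rpz(zone_text):
    """Return {trigger_name: action} for the QNAME triggers in a zone fragment.

    Only the owner/CNAME form is interpreted; any other record type is treated
    as local data served in place of the real answer.
    """
    triggers = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip comments
        if not line or line.startswith("$"):  # skip blanks and $ORIGIN/$TTL
            continue
        parts = line.split()
        owner = normalize(parts[0])
        if "CNAME" in parts:
            rdata = parts[parts.index("CNAME") + 1]
            triggers[owner] = RPZ_ACTIONS.get(rdata, "LOCAL-DATA")
        else:
            triggers[owner] = "LOCAL-DATA"
    return triggers


def match_qname(triggers, name):
    """Return (trigger, action) for the trigger that covers `name`, or None.

    Exact matches win; otherwise a DNS-style wildcard *.suffix matches any
    name with one or more labels below suffix (but not suffix itself).
    """
    name = normalize(name)
    if name in triggers:
        return (name, triggers[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in triggers:
            return (candidate, triggers[candidate])
    return None


def evaluate_answer(answer, triggers):
    """Compare query-name-only matching with matching over the whole chain.

    Returns (qname_hit, chain_hits): the match for the first owner name only,
    and a list of (owner, trigger, action) for every owner name in the answer
    that a trigger covers, CNAME targets included.
    """
    qname_hit = match_qname(triggers, answer[0][0])
    chain_hits = []
    for owner, _rtype, _rdata in answer:
        hit = match_qname(triggers, owner)
        if hit:
            chain_hits.append((normalize(owner), hit[0], hit[1]))
    return qname_hit, chain_hits


if __name__ == "__main__":
    for label, zone in (("apex only", RPZ_APEX_ONLY), ("apex + wildcard", RPZ_WITH_WILDCARD)):
        q, chain = evaluate_answer(ANSWER, parse_rpz(zone))
        print(f"{label}: query-name match={q}; names in chain covered={chain}")
```

With the apex-only zone the query name `www.example.org` matches nothing, even though `example.org` shows up as the CNAME target in the same answer; adding `*.example.org CNAME .` makes the query name itself match, which is the fix suggested in the reply. Note that the wildcard alone does not cover the apex, so both entries are needed.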



