RPZ: is this config correct?

RayG rgsub1 at btinternet.com
Tue Nov 10 15:33:29 UTC 2020


OK so with log level set at 4 I don’t see in the log file lines like you list below.

The log file is very large so I cannot attach it to this email even as pasted text.

Here is a link:
https://1drv.ms/u/s!As73rPtzISrU4mTvPONvZCWVSCWD?e=MJ18Lx

A couple of points.

1). Do I have to create the zone file before starting unbound?
2). Do I need to populate the file with anything?

I have tried all ways with no success.

Thanks

RayG

-----Original Message-----
From: George Thessalonikefs <george at nlnetlabs.nl> 
Sent: 09 November 2020 17:35
To: unbound-users at lists.nlnetlabs.nl
Cc: RayG <rgsub1 at btinternet.com>
Subject: Re: RPZ: is this config correct?

Hi RayG,

On verbosity >= 4 you could see the following entries that relate to rpz (from my own run where download and file creation succeed):
     debug: auth zone rpz.urlhaus.abuse.ch. transfer next HTTP fetch from
     debug: http download downloads/rpz of size
     info: auth zone http downloaded content preview:
     debug: auth zone rpz.urlhaus.abuse.ch. updated to serial
     debug: write zonefile file.name for rpz.urlhaus.abuse.ch.

local-zone answers are before the rpz zones, so you will not see entries in the log file for those.

Best regards,
-- George

On 09/11/2020 17:55, RayG wrote:
> Hi George,
> 
> Thanks for the reply.
>   
> I agree the XFR may not work but the URL should get the zone file.
> 
> Given I have pointed the zone file at unbound's log directory and it 
> can write the log OK I think it should be able to write the zone file. 
> It writes the log OK.
> 
> Again if I have understood correctly these two lines:
> 
> rpz-log: yes
> rpz-log-name: "URLHausRPZ"
> 
> Make unbound write entries in the log file using the label "URLHausRPZ"
> 
> I see none of those or a zone file in the log directory.
> 
> What should I be looking for in unbound's log file to show it's working?
> 
> One other question does it matter that some of the same entries may 
> have been entered in a block list file
> 
> Which has entries looking like this:
> 
> local-zone: "0.nextyourcontent.com" refuse # Source: https://someonewhocares.org/hosts/
> local-zone: "0.r.msn.com" refuse # Source: http://winhelp2002.mvps.org/hosts.txt
> local-zone: "0.start.bz" refuse # Source: http://sysctl.org/cameleon/hosts.win
> local-zone: "180clubrealestate.com" refuse # See: https://urlhaus.abuse.ch/host/180clubrealestate.com
> 
> RayG
> 
> -----Original Message-----
> From: George Thessalonikefs <george at nlnetlabs.nl>
> Sent: 09 November 2020 11:07
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: RPZ: is this config correct?
> 
> Hi RayG,
> 
> You are correct that the file should be written by unbound. Are you 
> sure that unbound has write permissions in that directory?
> 
> You could also use IP addresses for XFRs and they will be probed for 
> the SOA value and also tried if the url does not work.
> 
> However, I don't think that they offer the service over XFR. At least 
> they only advertise the url on their website.
> 
> Best regards,
> -- George
> 
> On 07/11/2020 16:17, RayG via Unbound-users wrote:
>> Hi,
>>
>> No response to this post as yet?
>>
>> Any help appreciated.
>>
>> RayG
>>
>> *From:*RayG <rgsub1 at btinternet.com>
>> *Sent:* 14 October 2020 15:59
>> *To:* 'unbound-users at lists.nlnetlabs.nl'
>> <unbound-users at lists.nlnetlabs.nl>
>> *Subject:* RPZ: is this config correct?
>>
>> I have created the following RPZ entry for unbound and added respip 
>> to the module configuration.
>>
>> rpz:
>>        name: "rpz.urlhaus.abuse.ch."
>>        zonefile: "c:\programdata\unbound\logs\URLHaus.rpz"
>>        url: https://urlhaus.abuse.ch/downloads/rpz
>>        rpz-log: yes
>>        rpz-log-name: "URLHausRPZ"
>>
>> If I understand things correctly unbound should fetch the zone file 
>> using the URL and store the data in the zonefile. I created an empty 
>> zone file but it is not being populated by unbound. I cannot see any 
>> relevant issues in the log file.  I also do not (have not yet) seen 
>> any entries in the log file with the appended log name item.
>>
>> Do I have the correct configuration and understanding?
>>
>> Following on would it be correct to add these masters to the configuration:
>>
>>        master: 151.101.130.49
>>        master: 151.101.66.49
>>        master: 151.101.194.49
>>        master: 151.101.2.49
>>
>> C:\>dig urlhaus.abuse.ch.
>>
>> ; <<>> DiG 9.16.6 <<>> urlhaus.abuse.ch.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1870
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;urlhaus.abuse.ch.              IN      A
>>
>> ;; ANSWER SECTION:
>> urlhaus.abuse.ch.       3037    IN      CNAME   p2.shared.global.fastly.net.
>> p2.shared.global.fastly.net. 29 IN      A       151.101.130.49
>> p2.shared.global.fastly.net. 29 IN      A       151.101.194.49
>> p2.shared.global.fastly.net. 29 IN      A       151.101.2.49
>> p2.shared.global.fastly.net. 29 IN      A       151.101.66.49
>>
>> The URL Returns data like this:
>>
>> $TTL 30
>> @ SOA rpz.urlhaus.abuse.ch. hostmaster.urlhaus.abuse.ch. 2010141440 300 1800 604800 30
>> NS localhost.
>> ;
>> ; abuse.ch URLhaus Response Policy Zones (RPZ)
>> ; Last updated: 2020-10-14 14:40:12 (UTC)
>> ;
>> ; Terms Of Use: https://urlhaus.abuse.ch/api/
>> ; For questions please contact urlhaus [at] abuse.ch
>> ;
>> testentry.rpz.urlhaus.abuse.ch CNAME . ; Test entry for testing URLhaus RPZ
>> 1am.co.nz CNAME . ; Malware download (2020-08-17), see https://urlhaus.abuse.ch/host/1am.co.nz/
>> 1ca.co.za CNAME . ; Malware download (2020-08-28), see https://urlhaus.abuse.ch/host/1ca.co.za/
>> 1med.kiev.ua CNAME . ; Malware download (2020-10-14), see https://urlhaus.abuse.ch/host/1med.kiev.ua/
>> 21robo.com CNAME . ; Malware download (2019-02-20), see https://urlhaus.abuse.ch/host/21robo.com/
>>
> 
> 
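
Added example, not part of the thread and not Unbound code: a small scanner that streams a large verbosity-4 log and reports how far the RPZ download got, using the log entries George quotes. The function names, the sample log lines (timestamps, process id, address, size, file name) and treating the rpz-log-name label as a plain substring are assumptions made for the illustration.

```python
"""Report which RPZ fetch stages appear in an unbound log (verbosity >= 4)."""

# Substrings come from the log entries quoted in the thread, in the order
# listed there. {zone} is the rpz "name:" value from the configuration.
STAGES = [
    ("fetch_started", ("auth zone {zone} transfer next HTTP fetch from",)),
    ("downloaded", ("http download ", " of size")),
    ("preview", ("auth zone http downloaded content preview:",)),
    ("serial_updated", ("auth zone {zone} updated to serial",)),
    ("zonefile_written", ("write zonefile ", " for {zone}")),
]

def scan_rpz_stages(lines, zone, log_name=None):
    """Return ({stage: first line number or None}, count of lines with log_name)."""
    needles = [(n, [p.format(zone=zone) for p in parts]) for n, parts in STAGES]
    seen = {n: None for n, _ in needles}
    label_hits = 0
    for lineno, line in enumerate(lines, 1):  # streams; a very large log is fine
        for name, parts in needles:
            if seen[name] is None and all(p in line for p in parts):
                seen[name] = lineno
        if log_name and log_name in line:  # assumption: label appears verbatim
            label_hits += 1
    return seen, label_hits

def first_missing(seen):
    """Name of the earliest stage never logged, or None if all were seen."""
    return next((n for n, _ in STAGES if seen[n] is None), None)

# Constructed sample log lines (not taken from a real run).
ZONE = "rpz.urlhaus.abuse.ch."
P = "[1604936100] unbound[4100:0] "
SAMPLE_OK = [
    P + "debug: auth zone rpz.urlhaus.abuse.ch. transfer next HTTP fetch from 192.0.2.10",
    P + "debug: http download downloads/rpz of size 12345",
    P + "info: auth zone http downloaded content preview: $TTL 30",
    P + "debug: auth zone rpz.urlhaus.abuse.ch. updated to serial 2010141440",
    P + "debug: write zonefile URLHaus.rpz for rpz.urlhaus.abuse.ch.",
]
SAMPLE_STALLED = SAMPLE_OK[:1]  # fetch attempted, nothing downloaded

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("stalled", SAMPLE_STALLED)):
        seen, hits = scan_rpz_stages(sample, ZONE, "URLHausRPZ")
        print(label, seen, "label hits:", hits, "first missing:", first_missing(seen))
```

For a real log, pass the open file object as `lines`; the first missing stage shows where to look (fetch never attempted, download failing, or the zonefile write failing).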



