Whitelisting domains filtered by RPZ
dns at todoo.biz
dns at todoo.biz
Tue May 31 08:23:12 UTC 2022
> On 30 May 2022 at 12:38, dns--- via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
> Hello Unbound fellow users,
>
>
> We are setting up a large scale filtering based on unbound + RPZ domain lists.
> We will have 68 lists sorted by themes allowing one to have powerful RPZ filtering.
>
> Some of our themes contain more than 268Mo of FQDNs…
>
> Among these FQDNs are possibly some false positives, or some domains that our user base would like to filter out of these lists (in the first place).
>
>
> What would be the advised way to exclude / whitelist a domain from RPZ filtering?
>
>
> We have for example:
>
>
>> rpz:
>> name: "blog.rpz.domain"
>> zonefile: "blog.rpz.domain"
>> primary: 18.16.99.8
>> rpz-log: yes
>> rpz-log-name: "blog-rpz-domain"
>> tags: "blog_test"
>
>
> In the rpz list "twitter.com" is listed and filtered
>
>
> Would adding this statement allow "twitter.com" not to be filtered?
>
>> local-zone: "*.twitter.com" always_transparent
>
>
>
> My goal is that the "always_transparent" statement has precedence over any other config statement (and more particularly over the rpz block).
>
> If you have other suggestions, please let me know.
Answering my own question here:
It looks like the most reliable solution would be to set up a whitelist RPZ zone where you would put your whitelisted domains.
This might look like this:
rpz:
name: "whitelist.rpz.zone"
zonefile: "whitelist.rpz.zone"
rpz-log: yes
rpz-log-name: "whitelist"
tags: "whitelist"
and in the zone file simply use something like:
whitelist.rpz.zone. 86400 IN SOA localhost. root.local. 20220413 604800 86400 2419200 86400
whitelist.rpz.zone. 86400 IN A x.y.z.t
whitelist.rpz.zone. 86400 IN NS LOCALHOST.
twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
*.twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
If anyone can confirm this is the expected and best / right way to proceed, that would be nice.
>
>
> Sincerely yours.
>
—
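As an added illustration (written for this page, not taken from the thread or from Unbound's own code): a small Python model of how Unbound walks its configured RPZ zones for a QNAME trigger. Zones are evaluated in configuration order and the first zone whose trigger matches decides, which is why the whitelist rpz: block has to be listed before the blocking rpz: blocks in unbound.conf. The serial, the blocking-zone entries and the "blog" zone label are constructed sample values.

```python
from __future__ import annotations

PASSTHRU = "rpz-passthru."  # CNAME target meaning "leave the answer untouched"
NXDOMAIN = "."              # CNAME target meaning "answer NXDOMAIN"

def zone_file(zone: str, domains: list[str], serial: int) -> str:
    """Render a whitelist RPZ zone with exact and wildcard passthru records."""
    lines = [f"{zone}. 86400 IN SOA localhost. root.local. {serial} 604800 86400 2419200 86400",
             f"{zone}. 86400 IN NS localhost."]
    for d in domains:
        d = d.rstrip(".").lower()
        lines.append(f"{d}.{zone}. 86400 IN CNAME {PASSTHRU}")
        lines.append(f"*.{d}.{zone}. 86400 IN CNAME {PASSTHRU}")
    return "\n".join(lines) + "\n"

def parse_triggers(zone: str, text: str) -> dict[str, str]:
    """Map each QNAME trigger (owner name minus the zone suffix) to its CNAME target."""
    suffix = "." + zone + "."
    triggers: dict[str, str] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[3] == "CNAME" and f[0].endswith(suffix):
            triggers[f[0][: -len(suffix)].lower()] = f[4]
    return triggers

def lookup(qname: str, zones: list[tuple[str, dict[str, str]]]) -> tuple[str, str] | None:
    """Walk zones in configuration order; the first zone with a matching trigger wins.
    Within a zone the exact QNAME is tried before the *.parent wildcards."""
    q = qname.rstrip(".").lower()
    labels = q.split(".")
    candidates = [q] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name, triggers in zones:
        for c in candidates:
            if c in triggers:
                return name, triggers[c]
    return None

# Constructed sample data: the whitelist zone from the thread, and a blocking
# zone given directly as a trigger map (a real one would be parsed the same way).
WHITELIST = parse_triggers("whitelist.rpz.zone",
                           zone_file("whitelist.rpz.zone", ["twitter.com"], 2022053101))
BLOCKLIST = {"twitter.com": NXDOMAIN, "*.twitter.com": NXDOMAIN, "tracker.example": NXDOMAIN}
WHITELIST_FIRST = [("whitelist", WHITELIST), ("blog", BLOCKLIST)]
BLOCKLIST_FIRST = [("blog", BLOCKLIST), ("whitelist", WHITELIST)]

if __name__ == "__main__":
    for order in (WHITELIST_FIRST, BLOCKLIST_FIRST):
        print([z for z, _ in order], "->", lookup("blog.twitter.com", order))
```

With the whitelist zone first, blog.twitter.com is passed through; with the blocking zone first, the same name is answered NXDOMAIN and the whitelist is never consulted.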