RPZ based on eDNS
Robert
triangul.2010 at gmail.com
Mon Jun 12 17:52:03 UTC 2023
Hi
I have the possibility to enrich every DNS query made by a client
(customer with a single IP) of my network, and to redirect it to my Unbound
server if necessary.
Enrichment could be made selectively for those clients that would have
special service enabled or bought (like: child protection, security
service, and so on, let's call it for example rpz-1 rpz-2 rpz-3).
If Unbound could make a decision based on the eDNS option, and add an extra RPZ tag
to the DNS request, I would gain an option to run a few new services for
clients from the same subnet.
For example, by using an eDNS tag number from the Unassigned range
(values: 26947-65000 according to
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11
):
dig @localhost google.com +ednsopt=64000:72707a2d33
Unbound, based on the eDNS tag ID, could make a decision like:
edns-control-tag: 64000 "rpz-3"
So every DNS request with eDNS tag ID = 64000 should apply RPZ tag = rpz-3.
Regards
Robert
On Thu, 8 Jun 2023, 11:57, Petr Menšík via Unbound-users <
unbound-users at lists.nlnetlabs.nl> wrote:
> Hi Robert,
>
> which EDNS options or values would you like to use to make different
> responses? I doubt that is already implemented or documented. What is
> your use-case?
>
> Regards,
> Petr
>
> On 06. 06. 23 14:56, Robert Bokwa via Unbound-users wrote:
> > Hi
> >
> > I'm new on this user list; I've been playing with Unbound for more
> > than a year.
> >
> > Is there a way to use RPZ based on eDNS ? I didn't find anything on
> > documentation besides responses based on SRC IP addresses
> > (access-control-tag) or interface (interface-tag).
> >
> > If not, can it be a valuable feature request?
> > Users that share the same IP address pool could have different RPZ
> > applied.
> >
> > Best regards
> > Robert
>
> --
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, http://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
>
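The following is an added example, not code from Unbound or from anyone in this thread. It models the mapping Robert proposes: a client-side query carries a private EDNS option (code 64000, value "rpz-3", exactly the `+ednsopt=64000:72707a2d33` from the message), and a resolver-side lookup table, written here as a hypothetical stand-in for the proposed `edns-control-tag` setting, turns that option into an RPZ tag. The message format (header, question, OPT RR, option TLVs) is standard DNS wire format; the option code, tag names, lookup table and the `from_trusted_enricher` flag are assumptions for illustration. The flag is there because of the security caveat a practitioner would raise against this design: an EDNS option is set by whoever builds the query, so unless the tag is injected by the operator's enrichment point (and any client-supplied copy is stripped there), a client could attach its own option and opt out of, say, a child-protection policy.

```python
"""Toy model of EDNS-option -> RPZ-tag selection (illustrative, not Unbound code)."""
import struct

# Hypothetical equivalent of the proposed  edns-control-tag: 64000 "rpz-3"
# (and siblings). Option code 64000 lies in the IANA "Unassigned" range the
# thread cites; the tag names are the examples used in the thread.
EDNS_CONTROL_TAGS = {
    (64000, b"rpz-1"): "rpz-1",
    (64000, b"rpz-2"): "rpz-2",
    (64000, b"rpz-3"): "rpz-3",
}

OPT_TYPE = 41  # RR type of the EDNS(0) OPT pseudo-record


def dig_ednsopt_arg(code: int, data: bytes) -> str:
    """Render an option as dig's +ednsopt=CODE:HEXDATA argument."""
    return f"{code}:{data.hex()}"


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_opt_rr(options, udp_size: int = 1232) -> bytes:
    """OPT RR: root name, type 41, CLASS = UDP payload size, TTL = 0, then TLV options."""
    rdata = b"".join(struct.pack("!HH", code, len(d)) + d for code, d in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def build_query(qname: str, qtype: int, options, msg_id: int = 0x1234) -> bytes:
    """A minimal recursive query with one question and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, qd=1, ar=1
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + build_opt_rr(options)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (handles a trailing compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def extract_edns_options(msg: bytes):
    """Return [(code, data), ...] from every OPT RR in the message, in wire order."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    options = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, p)
            p += 4
            options.append((code, rdata[p:p + olen]))
            p += olen
    return options


def select_rpz_tag(msg: bytes, from_trusted_enricher: bool, default=None):
    """Pick the RPZ tag for a query. Only honour the option when the query came
    through the operator's enrichment path; a client can set any EDNS option it
    likes, so a client-originated tag must not be allowed to select a policy."""
    if not from_trusted_enricher:
        return default
    for code, data in extract_edns_options(msg):
        tag = EDNS_CONTROL_TAGS.get((code, data))
        if tag is not None:
            return tag
    return default


if __name__ == "__main__":
    q = build_query("google.com", 1, [(64000, b"rpz-3")])
    print("dig @localhost google.com +ednsopt=" + dig_ednsopt_arg(64000, b"rpz-3"))
    print("options:", extract_edns_options(q))
    print("tag (enriched):", select_rpz_tag(q, True))
    print("tag (direct from client):", select_rpz_tag(q, False))
```

Run it and the first line reproduces the dig invocation from the message, confirming that `72707a2d33` is simply "rpz-3" in hex. An unknown value such as `rpz-9`, or a query that bypassed the enrichment point, falls back to the default policy rather than to a less restrictive one.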