RPZ and Views Interaction
Otto Retter
otto at relax.theregoesmy.email
Tue Jan 28 05:32:00 UTC 2025
Hi all,
I'm running Unbound 1.22.0. If I have a client, say 10.0.0.1, with
the following tag definitions:
'''
define-tag: "test-client"
access-control-tag: 10.0.0.1/32 "test-client"
'''
and then an RPZ zone defined as:
'''
rpz:
    name: "rpz.test.zone"
    zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "rpz.test"
    tags: "tag1 tag2 test-client"
'''
containing a line like "*.test.com CNAME .", I correctly get
an NXDOMAIN when querying "hello.test.com" when _no_ views are
enabled. However, if I throw views into the mix, then I am seeing
"hello.test.com" actually resolve. Here are my view definitions:
'''
access-control-view: 10.0.0.1/32 test-client
view:
    name: "test-client"
    view-first: yes
    local-zone: "test.internal" static
    local-data: "test.internal A 10.0.0.1"
'''
Note that querying "test.internal" from 10.0.0.1 returns the correct
A record, but querying anything under "rpz.test.zone" seems to bypass
RPZ. Is this intended behavior, am I not supposed to mix views and
RPZ, or is there perhaps a bug? Would be interested if anyone can
reproduce or if I've messed this up on my end. I have not yet turned
up verbosity to do any deeper digging, but would be happy to do so, and
I am willing/able to compile/test any fixes if there is indeed a bug.
Thanks,
Otto
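As an added reproduction harness (not code from Otto's post or from the Unbound project), the script below writes the tag, RPZ and view settings above into one complete unbound.conf plus the RPZ zone file, so the tag-only case and the tag+view case can be compared by toggling a single line. It assumes Unbound listens on 127.0.0.1, that 10.0.0.1 is configured on a local interface so `dig -b` can source from it, and it drops tag1/tag2, whose define-tag lines the post does not show.

```shell
#!/bin/sh
# Constructed reproduction, added here; it is not code from the original post.
# Merges the poster's tag, RPZ and view settings into one unbound.conf so the
# tag-only and tag+view cases can be compared by toggling a single line.
write_repro() {
    dir="$1"
    mkdir -p "$dir/zones/rpz"
    # RPZ zone: the wildcard QNAME trigger from the post plus a minimal SOA/NS.
    # Relative owner names get the zone name appended, as RPZ triggers need.
    cat > "$dir/zones/rpz/rpz.test.zone" <<'EOF'
rpz.test.zone. 60 IN SOA localhost. root.localhost. 1 3600 600 86400 60
rpz.test.zone. 60 IN NS  localhost.
*.test.com     60 IN CNAME .
EOF
    cat > "$dir/unbound.conf" <<EOF
server:
    verbosity: 2
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.1/32 allow
    define-tag: "test-client"
    access-control-tag: 10.0.0.1/32 "test-client"
    # Comment out the next line to get the tag-only case from the post.
    access-control-view: 10.0.0.1/32 test-client
rpz:
    name: "rpz.test.zone"
    zonefile: "$dir/zones/rpz/rpz.test.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "rpz.test"
    tags: "test-client"
view:
    name: "test-client"
    view-first: yes
    local-zone: "test.internal" static
    local-data: "test.internal A 10.0.0.1"
EOF
}
# The checks need a running Unbound, so they are printed rather than run:
# test.internal must still come from the view, and hello.test.com must be
# NXDOMAIN with an "rpz.test" log line if the RPZ trigger fired.
print_checks() {
    printf '%s\n' \
        "unbound-checkconf $1/unbound.conf" \
        "unbound -d -c $1/unbound.conf" \
        "dig @127.0.0.1 -b 10.0.0.1 test.internal A  # expect 10.0.0.1" \
        "dig @127.0.0.1 -b 10.0.0.1 hello.test.com A # expect NXDOMAIN"
}
REPRO_DIR="${REPRO_DIR:-$(mktemp -d)}"
write_repro "$REPRO_DIR" && print_checks "$REPRO_DIR"
```

Running the two dig commands once with and once without the access-control-view line isolates whether the view alone is what lets hello.test.com resolve.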