RPZ and Views Interaction
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Tue Jan 28 12:11:17 UTC 2025
Hi Otto,
From a quick test here locally (1.22.0) the tagged client does get the
view local-data and also gets RPZ filtering applied.
The minimal configuration I used is:
'''
server:
    module-config: "respip validator iterator"
    define-tag: "test-client"
    access-control-tag: 127.0.0.0/8 "test-client"
    access-control-view: 127.0.0.0/8 "test-client"

rpz:
    name: "rpz.test.zone"
    zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "rpz.test"
    tags: "test-client"

view:
    name: "test-client"
    view-first: yes
    local-zone: "test.internal" static
    local-data: "test.internal A 10.0.0.1"
'''
If the above does not work for you a couple of pointers:
- Is the incoming traffic using the expected 10.0.0.1 IP?
- Are you using proxy-protocol-port?
- Other configuration that interferes with the above? Mainly for the
access-control part?
- Maybe the content of the RPZ? Try using just a single record for
testing (you still need the SOA record as well).
Best regards,
-- Yorgos
On 28/01/2025 06:32, Otto Retter via Unbound-users wrote:
> Hi all,
>
> I'm running Unbound 1.22.0. If I have a client, say 10.0.0.1, with
> the following tag definitions:
>
> '''
> define-tag: "test-client"
> access-control-tag: 10.0.0.1/32 "test-client"
> '''
>
> and then an RPZ zone defined as:
> '''
> rpz:
>     name: "rpz.test.zone"
>     zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
>     rpz-action-override: nxdomain
>     rpz-log: yes
>     rpz-log-name: "rpz.test"
>     tags: "tag1 tag2 test-client"
> '''
>
> containing a line like "*.test.com CNAME .", I correctly get
> an NXDOMAIN when querying "hello.test.com" when _no_ views are
> enabled. However, if I throw views into the mix, then I am seeing
> "hello.test.com" actually resolve. Here are my view definitions:
> '''
> access-control-view: 10.0.0.1/32 test-client
>
> view:
>     name: "test-client"
>     view-first: yes
>     local-zone: "test.internal" static
>     local-data: "test.internal A 10.0.0.1"
> '''
>
> Note that querying "test.internal" from 10.0.0.1 returns the correct
> A record, but querying anything under "rpz.test.zone" seems to bypass
> RPZ. Is this intended behavior, am I not supposed to mix views and
> RPZ, or is there perhaps a bug? Would be interested if anyone can
> reproduce or if I've messed this up on my end. I have not yet turned
> up verbosity to do any deeper digging, but would be happy to do so, and
> I am willing/able to compile/test any fixes if there is indeed a bug.
>
> Thanks,
> Otto
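As an added example for readers of this thread (not from Yorgos's or Otto's messages, and not Unbound's own documentation): the minimal RPZ zone file the reply suggests testing with, i.e. the SOA record plus a single rule. The zone name and the `*.test.com CNAME .` rule are the ones from the thread; the SOA/NS owner names, serial and TTL values are assumptions, as is the `$TTL`/`$ORIGIN` layout, which Unbound's zonefile loader accepts.

```zone
; Minimal RPZ zone for testing the RPZ + views setup discussed above.
; Example file, not from the thread. Owner names, serial and TTLs are assumed.
$ORIGIN rpz.test.zone.
$TTL 300

; An RPZ is an ordinary authoritative zone, so it needs an apex SOA (and
; conventionally an NS) before Unbound will load it.
@   IN  SOA localhost. hostmaster.localhost. (
            2025012801  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            300         ; minimum
            )
@   IN  NS  localhost.

; Single policy rule: CNAME "." is the RPZ NXDOMAIN action. Relative owner
; names are appended to $ORIGIN, so this rule is *.test.com.rpz.test.zone.
; With rpz-action-override: nxdomain the override applies regardless of the
; action encoded here, so the wildcard rule below is all that is needed.
*.test.com  IN  CNAME  .
```

With the server/rpz/view configuration from the reply pointing at this file, `unbound-checkconf` validates the syntax, and from a tagged client `dig @127.0.0.1 hello.test.com` should return NXDOMAIN while `dig @127.0.0.1 test.internal` still returns the view's 10.0.0.1. Because `rpz-log: yes` is set, a matched rule also produces a log line carrying the `rpz-log-name`, which distinguishes an RPZ hit from a name that simply does not exist upstream.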