RPZ and Views Interaction

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Tue Jan 28 12:11:17 UTC 2025 

Hi Otto,

 From a quick test here locally (1.22.0) the tagged client does get the 
view local-data and also gets RPZ filtering applied.

The minimal configuration I used is:
'''
server:
     module-config: "respip validator iterator"
     define-tag: "test-client"
     access-control-tag: 127.0.0.0/8 "test-client"
     access-control-view: 127.0.0.0/8 "test-client"

rpz:
     name: "rpz.test.zone"
     zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
     rpz-action-override: nxdomain
     rpz-log: yes
     rpz-log-name: "rpz.test"
     tags: "test-client"

view:
     name: "test-client"
     view-first: yes
     local-zone: "test.internal" static
     local-data: "test.internal A 10.0.0.1"
'''

If the above does not work for you a couple of pointers:
- Is the incoming traffic using the expected 10.0.0.1 IP?
- Are you using proxy-protocol-port?
- Other configuration that interferes with the above? Mainly for the
   access-control part?
- Maybe the content of the RPZ? Try using just a single record for
   testing (you still need to SOA record as well).

Best regards,
-- Yorgos



On 28/01/2025 06:32, Otto Retter via Unbound-users wrote:
> Hi all,
> 
> I'm running Unbound 1.22.0. If I have a client, say 10.0.0.1, with
> the following tag definitions:
> 
> '''
> define-tag: "test-client"
> access-control-tag: 10.0.0.1/32 "test-client"
> '''
> 
> and then an RPZ zone defined as:
> '''
> rpz:
>      name: "rpz.test.zone"
>      zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
>      rpz-action-override: nxdomain
>      rpz-log: yes
>      rpz-log-name: "rpz.test"
>      tags: "tag1 tag2 test-client"
> '''
> 
> containing a line like "*.test.com CNAME .", I correctly get
> an NXDOMAIN when querying "hello.test.com" when _no_ views are
> enabled. However, if I throw views into the mix, then I am seeing
> "hello.test.com" actually resolve. Here are my view definitions:
> '''
> access-control-view: 10.0.0.1/32 test-client
> 
> view:
>      name: "test-client"
>      view-first: yes
>      local-zone: "test.internal" static
>      local-data: "test.internal A 10.0.0.1"
> '''
> 
> Note that querying "test.internal" from 10.0.0.1 returns the correct
> A record, but querying anything under "rpz.test.zone" seems to bypass
> RPZ. Is this intended behavior, am I not supposed to mix views and
> RPZ, or is there perhaps a bug? Would be interested if anyone can
> reproduce or if I've messed this up on my end. I have not yet turned
> up verbosity to do any deeper digging, but would be happy to do so, and
> I am willing/able to compile/test any fixes if there is indeed a bug.
> 
> Thanks,
> Otto

More information about the Unbound-users mailing list