Reading the unbound blog and the RPZ draft, I tried implementing an RPZ response IP address trigger.

My unbound.conf contains a line like:

    module-config: "respip validator iterator"

As an example, the rpz file has the following entry:

    16.205.251.0.0.rpz-ip CNAME *.

When I perform dig ns-1756.awsdns-27.co.uk it returns the actual IP, which I think it should filter and return NODATA.

; <<>> DiG 9.17.11 <<>> ns-1756.awsdns-27.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns-1756.awsdns-27.co.uk.    IN    A

;; ANSWER SECTION:
ns-1756.awsdns-27.co.uk.    14400    IN    A    205.251.198.220

;; Query time: 450 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jul 11 18:37:28 MDT 2021
;; MSG SIZE  rcvd: 68

Am I doing it right?

Marek Abram (Mark)
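Because an rpz-ip trigger name carries the address octets in reverse order behind the prefix length, it is easy to write an owner name that denotes a different prefix than the one intended, and the trigger then silently never fires. The helper below is an added example, not code from the original post or from Unbound: it encodes a CIDR prefix into the rpz-ip owner-name form defined in the RPZ draft (IPv4 octets reversed; IPv6 groups in compressed form, reversed, with "::" written as the label "zz"), decodes an owner name back into the prefix it actually denotes, and checks whether an address from a response's answer section falls inside it. The function names and the policy-zone suffix rpz.example are this example's own.

```python
"""Encode, decode and check RPZ "rpz-ip" response-IP trigger names.

Added example (not from the original post or from Unbound).  Encoding per the
RPZ draft: <prefix-length>.<address in reverse order>.rpz-ip, where IPv4 uses
the four octets and IPv6 uses the compressed groups with "::" written as "zz".
"""
import ipaddress


def encode_rpz_ip(cidr: str) -> str:
    """Return the rpz-ip owner name (relative to the policy zone apex) for a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")[::-1]
    else:
        # Compressed text form; "::" becomes a "zz" label; groups are reversed.
        text = net.network_address.compressed.replace("::", ":zz:")
        labels = [g for g in text.split(":") if g][::-1]
    return f"{net.prefixlen}." + ".".join(labels) + ".rpz-ip"


def decode_rpz_ip(owner: str):
    """Parse an rpz-ip owner name back into the ip_network it actually denotes.

    Accepts a trailing dot and an optional policy-zone suffix after "rpz-ip".
    """
    labels = owner.rstrip(".").split(".")
    if "rpz-ip" not in labels:
        raise ValueError(f"not an rpz-ip trigger: {owner}")
    labels = labels[: labels.index("rpz-ip")]
    prefixlen, addr_labels = int(labels[0]), labels[1:]
    if len(addr_labels) == 4 and all(lab.isdigit() for lab in addr_labels):
        text = ".".join(addr_labels[::-1])           # IPv4: un-reverse the octets
    else:
        # IPv6: un-reverse the groups and turn the "zz" label back into "::".
        text = ":".join(addr_labels[::-1]).replace("zz", ":").replace(":::", "::")
        if text == ":":
            text = "::"
    # strict=False masks host bits, i.e. yields the prefix the trigger covers.
    return ipaddress.ip_network(f"{text}/{prefixlen}", strict=False)


def trigger_matches(owner: str, answer_ip: str) -> bool:
    """Would an address seen in a response's answer section hit this trigger?"""
    return ipaddress.ip_address(answer_ip) in decode_rpz_ip(owner)


if __name__ == "__main__":
    # Constructed sample: the trigger as written in the post, the encoder's output
    # for 205.251.0.0/16, and the answer address from the dig output.
    answer = "205.251.198.220"
    for owner in ("16.205.251.0.0.rpz-ip", encode_rpz_ip("205.251.0.0/16")):
        net = decode_rpz_ip(owner)
        hit = trigger_matches(owner, answer)
        print(f"{owner:24} denotes {net!s:16} matches {answer}: {hit}")
```

Running the script prints, for each owner name, the prefix it denotes and whether 205.251.198.220 is inside it; comparing the two lines shows at a glance whether a hand-written trigger covers the address that the resolver actually returned.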
