Hi,

I have the possibility to enrich every DNS query made by the client (customer with single IP) of my network, and redirect it to my Unbound server if necessary. Enrichment could be made selectively for those clients that would have a special service enabled or bought (like: child protection, security service, and so on; let's call them, for example, rpz-1, rpz-2, rpz-3). If Unbound could make a decision based on the eDNS, and add an extra RPZ tag to the DNS request, I would gain an option to run a few new services for clients from the same subnet.

For example, by using the eDNS tag number from the Unassigned range (values: 26947-65000 according to https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11):

    dig @localhost google.com +ednsopt=64000:72707a2d33

Unbound, based on the eDNS tag ID, could make a decision like:

    edns-control-tag: 64000 "rpz-3"

So every DNS request with eDNS tag-ID = 64000 should apply RPZ tag = rpz-3.

Regards
Robert

On Thu, 8 Jun 2023, 11:57, Petr Menšík via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:

> Hi Robert,
>
> which EDNS options or values you would like to use to make different
> responses? I doubt that is already implemented or documented. What is
> your use-case?
>
> Regards,
> Petr
>
> On 06. 06. 23 14:56, Robert Bokwa via Unbound-users wrote:
> > Hi
> >
> > I'm new on this user list, with Unbound I've been playing for more
> > than a year.
> >
> > Is there a way to use RPZ based on eDNS ? I didn't find anything on
> > documentation besides responses based on SRC IP addresses
> > (access-control-tag) or interface (interface-tag).
> >
> > If not, can it be a valuable feature request?
> > Users that share the same IP address pool could have different RPZ
> > applied.
> >
> > Best regards
> > Robert
>
> --
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, http://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
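
Added example, not part of the thread and not Unbound code: it builds the query that the `dig +ednsopt=64000:72707a2d33` command above sends, parses the OPT record, and maps option code 64000 to a tag the way the proposed `edns-control-tag` line describes. The function names and the mapping table are assumptions; the payload `72707a2d33` is the ASCII string `rpz-3`.

```python
import struct

# Assumption: this table mirrors the message's proposed
# 'edns-control-tag: 64000 "rpz-3"', a suggestion, not an existing Unbound option.
TAG_BY_OPTION_CODE = {64000: "rpz-3"}
OPT_RR_TYPE = 41

def build_query(name, opt_code, opt_data, qid=0x1234):
    """Constructed sample: an A query carrying one EDNS option, like dig +ednsopt."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLEN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", 1, 1) + opt_rr

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_options(msg):
    """Return [(code, payload)] from the OPT RR; ValueError if the message is malformed."""
    options = []
    try:
        qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
            off, end = off + 10, off + 10 + rdlen
            if end > len(msg):
                raise ValueError("RDATA runs past end of message")
            while rtype == OPT_RR_TYPE and off < end:
                code, olen = struct.unpack_from("!HH", msg, off)
                if off + 4 + olen > end:
                    raise ValueError("EDNS option runs past OPT RDATA")
                options.append((code, msg[off + 4:off + 4 + olen]))
                off += 4 + olen
            off = end
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated DNS message") from exc
    return options

def rpz_tag_for(msg):
    """Tag for the first recognised option code, or None when no extra policy applies."""
    codes = (code for code, _ in edns_options(msg))
    return next((TAG_BY_OPTION_CODE[c] for c in codes if c in TAG_BY_OPTION_CODE), None)
```

The option travels in the query itself, so a tag chosen this way is only trustworthy if the enriching network element strips or overwrites any option 64000 that a client sets on its own.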