Hi Otto,
From a quick test here locally (1.22.0), the tagged client does get the
view local-data and also gets RPZ filtering applied.
The minimal configuration I used is:
'''
server:
    module-config: "respip validator iterator"   # respip is required for RPZ
    define-tag: "test-client"
    access-control-tag: 127.0.0.0/8 "test-client"
    access-control-view: 127.0.0.0/8 "test-client"
rpz:
    name: "rpz.test.zone"
    zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "rpz.test"
    tags: "test-client"   # limit this policy to clients carrying the tag
view:
    name: "test-client"
    view-first: yes   # fall through to the global local-zones when the view has no match
    local-zone: "test.internal" static
    local-data: "test.internal A 10.0.0.1"
'''
If the above does not work for you, a couple of pointers:
- Is the incoming traffic using the expected 10.0.0.1 IP?
- Are you using proxy-protocol-port?
- Other configuration that interferes with the above? Mainly for the
access-control part?
- Maybe the content of the RPZ? Try using just a single record for
testing (you still need the SOA record as well).
Best regards,
-- Yorgos
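The pointers above are all static mismatches between the tag, view and rpz pieces, so they can be checked without running Unbound. The script below is an added example for this thread (it is not Unbound project code and not from either poster): it parses a simplified unbound.conf (one "key: value" attribute per line under clause headers such as server:, rpz: and view:) together with the RPZ zone file text, and reports whether a tagged netblock covers the client IP, whether the rpz "tags:" overlap the client's tags, whether the view named by access-control-view exists, whether module-config loads respip, and whether the zone carries an SOA. The sample configuration and zone are constructed copies of the minimal setup above plus the wildcard CNAME from the question; the assumption that access-control-tag and access-control-view pick the most specific matching netblock is the script's, not something the thread states.

```python
"""Offline consistency checks for an Unbound tag / view / RPZ setup (added
example for this thread, not Unbound project code). It parses a simplified
unbound.conf plus the RPZ zone text and applies the pointers from the reply;
it never runs Unbound, so it only catches configuration mismatches."""
import ipaddress
import shlex

CLAUSES = {"server", "rpz", "view", "auth-zone", "forward-zone", "stub-zone"}

def parse_unbound(text):
    """Return [(clause, {attr: [[values], ...]})]; repeated attributes are all kept."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if not rest and key in CLAUSES:
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(shlex.split(rest))
        else:
            raise ValueError("attribute outside any clause: %r" % raw)
    return clauses

def tags_of(values):
    """Flatten quoted tag lists ('a b c') into a set of tag names."""
    return {t for v in values for t in v.split()}

def longest_match(entries, ip):
    """Values of the most specific netblock entry covering ip, or None
    (assumption: access-control-tag/-view match on the longest prefix)."""
    best = None
    for netblock, *rest in entries:
        net = ipaddress.ip_network(netblock, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rest)
    return best[1] if best else None

def zone_has_soa(zone_text):
    """True if a non-comment line of the zone file carries an SOA RR."""
    return any("SOA" in raw.split(";", 1)[0].split()
               for raw in zone_text.splitlines())

def check_setup(conf_text, zone_text, client_ip):
    """Return a list of findings; an empty list means the pieces line up."""
    ip = ipaddress.ip_address(client_ip)
    clauses = parse_unbound(conf_text)
    server = next((a for c, a in clauses if c == "server"), {})
    views = {a["name"][0][0] for c, a in clauses if c == "view" and "name" in a}
    defined = tags_of(v for vals in server.get("define-tag", []) for v in vals)
    findings = []
    # Unbound's default module-config is "validator iterator", i.e. no respip.
    modules = server.get("module-config", [["validator iterator"]])[0][0].split()
    if "respip" not in modules:
        findings.append("module-config lacks respip, so rpz clauses are not applied")
    matched = longest_match(server.get("access-control-tag", []), ip)
    ctags = tags_of(matched) if matched else set()
    if not ctags:
        findings.append("no access-control-tag netblock covers %s" % ip)
    for t in sorted(ctags - defined):
        findings.append("tag %r is used but missing from define-tag" % t)
    view = longest_match(server.get("access-control-view", []), ip)
    if view and view[0] not in views:
        findings.append("access-control-view names undefined view %r" % view[0])
    for clause, attrs in clauses:
        if clause != "rpz" or "tags" not in attrs:
            continue  # an rpz clause without tags applies to every client
        name = attrs.get("name", [["?"]])[0][0]
        rtags = tags_of(v for vals in attrs["tags"] for v in vals)
        if not rtags & ctags:
            findings.append("rpz %s tags %s do not match the client's tags %s"
                            % (name, sorted(rtags), sorted(ctags)))
    if not zone_has_soa(zone_text):
        findings.append("RPZ zone file has no SOA record")
    return findings

# Constructed inputs: the minimal configuration from the reply and a two-record zone.
CONF_OK = """
server:
    module-config: "respip validator iterator"
    define-tag: "test-client"
    access-control-tag: 127.0.0.0/8 "test-client"
    access-control-view: 127.0.0.0/8 "test-client"
rpz:
    name: "rpz.test.zone"
    tags: "test-client"
view:
    name: "test-client"
    view-first: yes
    local-data: "test.internal A 10.0.0.1"
"""
ZONE_OK = """
@ 300 IN SOA rpz.test.zone. hostmaster.rpz.test.zone. 1 3600 900 604800 300
*.test.com CNAME .
"""
if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.0.0.1"):   # tagged client vs. untagged client
        print(ip, check_setup(CONF_OK, ZONE_OK, ip) or "OK")
```

Running it prints no findings for 127.0.0.1 and, for 10.0.0.1, both that no access-control-tag netblock covers it and that the rpz tags therefore match nothing, which is the first thing to look for when a tagged RPZ appears to be bypassed. A real unbound.conf with include: directives or multi-line values would need the parser extended; the checks themselves are independent of that.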
On 28/01/2025 06:32, Otto Retter via Unbound-users wrote:
Hi all,
I'm running Unbound 1.22.0. If I have a client, say 10.0.0.1, with
the following tag definitions:
'''
define-tag: "test-client"
access-control-tag: 10.0.0.1/32 "test-client"
'''
and then an RPZ zone defined as:
'''
rpz:
    name: "rpz.test.zone"
    zonefile: "/var/unbound/etc/zones/rpz/rpz.test.zone"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "rpz.test"
    tags: "tag1 tag2 test-client"
'''
containing a line like "*.test.com CNAME .", I correctly get
an NXDOMAIN when querying "hello.test.com" when _no_ views are
enabled. However, if I throw views into the mix, then I am seeing
"hello.test.com" actually resolve. Here are my view definitions:
'''
access-control-view: 10.0.0.1/32 test-client
view:
    name: "test-client"
    view-first: yes
    local-zone: "test.internal" static
    local-data: "test.internal A 10.0.0.1"
'''
Note that querying "test.internal" from 10.0.0.1 returns the correct
A record, but querying anything under "rpz.test.zone" seems to bypass
RPZ. Is this intended behavior, am I not supposed to mix views and
RPZ, or is there perhaps a bug? Would be interested if anyone can
reproduce or if I've messed this up on my end. I have not yet turned
up verbosity to do any deeper digging, but would be happy to do so, and
I am willing/able to compile/test any fixes if there is indeed a bug.
Thanks,
Otto