Hello,

I would like to implement a sort of RPZ in unbound.

E.g. all A queries for example.com. would be answered with a custom A address, but other queries would be resolved normally. I put the following lines in the config and it works as expected:

local-zone: "example.com." typetransparent
local-data: "example.com. IN A X.Y.Z.W"

In addition to that I would like to 'redirect' IPv6-related queries to the same IPv4 address. This could be done by sending NOERROR with an empty answer section to the client requesting the AAAA record, to force it to do an A record query.

I tried with:

local-zone: "example.com." typetransparent
local-data: "example.com. IN A X.Y.Z.W"
local-data: "example.com. IN AAAA"

This 'works', but the response from unbound is apparently malformed:

$ dig aaaa example.com
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> aaaa example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3330
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Message has 11 extra bytes at end

;; QUESTION SECTION:
;example.com.        IN    AAAA

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Oct 23 15:29:24 CEST 2019
;; MSG SIZE  rcvd: 57

Drill returns an AAAA 'record':

$ drill AAAA example.com @localhost
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 19808
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; example.com.    IN    AAAA

;; ANSWER SECTION:

example.com.    3600    IN    AAAA    \# 0

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 23 15:54:10 2019
;; MSG SIZE  rcvd: 38


Is there another way to deny existence of a record?

Benjamin

P.S.: Unbound version 1.9.4 on CentOS Linux release 7.6.1810 (Core)
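For reference, the two local-zone types behave differently for types that have no local-data entry: with `typetransparent` only the listed types are intercepted and an AAAA query goes upstream, whereas with `transparent` a name that has any local data is treated as authoritative for every type, so an AAAA query for example.com. gets NOERROR with an empty answer section (NODATA). The configuration below is an added illustration, not part of Benjamin's post; X.Y.Z.W is the post's own placeholder address.

```conf
server:
    # Attempt from the post (kept here for comparison, commented out):
    # typetransparent only intercepts the types given in local-data, so an
    # AAAA query for example.com. is still resolved upstream, and the empty
    # "IN AAAA" line yields the zero-length RDATA seen in the dig/drill output.
    # local-zone: "example.com." typetransparent
    # local-data: "example.com. IN A X.Y.Z.W"
    # local-data: "example.com. IN AAAA"

    # With a transparent zone the name example.com. is authoritative in
    # local data, so any type other than A (AAAA included) is answered
    # NOERROR/NODATA, while names without local data such as
    # www.example.com. are still resolved normally.
    local-zone: "example.com." transparent
    local-data: "example.com. IN A X.Y.Z.W"
```

To check the result, run `unbound-checkconf`, reload, and repeat the query from the post (`dig aaaa example.com @::1`): the header should show status NOERROR with ANSWER: 0, and dig should no longer warn about a malformed message or extra bytes. `dig a example.com @::1` should still return X.Y.Z.W.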
