Bug 1262 - Feature request: RPZ
Feature request: RPZ
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
unspecified
All All
: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-05 14:16 CEST by idarlund
Modified: 2017-05-09 15:28 CEST (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description idarlund 2017-05-05 14:16:47 CEST
I've come across https://www.unbound.net/pipermail/unbound-users/2015-December/004143.html and it seems it hasn't been implemented yet. Because of that I've created this feature request.

Domain Name Service Response Policy Zones (DNS RPZ) is a method that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. It is currently implemented in the ISC BIND nameserver (9.8 or later). Another generic name for the DNS RPZ functionality is "DNS firewall".

The prime motivation for create this feature is to protect users from badness on the Internet related to known-malicious global identifiers such as host names, domain names, IP addresses, or nameservers. Criminals tend to keep using the same identifiers until they are taken away from them. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective. Using RPZ, a network or DNS administrator can implement their own protection policies base based on reputation feeds from security service providers on a near-real-time basis.

Examples include:
If one knows a bad hostname or domain name, one can block clients from accessing it or redirect them to a walled garden.
If one know a bad IP address or subnet, one can block clients from accessing hostnames that reference it.
If one knows a nameserver that doesn't host anything except bad domains, one can block clients from accessing DNS information hosted by those nameservers.

More information about RPZ can be found over at https://en.wikipedia.org/wiki/Response_policy_zone
Comment 1 Wouter Wijngaards 2017-05-09 15:28:30 CEST
Hi idarlund,

This response on the mailing list may be useful
https://www.unbound.net/pipermail/unbound-users/2016-January/004147.html

Unbound has gained a lot of features to date that perform actions that could be used to implement a policy that looks like what RPZ specifies.  We are looking at what is necessary to complete that picture, and would welcome your suggestion(s).

Perhaps the current setup is fine and all you need is a transformation script that takes some sort of input and creates a config file (that you include: in the main unbound.conf file)? 

Best regards, Wouter