DRAFT work in progress

Response Policy Zone (RPZ) is a mechanism that makes it possible to define local policies in a standardized way and load policies from external sources.[1]

The base functionality of RPZ, blocking DNS lookups, is similar to Pi-hole but without the pretty graphics (there are no plans to add the pretty graphics).

Note: Domains blocked by RPZ are not DROPped or REJECTed the way a firewall rule does it. RPZ only blocks the domain name lookup. If a user enters an IP address directly to get to their favorite site, RPZ will not stop it from happening. If this is needed, I suggest using IP Address Blocklists.

Installation

Note: The test version of the RPZ add-on is installed manually until it is approved by the IPFire developers. It is installed similarly to the method described here:

https://www.ipfire.org/docs/devel/ipfire-2-x/addon-howto#testing-the-install-uninstall-update-routines-and-add-on-itself

rpz can be installed with the Pakfire web interface or via the console:

pakfire install rpz

Usage

There is no web interface for this add-on (yet!)

To run this add-on, open the serial console, or open the local terminal to access the IPFire box via SSH. There are four simple scripts available for set-up:

rpz-config - Create, remove or make an external RPZ file

rpz-make - Loads custom allow lists and block lists into unbound RPZ

rpz-metrics - Locates RPZ names in the message logs and sorts them by name.

rpz-sleep - Pause RPZ for a NUMBER of seconds (default 5 minutes).

Create a config file for RPZ via "rpz-config"

The rpz-config script assists in creating or deleting RPZ files.

Usage:  rpz-config  <action> <name> <url>
        create or delete RPZ configuration files

Actions:
  add <name> <url>  adds new RPZ config file by RPZ name
  remove <name>     removes unneeded RPZ files by RPZ name
    <name>             unique alpha-numeric name for the RPZ file.  This name appears in the message log and
                         is the base file name for the config file. e.g., threatfox, urlhaus, PopUpAdsHZ
    <url>              URL for RPZ.  Must be in a format similar to https://example.com/path/filename.
                         Other protocols such as file://, ftp://, etc., will not work.
  reload            reloads configuration into unbound
  list              lists all active RPZ names and URLs

Example commands:

rpz-config add MxLightHZ https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/light.txt

rpz-config remove MxLightHZ

Custom allow list or block list via "rpz-make"

The rpz-make script loads the custom allow/block list into unbound RPZ.

Usage:    rpz-make <name>
            build the custom allow or block RPZ files
Name:
  allow       build RPZ file from allowlist
  block       build RPZ file from blocklist
  allowblock  build both RPZ files
  reload      reloads configuration into unbound

Example commands:

rpz-make allow
rpz-make block
rpz-make allowblock

Allow list

Sometimes an external RPZ list will block a website that is needed. Such domains can be added to the allow list.

Edit the /var/ipfire/dns/rpz/allowlist and add the needed websites:

Block list

The block list operates in a similar way as the allow list and is located at /var/ipfire/dns/rpz/blocklist:
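The allow list only works because an RPZ allow entry (a `CNAME rpz-passthru.` record) is consulted before the block lists: RPZ zones are evaluated in configuration order and the first zone that matches a name decides. The following script is an added example, not code from the rpz add-on, showing how QNAME policies in RPZ zone files are matched (exact owner first, then the closest wildcard) and what happens when the allow zone is placed before or after a block zone. The two zone texts are constructed samples in standard RPZ record syntax; the on-disk format of /var/ipfire/dns/rpz/allowlist and blocklist is not assumed here.

```python
"""Added example: how RPZ QNAME policies are matched and why zone order matters.

Illustration code, not part of the IPFire rpz add-on. The zone texts are
constructed samples; the add-on's allowlist/blocklist file format is not assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Standard RPZ action encodings: the CNAME target selects the action.
ACTIONS = {
    ".": "NXDOMAIN",              # answer: the name does not exist
    "*.": "NODATA",               # answer: the name exists but has no records
    "rpz-passthru.": "PASSTHRU",  # allow: stop RPZ processing, resolve normally
    "rpz-drop.": "DROP",          # discard the query without answering
}
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$")

# Constructed allow zone: CDN hostnames under example.org stay reachable.
ALLOW_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 900 604800 300
  IN NS localhost.
cdn.example.org      CNAME rpz-passthru.
*.cdn.example.org    CNAME rpz-passthru.
"""

# Constructed block zone, in the shape of an external RPZ feed.
BLOCK_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 900 604800 300
  IN NS localhost.
example.org          CNAME .
*.example.org        CNAME .
tracker.example.net  CNAME *.
c2.example.com       CNAME rpz-drop.
"""


def parse_rpz(zone_text: str) -> Dict[str, str]:
    """Return {owner_name: action} for the QNAME-trigger CNAME records of a zone."""
    policies: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line or line.startswith("$"):
            continue
        m = CNAME_RE.match(line)
        if not m:                                 # SOA, NS and other records
            continue
        owner, target = m.groups()
        # Any other CNAME target is "local data": redirect to that name.
        policies[owner.lower().rstrip(".")] = ACTIONS.get(target, "LOCAL-DATA " + target)
    return policies


def match_zone(policies: Dict[str, str], qname: str) -> Optional[str]:
    """Exact owner match first, then the closest enclosing wildcard.

    As in RPZ, '*.example.org' covers www.example.org and a.b.example.org
    but not example.org itself.
    """
    name = qname.lower().rstrip(".")
    if name in policies:
        return policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policies:
            return policies[wildcard]
    return None


def evaluate(qname: str, zones: List[Tuple[str, Dict[str, str]]]) -> Tuple[Optional[str], str]:
    """Walk the zones in configured order; the first zone that matches decides."""
    for zone_name, policies in zones:
        action = match_zone(policies, qname)
        if action is not None:
            return zone_name, action
    return None, "RESOLVE"       # no policy applies: normal resolution


# Allow zone before the block zone, and the reverse order for comparison.
ALLOW_FIRST = [("allow", parse_rpz(ALLOW_ZONE)), ("block", parse_rpz(BLOCK_ZONE))]
BLOCK_FIRST = list(reversed(ALLOW_FIRST))

if __name__ == "__main__":
    for q in ("www.example.org", "img.cdn.example.org", "tracker.example.net",
              "c2.example.com", "example.net"):
        print(f"{q:22} allow-first={evaluate(q, ALLOW_FIRST)}  "
              f"block-first={evaluate(q, BLOCK_FIRST)}")
```

With the allow zone first, img.cdn.example.org resolves (PASSTHRU) even though *.example.org is blocked; with the order reversed the block zone wins and the name returns NXDOMAIN. That is the check to run mentally when an allow-list entry appears not to take effect.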

Metrics of RPZ usage via "rpz-metrics"

The rpz-metrics script searches the message logs for RPZ names and sorts those names by the number of hits. Selecting all message logs (one year, or 53 message log files) may take about 60 seconds to complete.

Usage:  rpz-metrics <number of message logs>
    default <number of message logs> is 2
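What rpz-metrics does can be reproduced with a few lines of Python. The script below is an added example and not the add-on's rpz-metrics script; the log lines are constructed and only approximate unbound's `rpz: applied` message (the assumption is that the RPZ name appears in square brackets, followed by the queried name and the action). The path layout /var/log/messages, messages.1, messages.2.gz and so on is also an assumption.

```python
"""Added example: count RPZ hits per list in unbound log lines.

Illustration only, not the rpz add-on's rpz-metrics script. SAMPLE_LOG is
constructed; the rotated-log naming in message_logs() is an assumption.
"""
import gzip
import os
import re
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

# Constructed log lines in the approximate shape of unbound's RPZ logging.
SAMPLE_LOG = """\
Jan 10 10:00:01 ipfire unbound: [1234:0] info: 192.0.2.10 rpz: applied [urlhaus] bad.example. rpz-nxdomain bad.example. A IN
Jan 10 10:00:02 ipfire unbound: [1234:0] info: 192.0.2.11 rpz: applied [MxLightHZ] ads.example. rpz-nxdomain ads.example. A IN
Jan 10 10:00:03 ipfire unbound: [1234:0] info: 192.0.2.10 rpz: applied [MxLightHZ] ads.example. rpz-nxdomain ads.example. AAAA IN
Jan 10 10:00:04 ipfire unbound: [1234:0] info: start of service (unbound 1.19.0).
Jan 10 10:00:05 ipfire unbound: [1234:0] info: 192.0.2.12 rpz: applied [threatfox] c2.example. rpz-nxdomain c2.example. A IN
Jan 10 10:00:06 ipfire unbound: [1234:0] info: 192.0.2.12 rpz: applied [MxLightHZ] track.example. rpz-nxdomain track.example. A IN
"""

# The RPZ name is the <name> given to rpz-config; it is logged in brackets.
RPZ_RE = re.compile(r"rpz: applied \[(?P<zone>[^\]]+)\] (?P<qname>\S+) (?P<action>\S+)")


def rpz_events(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (rpz_name, qname, action) for every line that records an RPZ hit."""
    for line in lines:
        m = RPZ_RE.search(line)
        if m:
            yield m.group("zone"), m.group("qname"), m.group("action")


def hits_per_zone(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """RPZ names ranked by hit count (most hits first, ties by name)."""
    counts = Counter(zone for zone, _, _ in rpz_events(lines))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def top_qnames(lines: Iterable[str], zone: str, n: int = 5) -> List[Tuple[str, int]]:
    """The n most frequently blocked names for one RPZ list."""
    counts = Counter(q for z, q, _ in rpz_events(lines) if z == zone)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def message_logs(count: int, base: str = "/var/log/messages") -> Iterator[str]:
    """Yield lines from the current log and the next count-1 rotated files.

    Assumed layout: base, base.1, base.2 (or base.2.gz) ...; missing files
    are skipped so the function is safe to run on any host.
    """
    for i in range(count):
        candidates = [base] if i == 0 else [f"{base}.{i}", f"{base}.{i}.gz"]
        for path in candidates:
            if not os.path.exists(path):
                continue
            opener = gzip.open if path.endswith(".gz") else open
            with opener(path, "rt", errors="replace") as fh:
                yield from fh
            break


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()          # swap in message_logs(2) on IPFire
    for zone, hits in hits_per_zone(lines):
        print(f"{hits:6d}  {zone}")
        for qname, n in top_qnames(lines, zone, 3):
            print(f"          {n:4d}  {qname}")
```

Ranking by RPZ name tells you which lists actually fire on your network; the per-name breakdown is what you want when a list starts blocking something legitimate and you need to decide whether to add an allow-list entry or drop the list.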

Pause RPZ for N time via "rpz-sleep"

Pauses RPZ for NUMBER seconds. NUMBER may carry a SUFFIX: 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.

Usage:  rpz-sleep <sleep time>
    default <sleep time> is 5 minutes

Logging

RPZ logging can be found in the unbound logs. Go to Logs > System Logs, select DNS: Unbound in the drop-down, and then click the Update button.

  1. Hagezi - DNS Blocklists
  2. ThreatFox - DNS Response Policy Zone (RPZ)
  3. URLHaus - DNS Response Policy Zone (RPZ)
  4. jpgpi250 - DNS block list for DoH[2]

Known issues

  • The current unbound-leases-bridge causes frequent unbound restarts and may cause the RPZ list updates to be delayed by a day or three.
    • The reason is the update mechanism for the RPZ files. Each RPZ file begins with a SOA record defining the update rate. Tests show that unbound evidently keeps a countdown for the 'automagical' update of the file. Reloading unbound resets these counters, so a reload interval shorter than a zone's update time prevents that RPZ file from ever being updated.
    • A workaround may be to delete the RPZ file in /etc/unbound/zonefiles from time to time.
  • Large RPZ files will slow down the unbound reload time and slow down a DNS lookup. Over 500,000 lines of RPZ files (total lines for all RPZ files) is discouraged. Over 1,000,000 lines of RPZ files (total lines for all RPZ files) is NOT recommended.
  • Keep in mind there may be overlap between an RPZ list and a list offered in IP Address Blocklists. Please review the lists chosen before activating.