DRAFT work in progress

Response Policy Zone (RPZ) is a mechanism that makes it possible to define local policies in a standardized way and load policies from external sources. 1

The basic RPZ function of blocking DNS lookups is similar to Pi-hole, but without the pretty graphics (there are no plans to add the pretty graphics).

Note: Domains blocked by RPZ are not DROPped or REJECTed as they are with a firewall rule. RPZ only blocks the domain name lookup; if a user enters an IP address directly to reach their favorite site, RPZ will not stop it. If that is needed, I suggest using IP Address Blocklists.

Installation

Note: The test version of the RPZ add-on is installed manually until it is approved by the IPFire developers. It is installed in a similar way to this method:

https://www.ipfire.org/docs/devel/ipfire-2-x/addon-howto#testing-the-install-uninstall-update-routines-and-add-on-itself

rpz can be installed with the Pakfire web interface or via the console:

pakfire install rpz

Usage via WebGUI

The RPZ WebGUI is here thanks to Leo Hofmann!

To open the RPZ WebGUI go to menu IPFire > Response Policy Zones (RPZ).

Zonefiles section

List of the Names, URLs, and a short Remark for each zonefile item. There are 10 items maximum. Too many lists will slow down Unbound and DNS. 2

Add new line

To add a new RPZ list click on Add in the lower right corner of the Zonefiles section.

Add a Name and the URL of an RPZ list. A short remark can also be added. Then click Save.

Multiple adds or edits can be done at one time (before clicking Apply).

Note: Remember to press Apply after you have finished your modifications. The Apply sends an unbound-control reload which loads the various RPZ configuration files.

Edit an existing line

Click on the pencil (Edit) on the needed line.

Make the needed changes and then click Save.

Multiple adds or edits can be done at one time (before clicking Apply).

Note: Remember to press Apply after you have finished your modifications. The Apply sends an unbound-control reload which loads the various RPZ configuration files.

Custom lists section

List of allowlist domains and blocklist domains. Saving loads the custom allow/block lists into unbound RPZ.

Domains are in this format:

*.com
*.domain.com
*.sub-domain.domain.com
*.sub.sub-domain.domain.com

domain.com
sub-domain.com
sub.sub-domain.domain.com

Allowlist

At times an outside RPZ list will block a needed website. Allowed items can be added to this list.

Blocklist

The blocklist operates in a similar way to the allowlist.

Make the needed changes to the custom allow/block lists and then click Save.

Multiple adds or edits can be done at one time (before clicking Apply).

Note: Remember to press Apply after you have finished your modifications.
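As an added example (not the add-on's own code), the script below turns allow/block entries written in the format above into standard RPZ records and evaluates lookups against them. The record forms (CNAME rpz-passthru. for allow, CNAME . for NXDOMAIN, a leading SOA whose refresh field is the update rate) follow the Unbound RPZ documentation cited on this page; the sample names are constructed, and checking the allowlist before the blocklist is an assumption about how the two custom lists are combined.

```python
"""Render custom allow/block lists as RPZ records and evaluate lookups.

Added example, not the IPFire rpz add-on's code.  Record syntax follows the
Unbound RPZ documentation; allow-before-block ordering is an assumption.
"""

# Constructed sample lists in the page's format ('*.x' = everything below x).
ALLOWLIST = ["needed-site.example", "*.cdn.needed-site.example"]
BLOCKLIST = ["*.ads.example", "tracker.example", "*.tracker.example",
             "*.needed-site.example"]   # an outside list over-blocking a site


def rpz_records(allowlist, blocklist, refresh=3600):
    """Minimal RPZ zone: SOA first (its refresh field is the 'update rate'
    the Notes section refers to), then one CNAME record per entry."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. 1 {refresh} 900 604800 300",
        "@ IN NS localhost.",
    ]
    # 'CNAME rpz-passthru.' exempts a name from later policy; 'CNAME .' -> NXDOMAIN.
    lines += [f"{d} CNAME rpz-passthru." for d in allowlist]
    lines += [f"{d} CNAME ." for d in blocklist]
    return lines


def _matches(pattern, qname):
    """'domain.com' matches only that exact name; '*.domain.com' matches any
    name below it but, as in RPZ, not domain.com itself."""
    pattern, qname = pattern.lower().rstrip("."), qname.lower().rstrip(".")
    if pattern.startswith("*."):
        return qname.endswith("." + pattern[2:])
    return qname == pattern


def policy_for(qname, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Return 'passthru', 'nxdomain' or 'none' for a looked-up name.
    Assumption: the allowlist is consulted first, so it can rescue a needed
    site that a blocklist entry would otherwise cover."""
    if any(_matches(p, qname) for p in allowlist):
        return "passthru"
    if any(_matches(p, qname) for p in blocklist):
        return "nxdomain"
    return "none"


if __name__ == "__main__":
    print("\n".join(rpz_records(ALLOWLIST, BLOCKLIST)))
    for name in ("www.ads.example", "ads.example", "img.cdn.needed-site.example"):
        print(f"{name}: {policy_for(name)}")
```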

Logging

RPZ logging can be found in the unbound logs. Go to Logs > System Logs, then select DNS: Unbound in the drop-down and click the Update button.

  1. Hagezi - DNS Blocklists
  2. ThreatFox - DNS Response Policy Zone (RPZ)
  3. URLHaus - DNS Response Policy Zone (RPZ)
  4. jpgpi250 - DNS block list for DoH 2

RPZ console commands

See the RPZ console commands here --> Using the RPZ Console

Notes

  1. Keep in mind there may be overlap between an RPZ list and a list offered in IP Address Blocklists. Please review the lists chosen before activating.

  2. Each RPZ file begins with a SOA record that defines its update rate. Tests show that unbound keeps a countdown timer for the 'automagical' update of each file, and a reload of unbound resets these timers. Therefore, reloading more often than a file's update interval disables the automatic update of that RPZ file.

    • Defining or removing RPZ config files restarts unbound!

  1. https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html

  2. Large RPZ files slow down the unbound reload and slow down DNS lookups. More than 500,000 lines of RPZ files (total lines across all RPZ files) is discouraged. More than 1,000,000 lines of RPZ files (total lines across all RPZ files) is NOT recommended.