DRAFT work in progress

Response Policy Zone (RPZ) is a mechanism that makes it possible to define local DNS policies in a standardized way and to load policies from external sources.[1]

The base functionality of RPZ DNS blocking is similar to Pi-hole, but without the pretty graphics (and there are no plans to add the pretty graphics).

Note: Domains blocked by RPZ are not DROPped or REJECTed as they would be by a Firewall Rule. RPZ only blocks the domain name lookup: if a user enters an IP address directly to reach their favorite site, RPZ will not stop it from happening. If that is needed, I suggest using IP Address Blocklists.

Installation

Note: The test version of the RPZ add-on is installed manually until it is approved by the IPFire Developers. It is installed in a manner similar to this method:

https://www.ipfire.org/docs/devel/ipfire-2-x/addon-howto#testing-the-install-uninstall-update-routines-and-add-on-itself

rpz can be installed with the Pakfire web interface or via the console:

pakfire install rpz

Usage

There is no web interface for this add-on.

  • PS - I need someone to assist with a WebGUI

To run this add-on, open the serial console or connect to the IPFire box via SSH from a local terminal. There are three simple scripts available for set-up:

rpz-config - Creates or removes an external RPZ config file, or makes the custom allow/block RPZ files

rpz-metrics - Locates RPZ names in the message logs and sorts them by number of hits.

rpz-sleep - Pauses RPZ for a number of seconds (default 5 minutes).

Create a config file for RPZ

The rpz-config script assists in creating, removing or building RPZ files.

Usage:  rpz-config <action> <name> <url>

Actions:
  add <name> <url>        adds a new RPZ config file by RPZ name
  remove <name> <url>     removes unneeded RPZ files by RPZ name
  make <allow or block>   builds the custom allow or block RPZ files

Arguments:
  <name>                  unique alphanumeric name for the RPZ file. This name appears in the message log and
                          is the base name for the config file, e.g., threatfox, urlhaus, PopUpAdsHZ
  <url>                   URL for the RPZ. Must be in a format similar to https://example.com/path/filename.
                          Other protocols such as file://, ftp://, etc. will not work.

Example commands:

rpz-config add MxLightHZ https://raw.githubusercontent.com/hagezi/dns-blocklists/main/rpz/light.txt

rpz-config remove MxLightHZ

rpz-config make allow

Custom allow list or block list

The rpz-config make allow command builds the custom allow list and loads it into the unbound RPZ.

Allow list

Sometimes an outside RPZ list will block a needed website. Such sites can be added to the allow list.

Edit /var/ipfire/rpz/allowlist and add the needed websites, then run rpz-config make allow to load the list.

Block list

The block list works in the same way as the allow list and is located at /var/ipfire/rpz/blocklist; load it with rpz-config make block.

Metrics of RPZ usage

The rpz-metrics script searches the message logs for RPZ names and sorts those names by the number of hits. Selecting all message logs (1 year, or 53 message log files) may take about 60 seconds to complete.

Usage:  rpz-metrics <number of message logs>
    default <number of message logs> is 2

Pause RPZ for a period of time

Pause RPZ for NUMBER seconds. SUFFIX may be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.

Usage:  rpz-sleep <sleep time>
    default <sleep time> is 5 minutes

  1. Hagezi - DNS Blocklists
  2. ThreatFox - DNS Response Policy Zone (RPZ)
  3. URLHaus - DNS Response Policy Zone (RPZ)
  4. jpgpi250 - DNS block list for DoH 2

Known issues

  • The current unbound-leases-bridge causes frequent unbound restarts and may delay the RPZ list updates by a day or three (with some luck).
    The reason is the update mechanism for the RPZ files. Each RPZ file begins with a SOA record defining the update rate. Tests show that unbound evidently keeps a downcounter for the 'automagical' update of the file, and a reload operation of unbound resets these counters. Therefore a reload period shorter than a file's update time disables the update of that RPZ file.
  • Large RPZ files slow down the unbound reload time and slow down DNS lookups. More than 500,000 lines of RPZ files (total lines for all RPZ files) is discouraged. More than 1,000,000 lines of RPZ files (total lines for all RPZ files) is NOT recommended.
  • Keep in mind there may be overlap between an RPZ list and a list offered in IP Address Blocklists. Please review the lists chosen before activating.
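The first known issue above can be checked for rather than waited on: the script below (an added example, not part of the rpz add-on or of IPFire) reads the SOA REFRESH value from each RPZ zone file and flags files whose refresh is longer than the interval at which unbound is being reloaded, because those files will never reach the end of unbound's refresh countdown. The script name, the reload interval and the zone file paths are assumptions; pass it the zone files unbound caches for each rpz: block (its zonefile: option).

```sh
#!/bin/sh
# Added example, not part of the rpz add-on: find RPZ zone files whose SOA
# REFRESH exceeds the unbound reload interval. Every reload resets unbound's
# refresh countdown, so such a file is never auto-updated (see Known issues).
# Paths, script name and reload interval are assumptions for illustration.

# Print the SOA REFRESH (seconds) of the zone file read from stdin. Handles
# one-line and parenthesised multi-line SOA records, strips ';' comments and
# prints nothing when no SOA record is present. BIND time suffixes (1h) are
# not converted.
soa_refresh() {
    awk '
        { sub(/;.*/, "") }                         # drop comments
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }  # SOA record starts here
        insoa { buf = buf " " $0 }                 # collect the record text
        insoa && buf !~ /\(/ { done = 1 }          # one-line form
        insoa && buf ~ /\)/  { done = 1 }          # closing paren seen
        done {
            gsub(/[()]/, " ", buf)
            n = split(buf, f)                      # SOA MNAME RNAME SERIAL REFRESH ...
            for (i = 1; i <= n; i++)
                if (f[i] == "SOA") { print f[i + 4]; exit }
            exit
        }'
}

# check_rpz_refresh <zonefile> <reload-seconds>
# Returns 0 when refresh fits inside the reload interval, 1 when it does not
# (auto-update can never fire), 2 when the file has no SOA record.
check_rpz_refresh() {
    refresh=$(soa_refresh < "$1")
    if [ -z "$refresh" ]; then
        echo "$1: no SOA record found"
        return 2
    fi
    if [ "$refresh" -gt "$2" ]; then
        echo "$1: refresh ${refresh}s > reload interval ${2}s: never auto-updated"
        return 1
    fi
    echo "$1: refresh ${refresh}s <= reload interval ${2}s: ok"
    return 0
}

# Usage (assumed script name): rpz-check-refresh <reload-seconds> <zonefile>...
if [ "$#" -ge 2 ]; then
    reload="$1"; shift
    for zone in "$@"; do
        check_rpz_refresh "$zone" "$reload" || :
    done
fi
```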