NOTE: work in progress, not completed.
This is a template for any sub-pages in the roadmap space. Copy, paste, and edit it as you need.
What is it?
Describe briefly what this feature is about and its benefits to IPFire.
RPZ allows admins to easily block access to websites via DNS lookup. The lookup happens before the actual communication, which is based on IP addresses (and can be blocked by IP Address Blocklists). Usually the URLs (domain names) of malicious websites change much less often than their IP addresses.
Response Policy Zone (RPZ) is a mechanism to define local policies in a standardized way and load those policies from external sources. This is usually done by an application like Pi-hole (running on a device in the local network). This addon provides the same functionality as part of unbound (inside IPFire).
Who is working on it?
List the people who own this feature.
- Jon Murphy
- Bernhard Bitsch
- Leo Hofmann
- Erik Kapfer - consultant
Current Status
- Targeted Release: N/A
- Tracker Bug: none
Description
Describe this feature in detail. Include details as listed below.
This RPZ addon enables the RPZ functionality by adding about 10 lines to the unbound configuration file. The configuration files for the various sources are added by a config script. Further scripts (metrics and sleep) make RPZ easier for the admin to use.
The RPZ scripts do not download the RPZ lists themselves; this is done by the Unbound RPZ code.
Benefits to IPFire
Explain how IPFire and the users benefit from this feature.
RPZ is a straightforward way to stop users from connecting to harmful sites like phishing pages or malware servers while keeping the network and its users safe with minimal fuss.
An easy-to-use allowlist is handy for avoiding issues when legitimate sites get flagged by mistake or need to stay accessible for business reasons.
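As an added illustration (not the addon's own scripts or configuration files), this is the shape of an unbound configuration that loads one external RPZ feed and a local allowlist zone; the allowlist is listed first so that its rpz-passthru rules win over the blocklist. The include path, zone file paths and the feed URL are assumptions and placeholders.

```conf
# Added example, not the IPFire RPZ addon's actual configuration.
# Assumed location: a file in unbound's include directory (placeholder
# path /etc/unbound/local.d/rpz.conf); adjust to your installation.

server:
    # RPZ is implemented by the "respip" module; it must be present in
    # module-config, otherwise the rpz: clauses below are not applied.
    module-config: "respip validator iterator"

# 1) Local allowlist. RPZ zones are evaluated in configuration order and
#    the first matching rule wins, so this clause is placed before the
#    blocklists. The zone file (assumed path) holds passthru rules, e.g.:
#
#      $ORIGIN rpz-allow.
#      @ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 86400
#      @ 3600 IN NS localhost.
#      allowed.example   CNAME rpz-passthru.
#      *.allowed.example CNAME rpz-passthru.
rpz:
    name: "rpz-allow."
    zonefile: "/etc/unbound/rpz/allow.zone"
    rpz-log: yes
    rpz-log-name: "allowlist"

# 2) External blocklist downloaded and refreshed by unbound itself
#    (the addon's scripts do not fetch lists). URL is a placeholder;
#    use the zone URL published by the chosen RPZ provider.
rpz:
    name: "rpz-block-example."
    url: "https://RPZ-PROVIDER.example/category.rpz"
    zonefile: "/var/lib/unbound/rpz-block-example.zone"
    # Force one answer type for every rule in this feed, regardless of
    # what the feed author specified (nxdomain, nodata, passthru, drop).
    rpz-action-override: nxdomain
    # Log each hit; these lines feed a metrics script and help spot
    # false positives that belong in the allowlist above.
    rpz-log: yes
    rpz-log-name: "block-example"
```

Check the result with unbound-checkconf before reloading; a hit on the allowlist zone appears in the log under the rpz-log-name given above, which is the quickest way to confirm that the ordering works as intended.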
RPZ blocking sources are grouped via categories. Examples include:
- fake websites,
- annoying pop-up ads,
- newly registered domains,
- DoH bypass sites,
- bad "host" services,
- malicious top level domains (e.g., .zip, .mov),
- piracy,
- gambling,
- pornography,
- Threat Intelligence Feeds [1]
- and more.
RPZ lists come from various RPZ providers and their available categories. Tests show that Hagezi's lists are a good 'standard': very well maintained, with issue threads on GitHub for reporting new entries or false entries.
Impact
Explain what impact this feature could have on updates and compatibility.
There may be overlap between an RPZ list and a list offered in IP Address Blocklists or the Suricata intrusion prevention system (IPS). Local admins should review the chosen lists before activating them.
Documentation
Write or link to further documentation about this feature. Mainly used to refer to documentation on this site, but also link to developer documentation or Git repositories.
- DNS Response Policy Zones
- Wikipedia - Response policy zone
- Unbound Documentation - Response Policy Zones
- IPFire Community - DoHblock - Blocking DNS over HTTPS via RPZ
- IPFire Community - Test version of a RPZ
- IPFire Wiki - Response Policy Zones (RPZ)
Feedback
This section initially is empty but will over time collect user feedback.
Dependencies
What is required to build this feature. Could be simply 'None'.
This is less a build dependency than a significant challenge:
- finding RPZ lists that meet the needed criteria with additional categories.
Release Notes
(Pre-)write some text that can become part of the release notes to make writing those easier.
To do.
[1] May be overlap with IPS.