# Response Policy Zone (RPZ)

**NOTE**: work in progress, not completed.

*This is a template for any sub-pages in the roadmap space. Copy, paste, and edit it as you need.*

## What is it?

*Describe briefly what this feature is about and its benefits to IPFire.*

RPZ allows admins to easily block access to websites via DNS lookup. The lookup happens before the main communication, which is based on IP addresses (and can be blocked by IP Address Blocklists). The URLs of malicious websites usually change much less often than their IP addresses.

Response Policy Zone (RPZ) is a mechanism to define local policies in a standardized way and to load those policies from external sources. This is usually done by an application such as PiHole (running on a device in the local network). This addon provides the same functionality as part of unbound (inside IPFire).


## Who is working on it?

*List the people who own this feature.*

- Jon Murphy
- Bernhard Bitsch
- TBD


## Current Status

- Targeted Release: N/A
- Tracker Bug: none


## Description

*Describe this feature in detail. Include details as listed below.*

This RPZ addon enables the RPZ functionality by adding about 10 lines to the unbound configuration file. The configuration files for the various sources are added by a config script. Further scripts (metrics and sleep) make RPZ easier for the admin to use.

The RPZ scripts do not actually download the RPZ lists. This is done by the Unbound RPZ code.

### Benefits to IPFire

*Explain how IPFire and the users benefit from this feature.*

RPZ blocking sources are grouped via categories. Examples include:

- [fake websites](https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#trollface-fake---protects-against-internet-scams-traps--fakes-),
- annoying [pop-up ads](https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#tada-pop-up-ads---protects-against-annoying-and-malicious-pop-up-ads-),
- newly registered domains,
- DoH bypass sites,
- bad "host" services,
- malicious top level domains (e.g., `*.zip`, `*.mov`),
- piracy,
- gambling,
- pornography,
- and more.

RPZ lists come from various RPZ providers and their available categories. Tests show that [Hagezi's lists](https://github.com/hagezi/dns-blocklists) are a good 'standard': they are very well maintained and have some issue threads on GitHub for reporting new entries or false entries.

### Impact

*Explain what impact this feature could have on updates and compatibility.*

There may be overlap between an RPZ list and a list offered in IP Address Blocklists. Please review the lists chosen before activating.
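
One kind of review before activating a list, going beyond the overlap check mentioned above, is to see which names your network depends on would be blocked by it. This is an added example, not part of the RPZ addon or IPFire; the zone text is constructed sample data, the function names are hypothetical, and it assumes QNAME triggers written relative to the zone origin.

```python
# Added example: what would an RPZ list do to names you need to keep reachable?
# SAMPLE_ZONE is constructed data; owner names are assumed relative to the zone origin.
SAMPLE_ZONE = """\
$TTL 300
@ SOA localhost. root.localhost. 1 43200 3600 86400 300
@ NS localhost.
; constructed entries
bad.example       CNAME .
*.bad.example     CNAME .
tracker.example   CNAME *.
ok.example        CNAME rpz-passthru.
sink.example  300 IN A 192.0.2.1
32.7.2.0.192.rpz-ip CNAME .
"""

# Special CNAME targets defined by the RPZ format; anything else is local data.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def parse_rpz(text):
    """Return {trigger: action} for the QNAME triggers in an RPZ zone file."""
    policy = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("$") or fields[0] == "@":
            continue  # comments, directives, apex SOA/NS records
        owner = fields[0].lower().rstrip(".")
        if owner.rsplit(".", 1)[-1].startswith("rpz-"):
            continue  # rpz-ip, rpz-nsdname, ... are not QNAME triggers
        rest = fields[1:]
        while len(rest) > 2 and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # drop optional TTL and class
        rtype, rdata = rest[0].upper(), rest[1].lower()
        policy[owner] = ACTIONS.get(rdata, "LOCAL-DATA") if rtype == "CNAME" else "LOCAL-DATA"
    return policy

def lookup(policy, qname):
    """Action applied to qname, or None. Exact match first, then closest wildcard."""
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # *.bad.example covers subdomains only
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None

def review(policy, must_resolve):
    """Names from must_resolve that the list would block or rewrite."""
    return {n: a for n in must_resolve
            if (a := lookup(policy, n)) not in (None, "PASSTHRU")}
```

Calling `review(parse_rpz(zone_text), names)` with the names your network relies on returns only the entries that need a second look before the list goes live.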

### Documentation

*Write or link to further documentation about this feature. Mainly used to refer to documentation on this site, but also link to developer documentation or Git repositories.*

- [DNS Response Policy Zones](https://dnsrpz.info)
- [Wikipedia - Response policy zone](https://en.wikipedia.org/wiki/Response_policy_zone)
- [Unbound Documentation - Response Policy Zones](https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html)
- [IPFire Community - DoHblock - Blocking DNS over HTTPS via RPZ](https://community.ipfire.org/t/dohblock-blocking-dns-over-https-via-rpz/10295/1)
- [IPFire Community - Test version of a RPZ](https://community.ipfire.org/t/i-created-a-test-version-of-a-rpz-add-on-and-i-am-looking-for-feedback/11934/1)
- [IPFire Wiki - Response Policy Zones (RPZ)](https://www.ipfire.org/docs/addons/rpz)


## Feedback

*This section initially is empty but will over time collect user feedback.*


## Dependencies

*What is required to build this feature. Could be simply 'None'.*

This is more of a significant challenge: finding RPZ lists that meet the needed criteria and are not part-time lists.

## Release Notes

*(Pre-)write some text that can become part of the release notes to make writing those easier.*

To do.