
unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply #596

Closed
jpgpi250 opened this issue Jan 4, 2022 · 2 comments

@jpgpi250

jpgpi250 commented Jan 4, 2022

Pi-hole + unbound user here (currently v1.14.0), using RPZ zones to ensure 'always blocked', using, for example, the list from urlhaus.

When using pi-hole + unbound, unbound is used as the upstream resolver.
The developer of pihole-FTL has added code to allow detection of responses blocked by the upstream resolver.
Pi-hole (dnsmasq+++) can use a variety of upstream resolvers. Apparently, when using the upstream resolver quad9, the following code allows pi-hole to indicate that the query was blocked by the upstream resolver:

[FR]: is it possible to provide this information from unbound to pi-hole, e.g. unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply?

@wcawijngaards
Member

The commit adds the option rpz-signal-nxdomain-ra and if it is set, then the RA flag is turned off for NXDOMAIN blocked queries by the RPZ.
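The signal described above (NXDOMAIN with the RA flag cleared) is what a downstream resolver such as Pi-hole can key on. As an added illustration, not code from unbound or Pi-hole, the following parses the DNS header of a reply and classifies it; the sample replies are constructed inline, and the flag layout is the standard RFC 1035 header.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired (copied from the query)
RA = 0x0080          # recursion available; rpz-signal-nxdomain-ra: yes clears it
RCODE_MASK = 0x000F
RCODE_NXDOMAIN = 3


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into the fields of interest."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
    }


def classify_reply(msg: bytes) -> str:
    """Classify a reply from a recursive resolver.

    Caveat: RA only means something when the responder is a recursive
    resolver. An authoritative server legitimately answers NXDOMAIN with
    RA clear, so this check must only be applied to the configured upstream.
    """
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_NXDOMAIN and not h["ra"]:
        return "blocked-upstream"   # the RPZ signal from rpz-signal-nxdomain-ra
    if h["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"           # ordinary "name does not exist"
    return "answered"


def build_header(ident: int, flags: int, qd: int = 1, an: int = 0) -> bytes:
    """Build a header-only DNS message (constructed test input)."""
    return struct.pack("!6H", ident, flags, qd, an, 0, 0)


# Constructed sample replies (header only; question/answer sections omitted).
NORMAL_NXDOMAIN = build_header(0x1234, QR | RD | RA | RCODE_NXDOMAIN)
RPZ_SIGNALLED = build_header(0x1234, QR | RD | RCODE_NXDOMAIN)   # RA cleared
NOERROR_REPLY = build_header(0x1234, QR | RD | RA, an=1)
```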

wcawijngaards added a commit that referenced this issue Jan 5, 2022
  the rcode from the iterator return path. This fixes signal unset RA
  after a CNAME.
wcawijngaards added a commit that referenced this issue Jan 5, 2022
@jpgpi250
Author

jpgpi250 commented Jan 5, 2022

Tested: compiled unbound master branch 1.14.1 and used the latest pi-hole version.
Added rpz-signal-nxdomain-ra: yes to the rpz config.

Works perfectly, result as expected in the pihole query log. Thanks @wcawijngaards


jedisct1 added a commit to jedisct1/unbound that referenced this issue Jan 13, 2022
* nlnet/master:
  - Fix prematurely terminated TCP queries when a reply has the same ID.
  - Changelog note for NLnetLabs#600 - Merge NLnetLabs#600 from pemensik: Change file mode before changing file owner.
  - Change file mode before changing file owner
  - Update documentation links
  - Fix for NLnetLabs#596: Fix rpz-signal-nxdomain-ra to work for clientip triggered operation.
  - Fix NLnetLabs#598: Fix unbound-checkconf fatal error: module conf 'respip dns64 validator iterator' is not known to work.
  - Fix for NLnetLabs#596: add unit test for nsip trigger and signal unset RA.
  - Fix for NLnetLabs#596: add unit test for nsdname trigger and signal unset RA.
  - Fix unit tests for rpz now that the AA flag returns successfully from the iterator loop.
  - Fix for NLnetLabs#596: fix that rpz return message is returned and not just the rcode from the iterator return path. This fixes signal unset RA after a CNAME.
  - Fix that RPZ does not set RD flag on replies, it should be copied from the query.
  - Fix NLnetLabs#596: only unset RA when NXDOMAIN is signalled.
  - Fix to add test for rpz-signal-nxdomain-ra.
  - Fix NLnetLabs#596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
  - contrib/aaaa-filter-iterator.patch file renewed diff content to apply cleanly to the current coderepo for the current code version.
  - Fix NLnetLabs#591: Unbound-anchor manpage links to non-existent license file.