RPZ based on destination

Hello,

we are implementing a recursive DNS service with multiple RPZ zones, where the user can decide which policies to use by selecting one of multiple DNS server IPs (think Cloudflare: 1.1.1.1 - default, 1.1.1.2 - with malware blocking, 1.1.1.3 - malware+adult blocking).

To implement this (in one server) one could run multiple unbound instances, but the rpz: unbound configuration already supports tags; however, tags can only be set by client source IP.

I'm thinking about adding one more access-control directive, like access-control-tag, but for destination IP (let's say access-control-dest-tag).

Do you think it would be a reasonable approach?

Best Regards,

Tomas

Hi Tomas,

There is ongoing work that we call acl per interface.
This applies all the same logic of the access-control directives but for the listening interface(s) instead.

It is being worked on a separate branch:
  https://github.com/NLnetLabs/unbound/tree/acl_interface

This will be part of the next Unbound *feature* release (circa September).

It should be ready, pending review near the release date.

If you want to already test I can provide some quick documentation:

- each access-control-* option you could previously use per client-ip
   you can now do the same per listening interface with interface-*.
   Note: The "access-control:" directive is named "interface-action:"
- if you mix and match access-control* options and the new interface-*
   options, the access-control* options always overrule the interface-*
   options as they are considered more specific (targeting clients
   instead of the whole interface).
- The interfaces used in the interface-* options must have been already
   defined with the interface: directive.

The unbound.conf man page and the example.conf file should provide most of the information you would need.

Let me know if it works for you.

Best regards,
-- George

Thanks George,

I will definitely try this separate branch.

Hi George,

is there any chance you could help merge the acl_interface branch into 1.16.2?

util/configparser.c, util/configlexer.c and daemon/daemon.c fail to patch.

Hi Tomas,

I can do you one better.
ACL per interface is going to be included in the next feature version of Unbound (somewhere in September).
I would probably have a PR ready this week which will be ready to be merged on master.

I will update here when the PR is ready.

Best regards,
-- George

Hi Tomas,

The PR is now ready (https://github.com/NLnetLabs/unbound/pull/753).
I had to rebase (and force push) to the acl_interface branch, so if you were using that already a simple git pull will probably not work.

Best regards,
-- George

Thanks George,

I've successfully compiled it and, testing so far, I see no issues.

P.S. for other users, make sure to take into account the comment
"Note: any 'access-control*:' setting overrides all 'interface-*:'"

The config:

  interface: 192.168.0.1
  interface: 192.168.0.2
  define-tag: "malware"
  interface-tag: 192.168.0.2 "malware"
  access-control: 0.0.0.0/0 allow
  rpz:
    name: "malware.zone"
    primary: 192.168.0.100
    tags: "malware"

will not work as one might expect - the queries to 192.168.0.2 will not use the rpz.

You need something like this:

  interface: 192.168.0.1
  interface-action: 192.168.0.1 allow
  interface: 192.168.0.2
  interface-action: 192.168.0.2 allow
  define-tag: "malware"
  interface-tag: 192.168.0.2 "malware"
  rpz:
    name: "malware.zone"
    primary: 192.168.0.100
    tags: "malware"
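A small configuration check for the pitfalls raised in this thread: George's note that any access-control* option overrules the interface-* options, his requirement that interfaces named in interface-* be declared with interface: first, and Tomas's P.S. showing the RPZ tag silently not applying. This is an added example written for this page, not code from Unbound or from either poster. It assumes the unbound.conf line syntax shown in the thread (key: value lines, '#' comments, and an unindented name with no value such as rpz: opening an indented clause), and it embeds both of Tomas's configurations as constructed sample input. It complements unbound-checkconf rather than replacing it.

```python
"""Lint an unbound.conf fragment for the acl-per-interface pitfalls in this thread.

Assumed syntax (not taken from Unbound's parser): 'key: value' lines, '#'
comments, and an unindented 'name:' line with no value opening a clause
such as server: or rpz:.
"""
from typing import List, Optional, Tuple

# Constructed sample: Tomas's first configuration, where the RPZ never applies.
SAMPLE_BROKEN = """
interface: 192.168.0.1
interface: 192.168.0.2
define-tag: "malware"
interface-tag: 192.168.0.2 "malware"
access-control: 0.0.0.0/0 allow
rpz:
  name: "malware.zone"
  primary: 192.168.0.100
  tags: "malware"
"""

# Constructed sample: Tomas's corrected configuration.
SAMPLE_FIXED = """
interface: 192.168.0.1
interface-action: 192.168.0.1 allow
interface: 192.168.0.2
interface-action: 192.168.0.2 allow
define-tag: "malware"
interface-tag: 192.168.0.2 "malware"
rpz:
  name: "malware.zone"
  primary: 192.168.0.100
  tags: "malware"
"""

Entry = Tuple[Optional[str], str, str]  # (clause, key, value)


def parse(text: str) -> List[Entry]:
    """Split the config into (clause, key, value) triples.

    Lines before any clause header get clause None; the checks below treat
    options under 'server:' the same as top-level ones.
    """
    entries: List[Entry] = []
    clause: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not value and not line[0].isspace():
            clause = key  # e.g. "server", "rpz", "forward-zone"
            continue
        entries.append((clause, key, value))
    return entries


def _words(value: str) -> List[str]:
    """Tokenise a value, dropping the quotes around tag names."""
    return [w.strip('"') for w in value.split()]


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no pitfall found."""
    entries = parse(text)
    server = [(k, v) for c, k, v in entries if c in (None, "server")]
    interfaces = {v.split("@")[0] for k, v in server if k == "interface"}
    tags = {t for k, v in server if k == "define-tag" for t in _words(v)}
    iface_opts = [(k, v) for k, v in server if k.startswith("interface-")]
    findings: List[str] = []

    # Pitfall 1 (George's note, Tomas's P.S.): any access-control* option
    # overrules every interface-* option, so interface tags never take effect.
    acl = sorted({k for k, _ in server if k.startswith("access-control")})
    if acl and iface_opts:
        findings.append(
            f"{', '.join(acl)} present: it overrides all interface-* options, "
            f"so the interface tags/actions will not apply"
        )

    # Pitfall 2: interface-* options must name an interface declared with interface:.
    for key, value in iface_opts:
        words = _words(value)
        target = words[0].split("@")[0] if words else ""
        if target not in interfaces:
            findings.append(f"{key}: {target!r} is not declared with 'interface:'")
        # Pitfall 3: every tag used must exist in define-tag.
        if key == "interface-tag":
            findings += [f"interface-tag: tag {t!r} not in define-tag"
                         for t in words[1:] if t not in tags]
    for clause, key, value in entries:
        if clause == "rpz" and key == "tags":
            findings += [f"rpz tags: tag {t!r} not in define-tag"
                         for t in _words(value) if t not in tags]
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"[{label}]", lint(cfg) or "no findings")
```

Run on the two samples, the first reports the access-control override and the second is clean; feeding it your own server: block before a reload catches the same mistake before clients on the "malware" interface quietly stop getting the policy.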