RPZ based on eDNS

Hi

I’m new on this user list; I’ve been playing with Unbound for more than a year.

Is there a way to use RPZ based on EDNS? I didn’t find anything in the documentation besides responses based on source IP addresses (access-control-tag) or interface (interface-tag).

If not, can it be a valuable feature request?
Users that share the same IP address pool could have different RPZ applied.

Best regards
Robert

Hi Robert,

Which EDNS options or values would you like to use to make different responses? I doubt that is already implemented or documented. What is your use case?

Regards,
Petr

Hi

I have the possibility to enrich every DNS query made by the client (customer with single IP) of my network, and redirect it to my Unbound server if necessary.

Enrichment could be made selectively for those clients that have a special service enabled or bought (like child protection, security service, and so on; let’s call them, for example, rpz-1, rpz-2, rpz-3).
If Unbound could make a decision based on the EDNS option and add an extra RPZ tag to the DNS request, I would gain an option to run a few new services for clients from the same subnet.

For example, by using an EDNS option code from the Unassigned range (values 26947-65000 according to https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-11):

dig @localhost google.com +ednsopt=64000:72707a2d33

Unbound, based on the EDNS option code, could make a decision like:

edns-control-tag: 64000 "rpz-3"

So every DNS request with EDNS option code 64000 should apply RPZ tag rpz-3.

Regards
Robert

Thu, 8 Jun 2023, 11:57, Petr Menšík via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
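As an added illustration of the decision Robert proposes (not code from the thread or from Unbound), the following Python builds a query carrying the same EDNS option as the `dig +ednsopt=64000:72707a2d33` example (the hex data decodes to "rpz-3"), parses the OPT pseudo-RR back out of the wire message, and maps option code 64000 to the tag "rpz-3" as the hypothetical `edns-control-tag` rule would. The `EDNS_CONTROL_TAGS` table and `from_trusted_enricher` flag are assumptions; the flag models the practical caveat that an EDNS option is client-controlled data and should only steer policy when the query arrived via the operator's own enrichment path.

```python
import struct
from typing import Optional

# Hypothetical rule table mirroring the proposed `edns-control-tag: 64000 "rpz-3"`.
EDNS_CONTROL_TAGS = {64000: "rpz-3"}

def build_query(qname: str, opt_code: int, opt_data: bytes) -> bytes:
    """Constructed sample: minimal A query for qname with one EDNS option in an OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # id, RD flag, qd, an, ns, ar
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = struct.pack("!HH", opt_code, len(opt_data)) + opt_data  # OPTION-CODE, LENGTH, DATA
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:
            return off + 2  # 2-byte compression pointer ends the name
        off += 1 + l

def edns_options(msg: bytes) -> dict:
    """Return {option_code: data} from the first OPT RR found after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype != 41:
            off += rdlen
            continue
        opts, end = {}, off + rdlen
        while off < end:
            code, olen = struct.unpack("!HH", msg[off:off + 4])
            opts[code] = msg[off + 4:off + 4 + olen]
            off += 4 + olen
        return opts
    return {}

def rpz_tag_for_query(msg: bytes, from_trusted_enricher: bool = True) -> Optional[str]:
    """Tag the proposed rule would apply; ignored unless the query came via the enrichment path."""
    if not from_trusted_enricher:
        return None
    for code, tag in EDNS_CONTROL_TAGS.items():
        if code in edns_options(msg):
            return tag
    return None
```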