RPZ ignored when is CNAME target?

Folks, I've got RPZ settings in unbound, using a public feed (after
local safety exemptions, etc); to avoid tripping malware filters with
this email, let's assume that the malicious domain is "example.org".
Unbound is 1.13.0.

The URL retrieved and cached contains:

  example.org CNAME .

If I `dig -t a www.example.org @192.168.1.53` then I see:

  ;; ANSWER SECTION:
  www.example.org. 14399 IN CNAME example.org.
  example.org. 14400 IN A 192.0.2.1

If I `dig -t a example.org @192.168.1.53` then I instead get an
NXDOMAIN.

So the RPZ filtering only applies to the initial query name, not to that
name appearing in a CNAME chain in the response.

Is this the _expected_ behavior?

Thanks,
-Phil

Yes, and you can add a *.example.org CNAME . entry in your RPZ zone file to catch anything “below” too.

Re,
/P

That's a distinct issue; for my local RPZ zone, I do exactly that. For
instance, I tend to be paranoid about public feeds of "deny access"
rules and make sure that my own IP ranges and domains are exempted,
always, so that I'm less likely to be locked out of my own stuff because
of a corrupted feed, so I do have:

  spodhuis.org CNAME rpz-passthru.
  *.spodhuis.org CNAME rpz-passthru.

Really the fact that www.example.org was a subdomain of the target of
the CNAME is a red herring. If I have `example.org` and `*.example.org`
in the deny-list, and then someone registers `example.net` and sets it
up as a DNAME for `example.org`, that's a rather fast way to get around
checks.

I've done what I should have done before and checked the spec; by my
reading of <https://tools.ietf.org/html/draft-vixie-dns-rpz-04>, section
5.1 seems to claim that if www.example.net is a CNAME pointing to
example.org, and example.org is set to return NXDOMAIN, then
www.example.net should return NXDOMAIN too.

Am I mis-reading 5.1, or is Unbound not (yet?) implementing this version
of the spec?

-Phil
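
[Added example, not part of the thread and not Unbound's code: a small model of the section 5.1 behaviour Phil describes, where QNAME triggers are checked against the query name and then against every CNAME and DNAME target the resolver follows. The zone contents, the query names and the answer sections are constructed to mirror the thread (the "public feed" with only `example.org CNAME .`, and the local `rpz-passthru` rules); the target encodings (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.`, `rpz-drop.`) are the draft's. Running it shows that, under that reading, the `www.example.org` answer in the first message should have been rewritten to NXDOMAIN at the `example.org` hop, and that a DNAME from `example.net` to `example.org` is caught only when the targets of the chain are checked.]

```python
"""Added example (not Unbound's code): apply RPZ QNAME triggers to every
name in a response's CNAME/DNAME chain, the behaviour read out of
draft-vixie-dns-rpz section 5.1.  Zone, names and answers are constructed
to mirror the thread; 192.0.2.1 is documentation address space."""

# RPZ zone as owner -> CNAME target.  Target encodings per the draft:
#   "."             NXDOMAIN        "*."            NODATA
#   "rpz-passthru." exempt/stop     "rpz-drop."     drop
# Any other target is local data (an ordinary CNAME rewrite).
PUBLIC_FEED = {"example.org.": "."}          # what the thread's feed carried
LOCAL_RULES = {
    "*.example.org.": ".",                   # added to cover names "below"
    "spodhuis.org.": "rpz-passthru.",        # own domains exempted first
    "*.spodhuis.org.": "rpz-passthru.",
}
FULL_ZONE = {**PUBLIC_FEED, **LOCAL_RULES}


def _fqdn(name):
    """Lower-case with a single trailing dot, so names compare as DNS names."""
    return name.lower().rstrip(".") + "."


def lookup_trigger(zone, name):
    """Most specific QNAME trigger covering `name`: an exact owner wins,
    then the closest wildcard ancestor.  A wildcard "*.x." does not cover
    "x." itself.  Returns (owner, target) or None."""
    name = _fqdn(name)
    if name in zone:
        return name, zone[name]
    labels = name.split(".")            # trailing "" stands for the root
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return wildcard, zone[wildcard]
    return None


def _next_hop(answer, name):
    """Name the resolver would look up next: the target of a CNAME owned
    by `name`, or `name` rewritten through a DNAME that covers it."""
    for owner, rrtype, rdata in answer:
        owner, rdata = _fqdn(owner), _fqdn(rdata)
        if rrtype == "CNAME" and owner == name:
            return rdata
        if rrtype == "DNAME" and name.endswith("." + owner):
            return name[: -len(owner)] + rdata
    return None


def rpz_verdict(zone, qname, answer):
    """Walk qname and every CNAME/DNAME target in `answer`, checking each
    against the zone.  Returns (verdict, name_that_matched, trigger_owner);
    verdict is PASS, NXDOMAIN, NODATA, DROP or LOCAL-DATA."""
    name, seen = _fqdn(qname), set()
    while name not in seen:                 # a CNAME loop ends the walk
        seen.add(name)
        hit = lookup_trigger(zone, name)
        if hit is not None:
            owner, target = hit
            verdict = {".": "NXDOMAIN", "*.": "NODATA",
                       "rpz-passthru.": "PASS",
                       "rpz-drop.": "DROP"}.get(target, "LOCAL-DATA")
            return verdict, name, owner
        name = _next_hop(answer, name)
        if name is None:
            return "PASS", None, None
    return "PASS", None, None


# The thread's dig output, as returned without checking CNAME targets.
THREAD_ANSWER = [
    ("www.example.org.", "CNAME", "example.org."),
    ("example.org.", "A", "192.0.2.1"),
]
# The DNAME scenario from the thread: example.net is a DNAME for example.org,
# so the resolver synthesizes www.example.net -> www.example.org.
DNAME_ANSWER = [
    ("example.net.", "DNAME", "example.org."),
    ("www.example.net.", "CNAME", "www.example.org."),
    ("www.example.org.", "A", "192.0.2.1"),
]
# An exempted own name pointing at a listed one: passthru stops the walk.
PASSTHRU_ANSWER = [
    ("www.spodhuis.org.", "CNAME", "example.org."),
    ("example.org.", "A", "192.0.2.1"),
]

if __name__ == "__main__":
    for zone, q, ans in [(PUBLIC_FEED, "www.example.org", THREAD_ANSWER),
                         (FULL_ZONE, "www.example.net", DNAME_ANSWER),
                         (FULL_ZONE, "www.spodhuis.org", PASSTHRU_ANSWER)]:
        print(q, "->", rpz_verdict(zone, q, ans))
```

With the feed's single rule, the `www.example.org` chain is rewritten at the `example.org` hop; with the wildcard rule present, the DNAME-synthesized `www.example.org` is caught even though the query name `www.example.net` never appears in the zone; and a passthru match on the query name ends the walk before the listed target is reached, which is why the exemptions need to sit ahead of the feed.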

Ah, sorry, I thought you wanted to be sure to block *anything* below.

So you might have found an issue with Unbound's RPZ-implementation.
The initial work references an earlier version of this draft AFAIK...
I’d suggest you file this as an issue on Unbound’s Github page and let the devs look at it.

Re,
/P

Hi Phil,

This is not yet implemented in unbound.
The current RPZ implementation is implementing part of the draft.
There is ongoing work to complete the RPZ implementation and this functionality will also be included.

Best regards,
-- George