Whitelisting domains filtered by RPZ

Hello Unbound fellow users,

We are setting up a large scale filtering based on unbound + RPZ domain lists. We will have 68 lists sorted by themes allowing one to have powerful RPZ filtering.

Some of our themes contain more than 268Mo of FQDNs…

Among these FQDNs are possibly some false positives, or some domains that our user base would like to filter out of these lists (in the first place).

What would be the advised way to exclude / whitelist a domain from RPZ filtering?

We have for example:

rpz:
    name: "blog.rpz.domain"
    zonefile: "blog.rpz.domain"
    primary: 18.16.99.8
    rpz-log: yes
    rpz-log-name: "blog-rpz-domain"
    tags: "blog_test"

In the RPZ list, "twitter.com" is listed and filtered.

Would adding this statement allow "twitter.com" not to be filtered?

local-zone: "*.twitter.com" always_transparent

My goal is that the "always_transparent" statement has precedence over any other config statement (and more particularly over the rpz block).

If you have other suggestions, please let me know.

Sincerely yours.



Answering my own question here:

It looks like the most reliable solution would be to set up a whitelist RPZ zone where you would put your whitelisted domains.

This might look like this:

rpz:
    name: "whitelist.rpz.zone"
    zonefile: "whitelist.rpz.zone"
    rpz-log: yes
    rpz-log-name: "whitelist"
    tags: "whitelist"

and in the zone file simply use something like:

whitelist.rpz.zone. 86400 IN SOA localhost. root.local. 20220413 604800 86400 2419200 86400
whitelist.rpz.zone. 86400 IN A x.y.z.t
whitelist.rpz.zone. 86400 IN NS LOCALHOST.
twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.
*.twitter.com.whitelist.rpz.zone. 86400 IN CNAME rpz-passthru.

If anyone can confirm this is the expected and best / right way to proceed, it would be nice.

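The allowlist-zone approach in the reply above, worked through as an added example (not code from the thread, and not part of Unbound itself): a small Python script that generates the whitelist zone from a plain list of domains, parses the QNAME triggers back out of the zone text, and models how an ordered set of RPZ zones decides a query. It assumes, as Unbound's RPZ documentation describes, that rpz: blocks are consulted in unbound.conf order and the first zone with a matching trigger wins, so the whitelist zone has to be listed before the themed blocking zones. The blocking zone content (blog.rpz.domain with an NXDOMAIN rule for twitter.com) is constructed for the demonstration; the zone name, TTLs and SOA values follow the reply.

```python
"""Generate an RPZ allowlist zone and model first-match policy ordering.

Added example for the thread above; not code from the original posts or
from Unbound itself. Constructed input: the blocking zone text below.
Assumption: RPZ zones are applied in unbound.conf order, first match wins.
"""
from typing import Dict, Iterable, List, Optional, Tuple

PASSTHRU = "rpz-passthru."   # RPZ action: let the resolver answer normally
NXDOMAIN = "."               # RPZ action: answer NXDOMAIN

# Constructed stand-in for the themed blocking zone from the question.
BLOCK_ZONE = """\
blog.rpz.domain. 86400 IN SOA localhost. root.local. 1 604800 86400 2419200 86400
blog.rpz.domain. 86400 IN NS localhost.
twitter.com.blog.rpz.domain. 86400 IN CNAME .
*.twitter.com.blog.rpz.domain. 86400 IN CNAME .
"""


def build_allowlist_zone(origin: str, domains: Iterable[str], serial: int,
                         ttl: int = 86400) -> str:
    """Return zone-file text with a passthru rule for each domain and its subdomains.

    Two QNAME-trigger records are emitted per domain, because the RPZ wildcard
    *.example matches subdomains only, not example itself. SOA/NS values
    follow the reply above.
    """
    origin = origin.rstrip(".") + "."
    lines = [
        f"{origin} {ttl} IN SOA localhost. root.local. {serial} 604800 86400 2419200 86400",
        f"{origin} {ttl} IN NS localhost.",
    ]
    # Normalise: trim, drop trailing dot, lowercase, deduplicate, sort.
    names = sorted({d.strip().rstrip(".").lower() for d in domains if d.strip()})
    for name in names:
        lines.append(f"{name}.{origin} {ttl} IN CNAME {PASSTHRU}")
        lines.append(f"*.{name}.{origin} {ttl} IN CNAME {PASSTHRU}")
    return "\n".join(lines) + "\n"


def parse_triggers(origin: str, zone_text: str) -> Dict[str, str]:
    """Map each QNAME trigger (owner name minus the RPZ origin) to its CNAME target."""
    suffix = "." + origin.rstrip(".") + "."
    triggers: Dict[str, str] = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2:4] != ["IN", "CNAME"]:
            continue  # apex SOA/NS and anything that is not a policy rule
        owner = parts[0].lower()
        if owner.endswith(suffix):
            triggers[owner[: -len(suffix)]] = parts[4]
    return triggers


def match_trigger(qname: str, triggers: Dict[str, str]) -> Optional[str]:
    """Exact owner match first, then the closest enclosing wildcard trigger."""
    q = qname.rstrip(".").lower()
    if q in triggers:
        return triggers[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return triggers[wildcard]
    return None


Zone = Tuple[str, Dict[str, str]]   # (zone name as in unbound.conf, its triggers)


def apply_policy(qname: str, zones: List[Zone]) -> Tuple[Optional[str], Optional[str]]:
    """Walk zones in configuration order; the first zone with a match decides."""
    for zone_name, triggers in zones:
        target = match_trigger(qname, triggers)
        if target is not None:
            return zone_name, target
    return None, None


if __name__ == "__main__":
    allow_text = build_allowlist_zone("whitelist.rpz.zone", ["twitter.com"], 20220413)
    print(allow_text)
    allow = ("whitelist.rpz.zone", parse_triggers("whitelist.rpz.zone", allow_text))
    block = ("blog.rpz.domain", parse_triggers("blog.rpz.domain", BLOCK_ZONE))
    for order in ([allow, block], [block, allow]):
        zone, action = apply_policy("api.twitter.com", order)
        print([z for z, _ in order], "->", zone, action)
```

Running the script prints the generated zone and then the decision for api.twitter.com under both orderings: with the whitelist zone first the answer is rpz-passthru., with the blocking zone first it is the NXDOMAIN rule, which is the ordering mistake to check for in unbound.conf when the whitelist appears not to work.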

Hi