Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FR] Specify if the order of entries in an RPZ file matters #935

Closed
zacknewman opened this issue Sep 11, 2023 · 6 comments
Closed

[FR] Specify if the order of entries in an RPZ file matters #935

zacknewman opened this issue Sep 11, 2023 · 6 comments
Assignees
@gthess

Comments

@zacknewman
Copy link

zacknewman commented Sep 11, 2023
edited
Loading

Current behavior
unbound.conf(5) does not state whether the order of the entries in a Response Policy Zone (RPZ) file matters. While in the Response Policy Zone Options section, it states "RPZ clauses are applied in order of configuration"; it would be nice to know if the order of entries in a given file is also adhered to.

Describe the desired feature
Explicitly state whether the order of RPZ file entries matters.

Potential use-case
I am using unbound as both a recursive resolver and "ad blocker". When having a wildcard entry that corresponds to one RPZ action (e.g., CNAME .), one may want to perform a different action on specific subdomains (e.g., CNAME rpz-passthru.). As an explicit example, what is the outcome of a DNS query for www.example.com based on an RPZ file that looks like below?

$ORIGIN example.
www.example.com CNAME rpz-passthru.
*.example.com CNAME .

If the order of entries matters, then the query will be resolved normally; however if the order of entries does not matter, then sometimes the response will be NXDOMAIN and other times it will be resolved normally. It would be nice to know either way.

Based on a very small sample size, it appears that the order does matter; but that can be a fluke and so I would like to know for certain if one can actually rely on that always being the case.
@spirillen
Copy link

spirillen commented Jul 12, 2024
edited
Loading

I actually have a similar situation where is seems like any "Blocking" rule super seeds "permissive" rules like the passtrhu.

There can be a numerous good arguments for why this is, however, in my case I maintenance a local rpz zone that differs from my projects records *.mypdns.cloud", in my local RPZ zone I have a number of rpz-passthru` records for e.g. GitHub like these

avatars.githubusercontent.com.blacklist.matrix.lan,CNAME,rpz-passthru
private-user-images.githubusercontent.com.blacklist.matrix.lan,CNAME,rpz-passthru

Whereas the @matrix project have the following records

raw.githubusercontent.com.whitelist.mypdns.cloud,CNAME,rpz-passthru
*.githubusercontent.com.malicious.mypdns.cloud,CNAME,.
*.githubusercontent.com.tracking.mypdns.cloud,CNAME,.

Expected behaviour is to get the PASSTRUE = the IP for both avatars- private-user-images.githubusercontent.com

While the log for sure show what actually happens.

Jul 12 19:28:35 vision unbound[104053]: [104053:5] info: 127.0.0.1 avatars.githubusercontent.com. A IN
Jul 12 19:28:35 vision unbound[104053]: [104053:5] info: rpz: applied [malicious policy] *.githubusercontent.com. rpz-nxdomain 127.0.0.1@36385 avatars.githubusercontent.com. A IN
Jul 12 19:28:35 vision unbound[104053]: [104053:5] info: 127.0.0.1 avatars.githubusercontent.com. A IN NXDOMAIN 0.000000 1 58

The question is now, how can the expected output be accommodated by using the RPZ standard rules? is this a request for a weight system, from where a list with the weight of 0 supersedes other lists? (As Zero is the first number in the IT universe and stays first in line)

@spirillen spirillen mentioned this issue Jul 12, 2024
Closed
@gthess
Copy link
Member

gthess commented Jul 23, 2024

@zacknewman, the order of records in a single RPZ file does not matter. An RPZ file is just a regular zone file with extra metadata information. In your example www.example.com. exists and will match the passthru rule. Anything else that does not exist under example.com. (because of the wildcard) will match the NXDOMAIN rule. Duplicate records in the zonefile are ignored by Unbound. I'll update the text on the man page to reflect this.

@spirillen, I believe you are talking about different rpz feeds (different rpz: clauses in Unbound). I will reply to your issue instead.

@gthess gthess self-assigned this Jul 23, 2024
@zacknewman
Copy link
Author

Yeah, it appears to be the case that the most specific match wins regardless; so even though www.example.com matches *.example.com which appears first; the rule on www.example.com "wins" since it's a more specific match. When multiple lines of the same specificity exist, then the first wins.

@gthess
Copy link
Member

gthess commented Jul 23, 2024

Note that a wildcard in DNS is not the same as a wildcard in regular expressions for example.
It is not a catch all under example.com, rather it only matches labels that do not exist.
Quick example for a zonefile with the following content:

one.example.com. TXT "exists"
two.example.com. TXT "exists"
*.example.com. TXT "wildcard"

A query for a.two.example.com. IN TXT will return NXDOMAIN.
It will not be expanded from the above wildcard because two.example.com exists in the zone.
In contrast a query for a.three.example.com. IN TXT will return "wildcard".

The same wildcard rules apply to RPZ files.

@zacknewman
Copy link
Author

Foolishly I treated wildcards like a wildcard in a regular expression; hence the opening of this issue. Had I not been ignorant, I wouldn't have opened this. Apologize for the noise.

gthess added a commit that referenced this issue Jul 23, 2024
@gthess
- For #935 and #1104, clarify RPZ order and semantics.
c717deb
@gthess
Copy link
Member

gthess commented Jul 23, 2024

No problem! You would be surprised how often DNS people (including me) are bitten by wildcard semantics.

jedisct1 added a commit to jedisct1/unbound that referenced this issue Aug 17, 2024
@jedisct1
Merge remote-tracking branch 'nlnet/master'
3857248 
* nlnet/master: (66 commits)
  - Tag for release 1.21.0, the repository continues with 1.21.1   in development.
  - Fix spelling for the cache-min-negative-ttl entry in the   example.conf.
  - Fix that for windows the module startup is called and sets up   the module-config.
  - Set version number to 1.21.0 for release.
  - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,   Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv   University and Reichman University).
  - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco   Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
  - Fix that alloc stats for forwards and hints are printed, and when   alloc stats is enabled, the unit test for unbound control waits for   reloads to complete.
  Changelog note for NLnetLabs#1090 - Merge NLnetLabs#1090: Cookie secret file. Adds   `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store   cookie secrets for EDNS COOKIE secret rollover. The remote control   add_cookie_secret, activate_cookie_secret and drop_cookie_secret   commands can be used for rollover, the command print_cookie_secrets   shows the values in use.
  Cookie secret file (NLnetLabs#1090)
  Update changelog. - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix testbound for alloc stats strdup in util/alloc.c.
  - Fix that alloc stats has strdup checks, it stops debuggers from   complaining about mismatch at free time.
  - Fix that the worker mem report with alloc stats does not attempt   to print memory use of forwards and hints if they have been   deleted already.
  - Fix dnstap test program, cleans up to have clean memory on exit,   for tap_data_free, does not delete NULL items. Also it does not try   to free the tail, specifically in the free of the list since that   picked up the next item in the list for its loop causing invalid   free. Added internal unit test to unbound-dnstap-socket for that.
  - Fix for NLnetLabs#1114: Fix that cache fill for forward-host names is   performed, so that with nonzero target-fetch-policy it fetches   forwarder addresses and uses them from cache. Also updated that   delegation point cache fill routines use CDflag for AAAA message   lookups, so that its negative lookup stops a recursion since the   cache uses the bit for disambiguation for dns64 but the recursion   uses CDflag for the AAAA target lookups, so the check correctly   stops a useless recursion by its cache lookup.
  - Fix to document parameters of auth_zone_verify_zonemd_with_key.
  - Add root key 38696 from 2024 for DNSSEC validation. It is added   to the default root keys in unbound-anchor. The content can be   inspected with `unbound-anchor -l`.
  - For NLnetLabs#935 and NLnetLabs#1104, clarify RPZ order and semantics.
  - Cleanup ede.tdir test.
  - Fix link of unbound-dnstap-socket without openssl.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gthess gthess

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zacknewman @gthess @spirillen