It is worth mentioning that Unbound supports Response Policy Zones (RPZ): the work has finally been merged and is released in version 1.10.0.
According to their response on when they would like to release it, that should be within February 2020.
The following setup guidance is based on unbound.conf(5).
```
# Response Policy Zones
# RPZ policies. Applied in order of configuration. QNAME and Response IP
# Address trigger are the only supported triggers. Supported actions are:
# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
# file, using zone transfer, or using HTTP. The respip module needs to be added
# to the module-config, e.g.: module-config: "respip validator iterator".
#
# Clauses are evaluated in order and the first matching trigger wins, so the
# whitelist (PASSTHRU) zone has to come before the blocking zones or it never
# gets a chance to allow anything.
rpz:
    name: whitelist.mypdns.cloud
    master: axfr.ipv4.mypdns.cloud@5353
    master: axfr.mypdns.cloud
    zonefile: /etc/unbound/zones/whitelist.mypdns.cloud.rpz.zone
    rpz-log: yes
rpz:
    name: "rpz.mypdns.cloud"
    master: axfr.ipv4.mypdns.cloud@5353 # IPv4
    master: axfr.mypdns.cloud # IPv6
    zonefile: /etc/unbound/zones/rpz.mypdns.cloud.rpz.zone
    url: https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/bind-9/raw/master/rpz_zones/rpz.mypdns.cloud.rpz
    rpz-action-override: NXDOMAIN # Optional
rpz:
    name: typosquatting.mypdns.cloud
    master: axfr.ipv4.mypdns.cloud@5353
    zonefile: typosquatting.mypdns.cloud.rpz.zone
    rpz-log: yes
rpz:
    name: drop.rpz.mypdns.cloud
    url: https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/bind-9/-/raw/master/rpz_zones/drop.rpz.mypdns.cloud.rpz
    zonefile: /etc/unbound/zones/drop.rpz.mypdns.cloud.rpz.zone
    rpz-log: yes
```
Now save this in your Unbound config directory as rpz.mypdns.cloud.conf, pull it in from unbound.conf with an include: line, and make sure the server: section's module-config lists respip (e.g. module-config: "respip validator iterator"). Set tls-cert-bundle as well: the https zone downloads are only authenticated when a bundle is configured. Run unbound-checkconf before reloading; with rpz-log: yes every applied policy shows up in the log, so a test lookup for a listed name confirms the zones are live.
That should be about it :)
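As an added check (example code written for this page, not part of Unbound or of the mypdns.cloud project), the Python below parses an RPZ configuration fragment like the one above and flags the mistakes that bite in practice: respip missing from module-config, a clause without a name, a single-valued option such as zonefile given twice, an unknown rpz-action-override, an https url with no tls-cert-bundle in the server: section (the man page says the bundle and the url hostname authenticate the download, so without it anyone on the path can feed you a policy zone), and an allow-list zone placed after blocking zones, which never gets to PASSTHRU because clauses are applied in order and the first match wins. The two configs inside are abridged from the page's fragment and are constructed test input; the tls-cert-bundle path and the passthru_zones argument (the zones you know carry PASSTHRU rules) are assumptions.

```python
"""Lint an Unbound RPZ configuration fragment.

Added example for this page, not Unbound's own code or the mypdns.cloud
project's.  It understands only the 'key: value' lines it needs: a 'server:'
header, 'rpz:' clause headers, and the options inside them.
"""
import re

# Options the unbound.conf(5) text on this page documents as taking one value.
SINGLE_VALUED = {"name", "zonefile", "rpz-action-override", "rpz-cname-override",
                 "rpz-log", "rpz-log-name", "tags"}
OVERRIDES = {"nxdomain", "nodata", "passthru", "drop", "disabled", "cname"}
OPTION = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def parse(text):
    """Return (server_options, rpz_clauses); both map option -> [values]."""
    server, clauses, current = {}, [], None
    for raw in text.splitlines():
        m = OPTION.match(raw.split("#", 1)[0])          # drop trailing comments
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key == "rpz" and not value:
            current = {}
            clauses.append(current)
        elif key == "server" and not value:
            current = None
        else:
            (server if current is None else current).setdefault(key, []).append(value)
    return server, clauses


def lint(text, passthru_zones=()):
    """Return a list of findings.  passthru_zones names the clauses the
    operator knows contain PASSTHRU (allow-list) policies."""
    server, clauses = parse(text)
    findings = []
    modules = " ".join(server.get("module-config", [])).split()
    if "respip" not in modules:
        findings.append("module-config does not list respip, which RPZ requires")
    blocking_seen = False
    for n, c in enumerate(clauses, 1):
        name = c.get("name", [f"rpz clause #{n}"])[0]
        if "name" not in c:
            findings.append(f"{name} has no name:")
        for key, values in c.items():
            if key in SINGLE_VALUED and len(values) > 1:
                findings.append(f"{name}: {key} given {len(values)} times but takes one value")
        override = c.get("rpz-action-override", [""])[-1].lower()
        if override and override not in OVERRIDES:
            findings.append(f"{name}: unknown rpz-action-override '{override}'")
        if any(u.startswith("https://") for u in c.get("url", [])) and not server.get("tls-cert-bundle"):
            findings.append(f"{name}: https url but no tls-cert-bundle, download is unauthenticated")
        # Clauses apply in order and the first matching trigger wins, so an
        # allow-list that comes after a blocking zone never gets to PASSTHRU.
        is_allow = name in passthru_zones or override == "passthru"
        if is_allow and blocking_seen:
            findings.append(f"{name}: PASSTHRU zone listed after blocking zones, move it first")
        if not is_allow and override != "disabled":
            blocking_seen = True
    return findings


# Abridged from the page's fragment (no server: section, whitelist last,
# zonefile set twice) -- constructed test input.
PAGE_CONFIG = """
rpz:
    name: "rpz.mypdns.cloud"
    zonefile: "rpz.mypdns.cloud"
    master: axfr.ipv4.mypdns.cloud@5353 # IPv4
    zonefile: /etc/unbound/zones/rpz.mypdns.cloud.rpz.zone
    url: https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/bind-9/raw/master/rpz_zones/rpz.mypdns.cloud.rpz
    rpz-action-override: NXDOMAIN # Optional
rpz:
    name: whitelist.mypdns.cloud
    master: axfr.ipv4.mypdns.cloud@5353
    zonefile: /etc/unbound/zones/whitelist.mypdns.cloud.rpz.zone
    rpz-log: yes
"""

# The same setup with the findings fixed.  The tls-cert-bundle path is an
# assumption (Debian's location); use your distribution's bundle.
FIXED_CONFIG = """
server:
    module-config: "respip validator iterator"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
rpz:
    name: whitelist.mypdns.cloud
    master: axfr.ipv4.mypdns.cloud@5353
    zonefile: /etc/unbound/zones/whitelist.mypdns.cloud.rpz.zone
    rpz-log: yes
rpz:
    name: rpz.mypdns.cloud
    master: axfr.ipv4.mypdns.cloud@5353
    zonefile: /etc/unbound/zones/rpz.mypdns.cloud.rpz.zone
    url: https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/bind-9/raw/master/rpz_zones/rpz.mypdns.cloud.rpz
    rpz-action-override: NXDOMAIN
"""

if __name__ == "__main__":
    for f in lint(PAGE_CONFIG, passthru_zones={"whitelist.mypdns.cloud"}):
        print("WARN", f)
```

Run it against your real fragment (read the file and pass its text to lint) before unbound-checkconf; the linter only covers the options documented on this page, so an empty result means "none of these mistakes", not "valid config".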
Response Policy Zone Options
Response Policy Zones are configured with rpz:, and each one must have a name:. There can be multiple ones, by listing multiple rpz clauses, each with a different name. RPZ clauses are applied in order of configuration. The respip module needs to be added to the module-config, e.g.: module-config: "respip validator iterator".
Only the QNAME and Response IP Address triggers are supported. The supported RPZ actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. RPZ QNAME triggers are applied after local-zones and before authzones.
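The triggers and actions above are encoded in the policy zone's own records: a QNAME trigger is the owner name under the zone, a Response IP trigger is the prefix length plus the reversed address under rpz-ip, and the action is a CNAME to a reserved target (. for NXDOMAIN, *. for NODATA, rpz-passthru. and rpz-drop.), with any other RRset being Local Data that is handed to the client instead of the real answer. The Python below is an added example written for this page, not Unbound's code and not the mypdns.cloud zone data: it encodes policies into those records and decodes them back, including the IPv6 'zz' shorthand for '::', and rejects prefixes with host bits set. The zone name is the page's rpz.mypdns.cloud; every policy entry is constructed test data.

```python
"""Encode/decode RPZ policy records for an Unbound policy zone.

Added example for this page; not Unbound code and not the mypdns.cloud zone
data.  RPZ_ZONE is the zone name from the page's config; all policy entries
used below are constructed test data.
"""
import ipaddress

RPZ_ZONE = "rpz.mypdns.cloud."

# RPZ encodes an action as a CNAME to a reserved target; any other RRset is
# "Local Data" that is returned to the client instead of the real answer.
ACTION_TARGET = {
    "NXDOMAIN": ".",
    "NODATA": "*.",
    "PASSTHRU": "rpz-passthru.",
    "DROP": "rpz-drop.",
}
TARGET_ACTION = {v: k for k, v in ACTION_TARGET.items()}


def ip_trigger(cidr):
    """Response IP trigger owner name (without the zone) for a CIDR.

    IPv4: <prefixlen>.<octets reversed>.rpz-ip       192.0.2.0/24  -> 24.0.2.0.192.rpz-ip
    IPv6: <prefixlen>.<hex groups reversed>.rpz-ip   2001:db8::/32 -> 32.zz.db8.2001.rpz-ip
          where the '::' run of zero groups is written as 'zz'
    strict=True rejects host bits outside the prefix (192.0.2.1/24 is an error).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    addr = str(net.network_address)
    if net.version == 4:
        labels = addr.split(".")
    else:
        left, sep, right = addr.partition("::")
        labels = [g for g in left.split(":") if g]
        if sep:
            labels += ["zz"] + [g for g in right.split(":") if g]
    return f"{net.prefixlen}." + ".".join(reversed(labels)) + ".rpz-ip"


def parse_ip_trigger(owner):
    """Inverse of ip_trigger(); returns the CIDR as a string."""
    labels = owner.split(".")
    if labels[-1] != "rpz-ip":
        raise ValueError(f"{owner} is not a Response IP trigger")
    prefixlen = int(labels[0])
    addr = list(reversed(labels[1:-1]))          # back into address order
    if "zz" in addr:
        i = addr.index("zz")
        text = ":".join(addr[:i]) + "::" + ":".join(addr[i + 1:])
    elif len(addr) == 4:
        text = ".".join(addr)
    else:
        text = ":".join(addr)
    return str(ipaddress.ip_network(f"{text}/{prefixlen}", strict=True))


def encode(trigger, action, rdata=None, zone=RPZ_ZONE):
    """One RPZ record as a zone-file line.

    trigger: a domain name (QNAME trigger, may start with '*.') or a CIDR
             containing '/' (Response IP trigger).
    action:  NXDOMAIN, NODATA, PASSTHRU, DROP, or LOCALDATA with rdata=(type, value).
    """
    owner = ip_trigger(trigger) if "/" in trigger else trigger.rstrip(".")
    if action == "LOCALDATA":
        rtype, value = rdata
    else:
        rtype, value = "CNAME", ACTION_TARGET[action]
    return f"{owner}.{zone} {rtype} {value}"


def decode(line, zone=RPZ_ZONE):
    """Parse a record produced by encode() into (trigger, action, rdata)."""
    owner, rtype, value = line.split(None, 2)
    if not owner.endswith("." + zone):
        raise ValueError(f"{owner} is outside policy zone {zone}")
    rel = owner[: -len(zone) - 1]
    trigger = parse_ip_trigger(rel) if rel.endswith(".rpz-ip") else rel
    if rtype == "CNAME" and value in TARGET_ACTION:
        return trigger, TARGET_ACTION[value], None
    return trigger, "LOCALDATA", (rtype, value)


def policy_zone(entries, zone=RPZ_ZONE, serial=2020022001):
    """A loadable zone: SOA and NS at the apex, then the policy records."""
    lines = [
        "$TTL 300",
        f"{zone} SOA localhost. hostmaster.{zone} {serial} 3600 900 604800 300",
        f"{zone} NS localhost.",
    ]
    lines += [encode(*e, zone=zone) for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_zone([
        ("evil.example", "NXDOMAIN"),            # constructed test data
        ("*.ads.example", "NODATA"),
        ("192.0.2.0/24", "DROP"),
        ("2001:db8::/32", "PASSTHRU"),
        ("tracker.example", "LOCALDATA", ("A", "127.0.0.1")),
    ]), end="")
```

Two points worth noticing when you write your own zone: the serial in the SOA is what masters and url downloads compare to decide whether to re-fetch, so bump it on every change; and a PASSTHRU record only helps if the zone containing it is consulted before the zone that would block the name.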
- name: <zone name>
  - Name of the authority zone.
- master: <IP address or host name>
  - Where to download a copy of the zone from, with AXFR and IXFR.
  - Multiple masters can be specified. They are all tried if one fails.
- url: <url to zonefile>
  - Where to download a zonefile for the zone. With http or https.
  - An example for the url is https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/bind-9/-/raw/master/rpz_zones/drop.rpz.mypdns.cloud.rpz. Multiple url statements can be given; they are tried in turn. If only urls are given, the SOA refresh timer is used to wait before making new downloads. If masters are also listed, the masters are first probed with UDP SOA queries to see if the SOA serial number has changed, reducing the number of downloads. If none of the urls work, the masters are tried with IXFR and AXFR. For https, the tls-cert-bundle and the hostname from the url are used to authenticate the connection.
- allow-notify: <IP address or host name or netblockIP/prefix>
  - With allow-notify you can specify additional sources of notifies. When notified, the server attempts to first probe and then zone transfer. If the notify is from a master, it first attempts that master. Otherwise other masters are attempted. If there are no masters, but only urls, the file is downloaded when notified. The masters from master: statements are allowed to notify by default.
- zonefile: <filename>
  - The filename where the zone is stored. If not given, then no zonefile is used. If the file does not exist or is empty, unbound will attempt to fetch zone data (e.g. from the master servers).
- rpz-action-override: <action>
  - Always use this RPZ action for matching triggers from this zone.
  - Possible actions are: nxdomain, nodata, passthru, drop, disabled and cname.
- rpz-cname-override: <domain>
  - The CNAME target domain to use if the cname action is configured for rpz-action-override.
- rpz-log: <yes or no>
  - Log all applied RPZ actions for this RPZ zone. Default is no.
- rpz-log-name: <name>
  - Specify a string to be part of the log line, for easy referencing.
- tags: <list of tags>
  - Limit the policies from this RPZ clause to clients with a matching tag. Tags need to be defined in define-tag and can be assigned to client addresses using access-control-tag. Enclose the list of tags in quotes "" and put spaces between tags. If no tags are specified, the policies from this clause will be applied for all clients.