Unbound Impressive Unbound native RPZ files collection for adblocking and more

[Deleted member 62525]

I though I will post it and share. Energized Protection has an impressive collection of many format files (including native Unbound RPZ files) used to manage blocking malware, ad blockers and more. Check it out. They use many sources and create combined listing in many categories.

Link -> https://github.com/EnergizedProtection/block#sources

 

[Ubimo]

How can we use them?
In Diversion? Or Skynet?

 

[Deleted member 62525]

How can we use them?
In Diversion? Or Skynet?

RPZ (Response Policy Zone) files are used by Unbound or Bind DNS to manage access w/policies to specific domains.

 

[Deleted member 62525]

More for advanced users that use Unbound and want to use RPZ files this is a good source. In my current config as I have the following unbound.conf.rpz

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.trend.micro.local.zone
    zonefile: /opt/var/lib/zones/rpz.trend.micro.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.stevenblack.zone
    #url: https://scripttiger.github.io/alts/rpz/blacklist.txt
    zonefile: /opt/var/lib/zones/rpz.stevenblack.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.urlhause.abuse.ch.zone
    #https://urlhaus.abuse.ch/downloads/rpz/
    zonefile: /opt/var/lib/zones/rpz.urlhause.zone
    rpz-action-override: nxdomain

I use a simple utility to convert any host file eg: StevenBlack to RZP format. The advantage of this RPZ approach is that when refreshing individual zones unbound does not need to be restarted and as you can see from the example above each zone can have different override specified. It is more flexible solution to manage multiple separate zones. Whitelist zone can be added with your own file with the override set to pass-through and each zone can be enabled/disabled with a command line as per Unbound API.

From this example I have my own zone called rpz.block.host.local.zone where I manually list domains that I want to block. The last 2 zones I reload every 15 minutes from cru.

 

[juched]

Nice, thanks for sharing. This has really grown for rpz support as when I researched last year there was very little. This is a better way to block ads as well then the built in script, but only just slightly, as the current adblocking scripts do unload and reload rules without restarting unbound.

 

[Deleted member 62525]

Nice, thanks for sharing. This has really grown for rpz support as when I researched last year there was very little. This is a better way to block ads as well then the built in script, but only just slightly, as the current adblocking scripts do unload and reload rules without restarting unbound.

Major advantage is that it is a "standard" way to manage domain access and policies. There are still not many providers of native RPZ files, however that said it is very simple to convert and host files with 0.0.0.0 to a standard RPZ format. This is what I have done. I like the fact that I am able to have multiple files and not a combined list - this way I can specify how unbound responds to each list by including override directive and if I need to disable specific zone.

Also, many sites include "last-modified" field in the http header and using that one can determine if the file needs to be downloaded. This is specially good for a very large files.

 

[amplatfus]

More for advanced users that use Unbound and want to use RPZ files this is a good source. In my current config as I have the following unbound.conf.rpz

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.trend.micro.local.zone
    zonefile: /opt/var/lib/zones/rpz.trend.micro.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.stevenblack.zone
    #url: https://scripttiger.github.io/alts/rpz/blacklist.txt
    zonefile: /opt/var/lib/zones/rpz.stevenblack.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.urlhause.abuse.ch.zone
    #https://urlhaus.abuse.ch/downloads/rpz/
    zonefile: /opt/var/lib/zones/rpz.urlhause.zone
    rpz-action-override: nxdomain

I use a simple utility to convert any host file eg: StevenBlack to RZP format. The advantage of this RPZ approach is that when refreshing individual zones unbound does not need to be restarted and as you can see from the example above each zone can have different override specified. It is more flexible solution to manage multiple separate zones. Whitelist zone can be added with your own file with the override set to pass-through and each zone can be enabled/disabled with a command line as per Unbound API.

From this example I have my own zone called rpz.block.host.local.zone where I manually list domains that I want to block. The last 2 zones I reload every 15 minutes from cru.

Hi,

Thank you for this thread. I have tried to build a local white list. But I am not able to use those sites because the domains loaded with this own list it seems that are still treated as NXDOMAINS..

The file is loading, is active, I have no error.

This is how we tested:

#unbound.conf.firewall
rpz:#RPZ                                                            
name: rpz.permit.zone
zonefile: /opt/var/lib/unbound/rpz.permit.zone             
rpz-log: yes
rpz-log-name: "rpz.permit.zone"
rpz-action-override: passthru

#sample rpz.permit.zone
scdn.cxense.com CNAME rpz-passthru.
entitlements.jwplayer.com CNAME rpz-passthru.

I checked if is loaded:

unbound-control list_auth_zones
.    serial 2021032700
rpz.urlhaus.abuse.ch.    serial 2104202121
rpz.blu.energized.pro.    serial 1
rpz.permit.zone.    no serial

But the mentioned domains are still in NXDOMAIN list because of another list.
Please, what should I try? There is a specify order when loading RPZ files?

Much appreciated,
amplatfus

 

[Deleted member 62525]

Hi,

Thank you for this thread. I have tried to build a local white list. But I am not able to use those sites because the domains loaded with this own list it seems that are still treated as NXDOMAINS..

The file is loading, is active, I have no error.

This is how we tested:

#unbound.conf.firewall
rpz:#RPZ                                                           
name: rpz.permit.zone
zonefile: /opt/var/lib/unbound/rpz.permit.zone            
rpz-log: yes
rpz-log-name: "rpz.permit.zone"
rpz-action-override: passthru

#sample rpz.permit.zone
scdn.cxense.com CNAME rpz-passthru.
entitlements.jwplayer.com CNAME rpz-passthru.

I checked if is loaded:

unbound-control list_auth_zones
.    serial 2021032700
rpz.urlhaus.abuse.ch.    serial 2104202121
rpz.blu.energized.pro.    serial 1
rpz.permit.zone.    no serial

But the mentioned domains are still in NXDOMAIN list because of another list.
Please, what should I try? There is a specify order when loading RPZ files?

Much appreciated,
amplatfus

 

[Deleted member 62525]

As I understand the standard first entry takes precedence. I would try putting your white list at the top in the config file.
Read this for help. https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.3.3
Hope you can resolve it after.

 

[Deleted member 62525]

It works for me without issue;

My config example

rpz:
    name: rpz.whitelist.local.zone
    zonefile: /opt/var/lib/zones/rpz.whitelist.zone

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

I first blocked asus.com in rpz.block.host.local.zone eg:

$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ manual block hosts
asus.com CNAME .

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7381
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

Then, whitelist zone file

$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ created from url -> https://orca.pet/notonmyshift/hosts.txt
;
asus.com CNAME  rpz-passthru.

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12009
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

;; ANSWER SECTION:
asus.com. 14400 IN A 103.10.4.216

 

[trinv]

More for advanced users that use Unbound and want to use RPZ files this is a good source. In my current config as I have the following unbound.conf.rpz

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.trend.micro.local.zone
    zonefile: /opt/var/lib/zones/rpz.trend.micro.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.stevenblack.zone
    #url: https://scripttiger.github.io/alts/rpz/blacklist.txt
    zonefile: /opt/var/lib/zones/rpz.stevenblack.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.urlhause.abuse.ch.zone
    #https://urlhaus.abuse.ch/downloads/rpz/
    zonefile: /opt/var/lib/zones/rpz.urlhause.zone
    rpz-action-override: nxdomain

I use a simple utility to convert any host file eg: StevenBlack to RZP format. The advantage of this RPZ approach is that when refreshing individual zones unbound does not need to be restarted and as you can see from the example above each zone can have different override specified. It is more flexible solution to manage multiple separate zones. Whitelist zone can be added with your own file with the override set to pass-through and each zone can be enabled/disabled with a command line as per Unbound API.

From this example I have my own zone called rpz.block.host.local.zone where I manually list domains that I want to block. The last 2 zones I reload every 15 minutes from cru.

Hi,
I got a problem when i config rpz in unbound.
/etc/unbound/unbound.conf:36: error: unknown keyword 'rpz'
/etc/unbound/unbound.conf:36: error: stray ':'
/etc/unbound/unbound.conf:37: error: syntax error

Plz help me
Thanks

 

[_me_myself_and_i_]

I though I will post it and share. Energized Protection has an impressive collection of many format files (including native Unbound RPZ files) used to manage blocking malware, ad blockers and more. Check it out. They use many sources and create combined listing in many categories.

Link -> https://github.com/EnergizedProtection/block#sources

Thank you for this!

Appending https://block.energized.pro/porn/formats/hosts to /opt/share/unbound/configs/blocksites does a wonderful job at blocking pr0n.

Now if there was an easy way to block all of Reddit’s NSFW subs…