Unbound Impressive Unbound native RPZ files collection for adblocking and more


Markster

Senior Member
This is more for advanced users who use Unbound and want to use RPZ files; this is a good source. In my current config I have the following unbound.conf.rpz:

Code:
rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.trend.micro.local.zone
    zonefile: /opt/var/lib/zones/rpz.trend.micro.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.stevenblack.zone
    #url: https://scripttiger.github.io/alts/rpz/blacklist.txt
    zonefile: /opt/var/lib/zones/rpz.stevenblack.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.urlhause.abuse.ch.zone
    #https://urlhaus.abuse.ch/downloads/rpz/
    zonefile: /opt/var/lib/zones/rpz.urlhause.zone
    rpz-action-override: nxdomain

I use a simple utility to convert any hosts file, e.g. StevenBlack, to RPZ format. The advantage of this RPZ approach is that when refreshing individual zones Unbound does not need to be restarted, and as you can see from the example above each zone can have a different override specified. It is a more flexible solution for managing multiple separate zones. A whitelist zone can be added with your own file with the override set to pass-through, and each zone can be enabled/disabled from the command line as per the Unbound API.

In this example I have my own zone called rpz.block.host.local.zone where I manually list domains that I want to block. The last 2 zones I reload every 15 minutes from cron.
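As an added example (not the thread's own utility, which the poster does not show), a POSIX shell/awk converter of the kind described above: it turns a hosts file with 0.0.0.0 or 127.0.0.1 entries into an RPZ zone file with the same SOA/NS header used by the zone files later in this thread, emitting `CNAME .` for a block zone or `CNAME rpz-passthru.` for a whitelist zone. The function name, the sample hosts entries and the example.com names are constructed.

```shell
#!/bin/sh
# hosts_to_rpz SRC ACTION DST: convert a hosts-style list (0.0.0.0 / 127.0.0.1
# entries) into an Unbound RPZ zone file. Constructed helper for this thread,
# not the poster's utility. ACTION is "block" (CNAME . -> NXDOMAIN) or
# "passthru" (CNAME rpz-passthru. -> whitelist). Loopback names are dropped
# and each hostname is emitted once, so the zone loads cleanly.
hosts_to_rpz() {
    src="$1"; action="$2"; dst="$3"
    case "$action" in
        block)    target='.' ;;
        passthru) target='rpz-passthru.' ;;
        *) echo "hosts_to_rpz: unknown action '$action'" >&2; return 1 ;;
    esac
    {
        printf '$TTL 2h\n'
        # date-based serial so every regeneration bumps the SOA serial
        printf '@ IN SOA localhost. root.localhost. (%s 6h 1h 1w 2h)\n' "$(date +%Y%m%d%H)"
        printf '  IN NS  localhost.\n'
        printf '; RPZ generated from %s\n' "$src"
        awk -v target="$target" '
            { sub(/#.*/, "") }                            # strip comments, re-split fields
            NF < 2 { next }                               # need "address name [name ...]"
            $1 != "0.0.0.0" && $1 != "127.0.0.1" { next } # only blackhole entries
            {
                for (i = 2; i <= NF; i++) {
                    h = tolower($i)
                    # skip loopback aliases and anything that is not a plain hostname
                    if (h ~ /^(localhost(\.localdomain)?|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$/) continue
                    if (h ~ /[^a-z0-9._-]/ || h ~ /^[.-]/) continue
                    if (!seen[h]++) printf "%s CNAME %s\n", h, target
                }
            }' "$src"
    } > "$dst"
}

# Constructed sample hosts list (not a real feed) converted into a block zone
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 tracker.example.net cdn.tracker.example.net
0.0.0.0 ads.example.com
192.168.1.10 nas.lan
EOF
hosts_to_rpz "$SAMPLE_HOSTS" block "$SAMPLE_HOSTS.rpz"
cat "$SAMPLE_HOSTS.rpz"
```

After writing the result to the zonefile path named in the matching rpz: clause, `unbound-control auth_zone_reload <zone name>` picks it up without restarting Unbound.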
 

juched

Senior Member
Nice, thanks for sharing. This has really grown for RPZ support, as when I researched last year there was very little. This is a better way to block ads as well than the built-in script, but only just slightly, as the current adblocking scripts do unload and reload rules without restarting Unbound.
 

Markster

Senior Member
The major advantage is that it is a "standard" way to manage domain access and policies. There are still not many providers of native RPZ files; that said, it is very simple to convert hosts files with 0.0.0.0 to a standard RPZ format. This is what I have done. I like the fact that I am able to have multiple files and not a combined list; this way I can specify how Unbound responds to each list by including an override directive, and I can disable a specific zone if I need to.

Also, many sites include a "Last-Modified" field in the HTTP header, and using that one can determine if the file needs to be downloaded. This is especially good for very large files.
 

amplatfus

Senior Member
Hi,

Thank you for this thread. I have tried to build a local whitelist, but I am not able to use those sites because the domains loaded with my own list, it seems, are still treated as NXDOMAIN.

The file is loading, it is active, and I have no errors.

This is how we tested:
Code:
#unbound.conf.firewall
rpz: #RPZ
    name: rpz.permit.zone
    zonefile: /opt/var/lib/unbound/rpz.permit.zone
    rpz-log: yes
    rpz-log-name: "rpz.permit.zone"
    rpz-action-override: passthru
Code:
#sample rpz.permit.zone
scdn.cxense.com CNAME rpz-passthru.
entitlements.jwplayer.com CNAME rpz-passthru.

I checked if it is loaded:
Code:
unbound-control list_auth_zones
.    serial 2021032700
rpz.urlhaus.abuse.ch.    serial 2104202121
rpz.blu.energized.pro.    serial 1
rpz.permit.zone.    no serial

But the mentioned domains are still on the NXDOMAIN list because of another list.
Please, what should I try? Is there a specific order when loading RPZ files?

Much appreciated,
amplatfus
 

Markster

Senior Member
 

Markster

Senior Member
It works for me without issue.

My config example
Code:
rpz:
    name: rpz.whitelist.local.zone
    zonefile: /opt/var/lib/zones/rpz.whitelist.zone

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

I first blocked asus.com in rpz.block.host.local.zone, e.g.:
Code:
$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ manual block hosts
asus.com CNAME .

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7381
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

Then, the whitelist zone file:
Code:
$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ created from url -> https://orca.pet/notonmyshift/hosts.txt
;
asus.com CNAME  rpz-passthru.

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12009
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

;; ANSWER SECTION:
asus.com. 14400 IN A 103.10.4.216
 
