Some notes on using the RPZ function

After getting the RPZ functionality of kresd working, and being unsatisfied with the results, I finally got around to doing some query logging by stopping kresd and starting it with -v added to the command line, redirecting the results to a file.

/usr/bin/kresd -v -c /tmp/kresd.config -f 1 /tmp/kresd -a 0.0.0.0 53 -a :: 53 -k /etc/root.keys > /mnt/sdb1/kresd.log

Now, the RPZ file has entries like the following:

000007.ru       CNAME   .

This results in queries like the following:

[plan] plan '000007.ru.' type 'A'
[resl] finished: 4, queries: 1, mempool: 16392 B
[plan] plan '000007.ru.' type 'AAAA'
[resl] finished: 4, queries: 1, mempool: 16392 B
[plan] plan '000007.ru.appalachian.home.' type 'A'
[resl]   => querying: '127.0.0.1' score: 11 zone cut: '.' m12n: '000007.ru.apPALacHiaN.homE.' type: 'A' proto: 'udp'
[plan] plan '000007.ru.appalachian.home.' type 'AAAA'
[resl]   => querying: '127.0.0.1' score: 11 zone cut: '.' m12n: '000007.Ru.APPALacHiAn.hOme.' type: 'AAAA' proto: 'udp'
[iter]   <= rcode: NXDOMAIN
[ pc ]   => answer cached for TTL=5
[resl]   <= server: '127.0.0.1' rtt: 0 ms
[resl] finished: 4, queries: 1, mempool: 16392 B
[iter]   <= rcode: NXDOMAIN
[ pc ]   => answer cached for TTL=5
[resl]   <= server: '127.0.0.1' rtt: 1 ms
[resl] finished: 4, queries: 1, mempool: 16392 B

You can see that the host gets rewritten as [host].[local lan name] and correctly returns NXDOMAIN. However, the browser “helpfully” asks for the www version:

[plan] plan 'www.000007.ru.' type 'A'
[resl]   => using root hints
[plan]   plan '.' type 'DNSKEY'
[ rc ]     => satisfied from cache
[iter]     <= rcode: NOERROR
[vldr]     <= parent: updating DNSKEY
[vldr]     <= answer valid, OK
[resl]   => querying: '2001:500:1::53' score: 10 zone cut: '.' m12n: 'RU.' type: 'NS' proto: 'udp'
[plan] plan 'www.000007.ru.' type 'AAAA'
[resl]   => using root hints
[plan]   plan '.' type 'DNSKEY'
[ rc ]     => satisfied from cache
[iter]     <= rcode: NOERROR
[vldr]     <= parent: updating DNSKEY
[vldr]     <= answer valid, OK
[resl]       => querying: '199.19.57.1' score: 10 zone cut: 'org.' m12n: 'ORG.' type: 'DNSKEY' proto: 'udp'

I think I may give up on the RPZ as it’s too difficult to work around all these sorts of things. Blacklisting DNS seemed to work much better when I was using just dnsmasq.

I’ve gone to running Pi-Hole in an lxc and rather than point my router there, I’m planning on setting that as the DNS server option for my DHCP clients.

The only way I could get the rpz file to work was after taking the modified yoyo file, copying the data and adding *. to each address. Then I added this to the end of the original file.

For example, with 000007.ru I would add *.000007.ru to the rpz, so each entry was doubled with a modified entry.

From your log I can see this fixed the second www request.

I was hoping I wouldn’t need to do that.

To accomplish this on one line, I changed the following line in the script found elsewhere on this topic:

} | sort -u | sed -e 's/$/\tCNAME\t./' >> $blacklistfile

to

} | sort -u | sed -e 's/$/\tCNAME\t./' | sed 'p; s/^/*./' >> $blacklistfile

I’ll run this for a while and see if I notice any difference.
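As an added example (not code from this thread or from the kresd project), the following POSIX shell functions do the same doubling in a slightly more robust way, and add a small checker that tells you whether a given query name would be caught by the generated zone. It assumes a hypothetical input list with one domain per line, optionally with # comments; the domain names in the test are constructed. The checker exists so you can confirm, before restarting the resolver, that www.<domain> is covered by the *.<domain> wildcard while an unrelated name that merely ends in the same characters is not.

```shell
# rpz_entries: read a plain domain list on stdin, write RPZ records on stdout.
# Each domain produces two lines:  name CNAME .   and   *.name CNAME .
# The wildcard line is what makes www.<name> (and any other subdomain)
# answer NXDOMAIN as well, as discussed in the thread.
# Input cleanup: drop '#' comments, surrounding whitespace, blank lines and a
# trailing dot; lowercase before 'sort -u' so Example.NET and example.net
# collapse into one entry (RPZ names are case-insensitive).
rpz_entries() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/\.$//' \
    | tr 'A-Z' 'a-z' \
    | sort -u \
    | awk '{ print $0 "\tCNAME\t."; print "*." $0 "\tCNAME\t." }'
}

# rpz_covers QNAME: read RPZ records on stdin, exit 0 if QNAME (no trailing
# dot, lowercase) matches an exact entry or a *.suffix wildcard entry,
# exit 1 otherwise. Only "CNAME ." (NXDOMAIN) records are considered.
# The wildcard test requires a literal "." boundary, so 10000007.ru does
# not match *.000007.ru.
rpz_covers() {
    awk -v q="$1" '
        $2 == "CNAME" && $3 == "." {
            name = $1
            if (name == q) { found = 1; exit }
            if (substr(name, 1, 2) == "*.") {
                suffix = substr(name, 3)
                if (length(q) > length(suffix) &&
                    substr(q, length(q) - length(suffix)) == "." suffix) {
                    found = 1; exit
                }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Usage (hypothetical paths):
#   rpz_entries < /tmp/domains.txt >> /tmp/blacklist.rpz
#   rpz_covers www.000007.ru < /tmp/blacklist.rpz && echo blocked
```

Running the generator once and feeding its output into rpz_covers for the exact name, the www name and a near-miss name is a quick way to verify the zone before pointing kresd at it.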

Well, I just found out the busybox version of sed in 3.6 doesn’t work right. I’ll have to update my version of the script.

IDK if this was a problem before since there were some other issues with my script. I’ll take a look at the one posted to see what needs to change.