Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
RPZ policy for unbound - transform RPZ zone into local zone statements
#!/bin/bash
RPZ_ZONE="rpz.cesnet.cz"
RPZ_SERVER="nsa.cesnet.cz"
OUTPUT_FILE="unbound_$RPZ_ZONE.conf"
function resolve_target() {
local domain="$1"
shift
local target=$@
dig +noauthority +noadditional +noquestion $target | sed -rn 's_^.*(\s+IN\s+A(AAA)?\s+.*)$_'$domain'\1_p'
}
function get_local_data() {
while read domain target; do
if [[ "${target}" = "." ]]; then #just block - we do nothing
echo -e "$domain\tIN\tCNAME\t$target"
else #try to resolve the target
resolve_target "${domain}" "${target}" -t A
resolve_target "${domain}" "${target}" -t AAAA
fi
done
}
set -e
rawrpz=$(dig -t axfr "$RPZ_ZONE" @"$RPZ_SERVER")
rpz=$(sed -rn 's_^(.*)\.'"$RPZ_ZONE"'\.\s.*IN\s+CNAME\s+(.*)$_\1\t\2_p' <<<"$rawrpz")
local_data=$(get_local_data <<<"$rpz")
echo "server:" > "${OUTPUT_FILE}"
while read line; do
[[ -n "$line" ]] && \
echo -e "\tlocal-data: \"$line\"" >> "${OUTPUT_FILE}"
done <<< "${local_data}"
@vcunat
Copy link

vcunat commented May 6, 2020

For anyone arriving here, Unbound now supports RPZ directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment