I created a test version of a RPZ add-on and I am looking for feedback

Good morning,

A big thanks to everyone for the warm words and their good will to find a solution - I very much appreciate this, and maybe this was Bernhard's intention when reopening the thread.

I’m also very happy (as suggested by most of you) to move the development discussion back to the mailing list. I’ll send a corresponding mail to start it this evening.

I kindly invite you @jon to join this upcoming discussion, because you are most familiar with DNS and especially with the RPZ feature. So your expertise on its pros and cons will help us to understand why you have decided to base your work on it and to find the correct “filter” location and mechanism.

I would not be too afraid or worried about Michael and a possible “naughty list” - IMHO it takes much more than a few strong words in a forum to get on such a list, whether it exists or not. As far as I know, he is not a person who blocks a good and fact-based discussion - so I see no bigger problems with blaming you or the “how” and “who” questions in the future.

In this point I have to disagree with you - such an important and widely used feature should be part of the core distribution.

Thanks once again to everyone, let’s keep the good spirit and hopefully we’ll see each other again on the mailing list.

-Stefan

7 Likes

@stevee if that’s the case I’d be even more excited

3 Likes

Good evening,

as promised and requested I’ve started the brainstorming process on our development mailing list:

Please feel free to join this process to find the best possible solution.

In order to post to the mailing list you have to request a subscription - detailed information can be obtained on our wiki:

Best regards,

-Stefan

5 Likes

If I may pick your brain, I would love to hear your thoughts or insights on these.

I have tried blocking QUIC with 2 firewall rules but that’s it :( :confounded_face:

Thank you!

1 Like

:exploding_head: :dodo:
please do not :cat_with_wry_smile:

search the web or this place here:
https://community.ipfire.org/t/question-about-dns-over-https/15273/16

however: it is mankind at its best ...
:man_facepalming:
invent DoH for a better whatever
invent something to kill/block/render DoH for a better whatever
:circus_tent:
:popcorn:

1 Like

Does RPZ block queries from the SSH console?

I am pinging a domain listed in RPZ zonefile and I am getting a response :face_with_diagonal_mouth:

Perhaps my zonefiles are not updating?

# ping myvcart.com
PING myvcart.com (3.33.130.190) 56(84) bytes of data.
64 bytes from a2aa9ff50de748dbe.awsglobalaccelerator.com (3.33.130.190): icmp_seq=1 ttl=243 time=16.0 ms
64 bytes from a2aa9ff50de748dbe.awsglobalaccelerator.com (3.33.130.190): icmp_seq=2 ttl=243 time=14.6 ms
64 bytes from a2aa9ff50de748dbe.awsglobalaccelerator.com (3.33.130.190): icmp_seq=3 ttl=243 time=19.4 ms
64 bytes from a2aa9ff50de748dbe.awsglobalaccelerator.com (3.33.130.190): icmp_seq=4 ttl=243 time=18.1 ms
64 bytes from a2aa9ff50de748dbe.awsglobalaccelerator.com (3.33.130.190): icmp_seq=5 ttl=243 time=15.6 ms

The domain above is listed in the zonefile called ‘urlhaus’.

The zonefile is supposed to update every 300 seconds.

My RPZ addon config

It’s probably the ‘www’ in front, but I am still confused.

When I do a ping from a Windows PC just using the command prompt, without ‘www’, it is blocked:

nslookup myvcart.com
Server:  ipfire.local
Address:  192.168.1.1

Name:    myvcart.com
Addresses:  ::
          127.0.0.1
ping myvcart.com
Ping request could not find host myvcart.com. Please check the name and try again.

Both the domain and the subdomain (with www. and without www.) are hosted on the same (AWS) server.

As a quick solution, in the Custom blocklist add:
myvcart.com

or if you want to block every subdomain at myvcart, then in the Custom blocklist add:
*.myvcart.com

Let me do some testing so I can better answer.

1 Like

yes.

Example: I blocked blogspot.com just for testing

[root@ipfire ~]# nslookup blogspot.com
;; Got recursion not available from 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

** server can't find blogspot.com: NXDOMAIN

[root@ipfire ~]# ping blogspot.com
ping: blogspot.com: Name or service not known

The urlhaus list is only blocking www.myvcart.com, so anything else like 123456.myvcart.com will be passed on to the internet.

So this is the right answer to block other subdomains:

This will block something like 123456.myvcart.com

When I added urlhaus as a RPZ list, then I see this:

[root@ipfire ~]# nslookup www.myvcart.com
;; Got recursion not available from 127.0.0.1
Server:  127.0.0.1
Address: 127.0.0.1#53

** server can't find www.myvcart.com: NXDOMAIN

[root@ipfire ~]#

NXDOMAIN means RPZ blocked www.myvcart.com

4 Likes
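The matching behaviour Jon describes above (an entry for www.myvcart.com covers neither the apex myvcart.com nor 123456.myvcart.com, while `*.myvcart.com` covers every subdomain but not the apex) is a property of RPZ QNAME triggers. The following is an added example, not code from the IPFire RPZ add-on or from Unbound: a small Python model of RPZ QNAME matching over a constructed zone fragment. The zone text, the `evil.example` entries and the `lookup`/`add_rule` helpers are all assumptions made for this illustration; the RPZ action encodings (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` for an allow) follow the RPZ convention, and the A/AAAA form models the custom blocklist in this thread, which answered 127.0.0.1 and ::.

```python
"""Toy model of RPZ QNAME-trigger matching.

Added example, not code from the IPFire RPZ add-on. It reproduces what the
thread shows: an entry for www.myvcart.com leaves myvcart.com and
123456.myvcart.com unblocked, while *.myvcart.com covers every subdomain
but not the apex, so both entries are needed to block the whole domain.
"""

# Constructed RPZ zone fragment (owner names relative to the RPZ zone origin).
# "CNAME ." is the RPZ action for NXDOMAIN, "CNAME *." for NODATA,
# "CNAME rpz-passthru." for an explicit allow; A/AAAA records hand back a
# fixed address, as the custom blocklist in the thread did (127.0.0.1 / ::).
ZONE_TEXT = """
; urlhaus-style entry: only the www label is listed
www.myvcart.com      CNAME .
; constructed custom-blocklist entries
evil.example         A     127.0.0.1
evil.example         AAAA  ::
*.evil.example       A     127.0.0.1
; allow-list override for one host under the wildcard
ok.evil.example      CNAME rpz-passthru.
"""


def parse_rpz(text):
    """Return {owner: [(rtype, rdata), ...]} for a zone fragment."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split()
        add_rule(rules, owner, rtype, rdata)
    return rules


def add_rule(rules, owner, rtype, rdata):
    """Append one record to the rule table, normalising the owner name."""
    rules.setdefault(owner.lower().rstrip("."), []).append((rtype.upper(), rdata))


def action_for(records):
    """Translate the records at a matched owner into an RPZ policy action."""
    for rtype, rdata in records:
        if rtype == "CNAME":
            special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}
            return special.get(rdata, "CNAME " + rdata)
    # local-data style entry: answer with the listed addresses
    return "LOCAL " + " ".join(rdata for _, rdata in records)


def lookup(rules, qname):
    """QNAME-trigger matching: an exact owner wins over a wildcard, and among
    wildcards the most specific (longest) one wins. Returns the policy action,
    or "RECURSE" when no rule matches and the query resolves normally."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return action_for(rules[name])
    labels = name.split(".")
    # *.example matches any name below example (at any depth), never example
    # itself; iterating from the longest suffix yields the most specific match.
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return action_for(rules[wildcard])
    return "RECURSE"


if __name__ == "__main__":
    rules = parse_rpz(ZONE_TEXT)
    for q in ("www.myvcart.com", "myvcart.com", "123456.myvcart.com"):
        print(f"{q:24} -> {lookup(rules, q)}")
    # the fix suggested in the thread: list the apex and a wildcard
    add_rule(rules, "myvcart.com", "CNAME", ".")
    add_rule(rules, "*.myvcart.com", "CNAME", ".")
    for q in ("myvcart.com", "123456.myvcart.com", "deep.sub.myvcart.com"):
        print(f"{q:24} -> {lookup(rules, q)}")
    print(f"{'ok.evil.example':24} -> {lookup(rules, 'ok.evil.example')}")
    print(f"{'other.evil.example':24} -> {lookup(rules, 'other.evil.example')}")
```

Run against a real resolver the equivalent check is the `nslookup` pair shown above: a name that hits an NXDOMAIN rule fails to resolve, while a name only covered "by association" (the apex when only www is listed) still gets a real answer, which is exactly what the ping output earlier in the thread showed.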

Jon,

Thank you for the detailed explanation.

1 Like

Have you discussed licensing and maintenance with hagezi yet?

I emailed Gerd (hagezi) to the e-mail under Contact at GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!, and got this response:

From: Gerd Z. hagezi@protonmail.com
Sent: Friday, December 5, 2025 08:08
To: raffe
Subject: Re: Inquiry regarding use of your DNS blocklists in IPFire

Hi Raffe,

thanks for reaching out about the RPZ add-on project for IPFire, it’s great to see community efforts like Jon’s gaining traction!

My DNS blocklists at GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean! are provided under the GNU General Public License v3.0 (GPLv3), which permits free use, modification, and distribution as long as the terms are followed, including sharing source code for derivative works.

The lists have existed for years, are publicly accessible via the GitHub repo and CDN mirrors, and I’ve been actively maintaining them with updates 1-6 times daily.

False positives are a priority: I monitor reports via GitHub issues, and fixes are typically pushed within hours or days depending on the list.

No prior discussions on licensing or maintenance have happened with me directly, but I’m happy to support integration.

Best,
Gerd

HaGeZi DNS-Blocklists
Sent from Proton Mail for iOS.
-------- Original Message --------
On Thursday, 12/04/25 at 20:32 raffe wrote:

Hi hagezi!
A member of the IPFire open-source firewall community (Jon) has created a test version of an RPZ add-on for the firewall. There’s a long discussion thread about it, and now that we’re starting to discuss how to proceed officially, the question of using your blocklists has come up:

https://github.com/hagezi/dns-blocklists

Some of the key considerations from the IPFire side are:

  • That the lists are freely accessible and free of licensing restrictions

  • That the project is long-term and actively maintained

  • That false positives are handled quickly

People are also asking whether anyone has already discussed licensing and maintenance with you:
https://community.ipfire.org/t/i-created-a-test-version-of-a-rpz-add-on-and-i-am-looking-for-feedback/11934/380

Would you be willing to share your position on licensing and maintenance?
You’re very welcome to reply directly in the IPFire DNS forum here:
https://community.ipfire.org/c/networking/dns/25
Or, if you prefer, you can reply to me and I’ll paste your answer into the thread for you :slightly_smiling_face:

Thanks a lot!

raffe

5 Likes