I created a test version of a RPZ add-on and I am looking for feedback

None. This is why RPZ has a great advantage for me!

Thanks, I’ll look for that.
Until then I will use the ones already posted in this thread! hagezi lists look promising!

Cheers!


Out of curiosity, how many blocked IP addresses are in your sfeakes config file?

Is anyone using the allow.rpz zone file?

I am following the PDF manual referenced above
https://community.ipfire.org/uploads/short-url/jDcZmM8dYeWSlLfhzuKTXUQZNuq.pdf

If I want to allow a blocked domain in
“/etc/unbound/zonefiles/allow.rpz”,
once I add a domain that I want to whitelist to “allow.rpz”,
do I have to run rpzAllowBlock or am I missing something?

# rpz-AllowBlock
-bash: rpz-AllowBlock: command not found

I am!

Here is a wiki that replaces that PDF.

I rolled the allow and block script rpzAllowBlock into the rpz-config script.

So you can do either:

rpz-config make allow
#   or
rpz-config make block
#   or
rpz-config make allowblock

See: https://www.ipfire.org/docs/addons/rpz#custom-allow-list-or-block-list


@jon will this RPZ list get updated automatically, or do we need a cron job?

The unbound RPZ list isn’t updated automatically.
The lists in /var/ipfire/dns/rpz are maintained by the user/admin of the specific IPFire system. A change to one or both files must be registered with unbound (the DNS server) by

rpz-config make allow
#   or
rpz-config make block
#   or
rpz-config make allowblock

The allow list and the block list are both custom lists and do not need updating unless you make a change (as Bernhard stated).

All of the other lists (like the popup ads or the multi light list you use) are updated by the unbound RPZ program.

No cron job is needed for any of the RPZ lists.


Something is getting in the way and my allow list isn’t whitelisting properly. I only have one entry:

 s3-ap-southeast-1-amazonaws.com

The reason for whitelisting is that the domain above is also in Gerd’s light blocklist.

I’m getting an NXDOMAIN response, and even NXRA

so Jon’s RPZ is working flawlessly.

rpz-config make allow
unbound: info: rpz: check for errors with "unbound-checkconf"
[1723149078] unbound-checkconf[13532:0] error: parse error /etc/unbound/zonefiles/allow.rpz 1:25: Syntax error, could not parse the RR's TTL
[1723149078] unbound-checkconf[13532:0] error: error parsing zonefile /etc/unbound/zonefiles/allow.rpz for allow.rpz.
[1723149078] unbound-checkconf[13532:0] fatal error: Could not setup authority zones
unbound: error: rpz: unbound-checkconf. exit.
 rpz-config make allowblock
unbound: info: rpz: check for errors with "unbound-checkconf"
[1723149211] unbound-checkconf[13858:0] error: parse error /etc/unbound/zonefiles/allow.rpz 1:25: Syntax error, could not parse the RR's TTL
[1723149211] unbound-checkconf[13858:0] error: error parsing zonefile /etc/unbound/zonefiles/allow.rpz for allow.rpz.
[1723149211] unbound-checkconf[13858:0] fatal error: Could not setup authority zones
unbound: error: rpz: unbound-checkconf. exit.

I have tried your URL.
The output of the make operation has as first line
unbound: info: rpz: create zonefile for /var/ipfire/dns/rpz/allowlist
which is missing in your post.

This means there is something wrong with your config files /var/ipfire/dns/rpz/allowlist and /etc/unbound/zonefiles/allow.rpz.
Can you post the contents?


I guess I missed this step

/var/ipfire/dns/rpz/allowlist is empty

and /etc/unbound/zonefiles/allow.rpz

s3-ap-southeast-1-amazonaws.com

You are right!

The allowlist is filled with URLs, which are translated into the allow.rpz file, which should read

; Name:				allow list
; Last modified:	2024-08-08 at 23.06.23 CEST
;
;	domains with actions list
;
s3-ap-southeast-1-amazonaws.com	CNAME	rpz-passthru.

following the good old IPFire way

  • define settings in /var/ipfire
  • generate the associated service config
  • restart service.
    :wink:
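As an added example (not the add-on’s own rpz-config script), here is how the allowlist-to-zone translation described above can be done in plain sh, plus a pre-check that catches a bare domain like the one in the failing allow.rpz earlier in the thread. Assumed: the list file holds one domain per line with ';' or '#' comments; the function names, the temporary paths in the usage comment and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not the rpz-config script from the add-on: render a plain
# list of domains into an RPZ zone file in the "<domain> CNAME <target>."
# form shown above, and pre-check a zone file for the bare-domain mistake
# that made unbound-checkconf fail with "could not parse the RR's TTL".
# Assumed: the list file holds one domain per line, with ';' or '#' comments.

# RPZ target for a list kind: allow -> rpz-passthru. (the query is answered
# normally, bypassing later policies), block -> . (NXDOMAIN).
rpz_target() {
    case "$1" in
        allow) echo "rpz-passthru." ;;
        block) echo "." ;;
        *) echo "unknown list kind: $1" >&2; return 1 ;;
    esac
}

# Accept only dotted names made of letters, digits and hyphens.
is_domain() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$'
}

# make_rpz_zone <allow|block> <listfile>: print the zone on stdout.
# A list entry that is not a domain aborts the run instead of producing
# a zone that unbound will reject at the next restart.
make_rpz_zone() {
    kind=$1; listfile=$2
    target=$(rpz_target "$kind") || return 1
    printf '; Name:\t\t%s list\n;\n' "$kind"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%[;#]*}                          # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t')    # strip whitespace
        [ -z "$line" ] && continue
        if ! is_domain "$line"; then
            echo "invalid domain in $listfile: $line" >&2
            return 1
        fi
        printf '%s\tCNAME\t%s\n' "$line" "$target"
    done < "$listfile"
}

# check_rpz_zone <zonefile>: report data lines that are not
# "<domain> CNAME <target>" (a bare domain, as in the failing allow.rpz,
# is the typical case).  Exit status 1 if anything is wrong.  This only
# covers the simple zones the add-on writes; unbound-checkconf stays the
# authoritative check.
check_rpz_zone() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*(;|$)/ { next }
         NF != 3 || $2 != "CNAME" {
             print FILENAME ":" NR ": expected \"<domain> CNAME <target>\", got: " $0
             bad = 1
         }
         END { exit bad }' "$1"
}

# Usage with a constructed list (the domain from the thread plus one more):
#   printf 's3-ap-southeast-1-amazonaws.com\nexample.org # note\n' > /tmp/allowlist
#   make_rpz_zone allow /tmp/allowlist > /tmp/allow.rpz && check_rpz_zone /tmp/allow.rpz
```

The renderer fails closed: one malformed list entry stops the run before anything is written, so a typo in the allowlist cannot leave unbound unable to start its authority zones, which is what the fatal error above amounts to.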

Working fine now,
Thank you Bernhard :ok_hand:


@jon this feature is really important and works stably. Please try to include a feature to bypass clients; for example, some devices on the network don’t need blocklists, similar to AdGuard Home.

Aug  8 01:25:00 black-x86-64 dns_blocklist.sh: Retreived 4 domain names from local blacklist file
Aug  8 01:25:00 black-x86-64 dns_blocklist.sh: Retreived 6540 domain names from https://adaway.org/hosts.txt
Aug  8 01:25:01 black-x86-64 dns_blocklist.sh: Retreived 162373 domain names from https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Aug  8 01:25:01 black-x86-64 dns_blocklist.sh: Retreived 250170 domain names from https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
Aug  8 01:25:04 black-x86-64 dns_blocklist.sh: Retreived 11789 domain names from https://someonewhocares.org/hosts/hosts
Aug  8 01:25:04 black-x86-64 dns_blocklist.sh: Retreived 20561 domain names from http://sysctl.org/cameleon/hosts
Aug  8 01:25:06 black-x86-64 dns_blocklist.sh: Retreived 25263 domain names from http://hostsfile.org/Downloads/hosts.txt
Aug  8 01:25:07 black-x86-64 dns_blocklist.sh: Retreived 250170 domain names from https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
Aug  8 01:25:07 black-x86-64 dns_blocklist.sh: Retreived 40203 domain names from https://easylist.to/easylist/easylist.txt
Aug  8 01:25:07 black-x86-64 dns_blocklist.sh: Retreived 199 domain names from https://easylist.to/easylist/fanboy-annoyance.txt
Aug  8 01:25:07 black-x86-64 dns_blocklist.sh: Cleaning & Sorting list of 767272 entries
Aug  8 01:25:07 black-x86-64 dns_blocklist.sh: Removed 104 domain names due to whitelist
Aug  8 01:25:20 black-x86-64 dns_blocklist.sh: Writing list of 262632 entries to unbound nxdomain configuration

I started with some ad-blockers and ended up with 262K+ IP addresses being blocked.
I had not checked these logs for some time, so I am really impressed that unbound works with almost no impact while the blocklist has 262K entries!

I am really impressed!

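For readers who want to see what the log lines above correspond to, here is an added example of the same pipeline in plain sh. It is not the poster’s dns_blocklist.sh; it reads hosts-format sources from local files instead of URLs, applies an exact-match whitelist, and writes unbound local-zone statements. The function names and the sample input in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's dns_blocklist.sh: the pipeline the log
# lines above describe, run on constructed input.  Hosts-format sources
# are reduced to domain names, merged, sorted and deduplicated, whitelisted
# names are removed, and the result is emitted as unbound local-zone
# statements (the "nxdomain configuration" the log refers to).
# Assumed: sources are local hosts-format files rather than URLs, and the
# whitelist is a plain file with one exact domain per line.

# Read a hosts-format file on stdin and print one lowercase domain per line:
#   "0.0.0.0 ads.example.com other.example.com # note" -> two domains.
# Only sinkhole entries (0.0.0.0, 127.0.0.1, ::, ::1) are used, and the
# localhost-style names every hosts file starts with are dropped.
hosts_to_domains() {
    awk '{ sub(/#.*/, "") }                      # drop comments, re-split fields
         $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/ {
             for (i = 2; i <= NF; i++) {
                 d = tolower($i)
                 if (d ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/) {
                     continue
                 }
                 print d
             }
         }'
}

# build_blocklist <whitelist> <hosts-file>...: print the final domain list
# on stdout and per-source counts on stderr, in the style of the log above.
build_blocklist() {
    whitelist=$1; shift
    all=$(mktemp)
    for src in "$@"; do
        n=$(hosts_to_domains < "$src" | tee -a "$all" | wc -l | tr -d ' ')
        echo "Retrieved $n domain names from $src" >&2
    done
    echo "Cleaning & Sorting list of $(wc -l < "$all" | tr -d ' ') entries" >&2
    sort -u "$all" > "$all.sorted"
    before=$(wc -l < "$all.sorted" | tr -d ' ')
    # -x: whole-line match, -F: literal patterns, -v: keep lines that do NOT match
    grep -vxF -f "$whitelist" "$all.sorted" > "$all.final" || true
    after=$(wc -l < "$all.final" | tr -d ' ')
    echo "Removed $((before - after)) domain names due to whitelist" >&2
    cat "$all.final"
    rm -f "$all" "$all.sorted" "$all.final"
}

# Turn a domain list on stdin into unbound local-zone statements that
# answer NXDOMAIN for the name and everything below it.
to_unbound_nxdomain() {
    awk 'NF { printf "local-zone: \"%s.\" always_nxdomain\n", $1 }'
}

# Usage (constructed file names):
#   build_blocklist /tmp/whitelist /tmp/hosts1 /tmp/hosts2 | to_unbound_nxdomain > /tmp/blocklist.conf
```

Two points worth noting when comparing this with the log: the whitelist match is exact, so whitelisting a parent domain does not rescue its subdomains, and the final count is after deduplication, which is why the log’s 767272 raw entries shrink to 262632 written ones.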

I think this is a bit more complicated. The RPZ mechanism is applied to all DNS queries. To realize your idea, there has to be selection in unbound.


I added code to check if the allowlist / blocklist is empty and to post a message.


I tried the update.sh delivered with the archive, but nothing has changed!
So how do I upgrade my RPZ add-on to the latest version (considering you posted some improvements, I want to test those)?

 ./update.sh
Extracting backup includes...
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Stopping Unbound DNS Proxy...                                    [  OK  ]
Creating Backup...
 does not have any backup includes
...Finished.
Removing files...
cat: /opt/pakfire/db/rootfiles/: Is a directory
...Finished.
Starting Unbound DNS Proxy...                                    [  OK  ]
Extracting files...
etc/
etc/unbound/
etc/unbound/zonefiles/
etc/unbound/zonefiles/block.rpz
etc/unbound/zonefiles/allow.rpz
etc/unbound/local.d/
etc/unbound/local.d/00-rpz.conf
usr/
usr/sbin/
usr/sbin/rpz-sleep
usr/sbin/rpz-metrics
usr/sbin/rpz-config
var/
var/ipfire/
var/ipfire/dns/
var/ipfire/dns/rpz/
var/ipfire/dns/rpz/blocklist
var/ipfire/dns/rpz/allowlist
var/ipfire/backup/
var/ipfire/backup/addons/
var/ipfire/backup/addons/includes/
var/ipfire/backup/addons/includes/rpz
...Finished.
Stopping Unbound DNS Proxy...                                    [  OK  ]
Starting Unbound DNS Proxy...                                    [  OK  ]


 ls -lt /usr/sbin/rpz-*
-rwxr-xr-x 1 root root 5574 Aug  1 07:03 /usr/sbin/rpz-config
-rwxr-xr-x 1 root root 5440 Aug  1 07:03 /usr/sbin/rpz-metrics
-rwxr-xr-x 1 root root 2342 Aug  1 07:03 /usr/sbin/rpz-sleep

<- All of the above files have dates from the initial install I performed on 1st August: nothing changed

 ls -lt /var/ipfire/dns/rpz/
total 0
-rw-r--r-- 1 root root 0 Aug  1 07:03 allowlist
-rw-r--r-- 1 root root 0 Aug  1 07:03 blocklist

<- All of the above files have dates from the initial install I performed on 1st August: nothing changed

Hi,
Congrats Jon for your work
:+1:


What you posted from the terminal is correct.

There were only two versions and the current version is in Post #15 above.

If you are looking for this change, it has not been built yet. I am making other changes before making it available for build and testing.

Does this help?


Thank you for letting us know! Appreciated!

Yes, that particular change was the one that triggered my attempt to perform “update”

Let me know when you “publish” a new version and I will test it and post results here.
Until then, let me express my appreciation for your work - all you have built so far works flawlessly in my opinion! And watching how RPZ blocks trackers from Huawei, Xiaomi and other phone manufacturers I have tested gives me important visibility into how often phones spy on us…
Last thing to say: all “user needed” phone functionalities work as they did before activating the RPZ lists for blocking trackers, so I would say that the lists are correct and whatever was blocked was only the tracking part and not some functionality users need.
If my assumption is correct then this RPZ is awesome!
