Other lists for RPZ?

I stumbled on another RPZ list of newly registered domains (NRDs):

It is pretty neat, the maintainer is updating it daily

Some of these lists are really large (3x85MB) and total about 9 million domains.

Would it make sense to set up a separate box with unbound + RPZ to keep IPfire running smoothly, or would that defeat the purpose of secure DNS?


Nice finding. But the lists aren’t in RPZ format.
The files in the unbound directory contain lines that could be included in unbound.conf, but the auto update mechanism by a SOA record doesn’t exist.
It could be compiled to the RPZ format. But this would demand an extra fcrontab entry, e.g., for updating (and a reload operation of unbound, which would reset the update timers).


GitHub - minoplhy/filters-converter <–maybe?

Did not check the quality of the several converters (source syntax → RPZ syntax).
But none of the programs writes a SOA record for auto update. This is mandatory for the process implemented by @jon!
But auto updating by unbound doesn’t function with these lists anyway.
The idea of the RPZ addon is

  • define an RPZ in unbound configuration with a source for a filter list
  • this list begins with a SOA record with an entry for the update period
  • unbound uses this record to update the list internally

Lists not adhering to this model must be loaded externally and announced to unbound by a reload operation, with the issues described in the RPZ wiki article.

OK, just as a test, I used one of the converters on my firewall to convert

https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/hosts/multi.txt
python3 host_rpz_argv.py multi.txt test.txt

to a text file in RPZ format that I placed in /srv/ipfire/html and used Apache on the firewall for the link to import.

@bbitsch yes, you’re correct, the one I tested doesn’t do the SOA record.

Note: the adblock converter puts double CNAME . into the test.txt

I’ll post back if the outcome is favorable or not… this is now just out of curiosity.

The problem of auto update remains.
The only solution would be

  • fcrontab entry:
    • download the .txt file
    • convert
  • RPZ entry links to the local file, the link must be ‘wget-able’
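As an added illustration of the model described above (SOA record first, then `CNAME .` entries) and of the "download, convert" step in this fcrontab proposal, here is a small hosts-to-RPZ converter. It is example code written for this reply, not one of the converters from the linked repository; the zone name `rpz.local`, the refresh period and the sample hosts lines are constructed assumptions.

```python
import re
import time

# Constructed sample in hosts format (the shape of files like multi.txt); not a real download.
SAMPLE_HOSTS = """\
# Title: example blocklist (constructed sample)
127.0.0.1 localhost
0.0.0.0 tracker.example.net
0.0.0.0 ads.example.org  # trailing comment
0.0.0.0 tracker.example.net
0.0.0.0 0.0.0.0
"""

# Names that hosts files carry for local resolution; they are never blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_hostname(name: str) -> bool:
    """Accept only syntactically valid DNS names so a bad line cannot corrupt the zone."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def hosts_to_domains(text: str) -> list:
    """Extract unique blocked hostnames from hosts-format text, keeping first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()        # strip comments, then tokenize
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            continue
        for name in parts[1:]:
            name = name.lower()
            if name in LOCAL_NAMES or not is_hostname(name) or name in seen:
                continue
            seen.add(name)
            out.append(name)
    return out

def build_rpz(domains, zone="rpz.local", refresh=86400, serial=None) -> str:
    """Render an RPZ zone: SOA (its refresh value is what unbound uses as the update
    period), an NS record, then 'CNAME .' (NXDOMAIN) for each domain and its subdomains."""
    serial = int(time.time()) if serial is None else serial   # must grow on every rebuild
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{zone}. {serial} {refresh} 3600 604800 300",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} IN CNAME .")
        lines.append(f"*.{d} IN CNAME .")
    return "\n".join(lines) + "\n"
```

Writing the result to a file under /srv/ipfire/html, as done in the test above, gives a ‘wget-able’ URL for the RPZ entry.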

Perhaps ask the maintainer if they could host a RPZ version?
In the correct format for IPfire.
The worst thing they can say is No.

There is no special IPFire format. The addon just uses the format defined in the unbound documentation and described in https://jpgpi250.github.io/piholemanual/doc/Unbound%20response%20policy%20zones.pdf

I was successful in converting and importing the list into RPZ with Jon’s awesome beta addon, but I’m not sure it’s worth it, since you have to use http from the green IP of the firewall for unbound to do the import due to self-signed certs. If anyone wants to know how I did it, I can explain via PM… I’ve hijacked Jon’s thread a bit much and apologize @jon
