Describe the bug
We are running unbound as the name server for clients, configured to forward/stub requests to an upstream name server and with an RPZ.
For some clients, rpz-passthru has been configured in the rpz zone file, but it appears that further entries in the rpz zone file are also matched, so the client receives an unexpected response.
On the other hand, the behavior of rpz-drop seems to be as expected: no further entries in the rpz zone file are matched.
To reproduce
Made a little Docker setup to reproduce the behavior:
client1 ──┐
          ├──▶ dns ──▶ ns ──▶ INET
client2 ──┘
client1 (10.255.255.201):
- Alpine Linux
- bind-tools
- rpz-passthru
client2 (10.255.255.202):
- Alpine Linux
- bind-tools
- rpz-drop
dns (10.255.255.53):
- unbound
- forwarding/stubbing to ns
- rpz
ns (10.255.255.53):
- bind9
- forwarding to INET
- hosting example.com
rpz zone file:
$TTL 300
$ORIGIN rpz.example.com.
@ IN SOA rpz.example.com. hosting.example.com. (
2024031300 ; serial
300 ; refresh
150 ; retry
604800 ; expiry
60 ; minimum ttl
)
www.example.com 300 IN A 192.168.192.168
32.201.255.255.10.rpz-client-ip 300 IN CNAME rpz-passthru.
32.202.255.255.10.rpz-client-ip 300 IN CNAME rpz-drop.
Debugging client1 with rpz-passthru, when there's an additional match in the rpz zone file:
docker exec -ti client1 bash
client1:/# dig +short dns
10.255.255.53
client1:/# dig +short @dns www.example.com
192.168.192.168
===> unbound logs
2024-03-13 11:08:26 dns | [1710324506] unbound[1:0] debug: rpz: trigger clientip 10.255.255.201/32 on 10.255.255.201 action=rpz-passthru
2024-03-13 11:08:26 dns | [1710324506] unbound[1:0] debug: rpz: qname trigger www.example.com. with action=rpz-local-data
2024-03-13 11:08:26 dns | [1710324506] unbound[1:0] info: rpz: applied [rpz.example.com] www.example.com. rpz-local-data 10.255.255.201@60529 www.example.com. A IN
2024-03-13 11:08:26 dns | [1710324506] unbound[1:0] reply: 10.255.255.201 www.example.com. A IN NOERROR 0.000000 1 60
Debugging client1 with rpz-passthru, when there's no other match in the rpz zone file:
docker exec -ti client1 bash
client1:/# dig +short @dns mail.example.com
10.255.255.25
===> unbound logs
2024-03-13 11:09:20 dns | [1710324560] unbound[1:0] debug: rpz: trigger clientip 10.255.255.201/32 on 10.255.255.201 action=rpz-passthru
2024-03-13 11:09:20 dns | [1710324560] unbound[1:0] reply: 10.255.255.201 mail.example.com. A IN NOERROR 0.000000 1 61
Debugging client2 with rpz-drop and an additional match in the rpz zone file:
docker exec -ti client2 bash
client2:/# dig @dns www.example.com
;; communications error to 10.255.255.53#53: timed out
;; communications error to 10.255.255.53#53: timed out
;; communications error to 10.255.255.53#53: timed out
; <<>> DiG 9.18.24 <<>> @dns www.example.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached
===> unbound logs
2024-03-13 11:10:16 dns | [1710324616] unbound[1:0] debug: rpz: trigger clientip 10.255.255.202/32 on 10.255.255.202 action=rpz-drop
2024-03-13 11:10:16 dns | [1710324616] unbound[1:0] info: rpz: applied [rpz.example.com] clientip www.example.com. rpz-drop 10.255.255.202@42675 www.example.com. A IN
2024-03-13 11:10:21 dns | [1710324621] unbound[1:0] debug: rpz: trigger clientip 10.255.255.202/32 on 10.255.255.202 action=rpz-drop
2024-03-13 11:10:21 dns | [1710324621] unbound[1:0] info: rpz: applied [rpz.example.com] clientip www.example.com. rpz-drop 10.255.255.202@59646 www.example.com. A IN
2024-03-13 11:10:26 dns | [1710324626] unbound[1:0] debug: rpz: trigger clientip 10.255.255.202/32 on 10.255.255.202 action=rpz-drop
2024-03-13 11:10:26 dns | [1710324626] unbound[1:0] info: rpz: applied [rpz.example.com] clientip www.example.com. rpz-drop 10.255.255.202@52502 www.example.com. A IN
Expected behavior
We expect that if the action rpz-passthru is used, no further entries in the rpz zone file are evaluated.
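The log excerpts above are enough to detect this condition automatically. The following script is an added example (not part of this issue or of unbound) that replays the quoted log lines and flags any query where a client-ip trigger fired with rpz-passthru and a different RPZ action was still applied before the reply; it assumes unbound's current log line formats as quoted in this issue and a single worker thread, so lines arrive in order.

```python
import re

# Constructed sample: the unbound log lines quoted in this issue, in their original order.
SAMPLE_LOG = """\
[1710324506] unbound[1:0] debug: rpz: trigger clientip 10.255.255.201/32 on 10.255.255.201 action=rpz-passthru
[1710324506] unbound[1:0] debug: rpz: qname trigger www.example.com. with action=rpz-local-data
[1710324506] unbound[1:0] info: rpz: applied [rpz.example.com] www.example.com. rpz-local-data 10.255.255.201@60529 www.example.com. A IN
[1710324506] unbound[1:0] reply: 10.255.255.201 www.example.com. A IN NOERROR 0.000000 1 60
[1710324560] unbound[1:0] debug: rpz: trigger clientip 10.255.255.201/32 on 10.255.255.201 action=rpz-passthru
[1710324560] unbound[1:0] reply: 10.255.255.201 mail.example.com. A IN NOERROR 0.000000 1 61
[1710324616] unbound[1:0] debug: rpz: trigger clientip 10.255.255.202/32 on 10.255.255.202 action=rpz-drop
[1710324616] unbound[1:0] info: rpz: applied [rpz.example.com] clientip www.example.com. rpz-drop 10.255.255.202@42675 www.example.com. A IN
"""

# "trigger clientip <prefix> on <client> action=<action>"
TRIGGER_RE = re.compile(r"rpz: trigger clientip \S+ on (?P<client>\S+) action=(?P<action>\S+)")
# "applied [<zone>] <matched name(s)> <action> <client>@<port> <qname> <qtype> <qclass>"
APPLIED_RE = re.compile(
    r"rpz: applied \[(?P<zone>[^\]]+)\] .*? (?P<action>rpz-[\w-]+) "
    r"(?P<client>[^@\s]+)@\d+ (?P<qname>\S+) \S+ \S+$"
)
# "reply: <client> <qname> ..." closes the query for that client
REPLY_RE = re.compile(r"reply: (?P<client>\S+) (?P<qname>\S+) ")


def find_passthru_violations(log_text):
    """Return (client, qname, zone, action) for every query where a non-passthru
    RPZ action was applied after a client-ip passthru trigger had already fired."""
    passthru_pending = {}  # client ip -> True while a passthru trigger awaits its reply
    violations = []
    for line in log_text.splitlines():
        m = TRIGGER_RE.search(line)
        if m:
            if m["action"] == "rpz-passthru":
                passthru_pending[m["client"]] = True
            else:
                passthru_pending.pop(m["client"], None)
            continue
        m = APPLIED_RE.search(line)
        if m and passthru_pending.get(m["client"]) and m["action"] != "rpz-passthru":
            violations.append((m["client"], m["qname"], m["zone"], m["action"]))
            continue
        m = REPLY_RE.search(line)
        if m:
            passthru_pending.pop(m["client"], None)  # query answered, state is consumed
    return violations


if __name__ == "__main__":
    for hit in find_passthru_violations(SAMPLE_LOG):
        print("passthru overridden:", hit)
```

On the sample it reports exactly the client1 www.example.com query, where rpz-local-data was applied despite the earlier passthru trigger; the client2 drop is not reported because no passthru preceded it.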
System:
- Unbound version: 1.18.0 and 1.19.2
- OS: Linux (openSUSE, Ubuntu, Alpine, doesn't matter)
- unbound -V output:
Version 1.19.2
Configure line: --build=aarch64-alpine-linux-musl --host=aarch64-alpine-linux-musl --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --localstatedir=/var --with-username=unbound --with-run-dir= --with-pidfile= --with-rootkey-file=/usr/share/dnssec-root/trusted-key.key --with-libevent --with-pthreads --disable-static --disable-rpath --enable-dnstap --with-ssl --without-pythonmodule --with-pyunbound
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.1.4 24 Oct 2023
Linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
Additional information
We expect the issue could be located somewhere here - but that's just a guess...
Please find the Docker setup attached.
Thanks and best regards!