module_policy_rpz.rpl 2.52 KB
; config options
; stub-addr: address the resolver under test is pointed at for its upstream
; queries (assumed from the matching ADDRESS 1.2.3.4 of the mocked server in
; the RANGE block of this scenario).
	stub-addr: 1.2.3.4
; feature-list: adds a policy rule that loads the RPZ file
; sets/resolver/zone.rpz through policy.rpz(), with policy.DENY passed as its
; action argument. The zone file is not part of this scenario; the comments
; above each test step quote the rule that step is expected to hit.
        feature-list: policy=policy:add(policy.rpz(policy.DENY, '{{INSTALL_DIR}}/sets/resolver/zone.rpz'))
	query-minimization: off
CONFIG_END

SCENARIO_BEGIN policy.rpz test

; Mocked upstream server at 1.2.3.4, active for steps 0-110.
; It returns an ordinary NOERROR A answer for each of the five names queried
; in this scenario (example.cz, dummy.example.cz, nic.cz, dummy.nic.cz,
; example.com). Because upstream always answers successfully, any NXDOMAIN,
; SERVFAIL or TC result seen in the CHECK_ANSWER steps must come from the RPZ
; policy, not from the upstream data.
; Each entry is selected by opcode, qtype and qname, and the query ID is
; copied into the reply (ADJUST copy_id).
RANGE_BEGIN 0 110
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
example.cz. IN A
SECTION ANSWER
example.cz. IN A 5.6.7.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
dummy.example.cz. IN A
SECTION ANSWER
dummy.example.cz. IN A 9.10.11.12
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
nic.cz. IN A
SECTION ANSWER
nic.cz. IN A 13.14.15.16
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
dummy.nic.cz. IN A
SECTION ANSWER
dummy.nic.cz. IN A 17.18.19.20
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
example.com. IN A 21.22.23.24
ENTRY_END
RANGE_END

; example.cz is blocked by the RPZ rule "example.cz CNAME ." (exact-name match).
; NXDOMAIN expected, with an empty answer section, even though the mocked
; upstream would return 5.6.7.8 for this name.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.cz. IN A
ENTRY_END

STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
example.cz. IN A
SECTION ANSWER
ENTRY_END

; dummy.example.cz is blocked by the wildcard RPZ rule "*.example.cz CNAME *."
; NXDOMAIN expected.
; NOTE(review): in the RPZ format "CNAME *." is the NODATA action (NOERROR with
; an empty answer), while "CNAME ." is NXDOMAIN. This step pins the resolver to
; answering NXDOMAIN for it; confirm that this deviation is intended.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
dummy.example.cz. IN A
ENTRY_END

STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
dummy.example.cz. IN A
SECTION ANSWER
ENTRY_END

; nic.cz is blocked by the RPZ rule "nic.cz CNAME rpz-drop."
; SERVFAIL expected.
; NOTE(review): the RPZ DROP action nominally means the query is discarded
; with no response at all; this scenario instead expects the client to
; receive SERVFAIL. Confirm that this is the intended behaviour.
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
nic.cz. IN A
ENTRY_END

STEP 55 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA SERVFAIL
SECTION QUESTION
nic.cz. IN A
SECTION ANSWER
ENTRY_END

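; dummy.nic.cz matches the wildcard RPZ rule "*.nic.cz CNAME rpz-tcp-only."
; TC flag expected: the reply is marked truncated with an empty answer section,
; which tells the client to retry over TCP.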
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
dummy.nic.cz. IN A
ENTRY_END

STEP 65 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR TC RD RA NOERROR
SECTION QUESTION
dummy.nic.cz. IN A
SECTION ANSWER
ENTRY_END

; example.com matches the RPZ rule "example.com CNAME rpz-passthru."
; Passthru exempts the name from policy rewriting, so the answer is not
; affected by the RPZ: the upstream record 21.22.23.24 is expected unchanged.
; This is the negative control for the blocking steps in this scenario.
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.com. IN A
ENTRY_END

STEP 80 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
example.com. IN A 21.22.23.24
ENTRY_END

SCENARIO_END