diff --git a/contrib/README b/contrib/README index d8afceabd..18c076fd8 100644 --- a/contrib/README +++ b/contrib/README @@ -51,3 +51,5 @@ distribution but may be helpful. compile. From Saksham Manchanda (Secure64). Please note that we think this will drop DNSKEY and DS lookups for tlds and hence break DNSSEC lookups for downstream clients. +* drop2rpz: perl script that converts the Spamhaus DROP-List in RPZ-Format, + contributed by Andreas Schulze. diff --git a/contrib/drop2rpz b/contrib/drop2rpz new file mode 100644 index 000000000..01602f651 --- /dev/null +++ b/contrib/drop2rpz @@ -0,0 +1,39 @@ +#!/usr/bin/perl + +# usage: curl --silent https://www.spamhaus.org/drop/drop.txt | $0 > /path/to/spamhaus-drop.rpz.local +# +# unbound.conf: +# rpz: +# name: "spamhaus-drop.rpz.local." +# zonefile: "/path/tp/spamhaus-drop.rpz.local" +# rpz-log: yes +# rpz-log-name: "spamhaus-drop" +# + +use strict; +use vars qw{$o1 $o2 $o3 $o4 $m}; + +# trailing dots required +my $origin = 'drop.spamhaus.org.rpz.local.'; +my $mname = 'localhost.'; +my $rname = 'root.localhost.'; +my $ns = $mname; + +my $rpz_action = '.'; # return NXDOMAIN +#my $rpz_action = '*.'; # return NODATA +#my $rpz_action = 'rpz-drop.'; # drop the query + +print "$origin SOA $mname $rname 1 43200 7200 2419200 3600\n"; +print "$origin NS $ns\n"; +while(<>) { + if(($o1, $o2, $o3, $o4, $m) = m{(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)}) { + print "$m.$o4.$o3.$o2.$o1.rpz-ip.$origin CNAME $rpz_action\n"; + } else { + print "$_"; + } +} + +# add a testpoint: ask for "dns.google" +# print "32.8.8.8.8.rpz-ip.$origin CNAME $rpz_action\n"; + +exit; diff --git a/doc/Changelog b/doc/Changelog index 6bbb4dba5..03fcb7d42 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +17 February 2020: Wouter + - drop2rpz: perl script that converts the Spamhaus DROP-List in + RPZ-Format, contributed by Andreas Schulze. + 14 February 2020: Wouter - Fix spelling in unbound.conf.5.in. - Stop unbound-checkconf from insisting that auth-zone and rpz