Local Data and RPZ

Local overrides for DNS data may be defined in the local-data configuration tree. It accepts several input formats, described in the following subsections.

local-data:
ttl: <time ms|s|m|h|d>

Optional, sets the TTL of the records generated from local-data.

nodata: true|false
Default

true

Enables NODATA synthesis; false disables it. If set to true (the default), an empty answer is synthesised for a query that matches a name but not a record type (e.g. an AAAA query when only an A record exists for that name).

The typical use case is to define name-address pairs, which also generate the corresponding reverse PTR records.

addresses: <dict[hostname, address]>

Optional, direct addition of hostname and IP address pairs.

addresses-files: <list of paths>

Optional, direct addition of hostname and IP address pairs from files in /etc/hosts-like format.

local-data:
  addresses:
    a1.example.com: 2001:db8::1
    a2.example.com: 2001:db8::2
  addresses-files:
    - /etc/hosts
  # some options
  ttl: 5m
  nodata: false # don't force empty answer for missing record types on mentioned names
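
The following Python helper is an added example, not part of Knot Resolver or its documentation. It parses an /etc/hosts-style file like the one addresses-files points at, lists the forward and reverse records those pairs correspond to with the configured ttl, and models the documented nodata option for a name that exists only with another record type. The sample hosts text is constructed; the choice to generate one PTR per address pointing at the first (canonical) name is this example's, since the page does not describe how aliases are handled.

```python
"""Added example, not Knot Resolver code: parse an /etc/hosts-style file into the
forward and reverse records local-data builds from addresses-files, and model
the documented `nodata` behaviour for a name that exists with another type."""
import ipaddress
import re
from typing import List, Tuple, Union

# Constructed sample in /etc/hosts format (not a real file): address, canonical
# name, optional aliases; '#' starts a comment.
HOSTS_TEXT = """\
127.0.0.1       localhost
2001:db8::1     a1.example.com a1      # IPv6-only name
192.0.2.10      a2.example.com
2001:db8::2     a2.example.com         # dual-stack name
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Record = Tuple[str, str, str]  # (owner, rtype, rdata); names fully qualified, lowercase

_TTL_RE = re.compile(r"^(\d+)(ms|s|m|h|d)$")
_UNIT = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def ttl_seconds(value: str) -> float:
    """Convert a local-data `ttl` value such as '5m' or '500ms' to seconds.
    The alternation tries 'ms' before 'm', so '500ms' is not read as 500 minutes."""
    m = _TTL_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad ttl {value!r}: expected <number><ms|s|m|h|d>")
    return int(m.group(1)) * _UNIT[m.group(2)]


def fqdn(name: str) -> str:
    """Normalise a name to lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_hosts(text: str) -> List[Tuple[Address, List[str]]]:
    """Return (address, [names]) per data line. Comments and blank lines are
    skipped; a malformed address or a line without a name is an error rather
    than a silently dropped override."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected <address> <name> [aliases...]")
        pairs.append((ipaddress.ip_address(fields[0]), fields[1:]))  # ValueError if not an IP
    return pairs


def synthesise(text: str) -> List[Record]:
    """Forward A/AAAA record for every name on a line, plus one PTR per address.
    The PTR points at the first (canonical) name, following hosts-file convention;
    this is the example's choice, not something the page specifies."""
    records: List[Record] = []
    for addr, names in parse_hosts(text):
        rtype = "A" if addr.version == 4 else "AAAA"
        for name in names:
            records.append((fqdn(name), rtype, str(addr)))
        records.append((fqdn(addr.reverse_pointer), "PTR", fqdn(names[0])))
    return records


def answer(records: List[Record], qname: str, qtype: str, nodata: bool = True):
    """Model the `nodata` option: a hit returns ('data', rdatas); a name that
    exists only with other types returns ('nodata', []) when nodata is true and
    ('not-local', []) when it is false, meaning the query is resolved normally.
    Names absent from local data are never answered locally."""
    qname, qtype = fqdn(qname), qtype.upper()
    same_name = [r for r in records if r[0] == qname]
    hits = [r[2] for r in same_name if r[1] == qtype]
    if hits:
        return ("data", hits)
    if same_name and nodata:
        return ("nodata", [])
    return ("not-local", [])


if __name__ == "__main__":
    ttl = int(ttl_seconds("5m"))
    for owner, rtype, rdata in synthesise(HOSTS_TEXT):
        print(f"{owner}\t{ttl}\t{rtype}\t{rdata}")
    print(answer(synthesise(HOSTS_TEXT), "a1.example.com", "A"))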

records: <zonefile format string>

Optional, direct addition of records in DNS zonefile format. The zonefile syntax is more flexible, e.g. it can define any type of record.

local-data:
  records: |
    www.google.com.  CNAME  forcesafesearch.google.com.
    example.com  TXT  "an example text record"
    34.example.com  AAAA  2001:db8::3
    34.example.com  AAAA  2001:db8::4

RPZ files are another way of adding rules.

rpz: <list>
file: <path>

Path to an RPZ zonefile.

tags: <list of tags>

Optional, tags to link with other policy rules, e.g. views.

local-data:
  rpz:
    - file: /tmp/adult.rpz
      tags: [ adult ]
      # security blocklist applied for everyone
    - file: /tmp/security.rpz

So far, RPZ support is limited to the most common features:

  • only files, and they are not automatically reloaded when changed

  • rules with rpz-* labels are ignored, e.g. .rpz-client-ip

  • CNAME *.some.thing does not expand the wildcard
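
Because the constructs above are dropped silently, a policy file written for another RPZ implementation can end up only partly applied, and a client-IP exception or block under rpz-client-ip simply never takes effect. The following linter is an added example, not Knot Resolver code: it reads an RPZ zonefile with a minimal zonefile parser and reports the rules that fall under the limitations listed above, so a file can be checked before it is referenced from rpz. The sample zone text is constructed; single-line records only, and a ';' inside quoted rdata is not handled (both assumptions of this example).

```python
"""Added example, not Knot Resolver code: lint an RPZ zonefile for the
constructs the limitations above say the resolver ignores."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample RPZ zone (not a real feed). Owner names without a trailing
# dot are relative to $ORIGIN, as in any zonefile.
RPZ_TEXT = """\
$ORIGIN security.example.
$TTL 300
@                      SOA   localhost. root.localhost. 1 3600 900 604800 300
@                      NS    localhost.
; QNAME triggers with standard actions: NXDOMAIN, NODATA, local data, redirect
bad.example.           CNAME .
*.bad.example.         CNAME .
tracker.example.       CNAME *.
ads.example.           A     127.0.0.1
sinkhole.example.      CNAME walled-garden.example.
; client-IP and response-IP triggers live under rpz-* labels
24.0.2.0.192.rpz-client-ip   CNAME rpz-passthru.
32.1.0.0.10.rpz-ip           CNAME .
; a wildcard CNAME target
phish.example.         CNAME *.walled-garden.example.
"""


@dataclass
class RpzRule:
    owner: str   # trigger name, fully qualified (trailing dot)
    rtype: str
    rdata: str
    line: int


@dataclass
class LintResult:
    supported: List[RpzRule] = field(default_factory=list)
    ignored_rpz_label: List[RpzRule] = field(default_factory=list)  # owner under an rpz-* label
    wildcard_cname: List[RpzRule] = field(default_factory=list)     # CNAME *.some.thing target


def qualify(name: str, origin: str) -> str:
    """Make a zonefile name absolute relative to origin ('@' is the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_rpz(text: str, origin: Optional[str] = None) -> List[RpzRule]:
    """Minimal zonefile reader: one record per line, optional TTL (digits only)
    and class, ';' comments, $ORIGIN and $TTL directives."""
    rules: List[RpzRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[0] == "$TTL":
            continue
        if origin is None:
            raise ValueError(f"line {lineno}: relative names need $ORIGIN first")
        owner, rest = qualify(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"line {lineno}: expected <owner> [ttl] [class] <type> <rdata>")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype == "CNAME":
            rdata = qualify(rdata, origin)   # '.' and '*.' already end with a dot
        rules.append(RpzRule(owner, rtype, rdata, lineno))
    return rules


def trigger_labels(owner: str, origin: str) -> List[str]:
    """Labels of the trigger with the policy zone's own name removed."""
    if owner.lower() == origin.lower():
        return []
    suffix = "." + origin.lower()
    rel = owner[:-len(suffix)] if owner.lower().endswith(suffix) else owner.rstrip(".")
    return rel.split(".")


def lint_rpz(text: str, zone: str) -> LintResult:
    """Classify every rule of the policy zone `zone` (its apex name, normally
    equal to the file's $ORIGIN) against the limitations listed above."""
    zone = zone if zone.endswith(".") else zone + "."
    result = LintResult()
    for rule in parse_rpz(text, zone):
        if rule.rtype in ("SOA", "NS") and rule.owner.lower() == zone.lower():
            continue  # zone apex metadata, not a policy rule
        if any(label.lower().startswith("rpz-") for label in trigger_labels(rule.owner, zone)):
            result.ignored_rpz_label.append(rule)
        elif rule.rtype == "CNAME" and rule.rdata.startswith("*.") and rule.rdata != "*.":
            result.wildcard_cname.append(rule)
        else:
            result.supported.append(rule)
    return result


if __name__ == "__main__":
    res = lint_rpz(RPZ_TEXT, "security.example.")
    for r in res.ignored_rpz_label:
        print(f"line {r.line}: IGNORED (rpz-* label): {r.owner} {r.rtype} {r.rdata}")
    for r in res.wildcard_cname:
        print(f"line {r.line}: wildcard CNAME target not expanded: {r.owner} -> {r.rdata}")
    print(f"{len(res.supported)} rules will be applied")
```

Run against the sample, the two rpz-client-ip and rpz-ip rules and the wildcard redirect for phish.example are reported, and the five plain QNAME rules pass. Since files are not reloaded automatically, the same check belongs in whatever step rewrites the file before the resolver is told to pick it up.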

subtrees: <list>

This allows defining more complex sets of rules, e.g. blocking whole subtrees under the listed roots.

type: empty|nxdomain|redirect

Type of the subtree: the kind of answer synthesised for every name under its roots.

tags: <list of tags>

Optional, tags to link with other policy rules, e.g. views.

local-data:
  subtrees:
    - type: empty
      tags: [ malware ]
      roots: [ evil.example.org, malware.example.net ]