opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

Add Response Policy Zones (RPZ) support to Unbound #102

Closed nzkiwi68 closed 2 years ago

nzkiwi68 commented 3 years ago

Can we please have Response Policy Zones (RPZ) in Unbound?

I see it's supported in Unbound: https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26

The ideal would be:

RPZ good overview and graphic: https://zvelo.com/using-dns-rpz-to-protect-against-malicious-threats/

I would immediately start using: https://urlhaus.abuse.ch/api/#retrieve

and the download for their RPZ is: https://urlhaus.abuse.ch/downloads/rpz/

RPZ is a very powerful tool for DNS blocking and is used by many security vendors as a mechanism for providing their security data. Here are a few:

- https://www.spamhaus.org/news/article/669/spamhaus-dbl-as-a-response-policy-zone-rpz
- https://abuse.ch/blog/using-urlhaus-as-response-policy-zone-rpz/
- https://ioc2rpz.net/
- http://www.surbl.org/
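As an added configuration example (not part of this issue or of the OPNsense ports tree): RPZ is a runtime `unbound.conf` setting available since Unbound 1.10.0 rather than a port build option. The download URL is the one from the request above; the zone name and the local zonefile path are assumptions.

```conf
server:
    # RPZ is implemented by the respip module, so it must be listed in
    # module-config or the rpz: sections below are silently ignored.
    module-config: "respip validator iterator"

# One rpz: block per policy zone; zones are evaluated in the order listed.
rpz:
    # Zone name as published in the feed's SOA record. Assumption: check
    # the $ORIGIN of the downloaded zone file and adjust if it differs.
    name: "urlhaus.abuse.ch"
    # Feed fetched over HTTPS; this is the URL from the request above.
    url: "https://urlhaus.abuse.ch/downloads/rpz/"
    # Local copy Unbound writes after each download (placeholder path).
    zonefile: "/var/unbound/urlhaus.rpz"
    # Optional: answer NXDOMAIN for every hit regardless of the action the
    # feed encodes, so a blocked name fails closed.
    rpz-action-override: nxdomain
    # Log every policy hit with a tag so blocks can be picked up by
    # log monitoring and counted per feed.
    rpz-log: yes
    rpz-log-name: "urlhaus"
```

Validate the file with `unbound-checkconf` before reloading; after a reload, each blocked lookup appears in the Unbound log tagged with the `rpz-log-name` value.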

AdSchellevis commented 3 years ago

Best open a feature request in core using our template (https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md&title=). To increase the chances of success it's also advisable to limit the scope of the request and clearly describe what it should do (if possible with configuration examples). In case it should replace an existing feature (such as the current blacklists), describe the pros and cons as well.

The ports repository is only a downstream sync of the software build instructions, which probably already contains the correct version of unbound.

fichtner commented 3 years ago

In the scope of this ports request I have no idea how "support for RPZ" translates to something we can do WRT the current port configuration:

https://github.com/opnsense/ports/blob/1fe0cc14818e2143cab7227e2a0350018775fc59/dns/unbound/Makefile#L41-L53