From 64648db2ec5b396c8727ec8afa634c80c36d167c Mon Sep 17 00:00:00 2001
From: CyberMind-FR
Date: Wed, 11 Feb 2026 08:15:26 +0100
Subject: [PATCH] feat(vortex-firewall): Add BIND RPZ support for DNS blocking
Auto-detects DNS server (BIND vs dnsmasq) and generates appropriate blocklist format:
- BIND: Response Policy Zone (RPZ) with NXDOMAIN responses
- dnsmasq: addn-hosts sinkhole file (existing)
Tested with 46,067 blocked domains on BIND named server.
Co-Authored-By: Claude Opus 4.5
---
 .../root/usr/sbin/vortex-firewall | 97 ++++++++++++++++++-
 1 file changed, 96 insertions(+), 1 deletion(-)
diff --git a/package/secubox/secubox-vortex-firewall/root/usr/sbin/vortex-firewall b/package/secubox/secubox-vortex-firewall/root/usr/sbin/vortex-firewall
index 31fa0d65..9a2c4395 100755
--- a/package/secubox/secubox-vortex-firewall/root/usr/sbin/vortex-firewall
+++ b/package/secubox/secubox-vortex-firewall/root/usr/sbin/vortex-firewall
@@ -280,6 +280,102 @@ intel_merge() { } generate_blocklist() { + # Detect DNS server + local dns_server="dnsmasq" + if pgrep -f "/usr/sbin/named" >/dev/null 2>&1 || pidof named >/dev/null 2>&1; then + dns_server="bind" + fi + + log "Generating blocklist for $dns_server..." + + local count=$(sqlite3 "$BLOCKLIST_DB" "SELECT COUNT(*) FROM domains WHERE blocked=1;") + + if [ "$dns_server" = "bind" ]; then + # Generate BIND RPZ zone + generate_bind_rpz "$count" + else + # Generate dnsmasq hosts file + generate_dnsmasq_hosts "$count" + fi +} + +generate_bind_rpz() { + local count="$1" + local rpz_zone="/etc/bind/zones/rpz.vortex.zone" + local rpz_conf="/etc/bind/named.conf.vortex" + local serial=$(date +%Y%m%d%H) + + log "Generating BIND RPZ zone ($count domains)..." + + # Generate RPZ zone file + cat > "$rpz_zone" <> "$rpz_zone" + echo "*.$domain CNAME ." >> "$rpz_zone" + done + + log "RPZ zone written: $rpz_zone" + + # Generate BIND config include + cat > "$rpz_conf" </dev/null; then + log "Adding RPZ policy to BIND config..." + # Add response-policy to options block + sed -i '/^options {/,/^};/ { + /^};/ i\ response-policy { zone "rpz.vortex"; }; + }' /etc/bind/named.conf + fi + + # Include vortex config if not already + if ! grep -q "named.conf.vortex" /etc/bind/named.conf 2>/dev/null; then + echo 'include "/etc/bind/named.conf.vortex";' >> /etc/bind/named.conf + fi + + log "BIND RPZ config written: $rpz_conf" + + # Reload BIND + if [ -x /etc/init.d/named ]; then + /etc/init.d/named reload 2>/dev/null || /etc/init.d/named restart 2>/dev/null + log "BIND reloaded" + fi + + # Update stats + local now=$(date -Iseconds) + echo "{\"domains\":$count,\"last_update\":\"$now\",\"blocks\":0,\"queries\":0,\"dns_server\":\"bind\"}" > "$STATS_FILE" +} + +generate_dnsmasq_hosts() { + local count="$1" + log "Generating dnsmasq blocklist..." # Generate hosts file for sinkhole 
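Review bot: The RPZ zone is built in place from raw `domain` values and installed without validation, so one malformed feed entry (whitespace, `;`, `(` or a leading `$` in the `domain` column) makes named reject the whole policy zone and blocking fails open, while `/etc/init.d/named reload 2>/dev/null || /etc/init.d/named restart 2>/dev/null` discards the error and `log "BIND reloaded"` runs regardless of the exit status. Write the zone to a temp file, run `named-checkzone` on it (and `named-checkconf` after the `sed -i` edit of `/etc/bind/named.conf`) before moving it into place, and log success only when the reload returns 0; the sketch below covers the install/reload part of `generate_bind_rpz`. The per-domain `echo ... >> "$rpz_zone"` pair opens the file twice per entry (about 92k times for the 46,067 domains in the description); a single `sqlite3` query that emits both records and filters with `NOT GLOB '*[^A-Za-z0-9._-]*'` is faster and keeps zone-hostile characters out of the file. `grep -q "response-policy"` also skips the insert whenever any response-policy statement already exists, in which case `rpz.vortex` is never attached to `options` and deserves a `log` warning rather than a silent no-op, and the `local count=$(sqlite3 …)` / `local now=$(date …)` forms mask failures so an empty `$count` would produce invalid JSON in `$STATS_FILE`. The here-doc region of this hunk is garbled in this rendering, so the loop's shape is inferred from the surviving `echo "*.$domain CNAME ." >> "$rpz_zone"` line and the sketch leaves the zone header here-doc as it is.
```shell
local tmp_zone
tmp_zone=$(mktemp "${rpz_zone}.XXXXXX") || return 1
# … unchanged: SOA/NS header here-doc, redirected to "$tmp_zone" instead of "$rpz_zone" …
# One query instead of two echo >> per domain; the GLOB rejects anything a zone parser could misread.
sqlite3 "$BLOCKLIST_DB" \
  "SELECT domain || ' CNAME .' || char(10) || '*.' || domain || ' CNAME .'
     FROM domains WHERE blocked=1 AND domain != ''
      AND domain NOT GLOB '*[^A-Za-z0-9._-]*';" >> "$tmp_zone" || { rm -f -- "$tmp_zone"; return 1; }
# Validate before touching the live zone so a bad feed cannot take the policy zone down.
if command -v named-checkzone >/dev/null && ! named-checkzone -q rpz.vortex "$tmp_zone"; then
  log "RPZ zone failed validation, keeping previous zone"
  rm -f -- "$tmp_zone"
  return 1
fi
mv -f -- "$tmp_zone" "$rpz_zone"
log "RPZ zone written: $rpz_zone"
# … unchanged: named.conf.vortex include and response-policy insertion …
if command -v named-checkconf >/dev/null && ! named-checkconf /etc/bind/named.conf; then
  log "named.conf failed validation after RPZ edit, not reloading"
  return 1
fi
if [ -x /etc/init.d/named ]; then
  if /etc/init.d/named reload || /etc/init.d/named restart; then
    log "BIND reloaded"
  else
    log "BIND reload failed, RPZ changes are not active"
    return 1
  fi
fi
# … unchanged: stats file …
```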
@@ -290,7 +386,6 @@ generate_blocklist() { sqlite3 -separator ' ' "$BLOCKLIST_DB" \ "SELECT '$SINKHOLE_IP', domain FROM domains WHERE blocked=1;" >> "$BLOCKLIST_HOSTS" - local count=$(grep -c "^$SINKHOLE_IP" "$BLOCKLIST_HOSTS") log "Generated $count sinkhole entries" # Generate dnsmasq config
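Review bot: `log "Generated $count sinkhole entries"` now reports the DB-side `COUNT(*)` passed in as `$1` rather than the number of lines actually appended, so if the `sqlite3 -separator ' ' … >> "$BLOCKLIST_HOSTS"` write above it fails or is cut short the log still claims a full sinkhole; the removed `grep -c` line was the only check that the file matched the database. Keep the log but fail on the write, `… >> "$BLOCKLIST_HOSTS" || { log "sinkhole write failed"; return 1; }`, or retain a post-write count and warn on a mismatch. The enclosing function starts outside this hunk.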