RPZ seems not work as expected?

[liudonghua123]

Hi, I am new to pdns, and I want to try the rpz features. I use the latest source build 5.2.2 version of pdns_recursor.

Here is my recursor.yml

dnssec:
  log_bogus: true
incoming:
  listen:
    - 127.0.0.1:53
recursor:
  extended_resolution_errors: true
  forward_zones:
    - zone: some.internal.domain
      forwarders:
        - 10.10.100.100:53
  lua_dns_script: /usr/local/etc/rpz_policy.lua
  rpzs:
    - name: '/usr/local/etc/blocklist.rpz.zone'
      defpol: NoAction
      defpolOverrideLocalData: true
      policyName: 'custom-policy'
      includeSOA: true
      defttl: 60
outgoing:
  source_address:
    - 0.0.0.0
    - '::'
logging:
  trace: yes
  quiet: true
  loglevel: 6

and blocklist.rpz.zone

$TTL 60
@ IN SOA localhost. root.localhost. 1 60 60 60 60
  IN NS localhost.

# NXDOMAIN
malicious.com.      CNAME   .
# NODATA
phishing.site.      CNAME   *.
# DROP
badware.net.        CNAME   rpz-drop.
# Overwrite
*.baidu.com.      A       1.1.1.1
*.qq.com.      CNAME   www.google.com.

and rpz_policy.lua

function preresolve(dq)
  if dq.policyName == "custom-policy" then
    local q = dq.qname:toString()
    if q:match("badware%.net%.?$") or q:match(".*%.badware%.net%.?$") then
      dq.rcode = 0
      dq:addAnswer(pdns.A, "1.1.1.1")
      return true
    end
  end
  return false
end

I found some logs when execute dig @127.0.0.1 malicious.com, dig @127.0.0.1 phishing.site and dig @127.0.0.1 badware.net, the result is not overwrited.

Jun 10 09:08:04 msg="Question" subsystem="syncres" level="0" prio="Info" tid="2" ts="1749517684.492" ecs="" mtid="0" proto="udp" qname="malicious.com" qtype="A" remote="127.0.0.1:57324"
Jun 10 09:08:04 [0] QM malicious.com: doResolve
......
Jun 10 09:10:27 msg="Question" subsystem="syncres" level="0" prio="Info" tid="2" ts="1749517827.238" ecs="" mtid="2" proto="udp" qname="phishing.site" qtype="A" remote="127.0.0.1:46934"
Jun 10 09:10:27 [2] QM phishing.site: doResolve
......

If I changed defpol: NoAction to defpol: NXDOMAIN or defpol: NODATA. It's the same. And whether I use lua_dns_script: /usr/local/etc/rpz_policy.lua or not, the result is not changed.

reference: https://doc.powerdns.com/recursor/lua-config/rpz.html#policy-custom

[omoerbeek]

There are a few things wrong:

1. In the RPZ zone itself the # comments will cause a syntax error. Use ;; for comments in zone files.
2. The Lua script is not needed, RPZ are handled without the need for any custom Lua. Y
3. If you want to use the actions defined the RPZ itself, do not set defpol and defpolOverrideLocalData. Leave them both out.

With that it works here. Example dig output:

; <<>> DiG 9.20.8 <<>> @127.0.0.1 -p 5301 malicious.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50572
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;malicious.com.			IN	A

;; ADDITIONAL SECTION:
.			60	IN	SOA	localhost. root.localhost. 1 60 60 60 60

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5301(127.0.0.1) (UDP)
;; WHEN: Tue Jun 10 07:57:43 CEST 2025
;; MSG SIZE  rcvd: 91

Trace line:

Jun 10 07:57:43 msg="Question" subsystem="syncres" level="0" prio="Info" tid="2" ts="1749535063.311" ecs="" mtid="1" proto="udp" qname="malicious.com" qtype="A" remote="127.0.0.1:51476"
Jun 10 07:57:43 [1] malicious.com|A:: RPZ Hit; PolicyName=custom-policy; Trigger=malicious.com; Hit=malicious.com; Type=QName; Kind=.

[liudonghua123]

Thanks a lot! I get it now.