Why does Bind9 respond with latency for an RPZ rule?


Can you please help me to resolve the following problem?

I have set up Bind9 and added RPZs with blocking rules. Here is the version of Bind9:

BIND 9.18.25 (Extended Support Version) <id:6dc676c>
running on Linux x86_64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)
built by make with '--with-jemalloc=yes' '--with-tuning=large' '--disable-doh' 'CFLAGS=-O2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no 

Here are configs:

https://github.com/ousatov-ua/dns-filtering/tree/main/etc/bind

Here are RPZs loaded:

https://github.com/ousatov-ua/dns-filtering/blob/main/opt/bind9/update-blocklists.sh

Bind9 responds with latency != 0 when I run dig for some blocked domain name. For instance:

dig @127.0.0.1 -p 5553 sql.ru

; <<>> DiG 9.18.25 <<>> @127.0.0.1 -p 5553 sql.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4a7ce26da4158386010000006606e1bba99a7ade2a9c0f1e (good)
;; QUESTION SECTION:
;sql.ru.                                IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 495 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Fri Mar 29 17:43:55 EET 2024
;; MSG SIZE  rcvd: 148

It looks like it first resolves the name and then checks whether it exists in the RPZ:

dig @127.0.0.1 -p 5553 mail.ru

; <<>> DiG 9.18.25 <<>> @127.0.0.1 -p 5553 mail.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cd8c137dea6fb205010000006606e1eadcfc31e955e11317 (good)
;; QUESTION SECTION:
;mail.ru.                       IN      A

;; ADDITIONAL SECTION:
rpz.blocklist.olus-dns.com. 1   IN      SOA     olus-dns.com. hostmaster.olus-dns.com. 1706637601 86400 3600 604800 86400

;; Query time: 139 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Fri Mar 29 17:44:42 EET 2024
;; MSG SIZE  rcvd: 149

Unbound and PDNS-recursor respond with 0 latency in this case.

Why does this happen? How do I resolve it?

Thank you in advance!!!

P.S. Seems like I need qname-wait-recurse and nsip-wait-recurse set to “no” - will check it out

Answer by Cunuu Kum:

By default, Bind9 performs recursion and only after that applies the policy. To fix it I just needed to add the following to the policy:

qname-wait-recurse false
recursive-only false
nsip-wait-recurse false

So the full configuration of the policy should be defined in the following way:

    response-policy {
        zone "rpz.oisd-nsfw";
        zone "rpz.hagezy-anti-privacy";
        ...
    } qname-wait-recurse false
      recursive-only false
      nsip-wait-recurse false;
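A way to verify the fix from the answer, added here as an example; it is not code from the question, the answer or the ousatov-ua/dns-filtering repository. It uses only the Python standard library to send an A query to the resolver, time the round trip, and report the RCODE together with the owner name of any SOA in the ADDITIONAL section, which is how BIND marks the policy zone that triggered the rewrite (the rpz.blocklist.olus-dns.com. SOA in the dig output above). The resolver address 127.0.0.1:5553, the zone name and the test domains are assumptions taken from the question; the sample response used for offline checking is constructed to mirror the sql.ru dig output.

```python
"""Check that an RPZ rewrite is served without waiting for recursion (added example)."""
import random
import socket
import struct
import time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_SOA, TYPE_OPT = 1, 6, 41


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> tuple:
    """Build a recursion-desired query; returns (id, wire message)."""
    qid = random.randrange(1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return id, rcode and the RR sections as lists of (owner, type, ttl, rdata)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections[section] = rrs
    return {"id": qid, "rcode": flags & 0xF, **sections}


def rpz_zone(parsed: dict):
    """Owner of the SOA that BIND adds to ADDITIONAL when an RPZ rule fired, else None."""
    for owner, rtype, _ttl, _rdata in parsed["additional"]:
        if rtype == TYPE_SOA:
            return owner
    return None


def probe(name: str, server: str = "127.0.0.1", port: int = 5553,
          timeout: float = 2.0) -> dict:
    """Send one A query (assumed resolver 127.0.0.1:5553) and time the answer."""
    qid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(wire, (server, port))
        while True:  # discard datagrams whose id does not match ours
            parsed = parse_response(sock.recvfrom(4096)[0])
            if parsed["id"] == qid:
                break
        elapsed_ms = (time.perf_counter() - start) * 1000
    return {"name": name, "rcode": RCODE_NAMES.get(parsed["rcode"], str(parsed["rcode"])),
            "rpz_zone": rpz_zone(parsed), "ms": round(elapsed_ms, 1)}


def sample_rpz_response(qid: int = 14713) -> bytes:
    """Constructed NXDOMAIN reply mirroring the sql.ru dig output in the question."""
    header = struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 0, 2)  # QR RD RA, NXDOMAIN, 2 ADDITIONAL
    question = encode_name("sql.ru") + struct.pack("!HH", TYPE_A, 1)
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)  # EDNS, udp: 1232
    soa_rdata = (encode_name("olus-dns.com") + encode_name("hostmaster.olus-dns.com")
                 + struct.pack("!IIIII", 1706637601, 86400, 3600, 604800, 86400))
    soa = (encode_name("rpz.blocklist.olus-dns.com")
           + struct.pack("!HHIH", TYPE_SOA, 1, 1, len(soa_rdata)) + soa_rdata)
    return header + question + opt + soa


if __name__ == "__main__":
    for domain in ("sql.ru", "mail.ru", "example.com"):  # assumed test names
        print(probe(domain))
```

Run it before and after changing the response-policy options. For a listed name the rpz_zone field should be reported both times, while ms should drop from the hundreds of milliseconds seen in the question to roughly the local round trip once the policy is applied before recursion; a name that is not listed returns rpz_zone None. The SOA hint depends on the add-soa option of response-policy: if that is switched off, rpz_zone stays None even for a blocked name, so check the RCODE or the rewritten answer instead.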