Add metric for num.rpz.action (#70)

Unbound exporter is now able to scrape each num.rpz.action.rpz-TYPE labeled by type. RPZ mode must be enabled in the unbound configuration and functioning for this metric to appear.
letsencrypt · Jan 8, 2024 · e284f50 · e284f50
1 parent 5e9c7ff
commit e284f50
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,6 +14,7 @@ services:
     volumes:
       - socket:/var/run/socket:rw
       - ./unbound-example.conf:/opt/unbound/etc/unbound/unbound.conf
+      - ./droplist.zone:/opt/unbound/etc/unbound/droplist.zone
     ports:
       - "1053:1053/udp"
       - "1053:1053/tcp"

diff --git a/droplist.zone b/droplist.zone
@@ -0,0 +1,2 @@
+*.example.com IN A 127.0.0.1
+*.example.net IN A 127.0.0.1
diff --git a/unbound-example.conf b/unbound-example.conf
@@ -7,11 +7,13 @@ remote-control:
 # The rest of this file is standard Unbound configuration
 # There's nothing special here.
 server:
+    module-config: "respip validator iterator"
+    extended-statistics: yes
     cache-max-ttl: 86400
     cache-min-ttl: 300
     directory: "/opt/unbound/etc/unbound"
     do-ip4: yes
-    do-ip6: no 
+    do-ip6: no
     do-tcp: yes
     do-udp: yes
     edns-buffer-size: 1232
@@ -53,7 +55,7 @@ server:
     access-control: 10.0.0.0/8 allow
     access-control: fc00::/7 allow
     access-control: ::1/128 allow
-    auto-trust-anchor-file: "var/root.key"
+    auto-trust-anchor-file: "/opt/unbound/etc/unbound/var/root.key"
     chroot: ""
     deny-any: yes
     harden-algo-downgrade: yes
@@ -65,7 +67,7 @@ server:
     harden-short-bufsize: yes
     hide-http-user-agent: no
     hide-identity: yes
-    hide-version: yes
+    hide-version: no
     http-user-agent: "DNS"
     identity: "DNS"
     private-address: 10.0.0.0/8
@@ -82,3 +84,10 @@ server:
     val-clean-additional: yes
     include: /opt/unbound/etc/unbound/a-records.conf
     include: /opt/unbound/etc/unbound/srv-records.conf
+
+rpz:
+    name: unbound_exporter_cloak
+    zonefile: /opt/unbound/etc/unbound/droplist.zone
+    rpz-log: yes
+    rpz-log-name: unbound_exporter_cloak
+    rpz-action-override: nxdomain
diff --git a/unbound_exporter.go b/unbound_exporter.go
@@ -320,6 +320,13 @@ var (
 			prometheus.GaugeValue,
 			nil,
 			"^rrset\\.cache\\.count$"),
+		newUnboundMetric(
+			"rpz_action_count",
+			"Total number of triggered Response Policy Zone actions, by type.",
+			prometheus.CounterValue,
+			[]string{"type"},
+			"^num\\.rpz\\.action\\.rpz-([\\w-]+)$",
+		),
 	}
 )