OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: eddy on July 08, 2022, 09:43:21 PM

Title: How to add "local-zone" entries for Unbound with "always_nxdomain"?
Post by: eddy on July 08, 2022, 09:43:21 PM
Perhaps I missed it, but I can't find a way to add the equivalent of these config lines to Unbound in OPNsense.

server:
    local-zone: "mask.apple-dns.net." always_nxdomain
    local-zone: "mask-t.apple-dns.net." always_nxdomain


When these domains are not resolvable, iOS alerts the user that iCloud Private Relay is not available on the network, and gives the option to disable it or to use a different network (see "Allow for network traffic audits" in this document (https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay) for more information.)

Is there some place to add custom unbound.conf stanzas?
Title: Re: How to add "local-zone" entries for Unbound with "always_nxdomain"?
Post by: zz00mm on July 10, 2022, 10:50:14 PM
I put custom conf files into directory "/usr/local/etc/unbound.opnsense.d"

If you look at /usr/local/etc/unbound.conf you'll see that it has a wildcard *.conf include statement.

When the unbound service is started, it copies *.conf from above directory into /var/unbound/etc

I believe this is covered in the unbound document section. I use custom conf files to perform some additional blocks myself.
UPDATE: Forgot the link
https://docs.opnsense.org/manual/unbound.html#advanced-configurations

I've been blocking using unbound/dnsbl, not using nxdomain, so I'll have to try it and see how it works.
Title: Re: How to add "local-zone" entries for Unbound with "always_nxdomain"?
Post by: eddy on July 11, 2022, 02:47:30 PM
Thanks for the link! I was looking for someplace to put customizations in the UI.

FWIW, when it comes to adblocking, AdGuard uses this rule by default:
Quote: Respond with zero IP address (0.0.0.0 for A; :: for AAAA) when blocked by Adblock-style rule; respond with the IP address specified in the rule when blocked by /etc/hosts-style rule

(Using NXDOMAIN can cause some browsers / devices to fall back to alternative/secondary resolvers.) An NXDOMAIN response is required for the specific canary domains I mentioned (similar to returning NXDOMAIN for use-application-dns.net to prevent Firefox from using DoH by default).
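Worked example, added here and not part of either post or of OPNsense itself: a small script that renders the always_nxdomain drop-in for the two canary names from the first post, writes it into the directory zz00mm names, and then checks that the resolver really answers NXDOMAIN rather than 0.0.0.0. The file name, the use of "configctl unbound restart" to reload the service, and the use of "drill" for the check are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: build the drop-in
# file that zz00mm describes so the Private Relay canary names answer NXDOMAIN.
# Assumptions (not from the thread): "configctl unbound restart" restarts the
# service on OPNsense, and "drill" (ldns, in FreeBSD base) is available.
set -eu

DROPIN_DIR="/usr/local/etc/unbound.opnsense.d"        # directory named in the post
DROPIN_FILE="$DROPIN_DIR/private-relay-canary.conf"  # hypothetical file name

# Emit a "server:" stanza with one always_nxdomain local-zone per argument.
# Names are normalised to a trailing dot, and anything that is not a plain
# hostname is rejected so a typo cannot leave Unbound with a broken config.
render_nxdomain_zones() {
    printf 'server:\n'
    for d in "$@"; do
        d="${d%.}"
        case "$d" in
            ''|*[!A-Za-z0-9.-]*|.*|*..*)
                echo "render_nxdomain_zones: bad domain '$d'" >&2
                return 1 ;;
        esac
        printf '    local-zone: "%s." always_nxdomain\n' "$d"
    done
}

# Write the file, reload Unbound and confirm the answer is really NXDOMAIN
# (a 0.0.0.0 answer would not trigger the iOS "Private Relay unavailable" path).
install_canary_dropin() {
    render_nxdomain_zones mask.apple-dns.net mask-t.apple-dns.net > "$DROPIN_FILE"
    configctl unbound restart
    for d in mask.apple-dns.net mask-t.apple-dns.net; do
        drill "$d" @127.0.0.1 | grep -q 'rcode: NXDOMAIN' \
            || { echo "$d did not return NXDOMAIN" >&2; return 1; }
    done
}

# Only touch the system when explicitly asked; sourcing the file is harmless.
if [ "${1:-}" = "--install" ]; then
    install_canary_dropin
fi
```

Run it as root with "--install" on the firewall; without the flag it only defines the functions, which is how you can test the rendering on any machine.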
Title: Re: How to add "local-zone" entries for Unbound with "always_nxdomain"?
Post by: zz00mm on July 11, 2022, 10:16:55 PM
https://www.routerperformance.net/opnsense-repo/

Has an additional Repo that can be added and a custom Unbound option addition. You could try it. I prefer creating the additional .conf file. This way upgrades haven't caused me any issues so far.