I tried now really long and hard to get a single domain to the blocklist. I am really surprised that it's so hard next to impossible.
My path so far:
1. I first misinterpreted the area insecure domains wrongly. Adding the domains there had no effect of blocking them. Since i falsely thought i should enter them as regex I crashed my system inbetween.
2. I then read that one can edit the config of unbound directly over ssh. But the files are always restored after reboot.
3. I then read that one can add own configs under /var/unbound/etc/ that are included during start. But restarting unbound just deleted the .conf again and the domain was still not blocked.
4. I finally set up a domainoverride under overrides of that domain to 0.0.0.0. ie. what blocklist is doing anyway.
So it works now. But I found it really strange that there is no option for that under blocklist, plus that all manual config changes don't work at all.
Is there a better way?
Host Overrides (not Domain Overrides!) are the correct way to do this. The Blocklist feature is not meant for individual hosts.
Custom Unbound conf files need to be placed in /usr/local/etc/unbound.opnsense.d: https://docs.opnsense.org/manual/unbound.html#advanced-configurations
Cheers
Maurice
Thx for clarification I think now something might be still broken. After some hours unbound seems to have crashed. There was a problem with unbound being not able to update the blocklists. After that it was impossible to get it started. Only after I deavtivated it, rebooted and then activated the blocklist again it seems up working.
But now I am afraid it might just crash again.
The blocklists are implemented in a very simplistic way, i.e. as explicit configuration statements. If there is anything in those online ressources that results in a syntax error, Unbound won't start.
I prefer AdGuard Home which is much more resilient in that regard.