So I want to preface this with the note that I cannot confirm this is a result of upgrading to 23.1. I did not test this beforehand. However, it is not major enough of an issue to make me want to deal with flashing back. But it is major enough that I really want to try to fix it.
I do say I feel like I have always had issues with the unbound blocklist in the past not working, and I remember I've tried doing resolves with some of the domains in the lists, and I think they always resolved despite forcing unbound as my DNS on all my devices, and even trying resolving directly from the opnsense shell. Nothing is using DoT/DoH. So I'm questioning now if it ever really even worked.
Anyways, the issue is, it seems like the blocklists are just not working. I first noticed this with the new statistics, where it shows "Size of Blocklist" as "0", despite having multiple blocklists selected in Unbound > Blocklists (and yes, it's enabled and I've tried rebooting the service and firewall).
For example: https://blocklistproject.github.io/Lists/tracking.txt
Tried resolving from my computer:
nslookup 1000mercis.com
Server: firewallhostname
Address: myfirewallip
Non-authoritative answer:
Name: 1000mercis.com
Addresses: 64:ff9b::5396:f484
83.150.244.132
And then also tried it directly in firewall shell:
nslookup 1000mercis.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: 1000mercis.com
Address: 83.150.244.132
Name: 1000mercis.com
Address: 64:ff9b::5396:f484
So I looked a bit further and ran unbound -d -vv -c unbound.conf and it prints the following:
[1675862429] unbound[40886:0] debug: setup SSL certificates
[1675862429] unbound[40886:0] debug: switching log to syslog
Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Python path configuration:
PYTHONHOME = (not set)
PYTHONPATH = (not set)
program name = 'unbound'
isolated = 0
environment = 1
user site = 1
import site = 0
sys._base_executable = ''
sys.base_prefix = '/usr/local'
sys.base_exec_prefix = '/usr/local'
sys.platlibdir = 'lib'
sys.executable = ''
sys.prefix = '/usr/local'
sys.exec_prefix = '/usr/local'
sys.path = [
'/usr/local/lib/python39.zip',
'/usr/local/lib/python3.9',
'/usr/local/lib/lib-dynload',
]
Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
Python runtime state: core initialized
ModuleNotFoundError: No module named 'encodings'
Current thread 0x0000000801412000 (most recent call first):
<no Python frame>
Not sure if that is a major or related issue. Also not sure where to go from here.
I want to avoid breaking my config, and I'd like to avoid a fresh install.
Figured I'd try the forums with people who are significantly more experienced with opnsense and this stuff in general than me.
Ok so I believe I got this working.
I had to uncheck all my lists in blocklist, and then apply. Then re-enable the lists I want and apply.
Nslookup now shows they are resolving to 0.0.0.0 as expected (before they were actually resolving, not being blocked).
It also now shows the count in the new Unbound stats page.
However, after my last update it broke again, and I had to disable each list, apply, then re-enable them.
Not sure why, but it's working again.
Seems like some bug.
Similar issue here. I'm not using any of the default lists, I use advanced mode with a single blocklist URL specified. No matter what I do, the size of the blocklist is always 0 now. This is with no whitelisting configured and return NXDOMAIN checked. Unbound blocklist feature does indeed appear to be broken now.
2023-02-28T12:48:40-05:00 Notice unbound blocklist download done in 2.20 seconds (0 records)
2023-02-28T12:48:40-05:00 Notice unbound blocklist download https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/pro.blacklist.conf (lines: 486283 exclude: 486273 block: 0)
2023-02-28T12:48:38-05:00 Notice unbound blocklist download : exclude domains matching .*localhost$|^(?![a-zA-Z_\d]).*
Quote from: milkywaygoodfellas on February 28, 2023, 06:50:29 PM
Similar issue here. I'm not using any of the default lists, I use advanced mode with a single blocklist URL specified. No matter what I do, the size of the blocklist is always 0 now. This is with no whitelisting configured and return NXDOMAIN checked. Unbound blocklist feature does indeed appear to be broken now.
2023-02-28T12:48:40-05:00 Notice unbound blocklist download done in 2.20 seconds (0 records)
2023-02-28T12:48:40-05:00 Notice unbound blocklist download https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/pro.blacklist.conf (lines: 486283 exclude: 486273 block: 0)
2023-02-28T12:48:38-05:00 Notice unbound blocklist download : exclude domains matching .*localhost$|^(?![a-zA-Z_\d]).*
Looks like in my case, unbound blocklist format has changed? If I select the "unbound" downloads from oisd.nl or https://github.com/hagezi/dns-blocklists it does not work, but if I use the "domains" format instead, it works as expected.
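A constructed illustration, added here and not OPNsense's own parser, of why a hosts/domains-style extractor fed a list in unbound local-zone format can end up with every line excluded by the regex shown in the log above: the quoted "domain" token begins with a double quote, which ^(?![a-zA-Z_\d]).* rejects. The second-field extraction rule and the sample lists are assumptions for the illustration.

```python
import re

# Exclude pattern copied from the log line in this thread: drops any extracted
# token ending in "localhost" or not starting with a letter, digit or underscore.
EXCLUDE_RE = re.compile(r'.*localhost$|^(?![a-zA-Z_\d]).*')

# Constructed sample list in unbound "local-zone" format (not a real download).
UNBOUND_FORMAT = """\
# constructed sample, unbound format
local-zone: "ads.example" always_nxdomain
local-zone: "tracker.example" always_nxdomain
local-zone: "localhost" always_nxdomain
"""

# The same entries in plain "domains" format (constructed).
DOMAINS_FORMAT = """\
# constructed sample, domains format
ads.example
tracker.example
localhost
"""

def naive_token(line):
    """Assumed hosts/domains-style extraction: take the 2nd field if present
    (hosts files look like '0.0.0.0 domain'), else the only field."""
    parts = line.split()
    return parts[1] if len(parts) > 1 else parts[0]

def unbound_token(line):
    """Format-aware extraction for 'local-zone: "domain" <type>' lines;
    falls back to the naive rule for anything else."""
    m = re.match(r'local-zone:\s*"([^"]+)"', line)
    return m.group(1) if m else naive_token(line)

def load_blocklist(text, extract):
    """Return (lines, excluded, blocked_set), mirroring the log counters."""
    lines = excluded = 0
    blocked = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        lines += 1
        token = extract(line)
        if EXCLUDE_RE.match(token):
            excluded += 1
            continue
        blocked.add(token.lower())
    return lines, excluded, blocked
```

Feeding the unbound-format sample through naive_token reproduces the "lines: N exclude: N block: 0" pattern from the log, while the same entries in domains format, or a format-aware extractor, yield a non-empty blocklist.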
Hi, I also encounter problems with native unbound lists ending with .conf... Why does the unbound implementation within opnsense seem to be different vs. the standalone CLI version? Is it really broken?
Quote from: tabsats on October 28, 2023, 09:21:41 AM
Hi, I also encounter problems with native unbound lists ending with .conf... Why does the unbound implementation within opnsense seem to be different vs. the standalone CLI version? Is it really broken?
It's not broken. Start a new thread and provide more details such as your OPNSense version, a link to the blocklist you're attempting to use, etc.