OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: CJ on July 12, 2023, 09:56:30 PM

Title: Unbound blocking domain that isn't on the domain block list
Post by: CJ on July 12, 2023, 09:56:30 PM
This is rather odd and I'm curious if anyone else can replicate this.  I'm attempting to resolve askubuntu.com and it's being blocked by Unbound.

When I look at the Unbound reporting, I see that it's reporting that askubuntu.com is blocked due to the Abuse.ch ThreatFox list.  According to the logs, that is located at https://threatfox.abuse.ch/downloads/hostfile

When I go to the ThreatFox URL, askubuntu.com isn't on the list.  Perhaps it was and got removed in between updates of my DNSBL?  I disabled the DNSBL and enabled it in order to force a new download.

I'm still getting the same results.  Unbound Reporting says that askubuntu.com is blocked due to the ThreatFox list.

The other odd thing is that the ThreatFox list states that it has 6925 domains on it.  The Unbound log states that it pulled down 6959 lines, of which there were 6950 domains.

Any ideas why there are different numbers and where the askubuntu.com block came from?

Thanks.
Title: Re: Unbound blocking domain that isn't on the domain block list
Post by: therecker on July 12, 2023, 11:04:46 PM
Not sure how helpful this will be but I added that blocklist to my pihole and it is NOT blocking askubuntu.com. When I added it, it parsed the following number of domains.

  Target: https://threatfox.abuse.ch/downloads/hostfile
  [✓] Status: Retrieval successful
  [✓] Parsed 6894 exact domains and 0 ABP-style domains (ignored 0 non-domain entries)
Title: Re: Unbound blocking domain that isn't on the domain block list
Post by: CJ on July 13, 2023, 01:52:14 PM
Quote from: therecker on July 12, 2023, 11:04:46 PM
Not sure how helpful this will be but I added that blocklist to my pihole and it is NOT blocking askubuntu.com. When I added it, it parsed the following number of domains.

  Target: https://threatfox.abuse.ch/downloads/hostfile
  [✓] Status: Retrieval successful
  [✓] Parsed 6894 exact domains and 0 ABP-style domains (ignored 0 non-domain entries)

Since askubuntu.com isn't in the list, I wouldn't expect it to block it.  Still very odd that the reporting would list ThreatFox as the reason.

I removed ThreatFox and added it back and now I get the same number of domains as you, as well as that matching the number of domains on the list.  askubuntu.com is also not being blocked anymore.

No idea what weird state it got hung up in, as toggling the DNSBL should have been enough to pull down new copies of the lists and clean everything out when I restarted Unbound.
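
One way to check the two questions raised in this thread independently of the resolver (is the domain really in the downloaded hosts-format list, and why do line and domain counts differ), as an added example that is not part of the original posts and not OPNsense or Pi-hole code. The sample data is constructed, and the names `parse_hosts`, `listed_as` and the hostname validation rule are assumptions.

```python
# Added example (not OPNsense code): audit a hosts-format blocklist offline.
import re

# Assumption: a listable hostname is dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

# Constructed sample data, not real ThreatFox content.
SAMPLE = """\
# constructed hosts-format sample
127.0.0.1 bad.example
127.0.0.1 evil.example
127.0.0.1 BAD.example
127.0.0.1 10.0.0.5

127.0.0.1 tracker.bad.example # inline comment
"""

def parse_hosts(text):
    """Return (stats, unique_domains) so each counting stage is visible."""
    stats = dict(lines=0, blank_or_comment=0, entries=0, invalid=0, duplicates=0)
    domains = set()
    for raw in text.splitlines():
        stats["lines"] += 1
        line = raw.split("#", 1)[0].strip()   # drop comments, full-line or inline
        if not line:
            stats["blank_or_comment"] += 1
            continue
        fields = line.split()
        # hosts format: first field is the address, the rest are hostnames
        for name in (fields[1:] if len(fields) > 1 else fields):
            name = name.lower().rstrip(".")
            stats["entries"] += 1
            if not HOST_RE.match(name):
                stats["invalid"] += 1
            elif name in domains:
                stats["duplicates"] += 1
            else:
                domains.add(name)
    return stats, domains

def listed_as(query, domains):
    """Return the list entry covering query (itself or a parent domain), else None."""
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

if __name__ == "__main__":
    stats, domains = parse_hosts(SAMPLE)
    print(stats, len(domains), listed_as("askubuntu.com", domains))
```

Run against a saved copy of the list, the stats separate raw lines, entries and unique domains, and `listed_as` reports a parent-domain hit separately from an exact one, since whether subdomains are covered depends on how the resolver applies the list.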