Hi there
I just found it would be a good idea to completely set up my OPNsense machine from scratch and to check all the features and functionality I was used to over the last couple of years.
One strange thing I found in the meantime (maybe I am doing something wrong somewhere); any help and advice is highly appreciated ...
I enabled unbound-DNS service but without the blocklist feature. The dashboard shows the top blocked domains. Checking the logs shows a couple of blocked entries blocked by Steven Black List.
How can that be the case when the blocklist feature is not enabled?
It's possible you are not using the built-in lists, but you may have in the past entered a URL directly. This is not visible in the default view; you have to enable 'advanced' first for it to be visible.
No, definitely not. I just double checked it and the log files refer to the Steven Black List.
So "Type of DNSBL" shows "Nothing Selected" AND "URLs of Blocklists" is empty as well?
A search for the list name or block or DNSBL in the logs pane does not reveal anything interesting?
Yes, all empty, and this section is not enabled anyway!!!
But checking the logs shows me :
2025-02-21T04:01:33 Notice unbound [85712:0] notice: init module 1: iterator
2025-02-21T04:01:33 Informational unbound [85712:0] info: dnsbl_module: blocklist loaded. length is 129867
2025-02-21T04:01:33 Informational unbound [85712:0] info: dnsbl_module: updating blocklist.
2025-02-21T04:01:33 Notice unbound [85712:0] notice: init module 0: python
Any idea? What kind of blocklist does Unbound update when none is configured and the blocklist service is not enabled ...
I'd be looking at the dnsbl section of /conf/config.xml
and also at /usr/local/etc/unbound/unbound-blocklists.conf
Lastly, manual configuration might exist in /usr/local/etc/unbound.opnsense.d
I have checked all places you suggested - nothing in there.
So this problem still exists.
Any other idea?
Quote from: urmel on March 02, 2025, 01:41:18 PM
I have checked all places you suggested - nothing in there.
So this problem still exists.
Any other idea?
I noticed the same thing on the fresh install this morning, and yep, nothing is enabled, but under Reporting: Unbound DNS it showed adguard and several others being blocked!
2nd screenshot
Files are too big...
While this isn't an answer to why this happened, is it possible for you to check the box to Enable DNS blocklists and then pick a list from the drop down menu. Apply those settings and let the list download. Then go back, de-select the blocklist and uncheck the "enable" box for the block lists?
This might 'reset' whatever odd config is causing these to run?
Take any of the presumed blocked domains, go to Interfaces - Diagnostics - DNS Lookup:
- hostname == blocked domain
- server == 127.0.0.1 ### Unbound
If you get 0.0.0.0 or NXDOMAIN then Unbound is blocking, else what you're seeing is only the reporting engine.
---
For SSH / Console
As an example, if Unbound is not blocking this is the output for the presumed blocked domain seen in the screenshot:
root@OPNsense:~ #
root@OPNsense:~ # host variations.brave.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
variations.brave.com is an alias for d17ndjuagurpsr.cloudfront.net.
d17ndjuagurpsr.cloudfront.net has address 3.164.255.20
d17ndjuagurpsr.cloudfront.net has address 3.164.255.10
d17ndjuagurpsr.cloudfront.net has address 3.164.255.103
d17ndjuagurpsr.cloudfront.net has address 3.164.255.55
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:2200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:e000:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:7a00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:8200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:ee00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:ac00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:3200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:8600:15:85fe:56c0:93a1
root@OPNsense:~ #
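The DNS Lookup test above and the config/file checks suggested earlier in the thread can be combined into one script run from the OPNsense shell. This is an added example, not code from this thread or from the OPNsense project. It assumes the blocklist answers with 0.0.0.0, :: or NXDOMAIN (so anything else means only the reporting engine is involved), that the blocklist state lives in config.xml under a <dnsbl> section with an <enabled> child, and that the Python blocklist module is referenced as "dnsbl_module" in Unbound's generated configuration; all three are assumptions of the example, not facts stated on this page.

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense itself: decide from a
# resolver's answer whether Unbound is really blocking a name, and audit
# the on-box blocklist state that earlier replies point at.

# classify_answer ANSWER_TEXT
# Reads the text of a lookup (the "host NAME 127.0.0.1" output shown above,
# or drill/dig output) and prints BLOCKED or PASS.
# Assumption of this example: a block shows up as 0.0.0.0, :: or NXDOMAIN.
classify_answer() {
    if printf '%s\n' "$1" | grep -Eq 'NXDOMAIN|[[:space:]]0\.0\.0\.0$|[[:space:]]::$'; then
        echo BLOCKED
    else
        echo PASS
    fi
}

# lookup_and_classify NAME
# Asks the local Unbound (127.0.0.1) directly, as the DNS Lookup page does,
# and classifies the answer. host exits non-zero on NXDOMAIN, so keep its text.
lookup_and_classify() {
    out=$(host "$1" 127.0.0.1 2>&1 || true)
    classify_answer "$out"
}

# dnsbl_config_state [CONFIG_XML]
# Prints the <enabled> value ("0" or "1") of the <dnsbl> section, or "absent"
# when the file has no such section. Assumption: the section sits under
# <unboundplus> and carries <enabled>0|1</enabled> as its own child.
dnsbl_config_state() {
    cfg="${1:-/conf/config.xml}"
    section=$(sed -n '/<dnsbl>/,/<\/dnsbl>/p' "$cfg" 2>/dev/null)
    [ -n "$section" ] || { echo absent; return 0; }
    printf '%s\n' "$section" | sed -n 's/.*<enabled>\([01]\)<\/enabled>.*/\1/p' | head -n 1
}

# audit_blocklist_files
# Lists the generated blocklist files mentioned in the thread (if present)
# and any Unbound config fragment that still loads the dnsbl Python module.
# The dnsbl_module reference is an assumption about how OPNsense wires it in.
audit_blocklist_files() {
    for f in /usr/local/etc/unbound/unbound-blocklists.conf /usr/local/etc/unbound.opnsense.d/*.conf; do
        [ -e "$f" ] && printf 'present: %s (%s lines)\n' "$f" "$(wc -l < "$f")"
    done
    grep -l 'dnsbl_module' /usr/local/etc/unbound/*.conf /usr/local/etc/unbound.opnsense.d/*.conf 2>/dev/null |
        sed 's/^/dnsbl module referenced in: /'
    return 0
}

# Usage on the firewall (nothing runs unless DNSBL_CHECK is set):
#   DNSBL_CHECK=variations.brave.com sh dnsbl_check.sh
if [ -n "${DNSBL_CHECK:-}" ]; then
    echo "config.xml dnsbl enabled: $(dnsbl_config_state)"
    audit_blocklist_files
    echo "$DNSBL_CHECK: $(lookup_and_classify "$DNSBL_CHECK")"
fi
```

If the lookup returns PASS while the reporting page still lists the name as blocked, only the reporting engine is involved; a BLOCKED result with "dnsbl enabled: 0" in config.xml is the contradiction this thread is about, and the file audit shows which generated fragment is still feeding Unbound.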
I tried the Diagnostics DNS Lookup and I do not get the 0.0.0.0 or NXDOMAIN,
but what I get is:
2025-03-03 16:58:45 10.10.0.6 A clients3.google.com. Pass Recursion NOERROR 57ms 44
2025-03-03 16:58:45 10.10.0.40 A api.openweathermap.org. Pass Recursion NOERROR 78ms 24
2025-03-03 16:58:37 localhost MX aax-eu.amazon.de. Pass Recursion NOERROR 98ms 60
2025-03-03 16:58:37 localhost TXT aax-eu.amazon.de. Pass Recursion NOERROR 32ms 60
2025-03-03 16:58:36 localhost AAAA aax-eu.amazon.de. Pass Recursion NOERROR 61ms 60
2025-03-03 16:58:36 localhost CNAME aax-eu.amazon.de. Block Local NOERROR 59ms 3600 Steven Black List
So why does it say Block in the last line and reference the Steven Black List?
I did a couple of further checks and it is very clear that Unbound is blocking although not being enabled - it is not only the reporting engine.
When I try to open some sponsored links from the Google search result page, I get "Website not reachable" in the browser, and checking the details reported by Unbound I see that the attempt to reach that domain was blocked with Steven Black List.
Not exactly sure if it's the same issue, but it feels very much related:
With Unbound DNS enabled (blocklist disabled) some of my client devices resolved non-existent FQDNs to CloudFront IP addresses. For example, opening http://xxxxxxxxxxthisdoesntexistxxxxxxxxx.com in a browser (http not https!) showed a CloudFront page saying: 403 ERROR The request could not be satisfied. (attached screenshot)
In my case I managed to solve the issue by adjusting the following OPNsense settings under System -> Settings -> General (not sure which one it was, likely the first):
* Domain: home.arpa (had it set to "house" before)
* Prefer IPv4 over IPv6: yes
Then restarted the firewall, reconnected all clients (renew DHCP leases) and the issue was gone.
I see the same. My blocklist in Unbound is disabled yet in the reporting view it says the size of the blocklist is over 45k domains.
Not exactly the same issue but possibly related:
Whitelisting also doesn't seem to work, whitelisted domains are still appearing in the top blocked domains (even months after whitelisting), just with the blocking icon next to them instead of the whitelisting icon.
Maybe there's a general problem with removing entries from the internal lookup table?
FWIW: Enabling/disabling the blocklist feature and hitting "Apply" does not change Unbound's behavior immediately - you have to restart it as well. Also, DNS caching might come into play when you test different settings.
Apart from that detail, disabling the blocklist feature works for me.
Quote from: meyergru on March 10, 2025, 11:10:05 AM
FWIW: Enabling/disabling the blocklist feature and hitting "Apply" does not change Unbound's behavior immediately - you have to restart it as well. Also, DNS caching might come into play when you test different settings.
Apart from that detail, disabling the blocklist feature works for me.
I'm reading in the manual that you should not have to restart the service, but
https://docs.opnsense.org/manual/unbound.html
Note
Applying the blocklist settings will not restart Unbound, rather it will signal to Unbound to dynamically process the blocklists as soon as they're downloaded. There may be up to a minute of delay before Unbound has loaded everything. During this time Unbound will still be just as responsive.