Hello,
Having some trouble figuring out the white list for Unbound. I'm using hagezi's blocklists and those are working great. However, I am trying to access patc.net (known good site) but it is blocked on the blocklists. No problem. I'll add it to the whitelist. However, I still can't get it to resolve. Here's what I'm seeing (Reporting -> Unbound -> Details):
2025-02-19 15:39:51 192.168.6.111 A patc.net. Pass Recursion NOERROR 331ms 600
2025-02-19 15:39:51 192.168.6.111 CNAME www.patc.net. Block Local NXDOMAIN 150ms 0 [hagezi] Badware Hoster blocking
2025-02-19 15:26:28 192.168.6.111 CNAME www.patc.net. Block Local NXDOMAIN 137ms 0 [hagezi] Badware Hoster blocking
2025-02-19 15:26:27 192.168.6.111 A patc.net. Pass Recursion NOERROR 213ms 600
Whitelist:
www.patc.net.
www.patc.net
patc.net.
patc.net
Solved. I had to dig into the domain a bit more. Found that it was actually a CNAME that was being blocked. Added that to the white list and it appears to be working now.
Ok, I'm back again. Apparently it still is not working. Same results as above. Now my white list contains the CNAME addresses. The CNAME is what is on the block list. But I'm still being blocked. Whitelist now:
www.patc.net.
www.patc.net
patc.net.
patc.net
s.multiscreensite.com
s.multiscreensite.com.
global.multiscreensite.com
global.multiscreensite.com.
Here's the dig for context. The domain multiscreensite[.]com is on the blocklist. So the query for www[.]patc[.]net is being blocked but I would like it to NOT be blocked.
%dig www.patc.net @8.8.8.8
; <<>> DiG 9.10.6 <<>> www.patc.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.patc.net. IN A
;; ANSWER SECTION:
www.patc.net. 300 IN CNAME s.multiscreensite.com.
s.multiscreensite.com. 300 IN CNAME global.multiscreensite.com.
global.multiscreensite.com. 60 IN CNAME a3c02b2530d6f27ca.awsglobalaccelerator.com.
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 99.83.169.22
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 75.2.0.180
;; Query time: 155 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 20 15:06:10 EST 2025
;; MSG SIZE rcvd: 182
I'm having the same problem: domains on the whitelist are still blocked. For example, the domain api.qustodio.com is blocked by the Hagezi Pro++ list, and it remains blocked when I add this exact domain to my whitelist. I'm running OPNsense 25.1.3-amd64.
Edit: I found a solution, or at least a workaround, on reddit:
https://www.reddit.com/r/opnsense/comments/1e5tj5g/unbound_dns_blocklist_whitelisted_domains_not/
Instead of whitelisting api.qustodio.com I whitelisted (^|.*\.)api.qustodiocom$ and flushed the cache.
This is a known issue with the way the Unbound blocking is handled. There have been talks about how to fix it but no one has had the time.
https://github.com/opnsense/core/issues/6722
https://forum.opnsense.org/index.php?topic=35218.msg171068#msg171068
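To make the mechanics in this thread concrete, here is an added Python model (not OPNsense's or Unbound's own code) that applies a blocklist and a whitelist to every name along the CNAME chain from the dig output above; the chain, the single blocklist entry and the whitelist variants are constructed from what the posts state. It shows why whitelisting only the queried name leaves a blocked CNAME target blocked, and how a regex entry in the style of the Reddit workaround covers the whole chain in one line.

```python
import re

# Constructed from the dig output in the thread: each name's CNAME target.
CNAME_CHAIN = {
    "www.patc.net": "s.multiscreensite.com",
    "s.multiscreensite.com": "global.multiscreensite.com",
    "global.multiscreensite.com": "a3c02b2530d6f27ca.awsglobalaccelerator.com",
}
BLOCKLIST = ["multiscreensite.com"]  # the listed domain named in the thread

def norm(name: str) -> str:
    """Canonical form: lowercase, no trailing dot, so 'patc.net.' and 'patc.net' are one entry."""
    return name.strip().lower().rstrip(".")

def is_listed(name: str, blocklist) -> bool:
    """Domain blocklists cover the listed domain and every label under it."""
    n = norm(name)
    return any(n == b or n.endswith("." + b) for b in map(norm, blocklist))

def is_whitelisted(name: str, whitelist) -> bool:
    """Plain entries match exactly after normalisation; entries containing regex
    metacharacters (the Reddit workaround style) are applied with re.search."""
    n = norm(name)
    for entry in whitelist:
        if any(c in entry for c in "^$()*|\\"):
            if re.search(entry, n):
                return True
        elif norm(entry) == n:
            return True
    return False

def resolve(qname: str, whitelist, blocklist=BLOCKLIST, chain=CNAME_CHAIN):
    """Walk the CNAME chain, applying the policy to every name on it, not only
    the queried name. Returns (rcode, name): the blocked name on NXDOMAIN, or
    the final target on NOERROR."""
    name = norm(qname)
    visited = set()
    while True:
        if name in visited:
            raise ValueError(f"CNAME loop at {name}")
        visited.add(name)
        if is_listed(name, blocklist) and not is_whitelisted(name, whitelist):
            return "NXDOMAIN", name
        if name not in chain:
            return "NOERROR", name
        name = chain[name]

if __name__ == "__main__":
    for wl in (["www.patc.net", "patc.net."],
               ["www.patc.net", "s.multiscreensite.com.", "global.multiscreensite.com"],
               [r"(^|.*\.)multiscreensite\.com$"]):
        print(wl, "->", resolve("www.patc.net", wl))
```

The model shows the intended per-name policy; the original poster reports OPNsense still blocking even with the CNAME targets whitelisted, which is the known issue linked in the last reply.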