Hello OPNsense Team,
I have OPNsense version 25.1.12
I am new to OPNsense and would like to block certain websites using UnboundDNS. As a test, I added the domain duckduckgo.com under Services > Unbound DNS > Blocklist (screenshot attached). However, the domain is still accessible and not being blocked.
Could you please guide me on the correct steps to configure domain blocking through UnboundDNS so that I can successfully apply it in my environment?
Thank you for your support.
Best regards,
Shivang Pithadiya
Hello OPNsense Team,
The initial issue has been resolved, thank you. However, I am now facing a new problem.
I have removed all entries from the blocklist and also disabled the blocklist feature under Services > Unbound DNS > Blocklist. Despite this, the previously blocked domain is still inaccessible.
Could you please help me understand why the domain remains blocked even after disabling the blocklist and removing all entries?
Looking forward to your guidance.
Best regards,
Shivang Pithadiya
I have never tested such custom blocks myself so far. It depends on what exactly Unbound returns to a resolving client. In DNS even negative answers have a TTL, so clients will also cache this and not re-request it for some time. On Unix-based systems you may be able to check with 'dig duckduckgo.com' (in the output below the current TTL is 200 seconds):
fabian@flashback:~/ % dig duckduckgo.com
; <<>> DiG 9.10.6 <<>> duckduckgo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54015
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;duckduckgo.com. IN A
;; ANSWER SECTION:
duckduckgo.com. 200 IN A 40.114.177.156
;; Query time: 66 msec
;; SERVER: 2001:xxxx:xxxx:1::2#53(2001:xxxx:xxxx:1::2)
;; WHEN: Fri Aug 22 17:16:10 CEST 2025
;; MSG SIZE rcvd: 59
Two things you can do, or just wait until TTLs have expired:
1) In Unbound settings under General, enable "Flush DNS Cache during reload" and then restart the Unbound service
2) Figure out how to flush the local DNS cache on your client system; some systems do this e.g. when the LAN cable is unplugged and plugged in again (or, correspondingly, when Wi-Fi is turned off and on again).
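As an added example (not from this thread or the OPNsense project) of the TTL check described above: this Python script parses dig output and reports how long a cache may keep serving the answer, for a positive answer like the one quoted and for an NXDOMAIN negative answer, where RFC 2308 caps the negative-cache time at the lower of the SOA record's TTL and its MINIMUM field. The dig transcripts and domain names are constructed samples; what Unbound actually returns for a blocked name depends on its configuration.

```python
"""Parse dig output and report how long the answer may stay cached."""
import re

# Constructed sample transcripts (not real captures). The first mirrors the
# positive answer quoted in the thread; the second is a negative (NXDOMAIN)
# answer of the kind a resolver might hand back for a blocked name.
POSITIVE_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54015
;; QUESTION SECTION:
;duckduckgo.com.\t\tIN\tA

;; ANSWER SECTION:
duckduckgo.com.\t\t200\tIN\tA\t40.114.177.156
"""
NXDOMAIN_DIG = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;blocked.example.\t\tIN\tA

;; AUTHORITY SECTION:
blocked.example.\t3600\tIN\tSOA\tlocalhost. nobody.invalid. 1 3600 1200 604800 900
"""


def parse_dig(text):
    """Return (status, answer_records, authority_records) from dig output.
    Each record is a (name, ttl, class, type, rdata) tuple."""
    match = re.search(r"status: ([A-Z]+)", text)
    status = match.group(1) if match else "UNKNOWN"
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)  # skips OPT PSEUDOSECTION
        if header:
            current = header.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue  # blank lines, comments and the question line
        if current in sections:
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            sections[current].append((name, int(ttl), rclass, rtype, rdata))
    return status, sections["ANSWER"], sections["AUTHORITY"]


def cache_ttl(answers, authority):
    """Seconds a cache may keep serving this response (RFC 2308 for negatives)."""
    if answers:
        return min(rec[1] for rec in answers)
    for _, ttl, _, rtype, rdata in authority:
        if rtype == "SOA":
            return min(ttl, int(rdata.split()[-1]))  # lower of SOA TTL, MINIMUM
    return 0  # nothing cacheable in this response


def cache_report(dig_text):
    """Return (status, 'positive'|'negative', seconds) for one dig transcript."""
    status, answers, authority = parse_dig(dig_text)
    return status, "positive" if answers else "negative", cache_ttl(answers, authority)


if __name__ == "__main__":
    for sample in (POSITIVE_DIG, NXDOMAIN_DIG):
        status, kind, secs = cache_report(sample)
        print(f"{status}: {kind} answer, cacheable for up to {secs} s")
```

Run it against a real capture (dig output saved to a file) to see whether a client is still within the window in which a previously blocked answer may be served from cache.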