Text only | Text with Images

OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: stan on October 18, 2025, 08:39:20 AM

Title: Unbound DNSBL not reporting blocked addresses?
Post by: stan on October 18, 2025, 08:39:20 AM
25.7.5
We are forced to use SAP Ariba by a client.
We are using Unbound with DNSBL and many lists on.
And we get white page when visiting the main site (which is Pass).
Apparently there are many other addresses that are contacted when wotking with that cloud system.
And some of the addresses we assume get blocked by some of the BLs (when we switch the BL function or all the BLs off it all works).
But nothing shows in the Unbound report page as blocked, the main address is Pass.
So what we ended up doing is:
 - ask the client to provide a full list of addresses so that we can whitelist them all (do not know if it is going to work and if they will provide a list).
 - switching lists on/off to find the "non-offending" lists which we can leave on - we are now with this setup that seems to work but we are hesitant to switch on other lists because it is too much hassle to test (at one point we were almost ready to switch off the whole DNSBL function).

For other web application/sites we had to whitelist matomo and pardot.com but they showed up in the report and it was clear what to whitelist and what BL was stopping them.

So how is it possible see all blocked addresses in the Unbound reporting when visiting a site (Passed) and then many other addresses are contacted afterwards (blocked, most likely because we do not see them in the reporting). From what I have read it is related to many addresses being "aliases" for a CNAME and then the that CNAME is blocked but does not show in the Unbound reporting page so that we can whitelist it or switch off the list blocking it.
I have read some posts somehow related to this issue but I am not sure what the viable options are or if this is being worked on.
I used ADH in the past as plugin but for me it was a hassle when upgrading and started with Unbound DNSBL as an internal solution. I am not clear if ADH would be a solution if I go that way again.

Are CNAME records even shown on the Unbound reporting page at all?
Title: Re: Unbound DNSBL not reporting blocked addresses?
Post by: Patrick M. Hausen on October 18, 2025, 08:43:34 AM
Switch on the query log, probably. Or use AdGuard Home for blocking. It has great reporting.
Text only | Text with Images