I have started using the recently introduced (upgraded) Unbound Blocklists in 25.7.9
My setup:
I have a fairly simple LAN setup
Main subnet: 192.168.1.1/24 (static IP defined for most clients)
Guest VLAN subnet: 192.168.10.1/24
Unbound as main Recursive DNS resolver on port 53
dnsmasq running as DHCP on port 53035
Requirements:
1) I do not want any blocklists for my Guest subnet (192.168.10.1/24) clients
This is easy to implement in DNS blocklists: I add an entry with no blocklists and set the source as 192.168.10.1/24. No DNS query from this subnet is blocked. Works exactly as expected.
2) I want all of my main LAN clients (192.168.1.1/24) to be using Blocklists, except 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100)
I add an entry with appropriate blocklists and set the source as 192.168.1.1/24. All DNS queries from this subnet run through blocklists.
Works as expected - but not for the 3 specific clients as expected.
Therefore,
3) I add another entry with no blocklists and set the source as the 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
All DNS queries from these specific clients should not run through blocklists; however, these 3 clients also run through blocklists. Not working as expected.
------------------
I tried changing the order of the entries as well, making the 3 specific clients' entry the 1st entry.
Using the tester GUI, it shows that the 3 clients are also part of the policy in 192.168.1.1/24. It seems that Unbound is not treating the matches in a sequential fashion.
-----------------
Can someone guide me on how to set up the Blocklists to achieve the desired outcome?
Suggestion:
I think the Unbound blocklist GUI screen should also have an entry for 'Excluded Net' in addition to the 'Source Net'. This could then perhaps achieve the desired result,
or make Unbound Blocklists process/match the 'Source Net' entries sequentially, so the first match gets processed according to the rules.
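The following is an added example, not code from the original post or from OPNsense/Unbound. It models the post's 'Source Net' table under three constructed matching semantics (first match, most-specific prefix, and union of every matching entry) so the observed behaviour can be compared against each; the policy table and blocklist names are constructed, and which semantics the OPNsense GUI actually implements is not established here.

```python
# Added example (not from the original post): three candidate ways a
# per-client "Source Net" policy table could be matched.
from ipaddress import ip_address, ip_network

# Constructed policy table mirroring the post: (source nets, blocklists applied).
# The three excluded clients are listed first, as in the reordered attempt.
POLICIES = [
    (["192.168.1.24/32", "192.168.1.36/32", "192.168.1.100/32"], []),  # excluded clients
    (["192.168.1.0/24"], ["ads", "malware"]),                          # main LAN
    (["192.168.10.0/24"], []),                                         # guest VLAN
]


def first_match(client, policies=POLICIES):
    """Sequential matching: the first entry whose source net contains the client wins."""
    ip = ip_address(client)
    for nets, lists in policies:
        if any(ip in ip_network(n) for n in nets):
            return sorted(lists)
    return None


def most_specific(client, policies=POLICIES):
    """Longest-prefix matching: the narrowest source net containing the client wins,
    regardless of entry order (this is how stock Unbound access-control behaves)."""
    ip = ip_address(client)
    best, best_len = None, -1
    for nets, lists in policies:
        for n in nets:
            net = ip_network(n)
            if ip in net and net.prefixlen > best_len:
                best, best_len = sorted(lists), net.prefixlen
    return best


def union_match(client, policies=POLICIES):
    """Union semantics: every entry that contains the client contributes its blocklists.
    This is the only model here under which the /32 entries cannot exclude a client
    from the /24 entry's blocklists, whatever the order; it is a constructed model."""
    ip = ip_address(client)
    matched = set()
    for nets, lists in policies:
        if any(ip in ip_network(n) for n in nets):
            matched.update(lists)
    return sorted(matched)


if __name__ == "__main__":
    for c in ("192.168.1.24", "192.168.1.50", "192.168.10.7"):
        print(c, first_match(c), most_specific(c), union_match(c))
```

Under the first two models the excluded client 192.168.1.24 gets no blocklists; only the union model reproduces the post's observation that it is still blocked even when its entry is listed first.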