OPNsense Forum

English Forums => Development and Code Review => Topic started by: tillsense on September 05, 2019, 07:55:00 pm

Title: DNSBL and additional features Plugin for Unbound
Post by: tillsense on September 05, 2019, 07:55:00 pm
It was started by Michael:

Quote
Today I'll start building a plugin for Unbound additional features, bringing DNSBL to @opnsense without the need for BIND or dnscrypt-proxy. Future versions will offer DoT and more (depending on your ideas)
https://twitter.com/mimu_muc/status/1169482538009747461


Ideas:
Please schedule a field for regex entries :)
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on September 05, 2019, 09:01:16 pm
Example please :)
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tillsense on September 07, 2019, 07:23:40 pm
Hi,

Does your concept build on this: https://github.com/alectrocute/UnboundBL ?

I think pi-hole has implemented the regex part of a blacklist very well and also has helpful documentation: https://docs.pi-hole.net/ftldns/regex/tutorial.

cheers
till
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on September 07, 2019, 07:49:07 pm
For manual black and whitelisting, sure.
In general it will behave same like bind or dnscrypt
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tillsense on September 07, 2019, 08:13:49 pm
Hi,
Quote
For manual black and whitelisting, sure.
Yes this is also the wish/idea (Please schedule a field for regex entries) ;)
Quote
In general it will behave same like bind or dnscrypt
Yes, it is regex.

cheers
till
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tomstephens89 on November 09, 2019, 06:35:13 pm
Has there been any progress with this? Looking to replicate Pi-Hole like DNS Black holing using the default UNBOUND DNS Forwarder.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on November 09, 2019, 06:56:17 pm
Via Console:
pkg install os-unbound-plus-devel
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tomstephens89 on November 09, 2019, 07:00:06 pm
Quote
Via Console:
pkg install os-unbound-plus-devel

Hi, so I guess this is still in development at the moment?

Can you explain quickly how this package works? Does it replace the entire unbound package or just extend it with some additional functionality? Do you have any screenshots of the GUI options of this package?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on November 09, 2019, 07:53:39 pm
It will only add a submenu to Unbound. It will be similar to dnscrypt dnsbl section, just give it a spin
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tomstephens89 on November 09, 2019, 09:17:25 pm
Quote
It will only add a submenu to Unbound. It will be similar to dnscrypt dnsbl section, just give it a spin

Excellent, and are you aware of any good URL list sources for ad blocking?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on November 09, 2019, 10:31:17 pm
It's a multiselect list, you can't use own ones ...
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tomstephens89 on November 09, 2019, 11:21:27 pm
Quote
It's a multiselect list, you can't use own ones ...

The DNSBL lists?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on November 09, 2019, 11:35:07 pm
Yes, just test it
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: avanix on November 16, 2019, 10:18:34 am
How is the update of the blocklists realized?
Is there an automatic update every 24 hours as pihole does it?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on November 16, 2019, 01:14:17 pm
Just add a cron job; it's in the list of available jobs
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: sol on November 19, 2019, 09:30:20 pm
Will there be an option to search logs for blocked sites that a host wanted to visit like in pihole?
In pihole you can filter by blocked and allowed sites in the logs and also easily whitelist blocked sites.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: jmccoy555 on December 18, 2019, 02:00:24 pm
So I just stumbled upon this.... installed the package, ticked all the lists, and it blocked my Outlook's connection to office365..... so it must be working!

Are there any logs generated, how do I know which blacklist has blocked access for example?

Thanks.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: skywalker007 on December 18, 2019, 08:56:07 pm
Yeah - I have also already increased the log level and sent all logs to my syslog server. It got chatty. But still couldn't figure out what's blocked based on which list. That makes it somewhat hard to use.
Nevertheless I use this as a front-line filter at the moment. All non-blocked outbound requests go to an upstream pi-hole which has another set of lists.
But with that architecture I lost all insights on pi-hole as well, as all requests now come from a single IP. Well...
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: hopper on January 28, 2020, 08:32:02 am
How can I expand the block-list? I just get a drop-down menu with pre-installed lists

Regards
Rainer
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on January 28, 2020, 10:28:16 am
There's an open PR which allows manual lists but it's not merged yet, maybe after 20.1
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: hopper on January 28, 2020, 11:03:42 am
Thanks for your quick answer!
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on January 28, 2020, 04:55:49 pm
You can follow it here: https://github.com/opnsense/plugins/pull/1647
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: nylund on February 13, 2020, 05:54:16 pm
I seem to have a problem with unbound-plus-devel 0.4 since the update from 0.3.

If I enable "Adaway List" and "Easy List" everything is ok.

However, with the Steven Black list unbound does not start (I have not tried them all).

Anyone else who have the same problem or just me?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on February 13, 2020, 05:55:38 pm
There's a problem with domains beginning with numbers .. fix follows
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: nylund on February 13, 2020, 05:58:42 pm
Thanks!

I just saw this https://github.com/opnsense/plugins/pull/1694
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on February 13, 2020, 06:23:09 pm
 ;D
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: Drinyth on March 25, 2020, 10:07:10 pm
Just came across this after playing around with a separate pi-hole for a week or so. I like the pi-hole graphs and data, but do like the idea of having my DNS service running within opnsense itself.

This seems like a better option than having to run both unbound and bind at the same time and forward queries from one to the other. Thanks to everyone involved in this work!

I played around with logging and it does appear harder to get blocked queries out of unbound, though. It's either too verbose, or not verbose enough unfortunately.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: Drinyth on April 05, 2020, 09:45:48 am
I just ran into an incident where it looks like unbound was updating its blocklist via cron and then it failed to restart due to an error in dnsbl.conf:

Apr  5 02:01:29 opnsense unbound: [50182:0] error: error parsing local-data at 2 '.text-center A 0.0.0.0': Empty label
Apr  5 02:01:29 opnsense unbound: [50182:0] error: Bad local-data RR .text-center A 0.0.0.0
Apr  5 02:01:29 opnsense unbound: [50182:0] fatal error: Could not set up local zones

This killed the process entirely and my installation was left without a working resolver (which made it appear that the internet was not working).

I checked the downloaded lists that I'm using and didn't see any with ".text-center" in them, so maybe it's in the processing script someplace? I also noticed that one of my lists (https://hosts-file.net/ad_servers.txt) was giving me a 404 error when I tried just now to see if the offending line was in there. So perhaps a combination of the above failed download and then trying to process that download into the dnsbl.conf file?

In any case, I removed the offending line and unbound restarted normally. Maybe some further checks could be made to ensure that blocklists produce valid configurations? Or maybe a check into the blocklist update script that backs up the previous working config and reverts it if unbound refuses to start after an update (with a warning to take a close look)?

Thank you for your work with this plugin!
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on April 05, 2020, 11:12:10 am
This is already fixed and will be released with 20.1.4
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: tillsense on April 09, 2020, 05:32:27 pm
Hi,

I still can't find the DoT option according to the plugin description? Am I missing something?

cheers
till
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on April 09, 2020, 05:54:15 pm
I'll start with DoT next week
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: Mr.Goodcat on April 14, 2020, 11:35:15 am
Thank you for your efforts! Is DoH also on the roadmap?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on April 14, 2020, 12:23:05 pm
I thought DoH is not available in Unbound?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: Mr.Goodcat on April 14, 2020, 12:39:06 pm
Quote
I thought DoH is not available in Unbound?

Well, that answers my question :-[
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: brinm00 on April 14, 2020, 05:51:26 pm
I'm just starting to 'play' with this extra Unbound plugin. I had a question though: would it be possible to test the DNSBL on just one of the interfaces? Now it seems like it is a global option. I would like to try/test some new features on just one of the VLANs I have on my OPNsense fw. Thanks for looking into this...
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on April 14, 2020, 07:37:01 pm
No, sorry, it's only a global option
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: brinm00 on April 15, 2020, 04:21:52 pm
Do you know of any plans to make it available on only a subset of the interfaces?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on April 15, 2020, 06:52:12 pm
No, there are no plans
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: xofer on April 26, 2020, 03:00:36 am
Quote
Do you know of any plans to make it available on only a subset of the interfaces?
As a sort of a workaround you could bind unbound (with blacklists) only to one interface and dnsmasq on the others.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on May 03, 2020, 10:06:23 am
As a rather newbie on OPNsense this might be wrong way to ask, however if one never asks, one will never learn :-)

Question: So I like this extension. Any chance there will be an option for setting which IP address to redirect any requests to?

Background: I know there are a lot of lists out there, some use an IP like 0.0.0.0, some others seem to like 127.1.1.1 or anything we simply do not have control over, so to say. So what IP is this plugin redirecting all requests to - the one in the list, or one specified somewhere, and if it is configurable, where do I set this?

My plan is to somehow include https://github.com/kvic-z/pixelserv-tls which I guess would be even better if it was somehow integrated with this package. @kvic might be able to help out?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on May 03, 2020, 11:31:17 am
Hi,

It replaces them all with 0.0.0.0:

https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py#L111
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on May 03, 2020, 03:37:26 pm
Superb :-) I can alter that file myself. However, it would be great if it were possible to set that via a parameter in the GUI some day :-)
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mrancier on May 04, 2020, 03:26:53 pm
Is there a way to add a hostname to the configuration of DoT servers ?  This is necessary for TLS authentication for NextDNS.io or BlockerDNS.com.  It also enables the ability to configure blacklists and whitelist on NextDNS.io.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: pkernstock on May 04, 2020, 03:52:06 pm
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):
Code: [Select]
# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mrancier on May 04, 2020, 04:28:05 pm
Quote
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):
Code: [Select]
# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io

I figured this would be the case, if momentarily, but I would rather do this than send naked queries or have to use their NextDNS CLI client, which is still in its infancy. Thank you so much. Hope @mimugmail gets around to adding this functionality to the plugin.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on May 04, 2020, 07:53:49 pm
I will add a separate page for it with these options
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: Mks on May 04, 2020, 09:27:37 pm
Hi

@mimugmail

May you could also add the option to add "views" to unbound, would be great.

br
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on May 04, 2020, 10:22:43 pm
When I find time, yes. Can you remind me in a few weeks? :)
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mrancier on May 05, 2020, 02:47:56 pm
Quote
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):
Code: [Select]
# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io

Soooo....yeah, it does not survive a reboot...oh well.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: RFGuy_KCCO on May 05, 2020, 02:56:20 pm
Quote
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):
Code: [Select]
# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io

Soooo....yeah, it does not survive a reboot...oh well.

If you place those lines in Unbound DNS --> General --> Custom Options, it will survive a reboot.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mrancier on May 05, 2020, 02:59:38 pm
Thank you for the reply.  I do know that using the Custom options box is able to work around this issue.  I was hoping to be able to keep the DoT config separate...for OCD reasons.  Thanks, though.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: magno101 on May 05, 2020, 09:40:48 pm
Sorry to bring this up again, but has there been any progress in the logging functionality surrounding blocked queries?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on May 06, 2020, 07:56:12 am
Quote
Sorry to bring this up again, but has there been any progress in the logging functionality surrounding blocked queries?

No, I have no idea how this should work
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mrancier on May 17, 2020, 11:18:32 pm
What is the syntax for whitelisting domains ?  tried adding one, but it did not seem to work.

Thanks.

Title: Re: DNSBL and additional features Plugin for Unbound
Post by: brad.edmondson on May 20, 2020, 08:29:54 pm
Hi,

Quote
It replaces them all with 0.0.0.0:

https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py#L111

@mimugmail -
Would it be possible to add an option to reply with NXDOMAIN instead of 0.0.0.0? That's what BIND DNSBL does, and just looking anecdotally at my pageloads, seems to be faster than trying to connect to a broadcast address or loopback address and waiting for TCP to fail.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on May 21, 2020, 07:14:30 am
BIND uses RPZ for this which is exclusive to it.
If you know how to achieve this within Unbound there might be chance.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: schreibubi on June 20, 2020, 07:10:25 pm
You'll get the NXDOMAIN response if you enable the commented-out line:
Code: [Select]
file.write('local-zone: "' + str(line) + '" static\n')

This is also how Adblock in OpenWRT does it.
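Two posts in this thread invite a worked script: the failed restart reported above (a hosts entry that became `.text-center`, an empty label Unbound refuses, plus the wish for a check before a freshly downloaded list goes live) and the exchange about answering NXDOMAIN instead of 0.0.0.0. The Python below is an added example written for this page; it is not the plugin's dnsbl.py and does not reproduce its code. The blocklist text it parses is constructed, the hostname rules it enforces are the RFC 1035 label rules (1 to 63 alphanumerics or hyphens per label, no empty label, leading digits allowed), and the `unbound-checkconf` wrapper it writes (with `chroot`, `username` and `directory` overridden so the check runs from a temporary directory) is an assumption about how one would dry-run an include file before swapping it into place.

```python
#!/usr/bin/env python3
"""Build an Unbound DNSBL include file from hosts-style blocklists, rejecting
entries Unbound would refuse to load, and optionally checking the result
with unbound-checkconf before it replaces the live file.

Added example for this forum thread, not the os-unbound-plus plugin's dnsbl.py.
SAMPLE_LIST is constructed. Assumptions: RFC 1035 hostname syntax, and an
unbound-checkconf binary on PATH when validate_with_unbound() is called.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# One DNS label: alphanumerics and hyphens, not starting or ending with a hyphen.
# A leading digit is legal ("0000mps.webpreview.dsl.net" is a valid owner name).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Names every hosts file carries that must never become block entries.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Sink addresses list authors commonly use; we discard them and pick our own.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "127.1.1.1", "::", "::1"}


def valid_domain(name: str) -> bool:
    """True if Unbound will accept `name` as an owner name in local-data/local-zone."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253 or name in SKIP_NAMES:
        return False
    labels = name.split(".")
    # ".text-center" splits into ["", "text-center"]: the empty label is exactly
    # what produced "error parsing local-data ... Empty label" in the thread.
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    # A bare IPv4 literal such as "0.0.0.0" passes the label regex; drop it too.
    return not all(label.isdigit() for label in labels)


def parse_blocklist(text: str) -> set:
    """Extract block targets from hosts-style ("0.0.0.0 ads.example") or
    plain domain-per-line lists. Comments and invalid names are dropped."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if fields[0] in SINK_ADDRS else fields[:1]
        domains.update(n.lower().rstrip(".") for n in names if valid_domain(n))
    return domains


def render(domains, mode: str = "sinkhole", sink: str = "0.0.0.0") -> str:
    """Emit the include file.
    "sinkhole": answer A queries with `sink` (what the plugin does).
    "nxdomain": declare each name an always_nxdomain zone, so clients get
    NXDOMAIN at once instead of connecting to 0.0.0.0 and waiting for TCP to
    fail; this also covers every record type and every subdomain of the name."""
    if mode not in ("sinkhole", "nxdomain"):
        raise ValueError(f"unknown mode {mode!r}")
    out = ["server:"]
    for d in sorted(domains):
        if mode == "sinkhole":
            out.append(f'  local-data: "{d} A {sink}"')
        else:
            out.append(f'  local-zone: "{d}" always_nxdomain')
    return "\n".join(out) + "\n"


def validate_with_unbound(include_text: str):
    """Run unbound-checkconf against a throwaway config that includes the
    generated file. Returns True/False, or None if unbound-checkconf is not
    installed. An update job should only move the new file over the live one
    when this returns True, keeping the previous file as the fallback."""
    exe = shutil.which("unbound-checkconf")
    if exe is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "dnsbl.conf")
        inc.write_text(include_text)
        wrapper = Path(tmp, "unbound.conf")  # assumption: minimal config suffices
        wrapper.write_text(
            f'server:\n  directory: "{tmp}"\n  chroot: ""\n  username: ""\n'
            f'include: "{inc}"\n')
        return subprocess.run([exe, str(wrapper)], capture_output=True).returncode == 0


# Constructed sample mixing the two list formats and the failure modes above.
SAMPLE_LIST = """\
# constructed sample, not a real list
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # some lists prefer loopback
0.0.0.0 localhost
.text-center
0.0.0.0 0000mps.webpreview.dsl.net
bad_host.example.com
tracker.example.org.
"""

if __name__ == "__main__":
    doms = parse_blocklist(SAMPLE_LIST)
    conf = render(doms)
    print(conf)
    print(render(doms, mode="nxdomain"))
    print("unbound-checkconf:", validate_with_unbound(conf))
```

Running the sample keeps ads.example.net, tracker.example.org and 0000mps.webpreview.dsl.net, and drops the empty-label entry, the underscore name, the localhost line and the duplicate with a trailing dot. One caveat on the sinkhole mode: per the Unbound manual, local-data without an explicit local-zone creates a transparent zone, so an AAAA query for a listed name receives an empty (NODATA) answer rather than going upstream, whereas always_nxdomain answers NXDOMAIN for every type and for subdomains as well.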
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: schreibubi on June 20, 2020, 07:12:08 pm
Hi,

any chance of getting this plug-in working in 20.7? Right now there is a conflict with opnsense-devel package...

Joerg
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on June 20, 2020, 08:23:09 pm
Just remove the -devel and install the stable one ...
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on July 02, 2020, 08:28:22 am
I am using DoT, however now I am about to install my backup ISP connection, and am wondering if that will kind of screw things up? My reason for asking is that when you add a second WAN (multi-WAN: https://docs.opnsense.org/manual/how-tos/multiwan.html ) you also specify a 2nd DNS - and I can not figure out in my head how this is supposed to work with DoT? And how does one set up firewall rules? Port 53 should not be used I guess, only 853? Or am I missing something?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on July 05, 2020, 04:10:52 pm
If I may ask for two small requests:

1) A local blacklist, where one can enter a few local (for me swedish) URLs to block

2) Firefox DoH checkbox since "Custom options" is about to be removed. Currently I have, which I think is correct inside the "Custom options" box the following: local-zone: "use-application-dns.net" static - it would be nice to get a checkbox the same thing so to speak, call something like "Prevent client auto DoH"?

ERROR: My try on request no 2 above, using custom options is NOT correct - I wonder what I did wrong....?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on July 09, 2020, 08:47:11 am
Yea right I now know what I did wrong - so I am new to unbound, so this goes under learning I guess.

Under the Unbound DNS - > General -> Custom options, one need to add this:

Code: [Select]
server:
local-zone: "use-application-dns.net." always_nxdomain

I simply forgot to add the "server:" part of the above.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: cioby23 on July 31, 2020, 11:26:54 pm
I just installed latest release of OPNsense 20.7 and it seems Unbound DNS blacklist do not work at all. No matter what lists I select from the dropdown list ads are still being displayed.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on August 11, 2020, 11:39:33 am
Anyone running DoT with Multi-WAN (failover)? Would be happy if someone could attach a log and settings for getting this to work - I might have screwed up somewhere, and I can not for the world get my failover to work again....
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: nikkon on September 02, 2020, 02:43:04 pm
Quote
Anyone running DoT with Multi-WAN (failover)? Would be happy if someone could attach a log and settings for getting this to work - I might have screwed up somewhere, and I can not for the world get my failover to work again....
same for me.
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on September 02, 2020, 03:58:06 pm
What exactly is the problem there?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on September 05, 2020, 12:24:24 pm
Well that is just that, I know my current config does not work when it comes to failover (although it did once upon a time, and I have verified that with a separate config (which I have backed up of course) that seem to work - however that config makes my printer to not work... so I restored the config where the printer works and failover does not...) - everything else works.

So my idea was to check the config backup that works, and compare it to my non working failover - nothing turned up to help me. So now I am just trying to figure out if anyone else has WAN failover and DoT over Unbound?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on September 05, 2020, 03:58:46 pm
But this should be reproducible by enabling and disabling DoT, isn't it?
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: lar.hed on September 05, 2020, 04:33:45 pm
Well, if I remove my 4 DoT servers (1.1.1.1@853, 1.0.0.1@853, 9.9.9.9@853 and 114.112.112.112@853) it will not fix my WAN failover issue, and more important, when I added them all back I lost some of the URL (DNS) lookups (read: some web sites were not resolved). Something a reboot solved.

I have been thinking alot about this issue I seem to have, and I am convinced it is some sort of rule problem.

For example I have a rule that only allows 853 to pass out of the WAN interfaces (FTTH and LTE), even with that active, after removing the four DoT servers from Unbound, I still get 100% name resolution working - I kind of did not expect that to happen....

So something got to be screwed up on my firewalls rules...
Title: Re: DNSBL and additional features Plugin for Unbound
Post by: nzkiwi68 on October 27, 2020, 05:31:43 am
Can we please have Response Policy Zones (RPZ) in Unbound?

I see it's supported in Unbound;
https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26


The ideal would be support for RPZ and the ability to specify the RPZ data and how often to fetch it;

I would immediately start using;
https://urlhaus.abuse.ch/api/#retrieve

and the download for their RPZ is;
https://urlhaus.abuse.ch/downloads/rpz/

RPZ is a very powerful tool for DNS blocking that I would love to use with Unbound.


Title: Re: DNSBL and additional features Plugin for Unbound
Post by: mimugmail on October 27, 2020, 06:01:26 am
Maybe worth opening a feature request on GitHub?