OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: jimjohn on May 03, 2021, 05:13:10 pm

Title: BIND: Exclude Hosts / IPs from DNSBL
Post by: jimjohn on May 03, 2021, 05:13:10 pm
Hi,

I use Unbound DNS on Port 53 to forward to BIND on Port 53530, whereas BIND does DNS Blacklisting (found that way more reliable than Unbound).

Question: How can I exclude single hosts from DNSBL (e.g. gaming console), e.g. to use multiplayer features.

Thanks!
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: Patrick M. Hausen on May 03, 2021, 06:39:00 pm
I have a solution that you might want to consider although it is not a direct answer to your question.

I run AdGuard Home as a blacklisting DNS resolver from @mimugmail's community plugin repo.
AdGuard listens on all interfaces and is the standard recursive DNS server for all networks.

AdGuard then forwards to BIND as unbound would in your example, but there are no blacklists configured in BIND.

Now I can use NAT port forwarding for individual hosts - forwarding
  • protocol: TCP/UDP
  • source: specific host
  • destination: interface address
  • destination port: 53
  • redirect target: 127.0.0.1:53530
bypassing AdGuard and blacklisting this way.

I cannot come up with any idea how to do this in your scenario keeping the blacklisting on the last DNS server in your chain.
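One way to keep the blacklist on BIND itself and still exempt a single client is BIND views, shown here as an added example that is neither poster's configuration nor the os-bind plugin's generated config. It assumes the console's port-53 traffic is redirected straight to 127.0.0.1:53530 by the NAT rule above (so BIND sees the console's own source address), that every other query still arrives from Unbound at 127.0.0.1, and that the console IP, LAN prefix, RPZ zone name and file path are placeholders.

```conf
// Added example for a hand-maintained named.conf (assumed; not the
// OPNsense plugin's template). Placeholders: console IP, LAN prefix,
// RPZ zone name and file path.
acl "dnsbl-bypass" { 192.168.1.50; };          // e.g. the gaming console
acl "lan"          { 192.168.1.0/24; localhost; };

options {
    // Unbound (port 53) forwards here, as in the original question.
    listen-on port 53530 { 127.0.0.1; };
    recursion yes;
    allow-recursion { lan; };
};

// Views are matched in order: exempt hosts hit this one first and get
// plain recursion with no response-policy applied.
view "bypass" {
    match-clients { dnsbl-bypass; };
    recursion yes;
};

// Everything else (including all queries relayed by Unbound from
// 127.0.0.1) is answered through the RPZ blacklist.
view "filtered" {
    match-clients { any; };
    recursion yes;
    response-policy { zone "rpz.local"; };
    zone "rpz.local" {
        type master;
        file "/usr/local/etc/namedb/rpz.local.db";   // assumed path
    };
};
```

Because the match is on the source address BIND actually sees, the exemption only works for clients whose queries reach BIND directly rather than through Unbound; `named-checkconf` will confirm the syntax before reloading.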
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: jimjohn on May 03, 2021, 07:05:58 pm
Thanks … somehow I am not sure about AdGuard. They do not even have an imprint on their website …
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: Patrick M. Hausen on May 03, 2021, 07:50:44 pm
Thanks … somehow I am not sure about AdGuard. They do not even have an imprint on their website …
It's not AdGuard but AdGuard Home, which is 100% open source:
https://github.com/AdguardTeam/AdGuardHome
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: abulafia on May 05, 2021, 12:34:27 pm

Now I can use NAT port forwarding for individual hosts - forwarding
  • protocol: TCP/UDP
  • source: specific host
  • destination: interface address
  • destination port: 53
  • redirect target: 127.0.0.1:53530
bypassing AdGuard and blacklisting this way.
That seems overly complicated and unnecessary (edit: because you then have DNS settings all over the firewall rather than just in your DNS server):

If you already use AdGuard Home, just go there and use a "client" setting and disable DNSBL for that client and if necessary specify a specific upstream DNS server for that client.

On Unbound, check whether ACL could be used to specify a different (non-DNSBL) upstream/forward server?

Finally, just wondering what has been unstable about unbound DNSBL - too many lists?
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: jimjohn on May 05, 2021, 12:36:23 pm

Now I can use NAT port forwarding for individual hosts - forwarding
  • protocol: TCP/UDP
  • source: specific host
  • destination: interface address
  • destination port: 53
  • redirect target: 127.0.0.1:53530
bypassing AdGuard and blacklisting this way.
That seems overly complicated and unnecessary -

If you already use AdGuard Home, just go there and use a "client" setting and disable DNSBL for that client and if necessary specify a specific upstream DNS server for that client.

Actually that is the way to go - I am just trying to achieve that without AdGuard. Tried it once, moved back to Unbound and BIND. Maybe I give it another try.
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: abulafia on May 05, 2021, 01:49:30 pm
Lots of ways to achieve your goal, but I certainly recommend a second look at AdGuard Home as it has developed a lot over the last year.
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: zyon on May 05, 2021, 02:02:18 pm
With AdGuard you can say "this device" is not subject to any rules, but to my knowledge it is not possible to apply certain filtering rules per device, no granularity.

With BIND effectively just creating redirect rules allows you to do that.
Title: Re: BIND: Exclude Hosts / IPs from DNSBL
Post by: jimjohn on May 05, 2021, 02:31:21 pm
With AdGuard you can say "this device" is not subject to any rules, but to my knowledge it is not possible to apply certain filtering rules per device, no granularity.

With BIND effectively just creating redirect rules allows you to do that.

Tell me more ...  ;) :)