OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: IsaacFL on December 03, 2022, 10:45:09 pm
-
I use unbound in resolver mode and for blocklist i use the URL method to download https://dbl.oisd.nl/.
I see in the log that it is downloading "blocklist download https://dbl.oisd.nl/ (lines: 980762 exclude: 0 block: 980754)"
But sites in the list are not being blocked. This had worked prior to the update.
-
I have the same issue with Unbound.
Workaround is to disable the blocklist in unbound (but keep unbound enabled), and setup a different blocker on virtual server, and point internal requests to that. Right now it will go from *hole > unbound > 1.1.1.1
-
any clue in unbound logs?
-
I don’t see anything in the logs. All indications are it is downloading list, etc but just not blocking. Dns lookup of a site on the list provides the actual ip.
My solution has been to turn off the blocklist and use forwarding to nextDNS.
-
sorry, nothing to hook on for debugging.
unbound blocklists work has been migrated to the python module, which (imho) should give a speed gain (no blocklist load to unbound ) and very interesting prospects for logging\analyzing blocked addresses lookups..
since this just happened, there may be a conflict with some (custom?) settings. perhaps enabling debug logging and/or query logging would help..
-
I turned on the logging. I did a lookup of a site (oh93.com.) that is in the blocklist. Can see in the log it resolved.
Filtering on oh93.com
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] reply: 2603:8001:2701:b120:a0b0:a26e:99d0:2827 oh93.com. AAAA IN NOERROR 0.070674 0 54
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: dns64 operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: dns64 operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: validator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: finishing processing for oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: resolving oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: validator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: dns64 operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: dns64 operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: validator operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: finishing processing for oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: reply from <oh93.com.> 204.11.56.26#53
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: response for oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: iterator operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Debug unbound [44112:0] debug: sending to target: <oh93.com.> 204.11.56.26#53
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: sending query: oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: processQueryTargets: oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: response for oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: iterator operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: sending query: oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: processQueryTargets: oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: processQueryTargets: oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: resolving (init part 3): oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: resolving (init part 2): oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: resolving oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: validator operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] info: dns64 operate: query oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:0] query: 2603:8001:2701:b120:a0b0:a26e:99d0:2827 oh93.com. AAAA IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] reply: 2603:8001:2701:b120:a0b0:a26e:99d0:2827 oh93.com. A IN NOERROR 0.155916 0 42
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: dns64 operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: validator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: dns64 operate: query oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: validator operate: query oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: finishing processing for oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: response for oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: iterator operate: query oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: sending query: oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: processQueryTargets: oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving (init part 3): oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving (init part 2): oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: validator operate: query oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: dns64 operate: query oh93.com. DS IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: validator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: finishing processing for oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: reply from <oh93.com.> 204.11.56.26#53
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: response for oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: iterator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Debug unbound [44112:3] debug: sending to target: <oh93.com.> 204.11.56.26#53
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: sending query: oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: processQueryTargets: oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: response for oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: iterator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: sending query: oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: processQueryTargets: oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving (init part 3): oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving (init part 2): oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: resolving oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: validator operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] info: dns64 operate: query oh93.com. A IN
2022-12-05T09:43:48-08:00 Informational unbound [44112:3] query: 2603:8001:2701:b120:a0b0:a26e:99d0:2827 oh93.com. A IN
-
dns64 operate
hah..may be..
-
turning dns64 off seems to fix it
-
yep. looks like a little typo in unbound.inc that sets dns64 module ahead of python..
i'll try to suggest something
-
@IsaacFL
how about
opnsense-patch -a kulikov-a 9bc7032then enable DNS64, save, apply? (with client cache clearing of course)
(the patch always puts the python module first in the module list)
-
I just applied patch, and it seems to have fixed it.
-
great, thanks for the feedback!
-
I have not enabled dns64, but experienced this issue after update.
I 'cleared it' by reloading the block list, in the past there was a message stating the number of records dowbloaded.
I also added a url https://block.energized.pro/ultimate/formats/domains.txt to see if that fixed it.
Today there was a power outage, so when the power came back, a cold restart was required.
The lack of blocking issue returned.
I pressed the apply button, no message and the little wheel indicator momentarily displayed.
I pressed apply again and the indicator was visible for longer, and behold after clearing the browser cache, no more adverts.
I did search this board and this phenomena occurred in the past.
The upgrade release notes mention this
unbound: rework DNSBL implementation to Python module
-
I pressed apply again and
no need to hit button twice - the result will not be better (at least)
you can go to logs and see the blocklists download process ("blocklist download.." records )
if there are errors in the py-module operation, they will also be in the unbound log
-
I have not enabled dns64, but experienced this issue after update.
I 'cleared it' by reloading the block list, in the past there was a message stating the number of records dowbloaded.
I also added a url https://block.energized.pro/ultimate/formats/domains.txt to see if that fixed it.
Today there was a power outage, so when the power came back, a cold restart was required.
The lack of blocking issue returned.
I pressed the apply button, no message and the little wheel indicator momentarily displayed.
I pressed apply again and the indicator was visible for longer, and behold after clearing the browser cache, no more adverts.
I did search this board and this phenomena occurred in the past.
The upgrade release notes mention this
unbound: rework DNSBL implementation to Python module
I don’t know if this is your issue, but earlier this week the energized list was down. So you might try a different list to verify.
-
@IsaacFL
Another cold start resulted in the same procedure being carried out to get blocking working.
The energised list was not used.
The log files do not show any errors.
I agree with the statement Unbound blocklist does not seem to be working since update to 22.7.9