Messages

Including more comprehensive and regularly updated community lists would significantly improve the default security level of OPNsense installations.

When editing blocklist you can enable advanced mode to get the `URLs of Blocklists` field, where you can add urls to all blocklists you want.
They don't necessarily have to be provided by opnsense itself.

Unbound is a dns resolver and don't need any upstream dns.
see https://docs.opnsense.org/manual/unbound.html, you can even find someting about query forwarding and dns over tls there.

System > Settings > General is a little different, see https://docs.opnsense.org/manual/settingsmenu.html#general

If you chose mullvad instead of unbound this is totally fine, but as you found out it will bypass unbound depending on your settings.
To use unbound you don't need any dns server in general settings, just uncheck `Allow DNS server list to be overridden by DHCP/PPP on WAN` and uncheck `Do not use the local DNS service as a nameserver for this system`, thats it basically.
Or if you prefer check `Do not use the local DNS service as a nameserver for this system` and add 127.0.0.1 to servers explicitely.

Query forwarding or DoT should then be configured under services > unbound itself IMO.

In System > Settings > General I have my upstream DNS server configured

This may be cause of your problem.
Why do you set any dns servers if you want unbound to be used?

Having set `Do not use the local DNS service as a nameserver for this system` is fine, but as long as you want unbound (aka the local DNS service) to be used you have to add 127.0.0.1 explicitely as your dns server then.

If you wanna force all dns request to your firewall, even if client wants to use something else, you may think about using nat
https://forum.opnsense.org/index.php?topic=9245.0

Hi there,

just updated from 24.7.5_3 to 24.7.6 and it looks like live view is somehowborked now.

Rules seem to be ok and everything is working as far is i could tell but log shows everything somehow wrong.
Also when showing detailed rule info the details are for wrong rules.
Sometimes the rule itself cannot be opened from link in rule details.

e.g. when looking at ipv6.png and ipv6_details.png, these entries should have nothing to do with ipv6 at all, also link to actual rule is not working.

Or there are some devices i know that they want to bypass dns on my opnsense, so i have defined port forward rule that i'm logging.
Usually these rdr rules pop up in log, with light blue background, but now these looks like in rdr.png and rdr_details.png

Is anybody experiencing similar problems?
Is there anybody who can help me to analyse further?

Thanks.

EDIT: I think I'm going to revert to 24.7.5_3 tomorrow

There is no pihole for opnsense.

If you use unbound as your dns you can set up blocklists directly: https://docs.opnsense.org/manual/unbound.html#blocklists

Or if you want to use adguard home, it's available from mimugmail 's community repo.
There is also a whole thread about it https://forum.opnsense.org/index.php?topic=22162.0

[Services ‣ Unbound DNS ‣ Log File]

Have you already checked logs under Services ‣ Unbound DNS ‣ Log File?
What does entry for fetching your blocklist show there?
It should list excluded, blocked and wildcard entries of list.

Also have you checked if domain you use for testing is in file?
Because the ones you posted (v2) are different from the one visible in your screenshot (without v2)

[then]

Some lists in the blocklist section will even lock Microsoft updates, seems like you're in that situation.

If that's not the case your upstream DNS is doing something weird, and you should consider encrypting all your queries outbound

Can you post a screenshot of your DNSBL page with advanced turned on and one of the Unbound reporting screen?

Are you using blocklists? If you do there most probably is no "issue". Microsoft domains frequently end up on blocklists, all the more so if you pull in a lot of them managed by volunteers.

Disable all block lists. Working now? If yes, then it's one of the blocklists, none of which are managed by the OPNsense project and none of which can be fixed by the OPNsense project.

If no, then we have an issue.

Still not clear which lists are enabled at all, but there are some blocklists built in that explicitely blocks microsoft stuff:

• WindowsSpyBlocker (spy)
• WindowsSpyBlocker (update)
• WindowsSpyBlocker (extra)

If one simly enables all blocklists without reading, this may lead to described behaviour too.

More details on these lists can be found here https://crazymax.dev/WindowsSpyBlocker/blocking-rules/
For extra list it explicitely says:

ONLY use if you know what you do
Be aware that these rules can also block Windows Update and other services.
Therefore, no support will be provided on them.

Unused memory is wasted memory :)
This behavior is totally fine for ARC, it will be freed if other processes needs more memory.

Wildcard domains will make list a lot smaller, which should be preferred IMO, but i have no experience with as it is pretty new.
Between domain list and hosts file there shouldn't be much difference.

Glad you found a solution with adguard.

You already mentioned in first post that the lists are specially for unbound following it's config format.

As documented, you would've needed a simple list of domains: https://docs.opnsense.org/manual/unbound.html#blocklists
But host files are working too and with recent update also lists including wildcard domains should work.

reverse dns is working fine here.
have you checked if something is wrong with your adguard settings or blocked by firewall itself?

https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#specifying-upstreams-for-reverse-dns

Ist das adguard plugin aus mimugmail's community repo und hört auf port 53?
Falls ja, dann muss beim Adguard service eine checkbox gesetzt werden.

Für details siehe https://forum.opnsense.org/index.php?topic=33661.0

edit: fixe ip für DNS sollte dann auch nicht mehr notwendig sein

Normally you don't need rules on WAN interface, because you establish connections only from the LAN side. 

You need to create your block rules on your LAN interface with given ips as destination and with direction IN: https://docs.opnsense.org/manual/firewall.html#direction

You already have an IP_BLOCK hosts which is good to keep number of rules short, you can use this as destination too.
After applying changes, your client shouln't be able to connect to mentioned game server anymore.
Dependent on how your game is getting list of available servers, it may still be shown, but connection is not possible.

explicit configuration is working here, it also makes more clear what is actually set/happening

but maybe updated adguard plugin will help too ;) https://github.com/opnsense/core/issues/6513#issuecomment-1518684956

Of course this is working, that's a different configuration with adguard *not* listening on port 53
With proper NAT rules ports may be changed as workaround too.

But for adguard listening on port 53 there is still something missing, as franco said:

The cleanup/feature here is that adguard can now work as standalone as well as bind or dnscrypt-proxy WITHOUT a running unbound or dnsmasq, but in order for this to work it needs to communicate which port it uses and only port 53 is eligible for a core DNS provider...