Messages - jaydub

#1
23.1 Legacy Series / Unbound safesearch question
April 28, 2023, 05:44:26 PM
I'm so glad to see the unbound safesearch option that can be turned on with a checkbox in version 23. That is so convenient. The safesearch.conf file is very thorough.

I want to force everything but YouTube to safesearch (we create YouTube content that is clean, but YouTube seems to be labeling it adult, so safesearch is blocking some of our videos). Looking in the safesearch.conf file, I deleted the youtube section and saved it in vi. When restarting the service, unbound put youtube back in that file.

Is there a way I can work around this? I tried domain overrides and then host overrides for individual sites, but I wasn't successful; perhaps I just need a tutorial.

What would be a nice feature is to be able to select which search engines to use safesearch kind of like the DNSBL blocklists has. 

Thanks to everyone who works on this.
#2
Quote from: tuto2 on February 07, 2023, 08:44:07 AM
This line specifically shows the module is pre-23.1. In case you haven't you should probably restart Unbound so the template generation has a chance to kick in.

As I stated in my first post, I have restarted the service numerous times, I have rebooted numerous times and I have gone into "system, firmware, packages" and reinstalled unbound twice with no change (my package for unbound says it is 1.17.1_1 and opnsense is 23.1_6-amd64). When I go to "firmware, update" it says all my packages are up to date.

If the module is pre-23.1 then there is something broken with the package manager apparently as I'm not getting the updated package. Do you have any other suggestions I should try? Is there a best way to remove unbound then reinstall to make sure the module gets updated properly?

***GOT REQUEST TO REINSTALL***
Currently running OPNsense 23.1_6 at Tue Feb  7 07:45:01 MST 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.

No packages are required to be fetched.
Integrity check was successful.
unbound-1.17.1_1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
   unbound-1.17.1_1

Number of packages to be reinstalled: 1
[1/1] Reinstalling unbound-1.17.1_1...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[1/1] Extracting unbound-1.17.1_1: .......... done
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
#3
So I did more testing tonight, turned off dnsmasq, turned on unbound.

I went to interface/diagnostics/dns lookup put in:
raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list and got the error below, so I tried it with the https:// in front of the address, which I don't believe is needed, and got the same result below.
Then it says in a popup "correct validations in form", and in red after I close the popup it says "Provide a valid hostname or address to query".

I get the same message when I enter:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

The unbound log shows all my blocklists like this:
07:00   Error   unbound   blocklist download : unable to download file from https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x8027ec0d0>: Failed to establish a new connection: [Errno 8] Name does not resolve')))

If I put in google.com it resolves same with a few other websites.
#4
I upgraded to 23.1_6 today but now unbound doesn't work at all.  See thread https://forum.opnsense.org/index.php?topic=32352.msg156382#msg156382
#5
I upgraded to the latest this morning and it isn't fixed so that must have been a different issue I guess.
#6
This morning I upgraded and am currently running OPNsense 23.1_6 and unbound 1.17.1_1

I can't get anything to resolve with unbound. I can ping outside IP addresses (8.8.8.8) but can't resolve any names with unbound. I turned off my blocklists thinking that had something to do with it, but that's not it either, even after restarting the service. I have had to turn off unbound and go to dnsmasq for now. I have also rebooted opnsense several times.

From the command line I get:
#host google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
Host google.com not found: 2(SERVFAIL)

In the logs it appears it is all working:
2023-02-06T09:33:53-07:00   Informational   unbound   [74515:0] info: [25%]=2.73437e-07 median[50%]=5.46875e-07 [75%]=8.20312e-07   
2023-02-06T09:33:53-07:00   Informational   unbound   [74515:0] info: histogram of recursion processing times   
2023-02-06T09:33:53-07:00   Informational   unbound   [74515:0] info: average recursion processing time 0.202112 sec

In the emergency logs it shows:
SystemError: _PyEval_EvalFrameDefault returned a result with an error set   
           The above exception was the direct cause of the following exception:   
           AttributeError: 'NoneType' object has no attribute 'security'   
           ctx.log_entry(*info, ACTION_DROP, SOURCE_LOCAL, None, RCODE_SERVFAIL, 0, rep.security, rep.ttl)   
           File "dnsbl_module.py", line 243, in servfail_cb

With dnsmasq I'm back up and running, without filtering blocklists, I also reinstalled unbound with no change.

Any ideas what to do next?

Jay
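The two checks described in posts #3 and #6 (the diagnostics form only accepts a bare hostname, not a blocklist URL, and `host google.com 127.0.0.1` answered SERVFAIL) can be reproduced from a shell without the web UI. The following Python script is an added example for this thread; it is not code from the thread or from OPNsense. It strips a blocklist URL down to its hostname, sends a minimal A query to one chosen resolver over UDP, and reports the DNS response code. The resolver address 127.0.0.1, the sample URLs and the constructed SERVFAIL reply are assumptions made for the example.

```python
import socket
import struct
from urllib.parse import urlsplit

# DNS header RCODE values (RFC 1035); 2 = SERVFAIL is what `host` reported above
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample: blocklist URLs as they were pasted into the lookup form
BLOCKLIST_URLS = [
    "raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list",
    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
]

# Constructed sample reply: id 0x1234, flags QR|RD|RA with RCODE=2 (SERVFAIL), no answers
SAMPLE_SERVFAIL_REPLY = bytes.fromhex("1234 8182 0001 0000 0000 0000")


def hostname_from_url(url):
    """Return the bare hostname the diagnostics form expects, with or without a scheme in the URL."""
    if "://" not in url:
        url = "https://" + url  # urlsplit only fills .hostname when a scheme is present
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no hostname in %r" % url)
    return host


def build_query(name, qid=0x1234, qtype=1):
    """Build a minimal DNS query (QTYPE 1 = A, QCLASS 1 = IN) with the RD flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Read a DNS response header: transaction id, RCODE name and answer count."""
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, "RCODE%d" % rcode), "answers": ancount}


def check_resolver(names, server="127.0.0.1", port=53, timeout=2.0):
    """Query each name against one resolver over UDP; map name -> RCODE (or TIMEOUT / BAD-ID)."""
    results = {}
    for name in names:
        query = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, port))
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                results[name] = "TIMEOUT"
                continue
        reply = parse_response(data)
        results[name] = reply["rcode"] if reply["id"] == 0x1234 else "BAD-ID"
    return results


if __name__ == "__main__":
    # 127.0.0.1 is assumed to be the local Unbound instance, as in the `host` command above
    hosts = sorted({hostname_from_url(u) for u in BLOCKLIST_URLS} | {"google.com"})
    for host, rcode in check_resolver(hosts).items():
        print("%-30s %s" % (host, rcode))
```

Running it against the local resolver and then against a known-good upstream (for instance `check_resolver(hosts, server="8.8.8.8")`) separates "Unbound returns SERVFAIL for everything" from "only the blocklist host fails to resolve", which is the distinction the later posts in this thread turn on.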
#7
I'm having the same problem. Unbound isn't downloading blocklists, but for me it's because my unbound can't resolve anything. I can ping 8.8.8.8, but anything that needs to be resolved by unbound isn't working for me. Yours seems to resolve stuff other than blocklists, but mine doesn't.
#9
Hi Cookie,
Yes, when I put that address in a browser it brings up the list of site names so the dns is working. It had been working before 22.7 but I don't know the exact version that broke it.
#10
My production OPNsense ver 22.7.11 no longer is blocking porn and other things because the blocklists are not downloading. From the error logs:
2023-01-24T16:19:40-07:00   Error   unbound   blocklist download : unable to download file from https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (error : HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x802615b20>: Failed to establish a new connection: [Errno 8] Name does not resolve')))
#11
22.7 Legacy Series / Re: schedule issue in rules
September 26, 2022, 02:50:44 PM
I thought schedules were working, then they weren't. I did some digging and I think there is a bug. I am running OPNsense 22.7.4-amd64

I did some testing today and I was able to get one to work and another didn't but they are both created the same way with the same dates and times. I can't see any difference in the rules other than in the schedule list page it shows the times (same times) in a different column. I can't post a screenshot but I will attach it so you can see the little clock showing the schedule is active but when you look at the dates it should not be active.

Today is September 26th.  Clearly you can see the first schedule, called 24hr, is not listed to work on Sept 26th yet the little clock icon shows it is active today for some reason. When testing, the "days off" schedule I initially made the dates Sept 24-25 and Oct 1-2. It didn't show the clock icon and in my rules list it was gray as it should be as today is not an active day. I then went back and edited that rule to add everything you see there but when I chose "Saturday and Sunday" URLs it is listed differently but as you see it. Even now, after updating the second rule, it's still working correctly.

Why is the 24hr schedule showing active on dates it's not supposed to be active? Is it a bug or a feature?

Thanks,
Jay
#12
22.7 Legacy Series / Re: schedule issue in rules
September 12, 2022, 12:39:35 AM
For anyone having the same issue, I had to create a different schedule of when I wanted to allow access then create a pass rule with this schedule.  Then following this rule I created a block all rule and it seems to work. Not as simple, but it works.
#13
22.7 Legacy Series / Re: schedule issue in rules
September 09, 2022, 10:21:24 PM
Is anyone else having this issue? 
#14
22.7 Legacy Series / schedule issue in rules
September 07, 2022, 04:39:34 PM
I have set up a schedule for rules, and I have chosen Mondays-Fridays on the calendar of the schedule in Opnsense. However, the firewall rule that blocks all traffic on that VLAN during that time is still doing it on Saturdays and Sundays.

The schedule looks like this:
------------------------------------------
No_Internet   {name of schedule}
August 22 - 26    {dates selected for schedule}
August 29 - 31
September 1 - 2
September 5 - 9
September 12 - 16
September 19 - 23
September 26 - 30
October 3 - 7
October 10 - 14
October 17 - 21
October 24 - 28
October 31
November 1 - 4
November 7 - 11
November 14 - 18
November 21 - 23
November 28 - 30
December 1 - 2
December 5 - 9   

9:30-10:15   {Time for Schedule}
Fall%20Semester {Time range description}
---------------------

My firewall rule on that VLAN calls for the schedule above named "No_internet", and it works on the dates listed, but for some reason it also works on the dates not listed. Currently on OPNsense 22.7.3_2-amd64, but it was this way on my 22.1 versions too.

What am I doing wrong?
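To check what the schedule above should do at any given moment, independently of what the firewall shows, here is an added Python example (not code from the post or from OPNsense). It encodes the listed date ranges and the 9:30-10:15 window, answers whether a timestamp falls inside the schedule, and lists any selected date that is a Saturday or Sunday. The year 2022 is an assumption taken from the post date; the rule is expected to be inactive on any date not listed.

```python
from datetime import date, datetime, time

# Constructed from the schedule listed in the post above; the year (2022) is an assumption
NO_INTERNET = {
    "name": "No_Internet",
    "year": 2022,
    "dates": [  # (month, first day, last day), inclusive
        (8, 22, 26), (8, 29, 31), (9, 1, 2), (9, 5, 9), (9, 12, 16), (9, 19, 23),
        (9, 26, 30), (10, 3, 7), (10, 10, 14), (10, 17, 21), (10, 24, 28), (10, 31, 31),
        (11, 1, 4), (11, 7, 11), (11, 14, 18), (11, 21, 23), (11, 28, 30), (12, 1, 2), (12, 5, 9),
    ],
    "start": time(9, 30),   # 9:30-10:15 {Time for Schedule}
    "end": time(10, 15),
}


def selected_dates(schedule):
    """Expand the (month, first, last) ranges into the concrete dates the schedule covers."""
    out = []
    for month, first, last in schedule["dates"]:
        for day in range(first, last + 1):
            out.append(date(schedule["year"], month, day))
    return out


def is_active(schedule, when):
    """True when `when` (datetime or ISO string) is on a selected date and inside the time window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    on_date = when.date() in selected_dates(schedule)
    in_window = schedule["start"] <= when.time() <= schedule["end"]
    return on_date and in_window


def weekend_dates(schedule):
    """Selected dates that fall on Saturday or Sunday (weekday() 5 or 6); empty for a Mon-Fri schedule."""
    return [d for d in selected_dates(schedule) if d.weekday() >= 5]


if __name__ == "__main__":
    # Wednesday Sept 7, 2022 (listed) versus Saturday Sept 10, 2022 (not listed), both at 9:45
    for stamp in ("2022-09-07T09:45", "2022-09-10T09:45", "2022-09-07T11:00"):
        print(stamp, "active" if is_active(NO_INTERNET, stamp) else "inactive")
    print("weekend dates in schedule:", weekend_dates(NO_INTERNET))
```

If `weekend_dates` returns an empty list but the rule still matches on a Saturday, the date selection is not the cause; that narrows the problem to how the rule evaluates the schedule rather than to what was entered.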
#15
I don't believe so. I think it's only blocking webmail, but I'm not sure, as we turned off the blocklisting since many of my users, including me, use webmail.