Topics

1

20.1 Production Series / Unbound DNS blacklist?

« on: February 08, 2020, 07:24:02 pm »

There was some discussion about having having DNS blacklist available at the next major release (20.1).

I've been using scripts to download blacklists, re-format into a conf file, and feed into Unbound each morning.
It works, but it would be nice to have something better integrated into OPNsense.

Is there any approved/recommended package or plugin for Unbound DNS blacklist?
Thanks

2

General Discussion / Unbound DNS override for one client

« on: May 13, 2019, 05:32:48 am »

I block ad servers and tracking servers using Unbound.
I have an app on a Roku that needs to access a specific ad server or else if fails.
I can add an override for that specific ad server (or take that DNS entry out of my black list) and the Roku app works. Of course, that would apply to all clients.

Is it possible for Unbound to override a DNS entry for requests coming from a specific address.
Specifically, my Roku gets the real address and all other devices still get 0.0.0.0
Thanks.

3

General Discussion / Unbound DNS server at boot

« on: May 12, 2019, 09:07:06 pm »

I've configured Unbound to block advertising (and tracking) URLs. I followed the setup from https://devinstechblog.com/block-ads-with-dns-in-opnsense/ and added some more blacklists.

I have a slight Unbound problem when my firewall boots.
I'm using an APC2D4 with RAM disks for /tmp and /var and I'm using Unbound custom option "include:/var/unbound/ad-blacklist.conf". I could like to continue using the conf file in /var since I'm updating the list daily.
At boot, the /var/unbound/ad-blacklist.conf doesn't exist and Unbound won't start.
I'm using a somewhat crude method at startup: using a boot cron script, sleep for a length of time, touch /var/unbound/ad-blacklist.conf, start Unbound, sleep for a little while longer while Unbound starts, then run the rest of the script to download blacklists and create ad-blacklist.conf and restart Unbound again.

Is there any good way to create an empty file, /var/unbound/ad-blacklist.conf or any custom .conf, as Unbound starts ? That way, Unbound starts normally and I only have one re-start of Unbound?

4

General Discussion / Basic question about WAN rules

« on: April 19, 2019, 06:43:30 pm »

I've recently upgraded my home network from a consumer-grade router to OPNsense. So far, so good. I'm using an APU2D4. I've been a Sys Admin managing servers for years.

Just a really basic question about WAN rules.
Since this is for my home network, there will be nothing inbound from the WAN. Default drop for everything on the WAN.
Is there any down-side for having no additional WAN firewall rules (i.e. spamhaus_drop)?
Do I even need to block private networks and bogon networks since default drop should take care of everything?

I have a Sys Admin mentality of doing everything needed, but don't do tasks that you don't need or duplicated tasks for performance reasons. Is there any benefit for processing any WAN rules when I'm going to default drop anyway?
Now, if I were allowing anything inbound (i.e. inbound VPN or inbound to a DMZ), then WAN rules would be needed.
My LAN side has multiple IP blacklists and URL blocking. I'm going to be adding more in the future. I switched to OPNsense to have blacklists and ad-blocking.