Unbound blocklists do not block subdomains

[lifepillar]

I am using Unbound on OPNsense 22.1.6. I have enabled blocklists and added Steven Black list. On my local machine, I try if it works:

$ dig 44chan.me

; <<>> DiG 9.10.6 <<>> 44chan.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;44chan.me.         IN   A

;; ANSWER SECTION:
44chan.me.      3600   IN   A   0.0.0.0

So far, so good. However, Unbound still resolves subdomains of blocked domains:

$ dig cz.44chan.me

; <<>> DiG 9.10.6 <<>> cz.44chan.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cz.44chan.me.         IN   A

;; ANSWER SECTION:
cz.44chan.me.      14400   IN   A   72.52.178.23

Looking at the blocklists, I see thar there are entries of the type: local-data "<domain> 0.0.0.0". I have tried to change them to local-zone: "<domain>" always_nxdomain and then it blocks also subdomains. Is the current behaviour intentional? Could it be changed as I suggest?

[zerwes]

I would prefer the usage of
local-zone: "donaldtrump.com" redirect
local-data: "donaldtrump.com A 0.0.0.0"
in order to block duck.donaldtrump.com and f... and s... etc…
As it will have the same behavior of returning 0.0.0.0 instead of NXDOMAIN ...

[lifepillar]

Thanks for the tip!

I'm afraid, however, that my changes are overridden as soon as the blocklist is updated. Is there a way to tweak OPNsense to block subdomains by default?

[zerwes]

I have implemented this in our ansible role for unbound + dnsbl (https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound)
If I find the time, I can open a PR, or if you like, you can do this too .. the main lines are https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound/blob/main/templates/unbound-dnsbl-updater.py.j2#L82:L96 ... it is open source ...

[lifepillar]

Cool, thanks! I'll try it later today!

[lifepillar]

I've monkey-patched my installation, and it works. Thanks!

As for the PR, I think that this would address my issue: https://github.com/opnsense/core/pull/5152. Unfortunately, it's still open, but hopefully it will be merged soon.