Unbound not resolving Microsoft domains

Started by nerf, September 28, 2023, 10:19:13 AM

Hello,
I was having the same issue.
Brand new installation, only DHCP configured, using OpenDNS as the DNS IPs. Unbound DNS was at the most absolute default configuration possible (brand new install and server).

My test computer connected on the LAN side could go on the internet, it could actually search for updates, but couldn't download the updates. And I couldn't figure out why until I found this post: somehow the blocklist is activated and is actively blocking some Microsoft websites despite being unchecked (bing, msn, outlook, microsoft.com...). I had to whitelist those for the updates to work.


Quote from: newsense on September 29, 2023, 08:32:13 AM
Some lists in the blocklist section will even block Microsoft updates, seems like you're in that situation.

If that's not the case your upstream DNS is doing something weird, and you should consider encrypting all your queries outbound

Quote from: CJ on October 01, 2023, 03:11:14 PM
Can you post a screenshot of your DNSBL page with advanced turned on and one of the Unbound reporting screen?

Quote from: Patrick M. Hausen on November 07, 2023, 02:53:01 PM
Are you using blocklists? If you do there most probably is no "issue". Microsoft domains frequently end up on blocklists, all the more so if you pull in a lot of them managed by volunteers.

Disable all block lists. Working now? If yes, then it's one of the blocklists, none of which are managed by the OPNsense project and none of which can be fixed by the OPNsense project.

If no, then we have an issue.

Still not clear which lists are enabled at all, but there are some built-in blocklists that explicitly block Microsoft stuff:

  • WindowsSpyBlocker (spy)
  • WindowsSpyBlocker (update)
  • WindowsSpyBlocker (extra)

If one simply enables all blocklists without reading, this may lead to the described behaviour too.

More details on these lists can be found here: https://crazymax.dev/WindowsSpyBlocker/blocking-rules/
For the extra list it explicitly says:
Quote: ONLY use if you know what you do
Be aware that these rules can also block Windows Update and other services.
Therefore, no support will be provided on them.


Quote from: marunjar on January 12, 2024, 03:54:19 PM
Still not clear which lists are enabled at all, but there are some built-in blocklists that explicitly block Microsoft stuff:

  • WindowsSpyBlocker (spy)
  • WindowsSpyBlocker (update)
  • WindowsSpyBlocker (extra)

While that's true, I think a lot of these cases are due to the way the current blocklist implementation handles CNAMEs. If the blocklist itself is actively blocking the initial query it's relatively easy to troubleshoot.
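The CNAME point in the reply above, as an added illustration that is not part of any post in this thread and not OPNsense or Unbound code: a blocklist hit that fires only on a CNAME target, so the name the client actually queried never appears on any list. All hostnames, blocklist entries and CNAME records below are constructed placeholders, and the parent-domain matching rule is an assumption about how a host-based blocklist is applied.

```python
"""Walk a CNAME chain and report which hop, if any, a DNS blocklist matches.

Constructed example for troubleshooting: the queried name is clean, but a CNAME
target further down the chain is on the list, which is what makes such blocks
hard to spot from the original query alone.
"""

# Constructed blocklist entries, as a flat host-based list would carry them.
BLOCKLIST = {
    "telemetry.example-tracker.net",
    "cdn-edge.example-blocked.com",
}

# Constructed CNAME records (owner name -> target), as a resolver would see them.
CNAME_RECORDS = {
    "updates.example-vendor.com": "updates-cdn.example-vendor.com",
    "updates-cdn.example-vendor.com": "cdn-edge.example-blocked.com",
    "www.example-vendor.com": "www-edge.example-vendor.com",
}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Assumed rule: a name matches if it or any parent label set is listed
    (the bare TLD is never checked)."""
    labels = _norm(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def cname_chain(name: str, records=CNAME_RECORDS, max_hops: int = 8) -> list:
    """Follow CNAME records from the queried name; stop on a loop or hop limit."""
    chain = [_norm(name)]
    while chain[-1] in records and len(chain) <= max_hops:
        target = _norm(records[chain[-1]])
        if target in chain:  # CNAME loop, stop rather than spin
            break
        chain.append(target)
    return chain


def blocked_in_chain(name: str, blocklist=BLOCKLIST, records=CNAME_RECORDS):
    """Return (first blocked hop or None, full chain) for a queried name."""
    chain = cname_chain(name, records)
    for hop in chain:
        if is_blocked(hop, blocklist):
            return hop, chain
    return None, chain
```

Run `blocked_in_chain("updates.example-vendor.com")` to see the third hop flagged while the queried name itself is clean; that is the case worth checking first when a blocklist is "unchecked" yet a site still fails.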