IPFire Domain Blocklist ( Suricata - Unbound - Adguard )

Started by yeraycito, February 11, 2026, 06:39:20 PM


My eyes hurt when I open that link... :(

You should have linked to : https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone

Still a lot of RED but just a fraction compared to the link above !!



Seems to work with Pi-Hole too, but not going to use it for now since a lot of websites/companies claim to have the best Block List out there and not all of them are actually that great...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

I am going to try them in AdGuard Home because blocklist management and logging in AGH is great, so why not.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Can we get this integrated into the unbound blocklists?

February 17, 2026, 10:23:47 PM #4 Last Edit: February 17, 2026, 10:35:08 PM by Patrick M. Hausen
Quote from: abraxxa on February 17, 2026, 10:12:14 PM
Can we get this integrated into the unbound blocklists?

You can easily configure it.

- Navigate to https://www.ipfire.org/dbl/how-to-use
- Scroll down to "Plaintext Formats"
- Pick e.g. Domains > Malware

This results in this URL: https://dbl.ipfire.org/lists/malware/domains.txt

In OPNsense navigate to Service > Unbound > Blocklists, click the tiny + to add one, enable advanced mode, enter the URL above into the "URLs of Blocklists" field, add a description, save and apply.

Done. Repeat for more lists as you see fit.

This is what it looks like in AdGuard Home which is what I use. Should work in Unbound all the same.




Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the quick reply!
I wasn't aware of keeping the Type field empty and entering the URL(s) instead.

Reading the IPFire DBL how-to-use docs guided me towards using the 'DNS Request Policy Zone (RPZ)' feature of unbound but I guess this isn't configurable via the OPNsense WebUI?

February 18, 2026, 09:45:53 PM #6 Last Edit: February 18, 2026, 11:34:16 PM by OPNenthu
I've been using these lists for a couple days and I'm a bit confused at how they're supposed to work with Unbound in OPNsense in particular.

For example the domain 'facebook.com' exists in the social list: https://dbl.ipfire.org/lists/social/domains.txt

If I try to resolve 'facebook.com' literally, then it's of course blocked:

$ nslookup facebook.com
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find facebook.com: NXDOMAIN

(note: I specify to return 'NXDOMAIN' in the Unbound policy under Advanced settings)

However, if I resolve subdomains like 'www.facebook.com' these are not blocked:

$ nslookup www.facebook.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
www.facebook.com    canonical name = star-mini.c10r.facebook.com.
Name:    star-mini.c10r.facebook.com
Address: 31.13.66.35
Name:    star-mini.c10r.facebook.com
Address: 2a03:2880:f31d:1:face:b00c:0:25de

And sure enough I can get to Facebook just by appending 'www.' in the browser.

Is this working correctly and I'm just not understanding the reason why the blocklist doesn't also include 'www.facebook.com' or '*.facebook.com'?  Or, is it supposed to block all 'facebook.com' domains and Unbound just isn't working with this format?

It's not the only Unbound DNSBL in this format.  I took a peek at the built-in AdGuard list and it also doesn't use wildcards or 'www.' prefixes, but others (like Hagezi's lists) do.
N5105 | 8/250GB | 4xi226-V | Community

Quote from: abraxxa on February 17, 2026, 10:33:02 PM
Reading the IPFire DBL how-to-use docs guided me towards using the 'DNS Request Policy Zone (RPZ)' feature of unbound but I guess this isn't configurable via the OPNsense WebUI?

Sorry, no idea. As I said I am not using blocklists in Unbound (I gave them a quick try before writing my last reply, though). I can wholeheartedly recommend AdGuard Home.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: OPNenthu on February 18, 2026, 09:45:53 PM
However, if I resolve subdomains like 'www.facebook.com' these are not blocked:


The blocklists will consider a domain as a wildcard if the domain starts with "*." in the downloaded list. In all other cases it does an exact match.
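The matching rule stated in the reply above explains the nslookup results OPNenthu posted earlier (facebook.com blocked, www.facebook.com resolved). The following is an added example, not code from this thread, from OPNsense or from the IPFire DBL project: it parses a constructed plaintext list in the same one-domain-per-line style, applies "exact match unless the entry starts with `*.`" to a set of query names, and shows a helper that rewrites a plain list into wildcard entries for an administrator who wants subdomains covered as well. The assumption that the Unbound blocklist accepts `*.` entries comes only from the last post; the sample list and query names are constructed.

```python
"""Added example (not from the forum thread, OPNsense or IPFire):
simulate how a plaintext domain blocklist is matched when an entry
beginning with "*." is a wildcard and every other entry is an exact match.
"""

# Constructed sample list in the domains.txt style discussed in the thread.
# Comment lines and blank lines are included to exercise the parser.
SAMPLE_LIST = """\
# constructed sample, not the real IPFire DBL content
facebook.com
*.example-tracker.test

ads.example.test
"""


def parse_domain_list(text):
    """Return (exact, wildcard) sets of lowercase names without trailing dots."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.lower().rstrip(".")
        if line.startswith("*."):
            wildcard.add(line[2:])
        else:
            exact.add(line)
    return exact, wildcard


def is_blocked(qname, exact, wildcard):
    """Exact entries match the query name only. Wildcard entries match the
    name itself and any label-aligned subdomain, never a partial label
    (so "*.example.test" does not cover "notexample.test")."""
    name = qname.lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    # Check every label-aligned suffix: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        if ".".join(labels[i:]) in wildcard:
            return True
    return False


def block_decisions(qnames, text=SAMPLE_LIST):
    """Map each query name to True (blocked) or False (resolves normally)."""
    exact, wildcard = parse_domain_list(text)
    return {q: is_blocked(q, exact, wildcard) for q in qnames}


def widen_to_wildcards(text):
    """Rewrite a plain list so every exact entry becomes a "*." wildcard.
    Assumes (per the thread's last post) that the resolver honours "*."
    entries; existing wildcards and comments are passed through unchanged."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("*."):
            out.append(line)
        else:
            out.append("*." + line.lower().rstrip("."))
    return out


if __name__ == "__main__":
    queries = ["facebook.com", "www.facebook.com",
               "cdn.example-tracker.test", "notexample-tracker.test",
               "ads.example.test", "sub.ads.example.test"]
    for q, blocked in block_decisions(queries).items():
        print(f"{q:28s} {'BLOCKED' if blocked else 'resolves'}")
    print("widened:", [l for l in widen_to_wildcards(SAMPLE_LIST) if l])
```

Run as-is, the script reports facebook.com as blocked and www.facebook.com as resolving, exactly the behaviour seen in the thread; after `widen_to_wildcards` the same list would also cover www.facebook.com and every other subdomain, which is the trade-off an administrator chooses when picking an exact-match list like IPFire's over a wildcard list like Hagezi's.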