DNS Whitelist still being blocked (Unbound)

Started by breimer273, February 19, 2025, 09:47:45 PM

February 19, 2025, 09:47:45 PM Last Edit: February 20, 2025, 09:20:51 PM by breimer273 Reason: Reopening
Hello,
Having some trouble figuring out the white list for Unbound. I'm using hagezi's blocklists and those are working great. However, I am trying to access patc.net (known good site) but it is blocked on the blocklists. No problem. I'll add it to the whitelist. However, I still can't get it to resolve. Here's what I'm seeing (Reporting -> Unbound -> Details):

2025-02-19 15:39:51    192.168.6.111    A    patc.net.    Pass    Recursion    NOERROR    331ms    600         
2025-02-19 15:39:51    192.168.6.111    CNAME    www.patc.net.    Block    Local    NXDOMAIN    150ms    0    [hagezi] Badware Hoster blocking   
2025-02-19 15:26:28    192.168.6.111    CNAME    www.patc.net.    Block    Local    NXDOMAIN    137ms    0    [hagezi] Badware Hoster blocking   
2025-02-19 15:26:27    192.168.6.111    A    patc.net.    Pass    Recursion    NOERROR    213ms    600         

Whitelist:
www.patc.net.
www.patc.net
patc.net.
patc.net

Solved. I had to dig into the domain a bit more. Found that it was actually a CNAME that was being blocked. Added that to the white list and it appears to be working now.

Ok, I'm back again. Apparently it still is not working. Same results as above. Now my white list contains the CNAME addresses. The CNAME is what is on the block list. But I'm still being blocked. Whitelist now:

www.patc.net.
www.patc.net
patc.net.
patc.net
s.multiscreensite.com
s.multiscreensite.com.
global.multiscreensite.com
global.multiscreensite.com.

Here's the dig for context. The domain multiscreensite[.]com is on the blocklist. So the query for www[.]patc[.]net is being blocked but I would like it to NOT be blocked.

%dig www.patc.net @8.8.8.8

; <<>> DiG 9.10.6 <<>> www.patc.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26938
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.patc.net.            IN    A

;; ANSWER SECTION:
www.patc.net.        300    IN    CNAME    s.multiscreensite.com.
s.multiscreensite.com.    300    IN    CNAME    global.multiscreensite.com.
global.multiscreensite.com. 60    IN    CNAME    a3c02b2530d6f27ca.awsglobalaccelerator.com.
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 99.83.169.22
a3c02b2530d6f27ca.awsglobalaccelerator.com. 49 IN A 75.2.0.180

;; Query time: 155 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 20 15:06:10 EST 2025
;; MSG SIZE  rcvd: 182
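
The dig output shows why this is tricky: the query name www.patc.net is never itself on a list, but it aliases through two multiscreensite.com hosts, and the list entry is the parent domain multiscreensite.com. The following Python is an added example, not OPNsense's or Unbound's own code, that walks such a CNAME chain and evaluates it against a blocklist under two assumed whitelist policies: one that removes matching entries from the blocklist (so an exact subdomain entry never removes a parent-domain entry), and one that checks the whitelist against every name in the chain. The records and the blocklist entry are constructed from this thread; treating whitelist entries as regular expressions is an assumption drawn from the `(^|.*\.)...$` workaround posted later in the thread.

```python
"""Simplified model of blocklist + whitelist evaluation over a CNAME chain.

Added example; NOT OPNsense's or Unbound's implementation. Assumptions:
  1. a list entry covers the name and every subdomain of it;
  2. whitelist entries are regular expressions (inferred from the workaround);
  3. the whitelist may be applied either to list entries or to queried names.
"""
import re

# Constructed from the dig output quoted in the thread (trailing dots dropped).
RECORDS = {
    "www.patc.net": ("CNAME", "s.multiscreensite.com"),
    "s.multiscreensite.com": ("CNAME", "global.multiscreensite.com"),
    "global.multiscreensite.com": ("CNAME", "a3c02b2530d6f27ca.awsglobalaccelerator.com"),
    "a3c02b2530d6f27ca.awsglobalaccelerator.com": ("A", "99.83.169.22"),
}

# Sample blocklist: the thread states multiscreensite.com is on the Hagezi list.
BLOCKLIST = {"multiscreensite.com"}


def norm(name):
    """Lower-case and drop the trailing dot so 'patc.net.' equals 'patc.net'."""
    return name.strip().lower().rstrip(".")


def cname_chain(qname, records=RECORDS, max_hops=16):
    """Names visited while following CNAMEs from qname, with loop protection."""
    chain = [norm(qname)]
    seen = set(chain)
    for _ in range(max_hops):
        rtype, target = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            break
        target = norm(target)
        if target in seen:          # CNAME loop: stop rather than spin
            break
        chain.append(target)
        seen.add(target)
    return chain


def listed_parent(name, blocklist):
    """Return the blocklist entry covering name (itself or a parent), or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def compile_whitelist(entries):
    """Whitelist entries are compiled as regexes (assumption, see docstring)."""
    return [re.compile(norm(e)) for e in entries]


def evaluate(qname, whitelist, policy, blocklist=BLOCKLIST, records=RECORDS):
    """Return ('Pass', None, None) or ('Block', offending_name, blocklist_entry).

    policy='list'  : whitelist removes matching *entries* from the blocklist.
    policy='query' : whitelist is tested against each *name in the chain*.
    """
    patterns = compile_whitelist(whitelist)

    def allowed(n):
        return any(p.fullmatch(n) for p in patterns)

    if policy == "list":
        blocklist = {d for d in blocklist if not allowed(d)}
    for name in cname_chain(qname, records):
        entry = listed_parent(name, blocklist)
        if entry and (policy == "list" or not allowed(name)):
            return ("Block", name, entry)
    return ("Pass", None, None)


if __name__ == "__main__":
    first = ["www.patc.net.", "www.patc.net", "patc.net.", "patc.net"]
    second = first + ["s.multiscreensite.com", "s.multiscreensite.com.",
                      "global.multiscreensite.com", "global.multiscreensite.com."]
    regex = [r"(^|.*\.)multiscreensite\.com$"]
    for label, wl in (("first", first), ("second", second), ("regex", regex)):
        for policy in ("list", "query"):
            print(f"{label:6} {policy:5} -> {evaluate('www.patc.net', wl, policy)}")
```

Under the list-filtering policy the second whitelist still blocks, because no entry matches the actual list line multiscreensite.com; only a pattern that matches that parent entry (or the parent itself) removes it. Under the per-name policy the second whitelist passes. Which of the two a given resolver implements is exactly what determines whether whitelisting the CNAME targets is enough, so checking the chain with dig and then whitelisting the listed parent (or a pattern covering it) is the reliable move.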

March 18, 2025, 07:10:46 PM #3 Last Edit: March 19, 2025, 03:51:18 AM by r111
I'm having the same problem: domains on the whitelist are still blocked. For example, the domain api.qustodio.com is blocked by the Hagezi Pro++ list, and it remains blocked when I add this exact domain to my whitelist. I'm running OPNsense 25.1.3-amd64.

Edit: I found a solution, or at least a workaround, on reddit:

https://www.reddit.com/r/opnsense/comments/1e5tj5g/unbound_dns_blocklist_whitelisted_domains_not/

Instead of whitelisting api.qustodio.com I whitelisted (^|.*\.)api.qustodio.com$ and flushed the cache.

This is a known issue with the way the Unbound blocking is handled. There have been talks about how to fix it but no one has had the time.

https://github.com/opnsense/core/issues/6722

https://forum.opnsense.org/index.php?topic=35218.msg171068#msg171068