25.7.8 Unbound blocklist source nets

Started by gpfountz, November 26, 2025, 08:28:30 PM

After upgrading to 25.7.8, I configured unbound's blocklist's source nets to include my LAN and IoT networks, excluding my GUEST network.  The problem is as soon as someone on the guest network does a lookup of a blocked domain, that domain's IP lookup is cached. After this, that blocked domain's IPs are served to my LAN.

Is there a solution for this?  I know I can use a different DNS server for my GUEST network. That is what I was doing before the source nets feature was added to 25.7.8.

Thanks in advance!

Unfortunately I'm seeing the same effect. Once a domain is cached by a user in a source net that is allowed access, the users from a source net that is blocked can now retrieve the cached result. It seems that source net blocking only blocks recursive DNS, not cached DNS. :(

What happens if you disable the caches?

Advanced->Message Cache Size = 0
Advanced->RRset Cache Size = 0

I'll second this!

I've done quite a bit of testing, moving from AdGuard Home to unbound and its BLs. Even using the same BLs, with the URLs added to unbound to make them identical, I'm still getting ads coming through when using unbound that I don't when using AdGuard Home.
A restart of OPNsense also doesn't appear to make any difference, nor does clearing the local client DNS cache and browser cache or rebooting the client.

I'll give it a second go after the next upgrade

One solution for distributing blocklists across your networks is to use RPZ.
The problem is that you have to do it manually in /usr/local/etc/unbound.opnsense.d
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html
** ¯\_(ツ)_/¯ **  C'est la vie  ** ¯\_(ツ)_/¯ **
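As an added illustration (not from the thread and not OPNsense's own generated config), this is what a per-network RPZ drop-in under /usr/local/etc/unbound.opnsense.d could look like, using Unbound's RPZ `tags` option so the policy only applies to tagged client networks. The file name, subnets, tag name and zone file path are assumptions; the zone file is a standard RPZ zone (SOA and NS at the apex) that you maintain yourself.

```conf
# Added example; assumed drop-in: /usr/local/etc/unbound.opnsense.d/rpz.conf
server:
  # RPZ is implemented by the response-IP module, which must run first.
  module-config: "respip validator iterator"

  # Tag the networks that should be filtered (placeholder subnets for
  # LAN and IoT). The guest subnet gets no tag, so the policy below is
  # not applied to its queries. The netblocks are assumed to already be
  # allowed to query via access-control entries.
  define-tag: "filtered"
  access-control-tag: 192.168.1.0/24 "filtered"
  access-control-tag: 192.168.2.0/24 "filtered"

rpz:
  name: "blocklist.rpz"
  # Assumed zone file in RPZ format; owner names are relative to the
  # zone origin, e.g.:
  #   ads.example    CNAME .
  #   *.ads.example  CNAME .
  zonefile: "/var/unbound/blocklist.rpz"
  # Only clients carrying the tag are subject to this policy.
  tags: "filtered"
  # Return NXDOMAIN whatever action the zone entries encode.
  rpz-action-override: nxdomain
  # Log hits with the client address so per-network behaviour can be checked.
  rpz-log: yes
  rpz-log-name: "blocklist"
```

Verify with `unbound-checkconf` before restarting, then confirm from a tagged and an untagged host that only the tagged one receives NXDOMAIN for a listed name.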

November 30, 2025, 09:30:29 PM #5 Last Edit: December 01, 2025, 12:57:15 AM by OPNenthu
I haven't enabled the per-network DNSBL on my end as of yet, but for those who are seeing this: are you using dynamic IPv6 prefixes? I'm looking at the Source Nets field and I don't know how you would even configure it for e.g. IA_PD.

AFAIK, we don't (yet) have any mechanism to track those for use in form fields like this.  Am I misinformed, or is this feature presently limited to IPv4 and IPv6 networks where the prefixes are not changing?

In any case: https://github.com/opnsense/core/issues/9474

Thanks for filing the issue.

In my case, all my clients are assigned only an IPv4 address for the DNS server, so no IPv6 issues here.

My thoughts are that we need to query the blocklist prior to querying the cache and blocklist results should not update the cache.  Not sure what a change like this would do to performance.

December 01, 2025, 07:23:07 PM #7 Last Edit: December 01, 2025, 07:26:50 PM by OPNenthu
The good news is it looks like a fix was quickly proposed in the ticket and it involves not caching domains which have a blocklist policy (I think on any network).  If I understand correctly, the performance hit would then be limited to lookups in which the domain is blocked by another network's policy.

So, basically, ads and other garbage would be served more slowly on unfiltered networks :-)  I can live with that.

Unfortunately the feature is still a non-starter for me, personally, if dynamic IPv6 prefixes aren't handled.  There's a feature request to add dynamic prefix type Aliases (https://github.com/opnsense/core/issues/7000), but I still don't see any way to configure those types of networks in UI forms that require text input rather than Aliases.  Is this something being worked on in OPNsense in order to make IA_PD more usable?

The alias support wouldn't help with Unbound, though. It's a situation where the ISPs and software authors involved said: we don't care and the user or integrator can script it, which leads to dissatisfaction as much as satisfaction.

For one you'd need to invent a suffix notation that includes the interface and the netmask:

::123:0:0:0:0/64%lan

And then you need to translate it all the time and support it seamlessly across an inhomogeneous software landscape?

Cheers,
Franco