Basic bind question

Started by paradox55, July 07, 2019, 10:27:28 PM

I'd like to use the DNSBL in bind, but want to continue using unbound as my DNS server. BIND has a dns-forward option, but it's very specific about it only being for unknown dns queries.

Ideally, I'd like it to go like so for every DNS query:

BIND (53) / DNSBL -> Unbound (port 5353) / ad-blacklist, domain blacklist config files, etc -> DNSSEC/TLS via port 853 to 1.1.1.1

Would setting dns-forward in bind be all I need to do?


Quote from: mimugmail on July 08, 2019, 06:01:32 AM
Why not use the dnscrypt plugin and DoH?

dnscrypt w/wo DoH stopped working constantly and needed to be restarted each time. So, the plugin seems a little borked.

Besides, unbound is great with TLS. It would be nice if it had the same DNSBL that bind/dnscrypt have, though.

I had a report that the daemon always crashes when you have IPv6 enabled in the plugin but not on the interface.
I'm using it at home perfectly fine all the time.

Quote from: mimugmail on July 08, 2019, 03:31:20 PM
I had a report that the daemon always crashes when you have IPv6 enabled in the plugin but not on the interface.
I'm using it at home perfectly fine all the time.

I'm pretty sure it was disabled on the plugin side as well.

I'm just going to go make a feature request in 19.7 for DNSBL on Unbound. Thanks for taking the time to reply though!

Quote from: paradox55 on July 08, 2019, 04:31:10 PM

I'm just going to go make a feature request in 19.7 for DNSBL on Unbound. Thanks for taking the time to reply though!

You'd not be the first one :)

Quote from: mimugmail on July 08, 2019, 04:32:49 PM
Quote from: paradox55 on July 08, 2019, 04:31:10 PM

I'm just going to go make a feature request in 19.7 for DNSBL on Unbound. Thanks for taking the time to reply though!

You'd not be the first one :)

So I'm not exactly familiar with how DNSBL works. This - https://github.com/oznu/dns-zone-blacklist/tree/master/unbound - for unbound does the same thing as the DNSBL on bind/dnscrypt, correct?

If so, it probably wouldn't be hard to convert the existing blacklists into unbound format, yeah?

Yep, but the hardest part is building a plugin around it so you can manage it via GUI.

Quote from: mimugmail on July 08, 2019, 04:57:39 PM
Yep, but the hardest part is building a plugin around it so you can manage it via GUI.

I ended up bypassing bind and making a bash script to convert blacklists into unbound format. I now have basically all of the pihole blacklists running.

My only concern is how large blacklists may impact performance and whether it would be a better idea to run them in a ramdisk.
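The conversion paradox55 describes (hosts-format pihole lists into unbound format), as an added example that is not the poster's script or the oznu project's code: a POSIX shell function that emits one `local-zone` directive per unique hostname, skipping comments, loopback names and malformed labels. The `always_nxdomain` zone type (unbound 1.6 or newer) and the sample list are my assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): convert hosts-format blocklists into
# unbound "local-zone" directives. Assumes lines of the form "0.0.0.0 host",
# "127.0.0.1 host" or a bare "host"; always_nxdomain needs unbound >= 1.6.

# hosts_to_unbound: read blocklist lines on stdin, write unbound directives
# to stdout, one per unique hostname, in first-seen order.
hosts_to_unbound() {
    awk '
        { sub(/\r$/, ""); sub(/#.*/, "") }          # drop CR and comments
        NF == 0 { next }                            # skip blank lines
        # hosts-file lines carry an address first; bare lists do not
        NF >= 2 && $1 ~ /^[0-9.:]+$/ { host = $2 }
        NF >= 2 && $1 !~ /^[0-9.:]+$/ { host = $1 }
        NF == 1 { host = $1 }
        { host = tolower(host) }
        host ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/ { next }
        host ~ /^[0-9.:]+$/ { next }                # an address, not a name
        host !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ { next }   # malformed label
        !seen[host]++ { printf "local-zone: \"%s.\" always_nxdomain\n", host }
    '
}

# blocklist_to_conf: merge every blocklist file given as an argument into one
# include file for unbound.conf and report how many zones it contains.
blocklist_to_conf() {
    out="$1"; shift
    cat "$@" | hosts_to_unbound > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample input for demonstration (not a real list).
SAMPLE_LIST='# constructed sample, hosts format
0.0.0.0 ads.example.com
127.0.0.1 Tracker.Example.net # trailing comment
0.0.0.0 ads.example.com
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 0.0.0.0
bare.example.org
-bad.example.com'

# When run directly, print the directives generated for the sample list.
printf '%s\n' "$SAMPLE_LIST" | hosts_to_unbound
```

Include the generated file from unbound.conf and run `unbound-checkconf` before reloading; a large list costs memory at load time, which is the performance question raised above.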