DNSBL and additional features Plugin for Unbound

Started by tillsense, September 05, 2019, 07:55:00 PM


Thank you for your efforts! Is DoH also on the roadmap?



I'm just starting to 'play' with this extra Unbound plugin. I had a question though: would it be possible to test the DNSBL on just one of the interfaces? Now it seems like it is a global option. I would like to try/test some new features on just one of the VLANs I have on my OPNsense fw. Thanks for looking into this...


Do you know of any plans to make it available on only a subset of the interfaces?


Quote from: brinm00 on April 15, 2020, 04:21:52 PM
Do you know of any plans to make it available on only a subset of the interfaces?
As a sort of a workaround you could bind unbound (with blacklists) only to one interface and dnsmasq on the others.

As a rather newbie on OPNsense this might be the wrong way to ask, however if one never asks, one will never learn :-)

Question: So I like this extension. Any chance there will be an option for setting which IP address to redirect any requests to?

Background: I know there are a lot of lists out there; some use an IP like 0.0.0.0, some others seem to like 127.1.1.1, or anything we simply do not have control over, so to say. So what IP is this plugin redirecting all requests to - the one in the list, or one specified somewhere - and if it is configurable, where do I set this?

My plan is to somehow include https://github.com/kvic-z/pixelserv-tls, which I guess would be even better if it was somehow integrated with this package. @kvic might be able to help out?


Superb :-) I can alter that file myself. However, it would be great if that were possible to set via a parameter in the GUI some day :-)

Is there a way to add a hostname to the configuration of DoT servers? This is necessary for TLS authentication for NextDNS.io or BlockerDNS.com. It also enables the ability to configure blacklists and whitelists on NextDNS.io.

The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):

# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io
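As an added example (not the plugin's or any poster's code) for the TLS-authentication point raised above: a small Python audit that parses an Unbound forward-zone config and flags forward-addr entries that lack the IP#hostname auth name, TLS zones without a CA bundle, and zones that forward in plaintext. The sample config, IPs and hostnames below are constructed for illustration.

```python
"""Audit an Unbound forward-zone config for DNS-over-TLS authentication.

Without an "IP#hostname" auth name on forward-addr (and a CA bundle via
tls-cert-bundle or tls-system-cert), Unbound encrypts the connection but
cannot verify which upstream it is talking to.
"""

# Constructed sample: one TLS forwarder with, and one without, an auth name.
SAMPLE = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0
  forward-addr: 45.90.28.0#dns1.example.invalid
"""


def parse(text):
    """Return (server_options, zones); each is a dict of key -> list of values."""
    server, zones, section = {}, [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):   # blank or whole-line comment
            continue
        if not raw[0].isspace() and stripped.endswith(":"):  # clause header
            section = stripped[:-1]
            if section == "forward-zone":
                zones.append({})
            continue
        # Split on the first ':' only; '#' inside values is the auth name, not a comment.
        key, _, val = stripped.partition(":")
        target = server if section == "server" else zones[-1] if section == "forward-zone" else None
        if target is not None:
            target.setdefault(key.strip(), []).append(val.strip())
    return server, zones


def audit(text):
    """Return a list of human-readable findings; empty means every forwarder is authenticated."""
    server, zones = parse(text)
    findings = []
    has_ca = "tls-cert-bundle" in server or server.get("tls-system-cert", ["no"])[-1] == "yes"
    for zone in zones:
        name = zone.get("name", ["?"])[-1]
        if zone.get("forward-tls-upstream", ["no"])[-1] != "yes":
            findings.append(f"zone {name}: forward-tls-upstream is off, queries leave in plaintext")
            continue
        if not has_ca:
            findings.append(f"zone {name}: TLS enabled but no tls-cert-bundle/tls-system-cert, certificates cannot be validated")
        for addr in zone.get("forward-addr", []):
            if "#" not in addr:
                findings.append(f"zone {name}: {addr} has no #authname, upstream certificate is not verified")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```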

Quote from: pkernstock on May 04, 2020, 03:52:06 PM
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):

# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io


I figured this would be the case, if momentarily, but I would rather do this than send naked queries or have to use their NextDNS CLI client, which is still in its infancy. Thank you so much. Hope @mimugmail gets around to adding this functionality to the plugin.