DNSBL and additional features Plugin for Unbound

Started by tillsense, September 05, 2019, 07:55:00 PM


Hi

@mimugmail

Maybe you could also add the option to add "views" to Unbound; that would be great.

br

When I find time, yes. Can you remind me in a few weeks? :)

Quote from: pkernstock on May 04, 2020, 03:52:06 PM
The funny thing is, I sent exactly the same feedback to @mimugmail via Twitter, as the form doesn't accept "#" or hostnames in the field.

At the moment I've worked around it by modifying the config file directly (to be honest I don't know if that's persistent across reboots):

# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io


Soooo....yeah, it does not survive a reboot...oh well.

Quote from: mrancier on May 05, 2020, 02:47:56 PM

Soooo....yeah, it does not survive a reboot...oh well.

If you place those lines in Unbound DNS --> General --> Custom Options, it will survive a reboot.
OPNsense 20.7.4
SuperMicro SuperServer E300-8D (primary WAN)
Protectli Vault FW1 (secondary WAN)
TRENDnet TEG-30284

Thank you for the reply. I do know that using the Custom Options box works around this issue. I was hoping to be able to keep the DoT config separate...for OCD reasons. Thanks, though.

Sorry to bring this up again, but has there been any progress in the logging functionality surrounding blocked queries?

Quote from: magno101 on May 05, 2020, 09:40:48 PM
Sorry to bring this up again, but has there been any progress in the logging functionality surrounding blocked queries?

No, I have no idea how this should work.

What is the syntax for whitelisting domains? I tried adding one, but it did not seem to work.

Thanks.


Quote from: mimugmail on May 03, 2020, 11:31:17 AM
Hi,

It replaces them all with 0.0.0.0:

https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py#L111

@mimugmail -
Would it be possible to add an option to reply with NXDOMAIN instead of 0.0.0.0? That's what the BIND DNSBL does, and just looking anecdotally at my page loads, it seems to be faster than trying to connect to a broadcast address or loopback address and waiting for TCP to fail.

BIND uses RPZ for this, which is exclusive to it.
If you know how to achieve this within Unbound there might be a chance.

You'll get the NXDOMAIN response if you enable the commented-out line:
file.write('local-zone: "' + str(line) + '" static\n')

This is also how Adblock in OpenWRT does it.
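As an added example (not the plugin's own code; its actual lines are in the linked dnsbl.py), the following Python generates both answer styles from a hosts-style blocklist: the `local-zone ... static` form quoted above, which yields NXDOMAIN, and a `redirect` zone with `local-data` A/AAAA records, which is an assumption about how Unbound is made to answer 0.0.0.0. The whitelist handling and the sample list are constructed for the example and are not the plugin's syntax.

```python
# Constructed sample blocklist in hosts format (not taken from the plugin or any real feed)
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net  # trailing comment
0.0.0.0 localhost
example.org
"""

# hosts-style feeds commonly carry their own loopback entries; these must never be blocked
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_blocklist(text):
    """Extract hostnames from a hosts-style ('0.0.0.0 name') or plain-domain blocklist."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        host = fields[1] if len(fields) > 1 else fields[0]
        host = host.lower().rstrip(".")
        if host in LOCAL_NAMES:
            continue
        domains.add(host)
    return domains


def render_unbound(domains, whitelist=(), mode="redirect"):
    """Emit Unbound config lines for the given block domains.

    mode="static":   'local-zone: "<name>" static' -> Unbound answers NXDOMAIN
    mode="redirect": 'local-zone: "<name>" redirect' plus local-data records
                     -> Unbound answers 0.0.0.0 / :: (assumed pattern, see lead-in)
    Whitelisted names are skipped so they resolve normally (assumed behaviour).
    """
    skip = {w.lower().rstrip(".") for w in whitelist}
    lines = []
    for d in sorted(domains):
        if d in skip:
            continue
        if mode == "static":
            lines.append(f'local-zone: "{d}" static')
        else:
            lines.append(f'local-zone: "{d}" redirect')
            lines.append(f'local-data: "{d} A 0.0.0.0"')
            lines.append(f'local-data: "{d} AAAA ::"')
    return "\n".join(lines) + "\n"
```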

Hi,

Any chance of getting this plug-in working in 20.7? Right now there is a conflict with the opnsense-devel package...

Joerg


I am using DoT; however, now I am about to install my backup ISP connection, and I am wondering if that will kind of screw things up. My reason for asking is that when you add a second WAN (multi-WAN: https://docs.opnsense.org/manual/how-tos/multiwan.html ) you also specify a 2nd DNS, and I cannot figure out in my head how this is supposed to work with DoT. And how does one set up the firewall rules? Port 53 should not be used I guess, only 853? Or am I missing something?