Unbound DNS blacklist

Started by Gary7, August 01, 2020, 08:25:32 PM

Quote from: Vaultboy on September 09, 2020, 05:07:04 AM
I have the strangest issue with DNSBL on 20.7.2. Seems that the "enable" checkbox under Services: Unbound DNS: Blacklist is reversed.

When the "enable" checkbox is checked:

1.  /var/unbound/etc/dnsbl.conf is empty
2. /var/unbound/etc/lists.inc has my list source from https://block.energized.pro/ultimate/formats/domains.txt


When the "enable" checkbox is UNchecked:

1.  /var/unbound/etc/dnsbl.conf is populated with entries from https://block.energized.pro/ultimate/formats/domains.txt
2. /var/unbound/etc/lists.inc is blank


Seems that entries from https://block.energized.pro/ultimate/formats/domains.txt resolve to localhost only when the "enable" checkbox is UNchecked. However, when it is checked we resolve names to actual addresses.

Is this expected? Something seems amiss.

Thank you folks!

Seeing the exact same issue on 20.1.9_1

I'm seeing similar inconsistencies when applying changes to blacklists.  It's unclear if saving on the blacklist page reloads the lists or if you need to restart the unbound service from the top page.

I'm also unable to get whitelists to work using a github-hosted text file that contains a list of hosts.  Has anyone been able to get that to work?

Whitelist only works with domains, not a URL from which to retrieve them

OK, got it. The trick is simple: untick and hit Save a couple of times, and optionally watch the size of dnsbl.conf to be sure.

Now I am trying the opposite way, to disable blocking without success:

I disabled all lists and disabled the blocking feature as well; the size of dnsbl.conf is back to zero, OK.
To be sure I restarted unbound, but the client was still unable to resolve one domain I picked from the dnsbl.conf...hmm. I also tried to reboot OPNsense, but the client request was still resolved to 0.0.0.0?

Is it a server or client caching issue somehow, or do the following Unbound options maybe speed that up:
Prefetch Support
and
Prefetch DNS Key Support

What I did not try is to reboot the client after disabling the blocking feature; maybe that's the way to go?


If the conf is empty and unbound restarted it should block anything.



@mimugmail are you able to enter more than 1 domain or regex in the whitelist field and get it to work?

I am having some delays with blacklist within unbound and was hoping for some clarification.  When I select a new list, hitting save doesn't seem to pull an immediate download and update.  Do I also need to restart unbound?  What would trigger an immediate download?

Hi all, just one question. I switched from manual blacklist to the Unbound blacklist feature.

The blacklist entries should be stored in the /var/unbound/etc/dnsbl.conf or I am wrong here?
In my case the file is still empty after enabling the feature, even so all files in /var/unbound/etc/

Where are the entries stored?

br

Hi Mks,

yes, the entries are stored in /var/unbound/etc/dnsbl.conf.

The download or the update is controlled by the file:
/usr/local/opnsense/scripts/unbound/download_blacklists.py

root@xxx:/var/unbound/etc # ls -lsa
total 39416
    4 drwxr-x---  2 unbound  unbound       512 Oct 23 07:16 .
    4 drwxr-xr-x  9 unbound  unbound       512 Oct 25 04:18 ..
    4 -rw-r-----  1 unbound  unbound      1295 Oct 25 04:17 blacklists.ini
39392 -rw-r-----  1 unbound  unbound  40285646 Oct 25 13:21 dnsbl.conf
    4 -rw-r-----  1 unbound  unbound        42 Oct 23 06:21 dnsbl.inc
    0 -rw-r-----  1 unbound  unbound         0 Oct 25 04:17 dot.conf
    4 -rw-r-----  1 unbound  unbound        78 Oct 23 06:21 lists.inc
    0 -rw-r-----  1 unbound  unbound         0 Oct 25 04:17 miscellaneous.conf
    4 -rw-r-----  1 unbound  unbound       106 Oct 23 06:21 whitelist.inc

Greetings meditux
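What the download step leaves in /var/unbound/etc/dnsbl.conf can be checked offline. The following is an added example, not OPNsense's download_blacklists.py and not code posted by anyone in this thread. It assumes the file uses one `local-zone: "<name>" redirect` line plus one `local-data: "<name> A 0.0.0.0"` line per blocked name (an assumption, consistent with the 0.0.0.0 answers reported above but not confirmed by the page), and that the whitelist is a list of regular expressions (also an assumption). The sample blocklist and whitelist are constructed inline; the lookup walks parent labels because an Unbound redirect zone answers for every name below its apex, which is why a blocked `example.com` also takes `www.example.com` with it.

```python
"""Build an Unbound DNSBL fragment from a domain list and look names up in it.

Added example for this thread; not OPNsense's own script. The dnsbl.conf
layout (local-zone redirect + local-data A 0.0.0.0) and the regex whitelist
are assumptions made for the example.
"""
import re

# Constructed sample of a downloaded blocklist: one name per line,
# comments and blank lines allowed, mixed case, one duplicate.
SAMPLE_LIST = """\
# sample blocklist (constructed for this example)
ads.example.com
Tracker.Example.NET

telemetry.example.org
ads.example.com
"""

# Constructed whitelist: regular expressions matched against the whole name.
SAMPLE_WHITELIST = [r"^telemetry\.example\.org$"]


def parse_domain_list(text):
    """Return the unique, lower-cased names in a list file, in file order."""
    names = []
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        # hosts-file style "0.0.0.0 name" lines carry the name in the last field
        name = line.split()[-1]
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


def compile_whitelist(patterns):
    """Compile whitelist regexes; matching is case-insensitive."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def build_dnsbl_conf(names, whitelist):
    """Emit the assumed dnsbl.conf layout, skipping whitelisted names."""
    lines = ["server:"]
    for name in names:
        if any(rx.search(name) for rx in whitelist):
            continue
        lines.append('local-zone: "%s" redirect' % name)
        lines.append('local-data: "%s A 0.0.0.0"' % name)
    return "\n".join(lines) + "\n"


_ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+redirect\s*$')


def redirect_zones(conf_text):
    """Set of zone names declared as redirect zones in a dnsbl.conf fragment."""
    zones = set()
    for line in conf_text.splitlines():
        m = _ZONE_RE.match(line.strip())
        if m:
            zones.add(m.group(1).lower().rstrip("."))
    return zones


def is_blocked(qname, zones):
    """True if qname or any parent of it is a redirect zone.

    A redirect local-zone answers for the apex and every name under it,
    so a zone for example.com also sends www.example.com to 0.0.0.0.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


if __name__ == "__main__":
    conf = build_dnsbl_conf(parse_domain_list(SAMPLE_LIST),
                            compile_whitelist(SAMPLE_WHITELIST))
    print(conf)
    zones = redirect_zones(conf)
    for q in ("ads.example.com", "cdn.ads.example.com",
              "telemetry.example.org", "example.com"):
        print("%-25s %s" % (q, "blocked" if is_blocked(q, zones) else "resolves"))
```

To check a live box against the same logic, feed the real file to `redirect_zones(open("/var/unbound/etc/dnsbl.conf").read())` and compare `is_blocked()` with what `drill` or `dig` returns from the client; a name the function says is blocked but that still resolves to a public address means Unbound has not loaded the current file.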

Ok thanks!

Just doublechecked, it works.

br

I am running v20.7.4 and I have a fundamental question/issue with Unbound blacklist.

In Services:Unbound DNS:Blacklist, I enable lists, select lists, and Save.  /var/unbound/etc/dnsbl.conf is created/updated
In System:Settings:Cron, add "Download Unbound DNSBLs and restart" which will execute "/usr/local/sbin/configctl unbound dnsbl". /var/unbound/etc/dnsbl.conf is created/updated

However, Unbound is not updated. New blacklist is not loaded into Unbound. Either adding or removing blacklist entries.

I have to stop & restart Unbound in Lobby:Dashboard. This is not desirable.
Or
In a shell, execute "/usr/local/sbin/configctl unbound reload"

If /var/unbound/etc/dnsbl.conf is null, "/usr/local/sbin/configctl unbound reload" reloads immediately. If /var/unbound/etc/dnsbl.conf has a lot of entries, Unbound takes a while to reload the new dnsbl.conf as expected.

Am I missing something?

A related very minor detail in Services:Unbound DNS:Blacklist: With no lists enabled, hit "Save" and it returns immediately. With multiple lists enabled, hit "Save" and the animation of the Save button never ends even after dnsbl.conf is created.

On a somewhat related item:
I am using a PCEngines apu2 and using memory file system for /var & /tmp.
At bootup, is there a recommended way to execute "/usr/local/sbin/configctl unbound dnsbl" or equivalent and create dnsbl.conf? Then, execute "/usr/local/sbin/configctl unbound reload"?
In /etc/crontab @reboot, I could simply run a little script that sleeps for a while to let everything start and then execute the 2 commands.

Thanks
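One way to sequence the two commands from the post above so the reload only runs once dnsbl.conf has finished being written. This is an added example and not part of OPNsense or of any post in this thread. It assumes the `configctl unbound dnsbl` and `configctl unbound reload` actions exist exactly as the poster names them, and it treats "file size unchanged for a couple of seconds" as "download finished", which is a heuristic chosen for the example rather than anything the project documents. The sleep and size functions are injectable so the settle logic can be exercised without a real file or clock.

```python
"""Refresh Unbound DNSBLs and reload only after dnsbl.conf has settled.

Added example for this thread, not OPNsense code. Assumes the configctl
actions "unbound dnsbl" and "unbound reload" as named in the post above.
"""
import os
import subprocess
import time

CONFIGCTL = "/usr/local/sbin/configctl"
DNSBL_CONF = "/var/unbound/etc/dnsbl.conf"


def run(cmd):
    """Run a command, return its stripped stdout, raise on non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def file_size(path):
    """Size of path in bytes, or -1 if it does not exist yet."""
    try:
        return os.path.getsize(path)
    except OSError:
        return -1


def wait_for_settled_file(path, settle=2.0, timeout=120.0,
                          sleep=time.sleep, size=file_size):
    """Block until path exists and its size is unchanged for `settle` seconds.

    Returns the final size or raises TimeoutError. A missing file (size -1)
    never counts as settled, so the reload is not fired on an absent file.
    """
    step = 0.5
    waited = 0.0
    stable_for = 0.0
    last = size(path)
    while waited < timeout:
        sleep(step)
        waited += step
        cur = size(path)
        if cur >= 0 and cur == last:
            stable_for += step
            if stable_for >= settle:
                return cur
        else:
            stable_for = 0.0
        last = cur
    raise TimeoutError("%s did not settle within %.0fs" % (path, timeout))


def refresh_dnsbl(runner=run, waiter=wait_for_settled_file):
    """Download the lists, wait for dnsbl.conf to settle, then reload Unbound.

    Returns the size of dnsbl.conf at the moment the reload was issued.
    """
    runner([CONFIGCTL, "unbound", "dnsbl"])
    final_size = waiter(DNSBL_CONF)
    runner([CONFIGCTL, "unbound", "reload"])
    return final_size


if __name__ == "__main__":
    print("reloaded with dnsbl.conf at %d bytes" % refresh_dnsbl())
```

For the memory-backed /var case described above, this script is a candidate for the @reboot crontab entry the poster mentions: the wait replaces the fixed sleep, and a zero-byte result means the download step produced nothing, which is worth logging before the reload rather than after.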

I found this blacklist, it looks interesting. There are duplicate domains but a lot are new compared to Unbound's list (~700,000+)


https://dbl.oisd.nl/


Ciao

I am experiencing this problem.

However, it seems that when I hit apply, the little animated ellipsis shows up. If I leave it alone in this state for a while until it returns, then it works. If I select away to a different menu item it breaks it.