Unbound - DNSBL exclusions for DNS over TLS Servers

Started by Tubs, October 11, 2020, 11:39:22 AM

Previous topic - Next topic
Hello,

it is possible in unbound plugin to define DNSBL addresses as exclusions for DNS over TLS Servers?

I am using opnsense box with unbound as primary DNS server. My mail server with spam filter and DNSBL also is using this box as DNS server. When I used to direct resolve the domain all was fine. But since I changed to use DNS over TLS with Cloudflare server may mail server cannot use all DNSBL list any longer.

Defining exclusion list in unbound is my first idea. Alternatively, setup bind on opnsense additionally for DNBS only or setup an dedicated DNS server directly on the mail server.

Hi
maybe you can work with overwrites and set the list as DNS entries there.
There is also a whitelist in Unbound which would exclude the DNSBL from these entries.

good luck.
armin
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

Quote from: ArminF on October 11, 2020, 02:06:27 PM
maybe you can work with overwrites and set the list as DNS entries there.
A workaround that could help. I will try out.

Quote
There is also a whitelist in Unbound which would exclude the DNSBL from these entries.
Here I am not sure what you are talking about. There is a white list called "private domains". But my understanding is that this will disable the filter to block return of local IP addresses (e. g. 127.0.0.x) as typically used by DNSBL as response. Or are you talking about a different setting?

Whitelisting on the Blacklist Section.
This should skip the DNSBl for these domains and route all.

So maybe you can exclude your domain here.

good luck!
a
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

Quote from: ArminF on October 12, 2020, 09:05:16 PM
Whitelisting on the Blacklist Section.

OK. Now we are talking about two different things. I was not talking about the DNSBL function of the unbund plugin. My issue is related to to another server using DNBS and as DNS server my opnsense box with unbound plugin and DoT to a big anycast resolver.

My question is if I can define expeditions for unbound not to use the DoT connection for certain addresses and resolve these addressed by its own.

Sorry got you wrong.
I don't think you can split the mail server to use "normal" DNS and for the rest DNS over TLS with unbound.
Afaik the fallback would use 53 but only if no 853 is reachable.

Firewall rule to point your mailserver to another DNS or install a forwarder to you ISP ones on the mailserver direct. And for client use the unbound? Would that be an idea?

Maybe some other guys have better ideas! Keep fingers crossed.
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

If you want to keep using DNSBL then you have to use unencrypted DNS, unbound can't read encrypted requests.

You can setup your outbound to be full recursive to there is no need to use other forwarders?

Quote from: Tubs on October 13, 2020, 02:26:39 PM
Quote from: ArminF on October 12, 2020, 09:05:16 PM
Whitelisting on the Blacklist Section.

OK. Now we are talking about two different things. I was not talking about the DNSBL function of the unbund plugin. My issue is related to to another server using DNBS and as DNS server my opnsense box with unbound plugin and DoT to a big anycast resolver.

My question is if I can define expeditions for unbound not to use the DoT connection for certain addresses and resolve these addressed by its own.

Quote from: ArminF on October 13, 2020, 10:02:44 PM
Firewall rule to point your mailserver to another DNS or install a forwarder to you ISP ones on the mailserver direct. And for client use the unbound? Would that be an idea?

Yes, that is more or less what I already described in my first post as possible solutions.
(1) resolver on mail server directly
(2) point mail server to other DNS. My idea additional bind on OPNsense.

As "split functionality" of unbound act as resolver resolver for one host and act as DoT forwarder for everything else is not possible, that's it.