Unbound DNS Blocklist and DNS over TLS - Blocklist doesn't seem to work

Started by cynicalApples7, August 28, 2022, 09:50:26 PM

Forgive me, I am completely new to this. If this is a trivial "issue" that has been posted many times before, I apologise.

And I've just finished my first install and completed the wizard. I am trying to use Unbound DNS Blocklist together with DNS over TLS. And I don't think it is working.

If I view the Unbound DNS log file, I have entries like:

Informational unbound [65312:0] info: 192.168.2.10 pagead2.googlesyndication.com. A IN
Informational unbound [65312:0] info: 192.168.2.10 pagead2.googlesyndication.com. HTTPS IN

This is my setup.

I have not set a DNS server in "Services: DHCPv4: [LAN]" or in "System: Settings: General". I have unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN".

In "Services: Unbound DNS: General" I have enabled DNSSEC Support.

In "Services: Unbound DNS: DNS over TLS" I have configured 4 Quad9 DNS servers.

9.9.9.9 853 dns.quad9.net
149.112.112.112 853 dns.quad9.net
2620:fe::9 853 dns.quad9.net
2620:fe::fe 853 dns.quad9.net
I have enabled "Services: Unbound DNS: Blocklist" with the following filter lists: AdGuard List, Blocklist.site Facebook, EasyList, EasyPrivacy, Steven Black List, WindowsSpyBlocker (spy), WindowsSpyBlocker (update), WindowsSpyBlocker (extra).

Isn't that correct? Have I misconfigured something?

I am pretty sure that one of the filter lists above should block that google ad domain?

What port did you use in Listen Port (Unbound DNS: General) ?
And did you select the correct Network Interface?

Can you check from the client directly? From a PC it is easy.
From one of my client PCs:
dig pagead2.googlesyndication.com

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> pagead2.googlesyndication.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40815
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pagead2.googlesyndication.com. IN A

;; ANSWER SECTION:
pagead2.googlesyndication.com. 10 IN A 0.0.0.0

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sun Aug 28 20:59:21 BST 2022
;; MSG SIZE  rcvd: 74

You see, the 0.0.0.0 response means it was sinkholed. I'm using the Adguard list only for this check, so the list does block it *by plain DNS on port 53*.
It could be that the client is sending the query over DNS over HTTPS though. I'm not sure if that's what that log entry says.
P.S. I don't use Unbound block lists. I use the AdGuardHome plugin.

Quote from: Spoonman2002 on August 28, 2022, 10:08:19 PM
What port did you use in Listen Port (Unbound DNS: General) ?
And did you select the correct Network Interface?

The Listen Port is 53. Should it be 853?
I use the All Interfaces (recommended)

Quote from: Spoonman2002 on August 28, 2022, 10:33:17 PM
Linux client: dig pagead2.googlesyndication.com
Windows client: nslookup pagead2.googlesyndication.com
:) :)
; <<>> DiG 9.10.6 <<>> pagead2.googlesyndication.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pagead2.googlesyndication.com. IN A

;; ANSWER SECTION:
pagead2.googlesyndication.com. 3600 IN A 0.0.0.0

;; Query time: 84 msec
;; SERVER: 192.168.2.10#53(192.168.2.10)
;; WHEN: Mon Aug 29 06:48:13 CEST 2022
;; MSG SIZE  rcvd: 74

Listen Port 53 is correct.
I have multiple VLANs and I select the one I need in the dropdown menu.

did you UNcheck: Do not use the local DNS service as a nameserver for this system (System:Settings:General)

Quote from: cynicalApples7 on August 29, 2022, 06:50:24 AM
Quote from: Spoonman2002 on August 28, 2022, 10:33:17 PM
Linux client: dig pagead2.googlesyndication.com
Windows client: nslookup pagead2.googlesyndication.com
:) :)
; <<>> DiG 9.10.6 <<>> pagead2.googlesyndication.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pagead2.googlesyndication.com. IN A

;; ANSWER SECTION:
pagead2.googlesyndication.com. 3600 IN A 0.0.0.0

;; Query time: 84 msec
;; SERVER: 192.168.2.10#53(192.168.2.10)
;; WHEN: Mon Aug 29 06:48:13 CEST 2022
;; MSG SIZE  rcvd: 74

OK, so your blocking is working for that client at least. You probably want to verify other clients and whether any are using DoT or DoH, which your blocklist won't stop. You are likely going to need to do packet captures for that at the firewall.
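One way to do the capture-side check this reply recommends, as an added example that is not from the thread or from OPNsense: run `tcpdump -n` on the LAN interface with the filter below, then feed the text to this script, which flags clients sending plain DNS to anything other than the firewall, DNS over TLS on 853, or TCP 443 to a DoH-capable public resolver. The firewall address, the resolver set and the sample capture are assumptions/constructed data, not values from the thread.

```python
import re
import sys
from collections import defaultdict

# Assumptions (hypothetical, adjust to your network): the firewall's LAN
# address, the only resolver clients should be talking to, and a small
# illustrative set of public resolvers that also serve DoH on port 443.
FIREWALL_IP = "192.168.2.10"
DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# BPF filter so the capture only contains the traffic this check needs.
TCPDUMP_FILTER = "port 53 or port 853 or (port 443 and (%s))" % " or ".join(
    "host " + ip for ip in sorted(DOH_RESOLVERS))

# Matches the start of a `tcpdump -n` line: "time IP src.sport > dst.dport:"
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>[\w.:]+)\.(?P<sport>\d+) > (?P<dst>[\w.:]+)\.(?P<dport>\d+):")

def classify(line):
    """Return (client, reason) when the line shows a client resolving names
    without going through the firewall's Unbound, else None."""
    m = LINE_RE.match(line)
    if not m or m["src"] == FIREWALL_IP:   # the firewall's own upstream DoT is expected
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dport == 53 and dst != FIREWALL_IP:
        return src, "plain DNS to %s bypasses the firewall resolver" % dst
    if dport == 853:
        return src, "DNS over TLS to %s" % dst
    if dport == 443 and dst in DOH_RESOLVERS:
        return src, "TCP 443 to DoH-capable resolver %s (possible DoH)" % dst
    return None

def find_bypassing_clients(capture_text):
    """Map each client IP to the list of bypass findings seen in the capture."""
    findings = defaultdict(list)
    for line in capture_text.splitlines():
        hit = classify(line)
        if hit:
            findings[hit[0]].append(hit[1])
    return dict(findings)

# Constructed sample capture (not real traffic) in `tcpdump -n` output format.
SAMPLE_CAPTURE = """\
21:50:01.000001 IP 192.168.2.50.51234 > 192.168.2.10.53: 4011+ A? pagead2.googlesyndication.com. (47)
21:50:01.000002 IP 192.168.2.10.44321 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
21:50:02.000003 IP 192.168.2.51.51235 > 8.8.8.8.53: 4012+ A? pagead2.googlesyndication.com. (47)
21:50:03.000004 IP 192.168.2.52.51236 > 1.1.1.1.443: Flags [S], seq 2, win 65535, length 0
21:50:04.000005 IP 192.168.2.53.51237 > 9.9.9.9.853: Flags [S], seq 3, win 65535, length 0
21:50:05.000006 IP 192.168.2.50.51238 > 203.0.113.7.443: Flags [S], seq 4, win 65535, length 0
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for client, reasons in sorted(find_bypassing_clients(text).items()):
        print(client, "->", "; ".join(reasons))
```

A 443 hit is only a hint, since those resolvers also host ordinary web content; a plain-DNS or 853 hit from a LAN client is the clearer sign the blocklist is being bypassed.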

Quote from: Spoonman2002 on August 29, 2022, 02:06:23 PM
did you UNcheck: Do not use the local DNS service as a nameserver for this system (System:Settings:General)

Yes :)