Unbound DNSBL, bypass for specific IPs

[slackadelic]

In the past I was able to create custom views within the command line and aded to /usr/local/etc/unbound.opnsense.d, however, that's when it was utilizing the dnsbl.conf directly.

Has anyone else attempted this?   All I see usable would be dnsbl.json, but when added to a custom .conf file unbound won't start.



This is the preliminary test:

server:
    access-control-view: 192.168.1.2/32 bypass
    access-control-view: 192.168.1.0/24 dnsbl
view:
    name: "bypass"
    view-first: yes
view:
    name: "dnsbl"
    view-first: yes
    include: /data/dnsbl.json




Any input would be appreciated!

Thank you!

[EdwinKM]

Somewhat related but requested for an entire interface/network: https://github.com/opnsense/core/issues/5712#issuecomment-1404083849

[slackadelic]

Appreciate the response, but that is a bit different.   

Right now I'm just curious what line I need to use in the 'include' so I can setup a custom view for DNSBL and have a bypass view.  It should work, but I need to know what to tie to since dnsbl.conf is empty and doesn't appear to be used, python module appears to utilize .json but not sure how Unbound handles that or even if it does handle it.

[Fright]

@slackadelic
i dont think its possible now with unbound views. unbound knows nothing about dnsbl now.
dnsbl.json does not have the unbound format - it specificaly formated for dnsbl_module that handles requests. unbound just passes request to this module at some moment and receive result (simplistically speaking).
so i think you could open a ticket and ask devs to implement some "client WL"

[slackadelic]

I see.. I'm curious why the format would change without a fall back or a way to export the given results to a properly formatted file?  I guarantee I'm not the only one who would like to use views for this type of thing..

[Fright]

I can't speak for the devs, but I wouldn't keep backwards compatibility in this case either - there were enough problems with the old way the dnsbls worked, and a combination of the two would guarantee a headache. At first glance, it seems to me that adding client WLs is quite feasible, and perhaps more flexible than with views. so imho  such a ticket has a chance of success)

[slackadelic]

When you say has a chance of being done, is that with the python module or is it something I can do from the command line?

[Fright]

I did not find in unbound ways to use different values of the module-config option for different clients. so yes - in the py module

[slackadelic]

Is this something I should submit a feature request on github for?

[bbin]

Some thoughts/suggestions:

With the way I tend to use dnsbl, it would be ideal to have the dnsbl selection be configured on a per bl basis, with the ability to target/exempt the bl based upon IP, range, network, or alias.  The adlist targeting in pihole provides a great example here; in pihole, you create groups in the "Clients" module and then can target adlists using the "Group assignment" function.

My current configuration uses pihole as the DNS resolver that is handed out to DHCP clients, and opnsense unbound is used as the upstream DNS server for pihole.  If I had the ability to easily add custom blocklists and target blocklists individually, I would get rid of my pihole.

[slackadelic]

My solution at this time: I run Adguard Home from the plugins right on OPNsense on port 53.  I then have Unbound running on port 5353.

Adguard is what clients get via DHCP etc.   If I need to bypass the block list, I just use policy-based rules in the firewall and redirect the clients to port 5353 rather than 53.

[gspannu]

My solution at this time: I run Adguard Home from the plugins right on OPNsense on port 53.  I then have Unbound running on port 5353.

Adguard is what clients get via DHCP etc.   If I need to bypass the block list, I just use policy-based rules in the firewall and redirect the clients to port 5353 rather than 53.

Would you mind sharing the firewall rule that you use for this behaviour?
Some details needed.... newbie here !

I have the same setup as you (AdGuard running on Port 53; and forwarding to Unbound on Port 5353 as recursive resolver)

I have a client that I wish to bypass adblocking:
Router IP: 192.168.1.1 running AGH as main DNS resolver.
Unbound: Running as recursive on port 5353
Client IP (need to bypass): 192.168.1.81

For the time being, I have just done the bypass of AdBlocking in AdGuardHome client settings.

[Bunch]

My solution at this time: I run Adguard Home from the plugins right on OPNsense on port 53.  I then have Unbound running on port 5353.

Adguard is what clients get via DHCP etc.   If I need to bypass the block list, I just use policy-based rules in the firewall and redirect the clients to port 5353 rather than 53.

Would you mind sharing the firewall rule that you use for this behaviour?
Some details needed.... newbie here !

I have the same setup as you (AdGuard running on Port 53; and forwarding to Unbound on Port 5353 as recursive resolver)

I have a client that I wish to bypass adblocking:
Router IP: 192.168.1.1 running AGH as main DNS resolver.
Unbound: Running as recursive on port 5353
Client IP (need to bypass): 192.168.1.81

For the time being, I have just done the bypass of AdBlocking in AdGuardHome client settings.

Assume you have set your AdGuardHome working with AdBlock function

Currently you want 192.168.1.81 to bypass AdBlock (but I assume you will want to add more IP later)
You may skip step 1 if you think you will never add more IPs

1. Firewall: Aliases, Create Alias with
Type: Host(s)
Content: List of IPs you want to bypass (192.168.1.81)
Name: ByPassAdBlock

2. Firewall: NAT: Port Forward, Create new rule
Interface: LAN (assume the 192.168.1.81 is in LAN interface)
TCP/IP Version: IPv4
Protocol: UDP
Source: ByPassAdBlock
Destination: any
Destination port range: DNS to DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353

[gspannu]

Assume you have set your AdGuardHome working with AdBlock function

Currently you want 192.168.1.81 to bypass AdBlock (but I assume you will want to add more IP later)
You may skip step 1 if you think you will never add more IPs

1. Firewall: Aliases, Create Alias with
Type: Host(s)
Content: List of IPs you want to bypass (192.168.1.81)
Name: ByPassAdBlock

2. Firewall: NAT: Port Forward, Create new rule
Interface: LAN (assume the 192.168.1.81 is in LAN interface)
TCP/IP Version: IPv4
Protocol: UDP
Source: ByPassAdBlock
Destination: any
Destination port range: DNS to DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353

Thanks... 👍
This works, much appreciated....

------------------------------------------------------
Could I ask another related question?

I have created a IPsec EAP-MSCHAP VPN server on the OPNsense.
Set this up as per instructions in the OPNsense manual and firewall rules as suggested.

OPNsense address: 192.168.1.1
VPN pool: 10.10.10.1/24
VPN DNS server: 192.168.1.1 (as I want all DNS resolution to happen through OPNsense)

What works...
I am able to connect to the server from my mobile clients (when not at home) and browse the internet (with traffic flowing through OPNsense). All works well, with DNS resolution and browsing.
This is with OPNsense using Unbound or DNSmasq as default resolver on Port 53.

What does not work...
However, when I use AGH as the default resolver (AGH -> Unbound @5353) - my VPN clients can no longer browse the internet anymore !

AGH is listening on default 0.0.0.0:53 (as default as specified in the yaml file).
-----------------------------------------------------------

For some reason, VPN clients are unable to access Internet when using AGH, but work fine when I use Unbound/DNSmasq.

VPN clients can access LAN clients in both scenarios, it is just the internet that drops while using AGH.

Any ideas as to what additional firewall rule I need to ensure that my VPN clients (10.10.10.0/24) can use OPNsense DNS server (AGH) and have all traffic routed through OPNsense as well?

Thanks...

[Bunch]

I has another pair of port forward rules set to IPsec Interface in my VPS, don't know rather this can apply to your case
As I'm still using Legacy configuration in that setup , and there is no LAN interface in that setup too

1. Firewall: Aliases, Create Alias with
Type: Host(s)
Content: DDNS of my router
Name: MyIP

2. Firewall: NAT: Port Forward, Create new rule
Interface: IPSEC
TCP/IP Version: IPv4
Protocol: UDP
Source: any
Destination: any
Destination port range: DNS to DNS
Redirect target IP: MyIP
Redirect target port: 53