Blocking specific TLD

[Vilhonator]

Don't know how many are aware, but google just released bunch of new TLDs (or at least started advertise them) couple of days ago.

Among those TLDs were .zip (yes, DOT ZIP) and .mov TLDs. So my question is, is there a way to setup alias to collect all .zip domains or setup unbound to block them?

[CJ]

From what little I've seen the only way to do so involves either messing with the unbound config files or running a different/additional dns server.

Your best bet is to put in a feature request for it.

[lilsense]

I use pihole to do this with regex.

something like this:
\.(zip|mov)$

[Vilhonator]

I use pihole to do this with regex.

something like this:
\.(zip|mov)$

Yea that was first thing I looked into, but I'm looking for option to block something that runs on my OpnSense, since I would have to un-install OpnSense and replace it with something that supports pi-hole and that's not going to happen.

Might have to check if SNORT or Suricata has that option

[lilsense]

no need to uninstall OPNsense. you can install bhyve and run a pihole vm on the OPNsense similar to the OpenWRT discussion on this forum.

ref:
Bhyve on OPNsense for virtualization in 2023
HOWTO: Setup OpenWRT Virtual Machine on OPNsense and use it to manage a WiFi AP

[spacecase-25]

How can this be done without installing pihole?

[zan]

Easiest way in unbound is create domain override for 'zip' and point it to blackhole.

In AdGuardHome you can put this in Filter>Custom filtering rules:

Code: [Select]

||*.zip^

[JasMan]

I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP, which refuse (not block!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).

[CJ]

I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP, which refuse (not block!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).

Nice.  I like it.

[Kawachiller]

Thx for the solution!

I had the same question, and I found a solution (more a workaround) by adding a domain override into Unbound.

1. Go to Services: Unbound DNS: Overrides -> Domain Overrides
2. Add a new entry with the following values
    Domain: zip
    IP: 0.0.0.0

This will forward all domain queries for the TLD zip to the nameserver IP 0.0.0.0, and the queries will run into a timeout.
If you experience performance issues due to waiting for the timeout, you can change the IP to an existing internal IP, which refuse (not block!) DNS queries on port 53.

A query forwarding will also work (Services: Unbound DNS: Query Forwarding).