Unbound DNS Reporting | Whitelisting not working

[calboy386]

Version 23.1.11

I have read several other posts that seem to be related, but have not really seen a resolution.  Since the previous post is > 120d, I am starting a new one.

I have a fresh install and have enabled DNSBL and everything is working as expected.  Except we are blocking xbox due to login.live.com being included in one of the lists.  I see it blocked on the reports.  To whitelist it, I have tried entering (multiple versions of) the name and have also clicked the 'Whitelist Domain' button next to the 'Top Blocked Domains' in the Unbound DNS reporting page - which just adds it to the whitelist I already tried - but :shrug:. 

Regardless, the domain continues to be blocked even after the whitelisting.

Any help is appreciated.  I am fairly new to the OPNsense community so if my question(s) sound newbie-ish, my apologies up front.

[CJ]

How long are you waiting after trying?  How are you checking the whitelist?  What machines, OS, tools, etc are you testing with?

What happens when you use the DNS Lookup page in OPNSense?  Have you made any changes besides enabling the DNSBL and DNS Reporting?

What happens if you disable the DNSBL?

[calboy386]

Thank you for the response.  Just FYI, I have 2 OPNsense setups.  One I am using - live - for my household.  And one in a lab.  I am seeing the behavior in both.

I am waiting just a minute or so after Applying and then restarting Unbound. (update: I waited over an hour - just to see if it mattered - it did not).
If I click on the 'add to whitelist' in the reporting, yes the domain shows up in the whitelist - list.
I am using Linux Mint for testing - both 'dig' and 'nslookup'.  I am also using a browser to open sites.
I added a specific destination address in the Blocklist config, so I can definately tell when Unbound DNS is giving me a blocked response.
If I disable DNSBL, or even untic one of the lists, it works as designed.

Using nslookup, I noticed the whilelisted domain gets no response, versus the 10.10.10.10 I would expect to see.

(broken whitelist)
$ nslookup login.live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
*** Can't find login.live.com: No answer

(non-blocked domain)
$ nslookup live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   live.com
Address: 204.79.197.212

(normal blocked domain)
$ nslookup penthouse.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   penthouse.com
Address: 10.10.10.10

[calboy386]

I installed Wireshark and this might be a clue.  "Cannot handle DNSSEC security RRs".  I will research about DNSSEC and OPNsense/Unbound and see what I can find.

-M

Frame 41: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) on interface 0
    Interface id: 0 (wlp2s0)
        Interface name: wlp2s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  4, 2023 15:55:27.994215369 CDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1688504127.994215369 seconds
    [Time delta from previous captured frame: 0.031023893 seconds]
    [Time delta from previous displayed frame: 0.031023893 seconds]
    [Time since reference or first frame: 3.385878928 seconds]
    Frame Number: 41
    Frame Length: 85 bytes (680 bits)
    Capture Length: 85 bytes (680 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: b0:6a:41:ec:cc:80 (b0:6a:41:ec:cc:80), Dst: IntelCor_25:cb:32 (80:00:0b:-:-:-)
    Destination: IntelCor_25:cb:32 (80:00:0b:-:-:-)
        Address: IntelCor_25:cb:32 (80:00:0b:-:-:-)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: b0:6a:41:-:-:- (b0:6a:41:-:-:-)
        Address: b0:6a:41:-:-:- (b0:6a:41:-:-:-)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.x.x, Dst: 192.168.x.x
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 71
    Identification: 0xaa0a (43530)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x627f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.x.1
    Destination: 192.168.x.202
User Datagram Protocol, Src Port: 53, Dst Port: 58392
    Source Port: 53
    Destination Port: 58392
    Length: 51
    Checksum: 0x33f3 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 2]
Domain Name System (response)
    Transaction ID: 0xb909
    Flags: 0x8580 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        login.live.com: type A, class IN
            Name: login.live.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Request In: 40]
    [Time: 0.031023893 seconds]

[CJ]

Thank you for the response.  Just FYI, I have 2 OPNsense setups.  One I am using - live - for my household.  And one in a lab.  I am seeing the behavior in both.

I am waiting just a minute or so after Applying and then restarting Unbound. (update: I waited over an hour - just to see if it mattered - it did not).
If I click on the 'add to whitelist' in the reporting, yes the domain shows up in the whitelist - list.
I am using Linux Mint for testing - both 'dig' and 'nslookup'.  I am also using a browser to open sites.
I added a specific destination address in the Blocklist config, so I can definately tell when Unbound DNS is giving me a blocked response.
If I disable DNSBL, or even untic one of the lists, it works as designed.

Using nslookup, I noticed the whilelisted domain gets no response, versus the 10.10.10.10 I would expect to see.

(broken whitelist)
$ nslookup login.live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
*** Can't find login.live.com: No answer

(non-blocked domain)
$ nslookup live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   live.com
Address: 204.79.197.212

(normal blocked domain)
$ nslookup penthouse.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   penthouse.com
Address: 10.10.10.10

Why are you expecting to see 10.10.10.10?  The DNSBL should be returning 0.0.0.0.  It seems like you're setup is more than just a clean install plus DNSBL.

Also, 127.0.0.53 is the local DNS cache on your Mint.  What happens if you add your OPNSense IP to query it directly?

Lastly, what happens when you use the DNS Lookup page in the OPNSense UI?

[calboy386]

I had modified Unbound to return the 10.10.10.10. 

So I've been working on this for days.

1) reset OPNsense to defaults, set DNS to 1.1.1.1, enable resolver, DNSSEC, and harden DNSSEC, time server = Chicago
2) verify DNS works from OPNsense and Mint test server - everything works as expected.
3) add one domain under Blocklist/Blocklist Domains (penthouse.com)
4) client host dig returns 0.0.0.0 - as expected
5) remove pentouse.com (Clear All) from Blocklist Domains, Apply, restart Unbound
6) now every query returns SERVERFAIL from the client (tried clearing DNS cache, tried different tools - nslookup, host, etc)
7) But OPNsense drill returns correctly

Nothing I have tried fixes this.  Unbound is just broken and every lookup from the client returns SERVERFAIL.

I am downloading a FreeBSD ISO to build a new clinet in the lab to test with. 
 

[calboy386]

I get the same from FreeBSD (see attached).  It *appears* to be Unbound on OPNsense. 

[calboy386]

Ok, I (re)installed OPNsense from ISO on a new VM and it is having trouble resolving before any blocklists are enabled/disabled.  Keep in mind this is a lab, which is behind another 'production' OPNsense.

It is plain vanilla, with the exception of bogon and private networks being allowed in the WAN config.

But if I login to the shell and run ....

1) drill @1.1.1.1 penthouse.com ; it returns correctly.  This leads me to believe I am getting thru the prod OPNsense w/o issue.
2) drill @127.0.0.1 penthouse.com ' returns SERVFAIL.  As does any domain name.

I am nearly positive this is somehow my lack of understanding.  So thank you for your patience. 

[CJ]

I had modified Unbound to return the 10.10.10.10. 

Right.  I forgot that functionality was added.

Ok, I (re)installed OPNsense from ISO on a new VM and it is having trouble resolving before any blocklists are enabled/disabled.  Keep in mind this is a lab, which is behind another 'production' OPNsense.

Okay, that's good.  It means that we can build this out one piece at a time to determine what the issue is.  I assume that you are the production OPNSense admin as well?

It is plain vanilla, with the exception of bogon and private networks being allowed in the WAN config.

I don't think you need to change those settings in order to test.  IIRC, I didn't disable them when I set up my VMs.

But if I login to the shell and run ....

1) drill @1.1.1.1 penthouse.com ; it returns correctly.  This leads me to believe I am getting thru the prod OPNsense w/o issue.
2) drill @127.0.0.1 penthouse.com ' returns SERVFAIL.  As does any domain name.

Okay, let's not worry about drill.  Go to the Interfaces -> Diagnostics -> DNS Lookup page.  What gets returned if you search for google.com?  What about penthouse.com?

I am nearly positive this is somehow my lack of understanding.  So thank you for your patience.

No problem.  We just need to make sure to take slow, reproducible steps so that I can make sure I understand your setup and where it's breaking.  Right now you're kind of flailing about and it's hard to determine where the actual problem lies.

[calboy386]

Yes, I am the admin of the prod instance as well. 

Using the built in GUI tools, I get valid responses for both google and penthouse.  It defaults to the DNS I have configured on the device, 1.1.1.1

[CJ]

Yes, I am the admin of the prod instance as well. 

Using the built in GUI tools, I get valid responses for both google and penthouse.  It defaults to the DNS I have configured on the device, 1.1.1.1

You're only getting a response from 1.1.1.1?  Nothing from 127.0.0.1?  Is 1.1.1.1 the only DNS you have configured?

What happens if you put 127.0.0.1 in the Server box and repeat the lookups?

What do you have under these sections?

System -> Settings -> General -> Networking section
Services -> Unbound -> Query Forwarding
Services -> Unbound -> DNS over TLS

[calboy386]

Sorry for the delay, I was rolling around in the dirt with my kids (camping) the last several days.

You're only getting a response from 1.1.1.1?  Nothing from 127.0.0.1?  Is 1.1.1.1 the only DNS you have configured?

What happens if you put 127.0.0.1 in the Server box and repeat the lookups?

Yes, 1.1.1.1 is the only DNS server configures.  If I use 127.0.0.1 and resolve google.com in the GUI, I get nothing.  No response.  No error.

What do you have under these sections?

System -> Settings -> General -> Networking section

Just the 1.1.1.1 - everything else is blank or unchecked.

Services -> Unbound -> Query Forwarding

Nothing

Services -> Unbound -> DNS over TLS

Nothing

Obviously the Query Forward needed to be configured.  So I checked the "use system DNS servers" and google.com (and penthouse.com) is now resolving.  I had this checked before, but stated "I'm a bit all over the place".

So I enabled DNSBL for porn, and penthouse.com now returns 0.0.0.0 as expected. 
Then I added penthouse.com to the whitelist and it is resolving again, while other sites still return 0.0.0.0 - as expected.

So I must have had some wonky setting somewhere that I 'fixed' by factory resetting.  And once we realized I needed to add the forward back in - viola.  All is well in my kingdom. 

Thank you for the patience and support. 

[CJ]

That's odd.  Because Unbound should have been resolving using the root DNS servers.

Do you have either of the DNS server options checked in System -> Settings -> General?

Also, you should add the second Cloudflare DNS server at least, or better off, set up DoT to the Cloudflare servers.

https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/

If you're not using any upstream filtering you may also want to add some other providers so you don't have a single point of failure.

[kolbyjack]

I'm also seeing this behavior looking up a whitelisted host with my Unbound instance on 23.1.  I've even used the whitelist button on /ui/unbound/overview to ensure it's not just an issue with my regex.  The UI recognizes that the host is in the whitelist (the Command column button shows "Block Domain"), but using the DNS Lookup page, I get:

Client: localhost
Type: CNAME
Domain: 05.emailinboundprocessing.com.
Action: Block
Source: Local
Return Code: NOERROR
Blocklist: Blocklist.site Ads
Command: <Block Domain>

Using nslookup from my windows client, I get:
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 05.emailinboundprocessing.com.

Unfortunately, I don't have a separate lab environment where I can just wipe the server and start over

[Patrick M. Hausen]

You can use this for a clean test installation:

https://github.com/punktDe/vagrant-opnsense