Unbound DNS Reporting | Whitelisting not working

Started by calboy386, July 03, 2023, 07:14:11 PM

Quote from: kolbyjack on July 31, 2023, 06:40:15 PM
I'm also seeing this behavior looking up a whitelisted host with my Unbound instance on 23.1.  I've even used the whitelist button on /ui/unbound/overview to ensure it's not just an issue with my regex.  The UI recognizes that the host is in the whitelist (the Command column button shows "Block Domain"), but using the DNS Lookup page, I get:

Client: localhost
Type: CNAME
Domain: 05.emailinboundprocessing.com.
Action: Block
Source: Local
Return Code: NOERROR
Blocklist: Blocklist.site Ads
Command: <Block Domain>

Using nslookup from my windows client, I get:
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 05.emailinboundprocessing.com.

Unfortunately, I don't have a separate lab environment where I can just wipe the server and start over

Do you have Unbound configured to flush the cache on reload?  Have you restarted Unbound?

What do your Unbound logs say?

Quote from: CJ on August 01, 2023, 03:42:52 PM
Do you have Unbound configured to flush the cache on reload?  Have you restarted Unbound?

What do your Unbound logs say?

I have it configured to flush on reload, I have restarted it multiple times, and even though I've checked every log-related checkbox on /ui/unbound/advanced and set the Log Level Verbosity to 5, /ui/diagnostics/log/core/resolver says there are no logs.  Am I looking in the wrong place?

It helps if I allow logs to be written to disk.  I have ~1,200 lines of logs for this query now, is there anything specific I should look for? "block" doesn't appear anywhere.

Drop the verbosity back to default, then do a query and see what it says.  You can leave the other boxes regarding logging checked.

There's not much when I reduce the log level back to 1:

[48968:3] query: 127.0.0.1 05.emailinboundprocessing.com. A IN
[48968:3] reply: 127.0.0.1 05.emailinboundprocessing.com. A IN NXDOMAIN 0.246784 0 47
[48968:0] query: 127.0.0.1 05.emailinboundprocessing.com. AAAA IN
[48968:0] reply: 127.0.0.1 05.emailinboundprocessing.com. AAAA IN NXDOMAIN 0.252064 0 47
[48968:3] query: 127.0.0.1 05.emailinboundprocessing.com. MX IN
[48968:3] reply: 127.0.0.1 05.emailinboundprocessing.com. MX IN NOERROR 0.086638 0 167
[48968:1] query: 127.0.0.1 05.emailinboundprocessing.com. TXT IN
[48968:1] reply: 127.0.0.1 05.emailinboundprocessing.com. TXT IN NOERROR 0.093567 0 167

Set your log level to Debug when using the log page.  What shows up when you search for "exclude domains"?

Apologies for the delay in my reply, but once again proving that everyone has a testing environment, a disk failure forced my hand late last week, and after installing 23.7 and restoring my config from a backup, whitelist entries work fine now.

That's interesting, because I believe I've discovered the issue with why it doesn't work with some domains.

https://github.com/opnsense/core/issues/6722

That's what I get for not testing exactly what was failing before.  I didn't reenable Blocklist.site Ads before testing this morning, so I picked a random hostname from Reporting -> Unbound DNS, and that one must not have resolved to a CNAME.
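As an added example (not code from the thread or from OPNsense), here is a small Python filter that reads Unbound query/reply log lines like the ones pasted earlier in the thread and flags replies for allowlisted names that still came back NXDOMAIN, which is how the blocked A/AAAA lookups appear in those lines. The sample log embeds the thread's reply lines plus one constructed, unrelated NOERROR line; the allowlist entries, the field names in the regex and the choice of NXDOMAIN as the "blocked" rcode are assumptions.

```python
import re

# Unbound reply lines with log-replies enabled at verbosity 1, as pasted in the thread:
#   [pid:thread] reply: <client> <qname> <qtype> <qclass> <rcode> <secs> <fromcache> <bytes>
# Field names after rcode are assumed from Unbound's documented reply format.
REPLY_RE = re.compile(
    r"^\[\d+:\d+\] reply: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
    r" (?P<rcode>\S+) (?P<secs>[\d.]+) (?P<fromcache>[01]) (?P<bytes>\d+)$"
)

# Sample input: the four reply lines from the thread plus one constructed,
# unrelated NOERROR reply that the filter must NOT flag.
SAMPLE_LOG = """\
[48968:3] reply: 127.0.0.1 05.emailinboundprocessing.com. A IN NXDOMAIN 0.246784 0 47
[48968:0] reply: 127.0.0.1 05.emailinboundprocessing.com. AAAA IN NXDOMAIN 0.252064 0 47
[48968:3] reply: 127.0.0.1 05.emailinboundprocessing.com. MX IN NOERROR 0.086638 0 167
[48968:1] reply: 127.0.0.1 05.emailinboundprocessing.com. TXT IN NOERROR 0.093567 0 167
[48968:2] reply: 127.0.0.1 example.net. A IN NOERROR 0.010000 1 56
"""


def in_allowlist(qname, allowlist):
    """True if qname equals an allowlisted name or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    for entry in allowlist:
        entry = entry.rstrip(".").lower()
        if name == entry or name.endswith("." + entry):
            return True
    return False


def find_blocked_allowlisted(lines, allowlist, blocked_rcodes=("NXDOMAIN",)):
    """Return reply records for allowlisted names that still got a 'blocked' rcode.
    A non-empty result means the allowlist is not being honoured for that name."""
    hits = []
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # query lines and anything else are ignored
        if m["rcode"] in blocked_rcodes and in_allowlist(m["qname"], allowlist):
            hits.append({"client": m["client"], "qname": m["qname"],
                         "qtype": m["qtype"], "rcode": m["rcode"]})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_allowlisted(SAMPLE_LOG.splitlines(), ["emailinboundprocessing.com"]):
        print("allowlist not honoured:", hit)
```

Run it against a real resolver log (with log-replies enabled) and your own allowlist to see which names are still answered NXDOMAIN after a whitelist change.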