Domains cannot be whitelisted with Unbound

[spacecase-25]

If a domain is contained within a configured blocklist, then it does not appear that there is anyway to whitelist it.  This is despite Unbound clearly being designed to have this functionality... there's a whitelist button right there in the Unbound reporting tab.  I have tried restarting Unbound and it is configured to flush DNS cache on restart.  This functionality appears to be broken.

[sorano]

It works for me, what is the FQDN and how does your whitelist entry look?

[spacecase-25]

It works for me, what is the FQDN and how does your whitelist entry look?

I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

[sorano]

I've never added whitelisted entries from the reporting tab so I wouldn't know.

I add my whitelisted domain in:

Services --> Unbound DNS --> Blocklist
Whitelist Domains: Input FQDN or use regexp.

[CJ]

It works for me, what is the FQDN and how does your whitelist entry look?

I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

I've done this and it does just work.  Under your DNSBL settings, do you see the domain in the whitelist?

[spacecase-25]

It works for me, what is the FQDN and how does your whitelist entry look?

I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

I've done this and it does just work.  Under your DNSBL settings, do you see the domain in the whitelist?

It appears to be.  Is this what you're talking about?

[CJ]

This is interesting.  I did some testing on my server and it appears to be a possible bug with the reporting and/or whitelisting of the DNSBL.

The reason it's not working for you is because of the CNAME.  Once you allowed click.redditmail.com it started resolving.  You can see that in your original screenshot.  The problem is that click.redditmail.com resolves via CNAME to thirdparty.bnc.lt which is also on the blocklist.

Unbound Reporting shows the A and AAAA records being allowed but the CNAME being blocked.  However, it only shows the original click.redditmail.com request, not the resulting CNAME.  Additionally, because of that, there's no option to allow the resulting CNAME query.

As a workaround until this gets looked at, if you do a DNS query you'll get the CNAME for the domain.  You can then add that to your list along with click.redditmail.com and it will work.  However, if the CNAME changes to a different blocked domain, you'll have to go through the whole process again.

https://github.com/opnsense/core/issues/6722

[spacecase-25]

This is interesting.  I did some testing on my server and it appears to be a possible bug with the reporting and/or whitelisting of the DNSBL.

The reason it's not working for you is because of the CNAME.  Once you allowed click.redditmail.com it started resolving.  You can see that in your original screenshot.  The problem is that click.redditmail.com resolves via CNAME to thirdparty.bnc.lt which is also on the blocklist.

Unbound Reporting shows the A and AAAA records being allowed but the CNAME being blocked.  However, it only shows the original click.redditmail.com request, not the resulting CNAME.  Additionally, because of that, there's no option to allow the resulting CNAME query.

As a workaround until this gets looked at, if you do a DNS query you'll get the CNAME for the domain.  You can then add that to your list along with click.redditmail.com and it will work.  However, if the CNAME changes to a different blocked domain, you'll have to go through the whole process again.

https://github.com/opnsense/core/issues/6722

Awesome, thanks for your reply.  What tool do you recommend using to drill down into these DNS queries that are giving me trouble to find the additional domains to whitelist?  Ideally a command line tool for linux.

[CJ]

As I mentioned, anything that does a DNS query will tell you.  On linux you can use dig or nslookup.  You can even just use the DNS Lookup page in OPNSense and do it all in the browser.