Domains cannot be whitelisted with Unbound

Started by spacecase-25, August 05, 2023, 02:31:50 AM

August 05, 2023, 02:31:50 AM Last Edit: August 05, 2023, 02:34:58 AM by spacecase-25
If a domain is contained within a configured blocklist, then it does not appear that there is any way to whitelist it. This is despite Unbound clearly being designed to have this functionality... there's a whitelist button right there in the Unbound reporting tab. I have tried restarting Unbound and it is configured to flush DNS cache on restart. This functionality appears to be broken.


It works for me, what is the FQDN and how does your whitelist entry look?
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: sorano on August 05, 2023, 03:15:05 PM
It works for me, what is the FQDN and how does your whitelist entry look?
I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

I've never added whitelisted entries from the reporting tab so I wouldn't know.

I add my whitelisted domain in:

Services --> Unbound DNS --> Blocklist
Whitelist Domains: Input FQDN or use regexp.

Quote from: spacecase-25 on August 05, 2023, 10:10:04 PM
Quote from: sorano on August 05, 2023, 03:15:05 PM
It works for me, what is the FQDN and how does your whitelist entry look?
I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

I've done this and it does just work.  Under your DNSBL settings, do you see the domain in the whitelist?

Quote from: CJ on August 06, 2023, 03:18:59 PM
Quote from: spacecase-25 on August 05, 2023, 10:10:04 PM
Quote from: sorano on August 05, 2023, 03:15:05 PM
It works for me, what is the FQDN and how does your whitelist entry look?
I clicked the whitelist button next to the entry under the details panel.  One would think that would just work, no?

I've done this and it does just work.  Under your DNSBL settings, do you see the domain in the whitelist?
It appears to be.  Is this what you're talking about?


August 07, 2023, 04:09:19 PM #6 Last Edit: August 07, 2023, 04:33:47 PM by CJ
This is interesting.  I did some testing on my server and it appears to be a possible bug with the reporting and/or whitelisting of the DNSBL.

The reason it's not working for you is because of the CNAME.  Once you allowed click.redditmail.com it started resolving.  You can see that in your original screenshot.  The problem is that click.redditmail.com resolves via CNAME to thirdparty.bnc.lt which is also on the blocklist.

Unbound Reporting shows the A and AAAA records being allowed but the CNAME being blocked.  However, it only shows the original click.redditmail.com request, not the resulting CNAME.  Additionally, because of that, there's no option to allow the resulting CNAME query.

As a workaround until this gets looked at, if you do a DNS query you'll get the CNAME for the domain.  You can then add that to your list along with click.redditmail.com and it will work.  However, if the CNAME changes to a different blocked domain, you'll have to go through the whole process again.

https://github.com/opnsense/core/issues/6722

Quote from: CJ on August 07, 2023, 04:09:19 PM
This is interesting.  I did some testing on my server and it appears to be a possible bug with the reporting and/or whitelisting of the DNSBL.

The reason it's not working for you is because of the CNAME.  Once you allowed click.redditmail.com it started resolving.  You can see that in your original screenshot.  The problem is that click.redditmail.com resolves via CNAME to thirdparty.bnc.lt which is also on the blocklist.

Unbound Reporting shows the A and AAAA records being allowed but the CNAME being blocked.  However, it only shows the original click.redditmail.com request, not the resulting CNAME.  Additionally, because of that, there's no option to allow the resulting CNAME query.

As a workaround until this gets looked at, if you do a DNS query you'll get the CNAME for the domain.  You can then add that to your list along with click.redditmail.com and it will work.  However, if the CNAME changes to a different blocked domain, you'll have to go through the whole process again.

https://github.com/opnsense/core/issues/6722
Awesome, thanks for your reply. What tool do you recommend using to drill down into these DNS queries that are giving me trouble to find the additional domains to whitelist? Ideally a command line tool for Linux.

As I mentioned, anything that does a DNS query will tell you. On Linux you can use dig or nslookup. You can even just use the DNS Lookup page in OPNsense and do it all in the browser.
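The workaround CJ describes (query the name, collect every CNAME target, whitelist each one) is easy to script so the chain does not have to be read off by hand each time it changes. The following is an added example and not code from the thread or from the OPNsense project. It assumes `dig +noall +answer` output in its standard five-column form (name, TTL, class, type, rdata); the `chain_names` and `whitelist_candidates` function names and the sample records are constructed for illustration, and the IP addresses and TTLs in the sample are made up rather than the real records for click.redditmail.com.

```shell
#!/bin/sh
# Added example (not from the forum thread or OPNsense): list every owner name
# and CNAME target in a DNS answer so each can be checked against the DNSBL
# whitelist. Assumes dig's "+noall +answer" layout: name ttl class type rdata.

# Print the unique names appearing in a CNAME chain, in query order.
# Input on stdin: dig +noall +answer output. Trailing dots are stripped so the
# names match the form used in Services --> Unbound DNS --> Blocklist.
chain_names() {
    awk '
        $4 == "CNAME" || $4 == "A" || $4 == "AAAA" {
            n = $1; sub(/\.$/, "", n)
            if (!(n in seen)) { seen[n] = 1; print n }
            if ($4 == "CNAME") {
                t = $5; sub(/\.$/, "", t)
                if (!(t in seen)) { seen[t] = 1; print t }
            }
        }
    '
}

# Live wrapper (needs network access and dig installed); asks for both A and
# AAAA so the chain is captured for either record type.
# Usage: whitelist_candidates click.redditmail.com
whitelist_candidates() {
    dig +noall +answer "$1" A "$1" AAAA | chain_names
}

# Constructed sample modelled on the thread's case; addresses and TTLs are
# placeholders (RFC 5737 / RFC 3849 ranges), not the real records.
SAMPLE='click.redditmail.com.	300	IN	CNAME	thirdparty.bnc.lt.
thirdparty.bnc.lt.	60	IN	A	192.0.2.10
thirdparty.bnc.lt.	60	IN	AAAA	2001:db8::10'

# Stand-alone run over the constructed sample: prints the two names that
# both need whitelisting for the lookup to succeed.
printf '%s\n' "$SAMPLE" | chain_names
```

Every name the function prints must be present in the whitelist; if only the first one is, the reporting tab will show the A and AAAA answers as allowed while the CNAME step is still blocked, which is exactly the symptom in the original post. Re-run it whenever the lookup starts failing again, since the CNAME target can change to another blocklisted name.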