Unbound ignores blocklist

Started by ksx4system, March 07, 2024, 01:17:58 PM

I'm trying to use the blocklist available at https://hole.cert.pl/domains/v2/domains.txt (also https://hole.cert.pl/domains/v2/domains_hosts.txt in hosts format) with Unbound - it is ignored despite using the correct settings. Check hosts version of the blocklist to understand why I've used this exact destination IP.
HP ProDesk 600 G1 SFF (OPNsense latest stable)
i3 4160 / 8GB RAM / 60GB SLC SSD / Intel and Broadcom 1GbE NICs

have a nice day :)

Quote from: ksx4system on March 07, 2024, 01:17:58 PM
I'm trying to use the blocklist available at https://hole.cert.pl/domains/v2/domains.txt (also https://hole.cert.pl/domains/v2/domains_hosts.txt in hosts format) with Unbound - it is ignored despite using the correct settings. Check hosts version of the blocklist to understand why I've used this exact destination IP.

How are you testing?  What leads you to believe that it's not working?

In regards to your destination IP, what are you expecting to accomplish?  Just because it shows in the linked list doesn't provide any context as to your reasoning.

March 17, 2024, 03:35:34 PM #3 Last Edit: March 17, 2024, 03:41:06 PM by ksx4system
Quote from: CJ on March 07, 2024, 04:41:00 PM
How are you testing?  What leads you to believe that it's not working?

I'm testing by using dig (e.g. dig @routerIP notwanted.domain); it should resolve to a predefined IP (as shown on the screenshot), effectively blocking that domain. That's what blocklists are for, right?

Quote from: CJ on March 07, 2024, 04:45:29 PM
In regards to your destination IP, what are you expecting to accomplish?

Please read my original post again, it'll clarify everything. By blocking selected domains (or actually redirecting them to a "wrong" IP, as shown on the screenshot) instead of allowing access to a malicious service, let's say a web page, something else will be provided by a non-malicious server. Very simple solution.
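Since the thread turns on two mechanics (how a hosts-format list such as domains_hosts.txt maps onto Unbound's local-zone/local-data redirect entries, and how to read the answer of a dig test against the resolver), here is an added example. It is not code from the thread, OPNsense, Unbound or CERT.PL. It assumes a placeholder sinkhole address of 192.0.2.1 (RFC 5737 documentation range) standing in for the real destination IP, and the sample list lines are constructed for illustration, not taken from hole.cert.pl.

```python
"""Hosts-format blocklist -> Unbound redirect entries, plus a dig-style answer check.

Added example for this thread; not code from OPNsense, Unbound or CERT.PL.
Assumptions: SINKHOLE_IP is a placeholder for the list's real destination
address, and SAMPLE_HOSTS_LIST is a constructed sample, not real list data.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Set, Tuple

SINKHOLE_IP = "192.0.2.1"  # assumed placeholder, substitute the list's real destination IP

# Constructed sample in the same "IP domain" shape as a hosts-format list.
SAMPLE_HOSTS_LIST = """\
# hosts-format blocklist (constructed sample)
192.0.2.1 bad.example
192.0.2.1 phish.example
192.0.2.1   another-bad.example   # trailing comment
0.0.0.0 zero-sink.example
not-an-ip garbage.example
192.0.2.1
"""

# Conservative hostname check: labels of 1-63 chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ipaddress.AddressValueError:
        return False


def parse_hosts_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({domain: listed_ip}, [skipped raw lines]) for a hosts-format list.

    Comments and blank lines are dropped silently; lines with a bad IP, a
    missing hostname or an invalid hostname are reported so a loader can log
    what it excluded (the OPNsense Unbound log reports similar counts)."""
    entries: Dict[str, str] = {}
    skipped: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not _is_ipv4(parts[0]):
            skipped.append(raw)
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            name = name.lower().rstrip(".")
            if _HOSTNAME_RE.match(name):
                entries[name] = ip
            else:
                skipped.append(raw)
    return entries, skipped


def to_unbound_config(entries: Dict[str, str], sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Emit Unbound local-zone/local-data lines that answer with the sinkhole.

    'redirect' makes Unbound answer the zone and every name beneath it from
    the local data, so subdomains of a listed domain are covered too."""
    lines = []
    for name in sorted(entries):
        lines.append(f'local-zone: "{name}." redirect')
        lines.append(f'local-data: "{name}. A {sinkhole_ip}"')
    return "\n".join(lines) + "\n"


def classify_answer(answer_ips: Set[str], entries: Dict[str, str], name: str,
                    sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Interpret the A records a resolver returned for `name`, as a dig test would."""
    if name.lower().rstrip(".") not in entries:
        return "not-listed"          # nothing to expect from the blocklist
    if answer_ips == {sinkhole_ip}:
        return "blocked"             # redirect in effect
    if not answer_ips:
        return "nxdomain-or-empty"   # blocked some other way, or no A record
    return "ignored"                 # a real address came back: list not applied


def query_a(name: str, resolver: str) -> Set[str]:
    """Run `dig +short @resolver name A`; needs dig on PATH and network access."""
    proc = subprocess.run(["dig", "+short", f"@{resolver}", name, "A"],
                          capture_output=True, text=True, check=False)
    return {l.strip() for l in proc.stdout.splitlines() if _is_ipv4(l.strip())}


if __name__ == "__main__":
    entries, skipped = parse_hosts_list(SAMPLE_HOSTS_LIST)
    print(to_unbound_config(entries))
    print(f"{len(entries)} blocked, {len(skipped)} excluded")
    # Constructed answer standing in for `query_a("bad.example", "routerIP")`.
    print(classify_answer({"203.0.113.7"}, entries, "bad.example"))
```

To use it against a live resolver, replace the constructed answer with `query_a("bad.example", "routerIP")`; a result of "ignored" is the symptom the original post describes, and "blocked" is the expected state once the list is loaded.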

Have you already checked the logs under Services ‣ Unbound DNS ‣ Log File?
What does the entry for fetching your blocklist show there?
It should list the excluded, blocked and wildcard entries of the list.

Also, have you checked whether the domain you use for testing is in the file?
Because the ones you posted (v2) are different from the one visible in your screenshot (without v2).


Quote from: ksx4system on March 17, 2024, 03:35:34 PM
I'm testing by using dig (e.g. dig @routerIP notwanted.domain); it should resolve to a predefined IP (as shown on the screenshot), effectively blocking that domain. That's what blocklists are for, right?

What happens if you test using the DNS Lookup screen in OPNsense?

Quote from: ksx4system on March 17, 2024, 03:35:34 PM
Please read my original post again, it'll clarify everything. By blocking selected domains (or actually redirecting them to a "wrong" IP, as shown on the screenshot) instead of allowing access to a malicious service, let's say a web page, something else will be provided by a non-malicious server. Very simple solution.

Neither this response nor your original post have clarified anything.  What benefit are you expecting to see from returning a "wrong" IP instead of just blocking the request?

Quote from: CJ on March 18, 2024, 04:45:22 PM
Neither this response nor your original post have clarified anything.  What benefit are you expecting to see from returning a "wrong" IP instead of just blocking the request?
DNS-based ad blockers frequently return e.g. 0.0.0.0 for a blocked FQDN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on March 18, 2024, 04:48:10 PM
Quote from: CJ on March 18, 2024, 04:45:22 PM
Neither this response nor your original post have clarified anything.  What benefit are you expecting to see from returning a "wrong" IP instead of just blocking the request?
DNS-based ad blockers frequently return e.g. 0.0.0.0 for a blocked FQDN.

Sure, but there's a big difference between 0.0.0.0 and some random IP like the OP is using.  That's what I'm trying to get at.  What do they think they're getting by using a random IP instead of 0.0.0.0 or even NXDOMAIN?

Quote: What do they think they're getting by using a random IP
Not random. It is possible to specify the desired IP address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics ;))

March 20, 2024, 12:22:41 AM #10 Last Edit: March 20, 2024, 12:25:02 AM by ksx4system
Quote from: Fright on March 19, 2024, 02:49:52 PM
Quote: What do they think they're getting by using a random IP
Not random. It is possible to specify the desired IP address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics ;))

This is exactly what the server behind the IP visible on my screenshot does. It's a service provided free of charge by the national CERT of Poland.

Quote from: Fright on March 17, 2024, 09:08:05 PM
Tested with https://hole.cert.pl/domains/v2/domains.txt
Works.

Either 24.1.3_1 or reboots/Unbound reloads fixed it, now it works for me too. Case closed I guess ;)

Quote from: Fright on March 19, 2024, 02:49:52 PM
Quote: What do they think they're getting by using a random IP
Not random. It is possible to specify the desired IP address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics ;))

And none of that was clear from the OP, hence why I had originally asked.

Quote from: CJ on March 20, 2024, 03:36:57 PM
And none of that was clear from the OP, hence why I had originally asked.

It was perfectly clear, this is why I've provided txt files.