Unbound is blocking without having blocklist functionality enabled

Started by urmel, February 17, 2025, 11:14:59 PM

Hi there

I just thought it would be a good idea to completely set up my OPNsense machine from scratch and to check all the features and functionality I was used to over the last couple of years.

One strange thing I found in the meantime - maybe I am doing something wrong somewhere - any help and advice is highly appreciated ...

I enabled the Unbound DNS service, but without the blocklist feature. The dashboard shows the top blocked domains. Checking the logs shows a couple of entries blocked by the Steven Black list.

How can that be the case when the blocklist feature is not enabled?

It's possible you are not using the built-in lists, but you may have entered a URL directly in the past. This is not visible in the default view; you have to enable 'advanced' first for it to be visible.
In theory there is no difference between theory and practice. In practice there is.

No, definitely not. I just double-checked it, and the log files refer to the Steven Black list.

So "Type of DNSBL" shows "Nothing Selected" AND "URLs of Blocklists" is empty as well?
A search for the list name, "block" or "DNSBL" in the logs pane does not reveal anything interesting?

Yes - all empty, and this section is not enabled anyway!!!

But checking the logs shows me:

2025-02-21T04:01:33   Notice   unbound   [85712:0] notice: init module 1: iterator
2025-02-21T04:01:33   Informational   unbound   [85712:0] info: dnsbl_module: blocklist loaded. length is 129867
2025-02-21T04:01:33   Informational   unbound   [85712:0] info: dnsbl_module: updating blocklist.
2025-02-21T04:01:33   Notice   unbound   [85712:0] notice: init module 0: python

Any idea? What kind of blocklist does Unbound update when none is configured and the blocklist service is not enabled ...

I'd be looking at the dnsbl section of /conf/config.xml,
and also at /usr/local/etc/unbound/unbound-blocklists.conf.
Lastly, manual configuration might exist in /usr/local/etc/unbound.opnsense.d.

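To work through the config.xml part of that checklist, here is an added example (my own script, not something from the thread or from OPNsense) that parses config.xml with the standard library and prints every setting inside any element named `dnsbl`, flagging the ones that are neither empty nor `0`. It deliberately does not assume the exact path of the section, only the element name; the embedded sample config is constructed for the demonstration and shows the case from earlier in the thread, a stale blocklist URL left behind while the feature itself is disabled.

```python
"""Report the dnsbl settings stored in an OPNsense config.xml.

Added example. Only the element name 'dnsbl' is assumed; its exact location in
the tree and its child tags are taken from whatever the file contains.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not copied from a real firewall: blocklists are disabled
# (enabled=0, no type selected) but a URL entered under 'advanced' is still present.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <unboundplus>
      <dnsbl>
        <enabled>0</enabled>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists>https://example.invalid/old-list.txt</blocklists>
        <address/>
      </dnsbl>
    </unboundplus>
  </OPNsense>
</opnsense>
"""


def dnsbl_settings(xml_text: str) -> list[dict[str, str]]:
    """Return one {tag: text} dict per <dnsbl> element found anywhere in the document."""
    root = ET.fromstring(xml_text)
    return [
        {child.tag: (child.text or "").strip() for child in node}
        for node in root.iter("dnsbl")
    ]


def active_settings(settings: dict[str, str]) -> dict[str, str]:
    """Settings that are neither empty nor '0': anything here can still feed a list to Unbound."""
    return {key: value for key, value in settings.items() if value not in ("", "0")}


if __name__ == "__main__":
    # Usage: python dnsbl_check.py /conf/config.xml   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    blocks = dnsbl_settings(text)
    if not blocks:
        print("no <dnsbl> section found")
    for block in blocks:
        print("dnsbl section:", block)
        print("non-empty settings:", active_settings(block) or "nothing")
```

Run it against /conf/config.xml on the firewall; anything printed under "non-empty settings" while `enabled` is 0 is a candidate for the leftover configuration the earlier reply described.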
I have checked all places you suggested - nothing in there.

So this problem still exists.

Any other idea ?

March 02, 2025, 01:55:05 PM #7 (last edited March 02, 2025, 02:36:49 PM by DEC670airp414user)
Quote from urmel on March 02, 2025, 01:41:18 PM:
> I have checked all places you suggested - nothing in there.
>
> So this problem still exists.
>
> Any other idea ?

I noticed the same thing on the fresh install this morning. And yep, nothing is enabled, but under Reporting: Unbound DNS it showed adguard and several others being blocked!


While this isn't an answer to why this happened, is it possible for you to check the box to enable DNS blocklists and then pick a list from the drop-down menu? Apply those settings and let the list download. Then go back, de-select the blocklist and uncheck the "enable" box for the blocklists.

This might 'reset' whatever odd config is causing these to run?

Take any of the presumed blocked domains, go to Interfaces - Diagnostics - DNS Lookup:

- hostname == blocked domain

- server == 127.0.0.1  ### Unbound

If you get 0.0.0.0 or NXDOMAIN then Unbound is blocking, else what you're seeing is only the reporting engine.


---

For SSH / Console

As an example, if Unbound is not blocking, this is the output for the presumed blocked domain seen in the screenshot:

root@OPNsense:~ # host variations.brave.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

variations.brave.com is an alias for d17ndjuagurpsr.cloudfront.net.
d17ndjuagurpsr.cloudfront.net has address 3.164.255.20
d17ndjuagurpsr.cloudfront.net has address 3.164.255.10
d17ndjuagurpsr.cloudfront.net has address 3.164.255.103
d17ndjuagurpsr.cloudfront.net has address 3.164.255.55
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:2200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:e000:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:7a00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:8200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:ee00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:ac00:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:3200:15:85fe:56c0:93a1
d17ndjuagurpsr.cloudfront.net has IPv6 address 2600:9000:26ec:8600:15:85fe:56c0:93a1
root@OPNsense:~ #

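The check in that post (query Unbound itself on 127.0.0.1, then look at what comes back) can be automated so it is repeatable across a list of suspect domains. The following is an added example written for this thread, not code from OPNsense or from the poster: it builds a raw DNS query with the standard library, parses the answer, and classifies it as `blocked` (every address is the 0.0.0.0 / :: sink the blocklist module uses by default), `nxdomain`, `nodata` or `resolved`. It assumes Unbound is listening on 127.0.0.1:53 and that the blocklist has not been switched to answer NXDOMAIN instead of the sink address; if it has, a blocked name shows up as `nxdomain`.

```python
"""Ask Unbound on the firewall what it answers for a name and classify the reply.

Added example, standard library only. Assumptions: Unbound listens on
127.0.0.1:53 and blocked names are answered with 0.0.0.0 / :: (the default sink).
"""
import random
import socket
import struct

RESOLVER = ("127.0.0.1", 53)   # Unbound on the OPNsense box itself (assumption)
TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
SINK_ADDRESSES = ("0.0.0.0", "::")


def build_query(name: str, qtype: int = TYPE_A) -> tuple[bytes, int]:
    """Return (wire-format query, transaction id). Labels are assumed to be ASCII."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question, and return rcode plus the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == TYPE_AAAA:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == TYPE_CNAME:
            value, _ = _read_name(msg, off)            # CNAME target may use compression
        else:
            value = rdata.hex()
        answers.append((owner, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def classify(parsed: dict) -> str:
    """blocked / nxdomain / nodata / resolved, following the check described in the thread."""
    if parsed["rcode"] == 3:
        return "nxdomain"
    addresses = [v for _, t, _, v in parsed["answers"] if t in (TYPE_A, TYPE_AAAA)]
    if addresses and all(a in SINK_ADDRESSES for a in addresses):
        return "blocked"                               # the dnsbl module answered, not the internet
    if parsed["rcode"] == 0 and not parsed["answers"]:
        return "nodata"
    return "resolved"


def lookup(name: str, qtype: int = TYPE_A, server=RESOLVER, timeout: float = 3.0) -> str:
    """Send one UDP query to Unbound and classify the reply."""
    query, txid = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, server)
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != txid:
        raise RuntimeError("transaction id mismatch, reply discarded")
    return classify(parsed)


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:] or ["variations.brave.com"]:
        print(domain, lookup(domain))
```

Run it on the firewall with the domains the reporting page lists as blocked; a `resolved` result alongside a "Block" row in the report points at the reporting engine, while `blocked` (or `nxdomain`, if the list is set to answer that way) means Unbound really did refuse the name.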
I tried the diagnostics DNS Lookup and I do not get 0.0.0.0 or NXDOMAIN,

but what I get is:

Time   Client   Type   Domain   Action   Source   RCode   Duration   TTL   Blocklist
2025-03-03 16:58:45   10.10.0.6   A   clients3.google.com.   Pass   Recursion   NOERROR   57ms   44
2025-03-03 16:58:45   10.10.0.40   A   api.openweathermap.org.   Pass   Recursion   NOERROR   78ms   24
2025-03-03 16:58:37   localhost   MX   aax-eu.amazon.de.   Pass   Recursion   NOERROR   98ms   60
2025-03-03 16:58:37   localhost   TXT   aax-eu.amazon.de.   Pass   Recursion   NOERROR   32ms   60
2025-03-03 16:58:36   localhost   AAAA   aax-eu.amazon.de.   Pass   Recursion   NOERROR   61ms   60
2025-03-03 16:58:36   localhost   CNAME   aax-eu.amazon.de.   Block   Local   NOERROR   59ms   3600   Steven Black List

So why does it say Block in the last line and reference the Steven Black list?

I did a couple of further checks, and it is very clear that Unbound is blocking although it is not enabled - it is not only the reporting engine.

When I try to open some sponsored links from the Google search result page, I get "Website not reachable" in the browser, and checking the details reported by Unbound I see that the attempt to reach that domain was blocked with the Steven Black list.


Not exactly sure if it's the same issue, but it feels very much related:

With Unbound DNS enabled (blocklist disabled), some of my client devices resolved non-existent FQDNs to CloudFront IP addresses. For example, opening http://xxxxxxxxxxthisdoesntexistxxxxxxxxx.com in a browser (http, not https!) showed a CloudFront page saying: "403 ERROR The request could not be satisfied." (attached screenshot)

In my case I managed to solve the issue by adjusting the following OPNsense settings under System -> Settings -> General (not sure which one it was, likely the first):
* Domain: home.arpa (had it set to "house" before)
* Prefer IPv4 over IPv6: yes
Then I restarted the firewall, reconnected all clients (renewed DHCP leases), and the issue was gone.

I see the same. My blocklist in Unbound is disabled, yet in the reporting view it says the size of the blocklist is over 45k domains.