25.7.8 Unbound blocklist source nets

Started by gpfountz, November 26, 2025, 08:28:30 PM

After upgrading to 25.7.8, I configured Unbound's blocklist source nets to include my LAN and IoT networks, excluding my GUEST network. The problem is, as soon as someone on the guest network does a lookup of a blocked domain, that domain's IP lookup is cached. After this, that blocked domain's IPs are served to my LAN.

Is there a solution for this? I know I can use a different DNS server for my GUEST network. That is what I was doing before the source nets feature was added in 25.7.8.

Thanks in advance!

Unfortunately I'm seeing the same effect. Once a domain is cached by a user in a source net that is allowed access, users from a source net that is blocked can now retrieve the cached request. It seems that source net blocking only blocks recursive DNS, not cached DNS. :(

What happens if you disable the caches?

Advanced->Message Cache Size = 0
Advanced->RRset Cache Size = 0
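One way to check whether the cache is actually holding answers for blocklisted names (the leak described in the posts above) is to inspect what Unbound has cached. The script below is an added example, not code from this thread or from OPNsense; it assumes the RRset section layout of `unbound-control dump_cache` (records in zone-file form between START_RRSET_CACHE and END_RRSET_CACHE) and works on a constructed sample dump and blocklist.

```python
# Added example, not the thread's or OPNsense's code. Assumed `dump_cache` layout:
# RRsets between START_RRSET_CACHE/END_RRSET_CACHE, each under a ';rrset' header,
# one record per line in zone-file form (name ttl class type rdata). Sample is constructed.
SAMPLE_DUMP = """START_RRSET_CACHE
;rrset 3600 1 0 3 3
ads.example.net.\t3600\tIN\tA\t192.0.2.10
;rrset 300 1 0 3 3
cdn.example.org.\t300\tIN\tA\t198.51.100.7
;rrset 600 2 0 3 3
tracker.ads.example.net.\t600\tIN\tA\t192.0.2.11
tracker.ads.example.net.\t600\tIN\tA\t192.0.2.12
END_RRSET_CACHE
"""
SAMPLE_BLOCKLIST = "# constructed blocklist\nads.example.net\n"

def normalize(name):  # lower-case, drop trailing dot, so names compare equal
    return name.strip().lower().rstrip(".")

def load_blocklist(text):
    """One name per line; '#' starts a comment."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {normalize(l) for l in lines if l}

def blocking_entry(name, blocked):
    """Blocklist entry covering `name` (itself or any parent domain), else None."""
    labels = normalize(name).split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels)))
    return next((p for p in parents if p in blocked), None)

def cached_records(dump):
    """Yield (name, type, rdata) for each record in the dump's RRset section."""
    in_rrsets = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
        elif line == "END_RRSET_CACHE":
            break
        elif in_rrsets and not line.startswith(";"):  # ';rrset ...' is a header
            f = line.split(None, 4)                    # name ttl class type rdata
            if len(f) == 5:
                yield normalize(f[0]), f[3], f[4]

def find_leaks(dump, blocked):
    """Cached answers for blocklisted names: these bypass the source-net block."""
    return [r for r in cached_records(dump) if blocking_entry(r[0], blocked)]

def flush_commands(leaks, blocked):
    """One 'unbound-control flush_zone' per blocklist entry that has leaked."""
    zones = {blocking_entry(n, blocked) for n, _, _ in leaks}
    return [f"unbound-control flush_zone {z}" for z in sorted(zones)]
```

On a real box, feed it the output of `unbound-control dump_cache` and your blocklist file instead of the constructed samples; the flush commands only clear what is cached now, so the leak recurs as soon as an allowed net resolves the name again.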

I'll second this!

I've done quite a bit of testing, moving from Adguardhome to Unbound and its BLs. Even using the same BLs, with the URLs added to Unbound to make them identical, I'm still getting ads coming through when using Unbound that I don't when using Adguardhome.
A restart of OPNsense also doesn't appear to make any difference, nor does clearing the local client DNS cache and browser cache or rebooting the client.

I'll give it a second go after the next upgrade