Unbound Blocklists - How to exclude certain specific clients?

Started by gspannu, December 11, 2025, 02:07:07 PM

I have started using the recently introduced (upgraded) Unbound Blocklists in 25.7.9

My setup:

I have a fairly simple LAN setup
Main subnet: 192.168.1.1/24 (static IP defined for most clients)
Guest vLan subnet: 192.168.10.1/24


Unbound as main Recursive DNS resolver on port 53
dnsmasq running as DHCP on port 53035


Requirements:
1) I do not want any blocklists for my Guest subnet (192.168.10.1/24) clients
This is easy to implement in DNS blocklists, I add an entry with no blocklists; and set the source as 192.168.10.1/24. No DNS query from this subnet is blocked. Works exactly as expected.

2) I want all of my main LAN clients (192.168.1.1/24) to be using Blocklists, except 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100)
I add an entry with appropriate blocklists; and set the source as 192.168.1.1/24. All DNS queries from this subnet run through block lists.
Works as expected - but not for the 3 specific clients as expected.

Therefore,
3) I add another entry with no blocklists; and set the source as the 3 specific clients (192.168.1.24, 192.168.1.36, 192.168.1.100).
All DNS queries from these specific clients should not run through blocklists; however, these 3 clients also run through blocklists. Not working as expected.

------------------

I tried changing the order of the entries as well, making the 3 specific clients entry as the 1st entry.

Using the tester GUI, it shows that the 3 clients are also part of the policy in 192.168.1.1/24. It seems that Unbound is not treating the matches in a sequential fashion.

-----------------

Can someone guide me how to setup the Blocklists to achieve the desired outcome?


Suggestion:
I think the Unbound blocklist GUI screen should also have an entry for 'Excluded Net' in addition to the 'Source Net' - this could then perhaps achieve the desired result,
or make Unbound Blocklists process/match the 'Source Net' entries sequentially, so the first match gets processed according to the rules.

I have managed to workaround this in a way by defining multiple CIDRs... Not the best solution, but it works.

1) Do not set any Unbound DNS blocklist for Guest clients

2) Change my static DHCP settings for main LAN clients, and assign each a static IP.
I segregated them into 4 groups, just for ease of management:
192.168.1.0/26:   192.168.1.1 - 192.168.1.62
192.168.1.64/26:   192.168.1.65 - 192.168.1.126 (clients that do not need adblocking)
192.168.1.128/26:   192.168.1.129 - 192.168.1.190
192.168.1.192/26:   192.168.1.193 - 192.168.1.254

Now I created an entry in Unbound Blocklists:
- Choose blocklists as desired
- Set source as 192.168.1.0/26, 192.168.1.128/26, 192.168.1.192/26 - so now all LAN clients except those in the range 192.168.1.65 - 192.168.1.126 get ad-blocking.

I still feel that Unbound ad-blocking should either work sequentially and use the rules on first match, or each Unbound Blocklist entry should also have an exclude source list. This would make it much easier to use the adblocking feature.
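The /26 partition in the post above is one way to build an equal-sized cover of the LAN minus the exempt block. As an added example (not from the thread and not OPNsense code), the following Python computes such covers with the standard ipaddress module: minimal_cover() carves individual exempt hosts out of the /24 without renumbering anything, at the cost of unequal prefix lengths, which the Source Net(s) helptext quoted later in the thread warns about; equal_size_policy() reproduces the /26 approach and reports which blocks collide with an exempt host, i.e. which hosts have to be moved. The LAN and host addresses are the ones from the post; how the field interprets a pasted list of CIDRs is taken from the post and not verified here.

```python
import ipaddress

# Constructed inputs taken from the thread: the main LAN and the three hosts
# that should bypass the blocklist policy.
LAN = "192.168.1.0/24"
EXEMPT_HOSTS = ["192.168.1.24", "192.168.1.36", "192.168.1.100"]


def _nets(items):
    # Accept bare hosts ("192.168.1.24" -> /32) or CIDRs ("192.168.1.64/26").
    return [ipaddress.ip_network(i, strict=False) for i in items]


def minimal_cover(net, exempt):
    """Smallest list of CIDRs covering `net` minus every address in `exempt`.

    Each exempt network is carved out of whichever remaining block contains it
    (ipaddress.address_exclude), leaving the maximal blocks that hold no exempt
    address. Prefix lengths will differ, which the Unbound helptext warns
    about, so use equal_size_policy() when that matters."""
    remaining = _nets([net])
    for ex in _nets(exempt):
        nxt = []
        for block in remaining:
            if ex.subnet_of(block):
                # Split the block around the exempt net (yields nothing if equal).
                nxt.extend(block.address_exclude(ex))
            elif not block.subnet_of(ex):
                # Keep blocks disjoint from the exempt net; drop blocks inside it.
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def equal_size_policy(net, prefixlen, exempt):
    """Split `net` into equal /prefixlen blocks and return (kept, dropped).

    `kept` are the blocks containing no exempt address (what goes into the
    Source Net(s) field); `dropped` maps each excluded block to the exempt
    addresses inside it, i.e. the hosts that must be renumbered out of the
    blocked range or that will ride along as exempt with their whole block."""
    exempt_nets = _nets(exempt)
    kept, dropped = [], {}
    for block in ipaddress.ip_network(net).subnets(new_prefix=prefixlen):
        hits = [str(e) for e in exempt_nets
                if e.subnet_of(block) or block.subnet_of(e)]
        if hits:
            dropped[str(block)] = hits
        else:
            kept.append(block)
    return kept, dropped


def verify(policy_nets, net, exempt):
    """Sanity check for a minimal cover: every non-exempt address of `net` is
    matched by exactly one policy net and no exempt address is matched."""
    exempt_addrs = {a for e in _nets(exempt) for a in e}
    for addr in ipaddress.ip_network(net):
        covered = sum(addr in p for p in policy_nets)
        if addr in exempt_addrs and covered != 0:
            return False
        if addr not in exempt_addrs and covered != 1:
            return False
    return True


if __name__ == "__main__":
    cover = minimal_cover(LAN, EXEMPT_HOSTS)
    sizes = {n.prefixlen for n in cover}
    print(f"minimal cover: {len(cover)} nets, equal sizes: {len(sizes) == 1}")
    print("  " + ", ".join(map(str, cover)))
    kept, dropped = equal_size_policy(LAN, 26, EXEMPT_HOSTS)
    print("equal-size /26 policy, kept:", ", ".join(map(str, kept)))
    print("  blocks dropped because they contain exempt hosts:", dropped)
```

Running it with the three hosts from the post yields a 17-network cover of differing prefix lengths, while the /26 split keeps only 192.168.1.128/26 and 192.168.1.192/26 and reports that .24 and .36 sit in 192.168.1.0/26 and .100 in 192.168.1.64/26, which is the renumbering the post ended up doing by hand.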

Or use AdGuard Home which has a much nicer UI for tasks like this one.

Are we sure that the Unbound blocklists feature really supports targeting individual hosts?  The only place where it's hinted at is in the helptext for the Source Net(s) field, which gives 192.168.1.1 as an example input.  However, the field itself and the rest of the helptext talks only about networks.

Same for the docs: https://docs.opnsense.org/manual/unbound.html#blocklists

Quote: Multiple policies can be defined, each separated by one or more source nets. This means you can use blocklists or specific (wildcard) domains on specific networks, allowing more fine-grained control over your setup. The algorithm selects the most specific subnet when domains overlap across subnet sizes.

Might be good to raise a GitHub issue, at least for clarification.

EDIT: the helptext also says something about equally sized networks:

Quote: All specified networks should use the same protocol family and have equal sizes to avoid priority issues.

... not sure if that's per-blocklist entry or across all of them.

Quote from: Patrick M. Hausen on December 15, 2025, 09:42:35 AM: Or use AdGuard Home which has a much nicer UI for tasks like this one.

I have used AGH extensively, and also used Blocky (similar to AGH, but with even more granular control!).
However, both of these are not recursive DNS resolvers (only forwarders).

... I am now keen to use Unbound (and the latest update for blocklists has made it promising); I would like to keep everything native.

It would be nice if Unbound had some more development work done regarding Blocklists.

Quote from: OPNenthu on December 15, 2025, 10:03:58 AM: Are we sure that the Unbound blocklists feature really supports targeting individual hosts?  The only place where it's hinted at is in the helptext for the Source Net(s) field, which gives 192.168.1.1 as an example input.  However, the field itself and the rest of the helptext talks only about networks.

Same for the docs: https://docs.opnsense.org/manual/unbound.html#blocklists

Quote: Multiple policies can be defined, each separated by one or more source nets. This means you can use blocklists or specific (wildcard) domains on specific networks, allowing more fine-grained control over your setup. The algorithm selects the most specific subnet when domains overlap across subnet sizes.

Might be good to raise a GitHub issue, at least for clarification.

EDIT: the helptext also says something about equally sized networks:

Quote: All specified networks should use the same protocol family and have equal sizes to avoid priority issues.

... not sure if that's per-blocklist entry or across all of them.

Unbound blocklists do support hosts/networks; it is just that the current implementation is a bit basic (perhaps the wrong description, as it does the job well). I think the source hosts/networks/exclusions need to be further developed to make it more user accessible and feature rich.

The same protocol/equal size rule applies to each block-list entry.