Proper DNSBLs for Unbound

Started by OPNenthu, February 20, 2026, 02:36:56 AM

I'm a bit ignorant still on advanced DNS topics.  Please be patient :)

This thread is in response to the discussion on page 1, specifically posts #5-8, here: https://forum.opnsense.org/index.php?topic=50857.0

I didn't want to further derail the IPFire topic so am posting separately to better understand this.

---

I feel that some of the DNS hosts lists that we use in Unbound are not specifically written for it and result in incomplete blocking because Unbound uses exact matching, whereas other engines may treat them as zones and automatically block subdomains.

For reference here are the built-in DNSBLs in OPNsense for Unbound.

It appears the hagezi lists, for example, are wildcarded but many of the others (e.g. AdGuard) are not and those could (depending how they're written) be less reliable in Unbound.

Is that a fair assessment and is there RPZ support in the roadmap for the Unbound UI?  Would that solve this, and is there even a gap or am I off with this assessment?

Thanks.  This has long been one of my nagging unresolved questions.
N5105 | 8/250GB | 4xi226-V | Community
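To make the matching difference concrete, here is an added example (not from the thread, and not OPNsense's or Unbound's own code) that simulates the two behaviours described above: exact-entry matching versus wildcard (zone/suffix) matching. The sample list and the lookups are constructed, and the normalisation of hosts-file, plain-domain, AdGuard `||...^` and `*.` entries is a simplification of how real list parsers work; it is there only to show which queries slip through when a list is consumed with exact matching.

```python
# Added example: simulate exact-match vs wildcard (zone) matching of a
# DNS blocklist. Not OPNsense/Unbound code; the list and queries below are
# constructed for illustration.
from typing import Iterable, List, Set

# Constructed sample list mixing the entry styles mentioned in the thread.
SAMPLE_LIST = """
# constructed sample, not a real blocklist
0.0.0.0 ads.example.net
tracker.example.org
||telemetry.example.com^
*.cdn-ads.example.net
"""


def parse_list(text: str) -> Set[str]:
    """Normalise list entries to bare lowercase domains.

    An engine that only does exact matching sees each entry as a single
    name, so the 'match subdomains too' intent of '||...^' and '*.' rules
    is lost here on purpose to mirror that behaviour.
    """
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments/blank lines
        if not line:
            continue
        parts = line.split()
        # hosts-file form: "<sink address> <domain>"
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            line = parts[1]
        # AdGuard form: ||domain^
        if line.startswith("||") and line.endswith("^"):
            line = line[2:-1]
        # explicit wildcard prefix: *.domain
        if line.startswith("*."):
            line = line[2:]
        domains.add(line.lower().rstrip("."))
    return domains


def blocked_exact(query: str, domains: Set[str]) -> bool:
    """Exact matching: the queried name itself must be listed."""
    return query.lower().rstrip(".") in domains


def blocked_wildcard(query: str, domains: Set[str]) -> bool:
    """Zone/suffix matching: the name or any parent domain is listed."""
    labels = query.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def coverage_gap(queries: Iterable[str], domains: Set[str]) -> List[str]:
    """Queries a wildcard engine blocks but an exact-match engine lets through."""
    return [q for q in queries
            if blocked_wildcard(q, domains) and not blocked_exact(q, domains)]


if __name__ == "__main__":
    listed = parse_list(SAMPLE_LIST)
    lookups = [  # constructed lookups
        "ads.example.net",
        "www.ads.example.net",
        "beacon.telemetry.example.com",
        "example.net",
        "clean.example.com",
    ]
    for q in lookups:
        print(f"{q:32} exact={blocked_exact(q, listed)!s:5} "
              f"wildcard={blocked_wildcard(q, listed)}")
    print("missed by exact matching:", coverage_gap(lookups, listed))
```

Running it shows that `www.ads.example.net` and `beacon.telemetry.example.com` are blocked only under wildcard matching, which is the gap the thread is asking about: a list written as individual names (or as AdGuard rules reduced to names) only covers the names it literally contains when the consuming engine does exact lookups.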

There's some evidence in post #10 from Patrick on the other thread that there is indeed a difference in how Unbound matches domains in URL lists vs. others (e.g. AdGuard Home).

https://forum.opnsense.org/index.php?topic=50857.msg260901#msg260901
N5105 | 8/250GB | 4xi226-V | Community

It looks like there's a mention of this in the OPNsense docs but I must have missed it:

https://docs.opnsense.org/manual/unbound.html#predefined-sources

Quote:
Note: The OISD lists are wildcard lists. Meaning that they will block all subdomains of the listed domains. For more information, refer to OISD. This keeps the list small and manageable, but are more effective than regular lists.

So in addition to the Hagezi lists, it looks like the OISD lists are also wildcarded.  The Hagezi ones just aren't marked as such in the doc, but they do use the wildcard version in the Unbound plugin as I noticed.
N5105 | 8/250GB | 4xi226-V | Community