<div dir="ltr"><br><div>hello list,</div><div><br></div><div>On one of my servers I use "unbound" for blacklisting domains,<br>but it seems it's not working any longer after a past update of my system.<br><br>On the server is Gentoo Linux, kernel 5.14.15<br>Unbound is version 1.13.1</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">unbound -V
</span><br>Version 1.13.1
<br>
<br>Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2 --htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/ --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb --disable-static --disable-systemd --with-pythonmodule --with-pyunbound --with-pthreads --with-libnghttp2 --disable-flto --disable-rpath --enable-event-api --enable-ipsecmod --enable-tfo-client --enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr
<br>Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
<br>Linked modules: dns64 python cachedb ipsecmod respip validator iterator
<br>TCP Fastopen feature available<br></span><br></div><div><br></div><div>In /etc/unbound I have the following structure:</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">root.hints
</span><br><span style="color:rgb(24,178,24)">unbound.conf</span><span style="color:rgb(0,0,0)">
</span><br><span style="font-weight:bold;color:rgb(84,84,255)">unbound.conf.d</span><span style="color:rgb(0,0,0)">
</span><br>unbound.conf.ORIGINAL
<br>unbound.conf.WRK
<br>unbound_control.key
<br>unbound_control.pem
<br>unbound_server.key
<br>unbound_server.pem
<br><span style="font-weight:bold;color:rgb(84,84,255)">var</span><br></span></div><div><br></div><div><br></div><div>My unbound.conf:</div><div>------------------------</div><div><br></div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">server:
</span><br>
<br>statistics-cumulative: yes
<br>extended-statistics: yes
<br>log-queries: yes
<br>log-servfail: yes
<br>verbosity: 1
<br>
<br>interface: 127.0.0.1
<br>interface: 116.202.87.165
<br>interface: 192.168.120.251
<br>interface: 192.168.110.250
<br>interface: 192.168.100.250
<br>outgoing-interface: 192.168.100.250
<br>outgoing-interface: 192.168.110.250
<br>outgoing-interface: 192.168.120.251
<br>outgoing-interface: 116.202.87.165
<br>num-threads: 2
<br>
<br>include: /etc/unbound/unbound.conf.d/access_options.conf
<br>include: /etc/unbound/unbound.conf.d/name_solving.conf
<br>include: /etc/unbound/unbound.conf.d/privacy_options.conf
<br>include: /etc/unbound/unbound.conf.d/cache_options.conf
<br>include: /etc/unbound/unbound.conf.d/dnssec_options.conf
<br>include: /etc/unbound/unbound.conf.d/blacklist.conf
<br>include: /etc/unbound/unbound.conf.d/local_names.conf
<br>include: /etc/unbound/unbound.conf.d/opennic_names.conf
<br>include: /etc/unbound/unbound.conf.d/forwarders.conf
<br>include: /etc/unbound/unbound.conf.d/view.conf
<br>
<br>remote-control:  <br>        control-enable: yes
<br>        control-interface: 127.0.0.1
<br>        control-port: 8953
<br>        control-use-cert: "no"
<br>
<br>#backend: "testframe"
<br>#secret-seed: "default"
<br>#redis-server-host: 127.0.0.1
<br>## redis server's TCP port
<br>#redis-server-port: 6379
<br># timeout (in ms) for communication with the redis server
<br>#redis-timeout: 100
<br># set timeout on redis records based on DNS response TTL
<br>#redis-expire-records: no<br></span></div><div><br></div><div><br></div><div>The config of blacklist.conf:<br>------------------------------------</div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">local-zone: "<a href="http://zukxd6fkxqn.com">zukxd6fkxqn.com</a>" always_nxdomain
</span><br>local-zone: "<a href="http://zy16eoat1w.com">zy16eoat1w.com</a>" always_nxdomain<br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">But when I do a DNS request from a client,</span></div><div><span style="font-family:monospace">it resolves the blacklisted domain,<br><br></span></div><div><span style="font-family:monospace">like this:</span></div><div><span style="font-family:monospace">------------</span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">dig <a href="http://zy16eoat1w.com">zy16eoat1w.com</a>
</span><br>
<br>; <<>> DiG 9.16.15 <<>> <a href="http://zy16eoat1w.com">zy16eoat1w.com</a>
<br>;; global options: +cmd
<br>;; Got answer:
<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
<br>
<br>;; OPT PSEUDOSECTION:
<br>; EDNS: version: 0, flags:; udp: 1232
<br>;; QUESTION SECTION:
<br>;<a href="http://zy16eoat1w.com">zy16eoat1w.com</a>.                        IN      A
<br>
<br>;; ANSWER SECTION:
<br><a href="http://zy16eoat1w.com">zy16eoat1w.com</a>.         1855    IN      A       103.224.212.219
<br>
<br>;; Query time: 170 msec
<br>;; SERVER: 192.168.100.250#53(192.168.100.250)
<br>;; WHEN: Wed Nov 03 10:48:55 CET 2021
<br>;; MSG SIZE  rcvd: 59<br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">In the past it worked: </span><span style="font-family:monospace"><a href="http://zy16eoat1w.com">zy16eoat1w.com</a></span></div><div><span style="font-family:monospace">could not be retrieved / resolved.<br><br>What is wrong in my setup?<br>Does anyone have an idea or can help with hints?</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">best regards</span></div><div><span style="font-family:monospace">marko</span></div></div>
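As an added example (not part of the post above and not unbound's own tooling), a small Python checker that pairs the local-zone entries from a blacklist.conf with a dig answer and flags responses that contradict the configured zone type; it also applies unbound's rule that a local-zone covers the names below it, so a query for a subdomain is matched to its enclosing zone. The config and dig text are constructed to mirror the post.

```python
import re

# Constructed sample modelled on the post's blacklist.conf (not the poster's actual file).
BLACKLIST_CONF = '''
local-zone: "zukxd6fkxqn.com" always_nxdomain
local-zone: "zy16eoat1w.com" always_nxdomain
local-zone: "blocked.example" refuse
'''

# Constructed dig output shaped like the one in the post: the blacklisted name still resolves.
DIG_OUTPUT = '''
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;zy16eoat1w.com.                        IN      A
;; ANSWER SECTION:
zy16eoat1w.com.         1855    IN      A       103.224.212.219
'''

# rcode that each blocking zone type must produce; other types are not judged here
EXPECTED_RCODE = {"always_nxdomain": "NXDOMAIN", "refuse": "REFUSED"}

def parse_local_zones(conf_text):
    """Return {zone: type} for each local-zone line; tolerates a missing space after the quote."""
    zones = {}
    for m in re.finditer(r'^\s*local-zone:\s*"?([^"\s]+)"?\s*(\S+)', conf_text, re.M):
        zones[m.group(1).lower().rstrip(".")] = m.group(2).lower()
    return zones

def enclosing_zone(name, zones):
    """Most specific configured zone that is the name itself or one of its parents."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def parse_dig(output):
    """Extract (qname, status, answer_count) from dig's header and question section."""
    status = re.search(r"status:\s*(\w+)", output).group(1)
    answers = int(re.search(r"ANSWER:\s*(\d+)", output).group(1))
    qname = re.search(r"^;([^\s;]+)\s+IN\s+\w+", output, re.M).group(1)
    return qname.rstrip("."), status, answers

def check(conf_text, dig_output):
    """Return None if the answer matches the config, else a description of the mismatch."""
    zones = parse_local_zones(conf_text)
    qname, status, answers = parse_dig(dig_output)
    zone = enclosing_zone(qname, zones)
    want = EXPECTED_RCODE.get(zones[zone]) if zone else None
    if want is None:
        return None
    if status != want or (want == "NXDOMAIN" and answers):
        return f"{qname} is under local-zone {zone} ({zones[zone]}) but got {status}, {answers} answer(s)"
    return None
```

Run the same check against a dig issued to each interface unbound listens on; a mismatch on only some of them points at the view or forwarder configuration for that interface rather than at blacklist.conf itself.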