<div dir="ltr"><div>Hello list,</div><div><br></div><div>On one of my servers I use "unbound" for blacklisting domains.<br>But it seems it's not working any longer after a past update of my system.<br><br>On the server is Gentoo Linux, kernel 5.14.15<br>Unbound is version 1.13.1</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">unbound -V</span><br>Version 1.13.1<br><br>Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir<br>=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2 --htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/ --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt --<br>disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb --disable-static --disable-systemd --with-pythonmodule --with-pyunbound --with-pthreads --with-libnghttp2 --disable-flto --di<br>sable-rpath --enable-event-api --enable-ipsecmod --enable-tfo-client --enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc<br>/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr<br>Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021<br>Linked modules: dns64 python cachedb ipsecmod respip validator iterator<br>TCP Fastopen feature available<br></span><br></div><div><br></div><div>In /etc/unbound I have the following structure:</div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">root.hints</span><br><span style="color:rgb(24,178,24)">unbound.conf</span><span style="color:rgb(0,0,0)"></span><br><span style="font-weight:bold;color:rgb(84,84,255)">unbound.conf.d</span><span style="color:rgb(0,0,0)"></span><br>unbound.conf.ORIGINAL<br>unbound.conf.WRK<br>unbound_control.key<br>unbound_control.pem<br>unbound_server.key<br>unbound_server.pem<br><span
style="font-weight:bold;color:rgb(84,84,255)">var</span><br></span></div><div><br></div><div><br></div><div>my unbound.conf:</div><div>------------------------</div><div><br></div><div><br></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">server:</span><br><br>statistics-cumulative: yes<br>extended-statistics: yes<br>log-queries: yes<br>log-servfail: yes<br>verbosity: 1<br><br>interface: 127.0.0.1<br>interface: 116.202.87.165<br>interface: 192.168.120.251<br>interface: 192.168.110.250<br>interface: 192.168.100.250<br>outgoing-interface: 192.168.100.250<br>outgoing-interface: 192.168.110.250<br>outgoing-interface: 192.168.120.251<br>outgoing-interface: 116.202.87.165<br>num-threads: 2<br><br>include: /etc/unbound/unbound.conf.d/access_options.conf<br>include: /etc/unbound/unbound.conf.d/name_solving.conf<br>include: /etc/unbound/unbound.conf.d/privacy_options.conf<br>include: /etc/unbound/unbound.conf.d/cache_options.conf<br>include: /etc/unbound/unbound.conf.d/dnssec_options.conf<br>include: /etc/unbound/unbound.conf.d/blacklist.conf<br>include: /etc/unbound/unbound.conf.d/local_names.conf<br>include: /etc/unbound/unbound.conf.d/opennic_names.conf<br>include: /etc/unbound/unbound.conf.d/forwarders.conf<br>include: /etc/unbound/unbound.conf.d/view.conf<br><br>remote-control:  <br>       control-enable: yes<br>       control-interface: 127.0.0.1<br>       control-port: 8953<br>       control-use-cert: "no"<br><br>#backend: "testframe"<br>#secret-seed: "default"<br>#redis-server-host: 127.0.0.1<br>## redis server's TCP port<br>#redis-server-port: 6379<br># timeout (in ms) for communication with the redis server<br>#redis-timeout: 100<br># set timeout on redis records based on DNS response TTL<br>#redis-expire-records: no<br></span></div><div><br></div><div><br></div><div>the config of blacklist.conf:<br>------------------------------------</div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">local-zone: "<a 
href="http://zukxd6fkxqn.com/" target="_blank">zukxd6fkxqn.com</a>"always_nxdomain</span><br>local-zone: "<a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a>"always_nxdomain<br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">But when I do a DNS request from a client, </span></div><div><span style="font-family:monospace">it resolves the blacklisted domain<br><br></span></div><div><span style="font-family:monospace">like this:</span></div><div><span style="font-family:monospace">------------</span></div><div><span style="font-family:monospace"><span style="color:rgb(0,0,0)">dig <a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a></span><br><br>; <<>> DiG 9.16.15 <<>> <a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a><br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags:; udp: 1232<br>;; QUESTION SECTION:<br>;<a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a>.                        IN      A<br><br>;; ANSWER SECTION:<br><a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a>.         
1855    IN      A       103.224.212.219<br><br>;; Query time: 170 msec<br>;; SERVER: 192.168.100.250#53(192.168.100.250)<br>;; WHEN: Wed Nov 03 10:48:55 CET 2021<br>;; MSG SIZE  rcvd: 59<br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">In the past it worked, so that </span><span style="font-family:monospace"><a href="http://zy16eoat1w.com/" target="_blank">zy16eoat1w.com</a></span></div><div><span style="font-family:monospace">could not be retrieved / resolved.<br><br>What is wrong in my setup?<br>Does anyone have an idea or can help with hints?</span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">Best regards</span></div><div><span style="font-family:monospace">marko</span></div></div>
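An added example, not part of the original post: one way to narrow down a symptom like this is to compare the `always_nxdomain` entries in the blocklist fragment with the zones the running daemon reports, and to read the rcode from a saved `dig` answer. The function names, file names and sample data are constructed for illustration, and the `<zone>. <type>` layout of `unbound-control list_local_zones` output is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): offline comparison of a blocklist
# fragment against the zones a running unbound reports as loaded.

# missing_zones CONF LOADED
#   CONF   - config fragment with local-zone lines (e.g. blacklist.conf)
#   LOADED - saved output of `unbound-control list_local_zones`
#            (assumed format: "<zone>. <type>", one per line)
# Prints every always_nxdomain zone in CONF that LOADED does not list with
# that type. Accepts `"name"always_nxdomain` without a space, as in the post.
missing_zones() {
    awk '
        FILENAME == ARGV[1] {                 # zones the daemon reports
            if ($2 == "always_nxdomain") loaded[tolower($1)] = 1
            next
        }
        /^[ \t]*local-zone:/ {                # blocklist entries
            if (split($0, q, "\"") < 3) next  # no quoted zone name
            type = q[3]; gsub(/[ \t\r]/, "", type)
            if (type != "always_nxdomain") next
            zone = tolower(q[2])
            if (zone !~ /\.$/) zone = zone "."
            if (!(zone in loaded)) print zone
        }
    ' "$2" "$1"
}

# dig_status: read dig output on stdin and print the rcode from the HEADER line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p'
}

# Constructed sample data: the two blocklist lines from the post, and a
# list_local_zones result in which only the first zone is loaded.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'local-zone: "zukxd6fkxqn.com"always_nxdomain' \
                  'local-zone: "zy16eoat1w.com"always_nxdomain' > "$tmp/blacklist.conf"
    printf '%s\n' 'example.test. static' \
                  'zukxd6fkxqn.com. always_nxdomain' > "$tmp/loaded.txt"
    missing_zones "$tmp/blacklist.conf" "$tmp/loaded.txt"
    rm -rf "$tmp"
}
demo
```

On a live system the second argument would come from `unbound-control list_local_zones > loaded.txt`; an empty result from `missing_zones` means every blocklist entry is loaded as a global local zone.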