help needed with unbound / blacklist

George Thessalonikefs george at nlnetlabs.nl
Mon Dec 27 14:04:44 UTC 2021


Hi Marko,

The local-zone configuration that you present does work.
Since you also include other configuration files, maybe something there 
prevents the blacklist.conf file's contents from being used for 
specific clients? I see that you also may have access control and view 
options (from the filenames) that may affect this.

Best regards,
-- George

On 04/11/2021 13:05, Johannes B. Kernel via Unbound-users wrote:
> hello list,
> 
> On one of my servers I use "unbound" for blacklisting domains,
> but it seems it is not working any longer after a past update of my system.
> 
> The server runs Gentoo Linux, kernel 5.14.15.
> Unbound is version 1.13.1.
> 
> unbound -V
> Version 1.13.1
> 
> Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu
> --host=x86_64-pc-linux-gnu --mandir=/usr/share/man
> --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
> --localstatedir=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2
> --htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/
> --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt
> --disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb
> --disable-static --disable-systemd --with-pythonmodule --with-pyunbound
> --with-pthreads --with-libnghttp2 --disable-flto --disable-rpath
> --enable-event-api --enable-ipsecmod --enable-tfo-client
> --enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr
> --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/dnssec/root-anchors.txt
> --with-ssl=/usr --with-libexpat=/usr
> Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
> Linked modules: dns64 python cachedb ipsecmod respip validator iterator
> TCP Fastopen feature available
> 
> 
> In /etc/unbound I have the following structure:
> 
> root.hints
> unbound.conf
> unbound.conf.d
> unbound.conf.ORIGINAL
> unbound.conf.WRK
> unbound_control.key
> unbound_control.pem
> unbound_server.key
> unbound_server.pem
> var
> 
> 
> My unbound.conf:
> ------------------------
> 
> 
> server:
> 
> statistics-cumulative: yes
> extended-statistics: yes
> log-queries: yes
> log-servfail: yes
> verbosity: 1
> 
> interface: 127.0.0.1
> interface: 116.202.87.165
> interface: 192.168.120.251
> interface: 192.168.110.250
> interface: 192.168.100.250
> outgoing-interface: 192.168.100.250
> outgoing-interface: 192.168.110.250
> outgoing-interface: 192.168.120.251
> outgoing-interface: 116.202.87.165
> num-threads: 2
> 
> include: /etc/unbound/unbound.conf.d/access_options.conf
> include: /etc/unbound/unbound.conf.d/name_solving.conf
> include: /etc/unbound/unbound.conf.d/privacy_options.conf
> include: /etc/unbound/unbound.conf.d/cache_options.conf
> include: /etc/unbound/unbound.conf.d/dnssec_options.conf
> include: /etc/unbound/unbound.conf.d/blacklist.conf
> include: /etc/unbound/unbound.conf.d/local_names.conf
> include: /etc/unbound/unbound.conf.d/opennic_names.conf
> include: /etc/unbound/unbound.conf.d/forwarders.conf
> include: /etc/unbound/unbound.conf.d/view.conf
> 
> remote-control:
>         control-enable: yes
>         control-interface: 127.0.0.1
>         control-port: 8953
>         control-use-cert: "no"
> 
> #backend: "testframe"
> #secret-seed: "default"
> #redis-server-host: 127.0.0.1
> ## redis server's TCP port
> #redis-server-port: 6379
> # timeout (in ms) for communication with the redis server
> #redis-timeout: 100
> # set timeout on redis records based on DNS response TTL
> #redis-expire-records: no
> 
> 
> The config of blacklist.conf:
> ------------------------------------
> local-zone: "zukxd6fkxqn.com" always_nxdomain
> local-zone: "zy16eoat1w.com" always_nxdomain
> 
> 
> But when I do a DNS request from a client,
> it resolves the blacklisted domain,
> 
> like this:
> ------------
> dig zy16eoat1w.com
> 
> ; <<>> DiG 9.16.15 <<>> zy16eoat1w.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;zy16eoat1w.com.                        IN      A
> 
> ;; ANSWER SECTION:
> zy16eoat1w.com.         1855    IN      A       103.224.212.219
> 
> ;; Query time: 170 msec
> ;; SERVER: 192.168.100.250#53(192.168.100.250)
> ;; WHEN: Wed Nov 03 10:48:55 CET 2021
> ;; MSG SIZE  rcvd: 59
> 
> 
> In the past it worked, so that zy16eoat1w.com
> could not be retrieved / resolved.
> 
> What is wrong in my setup?
> Does anyone have an idea, or can help with hints?
> 
> best regards
> marko
> 
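The point George raises, that an include carrying access-control or view options can keep a correct blacklist.conf from applying to specific clients, can be checked mechanically. The script below is an added example, not code from this thread or from the Unbound project. It splices include: files in at the point where they appear (which is how unbound reads them, so a clause opened before the include stays open inside it), collects the server-wide "local-zone ... always_nxdomain" entries, and then reports every netblock that access-control-view maps into a view without "view-first: yes". Such a client is answered from the view's own local zones only; unbound consults the global local zones for it solely when view-first is yes, and the default is no. All file contents in SAMPLE_FILES are constructed for the demonstration (the post only shows the file names and the two zone names), and the function names parse_unbound, audit and run_audit are this example's own.

```python
"""Audit an unbound.conf tree for views that hide the global always_nxdomain zones.

Added example, not code from the thread or from Unbound. SAMPLE_FILES is
constructed; only the two blacklisted zone names come from the original post.
"""
import fnmatch
import shlex

# Keywords that open a new clause in unbound.conf.
CLAUSES = {"server", "view", "remote-control", "forward-zone", "stub-zone",
           "auth-zone", "rpz", "cachedb", "python", "dynlib", "dnscrypt", "ipset"}


def _expand(path, files, depth=0):
    """Yield (key, value) per directive, splicing include: files in at that spot,
    as unbound does, so a clause opened before the include stays open inside it."""
    if depth > 16:  # an include loop must not hang the audit
        raise RecursionError("include: nesting too deep at " + path)
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), " ".join(shlex.split(value))  # strip optional quotes
        if key == "include":  # include: may be a glob; expand in sorted order
            for name in sorted(n for n in files if fnmatch.fnmatch(n, value)):
                yield from _expand(name, files, depth + 1)
        else:
            yield key, value


def parse_unbound(path, files):
    """Return (clause, key, value) triples for the whole config tree."""
    records, clause = [], None
    for key, value in _expand(path, files):
        if key in CLAUSES and value == "":
            clause = key
            records.append((clause, "__clause__", ""))
        else:
            records.append((clause, key, value))
    return records


def audit(records):
    """List clients whose view answers without falling back to the global local zones."""
    res = {"global_nxdomain": set(), "view_clients": [], "shadowed": []}
    views, cur = {}, None
    for clause, key, value in records:
        parts = value.split()
        if key == "__clause__":
            cur = {"view_first": False, "local_zones": set()} if clause == "view" else None
        elif clause == "view":
            if key == "name":
                views[value] = cur
            elif key == "view-first":
                cur["view_first"] = value.lower() == "yes"
            elif key == "local-zone" and parts:
                cur["local_zones"].add(parts[0].lower().rstrip("."))
        elif clause == "server":
            if key == "local-zone" and len(parts) == 2 and parts[1] == "always_nxdomain":
                res["global_nxdomain"].add(parts[0].lower().rstrip("."))
            elif key == "access-control-view" and len(parts) == 2:
                res["view_clients"].append(tuple(parts))
    for net, name in res["view_clients"]:
        view = views.get(name)  # an undefined view is rejected by unbound-checkconf anyway
        if view is not None and not view["view_first"]:  # view-first: no never reaches the global tree
            missing = sorted(res["global_nxdomain"] - view["local_zones"])
            if missing:
                res["shadowed"].append({"net": net, "view": name, "missing": missing})
    return res


SAMPLE_FILES = {  # constructed contents; the include layout mirrors the post
    "/etc/unbound/unbound.conf": """
server:
    include: /etc/unbound/unbound.conf.d/access_options.conf
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/view.conf
remote-control:
    control-enable: yes
""",
    "/etc/unbound/unbound.conf.d/access_options.conf": """
access-control: 192.168.100.0/24 allow
access-control-view: 192.168.100.0/24 lan
access-control-view: 192.168.110.0/24 guest
""",
    "/etc/unbound/unbound.conf.d/blacklist.conf": """
local-zone: "zukxd6fkxqn.com" always_nxdomain
local-zone: "zy16eoat1w.com" always_nxdomain
""",
    "/etc/unbound/unbound.conf.d/view.conf": """
view:
    name: "lan"
    local-data: "printer.lan. A 192.168.100.20"  # no view-first: blacklist never consulted
view:
    name: "guest"
    view-first: yes                              # falls back to the server-wide local zones
""",
}


def run_audit(files=SAMPLE_FILES, root="/etc/unbound/unbound.conf"):
    return audit(parse_unbound(root, files))


if __name__ == "__main__":
    for s in run_audit()["shadowed"]:
        print("%s -> view %r lacks view-first; clients there can still resolve: %s"
              % (s["net"], s["view"], ", ".join(s["missing"])))
```

On a live server, replace the dict with the files read from disk and compare the result with what unbound itself reports: unbound-control list_local_zones shows the server-wide zones, and unbound-control view_list_local_zones <view> shows what a client in that view actually gets. The fix for a shadowed view is either "view-first: yes" in the view clause or repeating the blacklist entries inside it.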

