help needed with unbound / blacklist

Johannes B. Kernel weberzbf at gmail.com
Thu Nov 4 12:05:13 UTC 2021


Hello list,

On one of my servers I use "unbound" for blacklisting domains.
But it seems it's not working any longer after a past update of my system.

The server runs Gentoo Linux, kernel 5.14.15.
Unbound is version 1.13.1.

unbound -V
Version 1.13.1

Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2 --htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/ --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb --disable-static --disable-systemd --with-pythonmodule --with-pyunbound --with-pthreads --with-libnghttp2 --disable-flto --disable-rpath --enable-event-api --enable-ipsecmod --enable-tfo-client --enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l  24 Aug 2021
Linked modules: dns64 python cachedb ipsecmod respip validator iterator
TCP Fastopen feature available


In /etc/unbound I have the following structure:

root.hints
unbound.conf
unbound.conf.d
unbound.conf.ORIGINAL
unbound.conf.WRK
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem
var


my unbound.conf:
------------------------


server:

statistics-cumulative: yes
extended-statistics: yes
log-queries: yes
log-servfail: yes
verbosity: 1

interface: 127.0.0.1
interface: 116.202.87.165
interface: 192.168.120.251
interface: 192.168.110.250
interface: 192.168.100.250
outgoing-interface: 192.168.100.250
outgoing-interface: 192.168.110.250
outgoing-interface: 192.168.120.251
outgoing-interface: 116.202.87.165
num-threads: 2

include: /etc/unbound/unbound.conf.d/access_options.conf
include: /etc/unbound/unbound.conf.d/name_solving.conf
include: /etc/unbound/unbound.conf.d/privacy_options.conf
include: /etc/unbound/unbound.conf.d/cache_options.conf
include: /etc/unbound/unbound.conf.d/dnssec_options.conf
include: /etc/unbound/unbound.conf.d/blacklist.conf
include: /etc/unbound/unbound.conf.d/local_names.conf
include: /etc/unbound/unbound.conf.d/opennic_names.conf
include: /etc/unbound/unbound.conf.d/forwarders.conf
include: /etc/unbound/unbound.conf.d/view.conf

remote-control:
       control-enable: yes
       control-interface: 127.0.0.1
       control-port: 8953
       control-use-cert: "no"

#backend: "testframe"
#secret-seed: "default"
#redis-server-host: 127.0.0.1
## redis server's TCP port
#redis-server-port: 6379
# timeout (in ms) for communication with the redis server
#redis-timeout: 100
# set timeout on redis records based on DNS response TTL
#redis-expire-records: no


the config of blacklist.conf:
------------------------------------
local-zone: "zukxd6fkxqn.com"always_nxdomain
local-zone: "zy16eoat1w.com"always_nxdomain


But when I do a DNS request from a client,
it resolves the blacklisted domain

like this:
------------
dig zy16eoat1w.com

; <<>> DiG 9.16.15 <<>> zy16eoat1w.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zy16eoat1w.com.                        IN      A

;; ANSWER SECTION:
zy16eoat1w.com.         1855    IN      A       103.224.212.219

;; Query time: 170 msec
;; SERVER: 192.168.100.250#53(192.168.100.250)
;; WHEN: Wed Nov 03 10:48:55 CET 2021
;; MSG SIZE  rcvd: 59


In the past it worked that zy16eoat1w.com
could not be retrieved / resolved.

What is wrong in my setup?
Does anyone have an idea or can help with hints?

Best regards
marko
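
A regression check for the symptom described in this message, as an added example that is not part of the original post: it compares the local-zone entries of blacklist.conf with a resolver's dig answer and reports a listed name that still resolves, including names below a listed zone. The function names and the rcode table (only always_nxdomain and always_refuse) are assumptions of this example.

```python
import re

# Space between the quoted name and the zone type is optional in this pattern,
# so the lines are accepted exactly as they appear in the post.
LOCAL_ZONE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s*([a-z_]+)\s*$')
EXPECTED = {"always_nxdomain": "NXDOMAIN", "always_refuse": "REFUSED"}

BLACKLIST = '''local-zone: "zukxd6fkxqn.com"always_nxdomain
local-zone: "zy16eoat1w.com"always_nxdomain'''  # copied from the post
DIG = ''';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;zy16eoat1w.com.                        IN      A'''  # excerpt of the post's dig output

def parse_blacklist(text):
    """Map zone name (lower-case, no trailing dot) to its local-zone type."""
    zones = {}
    for line in text.splitlines():
        m = LOCAL_ZONE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            zones[m.group(1).lower().rstrip(".")] = m.group(2)
    return zones

def parse_dig(text):
    """Extract (qname, rcode, answer count) from dig's default output."""
    rcode = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname = re.search(r"^;([^\s;]+)\s+IN\s", text, re.M).group(1)
    return qname.lower().rstrip("."), rcode, answers

def covering_zone(qname, zones):
    """A local-zone covers its own name and every name below it."""
    labels = qname.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None

def check(blacklist_text, dig_text):
    """None if the queried name is not listed, else a finding dict."""
    zones = parse_blacklist(blacklist_text)
    qname, rcode, answers = parse_dig(dig_text)
    zone = covering_zone(qname, zones)
    if zone is None:
        return None
    want = EXPECTED.get(zones[zone])  # None: zone type not modelled here
    ok = None if want is None else (rcode == want and answers == 0)
    return {"zone": zone, "expected": want, "got": rcode, "enforced": ok}
```

Running check(BLACKLIST, DIG) on the data from this message reports the zone as not enforced; feeding it fresh dig output after each system update turns the manual test into a repeatable one.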