help needed with unbound / blacklist
Johannes B. Kernel
weberzbf at gmail.com
Thu Nov 4 12:05:13 UTC 2021
hello list,
on one of my servers I use "unbound" for blacklisting domains.
but it seems it's not working any longer after a past update of my system.
On the server is Gentoo Linux, kernel 5.14.15
Unbound is version 1.13.1
unbound -V
Version 1.13.1
Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu
--host=x86_64-pc-linux-gnu --mandir=/usr/share/man
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc
--localstatedir=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2
--htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/
--libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt
--disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb
--disable-static --disable-systemd --with-pythonmodule --with-pyunbound
--with-pthreads --with-libnghttp2 --disable-flto
--disable-rpath --enable-event-api --enable-ipsecmod --enable-tfo-client
--enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr
--with-pidfile=/run/unbound.pid
--with-rootkey-file=/etc/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l 24 Aug 2021
Linked modules: dns64 python cachedb ipsecmod respip validator iterator
TCP Fastopen feature available
in /etc/unbound I have the following structure:
root.hints
unbound.conf
unbound.conf.d
unbound.conf.ORIGINAL
unbound.conf.WRK
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem
var
my unbound.conf:
------------------------
server:
statistics-cumulative: yes
extended-statistics: yes
log-queries: yes
log-servfail: yes
verbosity: 1
interface: 127.0.0.1
interface: 116.202.87.165
interface: 192.168.120.251
interface: 192.168.110.250
interface: 192.168.100.250
outgoing-interface: 192.168.100.250
outgoing-interface: 192.168.110.250
outgoing-interface: 192.168.120.251
outgoing-interface: 116.202.87.165
num-threads: 2
include: /etc/unbound/unbound.conf.d/access_options.conf
include: /etc/unbound/unbound.conf.d/name_solving.conf
include: /etc/unbound/unbound.conf.d/privacy_options.conf
include: /etc/unbound/unbound.conf.d/cache_options.conf
include: /etc/unbound/unbound.conf.d/dnssec_options.conf
include: /etc/unbound/unbound.conf.d/blacklist.conf
include: /etc/unbound/unbound.conf.d/local_names.conf
include: /etc/unbound/unbound.conf.d/opennic_names.conf
include: /etc/unbound/unbound.conf.d/forwarders.conf
include: /etc/unbound/unbound.conf.d/view.conf
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
control-use-cert: "no"
#backend: "testframe"
#secret-seed: "default"
#redis-server-host: 127.0.0.1
## redis server's TCP port
#redis-server-port: 6379
# timeout (in ms) for communication with the redis server
#redis-timeout: 100
# set timeout on redis records based on DNS response TTL
#redis-expire-records: no
the config of blacklist.conf:
------------------------------------
local-zone: "zukxd6fkxqn.com"always_nxdomain
local-zone: "zy16eoat1w.com"always_nxdomain
but when I do a DNS request from a client,
it resolves the blacklisted domain,
like this:
------------
dig zy16eoat1w.com
; <<>> DiG 9.16.15 <<>> zy16eoat1w.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zy16eoat1w.com. IN A
;; ANSWER SECTION:
zy16eoat1w.com. 1855 IN A 103.224.212.219
;; Query time: 170 msec
;; SERVER: 192.168.100.250#53(192.168.100.250)
;; WHEN: Wed Nov 03 10:48:55 CET 2021
;; MSG SIZE rcvd: 59
in the past it worked that zy16eoat1w.com
could not be retrieved / resolved.
what is wrong in my setup?
does anyone have an idea or can help with hints?
best regards
marko
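
A check that can be run after each system update to confirm the blocklist is still enforced on every listening address (added example, not part of the original post; the script and function names are hypothetical). It reads `local-zone: "..." always_nxdomain` lines, sends a plain UDP A query for each name to each resolver address given, and reports every name that does not come back NXDOMAIN.

```python
import re
import socket
import struct
import sys

# Whitespace between the quoted name and the type is treated as optional,
# because the page shows the lines without any.
ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"]+)"\s*always_nxdomain\b')
NXDOMAIN = 3

def blocked_names(conf_text):
    """Zone names that a blacklist.conf-style text asks Unbound to block."""
    return [m.group(1).rstrip(".") for line in conf_text.splitlines()
            if (m := ZONE_RE.match(line))]

def build_query(name, qid=0x1234):
    """Minimal DNS query for the A record of `name`, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def rcode(response):
    """4-bit RCODE from a DNS response header (0 = NOERROR, 3 = NXDOMAIN)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def find_leaks(conf_text, resolvers, timeout=2.0):
    """Return (resolver, name, rcode) for every name not answered NXDOMAIN."""
    leaks = []
    for ip in resolvers:
        for name in blocked_names(conf_text):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                try:
                    s.sendto(build_query(name), (ip, 53))
                    code = rcode(s.recv(512))
                except (OSError, ValueError):
                    code = None  # no usable answer: report it, do not assume blocked
            if code != NXDOMAIN:
                leaks.append((ip, name, code))
    return leaks

if __name__ == "__main__":
    # usage: check_blocklist.py <blacklist.conf> <resolver-ip> [<resolver-ip> ...]
    with open(sys.argv[1]) as fh:
        for leak in find_leaks(fh.read(), sys.argv[2:]):
            print("NOT blocked: resolver=%s name=%s rcode=%s" % leak)
```

Running it against each `interface:` address in turn shows whether the block is missing everywhere or only for queries arriving on some addresses.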