Hi Marko,
The local-zone configuration that you present does work.
Since you also include other configuration files, maybe something there
prevents the blacklist.conf file's contents from being used for
specific clients? I see from the filenames that you also may have access-control
and view options that may affect this.
Best regards,
-- George
On 04/11/2021 13:05, Johannes B. Kernel via Unbound-users wrote:
Hello list,
on one of my servers I use "unbound" for blacklisting domains,
but it seems it is not working any longer after a past update of my system.
The server runs Gentoo Linux, kernel 5.14.15.
Unbound is version 1.13.1:
unbound -V
Version 1.13.1
Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --docdir=/usr/share/doc/unbound-1.13.1-r2 --htmldir=/usr/share/doc/unbound-1.13.1-r2/html --with-sysroot=/ --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-subnet --enable-cachedb --disable-static --disable-systemd --with-pythonmodule --with-pyunbound --with-pthreads --with-libnghttp2 --disable-flto --disable-rpath --enable-event-api --enable-ipsecmod --enable-tfo-client --enable-tfo-server --with-libevent=/usr --with-libhiredis=/usr --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1l 24 Aug 2021
Linked modules: dns64 python cachedb ipsecmod respip validator iterator
TCP Fastopen feature available
In /etc/unbound I have the following structure:
root.hints
unbound.conf
unbound.conf.d
unbound.conf.ORIGINAL
unbound.conf.WRK
unbound_control.key
unbound_control.pem
unbound_server.key
unbound_server.pem
var
My unbound.conf:
------------------------
server:
    statistics-cumulative: yes
    extended-statistics: yes
    log-queries: yes
    log-servfail: yes
    verbosity: 1
    interface: 127.0.0.1
    interface: 116.202.87.165
    interface: 192.168.120.251
    interface: 192.168.110.250
    interface: 192.168.100.250
    outgoing-interface: 192.168.100.250
    outgoing-interface: 192.168.110.250
    outgoing-interface: 192.168.120.251
    outgoing-interface: 116.202.87.165
    num-threads: 2
    include: /etc/unbound/unbound.conf.d/access_options.conf
    include: /etc/unbound/unbound.conf.d/name_solving.conf
    include: /etc/unbound/unbound.conf.d/privacy_options.conf
    include: /etc/unbound/unbound.conf.d/cache_options.conf
    include: /etc/unbound/unbound.conf.d/dnssec_options.conf
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/local_names.conf
    include: /etc/unbound/unbound.conf.d/opennic_names.conf
    include: /etc/unbound/unbound.conf.d/forwarders.conf
    include: /etc/unbound/unbound.conf.d/view.conf

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    control-use-cert: "no"

    #backend: "testframe"
    #secret-seed: "default"
    #redis-server-host: 127.0.0.1
    ## redis server's TCP port
    #redis-server-port: 6379
    # timeout (in ms) for communication with the redis server
    #redis-timeout: 100
    # set timeout on redis records based on DNS response TTL
    #redis-expire-records: no
The config of blacklist.conf:
------------------------------------
local-zone: "zukxd6fkxqn.com" always_nxdomain
local-zone: "zy16eoat1w.com" always_nxdomain
But when I do a DNS request from a client,
it resolves the blacklisted domain,
like this:
------------
dig zy16eoat1w.com

; <<>> DiG 9.16.15 <<>> zy16eoat1w.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;zy16eoat1w.com.                IN      A

;; ANSWER SECTION:
zy16eoat1w.com.         1855    IN      A       103.224.212.219

;; Query time: 170 msec
;; SERVER: 192.168.100.250#53(192.168.100.250)
;; WHEN: Wed Nov 03 10:48:55 CET 2021
;; MSG SIZE  rcvd: 59
In the past it worked: zy16eoat1w.com
could not be retrieved / resolved.
What is wrong in my setup?
Does anyone have an idea or can help with hints?
Best regards,
Marko
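George's hint points at the include files, and in particular at views: per unbound.conf(5), a client that is mapped into a view by access-control-view only falls through to the global local-zone / local-data entries when that view sets view-first: yes (the default is no). The following is an added example for this thread, not the poster's files and not Unbound's code. It parses a small, constructed unbound.conf that copies the layout from the post (blacklist.conf included into the server clause, then a hypothetical view.conf that routes the 192.168.100.0/24 LAN into a view named "lan"; the paths, the view and the client addresses are assumptions) and answers which local-zone, if any, Unbound would use for a given client and name.

```python
# Added example: a minimal model of Unbound's local-zone selection with views.
# It is not Unbound's parser; it only handles the options needed for the question.
import ipaddress
import re

# Clause keywords that open a new section in unbound.conf(5).
CLAUSES = {"server", "view", "remote-control", "forward-zone", "stub-zone",
           "auth-zone", "cachedb", "python", "dnstap", "rpz"}

# Constructed sample modelled on the post; paths, the "lan" view and its
# netblock are assumptions, not the poster's real content.
UNBOUND_CONF = """
server:
    interface: 192.168.100.250
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/view.conf
remote-control:
    control-enable: yes
"""
INCLUDES = {   # stands in for the filesystem: path -> file contents
    "/etc/unbound/unbound.conf.d/blacklist.conf":
        'local-zone: "zukxd6fkxqn.com" always_nxdomain\n'
        'local-zone: "zy16eoat1w.com" always_nxdomain\n',
    "/etc/unbound/unbound.conf.d/view.conf":
        "access-control-view: 192.168.100.0/24 lan\n"
        "view:\n"
        '    name: "lan"\n'
        '    local-zone: "home.lan." static\n',
}
# The same layout with the view told to fall back to the global local-zones.
FIXED_INCLUDES = dict(INCLUDES)
FIXED_INCLUDES["/etc/unbound/unbound.conf.d/view.conf"] += "    view-first: yes\n"


def _lines(text, includes, seen=frozenset()):
    """Yield stripped, comment-free lines, splicing include: files in place."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'include:\s*"?([^"\s]+)"?$', line)
        if not m:
            yield line
            continue
        path = m.group(1)
        if path in seen:
            raise ValueError(f"include loop at {path}")
        if path not in includes:
            raise FileNotFoundError(path)
        yield from _lines(includes[path], includes, seen | {path})


def parse(text, includes):
    """Collect global local-zones, access-control-view mappings and the views."""
    cfg = {"local-zone": [], "access-control-view": [], "views": []}
    clause, current = None, None
    for line in _lines(text, includes):
        if line.endswith(":") and line[:-1] in CLAUSES:
            clause = line[:-1]
            if clause == "server":
                current = cfg
            elif clause == "view":
                current = {"name": None, "local-zone": [], "view-first": "no"}
                cfg["views"].append(current)
            else:
                current = None          # clauses this model does not care about
            continue
        if current is None:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "local-zone":
            zm = re.fullmatch(r'"?([^"\s]+)"?\s+(\S+)', val)
            if not zm:
                raise ValueError(f"bad local-zone line: {line}")
            current["local-zone"].append((zm.group(1).rstrip(".").lower(), zm.group(2)))
        elif key == "access-control-view" and clause == "server":
            net, view = val.split()
            current["access-control-view"].append((ipaddress.ip_network(net, strict=False), view))
        elif key == "name" and clause == "view":
            current["name"] = val.strip('"')
        elif key == "view-first" and clause == "view":
            current["view-first"] = val.strip('"').lower()
    return cfg


def match_zone(zones, qname):
    """Most specific local-zone covering qname as (zone, type), or None."""
    q = qname.rstrip(".").lower()
    best = None
    for zone, ztype in zones:
        if zone == "" or q == zone or q.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ztype)
    return best


def lookup(cfg, client_ip, qname):
    """Return (view name or None, local-zone hit or None) for this client and name."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(n, v) for n, v in cfg["access-control-view"] if ip in n]
    if not hits:
        return None, match_zone(cfg["local-zone"], qname)
    net, name = max(hits, key=lambda h: h[0].prefixlen)   # longest prefix wins
    view = next(v for v in cfg["views"] if v["name"] == name)
    hit = match_zone(view["local-zone"], qname)
    if hit is None and view["view-first"] == "yes":       # only then: global zones
        hit = match_zone(cfg["local-zone"], qname)
    return name, hit


if __name__ == "__main__":
    for label, inc in (("as posted", INCLUDES), ("with view-first: yes", FIXED_INCLUDES)):
        cfg = parse(UNBOUND_CONF, inc)
        for client in ("10.0.0.5", "192.168.100.17"):
            view, hit = lookup(cfg, client, "zy16eoat1w.com")
            print(f"{label:21} client {client:15} view={view} -> {hit or 'no local-zone, goes upstream'}")
```

With the layout as posted, a client outside the view gets always_nxdomain for zy16eoat1w.com, while a client inside the "lan" view gets no local-zone match at all and the query goes upstream, which is exactly the symptom in the dig output; adding view-first: yes to the view restores the blacklist for those clients. On the real server, `unbound-checkconf` confirms the includes parse, and `unbound-control list_local_zones` shows whether the blacklist zones were loaded globally; the 1855 s TTL in the dig answer also shows it came from cache, so flush the name after fixing the config before re-testing.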