Whitelist problems? #426

Closed
parasit opened this issue Jan 31, 2022 · 7 comments
Labels: 📙 documentation (Improvements or additions to documentation), ❔ question (Further information is requested)

parasit commented Jan 31, 2022

Hi,
I have installed blocky (blocky_0.17_Linux_armv7) on my local network on my Raspberry Pi (192.168.1.38).
Blocking works very well, only sometimes even too well ...
I tried to add some entries to whiteList, but it looks like they are ignored.
The question is, is this a configuration problem or something else?

E.g. for almost all reddit links from email, the browser returns the error DNS_PROBE_FINISHED_NXDOMAIN.
Same result from nslookup:

> nslookup click.redditmail.com
Server:  UnKnown
Address:  192.168.1.38

Non-authoritative answer:
Name:    click.redditmail.com
Address:  0.0.0.0

> nslookup click.redditmail.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    thirdparty.bnc.lt
Addresses:  54.215.151.87
          13.57.159.75
Aliases:  click.redditmail.com

Below is my blocky config:

❯ cat config.yml
upstream:
  default:
    - 46.182.19.48
    - 80.241.218.68
    - tcp-tls:fdns1.dismail.de:853
    - https://dns.digitale-gesellschaft.ch/dns-query
blocking:
  whiteLists:
    ads:
      - |
        /reddit/
        /orbitfiles/
  blackLists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://abp.oisd.nl/
      - https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt
  clientGroupsBlock:
    default:
      - ads
port: 53
httpPort: 4000
prometheus:
  enable: true

P.S. I also tried with a whitelist from a file, but with the same result.

0xERR0R added the ❔ question label Feb 1, 2022
0xERR0R (Owner) commented Feb 1, 2022

I tried your configuration and it worked (I changed the port to 55555 and enabled the debug log level):

> dig @localhost -p 55555 click.redditmail.com +tcp
; <<>> DiG 9.16.1-Ubuntu <<>> @localhost -p 55555 click.redditmail.com +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26805
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; CLIENT-SUBNET: 185.95.218.0/24/0
;; QUESTION SECTION:
;click.redditmail.com.          IN      A

;; ANSWER SECTION:
click.redditmail.com.   220     IN      CNAME   thirdparty.bnc.lt.
thirdparty.bnc.lt.      60      IN      A       13.57.159.75
thirdparty.bnc.lt.      60      IN      A       54.215.151.87

;; Query time: 260 msec
;; SERVER: 127.0.0.1#55555(127.0.0.1)
;; WHEN: Tue Feb 01 08:57:05 CET 2022
;; MSG SIZE  rcvd: 123

Here is the log:

[2022-02-01 07:57:05] DEBUG server: new request
[2022-02-01 07:57:05] DEBUG blacklist_resolver: checking groups for request client_ip=172.26.0.1 client_names=172.26.0.1 groupsToCheck=ads question=A (click.redditmail.com.)
[2022-02-01 07:57:05] DEBUG regexCache: regex 'reddit' matched with 'click.redditmail.com'
[2022-02-01 07:57:05] DEBUG blacklist_resolver: domain is whitelisted client_ip=172.26.0.1 client_names=172.26.0.1 domain=click.redditmail.com group=ads question=A (click.redditmail.com.)
[2022-02-01 07:57:05] DEBUG caching_resolver: not in cache: go to next resolver client_ip=172.26.0.1 client_names=172.26.0.1 domain=click.redditmail.com next_resolver=ConditionalUpstreamResolver question=A (click.redditmail.com.)
[2022-02-01 07:57:05] DEBUG parallel_best_resolver: delegating to resolver client_ip=172.26.0.1 client_names=172.26.0.1 question=A (click.redditmail.com.) resolver=upstream 'https:https://dns.digitale-gesellschaft.ch:443/dns-query'
[2022-02-01 07:57:05] DEBUG upstream_resolver: received response from upstream answer=CNAME (thirdparty.bnc.lt.), A (13.57.159.75), A (54.215.151.87) client_ip=172.26.0.1 client_names=172.26.0.1 net=https protocol=TCP question=A (click.redditmail.com.) response_time_ms=248 return_code=NOERROR upstream=https://dns.digitale-gesellschaft.ch:443/dns-query
[2022-02-01 07:57:05]  INFO queryLog: query resolved answer=CNAME (thirdparty.bnc.lt.), A (13.57.159.75), A (54.215.151.87) client_ip=172.26.0.1 client_names=172.26.0.1 duration_ms=249 question=A (click.redditmail.com.) response_code=NOERROR response_reason=RESOLVED (https://dns.digitale-gesellschaft.ch:443/dns-query)

Did you restart blocky after adding the whitelist entry? The config file will be read only on startup.

parasit (Author) commented Feb 1, 2022

It normally works as a service for me, but in this case I started it manually after each change.
I will try to run it in debug mode.

parasit (Author) commented Feb 1, 2022

Sorry for the confusion. It looks like the problem is in the external DNS servers:

[2022-02-01 11:00:35]  INFO queryLog: query resolved answer=A (0.0.0.0) client_ip=::1 client_names=::1 duration_ms=112 question=A (click.redditmail.com.) response_code=NOERROR response_reason=RESOLVED (80.241.218.68:53)

0xERR0R (Owner) commented Feb 1, 2022

80.241.218.68 already performs ad blocking, see here: https://dismail.de/info.html#dns

If the upstream DNS server already blocks some queries, blocky can't blacklist them.

Please try to remove this server from your configuration.
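As an added illustration (not code from this thread or from the blocky project): a small Python check that scans blocky queryLog lines for answers marked RESOLVED by an upstream whose only addresses are sinkhole values (0.0.0.0 or ::). Such lines point at an upstream that filters on its own, as in the 80.241.218.68 case above, rather than at blocky's lists. The line format is modelled on the log lines quoted in this thread; the sample lines are constructed.

```python
import re

# Constructed sample lines modelled on blocky's queryLog output as quoted in this thread.
SAMPLE_LOG = """\
[2022-02-01 11:00:35]  INFO queryLog: query resolved answer=A (0.0.0.0) client_ip=::1 client_names=::1 duration_ms=112 question=A (click.redditmail.com.) response_code=NOERROR response_reason=RESOLVED (80.241.218.68:53)
[2022-02-01 07:57:05]  INFO queryLog: query resolved answer=CNAME (thirdparty.bnc.lt.), A (13.57.159.75), A (54.215.151.87) client_ip=172.26.0.1 client_names=172.26.0.1 duration_ms=249 question=A (click.redditmail.com.) response_code=NOERROR response_reason=RESOLVED (https://dns.digitale-gesellschaft.ch:443/dns-query)
[2022-02-01 07:58:10]  INFO queryLog: query resolved answer=AAAA (::) client_ip=::1 client_names=::1 duration_ms=90 question=AAAA (example.test.) response_code=NOERROR response_reason=RESOLVED (80.241.218.68:53)
"""

# Fields we need: the answer list, the queried name, the response reason and the upstream.
LINE_RE = re.compile(
    r"queryLog: query resolved answer=(?P<answer>.*?) client_ip=.*?"
    r"question=\S+ \((?P<qname>[^)]+)\) response_code=(?P<rcode>\S+) "
    r"response_reason=(?P<reason>\S+) \((?P<upstream>[^)]+)\)"
)
SINKHOLE_ADDRS = {"0.0.0.0", "::"}


def upstream_sinkholed(line):
    """Return (qname, upstream) when an upstream-RESOLVED answer consists only of sinkhole addresses, else None."""
    m = LINE_RE.search(line)
    if not m or m.group("reason") != "RESOLVED":
        return None
    # Collect the A/AAAA record values; CNAME entries are ignored ("CNAME (" has no word boundary before "A").
    addrs = set(re.findall(r"\b(?:A|AAAA) \(([^)]+)\)", m.group("answer")))
    if addrs and addrs <= SINKHOLE_ADDRS:
        return m.group("qname").rstrip("."), m.group("upstream")
    return None


def find_blocking_upstreams(log_text):
    """Map each upstream that returned sinkhole-only answers to the names it answered that way."""
    hits = {}
    for line in log_text.splitlines():
        result = upstream_sinkholed(line)
        if result:
            qname, upstream = result
            hits.setdefault(upstream, []).append(qname)
    return hits


if __name__ == "__main__":
    for upstream, names in find_blocking_upstreams(SAMPLE_LOG).items():
        print(f"{upstream} answered with sinkhole addresses for: {', '.join(names)}")
```

Any upstream listed by this check will override a blocky whitelist entry for those names, so it is the one to drop from `upstream.default` if unfiltered resolution is wanted.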

0xERR0R (Owner) commented Feb 1, 2022

I think it would make sense to change the example configuration and use only non-blocking DNS servers.

0xERR0R added the 📙 documentation label Feb 1, 2022
0xERR0R self-assigned this Feb 1, 2022
0xERR0R added this to the 0.18 milestone Feb 1, 2022
andryou commented Feb 1, 2022

@parasit Not related, but in your config I believe you may need to change https://abp.oisd.nl/ to https://hosts.oisd.nl/ or https://dbl.oisd.nl/; the latter is probably more ideal as it is in plain domain list format and a slightly smaller file size. Unless I am mistaken, Adblock-syntax blocklists aren't supported (please correct me if I am wrong!):

External blacklists must be either in the well-known Hosts format or just a plain domain list (one domain per line). Blocky also supports regex as more powerful tool to define patterns to block.
https://0xerr0r.github.io/blocky/configuration/#blocking-and-whitelisting

@0xERR0R I agree on changing the example config to use non-blocking DNS servers, such as 1.1.1.1 and perhaps 9.9.9.9 (9.9.9.9 does have some blocking but is a very favourable option over at Reddit). Thank you for all your work by the way! I am intrigued by this project and am thinking of taking my pi out of my drawer.
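As an added example (not blocky's own code), a Python reader for the list formats the documentation quoted above accepts (hosts format, plain domain list, and `/regex/` entries) that flags Adblock-syntax lines as unsupported, plus a matcher for checking a name against the parsed list. Two assumptions are labelled in the code: regex entries are applied as unanchored searches, modelled on the `regex 'reddit' matched with 'click.redditmail.com'` log line above, and a listed domain also covers its subdomains. The sample list is constructed.

```python
import re

# Constructed sample list mixing the accepted formats with one Adblock-syntax line.
SAMPLE_LIST = """\
# hosts format (as in StevenBlack/hosts)
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # inline comment
# plain domain list (as in dbl.oisd.nl)
click.redditmail.com
# regex entry, as used in the whiteLists section of the config above
/reddit/
# Adblock syntax: not supported by blocky according to the thread
||adblock-only.example.test^
"""


def parse_list(text):
    """Return (domains, regexes, unsupported) for a blocklist/whitelist body."""
    domains, regexes, unsupported = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if len(line) > 2 and line.startswith("/") and line.endswith("/"):
            regexes.append(re.compile(line[1:-1]))  # /pattern/ entry
        elif line.startswith(("||", "@@", "!")) or line.endswith("^"):
            unsupported.append(line)  # Adblock filter syntax: reported, never applied
        else:
            parts = line.split()
            # hosts format is "<ip> <host> [host ...]"; a plain list line is just "<host>"
            hosts = parts[1:] if len(parts) > 1 else parts
            domains.update(h.lower() for h in hosts)
    return domains, regexes, unsupported


def matches(name, domains, regexes):
    """True if the name (or, by assumption, a parent domain) is listed, or a regex finds a match."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    # Assumption: a listed domain also covers its subdomains.
    if any(".".join(labels[i:]) in domains for i in range(len(labels))):
        return True
    # Assumption: regexes are applied with an unanchored search, as the log line suggests.
    return any(r.search(name) for r in regexes)


if __name__ == "__main__":
    domains, regexes, unsupported = parse_list(SAMPLE_LIST)
    print("unsupported lines:", unsupported)
    for n in ("click.redditmail.com", "www.reddit.com", "adblock-only.example.test"):
        print(n, "->", matches(n, domains, regexes))
```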

0xERR0R (Owner) commented Feb 1, 2022

@andryou Yes, you're right. Adblock format is not supported, only hosts file (or just domain list) or regex.
