Unbound.cmd

[spirillen]

It looks like Unbound don't understand that if you add a 3. or 4. lvl domain it should be blocking the 2. lvl domain :(

Here is an example

grep -Ri 'microsoft.com' /var/lib/unbound/
/var/lib/unbound/someonewhocares.db:local-zone: "amer.hops.glbdns.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "apprep.smartscreen.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "himicrosoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "microsoft.com-it2-dye1.premi-fedelta-degli-utenti.us." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "microsoft.com-msoft52.info." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "reports.wes.df.telemetry.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "settings-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "statsfe2.ws.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "v10.vortex-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "vortex-win.data.microsoft.com." always_nxdomain
/var/lib/unbound/someonewhocares.db:local-zone: "wes.df.telemetry.microsoft.com." always_nxdomain

Now let try a dig of microsoft.com

dig microsoft.com

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> +nocookie microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24260
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com.                 IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 12:15:41 CEST 2019
;; MSG SIZE  rcvd: 42

As shown unbound is not only blocking from tld.secondlelvel to fourth.level etc but also the other way from fourth to second level 😞 so the use of always_nxdomain value leads to unwanted issues.

Currently I have no idea how to solve this.....

[ScriptTiger]

I've reverted everything back to the old format since this is a pretty critical problem. Thanks for letting me know!

[ScriptTiger]

I was a bit hasty on this one and forgot to drop the subdomain pruning on the first commits, but just corrected that. Subdomains are not automatically blocked with the current redirect structure, right? I think we talked about that before, bust just making sure.

[spirillen]

No that shouldn't be a problem with the redirect, but you differently loose the huge benefits from the nxdomain in timeouts 😡

Will take this up with the guys writing unbound as is have a huge impact on my project....

[ScriptTiger]

Definitely let me know later what happens with this, if it gets resolved or if I can put it back, etc.

[ScriptTiger]

@spirillen, if you need to do testing with the old script to remove subdomains and make sure all parents are only listed once, etc., use this version:

https://github.com/ScriptTiger/Hosts-Conversions/tree/0d43f3fd4a30b9ee33922aede687cc09c90bc343

[ScriptTiger]

I just read your latest comment in the other thread, did you figure out the problem? Was it a problem with your config? Let me know if I can revert the commits back to before if they work.

[spirillen]

I most find a windows inst somewhere and make a virtual 😃

But have you an idea on how to apply whitelisted 9th. level domains?
https://gitlab.com/my-privacy-dns/rpz-dns-firewall-tools/unbound/issues/2

[ScriptTiger]

HowTo whitelist a 9th. lvl domain
If you have a record like

local-zone: "2o7.net" always_nxdomain
How do you best whitelist ex.

whitelist.this.3gupload.112.2o7.net

I don't use Unbound, but have you tried this?

local-zone: "whitelist.this.3gupload.112.2o7.net" redirect
local-data: "whitelist.this.3gupload.112.2o7.net A X.X.X.X"

X.X.X.X=IP of whitelist.this.3gupload.112.2o7.net

You can do an nslookup to find the IPs for whitelist.this.3gupload.112.2o7.net. If it has multiple IPs, you can make records for each like this:

local-zone: "whitelist.this.3gupload.112.2o7.net" redirect
local-data: "whitelist.this.3gupload.112.2o7.net A X.X.X.1"
local-data: "whitelist.this.3gupload.112.2o7.net A X.X.X.2"
local-data: "whitelist.this.3gupload.112.2o7.net A X.X.X.3"

If this is just for home use, you don't really need to list all of them. I usually just take the top one and use that.

[ScriptTiger]

If Unbound can do conditional forwarding so you can point "whitelist.this.3gupload.112.2o7.net" to use another name server, like 8.8.8.8 (Google DNS), that should work too. But, like I said, I am not too familiar with Unbound.

[ScriptTiger]

Every DNS software might handle precedence differently though, so a conditional forwarder might work if it takes precedence over a local-zone always_nxdomain record. But it may not, depending on the DNS software. So you'll have to play with those options to see which works best with Unbound.

[spirillen]

Funny just made a thought about that here 😆

[ScriptTiger]

You should do whatever Unbound recommends. I know DualServer, for instance, does not give conditional forwarders precedence over "wild hosts," wild card host entries you can use to block domains with certain keywords, etc., so it wouldn't work in that case. But if it works for Unbound in this case, it's a lot easier because you don't have to worry about managing the IPs.

[spirillen]

@ScriptTiger you are on windows, could you please try this setup with an unbound?

[ScriptTiger]

I will check it out next week, I'm heading out of town now for the next few days.

So always_nxdomain works, I can put everything back to the way it was before?

[spirillen]

Looks like it on my local test, and then we should be aware and maybe add a note in the top of the file that says how to whitelist a 7th level domain by

local-zone: "sub.lvl.example.net" transparent

But personally i would let it test on a windows installation first.... and leave it with the current rewrite

[ScriptTiger]

I just downloaded Unbound so I don't forget. The first thing I saw when I opened the archive is the file create_unbound_ad_servers.cmd that says this:

for /F "eol=; tokens=*" %%a in (%work_dir%\yoyo_ad_servers) do (
echo local-zone: %%a redirect>>%dst_dir%\unbound_ad_servers
echo local-data: "%%a A 127.0.0.1">>%dst_dir%\unbound_ad_servers
)

So it seems the developers of Unbound recommend this way.

[spirillen]

Or it's just some rather outdated ex. 😄

Well it is the recommended if you don't have a proper whitelist, but @mitchellkrogza have a nice whitelist for the drug addicted fb and google zombies

But according to this comment I see no issues in doing always_nxdomain

Local-zones should only be applied for matching domains and subdomains.

[ScriptTiger]

I'm reopening this issue to remind me to revisit it once again when I come back.

[spirillen]

Hi @ScriptTiger Just for information, You might have a look on this thread about memory usage in huge zone with a

local-zone: "example.com" redirect
local-data: "example.com A 0.0.0.0"

Versus

local-zone: "example.com" always_nxdomain