Unbound blocks the first server on the list and ignores the rest of the lines

Hi, I am running FreeBSD on the Raspberry Pi and have installed Unbound to filter the traffic. Here is my unbound.conf:
Code:
server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny
    aggressive-nsec: yes
    cache-max-ttl: 14400
    cache-min-ttl: 1200
    hide-identity: yes
    hide-version: yes

    do-daemonize: yes
    pidfile: "/var/run/unbound.pid"

    # blocklist files
    include: /usr/local/etc/unbound/blocklist/yoyo.conf
    use-syslog: yes
    verbosity: 3
    log-queries: yes

And here is my yoyo.conf:
Code:
server:

    local-zone: "1-1ads.com" redirect
    local-data: "1-1ads.com A 127.0.0.1"

    local-zone: "101com.com" redirect
    local-data: "101com.com A 127.0.0.1"

The issue is that when I run "drill 1-1ads.com" it returns NXDOMAIN, but when I try to drill 101com.com it doesn't return NXDOMAIN; it prints the IP address of the domain. I don't have any clue as to what is going on. I also tried adding the entries directly in unbound.conf, but that doesn't work either.
I have also tried
Code:
local-zone: "1-1ads.com" always_nxdomain
but this also blocks the first address, not the subsequent addresses. I tried adding a space between the lines, but that doesn't work. Any help would be appreciated. Thanks.
 
For blocking as local void zones, it looks like this here:
Code:
local-zone: "0.0.0.0" static
local-zone: "005.free-counter.co.uk" static
local-zone: "006.free-counter.co.uk" static
...and so on...
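As an added example (not code from this thread, from the yoyo list or from Unbound), here is a small Python generator that turns a hosts-format blocklist into an Unbound include file of the kind shown in the yoyo.conf and in the reply above. It lowercases names, strips trailing dots, drops the address column and the "0.0.0.0 0.0.0.0" entry most hosts lists start with, validates every label against hostname syntax so a malformed line is reported with its line number instead of being written out, deduplicates, and emits one local-zone line per name; for the redirect type it also emits the matching local-data line. The sample input is constructed.

```python
"""Turn a hosts-format blocklist into Unbound local-zone lines.

Added example for this thread: not code from the thread, from the yoyo list
or from Unbound. Input lines look like "0.0.0.0 ads.example.com",
"127.0.0.1 ads.example.com" or a bare "ads.example.com"; '#' starts a comment.
"""
import ipaddress
import re
import sys

# One DNS label: letters, digits and hyphens, 1 to 63 characters, no leading or
# trailing hyphen (RFC 1035 hostname syntax; RFC 1123 allows a leading digit).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
MAX_NAME_LEN = 253
# local-zone types this example knows how to emit (unbound.conf(5) lists more)
ZONE_TYPES = {"always_nxdomain", "static", "refuse", "redirect"}


def normalize_name(name: str) -> str:
    """Lowercase and drop a trailing dot so duplicates compare equal."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name: str) -> bool:
    """True if every label matches LABEL_RE and the whole name fits in 253 octets."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def names_from_hosts_line(line: str) -> list[str]:
    """Return the hostnames on one hosts-format line, comments stripped.

    Any token that parses as an IP address is skipped: the leading address
    column, and the "0.0.0.0 0.0.0.0" entry most lists carry, which is not a
    DNS name worth a local-zone.
    """
    line = line.split("#", 1)[0].strip()
    names = []
    for tok in line.split():
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            names.append(normalize_name(tok))
    return names


def generate_unbound_blocklist(text: str, zone_type: str = "always_nxdomain"):
    """Build the lines of an Unbound include file and a list of rejected inputs.

    Returns (config_lines, errors). Names are deduplicated so merged lists do
    not yield duplicate local-zone statements; a malformed name is reported
    with its line number instead of being written out.
    """
    if zone_type not in ZONE_TYPES:
        raise ValueError(f"unsupported local-zone type: {zone_type}")
    seen: set[str] = set()
    config = ["server:"]
    errors: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for name in names_from_hosts_line(raw):
            if not is_valid_hostname(name):
                errors.append(f"line {lineno}: invalid hostname {name!r}")
                continue
            if name in seen:
                continue
            seen.add(name)
            config.append(f'    local-zone: "{name}" {zone_type}')
            if zone_type == "redirect":
                # a redirect zone answers every name under it from this local-data
                config.append(f'    local-data: "{name} A 127.0.0.1"')
    return config, errors


if __name__ == "__main__":
    # Constructed sample; in practice read the downloaded hosts file instead.
    SAMPLE = """\
# constructed hosts-format input
0.0.0.0 0.0.0.0
0.0.0.0 101com.com
127.0.0.1 1-1ads.com   # comment after the entry
0.0.0.0 1234.com
bad_name.com
0.0.0.0 101COM.com.
"""
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    lines, errs = generate_unbound_blocklist(text, "always_nxdomain")
    print("\n".join(lines))
    for err in errs:
        print(err, file=sys.stderr)
```

Write the output to the include file, run unbound-checkconf against the main config, and only then restart or reload Unbound (service unbound restart or unbound-control reload on FreeBSD). The zone type is an argument so the same list can be emitted as static, as in the reply above, or as always_nxdomain.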
 
Thank you. I went through the documentation, which I should have done earlier. To block the site I had to put:
Code:
    local-data: "adserver.example.com A 127.0.0.1"
    local-data: "adserver1.example.com A 127.0.0.1"
    local-data: "adserver2.example.com A 127.0.0.1"
It blocks the site perfectly when I try the drill command on adserver.example.com.

After some more testing I found that any domain that starts with a number doesn't work with Unbound:
Code:
server:
    interface: 0.0.0.0

    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny


    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    verbosity: 1
    log-queries: yes
    log-replies: yes

    local-data: "adserver.example.com A 127.0.0.1"
    local-data: "adserver1.example.com A 127.0.0.1"
    local-data: "adserver2.example.com A 127.0.0.1"
    local-data: "k0408kodyvai9.pro A 127.0.0.1"
    local-data: "g041353e6dd.com A 127.0.0.1"
    local-data: "041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl A 127.0.0.1"
    local-data: "04215455.xyz A 127.0.0.1"
    local-data: "0427d7.se A 127.0.0.1"
    local-data: "045zov0vxv.zcyrek.com.pl A 127.0.0.1"
In the above sample adserver.example.com is blocked, and so are k0408kodyvai9.pro and g041353e6dd.com, but it stops working after 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl:
Code:
$> drill g041353e6dd.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27937
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 
;; QUESTION SECTION:
;; g041353e6dd.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
com.    900    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1700198534 1800 900 604800 86400


$> drill 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5108
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    IN    A

;; ANSWER SECTION:
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    300    IN    A    104.21.8.115
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    300    IN    A    172.67.188.115
 
Some more testing:

Code:
    local-zone: "adserver.example.com" always_nxdomain  # works
    local-zone: "adserver1.example.com" always_nxdomain   # works
    local-zone: "adserver2.example.com" always_nxdomain  # works
    local-zone: "adserver3.example.com" always_nxdomain  # works
    local-zone: "1-23a.com" always_nxdomain  # works
    local-zone: "1-23b.com" always_nxdomain  # works
    local-zone: "1f23b.com" always_nxdomain  # works
    local-zone: "1g23.com" always_nxdomain  # works
    local-zone: "1234.com" always_nxdomain  # doesn't work
    local-zone: "123a.com" always_nxdomain  # doesn't work
    local-zone: "12322.com" always_nxdomain  # doesn't work
    local-zone: "12g3.com" always_nxdomain  # doesn't work

In the above code, if a domain that doesn't work is encountered, the rest of the configuration is ignored.
In the above test the domains that don't work were tried individually but are aggregated here.
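An added example for the two testing posts above (it is not code from the thread, from drill or from Unbound): a small Python parser for drill output that says whether a reply came from the blocklist or from recursion. The point is what the AUTHORITY section tells you. Unbound puts an SOA into a negative answer from a local zone only when one is present as local-data for that zone (unbound.conf(5), local-zone static), so an NXDOMAIN that carries the public parent zone's SOA, like the "com." SOA from a.gtld-servers.net in the g041353e6dd.com reply above, was produced by recursion: the public .com zone is saying the name does not exist. A reply whose only answer for the queried name is a sinkhole address such as 127.0.0.1 is what a redirect zone with "local-data ... A 127.0.0.1" produces. A bare NXDOMAIN with no SOA is what always_nxdomain returns without a local SOA, but a forwarder can return that too, so it is consistent with a local block rather than proof of one. The first two sample replies are copied from the post above; the third is constructed (its id and TTL are arbitrary).

```python
"""Classify a drill reply: was the name blocked locally, or resolved upstream?

Added example for this thread, not code from the thread, from drill or from Unbound.
"""
import re
from dataclasses import dataclass, field

# Replies copied from the post above (whitespace as printed there).
UPSTREAM_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27937
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; g041353e6dd.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
com.    900    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1700198534 1800 900 604800 86400
"""
UPSTREAM_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5108
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    IN    A

;; ANSWER SECTION:
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    300    IN    A    104.21.8.115
041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl.    300    IN    A    172.67.188.115
"""
# Constructed: the shape of the reply a redirect zone with local-data A 127.0.0.1
# gives for a name under it (id and TTL are arbitrary).
REDIRECT_BLOCK = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 101com.com.    IN    A

;; ANSWER SECTION:
101com.com.    3600    IN    A    127.0.0.1
"""

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


@dataclass
class Reply:
    rcode: str = ""
    flags: set = field(default_factory=set)
    qname: str = ""
    answer: list = field(default_factory=list)     # (owner, rrtype, [rdata tokens])
    authority: list = field(default_factory=list)


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_drill(text: str) -> Reply:
    """Pull rcode, flags, question name and ANSWER/AUTHORITY records out of drill output."""
    reply, section = Reply(), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            reply.rcode = re.search(r"rcode: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            reply.flags = set(line.split(":", 1)[1].split(";", 1)[0].split())
        elif line.endswith("SECTION:"):
            section = line[3:].split()[0].lower()    # question/answer/authority/additional
        elif section == "question":
            reply.qname = _norm(line.lstrip("; ").split()[0])
        elif section in ("answer", "authority") and not line.startswith(";"):
            owner, _ttl, _class, rrtype, *rdata = line.split()
            getattr(reply, section).append((_norm(owner), rrtype, rdata))
    return reply


def classify(reply: Reply) -> str:
    """Tag where the reply came from.

    blocked-redirect      only sinkhole addresses for the queried name
    upstream-nxdomain:Z   NXDOMAIN carrying zone Z's SOA: recursion reached the
                          public zone, which says the name does not exist
    bare-nxdomain         NXDOMAIN with no SOA: consistent with always_nxdomain
                          (a forwarder can return this too)
    upstream-answer       real addresses came back: not blocked
    """
    addrs = [r[2][0] for r in reply.answer if r[0] == reply.qname and r[1] in ("A", "AAAA")]
    if addrs and all(a in SINKHOLE_ADDRS for a in addrs):
        return "blocked-redirect"
    if reply.rcode == "NXDOMAIN":
        for owner, rrtype, _ in reply.authority:
            if rrtype == "SOA" and (reply.qname == owner or reply.qname.endswith("." + owner)):
                return f"upstream-nxdomain:{owner}"
        return "bare-nxdomain"
    return "upstream-answer" if addrs else "other"


if __name__ == "__main__":
    for label, text in (("g041353e6dd.com", UPSTREAM_NXDOMAIN),
                        ("...nitospax.pl", UPSTREAM_ANSWER),
                        ("101com.com (constructed)", REDIRECT_BLOCK)):
        print(f"{label:<28} {classify(parse_drill(text))}")
```

Run it on the output of drill for each name you believe is blocked; anything tagged upstream-nxdomain or upstream-answer was resolved by recursion, which tells you the local zone for that name was not consulted.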
 