@aweidner said in [TLD blacklist, exclusion and whitelist]
For a new-to-pfblockerng-person like me this sounds unnecessary unintuitive. If there is a blacklist, why can't i use the whitelist in the same realm?
Unbound mode is the original/first generation of DNSBL. It relies on Unbound local-zone and local-data entries to block domains.
TLDR;
Unbound Mode is too restrictive in wildcard blocking. Unbound Python mode (the next generation of DNSBL) doesn't use Unbound's local-zone/local-data entries, and removes all these types of restrictions. Therefore, you can use the DNSBL Whitelist feature with Python mode in this circumstance.
Existing pfBlockerNG DNSBL Unbound mode:
In this mode, entries are added to Unbound with an include file located at:
/var/unbound/pfb_dnsbl.conf
For each single domain to be blocked, a local-data entry is added:
local-data: "example.com A 10.10.10.1"
Any DNS request for example.com would be sinkholed to 10.10.10.1 where the DNSBL Webserver will respond to that request.
If the TLD Wildcard blocking option is enabled, entries will be added to Wildcard block domains:
local-zone: "xyz" "transparent"
local-data: "example.xyz 60 IN A 10.10.10.1"
local-data: "example2.xyz 60 IN A 10.10.10.1"
For each TLD (ie: xyz), a transparent zone is created, and any xyz domains that need to be wildcard blocked are added to the associated transparent zone entry with local-data entries.
When users want to Wildcard block a whole TLD, TLDs would be added to the TLD Blacklist with a local-zone redirect entry:
local-zone: "ru" redirect local-data: "ru 60 IN A 10.10.10.1"
If "ru" is wilcard blocked, and a user wants to allow a specific ru domain to be allowed, domains can be added to the
TLD Whitelist. The entries in Unbound will use a local-zone static entry to block all domains except for domains that are
explicitly defined with a local-date entry;
local-zone: "ru" "static"
local-data: "ramblr.ru A 31.31.205.163"
