Bypassing DNSBL for specific IPs
Ns8h last edited by
Not sure if this has been posted before but just figured out views are possible in Unbound 1.6 and can be used for bypassing DNSBL zones for specific IPs/ranges.
To do this you need to add some stuff to the custom unbound options:
server: access-control-view: 192.168.0.2/32 bypass access-control-view: 192.168.0.0/24 dnsbl view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
Host 192.168.0.2 is able to bypass all pfBlockerNG inserted DNSBL zones but is able to resolve other local zones e.g. DHCP added zones. Everything else on the 192.168.0.0/24 subnet gets blocked as normal through DNSBL.
Would be neat for pfBlockerNG to be able to create multiple conf files so that different views could utilize different sets of block lists.
P.s. not sure if the multiple Zones are actually necessary - Unbound experts let me know if this can be improved ;) Also, documentation for "view-first" seems quite confusing. How I understand it is that if left in the default state "no" none of the "global" local zones are respected and only zones configured in the view are used.
mifronte last edited by
Thanks. If this works, I can turn DNSBL back on and exclude the one host. Kudos to you.
I seem to can't get it to work. When I added the custom commands to DNS Resolver (modified for my networks) DNSBL does not block ads.
I will have to read up on the unbound custom views.
sparkman123 last edited by
The OP's suggested config works for me. I melded it with Cloudflare's recent DNS-over-TLS commands as well to have a more robust configuration.
In case anyone's interested, here are my commands:
server: access-control-view: <excluded dnsbl="" subnet="">bypass access-control-view: <included dnsbl="" subnet="">dnsbl ssl-upstream: yes do-tcp: yes minimal-responses: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes forward-zone: name: "." # Below 4 addresses are Cloudflare DNS forward-addr: 126.96.36.199@853 forward-addr: 188.8.131.52@853 view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf</included></excluded>
mifronte last edited by
This method is just not working for me :( I am trying to block all except host 10.168.2.157, but as soon as I add the configuration to the DNS Resolver custom options, DNSBL stops working although it is still running without errors. I get no more DNSBL alerts and ads shows up on all my hosts.
Here is my DNS Resolver (unbound) custom options:
server: access-control-view: 10.168.2.157/32 bypass access-control-view: 10.168.0.0/16 dnsbl do-tcp: yes minimal-responses: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes view: name: "bypass" view-first: yes view: name: "dnsbl" view-first: yes include: /var/unbound/pfb_dnsbl.*conf
horse2370 last edited by
Revisiting this thread as I needed to exclude my Roku devices on my network as they need to reach ad sites for the news feeds to work. (sucks) Getting it to work has raised some questions that maybe others can chime in on and maybe my configuration / findings may help others.
I am using Cloudflares DNS over TLS hence the forward-zone configuration. In addition I run a Plex server at home and need to define the private-domain to allow internal resolution to a private IP address.
I have three Roku devices that use the "bypass" view
Everything else on my three network segments uses DNSBL to block ads.
I have native IPv6 and hence need to add access control as some hosts use IPv6 for DNS transport.
There are a number of host overrides configured to resolve private IP addresses and hidden hosts from the internal Intranet and not use the public IP addresses resolved by my external NS.
Example of my custom options: -
server: private-domain: "plex.direct" access-control-view: 192.168.1.51/32 bypass access-control-view: 192.168.1.61/32 bypass access-control-view: 192.168.1.83/32 bypass access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl access-control-view: 192.168.1.0/24 dnsbl access-control-view: 192.168.2.0/24 dnsbl access-control-view: 192.168.3.0/24 dnsbl rrset-roundrobin: yes forward-zone: name: "." forward-ssl-upstream: yes # Cloudflare DNS forward-addr: 184.108.40.206@853 forward-addr: 220.127.116.11@853 forward-addr: 2606:4700:4700::1111@853 forward-addr: 2606:4700:4700::1001@853 view: name: "bypass" view-first: yes #include: /var/unbound/host_entries.conf view: name: "dnsbl" view-first: yes include: /var/unbound/host_entries.conf include: /var/unbound/pfb_dnsbl.*conf
What I have found is if I use a 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked?
Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work.
The dnsbl view needed to have include: /var/unbound/host_entries.conf otherwise the host overrides did not resolve. For some reason however that was not required for the bypass view, which seems to operate quite happily without the include: hence it is commented out. Not what I expected.
I also, had a number of issues, that I did not continue confirming exactly the behavior, when trying to format for readability the custom options by indenting some lines using spaces. This caused it to fail. so no leading spaces on any line. :-)
unbound "view" is not very well documented, but does provide some potential for client specific workarounds that I've needed every now and then. Debug seems limited in the log files regarding matching of access-control-view and which view is being used. Maybe I had too much verbosity enabled and message were deep and I missed them?
With multiple hosts for testing and having dig/nslookup forced to use IPv4 or IPv6 I was able to finally reproduce what I believe is a working config. Albeit with some configuration options that I don't fully understand why they work how they do. Will see how it goes . . . .
If anyone can comment on the subnet masks and the include: