DNS Resolver
-
Well, I added a bit of info to https://doc.pfsense.org/index.php/Unbound_DNS_Resolver about it. If I can find more info on the reason for that, I will be happy to update the wiki.
-
If I can find more info on the reason for that
https://www.unbound.net/documentation/unbound.conf.html
Afraid unless someone's willing to recode the pfSense code per the manpage to stick various advanced options to respective clauses as required, people will have to specify that themselves.
-
Wow - I have been putting things in "advanced" and anything in there caused unbound to not come up. I just thought there was something wrong with what I was doing. Just tried adding "server:" and it worked!!
-
I think this should be presented as a bold red hint in the GUI. Not just the wiki. Apparently people have no idea how's this supposed to work. Worth a bug IMO.
-
I've found that I had to use the "server:" by accident. I'm using this to block dns from ads and spyware. Just make a file and put it at /conf folder to survive updates. Then, use this syntax:
server:
include: /conf/local-blocking-data.conf
include: ………
….and it works. Free ad internet.
the file itself is in this format:
local-data: "000freexxx.com A 0.0.0.0"
local-data: "004.frnl.de A 0.0.0.0"
local-data: "01sexe.com A 0.0.0.0"
local-data: "01viral.com A 0.0.0.0"
local-data: "039068a.dialer-select.com A 0.0.0.0"
local-data: "0427d7.se A 0.0.0.0"
local-data: "0702.de A 0.0.0.0"
……I use a script to generate it from various sources like http://pgl.yoyo.org/adservers/ or https://github.com/jodrell/unbound-block-hosts.
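The post above mentions generating the include file with a script but does not show one. As an added example (not the poster's script and not pfSense code), this Python sketch converts hosts-format feed text into the `local-data:` lines shown above and drops any entry that is not a plain hostname, so feed content cannot carry quotes or extra directives into the Unbound configuration. The function names and the sample feed are constructed for illustration.

```python
import re

# Constructed sample of a hosts-format feed (not real feed content).
SAMPLE_FEED = """\
# comment line
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0 Tracker.Example.NET  # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad"name.example
0.0.0.0 evil.example" A 1.2.3.4
127.0.0.1 -leading.example
garbage
"""

# One DNS label: starts and ends alphanumeric, at most 63 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9_-]{0,61}[a-z0-9])?"
# At least two labels, so bare names such as "localhost" never match.
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_SKIP = {"localhost.localdomain"}


def parse_hosts(text):
    """Return sorted, de-duplicated hostnames from hosts-format text.

    Only lines of exactly "<address> <name>" are accepted (stricter than
    the hosts format, which allows aliases), and the name must be a plain
    hostname; everything else is silently dropped.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        name = fields[1].lower().rstrip(".")
        if name in _SKIP or len(name) > 253:
            continue
        if _HOSTNAME.match(name):
            names.add(name)
    return sorted(names)


def to_local_data(names, sink="0.0.0.0"):
    """Render names in the include-file format used in this thread."""
    return "".join(f'local-data: "{n} A {sink}"\n' for n in names)


if __name__ == "__main__":
    print(to_local_data(parse_hosts(SAMPLE_FEED)), end="")
```

Write the output to a file under /conf and reference it with `include:` after a `server:` line in the advanced box, as described in the post above.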
-
But there seems to be something wrong. If I use advanced options, I can't use "Register DHCP leases in the DNS Resolver" enabled. Although it works fine.
-
Yeah I see this
Below is a minimal config file. The source distribution contains an
extensive example.conf file with all the options.
# unbound.conf(5) config file for unbound(8).
server:
directory: "/etc/unbound"
But I assume the stuff in this box is for the server, so didn't think would have to add that, etc. Be nice to be able to use the include: directive as well to load a specific file with say host overrides in it, etc. But can not seem to be able to figure out how to get include: to work using this advanced box?
from your unbound doc link
Files can be included using the include: directive. It can appear any-
where, it accepts a single file name as argument. Processing continues
as if the text from the included file was copied into the config file
at that point.
If that would work - that would be pretty slick ;)
the only notes on the advanced box are
"Enter any additional configuration parameters to add to the DNS Resolver configuration here, separated by a newline"
-
include: works, already used by default
$ grep include: /var/unbound/unbound.conf
include: /var/unbound/access_lists.conf
include: /var/unbound/host_entries.conf
include: /var/unbound/dhcpleases_entries.conf
include: /var/unbound/domainoverrides.conf
include: /var/unbound/remotecontrol.conf
Though, the issue is… if you create something there outside of pfS awareness, the files will vanish sooner or later, at least on nanobsd.
-
I think I've answered both of you in my previous post. I think we're talking about the same.
-
Oh so you need to have .conf on the end of it?
-
I've made a file to put in /conf folder and inside the file I've put:
local-data: "000freexxx.com A 0.0.0.0"
local-data: "004.frnl.de A 0.0.0.0"
local-data: "01sexe.com A 0.0.0.0"
local-data: "01viral.com A 0.0.0.0"
local-data: "039068a.dialer-select.com A 0.0.0.0"
local-data: "0427d7.se A 0.0.0.0"
local-data: "0702.de A 0.0.0.0"
etc…
Save file as something.conf and it works.
-
yeah that is exactly what others were looking for! Thanks!
-
include: works, already used by default
$ grep include: /var/unbound/unbound.conf
include: /var/unbound/access_lists.conf
include: /var/unbound/host_entries.conf
include: /var/unbound/dhcpleases_entries.conf
include: /var/unbound/domainoverrides.conf
include: /var/unbound/remotecontrol.conf
Though, the issue is… if you create something there outside of pfS awareness, the files will vanish sooner or later, at least on nanobsd.
Open a bug ('feature request'), and maybe this can be addressed in a 2.2.1 or 2.3.
Jim
-
Seriously, I think all that's needed now is to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
-
@johnpoz has made a note of it at https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Configuration - it can always be revisited for 2.2.1 or whatever in the future. Too late now.
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
local-data: "click01.aditic.net A 10.10.10.1"
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
Ever tried to put hundreds/thousands entries in there (like, ad blocking)? :D
-
Exactly. I have 70.000+ domains excluded.
-
Seriously, I think all that's needed now is to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
Naw, we should make sure that feeds for this are bundled in pfSense Gold!