DNS Resolver
-
Wow - I have been putting things in "advanced" and anything in there caused unbound to not come up. I just thought there was something wrong with what I was doing. Just tried adding 'server:" and it worked!!
-
I think this should be presented as a bold red hint in the GUI. Not just the wiki. Apparently people have no idea how's this supposed to work. Worth a bug IMO.
-
I've found that I had to use the "server:" by accident. I'm using this to block dns from ads and spyware. Just make a file and put it at /conf folder to survive updates. Then, use this syntax:
server:
include: /conf/local-blocking-data.conf
include: ………
….and it works. Free ad internet.
the file itself is in this format:
local-data: "000freexxx.com A 0.0.0.0"
local-data: "004.frnl.de A 0.0.0.0"
local-data: "01sexe.com A 0.0.0.0"
local-data: "01viral.com A 0.0.0.0"
local-data: "039068a.dialer-select.com A 0.0.0.0"
local-data: "0427d7.se A 0.0.0.0"
local-data: "0702.de A 0.0.0.0"
……I use a script to generate it from varius sources like http://pgl.yoyo.org/adservers/ or https://github.com/jodrell/unbound-block-hosts.
-
But there seems to be something wrong. If I use advanced options, I can't use "Register DHCP leases in the DNS Resolver" enabled. Although it works fine.
-
Yeah I see this
Below is a minimal config file. The source distribution contains an
extensive example.conf file with all the options.# unbound.conf(5) config file for unbound(8).
server:
directory: "/etc/unbound"But I assume the stuff in this box is for the server, so didn't think would have to add that, etc. Be nice to be able to use the include: directive as well to load a specific file with say host over rides in it, etc. But can not seem to be able to figure out how to get include: to work using this advanced box?
from your unbound doc link
Files can be included using the include: directive. It can appear any-
where, it accepts a single file name as argument. Processing continues
as if the text from the included file was copied into the config file
at that point.If that would work - that would be pretty slick ;)
the only notes on the advanced box are
"Enter any additional configuration parameters to add to the DNS Resolver configuration here, separated by a newline" -
include: works, already used by default
$ grep include: /var/unbound/unbound.conf include: /var/unbound/access_lists.conf include: /var/unbound/host_entries.conf include: /var/unbound/dhcpleases_entries.conf include: /var/unbound/domainoverrides.conf include: /var/unbound/remotecontrol.confThough, the issue is… if you create something there outside of pfS awareness, the files will vanish sooner or later, at least on nanobsd.
-
I think I've answered both of you in my previous post. I think we're talking about the same.
-
Oh so you need to have .conf on the end of it?
-
I've made a file to put in /conf folder and inside the file I've put:
local-data: "000freexxx.com A 0.0.0.0"
local-data: "004.frnl.de A 0.0.0.0"
local-data: "01sexe.com A 0.0.0.0"
local-data: "01viral.com A 0.0.0.0"
local-data: "039068a.dialer-select.com A 0.0.0.0"
local-data: "0427d7.se A 0.0.0.0"
local-data: "0702.de A 0.0.0.0"
etc…Save file as something.conf and it works.
-
yeah that is exactly what others were looking for! Thanks!
-
include: works, already used by default
$ grep include: /var/unbound/unbound.conf include: /var/unbound/access_lists.conf include: /var/unbound/host_entries.conf include: /var/unbound/dhcpleases_entries.conf include: /var/unbound/domainoverrides.conf include: /var/unbound/remotecontrol.confThough, the issue is… if you create something there outside of pfS awareness, the files will vanish sooner or later, at least on nanobsd.
Open a bug ('feature request'), and maybe this can be addressed in a 2.2.1 or 2.3.
Jim
-
Seriously, I think all that's needed now it to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
-
@johnpoz has made a note of it at https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Configuration - it can always be revisited for 2.2.1 or whatever in the future. To late now.
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
local-data: "click01.aditic.net A 10.10.10.1"
-
What is the advantage of putting this in the "Advanced" section instead of the "Host Overrides" section?
Ever tried to put hundreds/thousands entries in there (like, ad blocking)? :D
-
Exactly. I have 70.000+ domains excluded.
-
Seriously, I think all that's needed now it to tell people to prefix their advanced configuration with a proper clause (with a wiki/manpage link or whatever.) Prevents invalid bugs as well. (Persistent includes could be done right now via one of the file manager packages that store the files in config.xml, I guess.)
Naw, we should make sure that feeds for this are bundled in pfSense Gold!
-
I have already added DNSBL to pfBlockerNG… I have been testing this with a few Testers for a couple weeks now... I think its best to use Unbound Resolver, but its not too difficult to format the lists for DNSMasq.
pfBlockerNG already has a download list scheduler so it was easy to add this functionality. I have added Domain parsers for the following lists so far:
- yoyo
- HPHosts
- Adaway
- Malware Domains
- Someonewhocares
- WinHelp
- Malware Domain Lists
8 ) Phishtank (these are converted from URLs… so they can cause some FPs) - Emerging Threats IQRisk Domain list
- Dshield
- Bambenek GOZ
- Squid Blacklists
The domains are placed into a single list for Unbound Resolver (about 2 million malicious domains and Advert Domain).
local-data: "googlesyndication.com A 10.10.10.1"
A NAT rule on the LAN interface will forward 10.10.10.1:80 to 127.0.01:8081. Which is a new Lighttpd Web server service on the pfSense Box (VIP and NAT are customizable) … For http requests it will load the index.php file and record the event and update the widget counter. Still working on improving https alerts and trying not to do any MITM. Currently a "1x1" Gif is sent to fill the Browsers Advert space..
Unbound can also load a python script which would simplify some of this process where the script could record the Rejected Request. Other improvements could be ACL to customize the Domain Blocking as currently it will block for any DNS Request. I don't think that Unbound is currently compiled with python script ability.
Sample Logfile -
DNSBL Reject,Jan 9 22:42:16,b.scorecardresearch.com,xx.xx.xx.xx,/b?c1=1&c2=1000009&c3=Thomson%20Reuters%20LLC&c4=5Min_unknown_AOL&c5=040800&c6=News/General%20News
Here are some Screenshots of DNSBL in pfBlockerNG…
My Pull Request for pfBlockerNG v1.0 has been merged but is waiting for final review.
I hope to have the bugs worked out for DNSBL fairly soon and I will release this in v2.0
-
I know this is the Unbound Resolver thread but I wanted to chime in and say it would be really nice to get pfBlockerNG through the review process and into the packages repo. I have been one of the testers and 1) it's solid and 2) it adds a great deal of security functionality. Now that 2.2 is nearing release maybe that can happen - fingers crossed.
-
I know this is the Unbound Resolver thread but I wanted to chime in and say it would be really nice to get pfBlockerNG through the review process and into the packages repo. I have been one of the testers and 1) it's solid and 2) it adds a great deal of security functionality. Now that 2.22 is nearing release maybe that can happen - fingers crossed.
+1 to this, have enjoyed watching the progression bbcan177 has made
