Unbound: excessive private-address entries. #3692

Closed
daemongloom opened this issue Sep 3, 2019 · 15 comments
Labels
support Community support

Comments

@daemongloom

Currently Unbound in OPNsense does not allow querying spamhaus/spamcop (and other) DNSBLs. That's because of the entry 'private-address: 127.0.0.0/8' that was added at fd00370
That was a paranoid solution from https://forum.opnsense.org/index.php?topic=1416.0 that breaks RFC and its effect is noted in the unbound.conf(5) man page.
Section "private-address: " clearly states:

> Turning on 127.0.0.0/8 would hinder many spam- blocklists as they use that.

That problem was raised a few times but no answer from developers was given. ( https://forum.opnsense.org/index.php?topic=9633.0 and #1783 )

Is it possible to remove that entry from the configuration or add a way to override those entries completely? Manually editing the configuration on each update is not a good way to allow DNSBL requests.

@fichtner fichtner added the support Community support label Sep 3, 2019
@fichtner
Member

fichtner commented Sep 3, 2019

I'm not sure how paranoid it is if multiple projects are doing it independently: pfsense/pfsense@afeb18ff0ec https://redmine.pfsense.org/issues/9708 even if it takes a while to land in other projects.

You can use Dnscrypt-proxy or Bind to do the filtering, see https://docs.opnsense.org/manual/how-tos/dnscrypt-proxy.html and https://docs.opnsense.org/manual/how-tos/bind.html and both explicitly work fine with Unbound.

Cheers,
Franco

@daemongloom
Author

That's a recent commit for pfsense and they will discover that problem soon.
There should be a toggle in settings for entries that could cause such problems.

@fichtner
Member

fichtner commented Sep 3, 2019

Is there anything else we can help you with? I'm unsure what to do, because we're not simply removing a line that was put in for a reason without a proper replacement strategy.

@daemongloom
Author

There is no way to do that without removing a line or adding a toggle for the administrator to disable that check.
I'll just switch to another dns server in that case.

@fichtner
Member

fichtner commented Sep 3, 2019

Ok. I've mentioned "proper replacement strategy" here to indicate that nothing is set in stone, but a toggle doesn't look very useful. It's not a fix, it's at best a workaround with real world security implications.

@mimugmail wants to build an adblocker into unbound via plugin so I guess that would be a better course of action in the midterm.

@fichtner fichtner closed this as completed Sep 3, 2019
@daemongloom
Author

daemongloom commented Sep 3, 2019

> @mimugmail wants to build an adblocker into unbound via plugin so I guess that would be a better course of action in the midterm.

That's not a solution. Not even a workaround.
Spamhaus, spamcop and other DNSBLs that people use in the mentioned threads are used for mail antispam protection by Microsoft Exchange's antispam, rspamd and other antispam filters. That is not similar to DNS adblockers.

@mimugmail
Member

> That's not a solution. Not even a workaround.
> Spamhaus, spamcop and other DNSBLs that people use in the mentioned threads are used for mail antispam protection by Microsoft Exchange's antispam, rspamd and other antispam filters.

I thought I had rspamd successfully running against spamcop with Unbound ... did you really check this or did you just copy from the man page?

@daemongloom
Author

I've checked it. With default settings I get "No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 2.0.0.127.zen.spamhaus.org" on test requests. It returns correct 127.0.0.x addresses with correct settings.
Can you check that your rspamd uses Unbound as resolver?

@daemongloom
Author

I've checked it again. The only line I changed in the config is 'private-address: 127.0.0.0/8'. The first request was done with default settings, the second with the line commented out. I've replaced my domain name with DOMAIN.TLD.

```
> 2.0.0.127.zen.spamhaus.org
 Server: routersrv.DOMAIN.TLD
 Address: 192.168.127.1
 *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 2.0.0.127.zen.spamhaus.org
> 2.0.0.127.zen.spamhaus.org
 Server: routersrv.DOMAIN.TLD
 Address: 192.168.127.1
 Non-authoritative answer:
 Name: 2.0.0.127.zen.spamhaus.org
 Addresses: 127.0.0.2 127.0.0.10 127.0.0.4
```

@ruffy91

ruffy91 commented Sep 18, 2019

A possible solution would be to add an editable list of domains which are allowed DNS rebinding.
The administrator could then just add the DNSBL domains which are used to this list.
This can be implemented by adding private-domain entries for the domains on this list.
@fichtner Would this be a proper replacement strategy?

@mimugmail
Member

@ruffy91 what would this look like in the unbound config?

@ruffy91

ruffy91 commented Sep 18, 2019

From https://nlnetlabs.nl/documentation/unbound/unbound.conf/:

> private-domain:
> Allow this domain, and all its subdomains to contain private
> addresses. Give multiple times to allow multiple domain names
> to contain private addresses. Default is none.

example:

```
server:
private-domain: sbl.spamhaus.org
private-domain: xbl.spamhaus.org
private-domain: bl.spamcop.net
```

This allows sbl.spamhaus.org, xbl.spamhaus.org and bl.spamcop.net and all their subdomains (= DNSBL queries) to return private IPs.

@mimugmail
Member

Did you try to set this in custom config?

@daemongloom
Author

> Did you try to set this in custom config?

Yes, mail blocklists work after adding the following lines to the custom options field in the OPNsense Unbound settings. The first line is required.

```
server:
private-domain: sbl.spamhaus.org
private-domain: xbl.spamhaus.org
private-domain: zen.spamhaus.org
private-domain: bl.spamcop.net
```
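To make the interaction between `private-address` and `private-domain` concrete, here is an added Python model of the rebinding-protection decision (example code written for this page, not OPNsense's or Unbound's own implementation). It parses the two option types from unbound.conf-style text, builds the reversed-octet DNSBL query name seen in the nslookup output above, and reports whether a given A answer would be dropped; the RFC 1918 lines in the default fragment are an assumption standing in for the rest of the OPNsense template, which the thread does not quote.

```python
import ipaddress

# Constructed sample of the default rebinding protection discussed above;
# only the 127.0.0.0/8 line is quoted on the page, the others are assumed.
DEFAULT_OPTIONS = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 127.0.0.0/8
"""

# The custom-options fragment reported as working in the thread.
CUSTOM_OPTIONS = """
server:
    private-domain: sbl.spamhaus.org
    private-domain: xbl.spamhaus.org
    private-domain: zen.spamhaus.org
    private-domain: bl.spamcop.net
"""


def parse_unbound_options(text):
    """Collect private-address networks and private-domain names; the
    'server:' header, comments and any other options are ignored."""
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "private-address" and value:
            networks.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain" and value:
            domains.append(value.rstrip(".").lower())
    return networks, domains


def dnsbl_query_name(ip, zone):
    """Reverse the octets of a client IP and append the DNSBL zone, e.g.
    127.0.0.2 + zen.spamhaus.org -> 2.0.0.127.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def answer_allowed(qname, answer_ip, networks, domains):
    """Private answers are dropped unless qname is at or under a private-domain;
    public answers always pass."""
    addr = ipaddress.ip_address(answer_ip)
    if not any(addr in net for net in networks):
        return True
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)
```

Run with only `DEFAULT_OPTIONS` the spamhaus answer is dropped (the "No internal type" failure above); appending `CUSTOM_OPTIONS` lets it through while an unrelated name answering with 192.168.127.1 is still blocked.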

@mimugmail
Member

OK, will add this feature to unbound-plus plugin. :)
