Unbound - Blocklist.site URLs No Longer Working - OPNsense Unable to Download DNSBL Lists from Blocklist.site #6514
Comments
Sorry - closing. Must have been a once off issue. |
Hi @fichtner , I am wondering if the issue described above is what I recently commented on in the following post? https://forum.opnsense.org/index.php?topic=32052.msg162636#msg162636 If so, should I open up a new issue, or would you like to use this existing one? Thank you. |
if it's about |
Thank you @AdSchellevis for your quick response. It is indeed quite possible it is DNS-related, but not necessarily due to upstream DNS server issue. I am going to post what I mentioned in the forum here in case it helps (as I have some thoughts on what could possibly be going on listed): "I too have experienced this issue in more recent versions. Unfortunately I am unable to say when I started noticing the change, but here is some information in case it helps determine what could be going on...
Notice unbound blocklist: https://adaway.org/hosts.txt (exclude: 0 block: 0)
Notice unbound blocklist parsing done in 0.58 seconds (7355 records)
NOTE: Even though the data seems to be retrieved, it appears it is not active until I then restart the service* (e.g. restart service button on Blocklist page).
*It also seems as though I need to go through the disable/enable steps then restart service an additional time to have everything fully work. I am not sure if it is always just one time, but I do know that doing the entire process once does not usually get everything working.
DNS config information that may be of interest:
If it is not a setting issue, I am wondering if perhaps the following may relate to what I am seeing:
I hope the above is helpful." Thank you |
@Chaskel likely a problem with settings, best investigate local dns access first, check if other hosts are accessible. In case anything goes wrong on Unbounds end, I would expect you can find more information in its log. |
Thank you @AdSchellevis . Both the unsuccessful (system boot) and successful (manually initiated post-boot) log entries I referenced in my last post are actually from the Unbound log file. In both of my OPNsense locations I see local DNS from clients work as well as from the OPNsense Interfaces: Diagnostics: DNS Lookup tool. As the issue appears to happen only at boot each time at both of my OPNsense locations, that is what makes me wonder if a dependent process may not be fully starting before Unbound blocklist-related processes are starting up. Is there any possibility that in a configuration like I have where Unbound DNS over TLS is used (or maybe even DNSSEC that I reference having enabled), that those name resolution services are not fully up and running yet when the blocklist-related processes start up? Thank you |
@Chaskel so dns works on boot, but only not from the local machine at that time? The resolve error is only recorded after boot and a manual download works without issues? (you can trigger this using |
@AdSchellevis as far as I am aware, I am not having any issues with clients relating to DNS. What made me realize something was not working correctly is when web browsing clients started getting advertisements (which led me to check out the Unbound logs and discover the name resolution issue). DNS appears to work for everything except for the Unbound blocklist download process at boot, and yes manual download works, however please note the specifics I previously referenced that after manual download (which I have been using the GUI steps I mentioned), I have to do several steps (and some more than once), to have the actual blocklist start working for the web browsing clients. Thank you |
@Chaskel can you remove |
Sure @AdSchellevis I can do that. I will need to do a little later as in the last few minutes I had to put a whitelist domain entry in for my family to be able to do some work-related items. I will provide you with an update once I am able to reboot. Do you think it is worth you reopening this Github issue for now? |
@Chaskel if this is the issue, better open a new ticket. I expect it would be better if the previous downloaded data will be used on boot, but that's something we can discuss when there's an issue with a clear cause. |
@AdSchellevis I removed the file. I'm listing what I did in case the order, or method used could change outcome:
Would you like me to do anything else, and if not, should I create 2 issues (one for the boot issue and another for the manual load issue - and what you recommend I title the issue(s))? @daygle , in case you want to see if the problem you created this particular Github issue for does show back up if you reboot, feel free to share. Thank you |
Oh wow! I woke up this morning and many emails with messages for this issue - wasn't expecting this many replies for my closed case. @AdSchellevis So are you saying you think that I will receive the error again after a reboot of OPNsense? |
@AdSchellevis I suspect that my issue was caused because I made the below change, but not sure? https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/ |
Hi @daygle , it is more of a question of curiosity on my part to see if you see the same behavior on reboot. |
@AdSchellevis in addition to my last questions for you on if you would like me to try anything else as well as what your recommendation is for creating 1 or 2 new Github issues (and what to title them for you), I wanted to provide the following update. Just now I reverted the change you had me do earlier today (remove file) and I observed a message I thought I had seen once before prior to me escalating this issue (but I did not have a copy of the exact message from the first time I saw it). I am not sure why this particular message sometimes randomly appears during restart instead of the usual "[Errno 8] Name does not resolve" we have been discussing:
2023-04-23T19:06:35-07:00 | Notice | unbound | blocklist: https://adaway.org/hosts.txt (exclude: 0 block: 0) |
Current listing for the directory:
Contents of 85-dnsbl: /usr/local/sbin/configctl -dq unbound dnsbl
Just like the one time I saw that error before, a following reboot did not show the same:
2023-04-23T19:21:34-07:00 | Notice | unbound | blocklist: https://adaway.org/hosts.txt (exclude: 0 block: 0) |
Thank you, and I hope this additional information is possibly helpful. |
If removing the file makes sure the name resolve doesn't happen on boot, just open a ticket for that. I can think of multiple reasons why other configuration issues may lead to not being able to access the resource, but that really lies outside of community support scope. Let's try to keep this simple and focused to the issue at hand, my time is rather limited. |
Hi @AdSchellevis , I greatly appreciate your time and support. Issue 6523 has now been created for this. |
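The symptom in this thread was only noticed once clients began seeing advertisements, so a check over the Unbound log that flags a degraded blocklist update is useful. The following is an added example, not part of the thread and not OPNsense code: it groups log lines into update runs and flags any run with an unresolved source or zero records. The sample log is constructed, and the layout of its "Error" line is an assumption (only the "[Errno 8] Name does not resolve" text comes from the report).

```python
import re

# Constructed sample in the "timestamp | severity | process | message |" layout
# quoted in the thread. The Error line's wording is an assumed layout.
SAMPLE_LOG = """\
2023-04-23T19:06:30-07:00 | Error | unbound | blocklist download failed for https://adaway.org/hosts.txt: [Errno 8] Name does not resolve |
2023-04-23T19:06:35-07:00 | Notice | unbound | blocklist: https://adaway.org/hosts.txt (exclude: 0 block: 0) |
2023-04-23T19:06:35-07:00 | Notice | unbound | blocklist parsing done in 0.01 seconds (0 records) |
2023-04-23T19:21:34-07:00 | Notice | unbound | blocklist: https://adaway.org/hosts.txt (exclude: 0 block: 0) |
2023-04-23T19:21:35-07:00 | Notice | unbound | blocklist parsing done in 0.58 seconds (7355 records) |
"""

URL_RE = re.compile(r"https?://\S+")
DONE_RE = re.compile(r"blocklist parsing done in [\d.]+ seconds \((\d+) records\)")
RESOLVE_ERR = "Name does not resolve"


def _new_run():
    return {"start": None, "sources": set(), "unresolved": set(),
            "records": None, "degraded": True}


def audit_blocklist_runs(log_text):
    """Return one dict per blocklist update run; a run ends at 'parsing done'.
    A run is degraded if a source failed to resolve or no records were loaded."""
    runs, current = [], _new_run()
    for raw in log_text.splitlines():
        fields = [f.strip() for f in raw.split("|", 3)]
        if len(fields) < 4 or fields[2] != "unbound":
            continue  # not an Unbound entry in the expected layout
        stamp, message = fields[0], fields[3].rstrip(" |")
        current["start"] = current["start"] or stamp
        url = URL_RE.search(message)
        if RESOLVE_ERR in message and url:
            current["unresolved"].add(url.group().rstrip(":,)"))
        elif message.startswith("blocklist:") and url:
            current["sources"].add(url.group())
        done = DONE_RE.search(message)
        if done:
            current["records"] = int(done.group(1))
            current["degraded"] = bool(current["unresolved"]) or current["records"] == 0
            runs.append(current)
            current = _new_run()
    if current["start"]:  # run that never reached "parsing done" stays degraded
        runs.append(current)
    return runs


if __name__ == "__main__":
    for run in audit_blocklist_runs(SAMPLE_LOG):
        print(run["start"], "DEGRADED" if run["degraded"] else "ok", run["records"])
```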
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
Just wanted to report that it appears that Blocklist.site lists appear to have changed website/URL for the DNSBL lists. OPNsense now reporting 'Failed to establish a new connection: [Errno 8] Name does not resolve' when attempting to download DNSBL lists from Blocklist.site.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
OPNsense/Unbound should correctly download Blocklist.site DNSBL.
Describe alternatives you considered
As a workaround I have added the below DNSBL to the 'URLs of Blocklists' within Unbound.
https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt
https://blocklistproject.github.io/Lists/alt-version/drugs-nl.txt
https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt
https://blocklistproject.github.io/Lists/alt-version/malware-nl.txt
https://blocklistproject.github.io/Lists/alt-version/phishing-nl.txt
https://blocklistproject.github.io/Lists/alt-version/ransomware-nl.txt
https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt
https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt
https://blocklistproject.github.io/Lists/alt-version/porn-nl.txt
Screenshots
Relevant log files
Log file shown above in screenshot.
Additional context
N/A
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 23.1.6-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023