Blocked CNAME of allowed domain not able to easily be allowed #6722
Comments
This is entirely correct.
The statistics are from the perspective of the incoming queries, therefore showing two entries here will likely pollute the counters. The current code is somewhat aware of this situation, but pretends to be the original query so domains don't appear out of nowhere for the person reviewing the logs. The easiest solution would likely be to drop logging the incoming query (e.g.
Isn't that exactly what I listed as the first alternative?
I am simply eliminating ambiguity. "exactly" does not quite fit.
I've discovered another issue related to Unbound DNSBL and CNAME records. I'm not sure if it needs to be opened as a separate issue or rolled into this one. https://forum.opnsense.org/index.php?topic=36068.0 The TLDR is that CNAME records that resolve to a CNAME record appear to be broken.
I am also experiencing the same issue. Some domains in my "Whitelist" work fine but the most recent one added does not, regardless of restarts and waiting out TTL. Interesting observations that I hope can shed light on this:
Hello, I'm currently using the versions listed below and I can confirm this bug.
The domain I tried to whitelist is
Hello, running the same version reported by OP here and same issue.
In this case the domain that is not being whitelisted is
Disabling DNSBL "solves" the issue, but is not really what we want.
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue,
I have plans to work on this issue along with some other improvements to the whole DNSBL handling and reporting but with everything else I have going on I have no idea when I'll be able to dedicate time to it. In the meantime, anyone coming across this issue can use a DNS lookup tool (local or online) to find out what the next CNAME in the chain is until they get to the actual domain and unblock each one of those. While cumbersome, it does work to allow you to access something that is on a downloaded DNSBL.
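The manual workaround above (look up each CNAME in the chain and whitelist it) can be scripted. The helper below is an added example, not part of the OPNsense project or of this thread: it reads `dig +noall +answer` output for the allowed name, follows the chain by owner name rather than trusting line order, stops on a loop, and prints each CNAME target that still needs a whitelist entry. The sample answer section embedded at the end is constructed; the CNAME targets shown for click.redditmail.com are made up for this example.

```shell
#!/bin/sh
# cname_chain NAME < dig-answer-lines
# Reads lines in 'dig +noall +answer' format (owner TTL class type rdata)
# on stdin and prints, one per line, every CNAME target reached from NAME.
# These are the names that must also be whitelisted in the DNSBL, since
# Unbound checks each step of the chain against the blocklist.
cname_chain() {
  awk -v start="$1" '
    # Normalise names: lowercase and strip the trailing dot dig prints.
    function norm(n) { n = tolower(n); sub(/\.$/, "", n); return n }
    # Index CNAME records by owner so the chain can be followed in order.
    $4 == "CNAME" { target[norm($1)] = norm($5) }
    END {
      cur = norm(start)
      # Bound the walk so a malformed or looping chain cannot spin forever.
      for (i = 0; i < 32 && (cur in target); i++) {
        if (cur in seen) {
          print "CNAME loop detected at " cur > "/dev/stderr"
          exit 1
        }
        seen[cur] = 1
        cur = target[cur]
        print cur
      }
    }'
}

# Constructed sample of 'dig +noall +answer click.redditmail.com' output.
# The intermediate names below are invented for this example.
sample_answer='click.redditmail.com.    300  IN  CNAME  mail-relay.example.net.
mail-relay.example.net.  60   IN  CNAME  edge.example-cdn.net.
edge.example-cdn.net.    60   IN  A      203.0.113.10'

# Demo: lists mail-relay.example.net and edge.example-cdn.net, the two
# names that would need whitelist entries in addition to the original.
printf '%s\n' "$sample_answer" | cname_chain click.redditmail.com
```

Against a live resolver the same function is used as `dig +noall +answer click.redditmail.com | cname_chain click.redditmail.com`.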
In order to watch live sports on Paramount+ I have to allow pubads.g.doubleclick.net. I added it and its other CNAME pubads46.g.doubleclick.net to whitelist domains and it's still blocked by DNSBL. I don't watch often but when I do I have to disable blocklist altogether and clear my local DNS cache to get it to work. EDIT: I was able to get this working by using regex that I found in the forums (hopefully this helps someone else):
Describe the bug
I've tested this with 23.1.11 but I don't believe any changes in 23.7 would have affected this. If the CNAME of an allowed domain is on a blocklist, there is not a simple way to allow that query to successfully complete.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Whitelisted click.redditmail.com should resolve
Describe alternatives you considered
Current workaround is to manually query the allowed domain, get the resulting CNAME and then whitelist that in the DNSBL screen. Alternative would be for Unbound Reporting to show both the original and resulting CNAME and/or recognize that the CNAME is what is still blocked and therefore show the whitelist option instead of block.
Probably the least feasible option would be for Unbound to realize that the original query is allowed and therefore not check the resulting CNAME against the blocklist. This would likely cause more problems than it solves as well as reducing security provided by the blocklist.
Screenshots
https://imgur.com/N3dFp03
https://imgur.com/79oddsl
Additional context
See thread for more context. https://forum.opnsense.org/index.php?topic=35218.0