
Unbound whitelist isn't working in v25 #8273

Open
2 tasks done
piracyquest opened this issue Jan 31, 2025 · 12 comments

Comments

piracyquest commented Jan 31, 2025

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

Allowlists (whitelists) fail to bypass blocklists in DNS filtering. Explicitly allowed domains remain blocked if they match an active blocklist entry.

Example: Whitelisting 0.beer (or any other) while using Hagezi Ultimate blocklist still prevents domain resolution (nslookup fails) unless the blocklist is disabled.

To Reproduce

Steps to reproduce the behavior:

  1. Go to Services > Unbound > Blocklist
  2. Enable "Hagezi Multi Ultimate" blocklist
  3. Go to Whitelist
  4. Add domain 0.beer (or any other) and save (use regex or regular domains)
  5. Apply changes and restart the service. Wait all you want :)
  6. Execute from client: nslookup 0.beer or dig 0.beer
  7. Observe DNS resolution failure

Expected behavior

Allowlisted domains should override blocklist entries, permitting resolution of specified domains.

Actual behavior

Allowlisted domains remain blocked when present in active blocklist.

Workarounds tested

  • Success: Disabling entire blocklist (confirming whitelist works without blocklist)
  • Failed: Whitelist entry alone while blocklist is active

Relevant log files

  • Unbound logs register a red entry, signaling it's blocking the domain even though the unblock button turns into a "block" button (giving me the option to block the domain, meaning it should be already unblocked)

Environment

Software version:
OPNsense 25.x (amd64)
Hagezi Blocklist Ultimate

Additional context

  • Verified with Unbound resolver
  • Reproducible after service restarts
  • Test domain 0.beer confirmed present in Hagezi blocklist
@piracyquest piracyquest changed the title Unbound whitelist i Unbound whitelist isn't working in v25 Jan 31, 2025
JasMan78 commented Feb 1, 2025

I can confirm that whitelisting e.g. 00fun.com does not work in 24.7.12_4 and 25.1.
Whitelisting other domains that do not start with a zero works in both versions.

@piracyquest (Author)

Not in my case: no domain can be whitelisted.

samham77 commented Feb 1, 2025

try .*beer

JasMan78 commented Feb 1, 2025

Not in my case: no domain can be whitelisted.

Most times I need to "Apply" and restart Unbound to whitelist a domain. Have you tried that?
It does not help for whitelisting domains which start with a zero!

bm55 commented Feb 4, 2025

I am also experiencing a similar issue with the Hagezi block list on OPNsense 25.1. For example, I am unable to access Facebook: adding facebook.com, graph.facebook.com, web.facebook.com and their CNAMEs to the whitelist still blocks those addresses. I restarted the service and even restarted the firewall, and I don't see any related error in the Unbound logs, so for now I just turned off the one Hagezi list that was blocking Facebook.


piracyquest commented Feb 4, 2025

Not in my case: no domain can be whitelisted.

Most times I need to "Apply" and restart Unbound to whitelist a domain. Have you tried that? It does not help for whitelisting domains which start with a zero!

I have tried that, yes. Still no way to unblock anything. For example, whenever I try to update fedora 41 I get this:

Curl error (7): Could not connect to server for https://mirror.karneval.cz/pub/linux/fedora/linux/updates/41/Everything/x86_64/Packages/p/python3-dnf-4.22.0-2.fc41.noarch

I have confirmed that Hagezi's Badware Hoster list is the one blocking the domain karneval.cz.

I then go to Unbound > Whitelist > type (^|\.)karneval\.cz$, restart the service with cache deletion, and type in my terminal sudo systemd-resolve --flush-caches. Then, whenever I type dig karneval.cz I get:

~$ dig karneval.cz

; <<>> DiG 9.18.30 <<>> karneval.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61426
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;karneval.cz. IN A

;; ANSWER SECTION:
karneval.cz. 3600 IN A 0.0.0.0

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Feb 04 10:26:03 CET 2025
;; MSG SIZE rcvd: 56

Not working! :(

bm55 commented Feb 4, 2025

A regular expression like (.)?(.)? seems to work. (.)?(.)?apple.com allows the Apple visual search on the new iPhone, which was blocked by the Hagezi DOH list.

@piracyquest (Author)

A regular expression like (.)?(.)? seems to work. (.)?(.)?apple.com allows the Apple visual search on the new iPhone, which was blocked by the Hagezi DOH list.

Unfortunately this is not a permanent solution. This issue should be investigated further.

oyxnaut commented Feb 6, 2025

A regular expression like (.)?(.)? seems to work. (.)?(.)?apple.com allows the Apple visual search on the new iPhone, which was blocked by the Hagezi DOH list.

The regex workaround doesn't work for me. I'm on 25.1

peanut18 commented Feb 7, 2025

I run many Hagezi lists and upgraded to 25.1 from 24.7 and my whitelists still work. These ones are all blocked in the DOH feed and I have selectively whitelisted them.

Strangely, the asterisks in the text don't show up on here, so I had to use a screenshot.

[image: screenshot of the whitelisted domains]

VartanS commented Feb 7, 2025

I have same issue on 25.1.
Regex did not help.
(.*)?(.)?loganalytics.io

oyxnaut commented Feb 11, 2025

Another observation: all changes to the blocklists and exceptions show up as expected in /usr/local/etc/unbound/unbound-blocklists.conf, but some domains on the whitelist somehow get ignored.

Example:

[settings]
rcode=NXDOMAIN
address=0.0.0.0

[blocklists]
predefined_atf=https://threatfox.abuse.ch/downloads/hostfile
predefined_aa=https://adaway.org/hosts.txt
predefined_ag=https://v.firebog.net/hosts/AdguardDNS.txt
predefined_el=https://v.firebog.net/hosts/Easylist.txt
predefined_ep=https://v.firebog.net/hosts/Easyprivacy.txt
predefined_hgz003=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.txt
predefined_hgz009=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/fake.txt
predefined_hgz010=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/popupads.txt
predefined_hgz011=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.txt
predefined_hgz017=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/hoster.txt
predefined_hgz018=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/anti.piracy.txt
predefined_hgz019=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/gambling.txt
predefined_sb=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
predefined_yy=http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&mimetype=plaintext

[exclude]
# exclude localhost entries
default_pattern_1=.*localhost$
# user defined
# censored custom_pattern_1 through custom_pattern_9
custom_pattern_10=weakpass.com
custom_pattern_11=security-explorations.com
custom_pattern_12=j00ru.vexillium.org
custom_pattern_13=googleprojectzero.blogspot.com

[include]
# user defined
custom_pattern_1=use-application-dns.net
custom_pattern_2=global.rel.tunnels.api.visualstudio.com

Resolving custom_pattern_10 to 12 (added on 24.7) is no problem at all, but the P0 blog (custom_pattern_13) still returns NXDOMAIN.

I couldn't find any code that handles this file, but I found /var/unbound/data/dnsbl.json, which does not contain any of the domains on the whitelist, so to my understanding, they should be resolvable. My guess is that the bug is somewhere in src/opnsense/service/templates/OPNsense/Unbound/core/dnsbl_module.py.
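The comment above shows the [exclude] section of unbound-blocklists.conf, and the thread as a whole turns on one question: which blocklist entries does each exclusion regex actually strip before the list is handed to Unbound? The following script is an added example for auditing that offline; it is not OPNsense's own code and does not reproduce whatever dnsbl_module.py does. It assumes (as the anchored (^|\.)karneval\.cz$ pattern in the thread suggests) that each exclusion is applied as an unanchored regex search against every blocklist entry, and that blocklist entries have wildcard semantics (an entry blocks itself and all subdomains). The config text and blocklist entries are constructed samples in the layout shown above. Besides confirming that an expected entry is removed, the per-pattern report shows the opposite risk: an unanchored pattern such as .*beer also removes unrelated entries that merely contain the string.

```python
"""Audit Unbound blocklist exclusions: report which blocklist entries each
[exclude] regex removes and whether a given name is still blocked afterwards.
Added example; assumptions are noted in comments."""
import configparser
import re

# Constructed sample in the layout of unbound-blocklists.conf from the thread.
SAMPLE_CONF = """
[settings]
rcode=NXDOMAIN
address=0.0.0.0

[exclude]
# exclude localhost entries
default_pattern_1=.*localhost$
# user defined
custom_pattern_1=(^|\\.)karneval\\.cz$
custom_pattern_2=.*beer
custom_pattern_3=googleprojectzero.blogspot.com
"""

# Constructed blocklist entries (wildcard style: an entry blocks itself and subdomains).
SAMPLE_BLOCKLIST = [
    "0.beer",
    "ads.beer-tracker.example",
    "karneval.cz",
    "mirror.karneval.cz",
    "googleprojectzero.blogspot.com",
    "doubleclick.net",
    "localhost",
]


def load_exclusions(conf_text):
    """Return {key: compiled regex} for every entry in the [exclude] section.
    Assumption: each value is a regex applied with re.search (unanchored)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {key: re.compile(value, re.IGNORECASE) for key, value in parser["exclude"].items()}


def apply_exclusions(blocklist, exclusions):
    """Return (effective_blocklist, removed). `removed` maps each exclusion key to
    the blocklist entries it stripped, so over-broad patterns are easy to spot."""
    removed = {key: [] for key in exclusions}
    effective = set()
    for raw in blocklist:
        entry = raw.strip().lower().rstrip(".")
        hits = [key for key, rx in exclusions.items() if rx.search(entry)]
        if hits:
            for key in hits:
                removed[key].append(entry)
        else:
            effective.add(entry)
    return effective, removed


def is_blocked(name, effective):
    """Wildcard semantics (assumption): a name is blocked if it or any parent
    domain is still on the effective blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in effective for i in range(len(labels)))


def audit(conf_text=SAMPLE_CONF, blocklist=SAMPLE_BLOCKLIST):
    """Parse the config, apply its exclusions and return (effective, removed)."""
    exclusions = load_exclusions(conf_text)
    return apply_exclusions(blocklist, exclusions)


if __name__ == "__main__":
    effective, removed = audit()
    for key, entries in removed.items():
        print(f"{key}: removes {entries if entries else 'nothing'}")
    for name in ["0.beer", "mirror.karneval.cz", "cdn.doubleclick.net", "ads.beer-tracker.example"]:
        print(f"{name}: {'BLOCKED' if is_blocked(name, effective) else 'resolves'}")
```

Running it with the samples reports that custom_pattern_2 (.*beer) removes both 0.beer and ads.beer-tracker.example, which is the kind of collateral hole to look for when a broad workaround regex is adopted; to check a real installation, read the actual [exclude] section and a downloaded list file into audit() instead of the constructed samples.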
