Allow list does not bypass blocked TLDs
When blocking a TLD from the security tab, and adding a FQDN to the allow list, the allow list is not honored.
For example, I block '.work' as a TLD. If I add frame.work to my account's allow list, it still does not resolve it.
If I remove the .work TLD block, I can then resolve the frame.work domain again.
Troubleshooting I have done is to clear my DNS cache and restart local network DNS resolvers (Unbound). Doing this when adding to the allow list does not resolve anything. Performing these steps when removing the TLD block works.
I would expect an allow list entry to override TLD blocks because of the following statement at the top of the allow list page:
"Allowing a domain will automatically allow all its subdomains. Allowing takes precedence over everything else, including security features."
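The precedence rule quoted above, modelled as a small policy evaluator (an added example for this thread, not NextDNS's own code): allow-list entries cover the domain and its subdomains and win over a TLD block, and matching is done label by label so that an entry for frame.work does not accidentally cover notframe.work.

```python
# Model of the allowlist / TLD-block precedence described in the thread.
# Constructed for illustration; this is NOT NextDNS's implementation.

def _labels(name: str) -> list[str]:
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]

def covers(entry: str, qname: str) -> bool:
    """True if `entry` equals qname or is a parent domain of it (label-wise).
    Label-wise comparison avoids the classic pitfall of plain suffix matching,
    where 'frame.work' would also cover 'notframe.work'."""
    e, q = _labels(entry), _labels(qname)
    return 0 < len(e) <= len(q) and q[-len(e):] == e

def naive_covers(entry: str, qname: str) -> bool:
    """The string-suffix version, kept only to show what it gets wrong."""
    return qname.lower().rstrip(".").endswith(entry.lower().rstrip("."))

def decide(qname: str, blocked_tlds, allowlist) -> tuple[str, str]:
    """Apply the rule quoted on the allow-list page: allow entries (and their
    subdomains) take precedence over every security feature, TLD blocks included."""
    for entry in allowlist:
        if covers(entry, qname):
            return ("allow", f"allowlist entry '{entry}'")
    labels = _labels(qname)
    tld = labels[-1] if labels else ""
    if tld in {t.lower().lstrip(".") for t in blocked_tlds}:
        return ("block", f"TLD '.{tld}' is blocked")
    return ("allow", "no rule matched")

# The reporter's scenario: '.work' blocked as a TLD, frame.work allow-listed.
BLOCKED_TLDS = {".work"}
ALLOWLIST = ["frame.work"]

def expected_results() -> dict[str, str]:
    """What the documented precedence implies for a few constructed queries."""
    queries = ["frame.work", "www.frame.work", "notframe.work",
               "other.work", "example.com"]
    return {q: decide(q, BLOCKED_TLDS, ALLOWLIST)[0] for q in queries}

if __name__ == "__main__":
    for q, verdict in expected_results().items():
        print(f"{q:20} -> {verdict}")
```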
11 replies
-
"Allowing a domain will automatically allow all its subdomains. Allowing takes precedence over everything else, including security features."
It works as described for me. I have blocked nearly every TLD and make exceptions as needed.
-
That is indeed strange. For troubleshooting can you switch unbound to use old fashioned plaintext UDP 53 to NextDNS and get a packet capture of UDP 53 of your router’s WAN traffic?
-
Just to help out, I have also tested this for you.
Like Calvin Hobbes, I already have .work blocked in the TLD section of the Security tab. I first tested that frame.work was blocked by trying to browse to it in my web browser. I also verified this against the Nextdns logs and could see that it was blocked. I then added frame.work into the allowlist and I could then browse to frame.work in my web browser, without needing to refresh any DNS cache. I also verified in my Nextdns logs that frame.work was now allowed.
Check your Nextdns logs to see whether frame.work is being allowed or denied; this will help you determine if the problem is with Nextdns or with your equipment.
-
Glad you were now able to pinpoint the issue down further and can rule out NextDns.
I’m afraid I don’t know anything about Unbound so I’ll leave you to troubleshoot that further.
But just remember that your web browser also has its own DNS cache, independent of the OS.
-
What is your Unbound configuration's forward-zone? Can you show that?
Until you configure your forward zone in Unbound, Unbound will not work properly to override local DNS.
forward-addr: 45.90.28.0#xxxxxx.dns1.nextdns.io
forward-addr: 2a07:a8c0::#xxxxxx.dns1.nextdns.io
forward-addr: 45.90.30.0#xxxxxx.dns2.nextdns.io
forward-addr: 2a07:a8c1::#xxxxxx.dns2.nextdns.io
You also need to set up NEXTDNS.conf.