1

Unbound and NextDNS - ad blocking is acting strangely

Hi!

I posted once yesterday with a similar title, only to delete it within 5 minutes, as I wanted to experiment more.

Our router uses Unbound on opnsense, using DNS over TLS to forward to NextDNS - up until 2 days ago, everything's worked fine - in particular, ad blocking has exactly as it should.

Starting a couple days ago, though, ads have begun slipping through, but only when browsing through our router - disconnected from the router (i.e. mobile using cell), ad blocking via the same profile as we use in the router behaves as expected.

All other things appear to work fine - blocklists, parental control, etc - it's only ad-blocking, and not all ad blocking, that's failing. We use Hagezi Pro++, Pro, and Normal, and OISD, along with short lists of denied and allowed sites.

When I do an nslookup, or run an adblock test, on a site that should be blocked, I can see the site appear as blocked in the logs, but looking at Unbound's logs, I also see the records return with valid IPs.

Nothing's changed on my router in more than a week - this just came out of nowhere, which is a bit unfortunate.

If anyone has any suggestions, I'd love to hear them - TIA!

5 replies

null
    • John_M.1
    • 2 mths ago
    • Reported - view

    So, I identified the issue - while the first nextdns IP in the list replied 'nodata' appropriately, unbound moved to the second one, which replied _with_ an answer!

    Am I wrong in thinking it should _NOT_ have replied with an answer?? In short, disabling the second dns entry in Unbound fixed the issue!

    • John_M.1
    • 2 mths ago
    • Reported - view
    • John_M.1
    • 2 mths ago
    • Reported - view

    I think this confirms that it's a very similar or same issue to this one from 10mos ago. In case, .28. returns the correct response, while .30. does not. Here's a link to the older issue: https://help.nextdns.io/t/h7y3mmh/synchro-issue-between-nextdns-server

     

    Here's from 45.90.28.216:

     dig +tcp chaos adtago.s3.amazonaws.com @45.90.28.216
    ;; Warning: Message parser reports malformed message packet.
    ; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.28.216
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35312
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 8
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; EDE: 17 (Filtered): (Blocked by NextDNS)
    ;; QUESTION SECTION:
    ;adtago.s3.amazonaws.com.       CH      A
    ;; ANSWER SECTION:
    adtago.s3.amazonaws.com. 300    IN      A       0.0.0.0
    ;; ADDITIONAL SECTION:
    proto.nextdns.io.       0       CH      TXT     "TCP"
    server.nextdns.io.      0       CH      TXT     "vultr-chi-1"
    profile.nextdns.io.     0       CH      TXT     "<hidden - I verified it was correct>"
    client.nextdns.io.      0       CH      TXT     "xx.xx.xx.xx"
    client-name.nextdns.io. 0       CH      TXT     "unknown"
    lists.nextdns.io.       0       CH      TXT     "blocklist:hagezi-multi-pro" "blocklist:hagezi-multi-pro-plus" "blocklist:oisd" "blocklist:hagezi-multi-normal"
    smart-ecs.nextdns.io.   0       CH      TXT     "12.2.184.0/24"
    ;; Query time: 24 msec
    ;; SERVER: 45.90.28.216#53(45.90.28.216) (TCP)
    ;; WHEN: Wed Oct 23 14:36:20 EDT 2024
    ;; MSG SIZE  rcvd: 500

    And here's from 45.90.30.216:

    dig +tcp chaos adtago.s3.amazonaws.com @45.90.30.216
    ;; Warning: Message parser reports malformed message packet.
    ; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.30.216
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16361
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 7
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;adtago.s3.amazonaws.com.       CH      A
    ;; ANSWER SECTION:
    adtago.s3.amazonaws.com. 42821  IN      CNAME   s3-1-w.amazonaws.com.
    s3-1-w.amazonaws.com.   186     IN      CNAME   s3-w.us-east-1.amazonaws.com.
    s3-w.us-east-1.amazonaws.com. 5 IN      A       54.231.204.41
    s3-w.us-east-1.amazonaws.com. 5 IN      A       52.216.35.113
    s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.124.169
    s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.74.124
    s3-w.us-east-1.amazonaws.com. 5 IN      A       3.5.27.212
    s3-w.us-east-1.amazonaws.com. 5 IN      A       3.5.21.107
    s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.101.252
    s3-w.us-east-1.amazonaws.com. 5 IN      A       54.231.230.49
    ;; ADDITIONAL SECTION:
    client.nextdns.io.      0       CH      TXT     "xx.xx.xx.xx"
    client-name.nextdns.io. 0       CH      TXT     "unknown"
    proto.nextdns.io.       0       CH      TXT     "TCP"
    server.nextdns.io.      0       CH      TXT     "anexia-chi-1"
    profile.nextdns.io.     0       CH      TXT     "default"
    smart-ecs.nextdns.io.   0       CH      TXT     "not sent"
    ;; Query time: 98 msec
    ;; SERVER: 45.90.30.216#53(45.90.30.216) (TCP)
    ;; WHEN: Wed Oct 23 14:36:09 EDT 2024
    ;; MSG SIZE  rcvd: 761
    • John_M.1
    • 2 mths ago
    • Reported - view

    Hello? Is anyone there?

    • ryan_k
    • 2 mths ago
    • Reported - view

    It's concerning that there appears to be several ongoing issues and no responses.

Content aside

  • 1 Likes
  • 1 mth agoLast active
  • 5Replies
  • 136Views
  • 2 Following