Unbound and NextDNS - ad blocking is acting strangely
Hi!
I posted once yesterday with a similar title, only to delete it within 5 minutes, as I wanted to experiment more.
Our router uses Unbound on opnsense, using DNS over TLS to forward to NextDNS - up until 2 days ago, everything's worked fine - in particular, ad blocking has exactly as it should.
Starting a couple days ago, though, ads have begun slipping through, but only when browsing through our router - disconnected from the router (i.e. mobile using cell), ad blocking via the same profile as we use in the router behaves as expected.
All other things appear to work fine - blocklists, parental control, etc - it's only ad-blocking, and not all ad blocking, that's failing. We use Hagezi Pro++, Pro, and Normal, and OISD, along with short lists of denied and allowed sites.
When I do an nslookup, or run an adblock test, on a site that should be blocked, I can see the site appear as blocked in the logs, but looking at Unbound's logs, I also see the records return with valid IPs.
Nothing's changed on my router in more than a week - this just came out of nowhere, which is a bit unfortunate.
If anyone has any suggestions, I'd love to hear them - TIA!
5 replies
-
So, I identified the issue - while the first nextdns IP in the list replied 'nodata' appropriately, unbound moved to the second one, which replied _with_ an answer!
Am I wrong in thinking it should _NOT_ have replied with an answer?? In short, disabling the second dns entry in Unbound fixed the issue!
-
I think this may be a continuation of this issue: https://www.reddit.com/r/nextdns/comments/18jz7cv/synchro_issue_between_nextdns_servers/
-
I think this confirms that it's a very similar or same issue to this one from 10mos ago. In case, .28. returns the correct response, while .30. does not. Here's a link to the older issue: https://help.nextdns.io/t/h7y3mmh/synchro-issue-between-nextdns-server
Here's from 45.90.28.216:
dig +tcp chaos adtago.s3.amazonaws.com @45.90.28.216 ;; Warning: Message parser reports malformed message packet. ; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.28.216 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35312 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 8 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; EDE: 17 (Filtered): (Blocked by NextDNS) ;; QUESTION SECTION: ;adtago.s3.amazonaws.com. CH A ;; ANSWER SECTION: adtago.s3.amazonaws.com. 300 IN A 0.0.0.0 ;; ADDITIONAL SECTION: proto.nextdns.io. 0 CH TXT "TCP" server.nextdns.io. 0 CH TXT "vultr-chi-1" profile.nextdns.io. 0 CH TXT "<hidden - I verified it was correct>" client.nextdns.io. 0 CH TXT "xx.xx.xx.xx" client-name.nextdns.io. 0 CH TXT "unknown" lists.nextdns.io. 0 CH TXT "blocklist:hagezi-multi-pro" "blocklist:hagezi-multi-pro-plus" "blocklist:oisd" "blocklist:hagezi-multi-normal" smart-ecs.nextdns.io. 0 CH TXT "12.2.184.0/24" ;; Query time: 24 msec ;; SERVER: 45.90.28.216#53(45.90.28.216) (TCP) ;; WHEN: Wed Oct 23 14:36:20 EDT 2024 ;; MSG SIZE rcvd: 500
And here's from 45.90.30.216:
dig +tcp chaos adtago.s3.amazonaws.com @45.90.30.216 ;; Warning: Message parser reports malformed message packet. ; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.30.216 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16361 ;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 7 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;adtago.s3.amazonaws.com. CH A ;; ANSWER SECTION: adtago.s3.amazonaws.com. 42821 IN CNAME s3-1-w.amazonaws.com. s3-1-w.amazonaws.com. 186 IN CNAME s3-w.us-east-1.amazonaws.com. s3-w.us-east-1.amazonaws.com. 5 IN A 54.231.204.41 s3-w.us-east-1.amazonaws.com. 5 IN A 52.216.35.113 s3-w.us-east-1.amazonaws.com. 5 IN A 52.217.124.169 s3-w.us-east-1.amazonaws.com. 5 IN A 52.217.74.124 s3-w.us-east-1.amazonaws.com. 5 IN A 3.5.27.212 s3-w.us-east-1.amazonaws.com. 5 IN A 3.5.21.107 s3-w.us-east-1.amazonaws.com. 5 IN A 52.217.101.252 s3-w.us-east-1.amazonaws.com. 5 IN A 54.231.230.49 ;; ADDITIONAL SECTION: client.nextdns.io. 0 CH TXT "xx.xx.xx.xx" client-name.nextdns.io. 0 CH TXT "unknown" proto.nextdns.io. 0 CH TXT "TCP" server.nextdns.io. 0 CH TXT "anexia-chi-1" profile.nextdns.io. 0 CH TXT "default" smart-ecs.nextdns.io. 0 CH TXT "not sent" ;; Query time: 98 msec ;; SERVER: 45.90.30.216#53(45.90.30.216) (TCP) ;; WHEN: Wed Oct 23 14:36:09 EDT 2024 ;; MSG SIZE rcvd: 761
-
Hello? Is anyone there?
-
It's concerning that there appears to be several ongoing issues and no responses.
Content aside
-
1
Likes
- 2 wk agoLast active
- 5Replies
- 106Views
-
2
Following