1

Unbound and NextDNS - ad blocking is acting strangely

Hi!

I posted once yesterday with a similar title, only to delete it within 5 minutes, as I wanted to experiment more.

Our router uses Unbound on opnsense, using DNS over TLS to forward to NextDNS - up until 2 days ago, everything's worked fine - in particular, ad blocking has exactly as it should.

Starting a couple days ago, though, ads have begun slipping through, but only when browsing through our router - disconnected from the router (i.e. mobile using cell), ad blocking via the same profile as we use in the router behaves as expected.

All other things appear to work fine - blocklists, parental control, etc - it's only ad-blocking, and not all ad blocking, that's failing. We use Hagezi Pro++, Pro, and Normal, and OISD, along with short lists of denied and allowed sites.

When I do an nslookup, or run an adblock test, on a site that should be blocked, I can see the site appear as blocked in the logs, but looking at Unbound's logs, I also see the records return with valid IPs.

Nothing's changed on my router in more than a week - this just came out of nowhere, which is a bit unfortunate.

If anyone has any suggestions, I'd love to hear them - TIA!

5 replies

null
    • John_M.1
    • 1 mth ago
    • Reported - view

    So, I identified the issue - while the first nextdns IP in the list replied 'nodata' appropriately, unbound moved to the second one, which replied _with_ an answer!

    Am I wrong in thinking it should _NOT_ have replied with an answer?? In short, disabling the second dns entry in Unbound fixed the issue!

    • John_M.1
    • 1 mth ago
    • Reported - view

    I think this may be a continuation of this issue: https://www.reddit.com/r/nextdns/comments/18jz7cv/synchro_issue_between_nextdns_servers/

    • John_M.1
    • 1 mth ago
    • Reported - view

    I think this confirms that it's a very similar or same issue to this one from 10mos ago. In case, .28. returns the correct response, while .30. does not. Here's a link to the older issue: https://help.nextdns.io/t/h7y3mmh/synchro-issue-between-nextdns-server

     

    Here's from 45.90.28.216:

     dig +tcp chaos adtago.s3.amazonaws.com @45.90.28.216
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.28.216
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 8
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 17 (Filtered): (Blocked by NextDNS)
;; QUESTION SECTION:
;adtago.s3.amazonaws.com.       CH      A
;; ANSWER SECTION:
adtago.s3.amazonaws.com. 300    IN      A       0.0.0.0
;; ADDITIONAL SECTION:
proto.nextdns.io.       0       CH      TXT     "TCP"
server.nextdns.io.      0       CH      TXT     "vultr-chi-1"
profile.nextdns.io.     0       CH      TXT     "<hidden - I verified it was correct>"
client.nextdns.io.      0       CH      TXT     "xx.xx.xx.xx"
client-name.nextdns.io. 0       CH      TXT     "unknown"
lists.nextdns.io.       0       CH      TXT     "blocklist:hagezi-multi-pro" "blocklist:hagezi-multi-pro-plus" "blocklist:oisd" "blocklist:hagezi-multi-normal"
smart-ecs.nextdns.io.   0       CH      TXT     "12.2.184.0/24"
;; Query time: 24 msec
;; SERVER: 45.90.28.216#53(45.90.28.216) (TCP)
;; WHEN: Wed Oct 23 14:36:20 EDT 2024
;; MSG SIZE  rcvd: 500

    And here's from 45.90.30.216:

    dig +tcp chaos adtago.s3.amazonaws.com @45.90.30.216
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.20.2 <<>> +tcp chaos adtago.s3.amazonaws.com @45.90.30.216
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16361
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;adtago.s3.amazonaws.com.       CH      A
;; ANSWER SECTION:
adtago.s3.amazonaws.com. 42821  IN      CNAME   s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com.   186     IN      CNAME   s3-w.us-east-1.amazonaws.com.
s3-w.us-east-1.amazonaws.com. 5 IN      A       54.231.204.41
s3-w.us-east-1.amazonaws.com. 5 IN      A       52.216.35.113
s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.124.169
s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.74.124
s3-w.us-east-1.amazonaws.com. 5 IN      A       3.5.27.212
s3-w.us-east-1.amazonaws.com. 5 IN      A       3.5.21.107
s3-w.us-east-1.amazonaws.com. 5 IN      A       52.217.101.252
s3-w.us-east-1.amazonaws.com. 5 IN      A       54.231.230.49
;; ADDITIONAL SECTION:
client.nextdns.io.      0       CH      TXT     "xx.xx.xx.xx"
client-name.nextdns.io. 0       CH      TXT     "unknown"
proto.nextdns.io.       0       CH      TXT     "TCP"
server.nextdns.io.      0       CH      TXT     "anexia-chi-1"
profile.nextdns.io.     0       CH      TXT     "default"
smart-ecs.nextdns.io.   0       CH      TXT     "not sent"
;; Query time: 98 msec
;; SERVER: 45.90.30.216#53(45.90.30.216) (TCP)
;; WHEN: Wed Oct 23 14:36:09 EDT 2024
;; MSG SIZE  rcvd: 761
    • John_M.1
    • 4 wk ago
    • Reported - view

    Hello? Is anyone there?

    • ryan_k
    • 4 wk ago
    • Reported - view

    It's concerning that there appears to be several ongoing issues and no responses.

Login to reply

Content aside

  • 1 Likes
  • 3 wk agoLast active
  • 5Replies
  • 116Views
  • 2 Following