[Dnsmasq-discuss] URIBL_BLOCKED with dnsmasq and server options

[Buck Horn]

On 30.08.2022 21:09:33, Jelle de Jong wrote

>On 8/30/22 17:41, Buck Horn wrote:
>>
>>You could start by giving the following line a try:
>>server=/uribl.com/<URIBL DNS mirror here>
>
>I tried this, but that is not working, as expected as the mirrors are not DNS resolving mirrors but just alternatives for uribl.com as far as I can see.
>

You may verify that 54.153.32.255 is answering DNS requests as 
advertised, by running a lookup using one of the test points mentioned 
in https://uribl.com/about.shtml#testing

~$ dig +short 2.0.0.127.multi.uribl.com @54.153.32.255
127.0.0.14

>server=/uribl.com/ff.uribl.com
>server=/uribl.com/54.153.32.255

Try again after removing that first line:
Only the second *server* line above is stating an IP address 
(54.153.32.255) as the target upstream resolver for domains ending in 
uribl.com. Don't forget to restart dnsmasq to apply your changed 
configuration.

To test whether dnsmasq would correctly forward DNS requests for 
*.uribl.com, you may omit @54.72.143.21, or replace it with 127.0.0.1 or 
your dnsmasq's private range IP address (whatever is appropriate for 
your situation).

Since you indeed seem to intend to forward specific domains to a 
separate upstream resolver, and dnsmasq can easily handle that, 
installing unbound for just that purpose seems a little oversized.

If your dnsmasq host system is severly restricted, it may be beneficial 
to revert to using dnsmasq only.

On the other hand, if you'd have other, additional reasons to use 
unbound, it's probably ok to stick with it.
Note that port 533 is registered for a different purpose, though - for 
choosing a custom port for unbound, refer to
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=533

Even then, having dnsmasq forward *.uribl.com to their DNS mirrors could 
be applied and would even save a few cpu cycles, by avoiding unbound's 
full recursion.

Regards,
     Buck