Re: Feedback on issues with DNSFW in CU201 Testing

[Adolf Belka <adolf.belka@ipfire.org>]

Hi Michael and Jon,

On 25/03/2026 10:30, Michael Tremer wrote:
> Hello Jon,
> 
> Why would it be necessary to manually change the configuration?
> 
> Can you explain to us what you are thinking?

I think the argument is that the define-tag and access-control-tag options should not be multiple entries but single entries with multiple tags space separated in the "" section.

> 
>> On 24 Mar 2026, at 21:03, Jon Murphy <jon.murphy@ipfire.org> wrote:
>>
>> Try this in the dnsbl.conf file.
>>
>> server:
>>     define-tag: "ads.rpz.ipfire.org dating.rpz.ipfire.org"
>>
>> server:
>>     access-control-tag: 192.168.74.0/24 "ads.rpz.ipfire.org dating.rpz.ipfire.org"

Tried this but it made no difference. I suspect this might be that unbound needs to reload the config file if it has been changed and running unbound reload results in the dnsbl.conf file being updated with what is on the WUI page, so it goes back to the version before it was manually edited.

However this made me wonder what would happen if I only had the porn entry selected and not both the porn and gambling.

The result, with the browser network option set to No Proxy was that all porn sites were now blocked.

I then wondered what would happen if I chose two different categories where the working gambling one was after another category. So I tested out Dating and Gambling.

First tested out Dating on its own.

It blocked for academysingles.com and loopylove.com

Then I enabled both Dating and Gambling. In this case the two dating urls were still blocked but now all the urls that I had previously used, when testing out Gambling and Porn categories together, were no longer blocked.

If I disabled the Dating category then the Gambling sites were blocked again.

This was also found in the DNS: Unbound logs.

So it looks like if there are multiple categories selected then only the urls from the first category get blocked.

Regards,

Adolf.


>>
>>
>> Separate "access-control-tag" don’t seem to work.
> 
> What is this supposed to mean?
> 
> -Michael
> 
>>
>> The above changes allows RPZ to work as expected.
>>
>>
>>
>> ------ Original Message ------
>>  From "Michael Tremer" <michael.tremer@ipfire.org>
>> To "Adolf Belka" <adolf.belka@ipfire.org>
>> Cc development@lists.ipfire.org; dbl@lists.ipfire.org
>> Date 3/23/2026 9:41:07 AM
>> Subject Re: Feedback on issues with DNSFW in CU201 Testing
>>
>>> Hello,
>>>
>>> So this looks good. The list has been properly loaded into Unbound.
>>>
>>> I don’t quite know what could be going wrong now.
>>>
>>> -Michael
>>>
>>>> On 23 Mar 2026, at 12:22, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>
>>>> Hi Michael,
>>>>
>>>> On 23/03/2026 12:10, Michael Tremer wrote:
>>>>> Hello Adolf,
>>>>> What is the output of unbound-control list_auth_zones?
>>>>
>>>> porn.rpz.ipfire.org.    serial 1773964805        since 1774267487 2026-03-23T13:04:47
>>>> gambling.rpz.ipfire.org       serial 1773997205        since 1774267487 2026-03-23T13:04:47
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>>> -Michael
>>>>>> On 20 Mar 2026, at 16:59, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> On 20/03/2026 16:56, Michael Tremer wrote:
>>>>>>> Hello Adolf,
>>>>>>> I am copying the DBL list, too.
>>>>>>
>>>>>> Good idea. I was just thinking of it being related to Testing issue.
>>>>>>> So this is obviously not normal, but we can debug this step by step:
>>>>>>> First of all, we should check if Unbound was able to successfully fetch the DNS zones. Gambling has clearly been downloaded, but it seems that the Porn list might not. You can check in /var/cache/unbound if there is the zone file. If yes, then you can try to resolve a couple of things on the console and check if they are being blocked:
>>>>>>
>>>>>> I should have already mentioned this but forgot. It was one of the first things I checked and I have just re-confirmed now. The porn zone file is present. It was updated at 11:40 CET and the Gambling zone was updated at 12:53 CET.
>>>>>>
>>>>>> I also checked that the zone file contained the url's being used and it did and does.
>>>>>>
>>>>>>> # dig @localhost some.porn.website.com <http://some.porn.website.com/>
>>>>>>> You should see NXDOMAIN if the domain exists and has been blocked and you should see the log entries just like gambling.
>>>>>>
>>>>>> Got
>>>>>>
>>>>>> ;; Got answer:
>>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54293
>>>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>>>>>
>>>>>> So NXDOMAIN is in the answer but there was nothing additional in the unbound log. The last entry in it was from 12:58:50 when I did the tests with the gambling sites and if there was an entry it should have a timestamp for around 17:45
>>>>>>
>>>>>>> This rules out anything that is going wrong between the browser and Unbound.
>>>>>>> In case of the URL filter, it simply seems that squidguard is not seeing the requests. You might as well try something like:
>>>>>>
>>>>>> With the URL Filter enabled and DNSFW disabled then the URL Filter blocks and logs both the Gambling and Porn site accesses. Sorry if that came across as differently in my mail. The URL Filter works fine for me with both CU200 and CU201 Testing.
>>>>>>
>>>>>>> # http_proxy=http://1.2.3.4:800 <http://1.2.3.4:800/> https_proxy=http://1.2.3.4:800 <http://1.2.3.4:800/> wget -d http://some.porn.website.com <http://some.porn.website.com/>
>>>>>>> The squidguard.log should also contain some interesting information if something didn’t go as planned.
>>>>>>> -Michael
>>>>>>>> On 20 Mar 2026, at 12:30, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I am having issues with getting DNSFW to work properly, it fails in many conditions to block things from the list.
>>>>>>>>
>>>>>>>> The dbl list works fine for me in the URL Filter for both CU200 and CU201 Testing.
>>>>>>>>
>>>>>>>> For my testing I created a new install of CU201 Testing and just went straight to DNSFW and enabled the Gambling and Pornography categories and Saved.
>>>>>>>>
>>>>>>>> Then selected the Green network for both categories using the pencil edit option.
>>>>>>>>
>>>>>>>> In this setup I had no Web Proxy enabled.
>>>>>>>>
>>>>>>>> I then cleared the browser cache and set the Browser to No Proxy.
>>>>>>>>
>>>>>>>> I then tested out nl.onecasino.com and www.xnxx.com in Firefox and in Netsurf
>>>>>>>>
>>>>>>>> The gambling site was blocked and gave the message
>>>>>>>>
>>>>>>>> Unable to connect
>>>>>>>> Firefox can’t establish a connection to the server at nl.onecasino.com.
>>>>>>>>
>>>>>>>> For the porn site it was not blocked but opened up.
>>>>>>>> I tried with two other gambling and porn sites. All three gambling sites were blocked. All three porn sites were allowed through.
>>>>>>>>
>>>>>>>> In the DND: Unbound System Logs I found
>>>>>>>>
>>>>>>>> 12:52:26 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44247 www.postcodeloterij.nl. A IN
>>>>>>>> 12:52:26 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.postcodeloterij.nl. rpz-nxdomain 192.168.200.11@44356 www.postcodeloterij.nl. HTTPS IN
>>>>>>>> 12:51:32 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@55955 nl.onecasino.com. A IN
>>>>>>>> 12:51:32 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.onecasino.com. rpz-nxdomain 192.168.200.11@49136 nl.onecasino.com. HTTPS IN
>>>>>>>> 12:50:41 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@47229 welkom.hollandcasino.nl. A IN
>>>>>>>> 12:50:41 unbound: [1820:0]  info: rpz: applied [gambling.rpz.ipfire.org] *.hollandcasino.nl. rpz-nxdomain 192.168.200.11@43346 welkom.hollandcasino.nl. HTTPS IN
>>>>>>>>
>>>>>>>> So the blocked gambling sites were in the logs but not any of the pornography sites  had tested.
>>>>>>>>
>>>>>>>> Then tried the browser with the Network Settings set to Use system proxy settings and the same result occurred.
>>>>>>>>
>>>>>>>> I then turned on the Web Proxy with conventional connection on port 800. Saved and restarted and then Cleared the web proxy cache.
>>>>>>>> Then I cleared the browser cache and set the Network Settings to Manual proxy configuration with the IP of my IPFire system being tested.
>>>>>>>>
>>>>>>>> I then tested the same three gambling URL's and Porn URL's.
>>>>>>>> All of the sites were opened up.
>>>>>>>> In the DNS: Unbound system log there were no new entries.
>>>>>>>> In the Proxy Logs there were entries for the gambling and porn sites.
>>>>>>>>
>>>>>>>> I have also tested the browser out using the web proxy with the Automatic proxy configuration URL accessing the wpad file via dhcp and that also had the same results as using the Manual proxy configuration option.
>>>>>>>>
>>>>>>>> I have repeated a lot of my tests multiple times, also with repeated new installs and for me, as long as I ensured I had cleared the web proxy and browser caches, always came up with the same results as I have described above.
>>>>>>>>
>>>>>>>> It would be good to know if any of you also experience the same effect or if it works without problems for yourselves.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Adolf.
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
> 
>