Hi,
Thanks for the hard work.
I have an issue: I load the blocky DNS and it resolves a domain in my local whitelist correctly,
but some minutes later I receive an NXDOMAIN for the same domain.
Do you have an idea why?
And a second question: which list is blocking it?
Thanks
Here is the log when it resolves correctly:
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","groupsToCheck":"ads; local; malicious; special; tracking; windows","level":"debug","msg":"checking groups for request","prefix":"query_logging.custom_dns.blocking","question":"A (ca.monero.herominers.com.)","req_id":"f37ff001-6301-47ea-ae6a-5b39007ea3ae","time":"2025-12-08T22:38:13Z"}
{"level":"debug","msg":"regex '.herominers.com' matched with 'ca.monero.herominers.com'","prefix":"regex_cache","time":"2025-12-08T22:38:13Z"}
{"level":"debug","msg":"block rule 'ca.monero.herominers.com' matched with 'ca.monero.herominers.com'","prefix":"string_map","time":"2025-12-08T22:38:13Z"}
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","domain":"ca.monero.herominers.com","groups":["local"],"level":"debug","msg":"domain is allowlisted","prefix":"query_logging.custom_dns.blocking","question":"A (ca.monero.herominers.com.)","req_id":"f37ff001-6301-47ea-ae6a-5b39007ea3ae","time":"2025-12-08T22:38:13Z"}
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","domain":"ca.monero.herominers.com","level":"debug","msg":"domain is cached","prefix":"query_logging.custom_dns.blocking.dnssec.caching","question":"A (ca.monero.herominers.com.)","req_id":"f37ff001-6301-47ea-ae6a-5b39007ea3ae","time":"2025-12-08T22:38:13Z"}
Here is the log some minutes later, when I receive NXDOMAIN:
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","groupsToCheck":"ads; local; malicious; special; tracking; windows","level":"debug","msg":"checking groups for request","prefix":"query_logging.custom_dns.blocking","question":"A (ca.monero.herominers.com.)","req_id":"5f05a863-5468-481f-af55-07a20944d55b","time":"2025-12-08T22:46:20Z"}
{"level":"debug","msg":"regex '.herominers.com' matched with 'ca.monero.herominers.com'","prefix":"regex_cache","time":"2025-12-08T22:46:20Z"}
{"level":"debug","msg":"block rule 'ca.monero.herominers.com' matched with 'ca.monero.herominers.com'","prefix":"string_map","time":"2025-12-08T22:46:20Z"}
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","domain":"ca.monero.herominers.com","groups":["local"],"level":"debug","msg":"domain is allowlisted","prefix":"query_logging.custom_dns.blocking","question":"A (ca.monero.herominers.com.)","req_id":"5f05a863-5468-481f-af55-07a20944d55b","time":"2025-12-08T22:46:20Z"}
{"client_ip":"192.168.xxx.xxx","client_names":"192.168.xxx.xxx","domain":"ca.monero.herominers.com","level":"debug","msg":"domain is cached","prefix":"query_logging.custom_dns.blocking.dnssec.caching","question":"A (ca.monero.herominers.com.)","req_id":"5f05a863-5468-481f-af55-07a20944d55b","time":"2025-12-08T22:46:20Z"}
There was no restart between those logs.
Here is my config file:
blocky v0.28.1
not in Docker
```yaml
bootstrapDns:
  - upstream: https://1.1.1.1/dns-query
    # ips:
    #   - 1.1.1.1
  - upstream: 1.1.1.1
  - upstream: 8.8.8.8
  # OpenDNS
  - upstream: 208.67.222.222
  - upstream: 208.67.220.220
  # OpenNIC
  - upstream: 168.235.111.72
  - upstream: 147.93.130.20
upstreams:
  timeout: 5s
  strategy: parallel_best
  groups:
    default:
      #- 1.1.1.1
      #- 46.182.19.48
      #- 80.241.218.68
      - tcp-tls:dns.quad9.net
      - https://freedns.controld.com/uncensored
      - tcp-tls:uncensored.freedns.controld.com:853
      #- tcp-tls:fdns1.dismail.de:853
      - https://dns.digitale-gesellschaft.ch/dns-query
      - https://dns.sev.monster/dns-query
      - https://www.jabber-germany.de/dns-query
blocking:
  denylists:
    ads:
      - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://adaway.org/hosts.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
      #- https://big.oisd.nl/domainswild
      #- https://nsfw.oisd.nl/domainswild
      - https://o0.pages.dev/Pro/hosts.txt
    tracking: # These hosts are used for tracking, which I want to avoid as hard as I can
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://v.firebog.net/hosts/Prigent-Ads.txt
    malicious: # These are phishing, malware & crypto mining sites
      - http://phishing.mailscanner.info/phishing.bad.sites.conf
    windows:
      - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
    special:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
    local:
      - /opt/blocky/denylists/blocklist.txt
  allowlists:
    local:
      - /opt/blocky/allowlists/whitelist.txt
  clientGroupsBlock:
    default:
      - ads
      - tracking
      - malicious
      - windows
      - special
      - local
prometheus:
  enable: true
ports:
  dns: 53
  tls: 853
  http: 4000
log:
  level: debug
  format: json
  timestamp: true
  privacy: false
queryLog:
  type: mysql
  target: blocky:XXXX@tcp(192.168.xxx.xxx:3306)/blocky?charset=utf8mb4&parseTime=True&loc=Local
  logRetentionDays: 90
filtering:
  queryTypes:
    - AAAA
caching:
  minTime: 5m # How long to cache responses at a minimum. If the entry's TTL is shorter, it will get overridden by this value
  maxItemsCount: 10000 # How many DNS entries to keep in the cache at most. Unless your network is super busy, you probably won't ever have 10000 entries
  prefetching: yes # If an entry is "hot", proactively keep it in the cache by re-fetching it in the background
  prefetchMaxItemsCount: 2000 # How many entries to keep hot
customDNS:
  customTTL: 1h
  filterUnmappedTypes: true
  zone: |
    $ORIGIN xxx.local.
    toto IN A 192.168.xxx.xxx
```
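
Added example (not part of the original issue and not blocky's own code): a small Python triage script that groups debug lines like the ones above per `req_id` and reports which resolver stage decided the answer. The sample lines are constructed from the issue's logs with fields trimmed and a placeholder `req_id`; attributing the `regex_cache` and `string_map` lines, which carry no `req_id`, to the most recent request is a heuristic assumption.

```python
import json

# Constructed sample: the issue's debug lines for one request, fields trimmed,
# req_id replaced by a placeholder, plus one non-JSON noise line.
SAMPLE = [
    '{"groupsToCheck":"ads; local; malicious","msg":"checking groups for request",'
    '"prefix":"query_logging.custom_dns.blocking","question":"A (ca.monero.herominers.com.)","req_id":"req-1"}',
    '{"msg":"regex \'.herominers.com\' matched with \'ca.monero.herominers.com\'","prefix":"regex_cache"}',
    '{"msg":"block rule \'ca.monero.herominers.com\' matched with \'ca.monero.herominers.com\'","prefix":"string_map"}',
    '{"domain":"ca.monero.herominers.com","groups":["local"],"msg":"domain is allowlisted",'
    '"prefix":"query_logging.custom_dns.blocking","req_id":"req-1"}',
    '{"domain":"ca.monero.herominers.com","msg":"domain is cached",'
    '"prefix":"query_logging.custom_dns.blocking.dnssec.caching","req_id":"req-1"}',
    'not json: stray line from another program',
]

def trace_requests(lines):
    """Return {req_id: trace}; a trace records which resolver stage decided what."""
    traces, current = {}, None
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON log record
        if not isinstance(rec, dict):
            continue
        rid, msg = rec.get("req_id"), rec.get("msg", "")
        if rid is None:
            # Matcher lines have no req_id: attach to the latest request (heuristic).
            if current and " matched with " in msg:
                traces[current]["matcher_hits"].append((rec.get("prefix"), msg))
            continue
        current = rid
        t = traces.setdefault(rid, {"question": None, "allowlisted_by": [],
                                    "matcher_hits": [], "answered_by": None})
        t["question"] = rec.get("question", t["question"])
        if msg == "domain is allowlisted":
            t["allowlisted_by"] = rec.get("groups", [])
        elif msg == "domain is cached":
            # Last prefix component names the stage that produced the answer.
            t["answered_by"] = rec.get("prefix", "").rsplit(".", 1)[-1]
    return traces

def verdict(t):
    """One-line reading of a trace: did the blocking stage block, and who answered?"""
    if t["allowlisted_by"] and t["answered_by"] == "caching":
        return "not blocked: allowlisted, answer served from cache"
    return "not blocked: allowlisted" if t["allowlisted_by"] else "undetermined"

if __name__ == "__main__":
    for rid, t in trace_requests(SAMPLE).items():
        print(rid, t["question"], "->", verdict(t))
```
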