CNAME not resolving

[ali45345478]

Using blocky in the latest version in docker...

the website ravelry.com does not work.
The host style-cdn.ravelrycache.com resolves as CNAME to g2s2z8r3.stackpathcdn.com but that does not work with blocky.
The domain is not blocked (blacklisted), there is simply no entry that this host was queried.

With pihole, there is no problem.....

[0xERR0R]

Just tried this site, it works on my machine ;)

My output from "dig style-cdn.ravelrycache.com"

; <<>> DiG 9.16.11 <<>> style-cdn.ravelrycache.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;style-cdn.ravelrycache.com.    IN      A

;; ANSWER SECTION:
style-cdn.ravelrycache.com. 35946 IN    CNAME   g2s2z8r3.stackpathcdn.com.
g2s2z8r3.stackpathcdn.com. 35946 IN     A       151.139.128.11

;; Query time: 6 msec
;; SERVER: 192.168.178.3#53(192.168.178.3)
;; WHEN: Sun Feb 28 22:23:04 CET 2021
;; MSG SIZE  rcvd: 150

Do you see something interesting in your query logs?

[ali45345478]

I have blocky on my linux server (manjaro) and my workstation is Windows.. No, there is no entry in the query log for the Windows machine - that is what surprises me

[0xERR0R]

What is the output from dig (or nslookup)?

[ali45345478]

C:\Users\home>nslookup style-cdn.ravelrycache.com
Server: UnKnown
Address: 192.168.88.20

Nicht autorisierende Antwort:
Name: style-cdn.ravelrycache.com
Addresses: ::
0.0.0.0

BUT with pihole
C:\Users\home>nslookup style-cdn.ravelrycache.com
Server: 81939c995035
Address: 192.168.88.20

Nicht autorisierende Antwort:
Name: g2s2z8r3.stackpathcdn.com
Address: 151.139.128.11
Aliases: style-cdn.ravelrycache.com

[ali45345478]

Ok, I think I found it... the domain seems to be blocked, but there is no entry in the query logfile

I tried to use the whitelist.txt... but no luck. How is the whitelist.txt included/evaluated in docker as it is not give in the docker-compose

[0xERR0R]

Did you try to set the loglevel to debug? Can you share you config.yaml?

[ali45345478]

Ok, something strange... the blocked domain is now working. Maybe caching, don't know.
Sorry for the time spent.

[0xERR0R]

Please share you config (upstream resolvers part). I had similar case in the past, but I need to check it

[ali45345478]

upstream:
externalResolvers:
- unbound:5053

I use a local unbound

[0xERR0R]

ok, and which external resolvers are used by unbound?

[ali45345478]

How can I use the whitelist.txt with docker? My docker-compose looks like

version: "2.1"
services:
blocky:
image: spx01/blocky
container_name: blocky
restart: unless-stopped
depends_on:
- unbound
ports:
- "53:53/tcp"
- "53:53/udp"
- "4000:4000/tcp" # Prometheus stats (if enabled).
environment:
- TZ=Europe/Berlin
volumes:
# config file
- ./config.yml:/app/config.yml
# write query logs in this directory. You can also use a volume
- /var/log/blocky:/logs

unbound:
image: klutchell/unbound
container_name: unbound
restart: unless-stopped
ports:
- '5053:5053/udp'

where I pass the config.yml... do I have to pass the whitelist.txt as well?

[ali45345478]

ok, and which external resolvers are used by unbound?

None

[0xERR0R]

My configuration: 2 directories "blacklists" and "whitelists" mounted as docker volume.

    volumes:
      - ./config.yml:/app/config.yml
      - ./blacklists:/app/blacklists/
      - ./whitelists:/app/whitelists/

Configuration in config.yml

blocking:
  whiteLists:
    ads:
      - /app/whitelists/whitelist.txt

[0xERR0R]

ok, and which external resolvers are used by unbound?

None

Ok... But somehow an external DNS server should be asked for the result?

I had in the past 4 external resolvers in my configuration. 1 of them had ad-block filter (so basically, the external DNS server filtered some domains). Blocky peeks random 2 resolvers and uses the answer from the fastest. So I had periodically 0.0.0.0 as DNS response for one particular domain and this domain was on the whitelist. Later I realized, that it was not possible for blocky to whitelist a domain, which was already filtered by external DNS

[ali45345478]

Already took that into consideration.. I added the domain now to the whitelist with the configuration above, works!
Maybe it is worth updating the documentation with the whitelist and docker compose as the examples do not describe this configuration. Great work BTW!

[0xERR0R]

I'm working currently on the documentation site and I'll add it to the advanced docker-compose example