unbound: update reporting/advanced/blocklist documentation

pull/468/head
Stephan 1 year ago
parent 4de4e97f44
commit 3242ef1100

@ -65,11 +65,23 @@ The details tab shows a livefeed of **completed** queries along with reply infor
You can refresh the list by clicking the refresh button on the top right of the screen. In it you can find:
* Which client queried which domain with its associated DNS record type.
.. Note::
It's possible that a queried domain with a record type other than a CNAME (e.g. A or AAAA) might show as blocked
with a CNAME as the record type in the details table. This is because a response to a query can contain
CNAME records which ultimately point to the queried record type within the same answer (try doing a dig on
www.azure.com for example). If any of these CNAME records contain domain names that occur within the
configured blocklists, the blocklist system will also block this query, but can only do so after Unbound has
resolved the relevant domain. The resolve time will therefore be higher on these types of block actions.
* The action taken by Unbound, this can either be pass, block or drop. The latter only occurs when a query could
not be serviced due to an internal error.
* The source of the response. This can be either Recursion, Local, Local-data or cache. Local refers to a decision
made by Unbound to either block or drop the query. Local-data refers to the custom host overrides and its associated
aliases or internal local-data entries generated by the system.
not be serviced due to an internal error. "Internal error" can be anything, ranging from a loss of internet connectivity
to a crash of Unbound. The common factor is that Unbound marks the return code as SERVFAIL. If the Unbound logs
do not show any reason for a drop occuring, the most likely candidate will be a loss of connectivity.
* The source of the response. This can be either Recursion, Local, Local-data or cache. 'Local' refers to a decision
made by Unbound to either block or drop the query. 'Local-data' refers to the custom host overrides and its associated
aliases or internal local-data entries generated by the system. 'Cache' shows responses to clients utilizing the cache.
* The return code of the DNS query. Refer to the
`IANA DNS Parameters <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__
for its meaning.
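Review bot: the `.. Note::` directive inserted between the "Which client queried which domain" bullet and the "The action taken by Unbound" bullet has to be indented as part of the first bullet's item text and surrounded by blank lines, otherwise Sphinx closes the list at the directive and renders the remaining bullets as a second list; the extracted hunk does not show indentation, so please check the rendered page. The note also explains that a block on a CNAME chain can only happen after Unbound has resolved the name, while the "source of the response" bullet says 'Local' covers blocks and drops; state explicitly which source these late blocks are reported under (Local or Recursion) so the two passages agree. Minor: "occuring" should be "occurring", "its associated aliases" should be "their associated aliases", and "utilizing the cache" reads better as "served from the cache".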

@ -229,6 +229,11 @@ Minimum TTL for RRsets and messages Configure a minimum Time to live in second
trouble as the data in the cache might not match up with the actual data anymore.
TTL for Host cache entries Time to live in seconds for entries in the host cache.
The host cache contains round-trip timing, lameness and EDNS support information.
Keep probing down hosts Keep probing hosts that are down in the infrastructure host cache. Hosts that are down
are probed about every 120 seconds with an exponential backoff. If hosts do not respond
within this time period, they are marked as down for the duration of the host cache TTL.
This setting can be used in conjunction with "TTL for Host cache entries" to increase
responsiveness if internet connectivity bounces happen frequently.
Number of Hosts to cache Number of hosts for which information is cached.
Unwanted Reply Threshold If enabled, a total number of unwanted replies is kept track of in every
thread. When it reaches the threshold, a defensive action is taken and
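Review bot: in the "Keep probing down hosts" row, the sentences "Hosts that are down are probed about every 120 seconds with an exponential backoff. If hosts do not respond within this time period, they are marked as down for the duration of the host cache TTL." describe what happens to a down host in general, but not what changes when the option is enabled, which is the point of the row; say plainly that with the option on, hosts keep being re-probed instead of staying marked down until the TTL expires, and with it off they are not probed again before the TTL runs out. The closing sentence says the setting "can be used in conjunction with 'TTL for Host cache entries' to increase responsiveness" without saying in which direction to change that TTL; "together with a shorter host cache TTL" would be unambiguous. "If internet connectivity bounces happen frequently" is informal; suggest "if upstream connectivity is intermittent".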
@ -278,6 +283,7 @@ Enable integrated dns blacklisting using one of the predefined sources or custom
==================================== ===============================================================================
Enable Enable blacklists
Enable SafeSearch Force the usage of SafeSearch on Google, DuckDuckGo, Bing, Qwant, PixaBay and YouTube.
Type of DNSBL Predefined external sources
URLs of Blacklists Additional http[s] location to download blacklists from, only plain text
files containing a list of fqdn's (e.g. :code:`my.evil.domain.com`) are
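Review bot: the new "Enable SafeSearch" row lists the providers but not the mechanism or its interaction with the other rows in this table; if the forcing works by answering the providers' hostnames with local data (which would surface as 'Local-data' in the reporting details documented in the first hunk), say so, and state whether a "Whitelist Domains" entry for one of those providers disables it. Also, the vendor spells the name "Pixabay", not "PixaBay", and since this change moves the page to "blocklist" wording, the "Enable blacklists" description on the preceding context line could be updated to match in the same commit.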
@ -289,6 +295,8 @@ Whitelist Domains When a blacklist item contains a pattern d
Blocklist Domains List of domains to explicitly block. Regular expressions are not supported.
Passed domains explicitly blocked using the :doc:`/manual/reporting_unbound_dns`
page will show up in this list.
Wildcard Domains List of wildcard domains to blocklist. All subdomains of the given domain will
be blocked. Blocking first-level domains (e.g. 'com') is not supported.
Destination Address Specify an IP address to return when DNS records are blocked. Can be used to
redirect such domains to a separate webserver informing the user that the
content has been blocked. The default is 0.0.0.0. Any value in this field
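Review bot: in the "Wildcard Domains" row, "All subdomains of the given domain will be blocked" leaves open whether the listed domain itself is blocked as well as its subdomains; state it either way, because an entry like 'ads.example' that blocks only 'x.ads.example' is a common surprise. "Blocking first-level domains (e.g. 'com') is not supported" should say whether that covers only single-label TLDs or also multi-label public suffixes such as 'co.uk', and whether such an entry is rejected on save or silently ignored. A sentence on precedence between "Wildcard Domains", "Blocklist Domains" and "Whitelist Domains" would also help, since the Whitelist row above describes pattern matching against blacklist items but does not say whether a whitelist pattern overrides a wildcard entry.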
