unbound: update reporting / blocklist documentation

1 year ago · 7b3e1a7a31
parent 79e598ce19
commit 7b3e1a7a31
2 changed files with 20 additions and 6 deletions
--- a/source/manual/reporting_unbound_dns.rst
+++ b/source/manual/reporting_unbound_dns.rst
@ -42,7 +42,9 @@ Every query counter shows the percentage as part of to the total amount of queri
 Also included in the report are two DNS traffic graphs, the first one being the query graph, and the second one
 being the client graph. Both graphs show the amount of **incoming** queries over a selectable span of time.
 The query graph also shows the amount of blocked queries. You can hover over the dots in the client graph
-to see which client it is, as well as the amount of queries associated with this client.
+to see which client it is, as well as the amount of queries associated with this client. If you proceed to click
+on this point of data, you will be referred to the Details grid containing every query within this time interval
+made by this client.

 Both the query and client graph have the option to display the data on a logarithmic scale in order to catch outliers
 properly while preserving your perspective of the normal flow of traffic.
@ -67,7 +69,7 @@ You can refresh the list by clicking the refresh button on the top right of the
  not be serviced due to an internal error.
 * The source of the response. This can be either Recursion, Local, Local-data or cache. Local refers to a decision
  made by Unbound to either block or drop the query. Local-data refers to the custom host overrides and its associated
-  aliases.
+  aliases or internal local-data entries generated by the system.
 * The return code of the DNS query. Refer to the
  `IANA DNS Parameters <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__
  for its meaning.
--- a/source/manual/unbound.rst
+++ b/source/manual/unbound.rst
@ -283,14 +283,26 @@ URLs of Blacklists                    Additional http[s] location to download bl
                                      files containing a list of fqdn's (e.g. :code:`my.evil.domain.com`) are
                                      supported.
 Whitelist Domains                     When a blacklist item contains a pattern defined in this list it will
-                                      be ommitted from the results.  e.g. :code:`.*\.nl` would exclude all .nl domains
+                                      be ommitted from the results.  e.g. :code:`.*\.nl` would exclude all .nl domains.
+                                      Blocked domains explicitly whitelisted using the :doc:`/manual/reporting_unbound_dns`
+                                      page will show up in this list.
+Blocklist Domains                     List of domains to explicitly block. Regular expressions are not supported.
+                                      Passed domains explicitly blocked using the :doc:`/manual/reporting_unbound_dns`
+                                      page will show up in this list.
+Destination Address                   Specify an IP address to return when DNS records are blocked. Can be used to
+                                      redirect such domains to a separate webserver informing the user that the
+                                      content has been blocked. The default is 0.0.0.0. Any value in this field
+                                      is skipped if "Return NXDOMAIN" is checked.
+Return NXDOMAIN                       Instead of returning the "Destination Address", return the DNS return code
+                                      "NXDOMAIN". This is useful in cases where devices cannot cope
+                                      with the 0.0.0.0 destination address, such as certain Apple devices.
 ====================================  ===============================================================================

 .. Note::

-    As of 22.7.9, the blocklist implementation has internally been decoupled from Unbound, this means that
-    an apply from the blocklist settings will not have effect immediately, rather it might take some time for Unbound
-    to pick up on it. This prevents the need for excessive restarts of Unbound.
+    Applying the blocklist settings will not restart Unbound, rather it will signal to Unbound to dynamically
+    process the blocklists as soon as they're downloaded. There may be up to a minute of delay before Unbound
+    has loaded everything. During this time Unbound will still be just as responsive.

 When any of the DNSBL types are used, the content will be fetched directly from its original source, to
 get a better understanding of the source of the lists we compiled the list below containing references to