Hi,

First of all, I wonder what you are trying to blacklist, because it
would probably be simpler to just implement something using Unbound's
local zones.

Now, about dynamic blacklisting in real-time... (especially when you
need to do it for everything under the Sun)
You will have to be aware of the following :
- Unbound will cache results that resolve positively
- If you decide to reject something with a SERVFAIL, cache won't apply.
- Cache hits will not trigger the python module
- But any cache miss will trigger the python module, which can become a
big problem.

So, it will greatly depend on how many clients are accessing your DNS
server, but a complex blacklist for which you have to access the
database backend each and every time will be a pain to use. Keep in
mind, with the python module on top of things, you will have to react
extremely fast, which means you will probably need to store a lot of
data in-memory, or at the very least, access your backend with a local
UNIX socket.

As an experiment against water torture attacks, I had tried the
following structure as an experiment :
Unbound -> Python module (client) -> UNIX daemon (doing the purging of
data) -> Postgres

It works fine for less than a thousand clients, but once you go above
that threshold, it just takes too much time to process anything and
every query ends with a timeout.

You also have the following article where someone linked Unbound to an
LDAP server :
http://jpmens.net/2011/08/09/extending-unbound-with-python-module/
Though, this probably has the same performance issues I mentioned.

Cheers,