feat: update list config and code to use "allow/deny" language

README.md

@@ -20,10 +20,10 @@ Blocky is a DNS proxy and ad-blocker for the local network written in Go with fo
 
 ## Features
 
-- **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting
+- **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting
 
-  - Definition of black and white lists per client group (Kids, Smart home devices, etc.)
+  - Definition of allow/denylists per client group (Kids, Smart home devices, etc.)
-  - Periodical reload of external black and white lists
+  - Periodical reload of external allow/denylists
   - Regex support
   - Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists)
 

cmd/root_test.go

@@ -39,7 +39,7 @@ var _ = Describe("root command", func() {
 				"    default:",
 				"      - 1.1.1.1",
 				"blocking:",
-				"  blackLists:",
+				"  denylists:",
 				"    ads:",
 				"      - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",
 				"  clientGroupsBlock:",

config/blocking.go

@@ -8,8 +8,8 @@ import (
 
 // Blocking configuration for query blocking
 type Blocking struct {
-	BlackLists        map[string][]BytesSource `yaml:"blackLists"`
+	Denylists         map[string][]BytesSource `yaml:"denylists"`
-	WhiteLists        map[string][]BytesSource `yaml:"whiteLists"`
+	Allowlists        map[string][]BytesSource `yaml:"allowlists"`
 	ClientGroupsBlock map[string][]string      `yaml:"clientGroupsBlock"`
 	BlockType         string                   `yaml:"blockType" default:"ZEROIP"`
 	BlockTTL          Duration                 `yaml:"blockTTL" default:"6h"`
@@ -17,19 +17,23 @@ type Blocking struct {
 
 	// Deprecated options
 	Deprecated struct {
-		DownloadTimeout       *Duration     `yaml:"downloadTimeout"`
+		BlackLists            *map[string][]BytesSource `yaml:"blackLists"`
-		DownloadAttempts      *uint         `yaml:"downloadAttempts"`
+		WhiteLists            *map[string][]BytesSource `yaml:"whiteLists"`
-		DownloadCooldown      *Duration     `yaml:"downloadCooldown"`
+		DownloadTimeout       *Duration                 `yaml:"downloadTimeout"`
-		RefreshPeriod         *Duration     `yaml:"refreshPeriod"`
+		DownloadAttempts      *uint                     `yaml:"downloadAttempts"`
-		FailStartOnListError  *bool         `yaml:"failStartOnListError"`
+		DownloadCooldown      *Duration                 `yaml:"downloadCooldown"`
-		ProcessingConcurrency *uint         `yaml:"processingConcurrency"`
+		RefreshPeriod         *Duration                 `yaml:"refreshPeriod"`
-		StartStrategy         *InitStrategy `yaml:"startStrategy"`
+		FailStartOnListError  *bool                     `yaml:"failStartOnListError"`
-		MaxErrorsPerFile      *int          `yaml:"maxErrorsPerFile"`
+		ProcessingConcurrency *uint                     `yaml:"processingConcurrency"`
+		StartStrategy         *InitStrategy             `yaml:"startStrategy"`
+		MaxErrorsPerFile      *int                      `yaml:"maxErrorsPerFile"`
 	} `yaml:",inline"`
 }
 
 func (c *Blocking) migrate(logger *logrus.Entry) bool {
 	return Migrate(logger, "blocking", c.Deprecated, map[string]Migrator{
+		"blackLists":       Move(To("denylists", c)),
+		"whiteLists":       Move(To("allowlists", c)),
 		"downloadTimeout":  Move(To("loading.downloads.timeout", &c.Loading.Downloads)),
 		"downloadAttempts": Move(To("loading.downloads.attempts", &c.Loading.Downloads)),
 		"downloadCooldown": Move(To("loading.downloads.cooldown", &c.Loading.Downloads)),
@@ -67,14 +71,14 @@ func (c *Blocking) LogConfig(logger *logrus.Entry) {
 	logger.Info("loading:")
 	log.WithIndent(logger, "  ", c.Loading.LogConfig)
 
-	logger.Info("blacklist:")
+	logger.Info("denylists:")
 	log.WithIndent(logger, "  ", func(logger *logrus.Entry) {
-		c.logListGroups(logger, c.BlackLists)
+		c.logListGroups(logger, c.Denylists)
 	})
 
-	logger.Info("whitelist:")
+	logger.Info("allowlists:")
 	log.WithIndent(logger, "  ", func(logger *logrus.Entry) {
-		c.logListGroups(logger, c.WhiteLists)
+		c.logListGroups(logger, c.Allowlists)
 	})
 }
 

config/blocking_test.go

@@ -17,7 +17,7 @@ var _ = Describe("BlockingConfig", func() {
 		cfg = Blocking{
 			BlockType: "ZEROIP",
 			BlockTTL:  Duration(time.Minute),
-			BlackLists: map[string][]BytesSource{
+			Denylists: map[string][]BytesSource{
 				"gr1": NewBytesSources("/a/file/path"),
 			},
 			ClientGroupsBlock: map[string][]string{
@@ -60,4 +60,30 @@ var _ = Describe("BlockingConfig", func() {
 			Expect(hook.Messages).Should(ContainElement(Equal("blockType = ZEROIP")))
 		})
 	})
+
+	Describe("migrate", func() {
+		It("should copy values", func() {
+			cfg, err := WithDefaults[Blocking]()
+			Expect(err).Should(Succeed())
+
+			cfg.Deprecated.BlackLists = &map[string][]BytesSource{
+				"deny-group": NewBytesSources("/deny.txt"),
+			}
+			cfg.Deprecated.WhiteLists = &map[string][]BytesSource{
+				"allow-group": NewBytesSources("/allow.txt"),
+			}
+
+			migrated := cfg.migrate(logger)
+			Expect(migrated).Should(BeTrue())
+
+			Expect(hook.Calls).ShouldNot(BeEmpty())
+			Expect(hook.Messages).Should(ContainElements(
+				ContainSubstring("blocking.allowlists"),
+				ContainSubstring("blocking.denylists"),
+			))
+
+			Expect(cfg.Allowlists).Should(Equal(*cfg.Deprecated.WhiteLists))
+			Expect(cfg.Denylists).Should(Equal(*cfg.Deprecated.BlackLists))
+		})
+	})
 })

config/config_test.go

@@ -988,8 +988,8 @@ func defaultTestFileConfig(config *Config) {
 	Expect(config.Conditional.Mapping.Upstreams["multiple.resolvers"]).Should(HaveLen(2))
 	Expect(config.ClientLookup.Upstream.Host).Should(Equal("192.168.178.1"))
 	Expect(config.ClientLookup.SingleNameOrder).Should(Equal([]uint{2, 1}))
-	Expect(config.Blocking.BlackLists).Should(HaveLen(2))
+	Expect(config.Blocking.Denylists).Should(HaveLen(2))
-	Expect(config.Blocking.WhiteLists).Should(HaveLen(1))
+	Expect(config.Blocking.Allowlists).Should(HaveLen(1))
 	Expect(config.Blocking.ClientGroupsBlock).Should(HaveLen(2))
 	Expect(config.Blocking.BlockTTL).Should(Equal(Duration(time.Minute)))
 	Expect(config.Blocking.Loading.RefreshPeriod).Should(Equal(Duration(2 * time.Hour)))
@@ -1029,7 +1029,7 @@ func writeConfigYml(tmpDir *helpertest.TmpFolder) *helpertest.TmpFile {
 		"fqdnOnly:",
 		"  enable: true",
 		"blocking:",
-		"  blackLists:",
+		"  denylists:",
 		"    ads:",
 		"      - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",
 		"      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
@@ -1039,9 +1039,9 @@ func writeConfigYml(tmpDir *helpertest.TmpFolder) *helpertest.TmpFile {
 		"      - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",
 		"    special:",
 		"      - https://hosts-file.net/ad_servers.txt",
-		"  whiteLists:",
+		"  allowlists:",
 		"    ads:",
-		"      - whitelist.txt",
+		"      - allowlist.txt",
 		"  clientGroupsBlock:",
 		"    default:",
 		"      - ads",
@@ -1119,7 +1119,7 @@ func writeConfigDir(tmpDir *helpertest.TmpFolder) {
 
 	tmpDir.CreateStringFile("config2.yaml",
 		"blocking:",
-		"  blackLists:",
+		"  denylists:",
 		"    ads:",
 		"      - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",
 		"      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
@@ -1129,9 +1129,9 @@ func writeConfigDir(tmpDir *helpertest.TmpFolder) {
 		"      - https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",
 		"    special:",
 		"      - https://hosts-file.net/ad_servers.txt",
-		"  whiteLists:",
+		"  allowlists:",
 		"    ads:",
-		"      - whitelist.txt",
+		"      - allowlist.txt",
 		"  clientGroupsBlock:",
 		"    default:",
 		"      - ads",

docs/additional_information.md

@@ -33,7 +33,6 @@ To print runtime configuration / statistics, you can send `SIGUSR1` signal to ru
     INFO server: MEM NumGC =              1533
     INFO server: RUN NumCPU =                4
     INFO server: RUN NumGoroutine =         18
-    
     ```
 
 !!! hint
@@ -49,7 +48,7 @@ automatically.
 
 Some links/ideas for lists:
 
-### Blacklists
+### Denylists
 
 * [https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)
 * [https://github.com/nickspaargaren/no-google](https://github.com/nickspaargaren/no-google)
@@ -60,11 +59,11 @@ Some links/ideas for lists:
 
 !!! warning
 
-    Use only blacklists from the sources you trust!
+    Use only denylists from the sources you trust!
 
-### Whitelists
+### Allowlists
 
-* [https://github.com/anudeepND/whitelist](https://github.com/anudeepND/whitelist)
+* [https://github.com/anudeepND/whitelist](https://github.com/anudeepND/allowlist)
 
 ## List of public DNS servers
 
@@ -74,7 +73,7 @@ Some links/ideas for lists:
 
     Please read the description before using the DNS server as upstream. Some of them provide already an ad-blocker, some
     filters other content. If you use external DNS server with included ad-blocker, you can't choose which domains should be
-    blocked, and you can't use whitelisting.
+    blocked, and you can't use allowlisting.
 
 This is only a small excerpt of all free available DNS servers and should only be understood as an idee.
 

docs/api/openapi.yaml

@@ -8,10 +8,10 @@ info:
 
     ## Features
 
-    - **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting
+    - **Blocking** - Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting
 
-      - Definition of black and white lists per client group (Kids, Smart home devices, etc.)
+      - Definition of allow/denylists per client group (Kids, Smart home devices, etc.)
-      - Periodical reload of external black and white lists
+      - Periodical reload of external allow/denylists
       - Regex support
       - Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists)
 

docs/blocky-grafana.json

@@ -429,7 +429,7 @@
       "datasource": {
         "uid": "${DS_PROMETHEUS}"
       },
-      "description": "Number of blacklist entries",
+      "description": "Number of denylist entries",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -487,7 +487,7 @@
             "uid": "${DS_PROMETHEUS}"
           },
           "exemplar": true,
-          "expr": "sum(blocky_blacklist_cache) / sum(up{job=~\"$job\"})",
+          "expr": "sum(blocky_denylist_cache) / sum(up{job=~\"$job\"})",
           "format": "table",
           "instant": false,
           "interval": "",
@@ -495,7 +495,7 @@
           "refId": "A"
         }
       ],
-      "title": "Blacklist entries total",
+      "title": "Denylist entries total",
       "transparent": true,
       "type": "stat"
     },
@@ -1683,7 +1683,7 @@
             "uid": "${DS_PROMETHEUS}"
           },
           "exemplar": false,
-          "expr": "topk(1, blocky_blacklist_cache) by (group)",
+          "expr": "topk(1, blocky_denylist_cache) by (group)",
           "format": "time_series",
           "instant": true,
           "interval": "",
@@ -1691,7 +1691,7 @@
           "refId": "A"
         }
       ],
-      "title": "Blacklist by group",
+      "title": "Denylist by group",
       "transparent": true,
       "type": "piechart"
     },
@@ -1978,4 +1978,4 @@
   "uid": "JvOqE4gRk",
   "version": 1,
   "weekStart": ""
-}
+}

docs/blocky-query-grafana-postgres.json

@@ -243,7 +243,7 @@
           ]
         }
       ],
-      "title": "Blocked by Blacklist",
+      "title": "Blocked by Denylist",
       "type": "piechart"
     },
     {

docs/blocky-query-grafana.json

@@ -243,7 +243,7 @@
           ]
         }
       ],
-      "title": "Blocked by Blacklist",
+      "title": "Blocked by Denylist",
       "type": "piechart"
     },
     {

docs/config.yml

@@ -62,10 +62,10 @@ conditional:
     fritz.box: 192.168.178.1
     lan.net: 192.168.178.1,192.168.178.2
 
-# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
+# optional: use allow/denylists to block queries (for example ads, trackers, adult pages etc.)
 blocking:
-  # definition of blacklist groups. Can be external link (http/https) or local file
+  # definition of denylist groups. Can be external link (http/https) or local file
-  blackLists:
+  denylists:
     ads:
       - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
       - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
@@ -77,14 +77,16 @@ blocking:
         *.example.com
     special:
       - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
-  # definition of whitelist groups. Attention: if the same group has black and whitelists, whitelists will be used to disable particular blacklist entries. If a group has only whitelist entries -> this means only domains from this list are allowed, all other domains will be blocked
+  # definition of allowlist groups.
-  whiteLists:
+  # Note: if the same group has both allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed.
+  # If a group has only allowlist entries, only domains from this list are allowed, and all others be blocked.
+  allowlists:
     ads:
-      - whitelist.txt
+      - allowlist.txt
       - |
         # inline definition with YAML literal block scalar style
         # hosts format
-        whitelistdomain.com
+        allowlistdomain.com
         # this is a regex
         /^banners?[_.-]/
   # definition: which groups should be applied for which client
@@ -242,7 +244,7 @@ minTlsServeVersion: 1.3
 #certFile: server.crt
 #keyFile: server.key
 
-# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
+# optional: use these DNS servers to resolve denylist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
 bootstrapDns:
   - tcp+udp:1.1.1.1
   - https://1.1.1.1/dns-query

docs/configuration.md

@@ -395,16 +395,16 @@ contains a map of client name and multiple IP addresses.
 
     Use `192.168.178.1` for rDNS lookup. Take second name if present, if not take first name. IP address `192.168.178.29` is mapped to `laptop` as client name.
 
-## Blocking and whitelisting
+## Blocking and allowlisting
 
 Blocky can use lists of domains and IPs to block (e.g. advertisement, malware,
 trackers, adult sites). You can group several list sources together and define the blocking behavior per client.
 Blocking uses the [DNS sinkhole](https://en.wikipedia.org/wiki/DNS_sinkhole) approach. For each DNS query, the domain name from
 the request, IP address from the response, and any CNAME records will be checked to determine whether to block the query or not.
 
-To avoid over-blocking, you can use whitelists.
+To avoid over-blocking, you can use allowlists.
 
-### Definition black and whitelists
+### Definition allow/denylists
 
 Lists are defined in groups. This allows using different sets of lists for different clients.
 
@@ -421,7 +421,7 @@ The supported list formats are:
 
     ```yaml
     blocking:
-      blackLists:
+      denylists:
         ads:
           - https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
           - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
@@ -436,25 +436,24 @@ The supported list formats are:
             /^banners?[_.-]/
         special:
           - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
-      whiteLists:
+      allowlists:
         ads:
-          - whitelist.txt
+          - allowlist.txt
           - /path/to/file.txt
           - |
             # inline definition with YAML literal block scalar style
-            whitelistdomain.com
+            allowlistdomain.com
     ```
 
     In this example you can see 2 groups: **ads** and **special** with one list. The **ads** group includes 2 inline lists.
 
 !!! warning
 
-    If the same group has black and whitelists, whitelists will be used to disable particular blacklist entries.
+    If the same group has **both** allow/denylists, allowlists take precedence. Meaning if a domain is both blocked and allowed, it will be allowed.
-    If a group has **only** whitelist entries -> this means only domains from this list are allowed, all other domains will
+    If a group has **only allowlist** entries, only domains from this list are allowed, and all others be blocked.
-    be blocked.
 
 !!! warning
-    You must also define client group mapping, otherwise you black and whitelist definition will have no effect.
+    You must also define a client group mapping, otherwise the allow/denylist definitions will have no effect.
 
 #### Wildcard support
 
@@ -833,7 +832,7 @@ These settings apply only to the resolver under which they are nested.
     ```yaml
     blocking:
       loading:
-        # only applies to white/blacklists
+        # only applies to allow/denylists
 
     hostsFile:
       loading:

docs/index.md

@@ -8,10 +8,10 @@ Blocky is a DNS proxy and ad-blocker for the local network written in Go with fo
 
 ## Features
 
-- **Blocking** - :no_entry: Blocking of DNS queries with external lists (Ad-block, malware) and whitelisting
+- **Blocking** - :no_entry: Blocking of DNS queries with external lists (Ad-block, malware) and allowlisting
 
-    * Definition of black and white lists per client group (Kids, Smart home devices, etc.)
+    * Definition of allow/denylists per client group (Kids, Smart home devices, etc.)
-    * Periodical reload of external black and white lists
+    * Periodical reload of external allow/denylists
     * Regex support
     * Blocking of request domain, response CNAME (deep CNAME inspection) and response IP addresses (against IP lists)
 

docs/installation.md

@@ -20,7 +20,7 @@ upstream:
     - tcp-tls:fdns1.dismail.de:853
     - https://dns.digitale-gesellschaft.ch/dns-query
 blocking:
-  blackLists:
+  denylists:
     ads:
       - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
   clientGroupsBlock:
@@ -95,8 +95,8 @@ docker-compose up -d
 ### Advanced setup
 
 Following example shows, how to run blocky in a docker container and store query logs on a SAMBA share. Local black and
-whitelists directories are mounted as volume. You can create own black or whitelists in these directories and define the
+allowlists directories are mounted as volume. You can create own black or allowlists in these directories and define the
-path like '/app/whitelists/whitelist.txt' in the config file.
+path like '/app/allowlists/allowlist.txt' in the config file.
 
 !!! example
 
@@ -118,9 +118,9 @@ services:
       - ./config.yml:/app/config.yml
       # write query logs in this volume
       - queryLogs:/logs
-      # put your custom white and blacklists in these directories
+      # put your custom allow/denylists in these directories
-      - ./blacklists:/app/blacklists/
+      - ./denylists:/app/denylists/
-      - ./whitelists:/app/whitelists/
+      - ./allowlists:/app/allowlists/
 
 volumes:
   queryLogs:

docs/interfaces.md

@@ -27,7 +27,7 @@ To run the CLI, please ensure, that blocky DNS server is running, then execute `
 - `./blocky blocking status` to print current status of blocking
 - `./blocky query <domain>` execute DNS query (A) (simple replacement for dig, useful for debug purposes)
 - `./blocky query <domain> --type <queryType>` execute DNS query with passed query type (A, AAAA, MX, ...)
-- `./blocky lists refresh` reloads all white and blacklists
+- `./blocky lists refresh` reloads all allow/denylists
 
 !!! tip 
 

docs/prometheus_grafana.md

@@ -10,7 +10,7 @@ Following metrics will be exported:
 
 | name                                             |   Description                                            |
 | ------------------------------------------------ | -------------------------------------------------------- |
-| blocky_blacklist_cache / blocky_whitelist_cache  | Number of entries in blacklist/whitelist cache, partitioned by group |
+| blocky_denylist_cache / blocky_allowlist_cache   | Number of entries in denylist/allowlist cache, partitioned by group |
 | blocky_error_total                | Number of total queries that ended in error for any reason |
 | blocky_query_total                | Number of total queries, partitioned by client and DNS request type (A, AAAA, PTR, etc) |
 | blocky_request_duration_ms_bucket | Request duration histogram, partitioned by response type (Blocked, cached, etc)  |

e2e/blocking_test.go

@@ -24,7 +24,7 @@ var _ = Describe("External lists and query blocking", func() {
 		Expect(err).Should(Succeed())
 	})
 	Describe("List download on startup", func() {
-		When("external blacklist ist not available", func() {
+		When("external denylist ist not available", func() {
 			Context("loading.strategy = blocking", func() {
 				BeforeEach(func(ctx context.Context) {
 					blocky, err = createBlockyContainer(ctx, e2eNet,
@@ -37,7 +37,7 @@ var _ = Describe("External lists and query blocking", func() {
 						"blocking:",
 						"  loading:",
 						"    strategy: blocking",
-						"  blackLists:",
+						"  denylists:",
 						"    ads:",
 						"      - http://wrong.domain.url/list.txt",
 						"  clientGroupsBlock:",
@@ -72,7 +72,7 @@ var _ = Describe("External lists and query blocking", func() {
 						"blocking:",
 						"  loading:",
 						"    strategy: failOnError",
-						"  blackLists:",
+						"  denylists:",
 						"    ads:",
 						"      - http://wrong.domain.url/list.txt",
 						"  clientGroupsBlock:",
@@ -96,8 +96,8 @@ var _ = Describe("External lists and query blocking", func() {
 			})
 		})
 	})
-	Describe("Query blocking against external blacklists", func() {
+	Describe("Query blocking against external denylists", func() {
-		When("external blacklists are defined and available", func() {
+		When("external denylists are defined and available", func() {
 			BeforeEach(func(ctx context.Context) {
 				_, err = createHTTPServerContainer(ctx, "httpserver", e2eNet, "list.txt", "blockeddomain.com")
 				Expect(err).Should(Succeed())
@@ -110,7 +110,7 @@ var _ = Describe("External lists and query blocking", func() {
 					"    default:",
 					"      - moka",
 					"blocking:",
-					"  blackLists:",
+					"  denylists:",
 					"    ads:",
 					"      - http://httpserver:8080/list.txt",
 					"  clientGroupsBlock:",

e2e/metrics_test.go

@@ -49,7 +49,7 @@ var _ = Describe("Metrics functional tests", func() {
 				"    default:",
 				"      - moka1",
 				"blocking:",
-				"  blackLists:",
+				"  denylists:",
 				"    group1:",
 				"      - http://httpserver1:8080/list1.txt",
 				"    group2:",
@@ -129,8 +129,8 @@ var _ = Describe("Metrics functional tests", func() {
 			It("Should expose list cache sizes per group as metrics", func(ctx context.Context) {
 				Eventually(fetchBlockyMetrics).WithArguments(ctx, metricsURL).
 					Should(ContainElements(
-						"blocky_blacklist_cache{group=\"group1\"} 1",
+						"blocky_denylist_cache{group=\"group1\"} 1",
-						"blocky_blacklist_cache{group=\"group2\"} 3",
+						"blocky_denylist_cache{group=\"group2\"} 3",
 					))
 			})
 		})

lists/list_cache.go

@@ -24,8 +24,8 @@ const (
 )
 
 // ListCacheType represents the type of cached list ENUM(
-// blacklist // is a list with blocked domains
+// denylist // is a list with blocked domains
-// whitelist // is a list with whitelisted domains / IPs
+// allowlist // is a list with allowlisted domains / IPs
 // )
 type ListCacheType int
 

lists/list_cache_benchmark_test.go

@@ -20,7 +20,7 @@ func BenchmarkRefresh(b *testing.B) {
 		RefreshPeriod: config.Duration(-1),
 	}
 	downloader := NewDownloader(config.Downloader{}, nil)
-	cache, _ := NewListCache(context.Background(), ListCacheTypeBlacklist, cfg, lists, downloader)
+	cache, _ := NewListCache(context.Background(), ListCacheTypeDenylist, cfg, lists, downloader)
 
 	b.ReportAllocs()
 

lists/list_cache_enum.go

@@ -12,21 +12,21 @@ import (
 )
 
 const (
-	// ListCacheTypeBlacklist is a ListCacheType of type Blacklist.
+	// ListCacheTypeDenylist is a ListCacheType of type Denylist.
 	// is a list with blocked domains
-	ListCacheTypeBlacklist ListCacheType = iota
+	ListCacheTypeDenylist ListCacheType = iota
-	// ListCacheTypeWhitelist is a ListCacheType of type Whitelist.
+	// ListCacheTypeAllowlist is a ListCacheType of type Allowlist.
-	// is a list with whitelisted domains / IPs
+	// is a list with allowlisted domains / IPs
-	ListCacheTypeWhitelist
+	ListCacheTypeAllowlist
 )
 
 var ErrInvalidListCacheType = fmt.Errorf("not a valid ListCacheType, try [%s]", strings.Join(_ListCacheTypeNames, ", "))
 
-const _ListCacheTypeName = "blacklistwhitelist"
+const _ListCacheTypeName = "denylistallowlist"
 
 var _ListCacheTypeNames = []string{
-	_ListCacheTypeName[0:9],
+	_ListCacheTypeName[0:8],
-	_ListCacheTypeName[9:18],
+	_ListCacheTypeName[8:17],
 }
 
 // ListCacheTypeNames returns a list of possible string values of ListCacheType.
@@ -37,8 +37,8 @@ func ListCacheTypeNames() []string {
 }
 
 var _ListCacheTypeMap = map[ListCacheType]string{
-	ListCacheTypeBlacklist: _ListCacheTypeName[0:9],
+	ListCacheTypeDenylist:  _ListCacheTypeName[0:8],
-	ListCacheTypeWhitelist: _ListCacheTypeName[9:18],
+	ListCacheTypeAllowlist: _ListCacheTypeName[8:17],
 }
 
 // String implements the Stringer interface.
@@ -57,8 +57,8 @@ func (x ListCacheType) IsValid() bool {
 }
 
 var _ListCacheTypeValue = map[string]ListCacheType{
-	_ListCacheTypeName[0:9]:  ListCacheTypeBlacklist,
+	_ListCacheTypeName[0:8]:  ListCacheTypeDenylist,
-	_ListCacheTypeName[9:18]: ListCacheTypeWhitelist,
+	_ListCacheTypeName[8:17]: ListCacheTypeAllowlist,
 }
 
 // ParseListCacheType attempts to convert a string to a ListCacheType.

lists/list_cache_test.go

@@ -46,7 +46,7 @@ var _ = Describe("ListCache", func() {
 		ctx, cancelFn = context.WithCancel(context.Background())
 		DeferCleanup(cancelFn)
 
-		listCacheType = ListCacheTypeBlacklist
+		listCacheType = ListCacheTypeDenylist
 
 		sutConfig, err = config.WithDefaults[config.SourceLoading]()
 		Expect(err).Should(Succeed())
@@ -306,7 +306,7 @@ var _ = Describe("ListCache", func() {
 				}
 			})
 			It("should match", func() {
-				sut, err = NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader)
+				sut, err = NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader)
 				Expect(err).Should(Succeed())
 
 				Expect(sut.groupedCache.ElementCount("gr1")).Should(Equal(lines1 + lines2 + lines3))
@@ -408,7 +408,7 @@ var _ = Describe("ListCache", func() {
 		})
 
 		It("should print list configuration", func() {
-			sut, err = NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader)
+			sut, err = NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader)
 			Expect(err).Should(Succeed())
 
 			sut.LogConfig(logger)
@@ -432,7 +432,7 @@ var _ = Describe("ListCache", func() {
 			})
 
 			It("should never return an error", func() {
-				_, err := NewListCache(ctx, ListCacheTypeBlacklist, sutConfig, lists, downloader)
+				_, err := NewListCache(ctx, ListCacheTypeDenylist, sutConfig, lists, downloader)
 				Expect(err).Should(Succeed())
 			})
 		})

metrics/metrics_event_publisher.go

@@ -28,14 +28,14 @@ func registerApplicationEventListeners() {
 }
 
 func versionNumberGauge() *prometheus.GaugeVec {
-	blacklistCnt := prometheus.NewGaugeVec(
+	denylistCnt := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Name: "blocky_build_info",
 			Help: "Version number and build info",
 		}, []string{"version", "build_time"},
 	)
 
-	return blacklistCnt
+	return denylistCnt
 }
 
 func registerBlockingEventListeners() {
@@ -51,23 +51,23 @@ func registerBlockingEventListeners() {
 		}
 	})
 
-	blacklistCnt := blacklistGauge()
+	denylistCnt := denylistGauge()
 
-	whitelistCnt := whitelistGauge()
+	allowlistCnt := allowlistGauge()
 
 	lastListGroupRefresh := lastListGroupRefresh()
 
-	RegisterMetric(blacklistCnt)
+	RegisterMetric(denylistCnt)
-	RegisterMetric(whitelistCnt)
+	RegisterMetric(allowlistCnt)
 	RegisterMetric(lastListGroupRefresh)
 
 	subscribe(evt.BlockingCacheGroupChanged, func(listType lists.ListCacheType, groupName string, cnt int) {
 		lastListGroupRefresh.Set(float64(time.Now().Unix()))
 		switch listType {
-		case lists.ListCacheTypeBlacklist:
+		case lists.ListCacheTypeDenylist:
-			blacklistCnt.WithLabelValues(groupName).Set(float64(cnt))
+			denylistCnt.WithLabelValues(groupName).Set(float64(cnt))
-		case lists.ListCacheTypeWhitelist:
+		case lists.ListCacheTypeAllowlist:
-			whitelistCnt.WithLabelValues(groupName).Set(float64(cnt))
+			allowlistCnt.WithLabelValues(groupName).Set(float64(cnt))
 		}
 	})
 }
@@ -82,26 +82,26 @@ func enabledGauge() prometheus.Gauge {
 	return enabledGauge
 }
 
-func blacklistGauge() *prometheus.GaugeVec {
+func denylistGauge() *prometheus.GaugeVec {
-	blacklistCnt := prometheus.NewGaugeVec(
+	denylistCnt := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
-			Name: "blocky_blacklist_cache",
+			Name: "blocky_denylist_cache",
-			Help: "Number of entries in the blacklist cache",
+			Help: "Number of entries in the denylist cache",
 		}, []string{"group"},
 	)
 
-	return blacklistCnt
+	return denylistCnt
 }
 
-func whitelistGauge() *prometheus.GaugeVec {
+func allowlistGauge() *prometheus.GaugeVec {
-	whitelistCnt := prometheus.NewGaugeVec(
+	allowlistCnt := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
-			Name: "blocky_whitelist_cache",
+			Name: "blocky_allowlist_cache",
-			Help: "Number of entries in the whitelist cache",
+			Help: "Number of entries in the allowlist cache",
 		}, []string{"group"},
 	)
 
-	return whitelistCnt
+	return allowlistCnt
 }
 
 func lastListGroupRefresh() prometheus.Gauge {

resolver/blocking_resolver.go

@@ -79,16 +79,16 @@ type status struct {
 	lock           sync.RWMutex
 }
 
-// BlockingResolver checks request's question (domain name) against black and white lists
+// BlockingResolver checks request's question (domain name) against allow/denylists
 type BlockingResolver struct {
 	configurable[*config.Blocking]
 	NextResolver
 	typed
 
-	blacklistMatcher    *lists.ListCache
+	denylistMatcher     *lists.ListCache
-	whitelistMatcher    *lists.ListCache
+	allowlistMatcher    *lists.ListCache
 	blockHandler        blockHandler
-	whitelistOnlyGroups map[string]bool
+	allowlistOnlyGroups map[string]bool
 	status              *status
 	clientGroupsBlock   map[string][]string
 	redisClient         *redis.Client
@@ -125,11 +125,11 @@ func NewBlockingResolver(ctx context.Context,
 
 	downloader := lists.NewDownloader(cfg.Loading.Downloads, bootstrap.NewHTTPTransport())
 
-	blacklistMatcher, blErr := lists.NewListCache(ctx, lists.ListCacheTypeBlacklist,
+	denylistMatcher, blErr := lists.NewListCache(ctx, lists.ListCacheTypeDenylist,
-		cfg.Loading, cfg.BlackLists, downloader)
+		cfg.Loading, cfg.Denylists, downloader)
-	whitelistMatcher, wlErr := lists.NewListCache(ctx, lists.ListCacheTypeWhitelist,
+	allowlistMatcher, wlErr := lists.NewListCache(ctx, lists.ListCacheTypeAllowlist,
-		cfg.Loading, cfg.WhiteLists, downloader)
+		cfg.Loading, cfg.Allowlists, downloader)
-	whitelistOnlyGroups := determineWhitelistOnlyGroups(&cfg)
+	allowlistOnlyGroups := determineAllowlistOnlyGroups(&cfg)
 
 	err = multierror.Append(err, blErr, wlErr).ErrorOrNil()
 	if err != nil {
@@ -141,9 +141,9 @@ func NewBlockingResolver(ctx context.Context,
 		typed:        withType("blocking"),
 
 		blockHandler:        blockHandler,
-		blacklistMatcher:    blacklistMatcher,
+		denylistMatcher:     denylistMatcher,
-		whitelistMatcher:    whitelistMatcher,
+		allowlistMatcher:    allowlistMatcher,
-		whitelistOnlyGroups: whitelistOnlyGroups,
+		allowlistOnlyGroups: allowlistOnlyGroups,
 		status: &status{
 			enabled:     true,
 			enableTimer: time.NewTimer(0),
@@ -198,18 +198,18 @@ func (r *BlockingResolver) redisSubscriber(ctx context.Context) {
 	}
 }
 
-// RefreshLists triggers the refresh of all black and white lists in the cache
+// RefreshLists triggers the refresh of all allow/denylists in the cache
 func (r *BlockingResolver) RefreshLists() error {
 	var err *multierror.Error
 
-	err = multierror.Append(err, r.blacklistMatcher.Refresh())
+	err = multierror.Append(err, r.denylistMatcher.Refresh())
-	err = multierror.Append(err, r.whitelistMatcher.Refresh())
+	err = multierror.Append(err, r.allowlistMatcher.Refresh())
 
 	return err.ErrorOrNil()
 }
 
 func (r *BlockingResolver) retrieveAllBlockingGroups() []string {
-	result := maps.Keys(r.cfg.BlackLists)
+	result := maps.Keys(r.cfg.Denylists)
 
 	result = append(result, "default")
 	slices.Sort(result)
@@ -217,7 +217,7 @@ func (r *BlockingResolver) retrieveAllBlockingGroups() []string {
 	return result
 }
 
-// EnableBlocking enables the blocking against the blacklists
+// EnableBlocking enables the blocking against the denylists
 func (r *BlockingResolver) EnableBlocking(ctx context.Context) {
 	r.internalEnableBlocking()
 
@@ -310,13 +310,13 @@ func (r *BlockingResolver) BlockingStatus() api.BlockingStatus {
 	}
 }
 
-// returns groups, which have only whitelist entries
+// returns groups, which have only allowlist entries
-func determineWhitelistOnlyGroups(cfg *config.Blocking) (result map[string]bool) {
+func determineAllowlistOnlyGroups(cfg *config.Blocking) (result map[string]bool) {
-	result = make(map[string]bool, len(cfg.WhiteLists))
+	result = make(map[string]bool, len(cfg.Allowlists))
 
-	for g, links := range cfg.WhiteLists {
+	for g, links := range cfg.Allowlists {
 		if len(links) > 0 {
-			if _, found := cfg.BlackLists[g]; !found {
+			if _, found := cfg.Denylists[g]; !found {
 				result[g] = true
 			}
 		}
@@ -343,16 +343,16 @@ func (r *BlockingResolver) handleBlocked(logger *logrus.Entry,
 func (r *BlockingResolver) LogConfig(logger *logrus.Entry) {
 	r.cfg.LogConfig(logger)
 
-	logger.Info("blacklist cache entries:")
+	logger.Info("denylist cache entries:")
-	log.WithIndent(logger, "  ", r.blacklistMatcher.LogConfig)
+	log.WithIndent(logger, "  ", r.denylistMatcher.LogConfig)
 
-	logger.Info("whitelist cache entries:")
+	logger.Info("allowlist cache entries:")
-	log.WithIndent(logger, "  ", r.whitelistMatcher.LogConfig)
+	log.WithIndent(logger, "  ", r.allowlistMatcher.LogConfig)
 }
 
-func (r *BlockingResolver) hasWhiteListOnlyAllowed(groupsToCheck []string) bool {
+func (r *BlockingResolver) hasAllowlistOnlyAllowed(groupsToCheck []string) bool {
 	for _, group := range groupsToCheck {
-		if _, found := r.whitelistOnlyGroups[group]; found {
+		if _, found := r.allowlistOnlyGroups[group]; found {
 			return true
 		}
 	}
@@ -360,31 +360,31 @@ func (r *BlockingResolver) hasWhiteListOnlyAllowed(groupsToCheck []string) bool
 	return false
 }
 
-func (r *BlockingResolver) handleBlacklist(ctx context.Context, groupsToCheck []string,
+func (r *BlockingResolver) handleDenylist(ctx context.Context, groupsToCheck []string,
 	request *model.Request, logger *logrus.Entry,
 ) (bool, *model.Response, error) {
 	logger.WithField("groupsToCheck", strings.Join(groupsToCheck, "; ")).Debug("checking groups for request")
-	whitelistOnlyAllowed := r.hasWhiteListOnlyAllowed(groupsToCheck)
+	allowlistOnlyAllowed := r.hasAllowlistOnlyAllowed(groupsToCheck)
 
 	for _, question := range request.Req.Question {
 		domain := util.ExtractDomain(question)
 		logger := logger.WithField("domain", domain)
 
-		if groups := r.matches(groupsToCheck, r.whitelistMatcher, domain); len(groups) > 0 {
+		if groups := r.matches(groupsToCheck, r.allowlistMatcher, domain); len(groups) > 0 {
-			logger.WithField("groups", groups).Debugf("domain is whitelisted")
+			logger.WithField("groups", groups).Debugf("domain is allowlisted")
 
 			resp, err := r.next.Resolve(ctx, request)
 
 			return true, resp, err
 		}
 
-		if whitelistOnlyAllowed {
+		if allowlistOnlyAllowed {
-			resp, err := r.handleBlocked(logger, request, question, "BLOCKED (WHITELIST ONLY)")
+			resp, err := r.handleBlocked(logger, request, question, "BLOCKED (ALLOWLIST ONLY)")
 
 			return true, resp, err
 		}
 
-		if groups := r.matches(groupsToCheck, r.blacklistMatcher, domain); len(groups) > 0 {
+		if groups := r.matches(groupsToCheck, r.denylistMatcher, domain); len(groups) > 0 {
 			resp, err := r.handleBlocked(logger, request, question, fmt.Sprintf("BLOCKED (%s)", strings.Join(groups, ",")))
 
 			return true, resp, err
@@ -394,13 +394,13 @@ func (r *BlockingResolver) handleBlacklist(ctx context.Context, groupsToCheck []
 	return false, nil, nil
 }
 
-// Resolve checks the query against the blacklist and delegates to next resolver if domain is not blocked
+// Resolve checks the query against the denylist and delegates to next resolver if domain is not blocked
 func (r *BlockingResolver) Resolve(ctx context.Context, request *model.Request) (*model.Response, error) {
 	ctx, logger := r.log(ctx)
 	groupsToCheck := r.groupsToCheckForClient(request)
 
 	if len(groupsToCheck) > 0 {
-		handled, resp, err := r.handleBlacklist(ctx, groupsToCheck, request, logger)
+		handled, resp, err := r.handleDenylist(ctx, groupsToCheck, request, logger)
 		if handled {
 			return resp, err
 		}
@@ -414,9 +414,9 @@ func (r *BlockingResolver) Resolve(ctx context.Context, request *model.Request)
 			if len(entryToCheck) > 0 {
 				logger := logger.WithField("response_entry", entryToCheck)
 
-				if groups := r.matches(groupsToCheck, r.whitelistMatcher, entryToCheck); len(groups) > 0 {
+				if groups := r.matches(groupsToCheck, r.allowlistMatcher, entryToCheck); len(groups) > 0 {
-					logger.WithField("groups", groups).Debugf("%s is whitelisted", tName)
+					logger.WithField("groups", groups).Debugf("%s is allowlisted", tName)
-				} else if groups := r.matches(groupsToCheck, r.blacklistMatcher, entryToCheck); len(groups) > 0 {
+				} else if groups := r.matches(groupsToCheck, r.denylistMatcher, entryToCheck); len(groups) > 0 {
 					return r.handleBlocked(logger, request, request.Req.Question[0], fmt.Sprintf("BLOCKED %s (%s)", tName,
 						strings.Join(groups, ",")))
 				}

resolver/blocking_resolver_test.go

@@ -97,7 +97,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			sutConfig = config.Blocking{
 				BlockType: "ZEROIP",
 				BlockTTL:  config.Duration(time.Minute),
-				BlackLists: map[string][]config.BytesSource{
+				Denylists: map[string][]config.BytesSource{
 					"gr1": config.NewBytesSources(group1File.Path),
 					"gr2": config.NewBytesSources(group2File.Path),
 				},
@@ -125,7 +125,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			sutConfig = config.Blocking{
 				BlockType: "ZEROIP",
 				BlockTTL:  config.Duration(time.Minute),
-				BlackLists: map[string][]config.BytesSource{
+				Denylists: map[string][]config.BytesSource{
 					"gr1": config.NewBytesSources(group1File.Path),
 					"gr2": config.NewBytesSources(group2File.Path),
 				},
@@ -164,7 +164,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			sutConfig = config.Blocking{
 				BlockType: "ZEROIP",
 				BlockTTL:  config.Duration(time.Minute),
-				BlackLists: map[string][]config.BytesSource{
+				Denylists: map[string][]config.BytesSource{
 					"gr1": {config.TextBytesSource("/regex/")},
 				},
 				ClientGroupsBlock: map[string][]string{
@@ -176,7 +176,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			}
 		})
 
-		When("Domain is on the black list", func() {
+		When("Domain is on the denylist", func() {
 			It("should block request", func() {
 				Eventually(sut.Resolve).
 					WithContext(ctx).
@@ -196,7 +196,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		BeforeEach(func() {
 			sutConfig = config.Blocking{
 				BlockTTL: config.Duration(6 * time.Hour),
-				BlackLists: map[string][]config.BytesSource{
+				Denylists: map[string][]config.BytesSource{
 					"gr1":          config.NewBytesSources(group1File.Path),
 					"gr2":          config.NewBytesSources(group2File.Path),
 					"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
@@ -216,7 +216,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		})
 
 		When("client name is defined in client groups block", func() {
-			It("should block the A query if domain is on the black list (single)", func() {
+			It("should block the A query if domain is on the denylist (single)", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client1"))).
 					Should(
 						SatisfyAll(
@@ -227,7 +227,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the A query if domain is on the black list (multipart 1)", func() {
+			It("should block the A query if domain is on the denylist (multipart 1)", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client2"))).
 					Should(
 						SatisfyAll(
@@ -238,7 +238,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the A query if domain is on the black list (multipart 2)", func() {
+			It("should block the A query if domain is on the denylist (multipart 2)", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "client3"))).
 					Should(
 						SatisfyAll(
@@ -249,7 +249,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the A query if domain is on the black list (merged)", func() {
+			It("should block the A query if domain is on the denylist (merged)", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "client3"))).
 					Should(
 						SatisfyAll(
@@ -260,7 +260,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the AAAA query if domain is on the black list", func() {
+			It("should block the AAAA query if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", AAAA, "1.2.1.2", "client1"))).
 					Should(
 						SatisfyAll(
@@ -271,18 +271,18 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the HTTPS query if domain is on the black list", func() {
+			It("should block the HTTPS query if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", HTTPS, "1.2.1.2", "client1"))).
 					Should(HaveReturnCode(dns.RcodeNameError))
 			})
-			It("should block the MX query if domain is on the black list", func() {
+			It("should block the MX query if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", MX, "1.2.1.2", "client1"))).
 					Should(HaveReturnCode(dns.RcodeNameError))
 			})
 		})
 
 		When("Client ip is defined in client groups block", func() {
-			It("should block the query if domain is on the black list", func() {
+			It("should block the query if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "192.168.178.55", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -295,7 +295,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			})
 		})
 		When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() {
-			It("should not block the query for 10.43.8.63 if domain is on the black list", func() {
+			It("should not block the query for 10.43.8.63 if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.63", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -307,7 +307,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 				// was delegated to next resolver
 				m.AssertExpectations(GinkgoT())
 			})
-			It("should not block the query for 10.43.8.80 if domain is on the black list", func() {
+			It("should not block the query for 10.43.8.80 if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.80", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -322,7 +322,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		})
 
 		When("Client CIDR (10.43.8.64 - 10.43.8.79) is defined in client groups block", func() {
-			It("should block the query for 10.43.8.64 if domain is on the black list", func() {
+			It("should block the query for 10.43.8.64 if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.64", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -333,7 +333,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 							HaveReturnCode(dns.RcodeSuccess),
 						))
 			})
-			It("should block the query for 10.43.8.79 if domain is on the black list", func() {
+			It("should block the query for 10.43.8.79 if domain is on the denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "10.43.8.79", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -402,7 +402,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockTTL: config.Duration(time.Minute),
-					BlackLists: map[string][]config.BytesSource{
+					Denylists: map[string][]config.BytesSource{
 						"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
 					},
 					ClientGroupsBlock: map[string][]string{
@@ -428,7 +428,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockType: "ZEROIP",
-					BlackLists: map[string][]config.BytesSource{
+					Denylists: map[string][]config.BytesSource{
 						"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
 					},
 					ClientGroupsBlock: map[string][]string{
@@ -473,7 +473,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockTTL: config.Duration(6 * time.Hour),
-					BlackLists: map[string][]config.BytesSource{
+					Denylists: map[string][]config.BytesSource{
 						"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
 					},
 					ClientGroupsBlock: map[string][]string{
@@ -511,7 +511,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		When("BlockType is custom IP only for ipv4", func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
-					BlackLists: map[string][]config.BytesSource{
+					Denylists: map[string][]config.BytesSource{
 						"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
 					},
 					ClientGroupsBlock: map[string][]string{
@@ -535,13 +535,13 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			})
 		})
 
-		When("Blacklist contains IP", func() {
+		When("Denylist contains IP", func() {
 			When("IP4", func() {
 				BeforeEach(func() {
 					// return defined IP as response
 					mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145")
 				})
-				It("should block query, if lookup result contains blacklisted IP", func() {
+				It("should block query, if lookup result contains denylisted IP", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
 						Should(
 							SatisfyAll(
@@ -561,7 +561,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 						AAAA, "2001:0db8:85a3:08d3::0370:7344",
 					)
 				})
-				It("should block query, if lookup result contains blacklisted IP", func() {
+				It("should block query, if lookup result contains denylisted IP", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", AAAA, "1.2.1.2", "unknown"))).
 						Should(
 							SatisfyAll(
@@ -575,7 +575,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			})
 		})
 
-		When("blacklist contains domain which is CNAME in response", func() {
+		When("denylist contains domain which is CNAME in response", func() {
 			BeforeEach(func() {
 				// reconfigure mock, to return CNAMEs
 				rr1, _ := dns.NewRR("example.com 300 IN CNAME domain.com")
@@ -584,7 +584,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 				mockAnswer = new(dns.Msg)
 				mockAnswer.Answer = []dns.RR{rr1, rr2, rr3}
 			})
-			It("should block the query, if response contains a CNAME with domain on a blacklist", func() {
+			It("should block the query, if response contains a CNAME with domain on a denylist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -598,14 +598,14 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		})
 	})
 
-	Describe("Whitelisting", func() {
+	Describe("Allowlisting", func() {
-		When("Requested domain is on black and white list", func() {
+		When("Requested domain is on black and allowlist", func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockType:  "ZEROIP",
 					BlockTTL:   config.Duration(time.Minute),
-					BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
+					Denylists:  map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
-					WhiteLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
+					Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
 					ClientGroupsBlock: map[string][]string{
 						"default": {"gr1"},
 					},
@@ -625,12 +625,12 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			})
 		})
 
-		When("Only whitelist is defined", func() {
+		When("Only allowlist is defined", func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockType: "zeroIP",
 					BlockTTL:  config.Duration(60 * time.Second),
-					WhiteLists: map[string][]config.BytesSource{
+					Allowlists: map[string][]config.BytesSource{
 						"gr1": config.NewBytesSources(group1File.Path),
 						"gr2": config.NewBytesSources(group2File.Path),
 					},
@@ -642,8 +642,8 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 					},
 				}
 			})
-			It("should block everything else except domains on the white list with default group", func() {
+			It("should block everything else except domains on the allowlist with default group", func() {
-				By("querying domain on the whitelist", func() {
+				By("querying domain on the allowlist", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "unknown"))).
 						Should(
 							SatisfyAll(
@@ -656,7 +656,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 					m.AssertExpectations(GinkgoT())
 				})
 
-				By("querying another domain, which is not on the whitelist", func() {
+				By("querying another domain, which is not on the allowlist", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("google.com.", A, "1.2.1.2", "unknown"))).
 						Should(
 							SatisfyAll(
@@ -664,15 +664,15 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 								HaveTTL(BeNumerically("==", 60)),
 								HaveResponseType(ResponseTypeBLOCKED),
 								HaveReturnCode(dns.RcodeSuccess),
-								HaveReason("BLOCKED (WHITELIST ONLY)"),
+								HaveReason("BLOCKED (ALLOWLIST ONLY)"),
 							))
 
 					Expect(m.Calls).Should(HaveLen(1))
 				})
 			})
-			It("should block everything else except domains on the white list "+
+			It("should block everything else except domains on the allowlist "+
-				"if multiple white list only groups are defined", func() {
+				"if multiple allowlist only groups are defined", func() {
-				By("querying domain on the whitelist", func() {
+				By("querying domain on the allowlist", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "one-client"))).
 						Should(
 							SatisfyAll(
@@ -685,7 +685,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 					m.AssertExpectations(GinkgoT())
 				})
 
-				By("querying another domain, which is not on the whitelist", func() {
+				By("querying another domain, which is not on the allowlist", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "one-client"))).
 						Should(
 							SatisfyAll(
@@ -693,14 +693,14 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 								HaveTTL(BeNumerically("==", 60)),
 								HaveResponseType(ResponseTypeBLOCKED),
 								HaveReturnCode(dns.RcodeSuccess),
-								HaveReason("BLOCKED (WHITELIST ONLY)"),
+								HaveReason("BLOCKED (ALLOWLIST ONLY)"),
 							))
 					Expect(m.Calls).Should(HaveLen(1))
 				})
 			})
-			It("should block everything else except domains on the white list "+
+			It("should block everything else except domains on the allowlist "+
-				"if multiple white list only groups are defined", func() {
+				"if multiple allowlist only groups are defined", func() {
-				By("querying domain on the whitelist group 1", func() {
+				By("querying domain on the allowlist group 1", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("domain1.com.", A, "1.2.1.2", "all-client"))).
 						Should(
 							SatisfyAll(
@@ -713,7 +713,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 					m.AssertExpectations(GinkgoT())
 				})
 
-				By("querying another domain, which is in the whitelist group 1", func() {
+				By("querying another domain, which is in the allowlist group 1", func() {
 					Expect(sut.Resolve(ctx, newRequestWithClient("blocked2.com.", A, "1.2.1.2", "all-client"))).
 						Should(
 							SatisfyAll(
@@ -726,20 +726,20 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			})
 		})
 
-		When("IP address is on black and white list", func() {
+		When("IP address is on black and allowlist", func() {
 			BeforeEach(func() {
 				sutConfig = config.Blocking{
 					BlockType:  "ZEROIP",
 					BlockTTL:   config.Duration(time.Minute),
-					BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
+					Denylists:  map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
-					WhiteLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(defaultGroupFile.Path)},
+					Allowlists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(defaultGroupFile.Path)},
 					ClientGroupsBlock: map[string][]string{
 						"default": {"gr1"},
 					},
 				}
 				mockAnswer, _ = util.NewMsgWithAnswer("example.com.", 300, A, "123.145.123.145")
 			})
-			It("should not block if DNS answer contains IP from the white list", func() {
+			It("should not block if DNS answer contains IP from the allowlist", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
 					Should(
 						SatisfyAll(
@@ -756,9 +756,9 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 	Describe("Delegate request to next resolver", func() {
 		BeforeEach(func() {
 			sutConfig = config.Blocking{
-				BlockType:  "ZEROIP",
+				BlockType: "ZEROIP",
-				BlockTTL:   config.Duration(time.Minute),
+				BlockTTL:  config.Duration(time.Minute),
-				BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
+				Denylists: map[string][]config.BytesSource{"gr1": config.NewBytesSources(group1File.Path)},
 				ClientGroupsBlock: map[string][]string{
 					"default": {"gr1"},
 				},
@@ -768,7 +768,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 			// was delegated to next resolver
 			m.AssertExpectations(GinkgoT())
 		})
-		When("domain is not on the black list", func() {
+		When("domain is not on the denylist", func() {
 			It("should delegate to next resolver", func() {
 				Expect(sut.Resolve(ctx, newRequestWithClient("example.com.", A, "1.2.1.2", "unknown"))).
 					Should(
@@ -801,7 +801,7 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 	Describe("Control status via API", func() {
 		BeforeEach(func() {
 			sutConfig = config.Blocking{
-				BlackLists: map[string][]config.BytesSource{
+				Denylists: map[string][]config.BytesSource{
 					"defaultGroup": config.NewBytesSources(defaultGroupFile.Path),
 					"group1":       config.NewBytesSources(group1File.Path),
 				},
@@ -1124,8 +1124,8 @@ var _ = Describe("BlockingResolver", Label("blockingResolver"), func() {
 		When("strategy is failOnError", func() {
 			It("should fail if lists can't be downloaded", func() {
 				_, err := NewBlockingResolver(ctx, config.Blocking{
-					BlackLists: map[string][]config.BytesSource{"gr1": config.NewBytesSources("wrongPath")},
+					Denylists:  map[string][]config.BytesSource{"gr1": config.NewBytesSources("wrongPath")},
-					WhiteLists: map[string][]config.BytesSource{"whitelist": config.NewBytesSources("wrongPath")},
+					Allowlists: map[string][]config.BytesSource{"allowlist": config.NewBytesSources("wrongPath")},
 					Loading: config.SourceLoading{
 						Init: config.Init{Strategy: config.InitStrategyFailOnError},
 					},

server/server_test.go

@@ -117,7 +117,7 @@ var _ = BeforeSuite(func() {
 			},
 		},
 		Blocking: config.Blocking{
-			BlackLists: map[string][]config.BytesSource{
+			Denylists: map[string][]config.BytesSource{
 				"ads": config.NewBytesSources(
 					doubleclickFile.Path,
 					bildFile.Path,
@@ -125,13 +125,13 @@ var _ = BeforeSuite(func() {
 				),
 				"youtube": config.NewBytesSources(youtubeFile.Path),
 			},
-			WhiteLists: map[string][]config.BytesSource{
+			Allowlists: map[string][]config.BytesSource{
 				"ads":       config.NewBytesSources(heiseFile.Path),
-				"whitelist": config.NewBytesSources(heiseFile.Path),
+				"allowlist": config.NewBytesSources(heiseFile.Path),
 			},
 			ClientGroupsBlock: map[string][]string{
 				"default":         {"ads"},
-				"clWhitelistOnly": {"whitelist"},
+				"clAllowlistOnly": {"allowlist"},
 				"clAdsAndYoutube": {"ads", "youtube"},
 				"clYoutubeOnly":   {"youtube"},
 			},
@@ -263,7 +263,7 @@ var _ = Describe("Running DNS server", func() {
 			})
 		})
 		Context("no blocking default group with sub domain", func() {
-			It("Query with should not be blocked, sub domain is not in blacklist", func() {
+			It("Query with should not be blocked, sub domain is not in denylist", func() {
 				Expect(requestServer(util.NewMsgWithQuestion("bild.de.", A))).
 					Should(
 						SatisfyAll(
@@ -272,8 +272,8 @@ var _ = Describe("Running DNS server", func() {
 						))
 			})
 		})
-		Context("domain is on white and blacklist default group", func() {
+		Context("domain is on allow/denylist default group", func() {
-			It("Query with should not be blocked, domain is on white and blacklist", func() {
+			It("Query with should not be blocked, domain is on allow/denylist", func() {
 				Expect(requestServer(util.NewMsgWithQuestion("heise.de.", A))).
 					Should(
 						SatisfyAll(
@@ -282,9 +282,9 @@ var _ = Describe("Running DNS server", func() {
 						))
 			})
 		})
-		Context("domain is on client specific white list", func() {
+		Context("domain is on client specific allowlist", func() {
-			It("Query with should not be blocked, domain is on client's white list", func() {
+			It("Query with should not be blocked, domain is on client's allowlist", func() {
-				mockClientName.Store("clWhitelistOnly")
+				mockClientName.Store("clAllowlistOnly")
 				Expect(requestServer(util.NewMsgWithQuestion("heise.de.", A))).
 					Should(
 						SatisfyAll(
@@ -293,9 +293,9 @@ var _ = Describe("Running DNS server", func() {
 						))
 			})
 		})
-		Context("block client whitelist only", func() {
+		Context("block client allowlist only", func() {
-			It("Query with should be blocked, client has only whitelist, domain is not on client's white list", func() {
+			It("Query with should be blocked, client has only allowlist, domain is not on client's allowlist", func() {
-				mockClientName.Store("clWhitelistOnly")
+				mockClientName.Store("clAllowlistOnly")
 				Expect(requestServer(util.NewMsgWithQuestion("google.de.", A))).
 					Should(
 						SatisfyAll(