Using Unbound as an Ad-blocker: Difference between revisions

From Alpine Linux
Latest revision as of 15:40, 6 November 2025

This page documents the steps to use Unbound as an Ad-blocker by using a publicly available blacklist in hosts file format.

Prerequisites

  • You should have dnsmasq (or another DHCP server) and unbound both working on your network.

Ad-blocker blacklists

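There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:

  • https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  • https://mirror1.malwaredomains.com/files/justdomains
  • https://sysctl.org/cameleon/hosts
  • https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
  • https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  • https://hosts-file.net/ad_servers.txt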

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The files are in hosts file format (so you can put one in /etc/hosts and be done).

Configuration

There are a few steps to set up Unbound to block/refuse unwanted addresses. In this guide, we will use the hosts file format from https://github.com/StevenBlack/hosts. Unbound needs to include the blacklist.conf file in its main configuration. To do so, we need to create the include file in the following format:

Contents of /etc/unbound/blacklist.conf

server:
local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse

Here is an example shell script to download the StevenBlack hosts file, and then format it for unbound:

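#!/bin/sh

# Start the include file with the server: clause, then append one
# local-zone line for every 0.0.0.0 entry in the StevenBlack hosts file.
echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
        grep '^0\.0\.0\.0 ' | \
        sed 's/ #.*$//;
        s/^0\.0\.0\.0 \(.*\)/local-zone: "\1" refuse/' \
        >>/etc/unbound/blacklist.conf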

You can run this once, or as part of a periodic cron task.

In /etc/unbound/unbound.conf, add the following line somewhere in the config:

Contents of /etc/unbound/unbound.conf

include: "/etc/unbound/blacklist.conf"

Reload unbound, and verify the config loads.
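
A hardened variant of the update script above, as an added example that is not part of the original wiki page: it accepts only well-formed hostnames from the list, builds the file off to the side, and replaces the live include only after the download succeeded and unbound-checkconf accepted the result. The update/demo arguments and the sample hosts are constructed for this example, and it assumes the generated include parses as a stand-alone config.

```shell
#!/bin/sh
# Added example, not the wiki's own script.
URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
OUT="/etc/unbound/blacklist.conf"

# Read hosts-format lines on stdin, write an unbound include on stdout.
# Only names made of letters, digits, '-', '_' and '.' are accepted, so a
# list entry cannot smuggle quotes or extra directives into the config.
hosts_to_unbound() {
    echo "server:"
    tr -d '\r' | awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" &&
        $2 ~ /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$/ {
            name = tolower($2)
            if (!seen[name]++) printf "local-zone: \"%s\" refuse\n", name
        }'
}

# Constructed sample input (not real list data), including a hostile entry.
sample_hosts() {
    printf '%s\n' '127.0.0.1 localhost' '0.0.0.0 0.0.0.0' \
        '0.0.0.0 Ads.Example.com # tracker' '0.0.0.0 ads.example.com' \
        '0.0.0.0 x.example" transparent' '0.0.0.0 bad_name.example.net'
}

# Download, convert and validate in temp files; the live include is only
# replaced (atomically, same directory) when every step succeeded.
update_blacklist() {
    raw=$(mktemp) && new=$(mktemp "$OUT.XXXXXX") || return 1
    if curl -fsS --proto '=https' -o "$raw" "$URL" &&
       hosts_to_unbound <"$raw" >"$new" &&
       [ "$(wc -l <"$new")" -gt 1 ] &&
       unbound-checkconf "$new" >/dev/null; then
        chmod 644 "$new" && mv "$new" "$OUT"
        rc=$?
    else
        rc=1    # keep the previous blacklist.conf in place
    fi
    rm -f "$raw" "$new"
    return "$rc"
}

# Nothing runs unless asked to: "update" for cron use, "demo" for the sample.
case "${1:-}" in
    update) update_blacklist ;;
    demo)   sample_hosts | hosts_to_unbound ;;
esac
```

A failed or empty download leaves the previous blacklist.conf untouched instead of truncating it to a bare server: line.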

Dnsmasq configuration

Dnsmasq defaults to using the resolver in /etc/resolv.conf — if unbound is listening on 127.0.0.1, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:

dhcp-option=6,[ip-of-unbound-server]

Enjoy Ad-Free browsing!
