Using Unbound as an Ad-blocker: Difference between revisions

From Alpine Linux
(How to do pi-hole without pi-hole)
 
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Background ==
There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware.  It runs on the Raspberry <span style="color: red">Pi-</span> and claims to be a DNS Black <span style="color: red">Hole</span>.  It extends dnsmasq with filtering based on a downloadable blacklist.  There is a [https://gitlab.alpinelinux.org/alpine/aports/issues/9489 package request] for this software to run on Alpine Linux.
The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of dnsmasq to start.  The "basic installer" is over 2600 lines of Bash code. 
Our goal is to get 80% of the functionality with 10% of the work.
== Basic Components ==
== Basic Components ==


You should have dnsmasq (or another DHCP server) and [https://wiki.alpinelinux.org/wiki/Setting_up_unbound_DNS_server unbound] both working on your network.   
You should have {{Pkg|dnsmasq}} (or another DHCP server) and [[Setting_up_unbound_DNS_server|unbound]] both working on your network.   


== Setting up Unbound To Block/Refuse unwanted addresses ==
== Setting up Unbound To Block/Refuse unwanted addresses ==


There are a number of freely available blacklists on the net.  The installer mentioned above uses these lists by default:
There are a number of freely available blacklists on the net.  The installer mentioned above uses these lists by default:
<pre>
*https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
*https://sysctl.org/cameleon/hosts
https://mirror1.malwaredomains.com/files/justdomains
*https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
http://sysctl.org/cameleon/hosts
*https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
</pre>


Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts.   There are various categories of lists there.   The format of the file is a "host" (so you can put it in /etc/hosts and be done.We will use the hosts file format:
Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in {{path|/etc/hosts}} and be done). We will use the hosts file format:


unbound needs to include the "blacklists.conf" file into its main configuration. To do so, we need to create the include file in the following format:
unbound needs to include the <code>blacklists.conf</code> file into its main configuration. To do so, we need to create the include file in the following format:


<pre>
{{Cat|/etc/unbound/blacklists.conf|server:
server:


local-zone: "bad-site.com" refuse
local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse
local-zone: "xyz.ads-r-us.com" refuse}}
</pre>
 
Here is an example shell script to download the StevenBlack hosts format file, and then format it for unbound:


Here is an example shell script to download the
[https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts StevenBlack]
hosts file, and then format it for unbound:


<pre>
<pre>
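Review bot: the new prose and the `{{Cat|/etc/unbound/blacklists.conf|...}}` template both name the include file `blacklists.conf` (plural), but the include line in the next hunk points at `/etc/unbound/blacklist.conf`. A reader who creates the file under the name shown here ends up with a resolver that never loads it. Pick one name and use it in the prose, the template and the include line.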
Line 53: Line 39:
You can run this once, or as part of a periodic cron task.
You can run this once, or as part of a periodic cron task.


In the /etc/unbound/unbound.conf, add the following line somewhere in the config:
In the {{path|/etc/unbound/unbound.conf}}, add the following line somewhere in the config:
 
<pre>
#include "/etc/unbound/blacklist.conf"
</pre>


{{Cat|/etc/unbound/unbound.conf|#include "/etc/unbound/blacklist.conf"}}


Reload unbound, and verify the config loads.
Reload unbound, and verify the config loads.


== Dnsmasq configuration ==
== Dnsmasq configuration ==


Dnsmasq defaults to using the resolver in /etc/resolv.conf - if unbound is listening on 127.0.0.1, then have it use that as the resolver.
Dnsmasq defaults to using the resolver in {{path|/etc/resolv.conf}} — if unbound is listening on <code>127.0.0.1</code>, then have it use that as the resolver.


Alternatively, if unbound is running on another interface, or on a separate machine - use the dhcp-option configuration in dnsmasq:
Alternatively, if unbound is running on another interface, or on a separate machine use the dhcp-option configuration in dnsmasq:


<pre>
<pre>
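Review bot: the `{{Cat|/etc/unbound/unbound.conf|...}}` line carries over `#include "/etc/unbound/blacklist.conf"` unchanged, and in unbound.conf a leading `#` starts a comment, so the line as shown loads nothing. The directive form is `include: "/etc/unbound/blacklist.conf"`. In the same hunk, the rewritten dnsmasq sentence lost its dash and now reads "on a separate machine use the dhcp-option", which wants a comma after "machine".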
Line 75: Line 57:


Enjoy Ad-Free browsing!
Enjoy Ad-Free browsing!
[[Category:Networking]]

Latest revision as of 03:46, 16 February 2024

Basic Components

You should have dnsmasq (or another DHCP server) and unbound both working on your network.

Setting up Unbound To Block/Refuse unwanted addresses

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts, organised into various categories. The lists are published in hosts file format (so you can put one in /etc/hosts and be done). We will use the hosts file format:

unbound needs to include the blacklist.conf file into its main configuration. To do so, we need to create the include file in the following format:

Contents of /etc/unbound/blacklist.conf

server:
local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse

Here is an example shell script to download the StevenBlack hosts file, and then format it for unbound:

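#!/bin/sh
# Build /etc/unbound/blacklist.conf from the StevenBlack hosts file.

# Start the include file with the server: clause the local-zone lines belong to.
echo "server:" >/etc/unbound/blacklist.conf

# Keep only the "0.0.0.0 <name>" entries, strip trailing comments, drop any
# "0.0.0.0 0.0.0.0" entry, then emit one refuse zone per remaining name.
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
        grep '^0\.0\.0\.0 ' | \
        sed 's/ #.*$//;
        /^0\.0\.0\.0 0\.0\.0\.0$/d;
        s/^0\.0\.0\.0 \(.*\)/local-zone: "\1" refuse/' \
        >>/etc/unbound/blacklist.conf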


You can run this once, or as part of a periodic cron task.
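
The download script above copies whatever the remote list contains straight into the resolver configuration. The following added example (not part of the original wiki page) validates each name before quoting it and replaces the include file only when the download succeeded and produced zones. The function names `hosts_to_zones`, `update_blacklist` and `sample_hosts`, and the sample entries, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): build the unbound include file from
# a downloaded hosts list while treating the list as untrusted input.

# stdin: hosts-format text; stdout: "server:" plus one local-zone line per name.
hosts_to_zones() {
    echo "server:"
    tr -d '\r' | awk '
        $1 != "0.0.0.0" { next }             # only the 0.0.0.0 entries
        {
            name = tolower($2)               # field 2; trailing comments ignored
            sub(/\.$/, "", name)             # drop a trailing root dot
            if (name == "" || name == "0.0.0.0" || length(name) > 253) next
            # Letters, digits, "-", "_" and "." only, so a quote or space in
            # the list can never end the quoted string in the config file.
            if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/) next
            if (!seen[name]++) printf "local-zone: \"%s\" refuse\n", name
        }'
}

# $1: list URL, $2: include file to replace. Both are chosen by the caller.
update_blacklist() {
    raw=$(mktemp) || return 1
    new=$(mktemp "$2.XXXXXX") || { rm -f "$raw"; return 1; }
    rc=1
    # Keep the old file unless the download succeeded and produced zones.
    if curl -fsS -o "$raw" "$1" && hosts_to_zones <"$raw" >"$new" &&
       [ "$(grep -c '^local-zone:' "$new")" -gt 0 ]; then
        chmod 644 "$new" && mv "$new" "$2" && rc=0   # rename replaces atomically
    fi
    rm -f "$raw" "$new"
    return "$rc"
}

# Constructed sample input: two names (one duplicated) and lines to be skipped.
sample_hosts() {
    printf '%s\n' \
        '127.0.0.1 localhost' \
        '0.0.0.0 0.0.0.0' \
        '0.0.0.0 Ads.Example.com # tracker' \
        '0.0.0.0 ads.example.com' \
        '0.0.0.0 bad"name.example' \
        '0.0.0.0 -leading.example' \
        '0.0.0.0 metrics.example.net.'
}

sample_hosts | hosts_to_zones
```

From cron, call `update_blacklist` with the list URL and `/etc/unbound/blacklist.conf`, then reload unbound only when it returns 0.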

In /etc/unbound/unbound.conf, add the following line somewhere in the config:

Contents of /etc/unbound/unbound.conf

include: "/etc/unbound/blacklist.conf"

Reload unbound, and verify the config loads.

Dnsmasq configuration

Dnsmasq defaults to using the resolver in /etc/resolv.conf — if unbound is listening on 127.0.0.1, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:

dhcp-option=6,[ip-of-unbound-server]


Enjoy Ad-Free browsing!