Using Unbound as an Ad-blocker
Background
There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware. It runs on the Raspberry Pi- and claims to be a DNS Black Hole. It extends dnsmasq with filtering based on a downloadable blacklist. There is a package request for this software to run on Alpine Linux.
The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of dnsmasq to start. The "basic installer" is over 2600 lines of Bash code.
Our goal is to get 80% of the functionality with 10% of the work.
Basic Components
You should have dnsmasq (or another DHCP server) and unbound both working on your network.
Setting up Unbound To Block/Refuse unwanted addresses
There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://mirror1.malwaredomains.com/files/justdomains
- https://sysctl.org/cameleon/hosts
- https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
- https://hosts-file.net/ad_servers.txt
Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in /etc/hosts and be done). We will use the hosts file format:
unbound needs to include the blacklists.conf
file into its main configuration. To do so, we need to create the include file in the following format:
Contents of /etc/unbound/blacklists.conf
Here is an example shell script to download the StevenBlack hosts file, and then format it for unbound:
#!/bin/sh echo "server:" >/etc/unbound/blacklist.conf curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \ grep ^0.0.0.0 - | \ sed 's/ #.*$//; s/^0.0.0.0 \(.*\)/local-zone: "\1" refuse/' \ >>/etc/unbound/blacklist.conf
You can run this once, or as part of a periodic cron task.
In the /etc/unbound/unbound.conf, add the following line somewhere in the config:
Contents of /etc/unbound/unbound.conf
Reload unbound, and verify the config loads.
Dnsmasq configuration
Dnsmasq defaults to using the resolver in /etc/resolv.conf — if unbound is listening on 127.0.0.1
, then have it use that as the resolver.
Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:
dhcp-option=6,[ip-of-unbound-server]
Enjoy Ad-Free browsing!