Using Unbound as an Ad-blocker: Difference between revisions

From Alpine Linux
m (→‎Dnsmasq configuration: use path template.)
Line 15: Line 15:
There are a number of freely available blacklists on the net.  The installer mentioned above uses these lists by default:
There are a number of freely available blacklists on the net.  The installer mentioned above uses these lists by default:
*https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
*https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
*https://mirror1.malwaredomains.com/files/justdomains
*https://sysctl.org/cameleon/hosts
*https://sysctl.org/cameleon/hosts
*https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
*https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
*https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
*https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
*https://hosts-file.net/ad_servers.txt


Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in {{path|/etc/hosts}} and be done). We will use the hosts file format:
Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in {{path|/etc/hosts}} and be done). We will use the hosts file format:

Revision as of 06:38, 15 February 2024

Background

There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware. It runs on the Raspberry Pi- and claims to be a DNS Black Hole. It extends dnsmasq with filtering based on a downloadable blacklist. There is a package request for this software to run on Alpine Linux.

The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of dnsmasq to start. The "basic installer" is over 2600 lines of Bash code.

Our goal is to get 80% of the functionality with 10% of the work.

Basic Components

You should have dnsmasq (or another DHCP server) and unbound both working on your network.

Setting up Unbound To Block/Refuse unwanted addresses

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in /etc/hosts and be done). We will use the hosts file format:

unbound needs to include the blacklists.conf file into its main configuration. To do so, we need to create the include file in the following format:

Contents of /etc/unbound/blacklists.conf

server: local-zone: "bad-site.com" refuse local-zone: "bad-bad-site.com" refuse local-zone: "xyz.ads-r-us.com" refuse

Here is an example shell script to download the StevenBlack hosts file, and then format it for unbound:

#!/bin/sh

echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
        grep ^0.0.0.0 - | \
        sed 's/ #.*$//;
        s/^0.0.0.0 \(.*\)/local-zone: "\1" refuse/' \
        >>/etc/unbound/blacklist.conf


You can run this once, or as part of a periodic cron task.

In the /etc/unbound/unbound.conf, add the following line somewhere in the config:

Contents of /etc/unbound/unbound.conf

#include "/etc/unbound/blacklist.conf"

Reload unbound, and verify the config loads.

Dnsmasq configuration

Dnsmasq defaults to using the resolver in /etc/resolv.conf — if unbound is listening on 127.0.0.1, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:

dhcp-option=6,[ip-of-unbound-server]


Enjoy Ad-Free browsing!