Using Unbound as an Ad-blocker

From Alpine Linux
Revision as of 20:03, 21 February 2020 by Nangel (talk | contribs) (How to do pi-hole without pi-hole)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Background

There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware. It runs on the Raspberry Pi- and claims to be a DNS Black Hole. It extends dnsmasq with filtering based on a downloadable blacklist. There is a package request for this software to run on Alpine Linux.

The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of dnsmasq to start. The "basic installer" is over 2600 lines of Bash code.

Our goal is to get 80% of the functionality with 10% of the work.


Basic Components

You should have dnsmasq (or another DHCP server) and unbound both working on your network.

Setting up Unbound To Block/Refuse unwanted addresses

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in /etc/hosts and be done.) We will use the hosts file format:

unbound needs to include the "blacklists.conf" file into its main configuration. To do so, we need to create the include file in the following format:

server:

local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse

Here is an example shell script to download the StevenBlack hosts format file, and then format it for unbound:


#!/bin/sh

echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
        grep ^0.0.0.0 - | \
        sed 's/ #.*$//;
        s/^0.0.0.0 \(.*\)/local-zone: "\1" refuse/' \
        >>/etc/unbound/blacklist.conf


You can run this once, or as part of a periodic cron task.

In the /etc/unbound/unbound.conf, add the following line somewhere in the config:

#include "/etc/unbound/blacklist.conf"


Reload unbound, and verify the config loads.


Dnsmasq configuration

Dnsmasq defaults to using the resolver in /etc/resolv.conf - if unbound is listening on 127.0.0.1, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine - use the dhcp-option configuration in dnsmasq:

dhcp-option=6,[ip-of-unbound-server]


Enjoy Ad-Free browsing!