There is a fairly popular software product that acts as a DNS blocker for advertisements and malware. It runs on the Raspberry Pi and claims to be a DNS Black Hole. It extends dnsmasq with filtering based on a downloadable blacklist. There is a package request for this software to run on Alpine Linux.
The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version ofto start. The "basic installer" is over 2600 lines of Bash code.
Our goal is to get 80% of the functionality with 10% of the work.
You should have unbound and dnsmasq (or another DHCP server) both working on your network.
Setting up Unbound To Block/Refuse unwanted addresses
There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts, organized into various categories. The files are in "hosts" format (so you can put one in /etc/hosts and be done). We will use the hosts file format:
unbound needs to include the blacklist.conf file in its main configuration. To do so, we need to create the include file in the following format:
Here is an example shell script to download the StevenBlack hosts format file (https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts), and then format it for unbound:
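    #!/bin/sh
    # Rebuild the unbound include file from the StevenBlack hosts list.
    # Start the file with the "server:" clause the local-zone lines belong to.
    echo "server:" >/etc/unbound/blacklist.conf
    # Keep only the 0.0.0.0 entries, strip trailing comments, and turn each
    # host into a local-zone that unbound refuses to answer.
    curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
        grep '^0\.0\.0\.0 ' | \
        sed 's/ #.*$//; s/^0\.0\.0\.0 \(.*\)/local-zone: "\1" refuse/' \
        >>/etc/unbound/blacklist.conf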
You can run this once, or as part of a periodic cron task.
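A stricter version of the conversion step, as an added example that is not part of the original page: it accepts only well-formed hostnames from the downloaded list, so a malformed line cannot break or alter the generated config, emits each name once, and replaces the target file only when the new list is non-empty. The function names and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Reads hosts-format lines on
# stdin and prints unbound local-zone directives for valid hostnames only.
hosts_to_unbound() {
    echo "server:"
    awk '
        $1 != "0.0.0.0" { next }          # only sink entries are considered
        {
            name = tolower($2)
            sub(/\.$/, "", name)          # drop a trailing root dot
            # Accept plain DNS names only, so quotes and other stray
            # characters never reach the generated config.
            if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
            if (length(name) > 253) next
            if (name ~ /^[0-9.]+$/) next  # IP-like entries such as 0.0.0.0
            if (seen[name]++) next        # emit each name once
            printf "local-zone: \"%s\" refuse\n", name
        }'
}

# Hypothetical helper: write_blacklist <hosts-file> <output.conf>
# Builds the new file beside the target and swaps it in only if it contains
# at least one zone, so an empty or failed download keeps the previous list.
write_blacklist() {
    tmp="$2.tmp.$$"
    hosts_to_unbound <"$1" >"$tmp" || { rm -f "$tmp"; return 1; }
    if ! grep -q '^local-zone: ' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$2"
}

# Constructed sample input, not taken from any real list.
sample_hosts() {
    cat <<'EOF'
# comment line
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET # inline comment
0.0.0.0 ads.example.com
0.0.0.0 bad"name.example
EOF
}

sample_hosts | hosts_to_unbound
```

To use it against a real list, download the list to a temporary file first, then pass that file and /etc/unbound/blacklist.conf to write_blacklist.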
In /etc/unbound/unbound.conf, add the following line somewhere in the config:
Reload unbound, and verify the config loads.
Dnsmasq defaults to using the resolver in /etc/resolv.conf. If unbound is listening on 127.0.0.1, then have it use that as the resolver.
Alternatively, if unbound is running on another interface, or on a separate machine, use the dhcp-option configuration in dnsmasq:
Enjoy Ad-Free browsing!