Replacing DNSMasq DNS with Unbound

Sounds good.

Hope the Entware team finally releases the required OpenSSL update...

I tried DNS over TLS in Unbound 1.9.0. Really brief (<10 mins). It seems speed-up features such as session resumption are still not available.

On a test domain, DNS over TLS to Cloudflare takes 400ms. Plain DNS takes 60ms. Not worth the penalty to me. OpenSSL 1.1.1a won't magically solve this problem.
 
Hope the Entware team finally releases the required OpenSSL update...
They did!

With OpenSSL 1.1.1 and unbound 1.9 I finally went from:

Code:
[1553415713] unbound-checkconf[27736:0] error: no name verification functionality in ssl library, ignored name for 1.0.0.1@853#cloudflare-dns.com
[1553415713] unbound-checkconf[27736:0] error: no name verification functionality in ssl library, ignored name for 1.1.1.1@853#cloudflare-dns.com

to:

Code:
unbound-checkconf: no errors in /opt/etc/unbound/unbound.conf
 
I use Unbound. I configured it that way. Start unbound from Entware (I assume the default prefix /opt is used). I still forward queries from dnsmasq (well, it is a query forwarder) to unbound, listening on port 40.

1) install unbound
opkg install unbound unbound-anchor unbound-control-setup
2) run unbound-anchor and unbound-control-setup
unbound-anchor
unbound-control-setup
3) create /opt/var/lib/unbound directory
mkdir /opt/var/lib/unbound
4) copy root.key to unbound directory
cp -f /opt/etc/unbound/root.key /opt/var/lib/unbound/root.key
5) change directory ownership to nobody, in case you want to drop daemon privileges from root to nobody
chown nobody /opt/var/lib/unbound
6) edit /opt/var/lib/unbound/unbound.conf
server:

# port to answer queries from

port: 40

verbosity: 1

do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow

private-address: 192.168.0.0/24
private-domain: "domain.lan"
local-zone: "0.192.in-addr.arpa." nodefault

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 4
rrset-cache-slabs: 4
key-cache-slabs: 4

# this limits TCP service but uses less buffers
outgoing-num-tcp: 10
incoming-num-tcp: 10

# use somewhat higher port numbers versus possible NAT issue
outgoing-port-permit: "10240-65335"

# uses less memory but less performance
outgoing-range: 200
num-queries-per-thread: 900

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 4m
rrset-cache-size: 8m
infra-host-ttl: 900
cache-min-ttl: 3600
cache-max-ttl: 86400
edns-buffer-size: 1472
so-rcvbuf: 1m

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
qname-minimisation: yes
use-caps-for-id: no
do-not-query-localhost: no
val-clean-additional: yes
harden-glue: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /opt/etc/ssl/certs/ca-certificates.crt

# The pid file
pidfile: "/opt/var/run/unbound.pid"

local-zone: "localhost." static
local-data: "localhost. 10800 IN NS localhost."
local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
local-data: "localhost. 10800 IN A 127.0.0.1"
local-zone: "127.in-addr.arpa." static
local-data: "127.in-addr.arpa. 10800 IN NS localhost."
local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

# Adblock blacklist
include: /opt/etc/unbound/adservers

remote-control:
control-enable: yes
control-interface: 0.0.0.0
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

7) start unbound daemon
/opt/etc/unbound/init.d/S61unbound start
8) Edit dnsmasq custom configuration in GUI and save it:
cache-size=0
server=127.0.0.1#40
no-resolv
no-poll
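Added example, not from the post above: a small POSIX sh script that checks an unbound.conf for three things the steps above make easy to get wrong. Copying root.key into the chroot only matters if the config references a trust anchor, `control-interface: 0.0.0.0` exposes the control port beyond loopback, and `interface: 0.0.0.0` is only safe with a default `access-control: ... refuse`. The config path is passed as the single argument; the sample configs in the test are constructed from the keys used in this thread.

```shell
#!/bin/sh
# Sanity checks to run over an Entware unbound.conf before "S61unbound start".
# Pure text matching, so it works even where unbound-checkconf is not installed.

# Print the config without comments, blank lines or leading indentation.
# (A value containing '#', e.g. a forward-addr with a TLS name, loses its tail
# here; none of the keys checked below carry one.)
conf_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if a DNSSEC trust anchor is referenced. Running unbound-anchor and copying
# root.key into the chroot enables nothing until the config points at it.
has_trust_anchor() {
    conf_lines "$1" | grep -Eq '^(auto-)?trust-anchor-file:'
}

# 0 if remote control is disabled or bound only to loopback. A control
# interface of 0.0.0.0 exposes port 953 on every interface unbound can see.
control_is_local() {
    conf_lines "$1" | grep -Eq '^control-enable:[[:space:]]*yes' || return 0
    if conf_lines "$1" | grep '^control-interface:' \
         | grep -Evq '^control-interface:[[:space:]]*(127\.0\.0\.1|::1)[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# 0 if the config refuses the world by default for IPv4 and, when IPv6 is
# enabled, for IPv6 too; the LAN "allow" lines then override this default.
world_is_refused() {
    conf_lines "$1" | grep -Eq '^access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+refuse' || return 1
    if conf_lines "$1" | grep -Eq '^do-ip6:[[:space:]]*yes'; then
        conf_lines "$1" | grep -Eq '^access-control:[[:space:]]*::0?/0[[:space:]]+refuse' || return 1
    fi
    return 0
}

# Run all checks, print one line per finding, return 1 if anything failed.
audit() {
    rc=0
    has_trust_anchor "$1" || { echo "WARN: no (auto-)trust-anchor-file, DNSSEC validation is off"; rc=1; }
    control_is_local "$1" || { echo "WARN: remote-control bound to a non-loopback address"; rc=1; }
    world_is_refused "$1" || { echo "WARN: missing default 'access-control: ... refuse'"; rc=1; }
    return $rc
}

# When run directly: audit the given file, then let unbound-checkconf parse it
# if the tool is installed.
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    audit "$1"
    command -v unbound-checkconf >/dev/null 2>&1 && unbound-checkconf "$1"
fi
```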

Adblocking on Unbound:

Create a scheduler on cron:

Configure the unbound.conf file in the directory:
# Adblock blacklist
include: /jffs/adservers.txt

# override for whitelisted domains to resolve normally
local-zone: "zanox.com" transparent
local-zone: "omguk.com" transparent
local-zone: "pmstrk.mercadolivre.com.br" transparent
local-zone: "googleadservices.com" transparent

local-zone: " " transparent ---> Domain settings whitelist

NOTE: Implementing Adblock on Unbound requires sufficient RAM. It is advisable to configure swap memory.
 
Thank you very much for posting this. I have made some attempts at getting Unbound to work on Asuswrt-Merlin and failed every time. I use Unbound on pfSense with success. On pfSense, everything can be configured in the web interface though.
 
Thank you very much for posting this. I have made some attempts at getting Unbound to work on Asuswrt-Merlin and failed every time. I use Unbound on pfSense with success. On pfSense, everything can be configured in the web interface though.
Code:
root@rgnldo-lan:/tmp/home/root# unbound-control stats_noreset
thread0.num.queries=9706
thread0.num.queries_ip_ratelimited=0
thread0.num.cachehits=7688
thread0.num.cachemiss=2018
thread0.num.prefetch=2122
thread0.num.zero_ttl=1853
thread0.num.recursivereplies=2018
thread0.requestlist.avg=13.2688
thread0.requestlist.max=67
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
thread0.requestlist.current.all=0
thread0.requestlist.current.user=0
thread0.recursion.time.avg=16.852336
thread0.recursion.time.median=2.40376
thread0.tcpusage=0
total.num.queries=9706
total.num.queries_ip_ratelimited=0
total.num.cachehits=7688
total.num.cachemiss=2018
total.num.prefetch=2122
total.num.zero_ttl=1853
total.num.recursivereplies=2018
total.requestlist.avg=13.2688
total.requestlist.max=67
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=16.852336
total.recursion.time.median=2.40376
total.tcpusage=0
time.now=1554769850.816279
time.up=1554769829.826325
time.elapsed=1554769829.826325

Edit /opt/etc/unbound/init.d/S61unbound

Code:
#!/bin/sh

ENABLED=yes
PROCS=unbound
ARGS="-c /opt/var/lib/unbound/unbound.conf"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

Set NTP using IP addresses rather than domain names, for DNSSEC at boot.
 
@rgnldo
I am interested in combining Unbound with Stubby.

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
Note that some users use Stubby in combination with Unbound - Unbound provides a local cache and Stubby manages the upstream TLS connections (since Unbound cannot yet authenticate upstreams, or re-use TCP/TLS connections). An example configuration is available on this page.

Now that you have posted the install instructions for Unbound, I will be able to test out the combination of the two.
 
I already configured it with Stubby. I am no longer an admirer of these solutions. I think you'd better invest in OPNsense, with Squid 4, with SSL. I prefer the local DoT solutions, without intermediate commercial servers.

This is my current unbound.conf, without a forward zone.
Code:
server:

    # port to answer queries from

    port: 40

    verbosity: 1

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # don't be picky about interfaces but consider your firewall
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.30.0/24 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # private networks:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16

    # no threads and no memory slabs for threads
    num-threads: 1
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

    # tiny memory cache
    key-cache-size: 8m
    msg-cache-size: 4m
    rrset-cache-size: 4m
    cache-min-ttl: 300
    cache-max-ttl: 86400
    edns-buffer-size: 1472
    delay-close: 10000
    neg-cache-size: 4M
    serve-expired: yes

    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes

    # gentle on recursion
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: no
    harden-glue: yes
    aggressive-nsec: yes

    # Self jail Unbound with user "unbound" to /var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    root-hints: "/opt/var/lib/unbound/root.hints"

    # DNSSEC and DNS-over-TLS
    module-config: "validator iterator"
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    domain-insecure: "vaka.me"

    # The pid file
    pidfile: "/opt/var/run/unbound.pid"

    # Adblock blacklist
    include: /jffs/adservers.txt

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
 
I will be able to test out the combination of the two.
Code:
Unbound as a local caching forwarder listening on port 53, configured with stub zones as you need and then forwarding all other zones to Stubby on a different port.

An Unbound config file something like the following:

    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5453

Combined with an updated stubby.yml that uses:

listen_addresses:
  - 127.0.0.1@5453
  - ::1@5453
 
Might you expand on your alternative solution? What works better in one than the other that you prefer?
 
Since Unbound cannot yet authenticate upstreams, or re-use TCP/TLS connections
Is that still true?

I thought upstream authentication is possible with OpenSSL 1.1.1 and unbound 1.9?

No clue about reusing connections though.
 
Best and most efficient adblock standard for unbound. It consumes less memory and gives faster queries.

Code:
local-zone: "000free.us" refuse
 
@Xentrk I need your help in this script.

Code:
#!/bin/bash
# Builds /jffs/adservers.txt as Unbound "local-zone: ... refuse" entries
# from public hosts-format and one-domain-per-line block lists.

destinationIP="0.0.0.0"

outlist='/tmp/tmp.host'
finalist='/tmp/tmp.finalhost'
permlist='/jffs/adpermitidos.txt'
adlist='/jffs/adservers.txt'
# must be set after outlist, otherwise it expands to just ".tmp"
tempoutlist="$outlist.tmp"

: > "$tempoutlist"
# an absent whitelist file would make grep fail and empty the final list
[ -f "$permlist" ] || : > "$permlist"

# Fetch one list and append its domains to $tempoutlist. The last field of each
# line is taken so that both "0.0.0.0 domain" (hosts format) and bare "domain"
# lines work; only hostname-looking tokens are kept, and the local names that
# hosts files carry are dropped so they cannot clash with the static localhost zones.
getlist() {
    echo "Get $1 ad list..."
    curl --progress-bar "$2" | grep -v "#" | grep -v "::1" | sed $'s/\r$//' \
        | awk 'NF {print $NF}' | grep -E '^[A-Za-z0-9._-]+$' \
        | grep -Ev '^(localhost|0\.0\.0\.0|127\.0\.0\.1)$' | sort >> "$tempoutlist"
}

#getlist "StevenBlack" https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
getlist "EnergizedProtection" https://raw.githubusercontent.com/EnergizedProtection/block/master/spark/formats/hosts
getlist "Piwik" https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt
getlist "Mitchellkrogza" https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/.dev-tools/output/domains/ACTIVE/list
getlist "Antipopads" https://raw.githubusercontent.com/EnergizedProtection/block/master/assets/active/filter/antipopads.txt
getlist "eth-phishing-detect" https://raw.githubusercontent.com/EnergizedProtection/block/master/assets/active/filter/eth-phishing-detect.txt
getlist "Adguard-spyware-firstparty" https://raw.githubusercontent.com/EnergizedProtection/block/master/assets/active/filter/adguard-spyware-firstparty.txt
getlist "adguard-spyware" https://raw.githubusercontent.com/EnergizedProtection/block/master/assets/active/filter/adguard-spyware.txt
getlist "Yhonay" https://raw.githubusercontent.com/Yhonay/antipopads/master/hosts
getlist "AdguardMobileAds" https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt

echo "Removing duplicates from the domain list ..."
sort -u "$tempoutlist" | sed '/^$/d' | awk -v "IP=$destinationIP" '{print IP" "$0}' > "$outlist"

numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked compiled domains"

echo "Editing the list of allowed domains..."
# fixed-string substring match: an allowed entry also removes every longer
# domain that contains it
grep -vF -f "$permlist" "$outlist" > "$finalist"

echo "Generating adblock list Unbound..."
grep '^0\.0\.0\.0' "$finalist" | awk '{print "local-zone: \""$2"\" refuse"}' > "$adlist"

numberOfAdsBlocked=$(wc -l < "$adlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"

echo "Restarting dns servers..."
/opt/etc/init.d/S61unbound restart

I'm thinking of applying these iptables rules for adblock:

Code:
iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable

I'm trying to fool the Xenforo plugin rellect with unbound. I'm not managing it. With dnsmasq it works.
 
The hosts file ad blockers require dnsmasq to work. I use the Adblock package available on OpenWRT on my GL.iNet travel router. On AsusWRT-Merlin, Diversion is the ad blocker of choice. Hosts file ad blockers use dnsmasq to send requests to 0.0.0.0 or the router loopback address 127.0.0.1. I have not looked at the Adblock package source code in detail.
 
This script converts a hosts file to Unbound format.
I can look how unbound is working with the pfBlockerNG ad blocker package on my pfSense appliance for clues when I return home in a few more days. It also uses hosts files and must be doing some transformation to work with unbound.
 