Unbound - Authoritative Recursive Caching DNS Server
- Thread starter rgnldo
- Start date
- Status
Any special instructions with default RMerlin settings i.e. DoT should be disabled /enabled0and using diversion/skynet and what default settings you recommend using and/ usor not using???
- DoT should be disabled since it won't be used with Unbound.
- DNSSEC can be disabled in the GUI since Unbound will do its own DNSSEC.
Code:
#!/bin/sh
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion
CONFIG=$1
. /usr/sbin/helper.sh
if [ -n "$(pidof unbound)" ]; then
UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
if [ -n "$UNBOUNDLISTENADDR" ]; then
pc_delete "servers-file" "$CONFIG"
pc_delete "no-negcache" "$CONFIG"
pc_delete "trust-anchor=" "$CONFIG"
pc_delete "dnssec" "$CONFIG"
pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
pc_append "proxy-dnssec" "$CONFIG"
fi
fi
rgnldo
Very Senior Member
@dave14305 look
Still unbound works with dnssec
Code:
unbound-host -C /opt/var/lib/unbound/unbound.conf asuswrt-merlin.net
[1570553617] libunbound[4112:0] notice: init module 0: validator
[1570553617] libunbound[4112:0] error: unable to open /root.key for reading: No such file or directory
[1570553617] libunbound[4112:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553617] libunbound[4112:0] error: validator: error in trustanchors config
[1570553617] libunbound[4112:0] error: validator: could not apply configuration settings.
[1570553617] libunbound[4112:0] error: module init for module validator failed
resolve error: initialization failure
Code:
unbound-anchor -C /opt/var/lib/unbound/unbound.conf
[1570553710] libunbound[4162:0] notice: init module 0: validator
[1570553710] libunbound[4162:0] error: unable to open /root.key for reading: No such file or directory
[1570553710] libunbound[4162:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553710] libunbound[4162:0] error: validator: error in trustanchors config
[1570553710] libunbound[4162:0] error: validator: could not apply configuration settings.
[1570553710] libunbound[4162:0] error: module init for module validator failedStill unbound works with dnssec
Maybe it works, but not certain how to establish trust if we don't seed a proper root.key file with "unbound-anchor -a /opt/var/lib/unbound/root.key".
I used the instructions here: https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/
rgnldo
Very Senior Member
Match the commands I listed
rgnldo
Very Senior Member
The returns I reported do not compromise the operation of unbound. From what I've verified, this is a communication with libunbound. I resolved by adding the logs:
Code:
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes
Last edited:
rgnldo
Very Senior Member
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet re-use TCP/TLS connections or send several of the privacy related options (padding, ECS privacy) etc. The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. An example minimal config is given below.
For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/
Yes I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY - this method is the one recommended by DNSPRIVACY - see here :
https://getdnsapi.net/ 5
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby 2
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound 3 - please read this carefully - you will note that it indicates :
Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS.
With native stubby on FW Merlin it was not possible due to dependency on dnsmasq connectivity. The idea is to maintain unbound root servers resolution. I configured unbound with stubby via entware.
Let's go!
unbound.conf
For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/
Yes I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY - this method is the one recommended by DNSPRIVACY - see here :
https://getdnsapi.net/ 5
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby 2
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound 3 - please read this carefully - you will note that it indicates :
Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS.
With native stubby on FW Merlin it was not possible due to dependency on dnsmasq connectivity. The idea is to maintain unbound root servers resolution. I configured unbound with stubby via entware.
Let's go!
Code:
opkg install stubby
curl -o /opt/etc/init.d/S62stubby https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/S61stubby
chmod +x /opt/etc/init.d/S62stubby
curl -o /opt/etc/stubby/stubby.yml https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/stubby.ymlunbound.conf
Code:
server:
# port to answer queries from
port: 53535
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# don't be picky about interfaces but consider your firewall
interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow
# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes
outgoing-range: 8192
num-queries-per-thread: 4096
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 1472
# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
infra-cache-numhosts: 100000
unwanted-reply-threshold: 10000000
max-udp-size: 3072
ip-ratelimit: 300
ip-ratelimit-factor: 10
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
# gentle on recursion
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
harden-algo-downgrade: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: no
target-fetch-policy: "0 0 0 0 0"
val-clean-additional: yes
# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
# The pid file
pidfile: "/opt/var/run/unbound.pid"
root-hints: "/opt/var/lib/unbound/root.hints"
trust-anchor-file: "/opt/var/lib/unbound/root.key"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
forward-zone:
name: "."
forward-addr: 127.0.0.1@5453
forward-addr: 0::1@5453
Last edited:
But now you have no recursive lookups from Unbound. All your DNS queries are sent to Cloudflare only, but at least they are encrypted.
rgnldo
Very Senior Member
This is not the logic. Unbound will query root servers but return via stubby, without dnsmasq. It is recommended by dnsprivacy. Stubby looks like a stub-zone
Code:
[1570969319] unbound[12942:0] info: query response was nodata ANSWER
[1570969319] unbound[12942:0] info: NSEC3s for the referral proved no DS.
[1570969319] unbound[12942:0] info: Verified that unsigned response is INSECURE
[1570969319] unbound[12942:0] info: 127.0.0.1 pl-gl-aquarius-01.folha.com.br. AAAA IN NOERROR 0.235386 0 113
[1570969319] unbound[12942:0] info: 127.0.0.1 mozilla.org. AAAA IN
[1570969319] unbound[12942:0] info: resolving mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: response for mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was nodata ANSWER
[1570969320] unbound[12942:0] info: resolving org. DS IN
[1570969320] unbound[12942:0] info: response for org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS org. DS IN
[1570969320] unbound[12942:0] info: resolving org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY org. DNSKEY IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DS IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS mozilla.org. DS IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: validate(nodata): sec_status_secure
[1570969320] unbound[12942:0] info: validation success mozilla.org. AAAA INThis shows unbound validating dnssec, but not doing recursive lookups. It’s an encrypted configuration, but not a recursive one.
rgnldo
Very Senior Member
Understand, there will be no recursive root server queries, that is, root queries, but trust validation continues with unbound-anchor's root.key. It will not be trusted solely on stubby servers.
Configure server randomization in stubby. Queries will alternate, avoiding any log history on certain servers.
SomeWhereOverTheRainBow
Part of the Furniture
the answer to the age long question to forward or not to forward....
Why not enable forward-first: yes option... this will first try to forward , but if fails it will resort to recursion... best of both worlds.
Why not enable forward-first: yes option... this will first try to forward , but if fails it will resort to recursion... best of both worlds.
rgnldo
Very Senior Member
Good news, the new version 1.9.3 of repo entware unbound came with major improvements in adblock. There is no need for Diversion, which is focused on dnsmasq. The fewer dnsmasq features, the better for unbound. Follows the script that I prepared.
Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'
adlist='/jffs/Adblock/adservers.txt'
echo "Removing Possible Temporary Files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost
echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Removing Duplicate Domain list formats..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Edit list of allowed domains..."
fgrep -vf $permlist $outlist > $finalist
echo "Generating Unbound Adlist..."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" static"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Removing temporary files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
Last edited:
SomeWhereOverTheRainBow
Part of the Furniture
Does this work well in conjunction with pi hole? And how do we add this to unbound.conf?
Last edited:
rgnldo
Very Senior Member
The generated format is for Unbound. Pi-hole has a format similar to Diversion.
rgnldo
Very Senior Member
Code:
include: /jffs/Adblock/adservers.txtThere is an interesting trick to bypassing DNSSEC validation on configured NTP servers on Merlin, making synchronization faster.
Code:
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
domain-insecure: "ntp1.rnp.br"
domain-insecure: "3.br.pool.ntp.org"
Last edited:
rgnldo
Very Senior Member
Intercepting Google DNS traffic, rather than blocking
There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via iptables:
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x
DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose.
https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6
There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via iptables:
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x
- 192.168.x.x/24 - Range of your LAN, example: 192.168.1.0/24
- 192.168.x.x - The device that is running DNS i.e. router 192.168.1.1
DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose.
https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6
SomeWhereOverTheRainBow
Part of the Furniture
Yea I do something similar using DNS filter for specific devices i need to be segregated.
rgnldo
Very Senior Member
Script custom adblock Unbound
create custom blacklist on pastebin or other host site
create custom blacklist on pastebin or other host site
Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'
adlist='/jffs/Adblock/adservers.txt'
echo "Removing Possible Temporary Files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost
echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading Custom ad list..."
curl https://pastebin.com >> $tempoutlist ### create custom blacklist on pastebin or other host site
echo "Removing Duplicate Domain list formats..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Edit list of allowed domains..."
curl --progress-bar https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt >> /jffs/Adblock/perm.txt
cat /jffs/Adblock/perm.txt /jffs/Adblock/pattern.txt > $permlist
fgrep -vf $permlist $outlist > $finalist
echo "Generating Unbound Adlist..."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" static"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Removing temporary files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost
echo "Downloading root servers DNS.."
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart- Status
Similar threads
Similar threads
-
Can't connect to DYNDNS when Unbound is enabled !
- Started by ComputerSteve
- Replies: 10
-
-
Unbound + Wireguard: is this combination possible at all?
- Started by louisschneider
- Replies: 6
Latest threads
-
Corrupted router specific partition on AX88U
- Started by nomad_surfer
- Replies: 1
-
-
-
ASUS ROG Rapture GT-BE98 current experience
- Started by BailA
- Replies: 0
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!
Staff online
-
thigginsMr. Easy