Unbound - Authoritative Recursive Caching DNS Server
The unbound-host is new. Tool similar to bind-utils.
 
Any special instructions with default RMerlin settings, i.e. should DoT be disabled/enabled, and using Diversion/Skynet, and what default settings do you recommend using and/or not using?
  • DoT should be disabled since it won't be used with Unbound.
  • DNSSEC can be disabled in the GUI since Unbound will do its own DNSSEC.
I've amended my dnsmasq.postconf to account for any DNSMASQ DNSSEC directives from the GUI. I don't change any nvram because if I disable Unbound, I still want DNSSEC for my ISP DNS servers.
Code:
#!/bin/sh
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion

CONFIG=$1
. /usr/sbin/helper.sh   # provides pc_delete / pc_replace / pc_append

# Only rewire dnsmasq when Unbound is actually running; otherwise the GUI
# settings (ISP DNS servers, dnsmasq's own DNSSEC) stay untouched.
if [ -n "$(pidof unbound)" ]; then
        # Loopback address:port Unbound listens on for UDP, converted to dnsmasq's addr#port form
        UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
        if [ -n "$UNBOUNDLISTENADDR" ]; then
                # Drop the GUI-generated upstream list and DNSSEC directives: Unbound validates, dnsmasq must not
                pc_delete "servers-file" "$CONFIG"
                pc_delete "no-negcache" "$CONFIG"
                pc_delete "trust-anchor=" "$CONFIG"
                pc_delete "dnssec" "$CONFIG"
                # Let Unbound do the caching
                pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
                pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
                # Pass the validated (AD) flag from Unbound through to clients
                pc_append "proxy-dnssec" "$CONFIG"
        fi
fi
 
@dave14305 look
Code:
unbound-host -C /opt/var/lib/unbound/unbound.conf asuswrt-merlin.net
[1570553617] libunbound[4112:0] notice: init module 0: validator
[1570553617] libunbound[4112:0] error: unable to open /root.key for reading: No such file or directory
[1570553617] libunbound[4112:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553617] libunbound[4112:0] error: validator: error in trustanchors config
[1570553617] libunbound[4112:0] error: validator: could not apply configuration settings.
[1570553617] libunbound[4112:0] error: module init for module validator failed
resolve error: initialization failure

Code:
unbound-anchor  -C /opt/var/lib/unbound/unbound.conf
[1570553710] libunbound[4162:0] notice: init module 0: validator
[1570553710] libunbound[4162:0] error: unable to open /root.key for reading: No such file or directory
[1570553710] libunbound[4162:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553710] libunbound[4162:0] error: validator: error in trustanchors config
[1570553710] libunbound[4162:0] error: validator: could not apply configuration settings.
[1570553710] libunbound[4162:0] error: module init for module validator failed

Still unbound works with dnssec
 
Maybe it works, but not certain how to establish trust if we don't seed a proper root.key file with "unbound-anchor -a /opt/var/lib/unbound/root.key".

I used the instructions here: https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/
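An added check for the point above; it is not from any post in this thread and not part of Unbound itself. The "/root.key" in the unbound-host errors is the configured path with the chroot: prefix stripped, which is what libunbound does with file names when the config it is given has chroot: set, so unbound-host run against the daemon's config does not say much about the daemon's own anchor. The script below inspects the anchor file directly: it looks for a root KSK (DNSKEY flags 257) that autotrust has marked VALID (;;state=2), and seeds the file with unbound-anchor when there is none. The /opt/var/lib/unbound path and the user "nobody" are taken from the configs posted here; the sample anchor file it writes is constructed, with placeholder key material (only the id labels look like real ones).

```shell
#!/bin/sh
# Added example (not from the original posts): is there a usable root trust
# anchor in Unbound's auto-trust-anchor-file? Sample content is constructed.

ANCHOR_DEFAULT="/opt/var/lib/unbound/root.key"

# Autotrust (RFC 5011) files keep one DNSKEY per line with a trailer such as
# ";{id = N (ksk), size = 2048b} ;;state=2 [ VALID ]". The validator only
# trusts state=2 keys; other states are pending, missing or revoked.
valid_ksk_ids() {
    grep -E '[[:space:]]DNSKEY[[:space:]]+257[[:space:]]' "$1" 2>/dev/null |
        grep ';;state=2' |
        sed -n 's/.*;{id = \([0-9][0-9]*\) (ksk).*/\1/p'
}

# Number of KSK lines present but NOT in the VALID state.
stale_ksk_count() {
    grep -E '[[:space:]]DNSKEY[[:space:]]+257[[:space:]]' "$1" 2>/dev/null |
        grep -vc ';;state=2' || true
}

# Prints "missing", "no-valid-ksk" or "ok"; returns 0 only for "ok".
anchor_status() {
    f="$1"
    if [ ! -s "$f" ]; then echo missing; return 1; fi
    if [ -z "$(valid_ksk_ids "$f")" ]; then echo no-valid-ksk; return 1; fi
    echo ok
}

# Seed or refresh the anchor with NLnet Labs' tool. Its exit code is not a
# pass/fail: 1 means the anchor came from the built-in certificate fallback
# (worth a look), 0 covers "nothing to do", an RFC 5011 update and also errors.
# So the file is re-inspected afterwards instead of trusting the exit status.
seed_anchor() {
    unbound-anchor -a "$1" || echo "anchor fetched via certificate fallback, please check $1" >&2
    # Unbound rewrites this file itself (RFC 5011 probing), so the daemon's
    # user from unbound.conf ("nobody" in this thread) must be able to write it.
    chown nobody "$1" 2>/dev/null || true
    anchor_status "$1" >/dev/null
}

# Constructed sample: one VALID KSK, one REVOKED KSK, one ZSK. Placeholder keys.
write_sample_anchor() {
    cat > "$1" <<'EOF'
; autotrust trust anchor file (constructed sample, placeholder key material)
;;id: . 1
;;last_success: 1570000000
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkK== ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1508155220
. 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLO== ;{id = 19036 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1547201000
. 86400 IN DNSKEY 256 3 8 AwEAAbsamplezsk== ;{id = 12345 (zsk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1570000000
EOF
}

if [ $# -gt 0 ]; then
    # Real use: ./check-anchor.sh /opt/var/lib/unbound/root.key
    st=$(anchor_status "$1") || { echo "$1: $st, running unbound-anchor" >&2; seed_anchor "$1"; }
    echo "$1: $(anchor_status "$1"), valid KSK id(s): $(valid_ksk_ids "$1" | tr '\n' ' ')"
else
    tmp=$(mktemp)
    write_sample_anchor "$tmp"
    echo "sample: $(anchor_status "$tmp"), valid KSK: $(valid_ksk_ids "$tmp" | tr '\n' ' '), stale: $(stale_ksk_count "$tmp")"
    rm -f "$tmp"
fi
```

Run it with no argument to see the constructed sample evaluated, or pass the real root.key path; when the status is not "ok" it calls unbound-anchor and then re-checks the file, which is the only reliable signal given how unbound-anchor reports its result.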
 
The returns I reported do not compromise the operation of unbound. From what I've verified, this is a communication with libunbound. I resolved by adding the logs:
Code:
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes
From what I observe, libunbound needs the logs to interact with unbound-daemon. I noticed better operation of unbound.
 
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet re-use TCP/TLS connections or send several of the privacy related options (padding, ECS privacy) etc. The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. An example minimal config is given below.

For all the doubters and naysayers concerning GETDNS and STUBBY - they are developed by NLnet Labs - the same folks who bring us Unbound, NSD, OPENDNSSEC and now GETDNS ( and STUBBY ) see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/

Yes I run GETDNS and STUBBY. For those who wish to explore GETDNS and STUBBY - this method is the one recommended by DNSPRIVACY - see here :

https://getdnsapi.net/

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound - please read this carefully - you will note that it indicates :

Unbound As A DNS TLS Client Features:
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS.

With native stubby on FW Merlin it was not possible due to dependency on dnsmasq connectivity. The idea is to maintain unbound root servers resolution. I configured unbound with stubby via entware.

Let's go!

Code:
opkg install stubby
curl -o /opt/etc/init.d/S62stubby https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/S61stubby
chmod +x /opt/etc/init.d/S62stubby
curl -o /opt/etc/stubby/stubby.yml https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/stubby.yml

unbound.conf

Code:
server:
# port to answer queries from
port: 53535

verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10

# two worker threads; the slab counts below should be a power of two close to num-threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes
outgoing-range: 8192
num-queries-per-thread: 4096
ip-ratelimit: 300
ip-ratelimit-factor: 10
incoming-num-tcp: 100
edns-buffer-size: 1472

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
infra-cache-numhosts: 100000
unwanted-reply-threshold: 10000000
max-udp-size: 3072

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
harden-algo-downgrade: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: no
target-fetch-policy: "0 0 0 0 0"
val-clean-additional: yes

# Drop privileges to the unprivileged user "nobody" and chroot into the Unbound directory
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

root-hints: "/opt/var/lib/unbound/root.hints"

trust-anchor-file: "/opt/var/lib/unbound/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5453
    forward-addr: 0::1@5453
 
But now you have no recursive lookups from Unbound. All your DNS queries are sent to Cloudflare only, but at least they are encrypted.
 
This is not the logic. Unbound will query root servers but return via stubby, without dnsmasq. It is recommended by dnsprivacy. Stubby looks like a stub-zone
Code:
[1570969319] unbound[12942:0] info: query response was nodata ANSWER
[1570969319] unbound[12942:0] info: NSEC3s for the referral proved no DS.
[1570969319] unbound[12942:0] info: Verified that unsigned response is INSECURE
[1570969319] unbound[12942:0] info: 127.0.0.1 pl-gl-aquarius-01.folha.com.br. AAAA IN NOERROR 0.235386 0 113
[1570969319] unbound[12942:0] info: 127.0.0.1 mozilla.org. AAAA IN
[1570969319] unbound[12942:0] info: resolving mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: response for mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was nodata ANSWER
[1570969320] unbound[12942:0] info: resolving org. DS IN
[1570969320] unbound[12942:0] info: response for org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS org. DS IN
[1570969320] unbound[12942:0] info: resolving org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY org. DNSKEY IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DS IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS mozilla.org. DS IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: validate(nodata): sec_status_secure
[1570969320] unbound[12942:0] info: validation success mozilla.org. AAAA IN
 
This shows unbound validating dnssec, but not doing recursive lookups. It’s an encrypted configuration, but not a recursive one.
 
Understand, there will be no recursive root server queries, that is, root queries, but trust validation continues with unbound-anchor's root.key. It will not be trusted solely on stubby servers.
Configure server randomization in stubby. Queries will alternate, avoiding any log history on certain servers.
 
The answer to the age-old question, to forward or not to forward....

Why not enable the forward-first: yes option... this will first try to forward, but if that fails it will resort to recursion... best of both worlds.
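The disagreement in the last few posts (validating but forwarding, versus recursing) can be settled from Unbound's own log rather than argued: with verbosity: 2 every answer is logged as "reply from <zone> addr#port", so the upstream addresses tell you whether Stubby or the authoritative servers answered. The script below is an added example, not from any post here and not an Unbound tool. It assumes the forwarder addresses from the unbound.conf posted above (127.0.0.1@5453 and ::1@5453); its sample log is a constructed excerpt built around the lines quoted above, plus two invented non-forwarder replies using documentation addresses (192.0.2.x).

```shell
#!/bin/sh
# Added example (not from the original posts): classify Unbound's upstream
# replies as forwarder vs. recursion and count DNSSEC validation outcomes.

FORWARDERS="127.0.0.1#5453 ::1#5453"   # forward-addr entries from the thread's unbound.conf

# Constructed sample: thread log lines plus two invented recursive replies.
sample_log() {
    cat <<'EOF'
[1570969320] unbound[12942:0] info: resolving mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: resolving org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: validated DS org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: validation success mozilla.org. AAAA IN
[1570969400] unbound[12942:0] info: reply from <.> 192.0.2.53#53
[1570969400] unbound[12942:0] info: reply from <example.> 192.0.2.54#53
[1570969400] unbound[12942:0] info: validation failure <bad.example. A IN>: no signatures from 192.0.2.54
EOF
}

# Extract the upstream addr#port of every "reply from <zone> addr#port" line on stdin.
reply_addrs() {
    sed -n 's/.*reply from <[^>]*> \([^ ]*\).*/\1/p'
}

is_forwarder() {
    for f in $FORWARDERS; do [ "$1" = "$f" ] && return 0; done
    return 1
}

# Prints "<forwarded> <recursive>" reply counts for the log on stdin.
classify_replies() {
    fwd=0; rec=0
    for a in $(reply_addrs); do
        if is_forwarder "$a"; then fwd=$((fwd + 1)); else rec=$((rec + 1)); fi
    done
    echo "$fwd $rec"
}

# forwarding-only: every answer came through Stubby, so no recursion is happening;
# recursive-only: Unbound talked to authoritative servers itself;
# mixed: both (what forward-first looks like after a forwarder failure);
# no-replies: nothing to judge from (empty log or verbosity below 2).
upstream_verdict() {
    set -- $(classify_replies)
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo no-replies
    elif [ "$2" -eq 0 ]; then echo forwarding-only
    elif [ "$1" -eq 0 ]; then echo recursive-only
    else echo mixed; fi
}

# Prints "secure=N bogus=M": answers that validated vs. answers the validator rejected.
validation_summary() {
    log=$(cat)
    s=$(printf '%s\n' "$log" | grep -c 'validation success' || true)
    b=$(printf '%s\n' "$log" | grep -c 'validation failure' || true)
    echo "secure=$s bogus=$b"
}

report() {
    log=$(cat)
    echo "upstreams used:"
    printf '%s\n' "$log" | reply_addrs | sort | uniq -c
    echo "verdict: $(printf '%s\n' "$log" | upstream_verdict)"
    printf '%s\n' "$log" | validation_summary
}

if [ $# -gt 0 ]; then
    report < "$1"          # e.g. ./unbound-upstreams.sh /opt/var/lib/unbound/unbound.log
else
    sample_log | report    # constructed sample
fi
```

On the config posted above (forward-zone "." to Stubby, with log lines showing only 127.0.0.1#5453 and ::1#5453) the verdict is forwarding-only, and the secure count confirms that validation still happens on Unbound's side, which is exactly the split both sides of the discussion describe.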
 
Good news, the new version 1.9.3 of Unbound in the Entware repo came with major improvements for adblock. There is no need for Diversion, which is focused on dnsmasq. The fewer dnsmasq features, the better for unbound. Here follows the script that I prepared.

Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'
adlist='/jffs/Adblock/adservers.txt'

echo "Removing Possible Temporary Files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist

echo "Removing Duplicate Domain list formats..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Edit list of allowed domains..."
fgrep -vf $permlist $outlist  > $finalist

echo "Generating Unbound Adlist..."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" static"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
 
Does this work well in conjunction with pi hole? And how do we add this to unbound.conf?
 
Code:
include: /jffs/Adblock/adservers.txt
It is functional in unbound version 1.9.3. Can now ignore adblock detector

There is an interesting trick to bypassing DNSSEC validation on configured NTP servers on Merlin, making synchronization faster.
Code:
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
domain-insecure: "ntp1.rnp.br"
domain-insecure: "3.br.pool.ntp.org"
 
Intercepting Google DNS traffic, rather than blocking
There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via iptables:

Code:
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x

  • 192.168.x.x/24 - Range of your LAN, example: 192.168.1.0/24
  • 192.168.x.x - The device that is running DNS i.e. router 192.168.1.1
This method essentially allows DNS requests to 8.8.8.8 or 8.8.4.4, but the request itself will be intercepted and actually resolved by a DNS server of the user's choosing, albeit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else.

DNS traffic is typically UDP based, but there are circumstances where TCP is used as well, however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose.

https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6
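An added example, not from the quoted gist and not a Merlin script, that generates the same redirect for both UDP and TCP (TCP is what clients fall back to for truncated answers, including larger DNSSEC responses, so UDP-only rules leave a gap), adds the rules with a check-before-add so that Merlin re-running firewall-start does not stack duplicates, and rejects DNS over TLS (tcp/853) to the same addresses, which cannot be rewritten transparently and would otherwise walk straight past the redirect (Android's Private DNS to dns.google is the usual case). The 192.168.1.0/24 and 192.168.1.1 values are the thread's own example numbers.

```shell
#!/bin/sh
# Added example (not from the original posts): idempotent DNS redirect rules
# for LAN clients that insist on 8.8.8.8 / 8.8.4.4, UDP and TCP, plus a DoT block.

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
    return 0
}

valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" && [ "${1#*/}" -ge 0 ] && [ "${1#*/}" -le 32 ]
}

# Usage: dns_redirect_rules LAN_CIDR RESOLVER_IP TARGET_IP...
# Prints one iptables argument string per line (no "iptables" prefix).
dns_redirect_rules() {
    lan=$1; resolver=$2; shift 2
    valid_cidr "$lan" && valid_ipv4 "$resolver" || { echo "bad LAN/resolver" >&2; return 1; }
    for dst in "$@"; do
        valid_ipv4 "$dst" || { echo "bad target $dst" >&2; return 1; }
        for proto in udp tcp; do
            # Plain DNS: rewrite the destination to the router's resolver (port included).
            echo "-t nat -A PREROUTING -s $lan -d $dst -p $proto --dport 53 -j DNAT --to-destination $resolver:53"
        done
        # DoT to the same resolver cannot be transparently redirected; reject it so the client falls back.
        echo "-t filter -I FORWARD -s $lan -d $dst -p tcp --dport 853 -j REJECT"
    done
}

# Apply with -C (check) before -A/-I so repeated firewall-start runs stay idempotent.
# Set DRY_RUN=1 to print the commands instead of executing them.
apply_rules() {
    dns_redirect_rules "$@" | while IFS= read -r rule; do
        if [ -n "${DRY_RUN:-}" ]; then echo "iptables $rule"; continue; fi
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /; s/ -I / -C /')
        iptables $check 2>/dev/null || iptables $rule
    done
}

if [ $# -ge 3 ]; then
    apply_rules "$@"      # e.g. called from /jffs/scripts/firewall-start with LAN, router IP, targets
else
    DRY_RUN=1
    apply_rules 192.168.1.0/24 192.168.1.1 8.8.8.8 8.8.4.4
fi
```

Whatever ends up answering these redirected queries must also accept them: with the Unbound config from this thread that means the LAN range has to be in access-control, otherwise the redirect turns a working Google lookup into a REFUSED one.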
 
Yeah, I do something similar using DNS Filter for specific devices I need to be segregated.
 
Script custom adblock Unbound
create custom blacklist on pastebin or other host site

Code:
#!/bin/bash
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'
adlist='/jffs/Adblock/adservers.txt'

echo "Removing Possible Temporary Files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading  CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> $tempoutlist
echo "Downloading Custom ad list..."
curl https://pastebin.com >> $tempoutlist ### create custom blacklist on pastebin or other host site

echo "Removing Duplicate Domain list formats..."
cat $tempoutlist | sed -r -e 's/[[:space:]]+/\t/g' | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > $outlist
numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Edit list of allowed domains..."
# -o overwrites the file; appending (>>) would make it grow on every run
curl --progress-bar -o /jffs/Adblock/perm.txt https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
cat /jffs/Adblock/perm.txt /jffs/Adblock/pattern.txt > $permlist
fgrep -vf $permlist $outlist  > $finalist

echo "Generating Unbound Adlist..."
cat $finalist | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" static"}' > $adlist
numberOfAdsBlocked=$(cat $adlist | wc -l | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files.."
[ -f /jffs/Adblock/adlist.tmp ] && rm -f /jffs/Adblock/adlist.tmp
[ -f /jffs/Adblock/tmp.host ] && rm -f /jffs/Adblock/tmp.host
[ -f /jffs/Adblock/tmp.finalhost ] && rm -f /jffs/Adblock/tmp.finalhost

echo "Downloading root servers DNS.."
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache

echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
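Both adblock scripts in this thread turn hosts-format lists into local-zone lines with a long grep/sed pipeline and then restart Unbound unconditionally. The script below is an added example for that conversion step, not taken from either post and not an Unbound tool: it strips CRLF and comments, accepts both hosts-file lines and bare-domain lists (the pastebin case), keeps only names that look like DNS names, removes allowlisted names by exact match (the fgrep -vf used above also removes any domain that merely contains an allowlisted string, so an allowlist entry "example.net" would also un-block "tracker.example.net"), and only restarts Unbound if unbound-checkconf accepts the result. The /jffs/Adblock paths and the S61unbound init script are the thread's; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original posts): safer hosts-list to
# local-zone conversion, with an allowlist and a config check before restart.

ADLIST="${ADLIST:-/jffs/Adblock/adservers.txt}"
UNBOUND_CONF="${UNBOUND_CONF:-/opt/var/lib/unbound/unbound.conf}"

# stdin: hosts-file or bare-domain lines -> stdout: lowercase domains, sorted, unique.
hosts_to_domains() {
    awk '{
        sub(/\r$/, ""); sub(/#.*/, "")
        if (NF == 0) next
        if ($1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|::)$/) { for (i = 2; i <= NF; i++) print $i }
        else if (NF == 1) print $1
    }' | tr 'A-Z' 'a-z' |
    LC_ALL=C grep -E '^([a-z0-9_]([a-z0-9_-]*[a-z0-9_])?\.)+[a-z][a-z0-9-]*$' |
    LC_ALL=C grep -vxE 'localhost\.localdomain|broadcasthost|ip6-[a-z]+' |
    LC_ALL=C sort -u
}

# stdin: domains; $1: allowlist file, one exact domain per line (whole-line match only).
apply_allowlist() {
    if [ -s "$1" ]; then LC_ALL=C grep -vxFf "$1" || true; else cat; fi
}

# stdin: domains -> unbound local-zone lines. "static" answers NXDOMAIN for the
# name and everything below it, which is the form used in this thread.
to_local_zone() {
    awk 'NF { printf "local-zone: \"%s\" static\n", $1 }'
}

# Build ADLIST from a hosts file and an allowlist; restart Unbound only if the
# config (which include:s ADLIST) still parses, otherwise restore the old list.
install_adlist() {
    hosts=$1; allow=$2
    [ -f "$ADLIST" ] && cp "$ADLIST" "$ADLIST.bak"
    hosts_to_domains < "$hosts" | apply_allowlist "$allow" | to_local_zone > "$ADLIST"
    if unbound-checkconf "$UNBOUND_CONF" >/dev/null; then
        echo "$(wc -l < "$ADLIST") domains blocked"
        /opt/etc/init.d/S61unbound restart
    else
        echo "unbound-checkconf rejected the new list, restoring the previous one" >&2
        [ -f "$ADLIST.bak" ] && mv "$ADLIST.bak" "$ADLIST"
        return 1
    fi
}

# Constructed sample of a hosts-format blocklist with the usual noise in it.
demo_input() {
    cat <<'EOF'
# constructed sample
0.0.0.0 0.0.0.0
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
0.0.0.0 a.example b.example
bare-domain.example
0.0.0.0 bad!host.example
EOF
}

if [ $# -eq 2 ]; then
    install_adlist "$1" "$2"   # e.g. ./adlist.sh /jffs/Adblock/tmp.host /jffs/Adblock/adpermitidos.txt
else
    demo_input | hosts_to_domains | to_local_zone
fi
```

The lists are downloaded the same way as in the scripts above; this only replaces the "Removing Duplicate Domain list formats", allowlist and "Generating Unbound Adlist" steps and the unconditional restart.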
 