Any special instructions with default RMerlin settings, i.e. should DoT be disabled/enabled, and using Diversion/Skynet, and what default settings do you recommend using and/or not using?
The unbound-host is new. A tool similar to bind-utils.
> Any special instructions with default RMerlin settings, i.e. should DoT be disabled/enabled, and using Diversion/Skynet, and what default settings do you recommend using and/or not using?
#!/bin/sh
# dnsmasq.postconf: if Unbound is running, make dnsmasq forward everything to it
# and leave DNSSEC validation to Unbound.
# Commented out here in case others do not use Diversion
#. /opt/share/diversion/file/post-conf.div # Added by Diversion
CONFIG=$1
. /usr/sbin/helper.sh
if [ -n "$(pidof unbound)" ]; then
    # Find the loopback UDP address:port Unbound listens on and turn it into dnsmasq's addr#port form
    UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
    if [ -n "$UNBOUNDLISTENADDR" ]; then
        # Remove dnsmasq's own upstream list and DNSSEC settings; Unbound handles both
        pc_delete "servers-file" "$CONFIG"
        pc_delete "no-negcache" "$CONFIG"
        pc_delete "trust-anchor=" "$CONFIG"
        pc_delete "dnssec" "$CONFIG"
        # No dnsmasq cache: Unbound already caches
        pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
        pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
        # Pass the AD bit set by Unbound through to clients
        pc_append "proxy-dnssec" "$CONFIG"
    fi
fi
unbound-host -C /opt/var/lib/unbound/unbound.conf asuswrt-merlin.net
[1570553617] libunbound[4112:0] notice: init module 0: validator
[1570553617] libunbound[4112:0] error: unable to open /root.key for reading: No such file or directory
[1570553617] libunbound[4112:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553617] libunbound[4112:0] error: validator: error in trustanchors config
[1570553617] libunbound[4112:0] error: validator: could not apply configuration settings.
[1570553617] libunbound[4112:0] error: module init for module validator failed
resolve error: initialization failure
unbound-anchor -C /opt/var/lib/unbound/unbound.conf
[1570553710] libunbound[4162:0] notice: init module 0: validator
[1570553710] libunbound[4162:0] error: unable to open /root.key for reading: No such file or directory
[1570553710] libunbound[4162:0] error: error reading auto-trust-anchor-file: /opt/var/lib/unbound/root.key
[1570553710] libunbound[4162:0] error: validator: error in trustanchors config
[1570553710] libunbound[4162:0] error: validator: could not apply configuration settings.
[1570553710] libunbound[4162:0] error: module init for module validator failed
Maybe it works, but not certain how to establish trust if we don't seed a proper root.key file with "unbound-anchor -a /opt/var/lib/unbound/root.key".
@dave14305 look
Still, unbound works with DNSSEC.
Match the commands I listed: "unbound-anchor -a /opt/var/lib/unbound/root.key".
> Maybe it works, but not certain how to establish trust if we don't seed a proper root.key file with "unbound-anchor -a /opt/var/lib/unbound/root.key".
The returns I reported do not compromise the operation of unbound. From what I've verified, this is a communication with libunbound. I resolved it by adding the logs:
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes
opkg install stubby
curl -o /opt/etc/init.d/S62stubby https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/S61stubby
chmod +x /opt/etc/init.d/S62stubby
curl -o /opt/etc/stubby/stubby.yml https://raw.githubusercontent.com/Xentrk/Stubby-Installer-Asuswrt-Merlin/master/stubby.yml
server:
  # port to answer queries from (dnsmasq forwards here)
  port: 53535
  verbosity: 2
  logfile: "/opt/var/lib/unbound/unbound.log"
  log-queries: yes
  log-replies: yes
  do-ip4: yes
  do-ip6: yes
  do-udp: yes
  do-tcp: yes
  # don't be picky about interfaces but consider your firewall
  interface: 0.0.0.0
  interface: ::0
  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: 10.0.0.0/24 allow
  access-control: 192.168.1.0/24 allow
  access-control: ::0/0 refuse
  access-control: ::1 allow
  # private networks: answers containing these addresses are stripped (rebind protection)
  private-address: 127.0.0.0/8
  private-address: 169.254.0.0/16
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: fd00::/8
  private-address: fe80::/10
  # two threads; slab counts are a power of two close to the thread count
  num-threads: 2
  msg-cache-slabs: 4
  rrset-cache-slabs: 4
  infra-cache-slabs: 4
  key-cache-slabs: 4
  so-reuseport: yes
  outgoing-range: 8192
  num-queries-per-thread: 4096
  ip-ratelimit: 300
  ip-ratelimit-factor: 10
  incoming-num-tcp: 100
  edns-buffer-size: 1472
  # small memory cache
  key-cache-size: 16m
  msg-cache-size: 8m
  rrset-cache-size: 8m
  cache-min-ttl: 3600
  cache-max-ttl: 86400
  infra-cache-numhosts: 100000
  unwanted-reply-threshold: 10000000
  max-udp-size: 3072
  # prefetch
  prefetch: yes
  prefetch-key: yes
  minimal-responses: yes
  # hide server identity and harden responses
  hide-identity: yes
  hide-version: yes
  hide-trustanchor: yes
  # must be "no" here: the forward-zone below points at Stubby on localhost
  do-not-query-localhost: no
  qname-minimisation: yes
  harden-glue: yes
  harden-below-nxdomain: yes
  harden-algo-downgrade: yes
  harden-dnssec-stripped: yes
  harden-referral-path: yes
  use-caps-for-id: no
  target-fetch-policy: "0 0 0 0 0"
  val-clean-additional: yes
  # Jail Unbound in /opt/var/lib/unbound and drop privileges to user "nobody"
  username: "nobody"
  directory: "/opt/var/lib/unbound"
  chroot: "/opt/var/lib/unbound"
  # The pid file
  pidfile: "/opt/var/run/unbound.pid"
  root-hints: "/opt/var/lib/unbound/root.hints"
  trust-anchor-file: "/opt/var/lib/unbound/root.key"

remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  control-port: 953
  server-key-file: "/opt/var/lib/unbound/unbound_server.key"
  server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
  control-key-file: "/opt/var/lib/unbound/unbound_control.key"
  control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

# everything goes to Stubby (DNS over TLS) listening on localhost port 5453
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5453
  forward-addr: 0::1@5453
> These are the reasons I choose to use GETDNS and STUBBY with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS.
But now you have no recursive lookups from Unbound. All your DNS queries are sent to Cloudflare only, but at least they are encrypted.
With native Stubby on FW Merlin it was not possible due to the dependency on dnsmasq connectivity. The idea is to maintain Unbound root server resolution. I configured Unbound with Stubby via Entware.
> But now you have no recursive lookups from Unbound. All your DNS queries are sent to Cloudflare only, but at least they are encrypted.
This is not the logic. Unbound will query the root servers but return via Stubby, without dnsmasq. It is recommended by dnsprivacy. Stubby looks like a stub-zone.
[1570969319] unbound[12942:0] info: query response was nodata ANSWER
[1570969319] unbound[12942:0] info: NSEC3s for the referral proved no DS.
[1570969319] unbound[12942:0] info: Verified that unsigned response is INSECURE
[1570969319] unbound[12942:0] info: 127.0.0.1 pl-gl-aquarius-01.folha.com.br. AAAA IN NOERROR 0.235386 0 113
[1570969319] unbound[12942:0] info: 127.0.0.1 mozilla.org. AAAA IN
[1570969319] unbound[12942:0] info: resolving mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: response for mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was nodata ANSWER
[1570969320] unbound[12942:0] info: resolving org. DS IN
[1570969320] unbound[12942:0] info: response for org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS org. DS IN
[1570969320] unbound[12942:0] info: resolving org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY org. DNSKEY IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DS IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DS mozilla.org. DS IN
[1570969320] unbound[12942:0] info: resolving mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: response for mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: query response was ANSWER
[1570969320] unbound[12942:0] info: validated DNSKEY mozilla.org. DNSKEY IN
[1570969320] unbound[12942:0] info: validate(nodata): sec_status_secure
[1570969320] unbound[12942:0] info: validation success mozilla.org. AAAA IN
> This is not the logic. Unbound will query the root servers but return via Stubby, without dnsmasq. It is recommended by dnsprivacy. Stubby looks like a stub-zone.
This shows unbound validating DNSSEC, but not doing recursive lookups. It's an encrypted configuration, but not a recursive one.
> This shows unbound validating DNSSEC, but not doing recursive lookups. It's an encrypted configuration, but not a recursive one.
Understood: there will be no recursive root server queries, that is, root queries, but trust validation continues with unbound-anchor's root.key. Trust will not rest solely on the Stubby servers.
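As an added illustration (not from any post in this thread): a small Python checker that reads Unbound verbosity-2 log lines of the shape posted above and reports whether each "reply from" came from the local Stubby forwarder (loopback on port 5453, as in the posted forward-zone) or from an authoritative server, together with the DNSSEC validation outcomes. The sample lines are constructed; the reply from <org.> at 192.0.2.53 is invented to show what a recursive reply looks like.

```python
"""Classify Unbound verbosity-2 log lines: forwarder vs. recursive replies, DNSSEC outcomes."""
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the log posted above. The reply from <org.> at
# 192.0.2.53 (a documentation address) is invented to show the recursive case.
SAMPLE_LOG = """\
[1570969320] unbound[12942:0] info: resolving mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: response for mozilla.org. AAAA IN
[1570969320] unbound[12942:0] info: reply from <.> ::1#5453
[1570969320] unbound[12942:0] info: response for org. DS IN
[1570969320] unbound[12942:0] info: reply from <.> 127.0.0.1#5453
[1570969320] unbound[12942:0] info: validated DS org. DS IN
[1570969320] unbound[12942:0] info: reply from <org.> 192.0.2.53#53
[1570969320] unbound[12942:0] info: validate(nodata): sec_status_secure
[1570969320] unbound[12942:0] info: validation success mozilla.org. AAAA IN
[1570969319] unbound[12942:0] info: Verified that unsigned response is INSECURE
"""

REPLY_RE = re.compile(r"info: reply from <(?P<zone>[^>]*)> (?P<src>\S+)$")
STUBBY_PORT = 5453  # assumption: the port the posted forward-zone sends to


def parse_reply(line):
    """Return (zone, ip, port) for a 'reply from <zone> addr#port' line, else None."""
    m = REPLY_RE.search(line.rstrip())
    if not m:
        return None
    addr, _, port = m.group("src").rpartition("#")  # IPv6 has ':' so split on '#'
    try:
        return m.group("zone"), ipaddress.ip_address(addr), int(port)
    except ValueError:
        return None


def is_forwarder_reply(ip, port, forwarder_port=STUBBY_PORT):
    """Replies from loopback on the Stubby port travelled over DoT, not to the internet."""
    return ip.is_loopback and port == forwarder_port


def summarize(log_text, forwarder_port=STUBBY_PORT):
    """Count forwarded vs. recursive replies and validation results, and name the mode."""
    counts = Counter()
    recursive_zones = set()
    for line in log_text.splitlines():
        reply = parse_reply(line)
        if reply:
            zone, ip, port = reply
            if is_forwarder_reply(ip, port, forwarder_port):
                counts["forwarded"] += 1
            else:
                counts["recursive"] += 1
                recursive_zones.add(zone)
        elif "info: validation success" in line:
            counts["secure"] += 1
        elif "unsigned response is INSECURE" in line:
            counts["insecure"] += 1
        elif "info: validation failure" in line:
            counts["bogus"] += 1
    if counts["forwarded"] and not counts["recursive"]:
        mode = "forward-only"      # what the posted log shows: every reply via Stubby
    elif counts["recursive"] and not counts["forwarded"]:
        mode = "recursive"
    elif counts["recursive"]:
        mode = "mixed"
    else:
        mode = "no-replies"
    result = {k: counts[k] for k in ("forwarded", "recursive", "secure", "insecure", "bogus")}
    result.update(mode=mode, recursive_zones=sorted(recursive_zones))
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over the real /opt/var/lib/unbound/unbound.log; a forward-only result with secure validations is exactly the "encrypted but not recursive" state discussed above.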
#!/bin/bash
# Build an Unbound local-zone blocklist (adservers.txt) from several hosts-format lists.
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'   # allowed domains; fgrep matches them as fixed substrings
adlist='/jffs/Adblock/adservers.txt'        # output, included from unbound.conf
echo "Removing possible temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"
# fgrep -f fails on a missing file, which would empty the final list
[ -f "$permlist" ] || touch "$permlist"
echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Removing duplicate domain list formats..."
# Normalise whitespace, drop comments and stray characters, dedupe, strip CR, prefix the sink address
sed -r -e 's/[[:space:]]+/\t/g' "$tempoutlist" | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > "$outlist"
numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Applying list of allowed domains..."
fgrep -vf "$permlist" "$outlist" > "$finalist"
echo "Generating Unbound adlist..."
grep '^0\.0\.0\.0' "$finalist" | awk '{print "local-zone: \""$2"\" static"}' > "$adlist"
numberOfAdsBlocked=$(wc -l < "$adlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Removing temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
> Good news, the new version 1.9.3 of the Entware Unbound package came with major improvements in adblock. There is no need for Diversion, which is focused on dnsmasq. The fewer dnsmasq features, the better for Unbound. The script that I prepared follows.
Does this work well in conjunction with Pi-hole? And how do we add this to unbound.conf?
> Does this work well in conjunction with Pi-hole?
The generated format is for Unbound. Pi-hole has a format similar to Diversion.
> And how do we add this to unbound.conf?
include: /jffs/Adblock/adservers.txt
# DNSSEC
module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
domain-insecure: "ntp1.rnp.br"
domain-insecure: "3.br.pool.ntp.org"
> Intercepting Google DNS traffic, rather than blocking
> There are several reports that some Google based devices like Android tablets don't seem to like having the Google public DNS resolvers sinkholed. If you experience problems streaming with devices like Chromecasts, Google tablets etc. after blocking Google DNS requests, you might want to instead intercept the requests rather than block them. This can also be achieved via iptables:
> iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.x.x
> iptables -t nat -A PREROUTING -s 192.168.x.x/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.x.x
> This method essentially allows DNS requests to 8.8.8.8 or 8.8.4.4, but the request itself will be intercepted and actually resolved by a DNS server of the user's choosing, albeit transparently. You can run the Google DNS test example if you apply this method and confirm that no AAAA records are returned, because the DNS server used was actually something else.
> - 192.168.x.x/24 - Range of your LAN, example: 192.168.1.0/24
> - 192.168.x.x - The device that is running DNS, i.e. router 192.168.1.1
> DNS traffic is typically UDP based, but there are circumstances where TCP is used as well; however, it is unlikely any Google DNS request will be using TCP, hence why the rules above only target UDP and should be fine for this purpose.
> https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6
Yeah, I do something similar using DNS Filter for specific devices I need to be segregated.
#!/bin/bash
# Variant of the adblock script above: adds a custom list, a downloaded allowlist and a root hints refresh.
destinationIP="0.0.0.0"
tempoutlist="/jffs/Adblock/adlist.tmp"
outlist='/jffs/Adblock/tmp.host'
finalist='/jffs/Adblock/tmp.finalhost'
permlist='/jffs/Adblock/adpermitidos.txt'   # merged allowlist; fgrep matches entries as fixed substrings
adlist='/jffs/Adblock/adservers.txt'        # output, included from unbound.conf
echo "Removing possible temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"
echo "Downloading StevenBlack ad list..."
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading AntiSocial ad list..."
curl --progress-bar https://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading StreamingAds ad list..."
curl --progress-bar https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading CoinBlockerLists ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading CoinBlockerLists Browser ad list..."
curl --progress-bar https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_browser | grep -v "#" | grep -v "::1" | grep -v "0.0.0.0 0.0.0.0" | sed '/^$/d' | sed 's/\ /\\ /g' | awk '{print $2}' | grep -v '^\\' | grep -v '\\$'| sort >> "$tempoutlist"
echo "Downloading custom ad list..."
curl https://pastebin.com >> "$tempoutlist" ### replace with the URL of your own blacklist on pastebin or another host site
echo "Removing duplicate domain list formats..."
sed -r -e 's/[[:space:]]+/\t/g' "$tempoutlist" | sed -e 's/\t*#.*$//g' | sed -e 's/[^a-zA-Z0-9\.\_\t\-]//g' | sed -e 's/\t$//g' | sed -e '/^#/d' | sort -u | sed '/^$/d' | awk -v "IP=$destinationIP" '{sub(/\r$/,""); print IP" "$0}' > "$outlist"
numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Applying list of allowed domains..."
# Overwrite (not append) so perm.txt does not grow with every run
curl --progress-bar https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt > /jffs/Adblock/perm.txt
[ -f /jffs/Adblock/pattern.txt ] || touch /jffs/Adblock/pattern.txt   # your own allow patterns
cat /jffs/Adblock/perm.txt /jffs/Adblock/pattern.txt > "$permlist"
fgrep -vf "$permlist" "$outlist" > "$finalist"
echo "Generating Unbound adlist..."
grep '^0\.0\.0\.0' "$finalist" | awk '{print "local-zone: \""$2"\" static"}' > "$adlist"
numberOfAdsBlocked=$(wc -l < "$adlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"
echo "Removing temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"
echo "Downloading root hints..."
curl -o /opt/var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
echo "Restarting DNS servers..."
/opt/etc/init.d/S61unbound restart
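An added example, not code from either adblock script above: the same hosts-to-local-zone conversion both scripts do, written in Python so each step is explicit. It parses hosts-format and bare-domain lines, drops localhost and sink entries, rejects malformed names instead of silently stripping characters, and applies the allowlist as fixed substrings the way fgrep -vf does, which means allowing example.com also allows every name containing it. The sample list and allowlist are constructed.

```python
"""Convert hosts-format blocklists into Unbound local-zone lines (added example)."""
import re

# Constructed sample in the hosts format the downloaded lists use: a case duplicate,
# a malformed "-leading" name, a trailing comment and a CRLF line to show tolerance.
SAMPLE_HOSTS = (
    "# Title: example blocklist (constructed)\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "0.0.0.0 0.0.0.0\n"
    "0.0.0.0 ads.example.com  # trailing comment\n"
    "0.0.0.0 tracker.example.net\r\n"
    "0.0.0.0 ADS.EXAMPLE.COM\n"
    "0.0.0.0 bad_host.example.org\n"
    "0.0.0.0 -leading.example.com\n"
    "0.0.0.0 www.example.com\n"
    "analytics.example.com\n"
)
# Constructed allowlist; entries match as substrings, like fgrep -vf in the scripts.
SAMPLE_ALLOWLIST = ["www.example.com", "example.org"]

SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}          # addresses blocklists point names at
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "0.0.0.0", "ip6-localhost", "ip6-loopback"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")   # underscore kept, as the sed filter does


def valid_hostname(name):
    """Two or more labels, each 1-63 chars, no leading/trailing hyphen, at most 253 total."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def parse_hosts(text):
    """Yield unique lowercase domains from hosts-format or bare-domain lines."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments, CR and padding
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_IPS:
            names = fields[1:]                  # "0.0.0.0 host [alias ...]"
        elif len(fields) == 1:
            names = fields                      # plain domain list
        else:
            continue                            # a real address mapping, not a block entry
        for name in names:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or name in seen or not valid_hostname(name):
                continue
            seen.add(name)
            yield name


def apply_allowlist(domains, allow):
    """Remove any domain containing an allowlist entry as a substring (fgrep -vf semantics)."""
    allow = [a.strip().lower() for a in allow if a.strip()]
    return [d for d in domains if not any(a in d for a in allow)]


def to_local_zones(domains, action="static"):
    """Format as unbound.conf lines, the shape the scripts write to adservers.txt."""
    return [f'local-zone: "{d}" {action}' for d in domains]


def build_adlist(hosts_text, allow=()):
    return to_local_zones(apply_allowlist(parse_hosts(hosts_text), allow))


if __name__ == "__main__":
    print("\n".join(build_adlist(SAMPLE_HOSTS, SAMPLE_ALLOWLIST)))
```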