DNS

Unbound

Use a local DNS proxy server to:

  • improve name resolution speed

  • hide unwanted websites

  • redirect names to specific local addresses

[Figure: Hblock in action]

See also

  • Unbound [1]

  • dnscrypt-proxy 2 [2]

  • hblock [3]

  • hmirror [4]

  1. install the dependencies

    apt-get install git bash unbound dnscrypt-proxy python3-requests python3-yaml make
    
  2. install fpyutils. See reference

  3. configure dnscrypt-proxy

    /etc/dnscrypt-proxy/dnscrypt-proxy.toml

    # Comments removed for readability purposes.
    listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
    server_names = ['cleanbrowsing-adult']
    max_clients = 250
    ipv4_servers = true
    ipv6_servers = false
    dnscrypt_servers = true
    doh_servers = true
    require_dnssec = false
    require_nolog = true
    require_nofilter = true
    force_tcp = false
    timeout = 5000
    keepalive = 30
    use_syslog = true
    cert_refresh_delay = 1440
    ignore_system_dns = true
    netprobe_timeout = 60
    netprobe_address = '9.9.9.9:53'
    log_files_max_size = 10
    log_files_max_age = 7
    log_files_max_backups = 1
    block_ipv6 = false
    cache = true
    cache_size = 4096
    cache_min_ttl = 2400
    cache_max_ttl = 86400
    cache_neg_min_ttl = 60
    cache_neg_max_ttl = 600

    [query_log]
      file = '/var/log/dnscrypt-proxy/query.log'
      format = 'tsv'

    [nx_log]
      file = '/var/log/dnscrypt-proxy/nx.log'
      format = 'tsv'

    [sources]
      [sources.'public-resolvers']
      url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
      cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      refresh_delay = 72
      prefix = ''
    
  4. restart the dnscrypt-proxy service

    systemctl restart dnscrypt-proxy
    
  5. create the jobs directories. See reference

    mkdir -p /home/jobs/{scripts,services}/by-user/root
    
  6. clone the hblock repository

    pushd /home/jobs/scripts/by-user/root
    git clone https://software.franco.net.eu.org/mirrors-shell/hblock.git
    popd
    
  7. create the script

    /home/jobs/scripts/by-user/root/hblock_unbound.py

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    #
    # hblock_unbound.py
    #
    # The MIT License (MIT)
    #
    # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
    # Copyright © 2019 Héctor Molinero Fernández
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in all
    # copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    # SOFTWARE.
    r"""Filter domains."""

    import shlex
    import sys

    import fpyutils
    import yaml

    if __name__ == '__main__':
        # Paths handed to open() are used unquoted: shlex.quote() is only for
        # values that are interpolated into a shell command string.
        configuration_file = sys.argv[1]
        with open(configuration_file, 'r') as f:
            config = yaml.load(f, Loader=yaml.SafeLoader)
        header_file = shlex.quote(config['files']['header'])
        footer_file = shlex.quote(config['files']['footer'])
        output_file = shlex.quote(config['files']['output'])
        sources_file = shlex.quote(config['files']['sources'])
        post_commands_file = config['files']['post_commands']
        hblock_root_directory = shlex.quote(
            config['files']['hblock_root_directory'])

        # Update the source code and the block lists.
        command = 'make -C ' + hblock_root_directory + ' clean && git -C ' + hblock_root_directory + ' pull'
        fpyutils.shell.execute_command_live_output(command)

        # Use unicode to avoid quotes mess.
        template = shlex.quote('local-zone: "%D" redirect' + '\u000A' +
                               'local-data: "%D A %R"')
        command = ('pushd ' + hblock_root_directory + '; ./hblock --template ' +
                   template + ' --comment "#" --header ' + header_file +
                   ' --footer ' + footer_file + ' --output ' + output_file +
                   ' --sources ' + sources_file +
                   ' ./resources/alt-formats/unbound.conf.sh; popd')
        fpyutils.shell.execute_command_live_output(command)

        # Run every line of the post commands file as a shell command.
        # Reading stops at the first empty line or at the end of the file.
        with open(post_commands_file, 'r') as f:
            line = f.readline().rstrip('\n')
            while line:
                fpyutils.shell.execute_command_live_output(line)
                line = f.readline().rstrip('\n')

        # Send the notifications that are enabled in the configuration file.
        message = 'hblock unbound completed'
        if config['notify']['gotify']['enabled']:
            m = config['notify']['gotify']['message'] + '\n' + message
            fpyutils.notify.send_gotify_message(
                config['notify']['gotify']['url'],
                config['notify']['gotify']['token'], m,
                config['notify']['gotify']['title'],
                config['notify']['gotify']['priority'])
        if config['notify']['email']['enabled']:
            fpyutils.notify.send_email(message,
                                       config['notify']['email']['smtp_server'],
                                       config['notify']['email']['port'],
                                       config['notify']['email']['sender'],
                                       config['notify']['email']['user'],
                                       config['notify']['email']['password'],
                                       config['notify']['email']['receiver'],
                                       config['notify']['email']['subject'])
    
  8. create a configuration file

    /home/jobs/scripts/by-user/root/hblock_unbound.yaml

    #
    # hblock_unbound.yaml
    #
    # The MIT License (MIT)
    #
    # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
    # Copyright © 2019 Héctor Molinero Fernández
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in all
    # copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    # SOFTWARE.

    files:
        sources: '/home/jobs/scripts/by-user/root/hblock_unbound_list.txt'
        header: '/home/jobs/scripts/by-user/root/hblock_unbound.header.conf'
        footer: '/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf'
        output: '/etc/unbound/unbound.conf'
        post_commands: '/home/jobs/scripts/by-user/root/hblock_unbound.post_commands.conf'
        hblock_root_directory: '/home/jobs/scripts/by-user/root/hblock'

    notify:
        email:
            enabled: true
            smtp_server: 'smtp.gmail.com'
            port: 465
            sender: 'myusername@gmail.com'
            user: 'myusername'
            password: 'my awesome password'
            receiver: 'myusername@gmail.com'
            subject: 'hblock unbound'
        gotify:
            enabled: true
            url: '<gotify url>'
            token: '<app token>'
            title: 'hblock unbound'
            message: 'hblock unbound completed'
            priority: 5
    
  9. create the hblock header file

    /home/jobs/scripts/by-user/root/hblock_unbound.header.conf

    server:
      interface: 0.0.0.0@53
      use-syslog: yes
      username: "unbound"
      directory: "/etc/unbound"

      # Subnet.
      access-control: 192.168.0.0/24 allow

      cache-min-ttl: 3600
      num-threads: 4
      outgoing-range: 200
      do-daemonize: no

      # DISABLE IPv6.
      # https://community.nethserver.org/t/solved-unbound-service-problem-service-doesnt-start/11086/2
      do-ip6: no
      do-not-query-localhost: no

    # Router.
    local-zone: "fritz.box." redirect
    local-data: "fritz.box. A 192.168.0.1"

    # Static censorship.
    local-zone: "play.google.com." redirect
    local-data: "play.google.com. A 0.0.0.0"
    local-zone: "apple.com." redirect
    local-data: "apple.com. A 0.0.0.0"

    # Local address redirect.
    local-data: "server. 31536000 IN A 192.168.0.3"
    local-data: "myotherserver. 31536000 IN A 192.168.0.4"
    
  10. create the hblock footer file

    /home/jobs/scripts/by-user/root/hblock_unbound.footer.conf

    forward-zone:
        name: "."

        # IPv6.
        #     forward-addr: ::1@53000
        forward-addr: 127.0.0.1@53000

        # Fallback to use in case dnscrypt-proxy doesn't work.
        #     forward-addr: 8.8.8.8
    
  11. configure your hblock lists

    /home/jobs/scripts/by-user/root/hblock_unbound_list.txt

    # Default lists.
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adaway.org/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adblock-nocoin-list/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-cname-trackers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-simplified/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/antipopads/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-adservers/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-coinminer/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-facebook/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/blocklist.kowabit.de/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dandelionsprout-nordic/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/digitalside-threat-intel/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-ad/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malvertising/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malware/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-tracking/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-high/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-low/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-medium/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ara/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-bul/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ces-slk/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-deu/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-fra/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-heb/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ind/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ita/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-kor/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lav/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lit/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-nld/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-por/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-rus/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-spa/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-zho/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easyprivacy/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/eth-phishing-detect/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.2o7net/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.dead/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.risk/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.spam/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-annoyance/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-cookiemonster/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/gfrogeye-firstparty-trackers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/hostsvn/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kadhosts/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kowabit.de-kwbtlist/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/lightswitch05-ads-and-tracking/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomainlist.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-immortaldomains/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-justdomains/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/matomo.org-spammers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mitchellkrogza-badd-boyz-hosts/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/molinero.dev/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-advertising/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-analytics/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/pgl.yoyo.org/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army-extended/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ransomwaretracker.abuse.ch/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/socram8888-notonmyshift/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/someonewhocares.org/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/spam404.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stevenblack/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stopforumspam.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-abuse/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-annoyances/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-badware/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-privacy/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/urlhaus/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/winhelp2002.mvps.org/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-browser/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-optional/list.txt

    # Personal lists.
    https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/mozilla/list.txt
    https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/xiaomi/list.txt
    
  12. use this Systemd service unit file

    /home/jobs/services/by-user/root/hblock-unbound.service

    [Unit]
    Description=Update hblock and patch unbound rules
    Requires=network-online.target
    After=network-online.target

    [Service]
    Type=simple
    ExecStart=/home/jobs/scripts/by-user/root/hblock_unbound.py /home/jobs/scripts/by-user/root/hblock_unbound.yaml
    User=root
    Group=root
    
  13. fix the permissions

    chmod 700 /home/jobs/scripts/by-user/root/hblock_unbound.*
    chmod 700 -R /home/jobs/services/by-user/root
    
  14. run the deploy script

Important

In case something goes wrong with the deployment you can use these fallback commands:

    pushd /home/jobs/scripts/by-user/root
    cat hblock_unbound.header.conf hblock_unbound.footer.conf > /etc/unbound/unbound.conf
    popd
    systemctl restart unbound
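
A pre-deployment check for the file generated in step 7, added here as an example (it is not part of the original tutorial or of hblock): it accepts only header lines, footer lines, comments and the `local-zone`/`local-data` pair produced by the script's template, and reports everything else. The function name, the sample data, the `0.0.0.0` sinkhole address and the assumption that hblock copies header and footer lines unchanged into the output are this example's own.

```python
import re

# One DNS name: dot-separated labels of 1-63 characters, optional final dot.
LABEL = r'[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?'
NAME = rf'(?:{LABEL}\.)*{LABEL}\.?'
# The two lines that the template in hblock_unbound.py yields per domain.
ZONE_RE = re.compile(rf'local-zone: "({NAME})" redirect', re.IGNORECASE)
DATA_RE = re.compile(rf'local-data: "({NAME}) A ([0-9.]+)"', re.IGNORECASE)
# First quoted token of any local-zone/local-data line (used on the header).
HEADER_NAME_RE = re.compile(r'local-(?:zone|data): "([^"\s]+)', re.IGNORECASE)


def check_generated(output, header, footer, sinkhole='0.0.0.0'):
    """Return problems found in a generated unbound.conf (sinkhole is assumed)."""
    trusted = {line.strip() for line in (header + '\n' + footer).splitlines()}
    reserved = {n.rstrip('.').lower() for n in HEADER_NAME_RE.findall(header)}
    problems = []
    pending = None  # local-zone name still waiting for its local-data line
    for number, raw in enumerate(output.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#') or line in trusted:
            continue
        zone, data = ZONE_RE.fullmatch(line), DATA_RE.fullmatch(line)
        if zone and pending is None:
            pending = zone.group(1)
            if pending.rstrip('.').lower() in reserved:
                problems.append(f'{number}: shadows header name {pending}')
        elif data and pending == data.group(1):
            if data.group(2) != sinkhole:
                problems.append(f'{number}: address {data.group(2)}')
            pending = None
        else:
            problems.append(f'{number}: unexpected line: {line}')
            pending = None
    if pending is not None:
        problems.append(f'end: local-zone {pending} has no local-data')
    return problems


# Constructed sample input, shortened from the header and footer of this page.
SAMPLE_HEADER = '''server:
  interface: 0.0.0.0@53
local-zone: "fritz.box." redirect
local-data: "fritz.box. A 192.168.0.1"
'''
SAMPLE_FOOTER = '''forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53000
'''
GOOD_BODY = '''local-zone: "ads.example" redirect
local-data: "ads.example A 0.0.0.0"
'''
BAD_BODY = '''local-zone: "fritz.box" redirect
local-data: "fritz.box A 0.0.0.0"
local-zone: "tracker.example" redirect
local-data: "tracker.example A 203.0.113.7"
local-zone: "cut.example" redirect
local-data: "cut.example A
'''

if __name__ == '__main__':
    for body in (GOOD_BODY, BAD_BODY):
        text = SAMPLE_HEADER + body + SAMPLE_FOOTER
        print(check_generated(text, SAMPLE_HEADER, SAMPLE_FOOTER))
```

Run it on the generated file before `systemctl restart unbound`, next to `unbound-checkconf`: that tool checks syntax, while this check covers lines and addresses that a block list should never produce.
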

[1] https://nlnetlabs.nl/projects/unbound/about/ BSD 3-Clause License, Copyright (c) 2007, NLnet Labs. All rights reserved

[2] https://github.com/jedisct1/dnscrypt-proxy ISC License, Copyright (c) 2018-2022, Frank Denis <j at pureftpd dot org>

[3] https://github.com/hectorm/hblock MIT, Copyright © 2022, Héctor Molinero Fernández

[4] https://github.com/hectorm/hmirror MIT, Copyright © 2022, Héctor Molinero Fernández