DNS#

Unbound#

Use a local DNS proxy server to:

  • improve name resoultion speed

  • hide unwanted websites

  • redirect names to specific local addresses

../../_images/hblock_unbound_0.png

Hblock in action#

See also

  1. install the dependencies

    apt-get install git bash unbound dnscrypt-proxy python3-requests python3-yaml make
    
  2. install fpyutils. See reference

  3. configure dnscrypt-proxy

    /etc/dnscrypt-proxy/dnscrypt-proxy.toml#
    # Comments removed for readability purposes.
    listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
    server_names = ['cleanbrowsing-adult']
    max_clients = 250
    ipv4_servers = true
    ipv6_servers = false
    dnscrypt_servers = true
    doh_servers = true
    require_dnssec = false
    require_nolog = true
    require_nofilter = true
    force_tcp = false
    timeout = 5000
    keepalive = 30
    use_syslog = true
    cert_refresh_delay = 1440
    ignore_system_dns = true
    netprobe_timeout = 60
    netprobe_address = '9.9.9.9:53'
    log_files_max_size = 10
    log_files_max_age = 7
    log_files_max_backups = 1
    block_ipv6 = false
    cache = true
    cache_size = 4096
    cache_min_ttl = 2400
    cache_max_ttl = 86400
    cache_neg_min_ttl = 60
    cache_neg_max_ttl = 600
    
    [query_log]
      file = '/var/log/dnscrypt-proxy/query.log'
      format = 'tsv'
    
    [nx_log]
      file = '/var/log/dnscrypt-proxy/nx.log'
      format = 'tsv'
    
    [sources]
      [sources.'public-resolvers']
      url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
      cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
      minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
      refresh_delay = 72
      prefix = ''
    
  4. restart the dnscrypt-proxy service

    systemctl restart dnscrypt-proxy
    
  5. create the jobs directories. See reference

    mkdir -p /home/jobs/{scripts,services}/by-user/root
    
  6. clone the hblock repository

    pushd /home/jobs/scripts/by-user/root
    git clone https://software.franco.net.eu.org/mirrors-shell/hblock.git
    popd
    
  7. create the script

    /home/jobs/scripts/by-user/root/hblock_unbound.py#
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    #
    # hblock_unbound.py
    #
    # The MIT License (MIT)
    #
    # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
    # Copyright © 2019 Héctor Molinero Fernández
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in all
    # copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    # SOFTWARE.
    r"""Filter domains."""
    
    import shlex
    import sys
    
    import fpyutils
    import yaml
    
    if __name__ == '__main__':
        configuration_file = shlex.quote(sys.argv[1])
        config = yaml.load(open(configuration_file, 'r'), Loader=yaml.SafeLoader)
        header_file = shlex.quote(config['files']['header'])
        footer_file = shlex.quote(config['files']['footer'])
        output_file = shlex.quote(config['files']['output'])
        sources_file = shlex.quote(config['files']['sources'])
        post_commands_file = shlex.quote(config['files']['post_commands'])
        hblock_root_directory = shlex.quote(
            config['files']['hblock_root_directory'])
    
        # Update the source code and the block lists.
        command = 'make -C ' + hblock_root_directory + ' clean && git -C ' + hblock_root_directory + ' pull'
        fpyutils.shell.execute_command_live_output(command)
    
        # Use unicode to avoid quotes mess.
        template = shlex.quote('local-zone: "%D" redirect' + '\u000A' +
                               'local-data: "%D A %R"')
        command = ('pushd ' + hblock_root_directory + '; ./hblock --template ' +
                   template + ' --comment "#" --header ' + header_file +
                   ' --footer ' + footer_file + ' --output ' + output_file +
                   ' --sources ' + sources_file +
                   ' ./resources/alt-formats/unbound.conf.sh; popd')
        fpyutils.shell.execute_command_live_output(command)
    
        with open(post_commands_file, 'r') as f:
            line = f.readline().rstrip('\n')
            while line:
                fpyutils.shell.execute_command_live_output(line)
                line = f.readline().rstrip('\n')
    
        message = 'hblock unbound completed'
        if config['notify']['gotify']['enabled']:
            m = config['notify']['gotify']['message'] + '\n' + message
            fpyutils.notify.send_gotify_message(
                config['notify']['gotify']['url'],
                config['notify']['gotify']['token'], m,
                config['notify']['gotify']['title'],
                config['notify']['gotify']['priority'])
        if config['notify']['email']['enabled']:
            fpyutils.notify.send_email(message,
                                       config['notify']['email']['smtp_server'],
                                       config['notify']['email']['port'],
                                       config['notify']['email']['sender'],
                                       config['notify']['email']['user'],
                                       config['notify']['email']['password'],
                                       config['notify']['email']['receiver'],
                                       config['notify']['email']['subject'])
    
  8. create a configuration file

    /home/jobs/scripts/by-user/root/hblock_unbound.yaml#
    #
    # hblock_unbound.yaml
    #
    # The MIT License (MIT)
    #
    # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
    # Copyright © 2019 Héctor Molinero Fernández
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy
    # of this software and associated documentation files (the "Software"), to deal
    # in the Software without restriction, including without limitation the rights
    # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    # copies of the Software, and to permit persons to whom the Software is
    # furnished to do so, subject to the following conditions:
    #
    # The above copyright notice and this permission notice shall be included in all
    # copies or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    # SOFTWARE.
    
    files:
        sources: '/home/jobs/scripts/by-user/root/hblock_unbound_list.txt'
        header: '/home/jobs/scripts/by-user/root/hblock_unbound.header.conf'
        footer: '/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf'
        output: '/etc/unbound/unbound.conf'
        post_commands: '/home/jobs/scripts/by-user/root/hblock_unbound.post_commands.conf'
        hblock_root_directory: '/home/jobs/scripts/by-user/root/hblock'
    
    notify:
        email:
            enabled: true
            smtp_server: 'smtp.gmail.com'
            port: 465
            sender: 'myusername@gmail.com'
            user: 'myusername'
            password: 'my awesome password'
            receiver: 'myusername@gmail.com'
            subject: 'hblock unbound'
        gotify:
            enabled: true
            url: '<gotify url>'
            token: '<app token>'
            title: 'hblock unbound'
            message: 'hblock unbound completed'
            priority: 5
    
  9. create the hblock header file

    /home/jobs/scripts/by-user/root/hblock_unbound.header.conf#
    server:
      interface: 0.0.0.0@53
      use-syslog: yes
      username: "unbound"
      directory: "/etc/unbound"
    
      # Subnet.
      access-control: 192.168.0.0/24 allow
    
      cache-min-ttl: 3600
      num-threads: 4
      outgoing-range: 200
      do-daemonize: no
    
      # DISABLE IPv6.
      # https://community.nethserver.org/t/solved-unbound-service-problem-service-doesnt-start/11086/2
      do-ip6: no
    do-not-query-localhost: no
    
    # Router.
    local-zone: "fritz.box." redirect
    local-data: "fritz.box. A 192.168.0.1"
    
    # Static censorship.
    local-zone: "play.google.com." redirect
    local-data: "play.google.com. A 0.0.0.0"
    local-zone: "apple.com." redirect
    local-data: "apple.com. A 0.0.0.0"
    
    # Local address redirect.
    local-data: "server. 31536000 IN A 192.168.0.3"
    local-data: "myotherserver. 31536000 IN A 192.168.0.4"
    
  10. create the hblock footer file

    /home/jobs/scripts/by-user/root/hblock_unbound.footer.conf#
    forward-zone:
        name: "."
    
        # IPv6.
        #     forward-addr: ::1@53000
        forward-addr: 127.0.0.1@53000
    
        # Fallback to use in case dnscrypt-proxy doesn't work.
        #     forward-addr: 8.8.8.8
    
  11. configure you hblock lists

    /home/jobs/scripts/by-user/root/hblock_unbound_list.txt#
    # Default lists.
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adaway.org/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adblock-nocoin-list/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-cname-trackers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-simplified/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/antipopads/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-adservers/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-coinminer/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-facebook/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/blocklist.kowabit.de/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dandelionsprout-nordic/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/digitalside-threat-intel/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-ad/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malvertising/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malware/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-tracking/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-high/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-low/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-medium/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ara/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-bul/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ces-slk/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-deu/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-fra/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-heb/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ind/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ita/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-kor/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lav/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lit/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-nld/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-por/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-rus/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-spa/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-zho/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easyprivacy/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/eth-phishing-detect/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.2o7net/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.dead/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.risk/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.spam/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-annoyance/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-cookiemonster/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/gfrogeye-firstparty-trackers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/hostsvn/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kadhosts/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kowabit.de-kwbtlist/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/lightswitch05-ads-and-tracking/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomainlist.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-immortaldomains/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-justdomains/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/matomo.org-spammers/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mitchellkrogza-badd-boyz-hosts/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/molinero.dev/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-advertising/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-analytics/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/pgl.yoyo.org/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army-extended/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ransomwaretracker.abuse.ch/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/socram8888-notonmyshift/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/someonewhocares.org/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/spam404.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stevenblack/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stopforumspam.com/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-abuse/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-annoyances/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-badware/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-privacy/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/urlhaus/list.txt
    https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/winhelp2002.mvps.org/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-browser/list.txt
    #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-optional/list.txt
    
    # Personal lists.
    https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/mozilla/list.txt
    https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/xiaomi/list.txt
    
  12. use this Systemd service unit file

    /home/jobs/services/by-user/root/hblock-unbound.service#
    [Unit]
    Description=Update hblock and patch unbound rules
    Requires=network-online.target
    After=network-online.target
    
    [Service]
    Type=simple
    ExecStart=/home/jobs/scripts/by-user/root/hblock_unbound.py /home/jobs/scripts/by-user/root/hblock_unbound.yaml
    User=root
    Group=root
    
  13. fix the permissions

    chmod 700 /home/jobs/scripts/by-user/root/hblock-unbound.*
    chmod 700 -R /home/jobs/services/by-user/root
    
  14. run the deploy script

Important

In case something goes wrong with the deployment you can use these fallback commands

pushd /home/jobs/scripts/by-user/root
cat hblock_unbound.header.conf hblock_unbound.footer.conf > /etc/unbound/unbound.conf
popd
systemctl restart unbound