DNS
Unbound
Use a local DNS proxy server to:
- improve name resolution speed
- hide unwanted websites
- redirect names to specific local addresses

Hblock in action
install the dependencies
apt-get install git bash unbound dnscrypt-proxy python3-requests python3-yaml make
install fpyutils. See reference
configure dnscrypt-proxy
/etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Comments removed for readability purposes.
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
server_names = ['cleanbrowsing-adult']
max_clients = 250
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true
force_tcp = false
timeout = 5000
keepalive = 30
use_syslog = true
cert_refresh_delay = 1440
ignore_system_dns = true
netprobe_timeout = 60
netprobe_address = '9.9.9.9:53'
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
block_ipv6 = false
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

[query_log]
  file = '/var/log/dnscrypt-proxy/query.log'
  format = 'tsv'

[nx_log]
  file = '/var/log/dnscrypt-proxy/nx.log'
  format = 'tsv'

[sources]
  [sources.'public-resolvers']
  url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 72
  prefix = ''
restart the dnscrypt-proxy service
systemctl restart dnscrypt-proxy
create the jobs directories. See reference
mkdir -p /home/jobs/{scripts,services}/by-user/root
clone the hblock repository
pushd /home/jobs/scripts/by-user/root
git clone https://software.franco.net.eu.org/mirrors-shell/hblock.git
popd
create the script
/home/jobs/scripts/by-user/root/hblock_unbound.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# hblock_unbound.py
#
# The MIT License (MIT)
#
# Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
# Copyright © 2019 Héctor Molinero Fernández
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
r"""Filter domains."""

import shlex
import sys

import fpyutils
import yaml

if __name__ == '__main__':
    # Paths handed to open() are used as they are: shlex.quote() is only for
    # strings that end up inside a shell command line.
    configuration_file = sys.argv[1]
    with open(configuration_file, 'r') as f:
        config = yaml.load(f, Loader=yaml.SafeLoader)
    header_file = shlex.quote(config['files']['header'])
    footer_file = shlex.quote(config['files']['footer'])
    output_file = shlex.quote(config['files']['output'])
    sources_file = shlex.quote(config['files']['sources'])
    post_commands_file = config['files']['post_commands']
    hblock_root_directory = shlex.quote(
        config['files']['hblock_root_directory'])

    # Update the source code and the block lists.
    command = 'make -C ' + hblock_root_directory + ' clean && git -C ' + hblock_root_directory + ' pull'
    fpyutils.shell.execute_command_live_output(command)

    # Use unicode to avoid quotes mess.
    template = shlex.quote('local-zone: "%D" redirect' + '\u000A' +
                           'local-data: "%D A %R"')
    command = ('pushd ' + hblock_root_directory + '; ./hblock --template ' +
               template + ' --comment "#" --header ' + header_file +
               ' --footer ' + footer_file + ' --output ' + output_file +
               ' --sources ' + sources_file +
               ' ./resources/alt-formats/unbound.conf.sh; popd')
    fpyutils.shell.execute_command_live_output(command)

    # Run every line of the post commands file as a shell command, stopping
    # at the first empty line. The service runs this script as root, so the
    # file must be writable by root only.
    with open(post_commands_file, 'r') as f:
        line = f.readline().rstrip('\n')
        while line:
            fpyutils.shell.execute_command_live_output(line)
            line = f.readline().rstrip('\n')

    message = 'hblock unbound completed'
    if config['notify']['gotify']['enabled']:
        m = config['notify']['gotify']['message'] + '\n' + message
        fpyutils.notify.send_gotify_message(
            config['notify']['gotify']['url'],
            config['notify']['gotify']['token'], m,
            config['notify']['gotify']['title'],
            config['notify']['gotify']['priority'])
    if config['notify']['email']['enabled']:
        fpyutils.notify.send_email(message,
                                   config['notify']['email']['smtp_server'],
                                   config['notify']['email']['port'],
                                   config['notify']['email']['sender'],
                                   config['notify']['email']['user'],
                                   config['notify']['email']['password'],
                                   config['notify']['email']['receiver'],
                                   config['notify']['email']['subject'])
create a configuration file
/home/jobs/scripts/by-user/root/hblock_unbound.yaml
#
# hblock_unbound.yaml
#
# The MIT License (MIT)
#
# Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com)
# Copyright © 2019 Héctor Molinero Fernández
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

files:
    sources: '/home/jobs/scripts/by-user/root/hblock_unbound_list.txt'
    header: '/home/jobs/scripts/by-user/root/hblock_unbound.header.conf'
    footer: '/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf'
    output: '/etc/unbound/unbound.conf'
    post_commands: '/home/jobs/scripts/by-user/root/hblock_unbound.post_commands.conf'
    hblock_root_directory: '/home/jobs/scripts/by-user/root/hblock'

notify:
    email:
        enabled: true
        smtp_server: 'smtp.gmail.com'
        port: 465
        sender: 'myusername@gmail.com'
        user: 'myusername'
        password: 'my awesome password'
        receiver: 'myusername@gmail.com'
        subject: 'hblock unbound'
    gotify:
        enabled: true
        url: '<gotify url>'
        token: '<app token>'
        title: 'hblock unbound'
        message: 'hblock unbound completed'
        priority: 5
create the hblock header file
/home/jobs/scripts/by-user/root/hblock_unbound.header.conf
server:
    interface: 0.0.0.0@53
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"

    # Subnet.
    access-control: 192.168.0.0/24 allow

    cache-min-ttl: 3600
    num-threads: 4
    outgoing-range: 200
    do-daemonize: no

    # DISABLE IPv6.
    # https://community.nethserver.org/t/solved-unbound-service-problem-service-doesnt-start/11086/2
    do-ip6: no
    do-not-query-localhost: no

# Router.
local-zone: "fritz.box." redirect
local-data: "fritz.box. A 192.168.0.1"

# Static censorship.
local-zone: "play.google.com." redirect
local-data: "play.google.com. A 0.0.0.0"
local-zone: "apple.com." redirect
local-data: "apple.com. A 0.0.0.0"

# Local address redirect.
local-data: "server. 31536000 IN A 192.168.0.3"
local-data: "myotherserver. 31536000 IN A 192.168.0.4"
create the hblock footer file
/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf
forward-zone:
    name: "."

    # IPv6.
    # forward-addr: ::1@53000
    forward-addr: 127.0.0.1@53000

    # Fallback to use in case dnscrypt-proxy doesn't work.
    # forward-addr: 8.8.8.8
configure your hblock lists
/home/jobs/scripts/by-user/root/hblock_unbound_list.txt
# Default lists.
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adaway.org/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adblock-nocoin-list/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-cname-trackers/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-simplified/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/antipopads/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-adservers/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-coinminer/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-facebook/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/blocklist.kowabit.de/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dandelionsprout-nordic/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/digitalside-threat-intel/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-ad/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malvertising/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malware/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-tracking/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-high/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-low/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-medium/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ara/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-bul/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ces-slk/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-deu/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-fra/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-heb/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ind/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ita/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-kor/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lav/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lit/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-nld/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-por/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-rus/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-spa/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-zho/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easyprivacy/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/eth-phishing-detect/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.2o7net/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.dead/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.risk/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.spam/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-annoyance/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-cookiemonster/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/gfrogeye-firstparty-trackers/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/hostsvn/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kadhosts/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kowabit.de-kwbtlist/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/lightswitch05-ads-and-tracking/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomainlist.com/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-immortaldomains/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-justdomains/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/matomo.org-spammers/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mitchellkrogza-badd-boyz-hosts/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/molinero.dev/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-advertising/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-analytics/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/pgl.yoyo.org/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army-extended/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ransomwaretracker.abuse.ch/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/socram8888-notonmyshift/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/someonewhocares.org/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/spam404.com/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stevenblack/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stopforumspam.com/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-abuse/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-annoyances/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-badware/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-privacy/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/urlhaus/list.txt
https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/winhelp2002.mvps.org/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-browser/list.txt
#https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-optional/list.txt

# Personal lists.
https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/mozilla/list.txt
https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/xiaomi/list.txt
use this Systemd service unit file
/home/jobs/services/by-user/root/hblock-unbound.service
[Unit]
Description=Update hblock and patch unbound rules
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/home/jobs/scripts/by-user/root/hblock_unbound.py /home/jobs/scripts/by-user/root/hblock_unbound.yaml
User=root
Group=root
fix the permissions
chmod 700 /home/jobs/scripts/by-user/root/hblock_unbound.*
chmod 700 -R /home/jobs/services/by-user/root
run the deploy script
Important
In case something goes wrong with the deployment you can use these fallback commands
pushd /home/jobs/scripts/by-user/root
cat hblock_unbound.header.conf hblock_unbound.footer.conf > /etc/unbound/unbound.conf
popd
systemctl restart unbound
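A check that can be run on the generated /etc/unbound/unbound.conf, added here as an example and not part of the original page or of hblock: it verifies that every line outside the header and footer is an instance of the script's block template, points at the sinkhole address and does not shadow the local names defined in the header. The function name, the protected list and the sample lines are constructed for illustration; the sinkhole 0.0.0.0 assumes hblock's default redirection.

```python
import re

# A DNS name as it may appear in the quoted fields of the block template.
LABEL = r'[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?'
NAME = rf'(?:{LABEL}\.)*{LABEL}\.?'
# The two lines hblock_unbound.py asks hblock to emit for each domain.
ZONE_RE = re.compile(rf'local-zone: "({NAME})" redirect')
DATA_RE = re.compile(rf'local-data: "({NAME}) A ([0-9.]+)"')


def audit_unbound_conf(output, header, footer, protected, sinkhole='0.0.0.0'):
    """Return (line_number, reason) findings for the generated rules.

    Lines that also occur in the header or footer are trusted; every other
    line must be blank, a comment, or an instance of the block template.
    """
    trusted = {l.strip() for l in (header + '\n' + footer).splitlines()}
    protected = {p.rstrip('.').lower() for p in protected}
    findings = []
    for number, raw in enumerate(output.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line in trusted:
            continue
        match = ZONE_RE.fullmatch(line) or DATA_RE.fullmatch(line)
        if match is None:
            findings.append((number, 'not a block rule'))
            continue
        name = match.group(1).rstrip('.').lower()
        # A redirect zone also answers for every subdomain of its name.
        if any(p == name or p.endswith('.' + name) for p in protected):
            findings.append((number, 'shadows protected name ' + name))
        elif match.re is DATA_RE and match.group(2) != sinkhole:
            findings.append((number, 'redirects to ' + match.group(2)))
    return findings


# Constructed sample: a shortened header and footer around six generated lines.
HEADER = ('server:\n    interface: 0.0.0.0@53\n'
          'local-data: "server. 31536000 IN A 192.168.0.3"\n')
FOOTER = 'forward-zone:\n    name: "."\n    forward-addr: 127.0.0.1@53000\n'
SAMPLE = HEADER + '# blocklist\n' + (
    'local-zone: "ads.example" redirect\n'
    'local-data: "ads.example A 0.0.0.0"\n'
    'local-zone: "box" redirect\n'
    'local-data: "box A 0.0.0.0"\n'
    'local-data: "bank.example A 203.0.113.7"\n'
    'local-zone: "tracker.example" transparent\n') + FOOTER
PROTECTED = ['fritz.box.', 'server.', 'myotherserver.']

if __name__ == '__main__':
    for number, reason in audit_unbound_conf(SAMPLE, HEADER, FOOTER, PROTECTED):
        print(f'line {number}: {reason}')
```

An empty result means every generated line matches the template; any finding is a reason to use the fallback commands above until the offending list is identified.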
[1] https://nlnetlabs.nl/projects/unbound/about/ BSD 3-Clause License, Copyright (c) 2007, NLnet Labs. All rights reserved
[2] https://github.com/jedisct1/dnscrypt-proxy ISC License, Copyright (c) 2018-2022, Frank Denis <j at pureftpd dot org>
[3] https://github.com/hectorm/hblock MIT, Copyright © 2022, Héctor Molinero Fernández
[4] https://github.com/hectorm/hmirror MIT, Copyright © 2022, Héctor Molinero Fernández