DNS
Contents
DNS#
Unbound#
Use a local DNS proxy server to:
improve name resoultion speed
hide unwanted websites
redirect names to specific local addresses
Hblock in action#
install the dependencies
apt-get install git bash unbound dnscrypt-proxy python3-requests python3-yaml makeinstall fpyutils. See reference
configure dnscrypt-proxy
/etc/dnscrypt-proxy/dnscrypt-proxy.toml## Comments removed for readability purposes. listen_addresses = ['127.0.0.1:53000', '[::1]:53000'] server_names = ['cleanbrowsing-adult'] max_clients = 250 ipv4_servers = true ipv6_servers = false dnscrypt_servers = true doh_servers = true require_dnssec = false require_nolog = true require_nofilter = true force_tcp = false timeout = 5000 keepalive = 30 use_syslog = true cert_refresh_delay = 1440 ignore_system_dns = true netprobe_timeout = 60 netprobe_address = '9.9.9.9:53' log_files_max_size = 10 log_files_max_age = 7 log_files_max_backups = 1 block_ipv6 = false cache = true cache_size = 4096 cache_min_ttl = 2400 cache_max_ttl = 86400 cache_neg_min_ttl = 60 cache_neg_max_ttl = 600 [query_log] file = '/var/log/dnscrypt-proxy/query.log' format = 'tsv' [nx_log] file = '/var/log/dnscrypt-proxy/nx.log' format = 'tsv' [sources] [sources.'public-resolvers'] url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = ''
restart the dnscrypt-proxy service
systemctl restart dnscrypt-proxycreate the jobs directories. See reference
mkdir -p /home/jobs/{scripts,services}/by-user/rootclone the hblock repository
pushd /home/jobs/scripts/by-user/root git clone https://software.franco.net.eu.org/mirrors-shell/hblock.git popd
create the
script/home/jobs/scripts/by-user/root/hblock_unbound.py##!/usr/bin/env python3 # -*- coding: utf-8 -*- # # hblock_unbound.py # # The MIT License (MIT) # # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com) # Copyright © 2019 Héctor Molinero Fernández # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. r"""Filter domains.""" import shlex import sys import fpyutils import yaml if __name__ == '__main__': configuration_file = shlex.quote(sys.argv[1]) config = yaml.load(open(configuration_file, 'r'), Loader=yaml.SafeLoader) header_file = shlex.quote(config['files']['header']) footer_file = shlex.quote(config['files']['footer']) output_file = shlex.quote(config['files']['output']) sources_file = shlex.quote(config['files']['sources']) post_commands_file = shlex.quote(config['files']['post_commands']) hblock_root_directory = shlex.quote( config['files']['hblock_root_directory']) # Update the source code and the block lists. command = 'make -C ' + hblock_root_directory + ' clean && git -C ' + hblock_root_directory + ' pull' fpyutils.shell.execute_command_live_output(command) # Use unicode to avoid quotes mess. template = shlex.quote('local-zone: "%D" redirect' + '\u000A' + 'local-data: "%D A %R"') command = ('pushd ' + hblock_root_directory + '; ./hblock --template ' + template + ' --comment "#" --header ' + header_file + ' --footer ' + footer_file + ' --output ' + output_file + ' --sources ' + sources_file + ' ./resources/alt-formats/unbound.conf.sh; popd') fpyutils.shell.execute_command_live_output(command) with open(post_commands_file, 'r') as f: line = f.readline().rstrip('\n') while line: fpyutils.shell.execute_command_live_output(line) line = f.readline().rstrip('\n') message = 'hblock unbound completed' if config['notify']['gotify']['enabled']: m = config['notify']['gotify']['message'] + '\n' + message fpyutils.notify.send_gotify_message( config['notify']['gotify']['url'], config['notify']['gotify']['token'], m, config['notify']['gotify']['title'], config['notify']['gotify']['priority']) if config['notify']['email']['enabled']: fpyutils.notify.send_email(message, config['notify']['email']['smtp_server'], config['notify']['email']['port'], config['notify']['email']['sender'], config['notify']['email']['user'], config['notify']['email']['password'], config['notify']['email']['receiver'], config['notify']['email']['subject'])
create a
configuration file/home/jobs/scripts/by-user/root/hblock_unbound.yaml## # hblock_unbound.yaml # # The MIT License (MIT) # # Copyright (C) 2019-2022 Franco Masotti (franco \D\o\T masotti {-A-T-} tutanota \D\o\T com) # Copyright © 2019 Héctor Molinero Fernández # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. files: sources: '/home/jobs/scripts/by-user/root/hblock_unbound_list.txt' header: '/home/jobs/scripts/by-user/root/hblock_unbound.header.conf' footer: '/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf' output: '/etc/unbound/unbound.conf' post_commands: '/home/jobs/scripts/by-user/root/hblock_unbound.post_commands.conf' hblock_root_directory: '/home/jobs/scripts/by-user/root/hblock' notify: email: enabled: true smtp_server: 'smtp.gmail.com' port: 465 sender: 'myusername@gmail.com' user: 'myusername' password: 'my awesome password' receiver: 'myusername@gmail.com' subject: 'hblock unbound' gotify: enabled: true url: '<gotify url>' token: '<app token>' title: 'hblock unbound' message: 'hblock unbound completed' priority: 5
create the
hblock header file/home/jobs/scripts/by-user/root/hblock_unbound.header.conf#server: interface: 0.0.0.0@53 use-syslog: yes username: "unbound" directory: "/etc/unbound" # Subnet. access-control: 192.168.0.0/24 allow cache-min-ttl: 3600 num-threads: 4 outgoing-range: 200 do-daemonize: no # DISABLE IPv6. # https://community.nethserver.org/t/solved-unbound-service-problem-service-doesnt-start/11086/2 do-ip6: no do-not-query-localhost: no # Router. local-zone: "fritz.box." redirect local-data: "fritz.box. A 192.168.0.1" # Static censorship. local-zone: "play.google.com." redirect local-data: "play.google.com. A 0.0.0.0" local-zone: "apple.com." redirect local-data: "apple.com. A 0.0.0.0" # Local address redirect. local-data: "server. 31536000 IN A 192.168.0.3" local-data: "myotherserver. 31536000 IN A 192.168.0.4"
create the
hblock footer file/home/jobs/scripts/by-user/root/hblock_unbound.footer.conf#forward-zone: name: "." # IPv6. # forward-addr: ::1@53000 forward-addr: 127.0.0.1@53000 # Fallback to use in case dnscrypt-proxy doesn't work. # forward-addr: 8.8.8.8
configure you
hblock lists/home/jobs/scripts/by-user/root/hblock_unbound_list.txt## Default lists. https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adaway.org/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adblock-nocoin-list/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-cname-trackers/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/adguard-simplified/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/antipopads/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-adservers/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-coinminer/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/anudeepnd-facebook/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/blocklist.kowabit.de/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dandelionsprout-nordic/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/digitalside-threat-intel/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-ad/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malvertising/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-malware/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/disconnect.me-tracking/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-high/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-low/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/dshield.org-medium/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ara/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-bul/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ces-slk/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-deu/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-fra/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-heb/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ind/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-ita/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-kor/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lav/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-lit/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-nld/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-por/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-rus/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-spa/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easylist-zho/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/easyprivacy/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/eth-phishing-detect/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.2o7net/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.dead/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.risk/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fademind-add.spam/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-annoyance/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-cookiemonster/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/fanboy-social/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/gfrogeye-firstparty-trackers/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/hostsvn/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kadhosts/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/kowabit.de-kwbtlist/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/lightswitch05-ads-and-tracking/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomainlist.com/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-immortaldomains/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/malwaredomains.com-justdomains/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/matomo.org-spammers/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mitchellkrogza-badd-boyz-hosts/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/molinero.dev/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-advertising/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/mozilla-shavar-analytics/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/pgl.yoyo.org/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/phishing.army-extended/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ransomwaretracker.abuse.ch/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/socram8888-notonmyshift/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/someonewhocares.org/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/spam404.com/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stevenblack/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/stopforumspam.com/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-abuse/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-annoyances/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-badware/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/ublock-privacy/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/urlhaus/list.txt https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/winhelp2002.mvps.org/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-browser/list.txt #https://software.franco.net.eu.org/mirrors-other/hmirror/raw/branch/master/data/zerodot1-coinblockerlists-optional/list.txt # Personal lists. https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/mozilla/list.txt https://software.franco.net.eu.org/frnmst/hblock-personal-lists/raw/branch/master/data/xiaomi/list.txt
use this
Systemd service unit file/home/jobs/services/by-user/root/hblock-unbound.service#[Unit] Description=Update hblock and patch unbound rules Requires=network-online.target After=network-online.target [Service] Type=simple ExecStart=/home/jobs/scripts/by-user/root/hblock_unbound.py /home/jobs/scripts/by-user/root/hblock_unbound.yaml User=root Group=root
fix the permissions
chmod 700 /home/jobs/scripts/by-user/root/hblock-unbound.* chmod 700 -R /home/jobs/services/by-user/root
run the deploy script
Important
In case something goes wrong with the deployment you can use these fallback commands
pushd /home/jobs/scripts/by-user/root
cat hblock_unbound.header.conf hblock_unbound.footer.conf > /etc/unbound/unbound.conf
popd
systemctl restart unbound
- 1
https://nlnetlabs.nl/projects/unbound/about/ BSD 3-Clause License, Copyright (c) 2007, NLnet Labs. All rights reserved
- 2
https://github.com/jedisct1/dnscrypt-proxy ISC License, Copyright (c) 2018-2022, Frank Denis <j at pureftpd dot org>
- 3
https://github.com/hectorm/hblock MIT, Copyright © 2022, Héctor Molinero Fernández
- 4
https://github.com/hectorm/hmirror MIT, Copyright © 2022, Héctor Molinero Fernández