My network-wide bullshit blocking setup

2025-01-04

Orange Pi 5 Plus

Unbound for recursive DNS resolver on 127.0.0.1:5335.
Blocky for DNS proxy, ad-blocking, and malware-blocking on 0.0.0.0:53. Uses Unbound on 127.0.0.1:5335 as upstream resolver.
Tailscale with --accept-dns=false.
unbound-resolvconf.service is disabled, and /etc/resolv.conf is not managed by any service, so I just put nameserver 9.9.9.9 in it for local DNS resolution.

I intend on eventually making this fault-tolerant by using another device as a failover with keepalived. Where and what that other device will be is to be determined. I have Blocky configured to use the strict strategy for the upstreams setting, so after a timeout of the topmost upstream server it will fallback to the next one, which is Quad9. An idea I have is to setup a cheap VPS on Vultr and run a public DNS resolver on it, but Quad9 is fine for now. Using a completely self-hosted recursive DNS resolver is fairly important to me, but as long as it’s not going through Google or my ISP it is fine.

I have the Orange Pi 5 Plus Tailnet IP address configured to be my Tailnet’s global nameserver. So every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound.

Blocky configuration

upstreams:  
  strategy: strict  
  groups:  
    default:  
      - 127.0.0.1:5335  
      - 9.9.9.9  
      - 149.112.112.112  
  
blocking:  
  denylists:  
    ads:  
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts  
      - https://adaway.org/hosts.txt  
      - https://v.firebog.net/hosts/AdguardDNS.txt  
    suspicious:  
      - https://v.firebog.net/hosts/static/w3kbl.txt  
    tracking:  
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt  
      - https://v.firebog.net/hosts/Easyprivacy.txt  
      - https://v.firebog.net/hosts/Prigent-Ads.txt  
    malicious:  
      - http://phishing.mailscanner.info/phishing.bad.sites.conf  
      - https://v.firebog.net/hosts/Prigent-Crypto.txt  
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts  
  
  clientGroupsBlock:  
    default:  
      - ads  
      - suspicious  
      - tracking  
      - malicious  
  
ports:  
  dns: 53  
  http: 4000  
  
prometheus:  
  enable: yes  
  
caching:  
  minTime: 60s  
  maxItemsCount: 10000  
  prefetching: yes  
  prefetchMaxItemsCount: 2000  
  
queryLog:  
  type: csv-client  
  target: /home/jas/dns-query-logs  
  logRetentionDays: 5  
clientLookup:  
  upstream: 10.0.0.1  
  singleNameOrder:  
    - 1

#networking #dns #adblock #blocky #tailscale #sbc

Reply to this post by email ↪