My network-wide bullshit blocking setup

2025-01-04

Orange Pi 5 Plus

Unbound for recursive DNS resolver on 127.0.0.1:5335.
Blocky for DNS proxy, ad-blocking, and malware-blocking on 0.0.0.0:53. Uses Unbound on 127.0.0.1:5335 as upstream resolver.
Tailscale with --accept-dns=false.
unbound-resolvconf.service is disabled, and /etc/resolv.conf is not managed by any service, so I just put nameserver 9.9.9.9 in it for local DNS resolution.

I intend on eventually making this fault-tolerant by using another device as a failover with keepalived. Where and what that other device will be is to be determined. I have Blocky configured to use the strict strategy for the upstreams setting, so after a timeout of the topmost upstream server it will fallback to the next one, which is Quad9. An idea I have is to setup a cheap VPS on Vultr and run a public DNS resolver on it, but Quad9 is fine for now. Using a completely self-hosted recursive DNS resolver is fairly important to me, but as long as it’s not going through Google or my ISP it is fine.

I have the Orange Pi 5 Plus Tailnet IP address configured to be my Tailnet’s global nameserver. So every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound.

Blocky configuration

 1upstreams:  
 2  strategy: strict  
 3  groups:  
 4    default:  
 5      - 127.0.0.1:5335  
 6      - 9.9.9.9  
 7      - 149.112.112.112  
 8  
 9blocking:  
10  denylists:  
11    ads:  
12      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts  
13      - https://adaway.org/hosts.txt  
14      - https://v.firebog.net/hosts/AdguardDNS.txt  
15    suspicious:  
16      - https://v.firebog.net/hosts/static/w3kbl.txt  
17    tracking:  
18      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt  
19      - https://v.firebog.net/hosts/Easyprivacy.txt  
20      - https://v.firebog.net/hosts/Prigent-Ads.txt  
21    malicious:  
22      - http://phishing.mailscanner.info/phishing.bad.sites.conf  
23      - https://v.firebog.net/hosts/Prigent-Crypto.txt  
24      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts  
25  
26  clientGroupsBlock:  
27    default:  
28      - ads  
29      - suspicious  
30      - tracking  
31      - malicious  
32  
33ports:  
34  dns: 53  
35  http: 4000  
36  
37prometheus:  
38  enable: yes  
39  
40caching:  
41  minTime: 60s  
42  maxItemsCount: 10000  
43  prefetching: yes  
44  prefetchMaxItemsCount: 2000  
45  
46queryLog:  
47  type: csv-client  
48  target: /home/jas/dns-query-logs  
49  logRetentionDays: 5  
50clientLookup:  
51  upstream: 10.0.0.1  
52  singleNameOrder:  
53    - 1

#networking #dns #adblock #blocky #tailscale #sbc

Reply to this post by email ↪