hyperreal.coffee

My network-wide bullshit-blocking setup

· hyperreal

Orange Pi 5 Plus

  • Unbound as the recursive DNS resolver, listening on 127.0.0.1:5335.
  • Blocky as the DNS proxy, ad-blocker and malware-blocker on 0.0.0.0:53. It uses Unbound on 127.0.0.1:5335 as its upstream resolver.
  • Tailscale with --accept-dns=false.
  • unbound-resolvconf.service is disabled, and /etc/resolv.conf is not managed by any service, so I just put nameserver 9.9.9.9 in it for the Pi's own local DNS resolution.

I intend to eventually make this fault-tolerant by using another device as a failover with keepalived. Where and what that other device will be is still to be determined. I have Blocky configured to use the strict strategy for the upstreams setting, so when the topmost upstream server times out it falls back to the next one, which is Quad9. One idea is to set up a cheap VPS on Vultr and run a public DNS resolver on it, but Quad9 is fine for now. Using a completely self-hosted recursive DNS resolver is fairly important to me, but as long as queries aren't going through Google or my ISP it's fine.

I have the Orange Pi 5 Plus's Tailnet IP address configured as my Tailnet's global nameserver, so every device on my Tailnet that uses MagicDNS will use Blocky and Unbound.

Blocky configuration

upstreams:
  strategy: strict
  groups:
    default:
      - 127.0.0.1:5335
      - 9.9.9.9
      - 149.112.112.112

blocking:
  denylists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://adaway.org/hosts.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
    suspicious:
      - https://v.firebog.net/hosts/static/w3kbl.txt
    tracking:
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://v.firebog.net/hosts/Prigent-Ads.txt
    malicious:
      - http://phishing.mailscanner.info/phishing.bad.sites.conf
      - https://v.firebog.net/hosts/Prigent-Crypto.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts

  clientGroupsBlock:
    default:
      - ads
      - suspicious
      - tracking
      - malicious

ports:
  dns: 53
  http: 4000

prometheus:
  enable: yes

caching:
  minTime: 60s
  maxItemsCount: 10000
  prefetching: yes
  prefetchMaxItemsCount: 2000

queryLog:
  type: csv-client
  target: /home/jas/dns-query-logs
  logRetentionDays: 5

clientLookup:
  upstream: 10.0.0.1
  singleNameOrder:
    - 1
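The denylists above mix two formats (hosts files like StevenBlack's and AdAway's, plain domain lists like firebog's), and Blocky blocks a name when it or a parent domain appears in a list. As an added example, not code from this post or from the Blocky project, here is an offline model of that matching, useful for checking which of your own domains a list would catch before you deploy it; the sample list content is constructed, and the parent-domain walk is my reading of Blocky's documented subdomain behaviour.

```python
"""Offline model of Blocky-style denylist matching (example code, not Blocky's).
Parses hosts-format and plain-domain lines and tests names the way the
blocking resolver does: the queried name and each parent domain."""
import re

# Constructed sample mixing the two list formats Blocky accepts.
# The localhost/0.0.0.0 entries are the usual noise at the top of hosts files.
SAMPLE_LIST = """\
# Title: constructed test list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 tracker.example   # inline comment
0.0.0.0 ads.example.net
metrics.example.org
"""

# Hosts-file boilerplate names that must never end up in the blocklist.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_denylist(text: str) -> set[str]:
    """Return the set of blocked domains from hosts-format or plain-domain lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        # hosts format: "<ip> <name> [<name>...]"; plain format: "<name>"
        is_hosts = IPV4.match(fields[0]) or ":" in fields[0]   # IPv4 or IPv6 address
        names = fields[1:] if is_hosts else fields[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def is_blocked(domain: str, blocked: set[str]) -> bool:
    """True if the name or any parent domain is listed (assumed Blocky semantics)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))
```

Run it against a downloaded copy of one of the real lists to see how many of your own internal names fall under a listed parent domain; anything that does is a candidate for an allowlist entry.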

#networking #dns #ad-block #blocky #tailscale #sbc
