###################################################################
# unbound-adblock 0.4 FreeBSD Installation Instructions
# Copyright 2020 Jordan Geoghegan
###################################################################

###################################################################
# Notes:
###################################################################

1) This guide assumes you know how to set up Unbound. If not, there are
   plenty of online guides to setting up Unbound.

   FreeBSD Unbound Quick Start:

   pkg install unbound
   fetch https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example
   install -m 644 -o root -g unbound unbound.conf.example /etc/unbound/unbound.conf

   # Modify unbound.conf to suit your needs:
   vi /etc/unbound/unbound.conf

   # Enable and Start
   sysrc unbound_enable="YES"
   service unbound start

###################################################################
# Fresh Installation Guide
###################################################################

1) Install and configure Unbound as a local recursive DNS server

   An example unbound.conf can be found here:
   https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example

2) Download the script:

   $ fetch https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

3) Create a new user (we'll call ours "_adblock")

   The user should be created with a default shell of "nologin" and an
   empty password (disables password logins).

   # pw useradd _adblock -s /sbin/nologin

4) Install the script with appropriate permissions

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/local/bin/unbound-adblock.sh

5) Create /etc/unbound/adblock.conf:

   # install -m 640 -o _adblock -g unbound /dev/null /etc/unbound/adblock.conf

6) Install the 'doas' utility

   # pkg install doas

7) Give user '_adblock' strict doas permission for the exact command the
   script needs run as superuser.

   NOTE: Unlike 'sudo', _ALL_ users must be explicitly granted permission
   to use doas, even the root user.

   $ cat /usr/local/etc/doas.conf
   permit root
   permit nopass _adblock cmd service args unbound restart

8) Add a line to your unbound.conf located BEFORE the forwarders section:

   ...
   include: /etc/unbound/adblock.conf
   ...

9) Run the script manually using the '-freebsd' argument

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh -freebsd
   unbound(ok)

10) For good measure, we'll run the unbound-adblock.sh script once more

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh -freebsd

11) Edit the _adblock crontab to run unbound-adblock.sh every night at midnight

   # crontab -u _adblock -e
   @midnight /bin/sh /usr/local/bin/unbound-adblock.sh -freebsd

Yay! unbound-adblock is now installed! With the nightly cron job, the list
will be regularly updated with the latest known bad hosts.

X) OPTIONAL -- Add the following line to your pf.conf:

   NOTE: This rule intercepts DNS traffic bound for Google DNS servers.
   Google mandates the use of their DNS servers in many apps and services.
   Many devices also use hardcoded Google DNS that cannot be changed.
   This is both a privacy and freedom concern. This should help rectify
   the issue:

   (This rule should be run on your router/gateway)

   ...
   # Replace $adblock with the IP address of the Unbound machine
   pass in quick to {8.8.8.8, 8.8.4.4} rdr-to $adblock
   ...

-- Reload your pf rule set:

   # pfctl -f /etc/pf.conf
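Two of the steps above are easy to get subtly wrong: the doas rule for _adblock must cover exactly one command, and the include: line must sit before the forwarders section. The following POSIX sh snippet is an added example, not part of unbound-adblock or this guide; it checks both against configuration files (real paths or the constructed samples it builds itself).

```sh
#!/bin/sh
# Added example (not part of unbound-adblock): verifies two of the steps above.
# The include: line must come before the forwarders section, and _adblock's
# doas rule must cover exactly one command. Both checks take a file path.

# check_include_order FILE: returns 0 when FILE includes adblock.conf and the
# include: line precedes the first forward-zone: (or there is no forward-zone:).
check_include_order() {
    inc=$(grep -n '^[[:space:]]*include:[[:space:]]*/etc/unbound/adblock.conf' "$1" | head -n 1 | cut -d: -f1)
    fwd=$(grep -n '^[[:space:]]*forward-zone:' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$inc" ] || return 1      # include line missing entirely
    [ -z "$fwd" ] && return 0      # no forwarders configured: position is irrelevant
    [ "$inc" -lt "$fwd" ]
}

# check_doas_rule FILE: returns 0 when FILE holds the exact rule from the guide
# (nopass, fixed command "service", fixed args "unbound restart"), nothing broader.
check_doas_rule() {
    grep -Eq '^permit[[:space:]]+nopass[[:space:]]+_adblock[[:space:]]+cmd[[:space:]]+service[[:space:]]+args[[:space:]]+unbound[[:space:]]+restart[[:space:]]*$' "$1"
}

# demo builds constructed sample files (not copied from any real host) and
# runs both checks against them.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/good.conf" <<'EOF'
server:
    include: /etc/unbound/adblock.conf
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
EOF
    cat > "$tmp/bad.conf" <<'EOF'
server:
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    include: /etc/unbound/adblock.conf
EOF
    printf 'permit root\npermit nopass _adblock cmd service args unbound restart\n' > "$tmp/doas.conf"
    check_include_order "$tmp/good.conf" && echo "good.conf: include: placed before forward-zone:"
    check_include_order "$tmp/bad.conf"  || echo "bad.conf: include: comes after forward-zone:"
    check_doas_rule "$tmp/doas.conf"     && echo "doas.conf: _adblock limited to 'service unbound restart'"
    rm -r "$tmp"
}
demo
```

To check a live system, call the two functions with /etc/unbound/unbound.conf and /usr/local/etc/doas.conf instead of running demo.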