###################################################################
# unbound-adblock 0.4 OpenBSD Installation Instructions
# Copyright 2020 Jordan Geoghegan
###################################################################

###################################################################
# Notes:
###################################################################

1) This guide assumes you know how to set up Unbound. If not, there are
   plenty of online guides to setting up Unbound. An easy introductory
   guide can be found here:

   https://www.openbsd.org/faq/pf/example1.html#dns

   OpenBSD Unbound Quick Start:

   ftp https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example
   install -m 644 -o root -g wheel unbound.conf.example /var/unbound/etc/unbound.conf

   # Modify unbound.conf to suit your needs:
   vi /var/unbound/etc/unbound.conf

   # Enable and start Unbound:
   rcctl enable unbound
   rcctl start unbound

###################################################################
# Upgrade from unbound-adblock 0.3
###################################################################

1) Download the updated script:

   $ ftp https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

2) Install the script with appropriate permissions:

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/local/bin/unbound-adblock.sh

###################################################################
# Fresh Installation Guide
###################################################################

1) Configure Unbound as a local recursive DNS server.

   An example unbound.conf can be found here:
   https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example

2) Create a new user (we'll call ours "_adblock").

   The user should be created with a default shell of "nologin" and an
   empty password (which disables password logins):

   # useradd -s /sbin/nologin _adblock

3) Download the script:

   $ ftp https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

4) Install the script with appropriate permissions:

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/local/bin/unbound-adblock.sh

5) Create an empty /var/unbound/etc/adblock.conf, owned by _adblock and
   readable by the _unbound group:

   # install -m 640 -o _adblock -g _unbound /dev/null /var/unbound/etc/adblock.conf

6) Give user '_adblock' a strict doas permission for the exact command the
   script needs to run as superuser.

   NOTE: Unlike 'sudo', _ALL_ users must be explicitly granted permission
   to use doas, even the root user.

   $ cat /etc/doas.conf
   permit root
   permit nopass _adblock cmd rcctl args reload unbound

7) Add a line to your unbound.conf, located BEFORE the forwarders section:

   ...
   include: /var/unbound/etc/adblock.conf
   ...

8) Run the script manually to parse and load the adblock ruleset:

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh
   unbound(ok)

9) For good measure, run the unbound-adblock.sh script once more:

   # doas -u _adblock sh /usr/local/bin/unbound-adblock.sh

10) Edit the _adblock crontab to run unbound-adblock.sh every night at midnight:

   # crontab -u _adblock -e
   @midnight /bin/sh /usr/local/bin/unbound-adblock.sh

Yay! unbound-adblock is now installed! With the nightly cron job, the list
will be regularly updated with the latest known bad hosts.

X) OPTIONAL -- Add the following line to your pf.conf:

   NOTE: This rule intercepts DNS traffic bound for Google DNS servers.
   Google mandates the use of their DNS servers in many apps and services,
   and many devices also use hardcoded Google DNS that cannot be changed.
   This is both a privacy and freedom concern. This should help rectify
   the issue. (This rule should be run on your router/gateway.)

   ...
   # Replace $adblock with the IP address of the Unbound machine.
   # Match only DNS (port 53) so that other traffic to these addresses
   # is not redirected as well.
   pass in quick proto { udp tcp } to { 8.8.8.8, 8.8.4.4 } port 53 rdr-to $adblock
   ...

   Reload your pf rule set:

   # pfctl -f /etc/pf.conf
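The three installation steps that are easiest to get subtly wrong are the placement of the include line relative to the forwarders section, the scope of the doas rule, and the nightly crontab entry. The POSIX sh script below checks all three after the fact. It is an added example, not part of unbound-adblock or the OpenBSD base system: each check reads only the file it is given, so it can be run against the live files (the defaults assume the standard OpenBSD paths /var/unbound/etc/unbound.conf, /etc/doas.conf and the per-user crontab /var/cron/tabs/_adblock) or against copies.

```shell
#!/bin/sh
# unbound-adblock-check.sh: post-install sanity checks for the setup above.
# Added example, not part of unbound-adblock or OpenBSD. Read-only.

# The adblock include must precede the forwarders section. Exit 0 when
# "include: /var/unbound/etc/adblock.conf" is present and comes before the
# first "forward-zone:" stanza (or no forward-zone exists at all).
include_before_forwarders() {
    awk '
        /^[ \t]*include:[ \t]*\/var\/unbound\/etc\/adblock\.conf/ && !inc { inc = NR }
        /^[ \t]*forward-zone:/ && !fwd { fwd = NR }
        END {
            if (!inc) exit 1              # include line missing entirely
            if (fwd && fwd < inc) exit 1  # include placed after the forwarders
            exit 0
        }' "$1"
}

# _adblock should be allowed exactly "rcctl reload unbound" and nothing
# wider. Exit 0 only when such a rule exists and no other permit rule for
# _adblock is broader (e.g. no "cmd" at all, or "cmd rcctl" without args).
doas_rule_ok() {
    awk '
        {
            # normalise whitespace so column alignment does not affect matching;
            # a trailing space lets " _adblock " match an identity at end of line
            gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, ""); gsub(/[ \t]+/, " ")
            line = $0 " "
        }
        line ~ /^permit( (nopass|nolog|persist|keepenv))* _adblock / {
            if (line ~ / _adblock( as root)? cmd rcctl args reload unbound $/) exact++
            else broad++
        }
        END { if (exact >= 1 && broad == 0) exit 0; exit 1 }' "$1"
}

# The crontab file must contain the nightly job exactly as installed.
cron_entry_ok() {
    awk '
        NF == 3 && $1 == "@midnight" && $2 == "/bin/sh" &&
        $3 == "/usr/local/bin/unbound-adblock.sh" { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Run every check, print one status line each, return 1 if any failed.
# Arguments: unbound.conf path, doas.conf path, _adblock crontab path
# (each defaults to the live OpenBSD location).
run_checks() {
    rc=0
    include_before_forwarders "${1:-/var/unbound/etc/unbound.conf}" \
        && echo "ok   adblock include precedes forward-zone" \
        || { echo "FAIL adblock include missing or after forward-zone"; rc=1; }
    doas_rule_ok "${2:-/etc/doas.conf}" \
        && echo "ok   doas rule scoped to 'rcctl reload unbound'" \
        || { echo "FAIL doas rule missing or broader than needed"; rc=1; }
    cron_entry_ok "${3:-/var/cron/tabs/_adblock}" \
        && echo "ok   nightly cron entry present" \
        || { echo "FAIL nightly cron entry missing"; rc=1; }
    return $rc
}

# Usage: sh unbound-adblock-check.sh --run [unbound.conf [doas.conf [crontab]]]
if [ "$1" = "--run" ]; then
    shift
    run_checks "$@"
fi
```

Run it as root with `--run` so that /etc/doas.conf and the crontab are readable; a non-zero exit means at least one FAIL line was printed. The doas check deliberately treats any second, broader rule for _adblock as a failure, since doas applies the last matching rule and a later `permit nopass _adblock` would silently widen the grant.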