My personal website and Gemini capsule
# My network-wide bullshit-blocking setup

## Orange Pi 5 Plus
* Unbound as the recursive DNS resolver on 127.0.0.1:5335.
* Blocky as the DNS proxy, ad-blocker, and malware-blocker on 0.0.0.0:53. It uses Unbound on 127.0.0.1:5335 as its upstream resolver.
* Tailscale with `--accept-dns=false`.
* unbound-resolvconf.service is disabled, and /etc/resolv.conf is not managed by any service, so I just put `nameserver 9.9.9.9` in it for local DNS resolution.

I intend to eventually make this fault-tolerant by using another device as a failover with keepalived. Where and what that other device will be is to be determined. I have Blocky configured to use the strict strategy for the upstreams setting, so after the topmost server times out it will fall back to the next one, which is Quad9. One idea I have is to set up a cheap VPS on Vultr and run a public DNS resolver on it, but Quad9 is fine for now. Using a completely self-hosted recursive DNS resolver is fairly important to me, but as long as my queries aren't going through Google or my ISP it is fine.

I have the Orange Pi 5 Plus's Tailnet IP address configured as my Tailnet's global nameserver, so every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound.
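One thing this setup makes easy to miss: with the strict strategy, Blocky silently falls back to Quad9 when Unbound times out, so a check that only queries port 53 would still pass while the self-hosted recursive resolver is dead. The script below is an added example (my own, not code from the capsule or from the Blocky project) that probes Unbound on 5335 and Blocky on 53 separately using a hand-built DNS query, and confirms Blocky sinkholes a blocked name to 0.0.0.0 (its default zeroIp blockType). It assumes `example.com` as a resolvable probe and uses `ads.example` as a placeholder for a name from one of the denylists; its exit status is the shape keepalived's vrrp_script expects.

```python
import random, socket, struct
def build_query(name, qid):
    """Minimal DNS A/IN query with RD set (RFC 1035 wire format)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"
def parse_reply(data, qid):
    """Return (rcode, [A-record IPs]); reject replies whose ID does not match."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        while data[pos] != 0:
            pos += data[pos] + 1
        pos += 5  # root label + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        if data[pos] & 0xC0 == 0xC0:  # compressed name pointer
            pos += 2
        else:
            while data[pos] != 0:
                pos += data[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips
def query(server, port, name, timeout=2.0):
    qid = random.randrange(65536)  # random ID so a stale/forged reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, port))
        data, _ = s.recvfrom(4096)
    return parse_reply(data, qid)
def chain_healthy(probe="example.com", blocked="ads.example"):
    """True if Unbound (5335) and Blocky (53) both resolve `probe` and Blocky
    sinkholes `blocked` to 0.0.0.0; `ads.example` is a placeholder name."""
    try:
        _, ips_u = query("127.0.0.1", 5335, probe)  # Unbound directly, not via Blocky
        _, ips_b = query("127.0.0.1", 53, probe)
        _, ips_x = query("127.0.0.1", 53, blocked)
    except (OSError, ValueError):
        return False
    return bool(ips_u) and bool(ips_b) and ips_x == ["0.0.0.0"]

if __name__ == "__main__":  # exit status is what a keepalived vrrp_script checks
    raise SystemExit(0 if chain_healthy() else 1)
```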
## Blocky configuration

```yaml
upstreams:
  strategy: strict
  groups:
    default:
      - 127.0.0.1:5335
      - 9.9.9.9
      - 149.112.112.112

blocking:
  denylists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://adaway.org/hosts.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
    suspicious:
      - https://v.firebog.net/hosts/static/w3kbl.txt
    tracking:
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://v.firebog.net/hosts/Prigent-Ads.txt
    malicious:
      - http://phishing.mailscanner.info/phishing.bad.sites.conf
      - https://v.firebog.net/hosts/Prigent-Crypto.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts

  clientGroupsBlock:
    default:
      - ads
      - suspicious
      - tracking
      - malicious

ports:
  dns: 53
  http: 4000

prometheus:
  enable: yes

caching:
  minTime: 60s
  maxItemsCount: 10000
  prefetching: yes
  prefetchMaxItemsCount: 2000

queryLog:
  type: csv-client
  target: /home/jas/dns-query-logs
  logRetentionDays: 5

clientLookup:
  upstream: 10.0.0.1
  singleNameOrder:
    - 1
```

## END
Last updated: 2025-01-05

=> ../gemlog Gemlog archive
=> ../ hyperreal.coffee