My personal website and Gemini capsule
+++
title = 'My network-wide bullshit blocking setup'
date = 2025-01-04
tags = ['networking', 'dns', 'adblock', 'blocky', 'tailscale', 'sbc']
+++

## Orange Pi 5 Plus

* Unbound as the recursive DNS resolver, listening on 127.0.0.1:5335.
* [Blocky](https://0xerr0r.github.io/blocky/latest/) as the DNS proxy for ad, tracker and malware blocking, listening on 0.0.0.0:53 and using Unbound on 127.0.0.1:5335 as its upstream resolver.
* Tailscale with `--accept-dns=false`, so MagicDNS does not rewrite the Pi's own resolver settings.
* `unbound-resolvconf.service` is disabled and `/etc/resolv.conf` is not managed by any service, so I just put `nameserver 9.9.9.9` in it for the Pi's own lookups. Note that this means the Pi itself bypasses Blocky and Unbound and talks straight to Quad9; only clients of port 53 get the blocking.

I intend to eventually make this fault-tolerant by using another device as a failover with keepalived; where and what that device will be is still to be determined. Blocky is configured with the `strict` strategy for the `upstreams` setting, so if the topmost upstream times out or errors, Blocky falls back to the next one in the list, which is Quad9. One idea is to set up a cheap VPS on Vultr and run a public DNS resolver on it, but Quad9 is fine for now. Using a completely self-hosted recursive DNS resolver is fairly important to me, but as long as queries are not going through Google or my ISP it is fine.

The Orange Pi 5 Plus's Tailnet IP address is configured as my Tailnet's global nameserver, so every device on my Tailnet that uses MagicDNS (that is, accepts Tailscale's DNS settings) resolves through Blocky and Unbound. Devices that run with `--accept-dns=false`, like the Pi itself, keep whatever resolver they already had.
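As an added check for the chain described above (example code written for this post, not the author's tooling or anything shipped with Blocky or Unbound), the script below hand-builds a DNS query and probes each hop: Unbound directly on 127.0.0.1:5335, then Blocky on 127.0.0.1:53, once with a name that should resolve and once with a name that should be blocked. It assumes Blocky's default `blockType` of `zeroIp` (a blocked name answers `0.0.0.0`) and that `doubleclick.net` appears on one of the ads lists; both names are placeholders to adjust. Run it on the Pi, since Unbound only listens on loopback.

```python
"""Probe the Unbound -> Blocky chain with a hand-built DNS query.

Added example for this post, not the author's or Blocky's own code.
Assumptions: Unbound on 127.0.0.1:5335, Blocky on 127.0.0.1:53 (run this on
the Pi, since Unbound only listens on loopback), Blocky's default blockType of
zeroIp (blocked names answer 0.0.0.0), and doubleclick.net on an ads list.
"""
import socket
import struct

TXID = 0x1234                  # a fixed id is fine for a one-shot local probe
BLOCKED_ANSWERS = {"0.0.0.0"}  # zeroIp sinkhole; NXDOMAIN is handled separately


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build an RFC 1035 A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_answer(msg: bytes) -> dict:
    """Extract transaction id, RCODE and the IPv4 addresses from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "a": ips}


def classify(resp: dict) -> str:
    """'blocked' for a sinkhole or NXDOMAIN answer, 'resolved' for real addresses."""
    if resp["rcode"] == 3 or (resp["a"] and set(resp["a"]) <= BLOCKED_ANSWERS):
        return "blocked"
    if resp["rcode"] == 0 and resp["a"]:
        return "resolved"
    return "error"


def probe(server: str, port: int, name: str, timeout: float = 2.0) -> str:
    """Send one query over UDP and classify the reply; 'timeout' if none arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    resp = parse_answer(data)
    return classify(resp) if resp["id"] == TXID else "error"


def check_chain(allowed: str = "example.com", blocked: str = "doubleclick.net") -> dict:
    """Expected on a healthy Pi: Unbound resolves both names (it does no
    filtering), Blocky resolves `allowed` and blocks `blocked`."""
    return {
        "unbound:" + allowed: probe("127.0.0.1", 5335, allowed),
        "unbound:" + blocked: probe("127.0.0.1", 5335, blocked),
        "blocky:" + allowed: probe("127.0.0.1", 53, allowed),
        "blocky:" + blocked: probe("127.0.0.1", 53, blocked),
    }


if __name__ == "__main__":
    for hop, result in check_chain().items():
        print(f"{hop:30s} {result}")
```

The interesting failure mode is `unbound:` rows timing out while the `blocky:` rows still resolve: that is the `strict` strategy silently falling through to Quad9, which is worth alerting on until the keepalived failover exists.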

## Blocky configuration

```yaml
upstreams:
  strategy: strict          # query in order; fall through to Quad9 only if Unbound fails
  groups:
    default:
      - 127.0.0.1:5335      # local Unbound recursive resolver
      - 9.9.9.9             # Quad9 fallback
      - 149.112.112.112

blocking:
  denylists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://adaway.org/hosts.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
    suspicious:
      - https://v.firebog.net/hosts/static/w3kbl.txt
    tracking:
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://v.firebog.net/hosts/Prigent-Ads.txt
    malicious:
      # fetched over plain HTTP, so this list is not integrity-protected in transit
      - http://phishing.mailscanner.info/phishing.bad.sites.conf
      - https://v.firebog.net/hosts/Prigent-Crypto.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts

  clientGroupsBlock:
    default:
      - ads
      - suspicious
      - tracking
      - malicious

ports:
  dns: 53
  http: 4000                # REST API and Prometheus metrics endpoint

prometheus:
  enable: yes

caching:
  minTime: 60s
  maxItemsCount: 10000
  prefetching: yes
  prefetchMaxItemsCount: 2000

queryLog:
  type: csv-client          # one CSV file per client in the target directory
  target: /home/jas/dns-query-logs
  logRetentionDays: 5

clientLookup:
  upstream: 10.0.0.1        # reverse (PTR) lookups for client names go to the LAN router
  singleNameOrder:
    - 1
```
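With `csv-client` logging, Blocky writes one file per client under `target`, which makes "which device is hitting the malicious lists?" a cheap question to answer. The summariser below is an added example (not the post's or Blocky's code) that counts blocked queries per client and per denylist group and raises an alert for hits on the `malicious` group. It runs over constructed sample lines; the tab-separated column order is an assumption about Blocky's CSV writer, as is the `*.log` file naming, so compare both against a real file in `/home/jas/dns-query-logs` before relying on it.

```python
"""Summarise Blocky csv-client query logs: blocked queries per client and per
denylist group, plus alerts for clients that hit the 'malicious' group.

Added example for this post, not the author's or Blocky's own code. The column
order in COLUMNS and the *.log file naming are assumptions about Blocky's
tab-separated CSV writer; verify them against a real file under queryLog.target.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from pathlib import Path

# Assumed tab-separated column layout of one csv-client log line.
COLUMNS = ["time", "client_ip", "client_name", "duration_ms", "reason",
           "question", "answer", "rcode", "response_type", "qtype", "hostname"]

# Block reasons look like "BLOCKED (group)"; "BLOCKED IP (group)" is accepted too
# in case IP-based blocking is reported that way.
BLOCKED_RE = re.compile(r"^BLOCKED(?: IP)? \((?P<group>[^)]+)\)")

# Constructed sample log (not real traffic), in the assumed layout above.
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ["2025-01-04 10:00:01", "100.64.0.2", "laptop", "12", "RESOLVED (127.0.0.1:5335)",
     "A (example.com)", "A (93.184.216.34)", "NOERROR", "RESOLVED", "A", "orangepi"],
    ["2025-01-04 10:00:02", "100.64.0.2", "laptop", "0", "BLOCKED (ads)",
     "A (doubleclick.net)", "A (0.0.0.0)", "NOERROR", "BLOCKED", "A", "orangepi"],
    ["2025-01-04 10:00:03", "100.64.0.3", "phone", "1", "CACHED",
     "A (example.com)", "A (93.184.216.34)", "NOERROR", "CACHED", "A", "orangepi"],
    ["2025-01-04 10:00:04", "100.64.0.3", "phone", "0", "BLOCKED (malicious)",
     "A (phish.example.net)", "A (0.0.0.0)", "NOERROR", "BLOCKED", "A", "orangepi"],
    ["2025-01-04 10:00:05", "100.64.0.3", "phone", "0", "BLOCKED (tracking)",
     "A (tracker.example.org)", "A (0.0.0.0)", "NOERROR", "BLOCKED", "A", "orangepi"],
])


def parse_lines(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) == len(COLUMNS):
            yield dict(zip(COLUMNS, row))


def summarise(text: str, alert_groups=("malicious",)) -> dict:
    """Count queries and blocks per client/group; collect alerts for alert_groups."""
    total = Counter()
    per_group = Counter()
    per_client = defaultdict(Counter)
    alerts = []
    for entry in parse_lines(text):
        client = entry["client_name"] or entry["client_ip"]  # PTR lookup may have failed
        total[client] += 1
        match = BLOCKED_RE.match(entry["reason"])
        if not match:
            continue
        group = match.group("group")
        per_group[group] += 1
        per_client[client][group] += 1
        if group in alert_groups:
            alerts.append((entry["time"], client, entry["question"]))
    return {
        "total": dict(total),
        "per_group": dict(per_group),
        "per_client": {c: dict(g) for c, g in per_client.items()},
        "alerts": alerts,
    }


def summarise_dir(log_dir: str) -> dict:
    """Run summarise() over every *.log file in a csv-client target directory."""
    text = "\n".join(p.read_text() for p in sorted(Path(log_dir).glob("*.log")))
    return summarise(text)


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for client, groups in report["per_client"].items():
        print(f"{client}: {groups} of {report['total'][client]} queries")
    for when, client, question in report["alerts"]:
        print(f"ALERT {when} {client} -> {question}")
```

A client that keeps showing up in the `malicious` alerts after the block is the one to look at for a compromised app or extension; the block stops the lookup, not whatever issued it. Note also that `logRetentionDays: 5` means this window is short, so anything feeding alerts should run at least daily.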