###################################################################
# unbound-adblock 0.4 NetBSD Installation Instructions
# Copyright 2020 Jordan Geoghegan
###################################################################

###################################################################
# Notes:
###################################################################

1) This guide assumes you know how to set up Unbound. If not, there are
   plenty of online guides to setting up Unbound.

   NetBSD Unbound Quick Start:

   pkgin install unbound mozilla-rootcerts
   ftp https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example
   install -m 644 -o root -g unbound unbound.conf.example /etc/unbound/unbound.conf

   # Modify unbound.conf to suit your needs:
   vi /etc/unbound/unbound.conf

   # Enable and Start
   echo 'unbound="YES"' >> /etc/rc.conf
   service unbound start

###################################################################
# Fresh Installation Guide
###################################################################

1) Install and configure Unbound as a local recursive DNS server

   An example unbound.conf can be found here:
   https://www.geoghegan.ca/pub/unbound-adblock/0.4/unbound.conf.example

2) Download script:

   $ ftp https://geoghegan.ca/pub/unbound-adblock/0.4/unbound-adblock.sh

3) Create a new user (we'll call ours "_adblock")

   The user should be created with a default shell of "nologin" and an
   empty password (disables password logins).

   # useradd -s /sbin/nologin _adblock

4) Install script with appropriate permissions

   # install -m 755 -o root -g bin unbound-adblock.sh /usr/pkg/bin/unbound-adblock.sh

5) Create /etc/unbound/adblock.conf:

   # install -m 640 -o _adblock -g unbound /dev/null /etc/unbound/adblock.conf

6) Install 'doas' utility

   # pkgin install doas

7) Give user '_adblock' strict doas permission for the exact command the
   script needs to run as superuser.

   NOTE: Unlike 'sudo', _ALL_ users must be explicitly granted permission
   to use doas, even the root user.
   $ cat /usr/pkg/etc/doas.conf
   permit root
   permit nopass _adblock cmd service args unbound restart

8) Add a line to your unbound.conf located BEFORE the forwarders section:

   ...
   include: /etc/unbound/adblock.conf
   ...

9) Run script manually using the '-netbsd' argument

   # doas -u _adblock sh /usr/pkg/bin/unbound-adblock.sh -netbsd
   unbound(ok)

10) For good measure, we'll run the unbound-adblock.sh script once more

   # doas -u _adblock sh /usr/pkg/bin/unbound-adblock.sh -netbsd

11) Edit _adblock crontab to run unbound-adblock.sh every night at midnight

   # crontab -u _adblock -e
   @midnight /bin/sh /usr/pkg/bin/unbound-adblock.sh -netbsd

Yay! unbound-adblock is now installed! With the nightly cron job, the list
will be regularly updated with the latest known bad hosts.

X) OPTIONAL -- Add the following line to your pf.conf:

   NOTE: This rule intercepts DNS traffic bound for Google DNS servers.
   Google mandates the use of their DNS servers in many apps and services.
   Many devices also use hardcoded Google DNS that cannot be changed.
   This is both a privacy and freedom concern. This should help rectify
   the issue:

   (This rule should be run on your router/gateway)

   ...
   # Replace $adblock with the IP address of the Unbound machine
   pass in quick to {8.8.8.8, 8.8.4.4} rdr-to $adblock
   ...

   -- Reload your pf rule set:

   # pfctl -f /etc/pf.conf
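Two of the steps above fail silently when done slightly wrong: a doas.conf rule for _adblock that omits the "cmd service args unbound restart" restriction hands that account unrestricted root, and an "include: /etc/unbound/adblock.conf" line placed after the forward-zone section does not take effect the way the guide expects. The script below is an added example, not part of unbound-adblock or of this guide: it checks both conditions against a file path, so it can be pointed at the real /usr/pkg/etc/doas.conf and /etc/unbound/unbound.conf, and it ships with constructed sample files so it runs offline. The helper names (include_before_forwarders, doas_rule_is_strict, report) and the sample contents are this example's own, not anything from the project.

```shell
#!/bin/sh
# Added example, not part of unbound-adblock: post-install checks for the
# doas rule and for the placement of the include line in unbound.conf.
# Both helpers take a file path; the sample files at the bottom are
# constructed here (not real system files) so the script runs offline.

# include_before_forwarders CONF
# Exit 0 when CONF has "include: /etc/unbound/adblock.conf" and that line
# comes before the first "forward-zone:" block; exit 1 otherwise.
include_before_forwarders() {
    awk '
        /^[[:space:]]*include:[[:space:]]*\/etc\/unbound\/adblock\.conf[[:space:]]*$/ {
            if (!inc) inc = NR
        }
        /^[[:space:]]*forward-zone:/ {
            if (!fwd) fwd = NR
        }
        END {
            if (!inc) exit 1              # include line missing entirely
            if (fwd && fwd < inc) exit 1  # include comes after the forwarders
            exit 0
        }
    ' "$1"
}

# doas_rule_is_strict CONF
# Exit 0 when every "permit" rule naming _adblock in CONF is limited to
# "cmd service args unbound restart" and at least one such rule exists;
# exit 1 if _adblock has no rule or any rule for it is broader than that.
doas_rule_is_strict() {
    awk '
        $1 == "permit" && $0 ~ /(^|[[:space:]])_adblock([[:space:]]|$)/ {
            total++
            if ($0 ~ /[[:space:]]cmd[[:space:]]+service[[:space:]]+args[[:space:]]+unbound[[:space:]]+restart[[:space:]]*$/) ok++
        }
        END { if (total > 0 && ok == total) exit 0; exit 1 }
    ' "$1"
}

# --- Constructed samples (hypothetical contents, not real system files) ----
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/adblock-check.XXXXXX")
trap 'rm -rf "$SAMPLE_DIR"' EXIT

GOOD_CONF="$SAMPLE_DIR/unbound-good.conf"
cat > "$GOOD_CONF" <<'EOF'
server:
    interface: 127.0.0.1
include: /etc/unbound/adblock.conf
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
EOF

BAD_CONF="$SAMPLE_DIR/unbound-bad.conf"
cat > "$BAD_CONF" <<'EOF'
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
include: /etc/unbound/adblock.conf
EOF

GOOD_DOAS="$SAMPLE_DIR/doas-good.conf"
cat > "$GOOD_DOAS" <<'EOF'
permit root
permit nopass _adblock cmd service args unbound restart
EOF

BAD_DOAS="$SAMPLE_DIR/doas-bad.conf"
cat > "$BAD_DOAS" <<'EOF'
permit root
# too broad: lets _adblock run any command as root
permit nopass _adblock
EOF

# report LABEL FUNC FILE: print whether FUNC accepts FILE
report() {
    if "$2" "$3"; then echo "accepted: $1"; else echo "rejected: $1"; fi
}

report "include before forward-zone (good sample)" include_before_forwarders "$GOOD_CONF"
report "include after forward-zone (bad sample)"   include_before_forwarders "$BAD_CONF"
report "doas rule limited to one command (good)"   doas_rule_is_strict "$GOOD_DOAS"
report "doas rule with no cmd restriction (bad)"   doas_rule_is_strict "$BAD_DOAS"
```

To check a live system, call the two functions with the real paths, e.g. `include_before_forwarders /etc/unbound/unbound.conf` and `doas_rule_is_strict /usr/pkg/etc/doas.conf`; the exit status is what a cron job or rc script would act on.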