Hello people, i need some advice how to enable downloaded dns blocklists on Unbound and use them. I'm trying to use multiple blocklists from the hagezi github and using the links provided specially for use in Unbound. In the logs i see that the domain names for the download links are resolved but it would not download them ? Im attaching a screenshot with the logs.
Nvm i figured it out..
Additional http location to download blacklists from, only plain text files containing a list of fqdn's (e.g. my.evil.domain.com) are supported.
could you explain what exactly you have figured out? I was searching for this topic and found your question here. Would be great if you could elaborate on it a bit. thanks
Hi, i cant recall now. I ended up using AdGuard Home for dns blocking, together with Unbound and DNSCrypt-Proxy.
Glad you found a solution with adguard.
You already mentioned in first post that the lists are specially for unbound following it's config format.
As documented, you would've needed a simple list of domains: https://docs.opnsense.org/manual/unbound.html#blocklists
But host files are working too and with recent update also lists including wildcard domains should work.
Hi, I would like to stick just with the native blocklists in opnsense. Do you know which kind of lists should be preferred? Which ones are best for performance? Wildcard or hosts/domains?
Wildcard domains will make list a lot smaller, which should be preferred IMO, but i have no experience with as it is pretty new.
Between domain list and hosts file there shouldn't be much difference.
You really shouldn't see much of a performance difference regarding the lists. I'm currently using half a dozen of them which results in about a quarter of a million entries and I'm not seeing any issues.
There's two ways to determine what lists to run and it's really dependent on your tolerance for nitpicking. Both require you to turn on the Unbound Reporting.
1. Enable all lists. When something doesn't work, go to the Unbound Reporting page and see what was blocked and by which list. Either add it as an allowed domain or disable the list. If you add it as an allowed domain, keep track of which list blocked it. If you start getting a bunch from the same list, you're probably better offer disabling that list.
2. Enable a list. If it doesn't break anything and you're happy with the results, enable another. Keep going until you're satisfied.
In turns of getting started, you really can't go wrong with the Stephen Black list. That will work for the vast majority of people with no tweaking.