I have created an OPNsense plugin for Blocky DNS.
Anybody who wants to use this is welcome to try; it is available here (https://github.com/gspannu/OPN-Plugins).
Read the Blocky website (https://0xerr0r.github.io/blocky/latest/) for more details about Blocky and its extensive configuration options.
It is a beginner effort for a plugin, but I have been using this for many months now; it is stable and does a great job of providing DNS resolution, blocking ads, and caching DNS queries. All configuration is done manually through the YAML file.
Anyone who wants to use this base as a starting point to develop a full-fledged plugin with logging, configuration, etc., please let me know and I will happily collaborate.
.... last but not least, this was inspired and helped by hero member Monviech (https://forum.opnsense.org/index.php?action=profile;u=26898).
-------------------------------------------------------------------
Updated: 01 March 2025
This now includes various plugins... (AdGuardHome, Blocky, ControlD, NextDNS, Speedtest)
1) Here is the Github (https://github.com/gspannu/OPN-Plugins-Source) link for source code
2) And the Github (https://github.com/gspannu/OPN-Plugins) link for the plugin repos
I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.
Essentially I'm interested in this plugin since it uses a go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky
Quote from: Monviech on September 03, 2024, 04:38:07 PM
I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.
Essentially I'm interested in this plugin since it uses a go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky
The code is here on Github (https://github.com/gspannu/OPNsense-Plugins-source)
It is a very simple plugin, identical to the AdGuard Home plugin and built on the same code. I would absolutely love it if you would take this on and build a full-fledged plugin as you did with os-caddy.
Really appreciate your work there... 🙏🏻
Thanks, I'll look at it but no promises. I don't have a lot of freetime lately. Hehe. Thanks for your work so far here.
Quote from: gspannu on September 03, 2024, 05:14:24 PM
The code is here on Github (https://github.com/gspannu/OPNsense-Plugins-source)
It is a very simple plugin, identical to AdGuard Home plugin and built on the same code.
What's the point? There is an AdGuard Home plugin, already.
Isn't choice a good thing?
There's 4 reverse proxies too.
Edit:
Seems like the license of the plugin source code files is not an open source license. It's just a copyright.
Quote from: Monviech on September 03, 2024, 06:16:50 PM
Isn't choice a good thing?
There's 4 reverse proxies too.
But they are not all built on the same code.
Quote from: Monviech on September 03, 2024, 06:16:50 PM
Isn't choice a good thing?
There's 4 reverse proxies too.
Edit:
Seems like the license of the plugin source code files is not an open source license. It's just a copyright.
Quote from: Patrick M. Hausen on September 03, 2024, 06:27:31 PM
But they are not all built on the same code.
By built on the same code, I meant the underlying principles of the plugin are very similar. AGH plugin provides AdGuardHome (https://github.com/AdguardTeam/AdguardHome), while my plugin provides Blocky (https://github.com/0xERR0R/blocky).
---
@Monviech:
The Github code that references my name at some places is not really a copyright. This plugin was just for my internal use, so my name is probably littered across a load of files.
There is nothing copyrighted about the code absolutely in any shape or form.
If you are looking to create a proper Blocky plugin (aka Caddy), please feel free to copy/use/discard/edit my code as deemed fit. Please disregard all copyright statements in my code and use freely.
I am honoured that you are looking to (possibly) create a Blocky plugin. Many thanks...
Quote from: gspannu on September 03, 2024, 09:40:32 PM
By built on the same code, I meant the underlying principles of the plugin are very similar.
AGH plugin provides AdGuardHome (https://github.com/AdguardTeam/AdguardHome), while my plugin provides Blocky (https://github.com/0xERR0R/blocky).
Thanks for clarifying. Not being familiar with Blocky I assumed you somehow cloned the AGH plugin and renamed it "Blocky" for "reasons". Apologies if that came across as a bit snarky.
Quote from: Patrick M. Hausen on September 03, 2024, 09:45:58 PM
Quote from: gspannu on September 03, 2024, 09:40:32 PM
By built on the same code, I meant the underlying principles of the plugin are very similar.
AGH plugin provides AdGuardHome (https://github.com/AdguardTeam/AdguardHome), while my plugin provides Blocky (https://github.com/0xERR0R/blocky).
Thanks for clarifying. Not being familiar with Blocky I assumed you somehow cloned the AGH plugin and renamed it "Blocky" for "reasons". Apologies if that came across as a bit snarky.
No need to apologise, please... and no offence taken. I had half-guessed that you had probably misunderstood. And I think I could/should have worded my post more clearly that the plugin provides another adblocking DNS solution...
Before creating anything, what's the actual benefit of blocky?
I can see it using lists you have to prefetch, e.g. from github.
Is there any actual benefit here compared to just using Unbound with Blocklists? That's already there and in core.
/ui/unbound/dnsbl/index
https://docs.opnsense.org/manual/unbound.html#blocklists
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf
Just enable it, select e.g. "Steven Black List" and it will block all of this list here: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Also, if the benefit is the micro management via client groups, that could make the plugin pretty complicated. And offering the full DNS server capabilities is kinda pointless, since Unbound is already in core doing everything it would do, and additionally there is also DNSmasq, in core. Extending whats there would make more sense imo.
It's not my intention to sound mean here, but I want to know the benefits in contrast to just using unbounds existing feature from /core.
The key benefits (over Unbound and AdGuard Home) are...
- Extensive support for individual client configurations and customisation
- Fine control over caching of DNS responses and prefetch (e.g. Blocky allows prefetch only for entries that have been queried 'a' times in 'b' time-period, for a total max of 'x' entries in cache and pre-fetch of only 'y' entries, etc.). One can really lower DNS query times by caching/pre-fetching frequently used items by customising these values. Unbound and AGH also allow this, but Blocky seems to allow much finer control.
- API support to enable/ disable individual block/allow lists, etc..
- regex support in block/allow lists
- Push query statistics to external databases like mysql, postgresql or locally as csv
- Prometheus metrics endpoint
- Redis/Sentinel support for multiple Blocky instances (if running redundant systems, DNS cache can be synced for superior DNS cache management)
- Acts as DoT/DoH end point (if needed for roadwarrior clients)
----------------
If Unbound in OPNsense would allow client level customisation regarding block/allow lists, I probably would have stuck with Unbound blocklists.
I believe that Unbound can do client level blocking customisation using tags and views - but it seems unsupported in OPNsense Unbound implementation at the moment.
Maybe expanding Unbound to support tags/ views to achieve client customisation may be a more popular/useful plugin project and that would have a wider audience appeal and long term usage.... and as you state, more inline with Unbound core.
Interesting. If thats the exact scope and usecase why people choose adguard home or blocky, and the same goal can be reached in Unbound, maybe create an issue with a feature request in Opnsense Core for this feature:
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html
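As an added example of the tags/views mechanism linked above (it is not OPNsense's Unbound template and not code from the plugin discussed in this thread), here is an unbound.conf fragment that keeps every client on Unbound while varying the blocking by source address. The netblocks, zone names and the "lab" view are assumptions chosen for illustration. On OPNsense this would have to reach Unbound as custom configuration, which is the part the GUI does not currently offer (the gap described in the preceding post).

```conf
server:
    # Added example (not from OPNsense or Blocky); all netblocks are assumptions.
    interface: 0.0.0.0
    define-tag: "ads kids"

    # Everyone in the LAN gets the "ads" tag; the kids VLAN also gets "kids".
    # access-control entries match most-specific-netblock-first, so the admin
    # host below wins over both broader entries and carries no tag at all.
    access-control: 192.168.0.0/16 allow
    access-control-tag: 192.168.0.0/16 "ads"
    access-control: 192.168.2.0/24 allow
    access-control-tag: 192.168.2.0/24 "ads kids"
    access-control: 192.168.1.10/32 allow

    # A tagged local-zone only acts on clients whose tags overlap with the
    # zone's tags. A client with no overlapping tag (the admin host) resolves
    # the name normally, which is the per-client exemption asked for here.
    local-zone: "doubleclick.net." always_nxdomain
    local-zone-tag: "doubleclick.net." "ads"
    local-zone: "tiktok.com." always_nxdomain
    local-zone-tag: "tiktok.com." "kids"

    # Views go one step further: a client assigned to a view gets that view's
    # zones first and, with view-first, falls back to the global zones above.
    access-control-view: 192.168.1.20/32 "lab"

view:
    name: "lab"
    view-first: yes
    local-zone: "lab.example." static
    local-data: "host1.lab.example. A 10.10.10.1"
```

After loading this, `unbound-checkconf` validates the syntax, and `dig @<unbound-ip> doubleclick.net` from a host in 192.168.2.0/24 should return NXDOMAIN while the same query from 192.168.1.10 should resolve normally.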
Quote from: Monviech on September 08, 2024, 06:14:57 AM
Interesting. If that's the exact scope and usecase why people choose adguard home or blocky, and the same goal can be reached in Unbound, maybe create an issue with a feature request in Opnsense Core for this feature:
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html
OPNsense (a few versions back) used to allow custom configuration of Unbound and it was likely possible to achieve these enhanced configs. I think with the latest version of OPNsense's Unbound implementation, a lot of the custom configuration has been lost... hence a lot of movement towards AGH/Blocky.
I personally would just stick with Unbound - if it was possible to have different clients use different blocklists or bypass blocking completely, and still have everything routed through Unbound for its caching and resolver abilities.
Another thing needed in Unbound is support for sequential order of upstream DNS (something that dnsmasq does very well with its strict-order parameter in the conf file, and Blocky supports it very well too).
With Unbound, there is no mechanism to control the behaviour if using Unbound as a plain forwarder.
A lot of people run their own DNS servers (with redundancy across different addresses) and would like Unbound to only use the specific upstream if the first one fails.... sequential order.
Unbound is very powerful, but I think it needs some more options exposed in OPNsense to make it a real powerful DNS resolver/forwarder/adblocker, etc..... or at the very minimum needs to support custom.conf files where users can configure it to behave as desired.
Thank you for looking into this...
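To make the benefits listed earlier (per-client groups, regex lists, prefetch tuning, query logging, metrics, DoT/DoH) and the sequential-upstream request in this post concrete, here is a Blocky config.yml as an added example. It is not taken from gspannu's plugin or from the Blocky project; the addresses, VLANs, hostnames, group names and file paths are assumptions chosen for illustration (the Steven Black list URL is the one quoted earlier in the thread). Key names follow the current Blocky documentation linked at the top of the thread; older releases spelled denylists/allowlists as blackLists/whiteLists and upstreams.groups as upstream. How overlapping client entries combine is assumed below and should be checked against that documentation.

```yaml
# Added example config.yml for Blocky; all addresses, groups and paths are assumptions.
upstreams:
  groups:
    default:
      - 10.0.0.2            # primary internal resolver (assumed)
      - 10.0.0.3            # only used when 10.0.0.2 fails (see strategy)
      - tcp-tls:1.1.1.1:853 # last resort, DoT to a public resolver
  # strict = try the upstreams in the listed order, like dnsmasq strict-order;
  # the default parallel_best races them and keeps the fastest answer
  strategy: strict
  timeout: 2s

blocking:
  denylists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    kids:
      # inline list: entries between slashes are regular expressions
      - |
        /^(.*\.)?tiktok\.com$/
        /^(.*\.)?discord(app)?\.com$/
  allowlists:
    ads:
      - |
        /^(.*\.)?example\.org$/
  # which list groups apply to which client (key = IP, CIDR or client name);
  # assumption: a client that matches an explicit entry uses that entry's
  # groups instead of "default"
  clientGroupsBlock:
    default:
      - ads
    192.168.2.0/24:        # kids VLAN: ads plus the kids list
      - ads
      - kids
    192.168.1.10:          # admin workstation: a group with no lists = unfiltered
      - unfiltered
  blockType: zeroIp
  blockTTL: 1m

caching:
  minTime: 5m
  maxTime: 30m
  maxItemsCount: 0          # 0 = unlimited
  prefetching: true
  prefetchExpires: 2h       # window in which a name counts as "frequently used"
  prefetchThreshold: 5      # prefetch only names queried at least 5 times in it
  prefetchMaxItemsCount: 0

queryLog:
  type: csv
  target: /var/log/blocky
  logRetentionDays: 7

prometheus:
  enable: true
  path: /metrics

ports:
  dns: 53
  tls: 853      # DoT endpoint for roadwarrior clients
  https: 443    # DoH endpoint; needs the certificate below
  http: 4000    # REST API (list enable/disable etc.) and /metrics
certFile: /usr/local/etc/blocky/server.crt
keyFile: /usr/local/etc/blocky/server.key
```

`blocky validate --config config.yml` checks the file before it is put in place, and `blocky blocking disable --duration 5m` (against the API port above) is the list-toggle use the benefits list refers to.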
So to lock down the scope, without promising anything:
- If there would be an additional field inside blocklists, in which multiple IP addresses/networks can be input, and these would be exempt from the blocklist, that would make the Unbound implementation already fit a lot more use cases?
I imply, most people want to block everything, for example for kids/staff etc..., and exempt themselves from the same blocking.
Since it would be only one additional item in the menu, maybe that scope can be satisfied. (I didn't check yet, just implying here.)
I use firewall port forwarding rules to forward only the requests of clients I want to be protected/filtered to AGH while the rest goes to Unbound without any filtering.
I have yet to find a use case where I would need different policies in AGH for different clients.
Quote from: Monviech on September 08, 2024, 05:49:35 PM
So to lock down the scope, without promising anything:
- If there would be an additional field inside blocklists, in which multiple IP addresses/networks can be input, and these would be exempt from the blocklist, that would make the Unbound implementation already fit a lot more use cases?
I imply, most people want to block everything, for example for kids/staff etc..., and exempt themselves from the same blocking.
Since it would be only one additional item in the menu, maybe that scope can be satisfied. (I didn't check yet, just implying here.)
I believe that will be an excellent addition to Unbound, adding the ability to exclude certain IP addresses, network ranges, etc from default blocking.
If you are going to look at the Unbound code, is there any possibility of adding Regex to the blocking lists? I know I am being greedy!
I don't know, I'm gonna talk with others about what's possible and if it's a good idea to add more options to Blocklists.
Quote from: Monviech on September 08, 2024, 09:04:29 PM
I don't know, I'm gonna talk with others about what's possible and if it's a good idea to add more options to Blocklists.
Thanks.
I think the exclusion of configurable IP addresses/ networks for blocklists will provide the best bang for the buck...
I just found out it's a feature of the OPNsense Business Edition. So it's already available in that version:
https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html
Quote from: Monviech on September 09, 2024, 09:29:03 AM
I just found out it's a feature of the OPNsense Business Edition. So it's already available in that version:
https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html
Any chance to make this feature available on the community edition... or some patch at the moment to at least try out the feature.
I am a home user...
Quote from: Monviech on September 09, 2024, 09:29:03 AM
I just found out it's a feature of the OPNsense Business Edition. So it's already available in that version:
https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html
@Franco/ @Monviech
Unbound extended blocklists (or more specifically the ability to exclude certain IP addresses/ranges from default adblocking) - can this feature be made available in the community edition please?
Or some mechanism/hack to try it out in the community version?
Many thanks...
You can do that with AdGuard Home already.
and, from all the posts over time with people encountering problems with lists in Unbound, makes more sense to me to leave this on the add-ons that already do it like AdGH.
Quote from: cookiemonster on September 10, 2024, 12:19:16 AM
and, from all the posts over time with people encountering problems with lists in Unbound, makes more sense to me to leave this on the add-ons that already do it like AdGH.
Quote from: Patrick M. Hausen on September 09, 2024, 11:52:59 PM
You can do that with AdGuard Home already.
Thank you for the suggestions. I am already using AGH and also Blocky (this conversation started with a plugin for the same).
The whole idea is to have this feature in Unbound, and since it appears that this is already available in OPNsense Business Edition, my request is to also make it accessible in the Community Edition as well - I am guessing it should be relatively easy (barring any commercial implications).
There will be all types of users, some will use AGH, some will use Blocky, some will stick with plain old simple dnsmasq and some will use core Unbound (if it gains this additional functionality).... essentially providing more choice.
fair enough
Let's focus on Blocky again.
I can't really help much there, but I have looked at it.
You need proper templating with jinja2 to build the YAML file for it from the configuration items in the GUI.
Also you would have to build a better menu with the volt templates and controller form dialogues. You probably need to use Bootgrids for it, since you want multiple items per subnet/tag/etc.... Just look at the work I have done for Caddy (best the version in plugins/master since I refactored a lot), or a different plugin, and try to replicate that.
You would need to spend some more time to ensure everything you use yourself can be only configured from the GUI. I personally would focus on the most essential options first and the nice to haves later. Think about the core use of the plugin and why you need it, and build that GUI.
Afterwards you can open a PR in the OPNsense Plugins if you want, then we can look at it.
Quote from: Patrick M. Hausen on September 09, 2024, 11:52:59 PM
You can do that with AdGuard Home already.
I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.
That's why I prefer using extended blocklists as my solution.
Quote from: cgone on September 26, 2024, 06:35:26 PM
I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.
That's why I prefer using extended blocklists as my solution.
So do you mean blocklists in Unbound?
How do you configure certain specific clients to bypass adblocking but still use Unbound?
If one does not mind to install AdGuard Home ...
I have Unbound listening on *:53
I have AGH listening on 127.0.0.1:53530
I have AGH configured to use 127.0.0.1:53 as upstream
In each network where I want client systems to query AGH instead of Unbound I have a NAT Port Forwarding rule saying: destination TCP/UDP:53, "this firewall", forward to 127.0.0.1:53530
Works like a charm.
Quote from: gspannu on September 03, 2024, 05:14:24 PM
Quote from: Monviech on September 03, 2024, 04:38:07 PM
I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.
Essentially I'm interested in this plugin since it uses a go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky
The code is here on Github (https://github.com/gspannu/OPNsense-Plugins-source)
It is a very simple plugin, identical to the AdGuard Home plugin and built on the same code.
I would absolutely love it if you would take this on and build a full-fledged plugin as you did with os-caddy.
Really appreciate your work there... 🙏🏻
Was the source code removed?
Opening the link results in error 404:
Github (https://github.com/gspannu/OPNsense-Plugins-source)
Quote from: Firewire on February 28, 2025, 10:25:54 PM
Quote from: gspannu on September 03, 2024, 05:14:24 PM
Quote from: Monviech on September 03, 2024, 04:38:07 PM
I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.
Essentially I'm interested in this plugin since it uses a go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky
The code is here on Github (https://github.com/gspannu/OPNsense-Plugins-source)
It is a very simple plugin, identical to the AdGuard Home plugin and built on the same code.
I would absolutely love it if you would take this on and build a full-fledged plugin as you did with os-caddy.
Really appreciate your work there... 🙏🏻
Was the source code removed?
Opening the link results in error 404:
Github (https://github.com/gspannu/OPNsense-Plugins-source)
Apologies... I had updated the repository and it was marked private,
made it public again.
This now includes various plugins... (AdGuardHome, Blocky, ControlD, NextDNS, Speedtest)
1) Here is the Github (https://github.com/gspannu/OPN-Plugins-Source) link for source code
2) And the Github (https://github.com/gspannu/OPN-Plugins) link for the plugin repos
Just installed the Blocky package, thanks so much for providing an OPNsense version.
It works great and was out of the box compatible with my existing config.yml from my Blocky docker instance.
That's one thing why Blocky is great, the config.yml is easily deployable and requires minimal to no changes between platforms, with setting it up in minutes.
Would be great if your plugin could offer more functionalities over the OPNsense WebUI in future, for example editing the config.yml or showing the logs.
Now I have two blocky instances running on different hardware.
My DNS maintenance windows won't affect my family anymore. :)
Quote from: Firewire on March 01, 2025, 03:58:39 AM
Just installed the Blocky package, thanks so much for providing an OPNsense version.
It works great and was out of the box compatible with my existing config.yml from my Blocky docker instance.
That's one thing why Blocky is great, the config.yml is easily deployable and requires minimal to no changes between platforms, with setting it up in minutes.
Would be great if your plugin could offer more functionalities over the OPNsense WebUI in future, for example editing the config.yml or showing the logs.
Now I have two blocky instances running on different hardware.
My DNS maintenance windows won't affect my family anymore. :)
Thanks for the kind words.
Config options are going to be difficult, as there are far too many; however, the option of being able to edit the file directly within OPNsense GUI may still be a possibility.
Also, the idea of log file is good.
Will look at these at some point.
I do not actively develop anything, just tinker around with things when I have some time....
Hello, any reason why the Github page was removed?
https://github.com/gspannu/OPN-Plugins
Recognized it when my OPNsense told me the repo is unavailable when updating my packages.
You probably will have to ask the author: https://github.com/gspannu/
Quote from: Firewire on March 09, 2025, 09:52:19 AM
Hello, any reason why the Github page was removed?
https://github.com/gspannu/OPN-Plugins
Recognized it when my OPNsense told me the repo is unavailable when updating my packages.
Working now...
Thanks! It's working fine again