Advice on configuring Unbound and Bind plugin for ad-block

Started by mayo, November 08, 2018, 01:34:41 PM

Hi everybody,
I would like to configure my OPNsense as the internal DNS server for my home network.
I don't want to make mistakes, so may I ask what the best way is to configure Unbound and Bind to act (also) as an ad-blocker? I'm not sure how to route all traffic on the LAN to ask only OPNsense for DNS...
Any advice is well accepted!

Hi,

in my scenario I have configured OPNsense to use Unbound and to forward my requests to external servers (you can configure it as you wish). This is beneficial first because you can cache clients' requests, save a little bit of bandwidth and lower response times (unnoticeable). But you have to enable Unbound to accomplish this.

My technique is to provide a list of ad sites' URLs to Unbound and configure it to refuse DNS resolution for all of them. So far it seems to work very well and it catches most of the ads on web pages.

You can download the config file with the list that I have collected on the internet here: https://tofanos.com/gabri/media/ad-blacklist.conf.

Here are the steps to enable the configuration:

1) Enable SSH access to the firewall by checking System -> Settings -> Administration -> Enable Secure Shell
2) Secure copy the file in /var/unbound
3) Add "include: /var/unbound/ad-blacklist.conf" into Services -> Unbound DNS -> General -> Custom options
4) Save and apply changes
5) Disable SSH access by un-checking System -> Settings -> Administration -> Enable Secure Shell

Your clients have to use your firewall's LAN address now in order to use this feature.

You can test the new config by trying to resolve, from a client in your network, one of the URLs listed in the file. Let's use "adservices.google.com":

- On a laptop open the terminal and execute nslookup adservices.google.com
You should receive the following response: server can't find adservices.google.com: REFUSED

Now you can notice many "empty slots" in websites that you are viewing since all the ads are being blocked.

Hope this helps you out!
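An added example, not part of this post or of the linked ad-blacklist.conf: a small Python script that converts a hosts-style blocklist into the Unbound `local-zone ... refuse` entries the how-to relies on (the form that makes nslookup report REFUSED), while dropping comments, duplicates, and entries such as localhost or a bare TLD that would break normal resolution. The sample hosts text is constructed.

```python
import re
from typing import Iterable, List

# Constructed sample: a hosts-style blocklist as commonly distributed
# (not the file linked in the thread).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 adservices.google.com
0.0.0.0 ADSERVICES.GOOGLE.COM   # duplicate differing only in case
0.0.0.0 tracker.example.net
0.0.0.0 not a hostname!
0.0.0.0 com
"""

# RFC 1123 style labels; require at least two labels so a whole TLD is never refused.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Names that appear in hosts files but must never be refused by the resolver.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def extract_names(hosts_text: str) -> List[str]:
    """Return deduplicated, lowercased hostnames from hosts-style text."""
    seen, names = set(), []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        parts = line.split()
        # hosts format: <address> <name> [<alias> ...]; a bare name list is accepted too
        candidates = parts[1:] if re.match(r"^[0-9.:]+$", parts[0]) else parts
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen or not _HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def to_unbound_refuse(names: Iterable[str]) -> str:
    """Render names as Unbound local-zone entries that answer REFUSED."""
    lines = ["server:"] + [f'local-zone: "{n}" refuse' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the output to /var/unbound/ad-blacklist.conf and include it as in the steps above.
    print(to_unbound_refuse(extract_names(SAMPLE_HOSTS)), end="")
```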



Thank you mimugmail, I followed your how-to, but I have a question: I made a firewall rule for all the clients for port 53 before this configuration (similar to the one on the link for port 535350) for DNS requests. Do I have to disable it?

Do you use Unbound as primary resolver or just NAT to localhost/53530?


Then you don't need a firewall rule.
Just add an ACL in BIND for 127.0.0.0/8 and put it in Recursion.
Then in Unbound do the forward via Advanced option like in the howto.

thank you so much!
Do I have to delete rule for DNS on port 53 only or also for 53530 like described in the link (I have now two rules)?
For the ACL right now I filled in with my lan address, I will delete it and put 127.0.0.0/8 .
Sorry but I'm quite new to firewalling  :)

You can remove the firewall rules, as DNS is always allowed when using Unbound.

Quote from: mimugmail on November 13, 2018, 02:22:48 PM
Then you don't need a firewall rule.
Just add an ACL in BIND for 127.0.0.0/8 and put it in Recursion.
Then in Unbound do the forward via Advanced option like in the howto.

Tried to put 127.0.0/8 in the ACL but the bind plugin doesn't start.


For listen I have the defaults: IP 127.0.0.1 on port 53530
No logs for Bind: the file /var/log/named/named.log doesn't exist.


I've solved it by adding my LAN /24 to the ACL. Also in the ACL I have 127.0.0.0/8. Is it right?
(thank you for following me in the configuration  ;))
UPDATE: Bind started but there aren't query logs for the service.
UPDATE 2: Firewall rule created, Bind has started to log queries.