Block Google

Started by Mecallie, April 21, 2020, 03:56:10 PM

Hi folks,

I have set up Unbound as my LAN DNS server. I use OpenDNS for my upstream (via OPNsense).
A couple of days ago I installed the blacklist plugin for OPNsense. It seems to work: I get no ads.

However, I want to block everything Google (except YouTube). I have tried to find a nice list that blocks all the Google domains, but to no avail. So I put my own .txt file on my domain with, etc. in it: does not work. After that I thought I'd block all search engines via OpenDNS and make some exceptions for DuckDuckGo and Bing (maps): does not work either! For some reason I can still reach all the Google domains.

At least the OpenDNS way used to work fine. Is there something I am missing? Can there still be a different place where Unbound gets its names from?

I have not used your setup and mine works but gets wonky once in a big while...

My firewall is using port forwarding to listen on port 53 and forward those requests to a DNS server listening on another port like 5353. The DNS server listening is dnscrypt and it can get lists of domains to block that get automatically updated periodically. The lists I find are on GitHub such as social media, Microsoft, ads and tracking. In fact it is blocking too much and I find myself adding to the whitelist in the GUI often.

Not sure how much longer this will work for since the big browsers out there (Mozilla, Chrome..) plan to encrypt inside the program system similar to dnscrypt.

Just throwing this out there in case you give up on OpenDNS. I assume OpenDNS is unencrypted and your ISP is sniffing that traffic?

Thank you for your reply.

First: I found out what I did wrong. I had disabled forwarding in Unbound, thinking that it would forward all my requests to the upstream dns at once, without looking in the cache. Turns out "forwarding" just means "disable recursion". No idea why they would not just name it disable recursion :?

As for your setup: I think in the future I will need to configure a dnssec server for Mozilla or Windows. As for Chrome: I am guessing Google is going to do all to use their DNS servers in there. That's why they are using dns over https: way harder to block and filter, thus generating more data for them.

OpenDNS actually supports DNSSEC, so I would hope that is what's used when I configure it in OPNsense? As for my ISP looking in: I really don't mind that much. I want to spread my data, so that there is not ONE source that knows everything about me (Google). A few others that have data that they are mostly not allowed to use does not bother me that much :)

If you are looking to block certain malicious or annoying domains with Unbound, install the Unbound-Plus Plugin and configure the blacklist setting. Very easy to maintain and you can also add additional ones via URL. A good place to start is Steven Black on GitHub.
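
Added example, not part of the thread and not the OPNsense plugin's own code: a small converter that turns a hosts-format blocklist into Unbound `local-zone` lines while leaving an exception list (here YouTube) resolvable. The sample list and the `ALLOW_SUFFIXES` exception list are constructed for illustration.

```python
import re

# Constructed sample in hosts-file format (the layout hosts-style blocklists
# use); these entries are illustrative and not copied from a real list.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 google.com
0.0.0.0 www.google.com   # inline comment
0.0.0.0 Google-Analytics.com
0.0.0.0 www.youtube.com
0.0.0.0 youtube.com
0.0.0.0 not_a_valid_name!
0.0.0.0 google.com
"""
# Hypothetical exception list: these names and anything under them stay resolvable.
ALLOW_SUFFIXES = ("youtube.com",)

_LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}

def is_allowed(domain, allow=ALLOW_SUFFIXES):
    # Match on label boundaries so "notyoutube.com" is not treated as allowed.
    return any(domain == s or domain.endswith("." + s) for s in allow)

def parse_hosts(text):
    """Return unique, lower-cased, syntactically valid names in file order."""
    seen, out = set(), []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        for name in fields[1:]:                 # first column is the sink IP
            name = name.lower().rstrip(".")
            if name in _SKIP or name in seen or not _DOMAIN_RE.match(name):
                continue
            seen.add(name)
            out.append(name)
    return out

def to_unbound(domains, allow=ALLOW_SUFFIXES):
    # A local-zone covers the name and every name beneath it.
    return [f'local-zone: "{d}." always_nxdomain'
            for d in domains if not is_allowed(d, allow)]

if __name__ == "__main__":
    print("server:\n" + "\n".join("  " + l for l in to_unbound(parse_hosts(SAMPLE_HOSTS))))
```

Clients that resolve names over their own DNS-over-HTTPS resolver, as discussed earlier in the thread, bypass Unbound and are not affected by these zones.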