Blocky DNS (Alternate to AdGuard Home) available as plugin

Started by gspannu, September 03, 2024, 04:22:44 PM

I have created an OPNsense plugin for Blocky DNS.

Anybody who wants to use this is welcome to try it; it is available here.

Read the Blocky website for more details about Blocky and its extensive configuration options.

It is a beginner effort for a plugin, but I have been using this for many months now; it is stable and does a great job of providing DNS resolution, blocking ads, and caching DNS queries. All configuration is done manually through the YAML file.

If anyone wants to use this base starting point to develop a full-fledged plugin with logging, configuration, etc., please let me know and I will happily collaborate.

... last but not least, this was inspired and helped by hero member Monviech.

-------------------------------------------------------------------
Updated: 01 March 2025
This now includes various plugins... (AdGuardHome, Blocky, ControlD, NextDNS, Speedtest)

1) Here is the Github link for source code
2) And the Github link for the plugin repos

I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.

Essentially I'm interested in this plugin since it uses a Go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky

Hardware:
DEC740

Quote from: Monviech on September 03, 2024, 04:38:07 PM
I'd like to look at the source code of the plugin itself, but I can only see the compiled package in that repository. Would just interest me without having to install the package first.

Essentially I'm interested in this plugin since it uses a Go binary and it's available in the FreeBSD ports.
https://cgit.freebsd.org/ports/tree/dns/blocky

The code is here on Github
It is a very simple plugin, identical to AdGuard Home plugin and built on the same code.

I would absolutely love it if you would take this on and build a full-fledged plugin as you did with os-caddy.
Really appreciate your work there... 🙏🏻

Thanks, I'll look at it but no promises. I don't have a lot of free time lately. Hehe. Thanks for your work so far here.
Hardware:
DEC740

Quote from: gspannu on September 03, 2024, 05:14:24 PM
The code is here on Github
It is a very simple plugin, identical to AdGuard Home plugin and built on the same code.
What's the point? There is an AdGuard Home plugin, already.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Isn't choice a good thing?

There's 4 reverse proxies too.

Edit:

Seems like the license of the plugin source code files is not an open source license. It's just a copyright.
Hardware:
DEC740

Quote from: Monviech on September 03, 2024, 06:16:50 PM
Isn't choice a good thing?

There's 4 reverse proxies too.
But they are not all built on the same code.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech on September 03, 2024, 06:16:50 PM
Isn't choice a good thing?

There's 4 reverse proxies too.

Edit:

Seems like the license of the plugin source code files is not an open source license. It's just a copyright.
Quote from: Patrick M. Hausen on September 03, 2024, 06:27:31 PM
But they are not all built on the same code.

By built on the same code, I meant the underlying principles of the plugin are very similar.
AGH plugin provides AdGuardHome, while my plugin provides Blocky.

---

@Monviech:
The GitHub code that references my name in some places is not really a copyright. This plugin was just for my internal use, so my name is probably littered across a load of files.
There is nothing copyrighted about the code absolutely in any shape or form.

If you are looking to create a proper Blocky plugin (aka Caddy), please feel free to copy/use/discard/edit my code as deemed fit. Please disregard all copyright statements in my code and use freely.

I am honoured that you are looking to (possibly) create a Blocky plugin. Many thanks...

Quote from: gspannu on September 03, 2024, 09:40:32 PM
By built on the same code, I meant the underlying principles of the plugin are very similar.
AGH plugin provides AdGuardHome, while my plugin provides Blocky.
Thanks for clarifying. Not being familiar with Blocky I assumed you somehow cloned the AGH plugin and renamed it "Blocky" for "reasons". Apologies if that came across as a bit snarky.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 03, 2024, 09:45:58 PM
Quote from: gspannu on September 03, 2024, 09:40:32 PM
By built on the same code, I meant the underlying principles of the plugin are very similar.
AGH plugin provides AdGuardHome, while my plugin provides Blocky.
Thanks for clarifying. Not being familiar with Blocky I assumed you somehow cloned the AGH plugin and renamed it "Blocky" for "reasons". Apologies if that came across as a bit snarky.

No need to apologise, please... and no offence taken.
I had half-guessed that you had probably misunderstood. And I think I could/should have worded my post more clearly that the plugin provides another adblocking DNS solution...

September 07, 2024, 07:09:41 PM #10 Last Edit: September 07, 2024, 07:55:20 PM by Monviech
Before creating anything, what's the actual benefit of Blocky?

I can see it using lists you have to prefetch, e.g. from GitHub.

Is there any actual benefit here compared to just using Unbound with Blocklists? That's already there and in core.

/ui/unbound/dnsbl/index

https://docs.opnsense.org/manual/unbound.html#blocklists

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf

Just enable it, select e.g. "Steven Black List" and it will block all of this list here: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

Also, if the benefit is the micro management via client groups, that could make the plugin pretty complicated. And offering the full DNS server capabilities is kinda pointless, since Unbound is already in core doing everything it would do, and additionally there is also DNSmasq, in core. Extending what's there would make more sense imo.

It's not my intention to sound mean here, but I want to know the benefits in contrast to just using Unbound's existing feature from /core.
Hardware:
DEC740

The key benefits (over Unbound and AdGuard Home) are...

- Extensive support for individual client configurations and customisation
- Fine control over caching of DNS responses and prefetch (e.g. Blocky allows prefetch only for entries that have been queried 'a' times in 'b' time-period for a total max of 'x' entries in cache and pre-fetch of only 'y' entries, etc.). One can really lower DNS query times by caching/pre-fetching frequently used items by customising these values. Unbound and AGH also allow this, but Blocky seems to allow much finer control.
- API support to enable/disable individual block/allow lists, etc.
- Regex support in block/allow lists
- Push query statistics to external databases like MySQL, PostgreSQL or locally as CSV
- Prometheus metrics endpoint
- Redis/Sentinel support for multiple Blocky instances (if running redundant systems, DNS cache can be synced for superior DNS cache management)
- Acts as DoT/DoH endpoint (if needed for roadwarrior clients)

----------------
If Unbound in OPNsense would allow client level customisation regarding block/allow lists, I probably would have stuck with Unbound blocklists.
I believe that Unbound can do client level blocking customisation using tags and views - but it seems unsupported in OPNsense Unbound implementation at the moment.

Maybe expanding Unbound to support tags/views to achieve client customisation may be a more popular/useful plugin project and that would have a wider audience appeal and long term usage... and as you state, more in line with Unbound core.

Interesting. If that's the exact scope and use case why people choose AdGuard Home or Blocky, and the same goal can be reached in Unbound, maybe create an issue with a feature request in OPNsense Core for this feature:

https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html
Hardware:
DEC740

Quote from: Monviech on September 08, 2024, 06:14:57 AM
Interesting. If that's the exact scope and use case why people choose AdGuard Home or Blocky, and the same goal can be reached in Unbound, maybe create an issue with a feature request in OPNsense Core for this feature:

https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html

OPNsense (a few versions back) used to allow custom configuration of Unbound and it was likely possible to achieve these enhanced configs. I think with the latest version of OPNsense's Unbound implementation, a lot of the custom configuration has been lost... hence a lot of movement towards AGH/Blocky.

I personally would just stick with Unbound - if it was possible to have different clients use different blocklists or bypass blocking completely, and still have everything routed through Unbound for its caching and resolver abilities.

Another thing needed in Unbound is support of sequential order of upstream DNS (something that dnsmasq does very well with its strict-order parameter in the conf file and Blocky supports it very well too).

With Unbound, there is no mechanism to control the behaviour if using Unbound as a plain forwarder.
A lot of people run their own DNS servers (with redundancy across different addresses) and would like Unbound to only use the specific upstream if the first one fails... sequential order.

Unbound is very powerful, but I think it needs some more options exposed in OPNsense to make it a real powerful DNS resolver/forwarder/adblocker, etc... or at the very minimum needs to support custom.conf files where users can configure it to behave as desired.

Thank you for looking into this...

So to lock down the scope, without promising anything:

- If there would be an additional field inside blocklists, in which multiple IP addresses/networks can be input, and these would be exempt from the blocklist, that would make the Unbound implementation already fit a lot more use cases?

I imply, most people want to block everything, for example for kids/staff etc..., and exempt themselves from the same blocking.

Since it would be only one additional item in the menu, maybe that scope can be satisfied. (I didn't check yet, just implying here.)
Hardware:
DEC740
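
Added example (not code from any poster, from OPNsense or from Unbound): a small Python model of the exemption field proposed in the last post, where clients inside listed addresses/networks bypass a hosts-format blocklist and everyone else is filtered. The sample list, the exempt-field contents, the exact-name matching and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in hosts format (the format of the list linked in the thread).
SAMPLE_HOSTS = """\
# constructed sample, not real list content
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
"""
# Hypothetical content of the proposed "exempt" field.
SAMPLE_EXEMPT = "192.168.1.10, 10.0.50.0/24, fd00::/64"

SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}


def parse_hosts(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name and name not in SKIP:
                blocked.add(name)
    return blocked


def parse_exempt(field):
    """Parse comma-separated addresses/networks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in field.split(",") if p.strip()]


def decide(client_ip, qname, blocked, exempt_nets):
    """Return 'resolve' for exempt clients, else 'block' on an exact list match."""
    ip = ipaddress.ip_address(client_ip)
    # Membership is False across address families, so mixed v4/v6 lists are safe.
    if any(ip in net for net in exempt_nets):
        return "resolve"
    return "block" if qname.lower().rstrip(".") in blocked else "resolve"


if __name__ == "__main__":
    blocked, nets = parse_hosts(SAMPLE_HOSTS), parse_exempt(SAMPLE_EXEMPT)
    for client in ("192.168.1.20", "192.168.1.10", "fd00::5"):
        print(client, decide(client, "ads.example.com.", blocked, nets))
```

The exemption is checked before the list lookup, so an exempt client never triggers a block decision regardless of list size.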