Blocky DNS (Alternate to AdGuard Home) available as plugin

[Patrick M. Hausen]

I use firewall port forwarding rules to forward only the requests of clients I want to be protected/filtered to AGH while the rest goes to Unbound without any filtering.

I have yet to find a use case where I would need different policies in AGH for different clients.

[gspannu]

So to lock down the scope, without promising anything:

- If there would be an additional field inside blocklists, in which multiple ip addressed/networks can be input, and these would be excempt from the blocklist, that would make the Unbound implementation already fit a lot more usecases?

I imply, most people want to block everything, for example for kids/staff etc..., and excempt themselves from the same blocking.

Since it would be only one additional item in the menu, maybe that scope can be satisfied. (I didnt check yet, just implying here.)

I believe that will be an excellent addition to Unbound, adding the ability to exclude certain IP addresses, network ranges, etc from default blocking.

If you are going to look at the inbound code, is there any possibility of adding Regex to the blocking liss? I know I am being greedy !

[Monviech]

I dont know, I gonna talk with others whats possible and if its a good idea to add more options to Blocklists.

[gspannu]

I dont know, I gonna talk with others whats possible and if its a good idea to add more options to Blocklists.

Thanks.

I think the exclusion of configurable IP addresses/ networks for blocklists will provide the best bang for the buck...

[Monviech]

I just found out its a feature of the OPNsense Business Edition. So its already available in that version:

https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

[gspannu]

I just found out its a feature of the OPNsense Business Edition. So its already available in that version:

https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

Any chance to make this feature available on the community edition... or some patch at the moment to at least try out the feature.

I am a home user...

[gspannu]

I just found out its a feature of the OPNsense Business Edition. So its already available in that version:

https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html

@Franco/ @Monviech

Unbound extended blocklists (or more specifically the ability to exclude certain IP addresses/ranges from default adblocking) - can this feature be made available in the community edition please?
Or some mechanism/ hack to try it out in the community version?

Many thanks…

[Patrick M. Hausen]

You can do that with AGuard Home already.

[cookiemonster]

and, from all the posts over time with people encountering problems with lists in Unbound, makes more sense to me to leave this on the add-ons that already do it like AdGH.

[gspannu]

and, from all the posts over time with people encountering problems with lists in Unbound, makes more sense to me to leave this on the add-ons that already do it like AdGH.

You can do that with AGuard Home already.

Thank you for the suggestions. I am already using AGH and also Blocky (this conversation started with a plugin for the same).

The whole idea is to have this feature in Unbound, and since it appears that this is already available in OPNsense Business Edition, my request is to also make it accessible in the Community Edition as well - I am guessing it should be relatively easy (barring any commercial implications)

There will be all types of users, some will use AGH, some will use Blocky, some will stick with plain old simple dnsmasq and some will use core Unbound (if it gains this additional functionality)…. essentially providing more choice.

[cookiemonster]

fair enough

[Monviech]

Let's focus on Blocky again.

I can't really help much there, but I have looked at it.

You need proper templating with jinja2 to build the YAML file for it from the configuration items in the GUi.

Also you would have to build a better menu with the volt templates and controller form dialogues. You probably need to use Bootgrids for it, since you want multiple items per subnet/tag/etc.... Just look at the work I have done for Caddy (best the version in plugins/master since I refactored a lot), or a different plugin, and try to replicate that.

You would need to spend some more time to ensure everything you use yourself can be only configured from the GUI. I personally would focus on the most essential options first and the nice to haves later. Think about the core use of the plugin and why you need it, and build that GUI.

Afterwards you can open a PR in the OPNsense Plugins if you want, then we can look at it.

[cgone]

You can do that with AGuard Home already.

I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.

That's why I prefer using extended blocklists as my solution.

[gspannu]

I'm more drawn to a lightweight solution that doesn't require installing the large AdGuard binary on my firewall.
I'm debating whether to install AdGuard Home on the firewall device, but Blocky is also a (big) binary.

That's why I prefer using extended blocklists as my solution.

So do you mean blocklists in Unbound?

How do you configure certain specific clients to bypass adblocking but still use Unbound?

[Patrick M. Hausen]

If one does not mind to install AdGuard Home ...

I have Unbound listening on *:53
I have AGH listening on 127.0.0.1:53530
I have AGH configured to use 127.0.0.1:53 as upstream

In each network where I want client systems to query AGH instead of Unbound I have a NAT Port Forwarding rule saying: destination TCP/UDP:53, "this firewall", forward to 127.0.0.1:53530

Works like a charm.