Unbound Impressive Unbound native RPZ files collection for adblocking and more

  • Thread starter Deleted member 62525

More for advanced users that use Unbound and want to use RPZ files: this is a good source. In my current config I have the following unbound.conf.rpz:

Code:
rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.trend.micro.local.zone
    zonefile: /opt/var/lib/zones/rpz.trend.micro.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.stevenblack.zone
    #url: https://scripttiger.github.io/alts/rpz/blacklist.txt
    zonefile: /opt/var/lib/zones/rpz.stevenblack.zone
    rpz-action-override: nxdomain

rpz:
    name: rpz.urlhause.abuse.ch.zone
    #https://urlhaus.abuse.ch/downloads/rpz/
    zonefile: /opt/var/lib/zones/rpz.urlhause.zone
    rpz-action-override: nxdomain

I use a simple utility to convert any hosts file (e.g. StevenBlack) to RPZ format. The advantage of this RPZ approach is that when refreshing individual zones Unbound does not need to be restarted, and, as you can see from the example above, each zone can have a different override specified. It is a more flexible solution for managing multiple separate zones. A whitelist zone can be added with your own file with the override set to passthru, and each zone can be enabled/disabled from the command line via the Unbound API.

In this example I have my own zone called rpz.block.host.local.zone where I manually list domains that I want to block. The last two zones I reload every 15 minutes from cru.
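The hosts-to-RPZ conversion the post mentions, as an added example: this is not the poster's utility, and the hosts text embedded in it is constructed. It assumes the StevenBlack-style `0.0.0.0 name` layout, drops the loopback names every hosts file carries (which must never become triggers), validates hostname syntax, and writes a `$TTL`/SOA/NS header followed by one CNAME policy record per name. The action is a parameter, so the same tool produces a `rpz-passthru.` whitelist zone from an allow list.

```python
"""Convert a hosts-format blocklist into an Unbound RPZ zone file.

Added example, not the utility from the post. Zone name, serial and TTL are
parameters; SAMPLE_HOSTS is constructed input, not an excerpt of a real list.
"""
import re
import time
from typing import List, Optional

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names present in nearly every hosts file that must not become RPZ triggers.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
        "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}

# RPZ CNAME targets for the three actions used in this thread.
TARGETS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}

SAMPLE_HOSTS = """\
# Title: constructed sample hosts file
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 ADS.Example.net   # same name, different case
0.0.0.0 tracker.example.org metrics.example.org
0.0.0.0 bad_host.example.com
"""


def valid_name(name: str) -> bool:
    """Strict hostname syntax; a malformed entry would make Unbound reject the zone."""
    if len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hosts_to_names(text: str) -> List[str]:
    """Unique, lower-cased hostnames mapped to a loopback/unspecified address."""
    seen = set()
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            continue                               # only block-style mappings count
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen or not valid_name(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def rpz_zone(names: List[str], zone: str, action: str = "nxdomain",
             serial: Optional[int] = None, ttl: int = 3600) -> str:
    """Render an RPZ zone: header plus one 'name CNAME target' record per name."""
    target = TARGETS[action]
    if serial is None:
        serial = int(time.time())                  # fits the 32-bit SOA serial
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. root.localhost. ({serial} 6h 1h 1w 2h)",
        "  IN NS localhost.",
        f"; RPZ zone {zone}: {len(names)} triggers, action {action}",
    ]
    lines += [f"{name} CNAME {target}" for name in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(hosts_to_names(SAMPLE_HOSTS), "rpz.block.host.local.zone"))
```

Writing the output to the path named in the matching `rpz:` clause and then running `unbound-control auth_zone_reload <zone>` picks the new list up without a restart; the per-zone `rpz-action-override` in unbound.conf still wins over whatever target the records carry.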
 
Nice, thanks for sharing. RPZ support has really grown, as when I researched it last year there was very little. This is a better way to block ads as well than the built-in script, but only just slightly, as the current adblocking scripts do unload and reload rules without restarting Unbound.
 
The major advantage is that it is a "standard" way to manage domain access and policies. There are still not many providers of native RPZ files; that said, it is very simple to convert hosts files with 0.0.0.0 to the standard RPZ format, which is what I have done. I like the fact that I am able to have multiple files and not a combined list; this way I can specify how Unbound responds to each list by including the override directive, and I can disable a specific zone if I need to.

Also, many sites include a "Last-Modified" field in the HTTP header, and using that one can determine whether the file needs to be downloaded at all. This is especially good for very large files.
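The Last-Modified check described above, as an added example rather than the poster's own refresh script: a conditional GET whose `If-Modified-Since` is derived from the local file's mtime (which is set from the server's `Last-Modified` on every update), a sanity check that the body is actually a zone, an atomic replace so Unbound never reads a half-written file, and `unbound-control auth_zone_reload` for just that zone. The URL, zone name and path are placeholders; `demo()` runs the logic offline against a constructed fake server and a recording reload.

```python
"""Fetch a remote RPZ zone file only if it changed, then reload it in Unbound.

Added example, not the poster's script. URL, zone name and file path are
placeholders; demo() uses constructed data and never touches the network.
"""
import email.utils
import os
import subprocess
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple


def http_fetch(url: str, since: Optional[str]) -> Tuple[int, bytes, Optional[str]]:
    """Conditional GET: returns (status, body, Last-Modified header value)."""
    req = urllib.request.Request(url, headers={"User-Agent": "rpz-refresh/1.0"})
    if since:
        req.add_header("If-Modified-Since", since)
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read(), resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:                 # not modified: nothing to download
            return 304, b"", None
        raise


def looks_like_zone(body: bytes) -> bool:
    """Refuse to hand Unbound an HTML error page or an empty file: require an SOA."""
    return b" SOA " in body[:4096]


def unbound_reload(zone: str) -> None:
    subprocess.run(["unbound-control", "auth_zone_reload", zone], check=True)


def refresh_zone(url: str, path: str, zone: str,
                 fetch: Callable = http_fetch, reload: Callable = unbound_reload) -> str:
    """Returns "unchanged" on 304, "updated" after an atomic replace plus reload."""
    since = None
    if os.path.exists(path):
        since = email.utils.formatdate(os.path.getmtime(path), usegmt=True)
    status, body, last_mod = fetch(url, since)
    if status == 304:
        return "unchanged"
    if status != 200:
        raise RuntimeError(f"{url}: HTTP {status}")
    if not looks_like_zone(body):
        raise RuntimeError(f"{url}: body is not an RPZ zone, keeping the old file")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".rpz-tmp-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    if last_mod:
        ts = email.utils.parsedate_to_datetime(last_mod).timestamp()
        os.utime(tmp, (ts, ts))             # remember the server's timestamp
    os.replace(tmp, path)                   # atomic rename over the old zone
    reload(zone)
    return "updated"


def demo():
    """Offline walk-through: first fetch, unchanged fetch, changed fetch."""
    v1 = (b"$TTL 2h\n@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)\n"
          b"  IN NS localhost.\nads.example.net CNAME .\n")
    v2 = v1.replace(b"(1 ", b"(2 ") + b"more.example.net CNAME .\n"
    server = {"body": v1, "last_mod": "Sat, 27 Mar 2021 00:00:00 GMT"}

    def fake_fetch(url, since):             # answers 304 when our copy is current
        if since == server["last_mod"]:
            return 304, b"", None
        return 200, server["body"], server["last_mod"]

    reloads = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rpz.test.zone")
        args = ("https://example.invalid/rpz.txt", path, "rpz.test.zone",
                fake_fetch, reloads.append)
        results = [refresh_zone(*args), refresh_zone(*args)]
        server["body"], server["last_mod"] = v2, "Sun, 28 Mar 2021 00:00:00 GMT"
        results.append(refresh_zone(*args))
        with open(path, "rb") as fh:
            final = fh.read()
    return results, reloads, final == v2


if __name__ == "__main__":
    print(demo())
```

Run from cru/cron every 15 minutes, an unchanged list costs one request and no reload; only a real change rewrites the file and reloads that single zone. A zone that should be taken out of service temporarily can be disabled with `unbound-control rpz_disable <zone>` and re-enabled with `rpz_enable`, without editing unbound.conf.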
 
Hi,

Thank you for this thread. I have tried to build a local whitelist, but I am not able to use those sites, because the domains loaded from my own list still seem to be treated as NXDOMAIN.

The file is loading, is active, I have no error.

This is how we tested:
Code:
#unbound.conf.firewall
rpz:  #RPZ
    name: rpz.permit.zone
    zonefile: /opt/var/lib/unbound/rpz.permit.zone
    rpz-log: yes
    rpz-log-name: "rpz.permit.zone"
    rpz-action-override: passthru
Code:
#sample rpz.permit.zone
scdn.cxense.com CNAME rpz-passthru.
entitlements.jwplayer.com CNAME rpz-passthru.

I checked if is loaded:
Code:
unbound-control list_auth_zones
.    serial 2021032700
rpz.urlhaus.abuse.ch.    serial 2104202121
rpz.blu.energized.pro.    serial 1
rpz.permit.zone.    no serial

But the mentioned domains are still answered NXDOMAIN because of another list.
Please, what should I try? Is there a specific order in which RPZ files are loaded?

Much appreciated,
amplatfus
 
 
It works for me without issue.

My config example
Code:
rpz:
    name: rpz.whitelist.local.zone
    zonefile: /opt/var/lib/zones/rpz.whitelist.zone

rpz:
    name: rpz.block.host.local.zone
    zonefile: /opt/var/lib/zones/rpz.block.hosts.zone
    rpz-action-override: nxdomain

I first blocked asus.com in rpz.block.host.local.zone, e.g.:
Code:
$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ manual block hosts
asus.com CNAME .

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7381
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

Then, whitelist zone file
Code:
$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
; RPZ created from url -> https://orca.pet/notonmyshift/hosts.txt
;
asus.com CNAME  rpz-passthru.

dig asus.com

; <<>> DiG 9.10.6 <<>> asus.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12009
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;asus.com. IN A

;; ANSWER SECTION:
asus.com. 14400 IN A 103.10.4.216
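To reason about the loading-order question above and why the working config lists the whitelist zone before the block zone: an added model of Unbound's QNAME-trigger lookup, not Unbound's code. It models Unbound's behaviour of trying the configured `rpz:` zones in order and applying the first zone whose trigger matches, with `rpz-action-override` replacing whatever action that zone's record carries; inside a zone an exact owner match is preferred over an enclosing `*.parent` wildcard. The zone texts are constructed and the model covers only the `.`, `*.` and `rpz-passthru.` targets.

```python
"""Model of Unbound's RPZ QNAME-trigger lookup across several configured zones.

Added example, not Unbound's code. Simplified to QNAME triggers, the targets
".", "*." and "rpz-passthru.", and a per-zone rpz-action-override.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = {".": "nxdomain", "*.": "nodata", "rpz-passthru.": "passthru"}


@dataclass
class RpzZone:
    name: str
    override: Optional[str] = None                          # rpz-action-override
    triggers: Dict[str, str] = field(default_factory=dict)  # owner -> action


def parse_zone(name: str, text: str, override: Optional[str] = None) -> RpzZone:
    """Collect CNAME policy records; $TTL, SOA and NS lines are not triggers."""
    zone = RpzZone(name, override)
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        upper = [p.upper() for p in parts]
        if "CNAME" in upper:
            target = parts[upper.index("CNAME") + 1]
            zone.triggers[parts[0].lower().rstrip(".")] = ACTIONS.get(target, target)
    return zone


def match_in_zone(zone: RpzZone, qname: str) -> Optional[Tuple[str, str]]:
    """Exact owner first, then the closest enclosing wildcard (*.parent matches children only)."""
    q = qname.lower().rstrip(".")
    if q in zone.triggers:
        return q, zone.triggers[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone.triggers:
            return wildcard, zone.triggers[wildcard]
    return None


def rpz_decide(zones: List[RpzZone], qname: str) -> Tuple[Optional[str], Optional[str], str]:
    """Zones are tried in configured order; the first with a matching trigger decides."""
    for zone in zones:
        hit = match_in_zone(zone, qname)
        if hit:
            trigger, action = hit
            return zone.name, trigger, zone.override or action
    return None, None, "resolve"            # no policy matched: normal resolution


# Constructed zone texts in the same shape as the files shown in this thread.
WHITELIST = """$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS localhost.
asus.com CNAME rpz-passthru.
"""
BLOCKLIST = """$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS localhost.
asus.com CNAME .
*.tracker.example.net CNAME .
cdn.example.org CNAME *.
"""


def demo() -> Dict[str, str]:
    whitelist = parse_zone("rpz.whitelist.local.zone", WHITELIST)
    blocklist = parse_zone("rpz.block.host.local.zone", BLOCKLIST, override="nxdomain")
    return {
        "whitelist_first": rpz_decide([whitelist, blocklist], "asus.com")[2],
        "blocklist_first": rpz_decide([blocklist, whitelist], "asus.com")[2],
        "wildcard_child": rpz_decide([whitelist, blocklist], "a.b.tracker.example.net")[2],
        "wildcard_apex": rpz_decide([whitelist, blocklist], "tracker.example.net")[2],
        "override_beats_record": rpz_decide([whitelist, blocklist], "cdn.example.org")[2],
        "unlisted": rpz_decide([whitelist, blocklist], "snbforums.com")[2],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:24s} {action}")
```

The same two zones give `passthru` for asus.com when the whitelist clause comes first in unbound.conf and `nxdomain` when the block clause comes first, so the passthru zone has to be configured ahead of every block zone. The model also shows that a zone-wide `rpz-action-override: nxdomain` turns a `*.` (NODATA) record in that zone into NXDOMAIN, and that `*.tracker.example.net` does not cover `tracker.example.net` itself.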
 
Hi,
I get an error when I configure rpz in Unbound:
/etc/unbound/unbound.conf:36: error: unknown keyword 'rpz'
/etc/unbound/unbound.conf:36: error: stray ':'
/etc/unbound/unbound.conf:37: error: syntax error

Please help me.
Thanks
 
I thought I would post this and share it. Energized Protection has an impressive collection of files in many formats (including native Unbound RPZ files) used to block malware, ads and more. Check it out. They use many sources and create combined lists in many categories.

Link -> https://github.com/EnergizedProtection/block#sources
Thank you for this!

Appending https://block.energized.pro/porn/formats/hosts to /opt/share/unbound/configs/blocksites does a wonderful job at blocking pr0n.

Now if there was an easy way to block all of Reddit’s NSFW subs…
 
