Unbound unbound dns firewall

BeachGuy

Senior Member
I have unbound, Diversion and Skynet installed. Should I enable unbound's dns firewall? If so, it seems to load the following blacklist. Can I/should I hook in Diversion/Skynet blacklist? If so how do I do that? I found "ad" in advanced tools which states "ad = Analyse Diversion White/Block lists [ file_name ] ["type=adblock"] ["action=merge"]". When I type "ad" it returns "Diversion () file '/opt/share/diversion/list/action=merge' NOT Found!".

unbound dns firewall loads: https://urlhaus.abuse.ch/downloads/rpz/
 
FWIW, I would. It’s just another ‘layer’ of blocking, in addition to Skynet & Diversion.
 
If you can get something like these to work with your unbound RPZ, you would have a pretty responsive DNS firewall.

Code:
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.0.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.1.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.2.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.3.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.4.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.5.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.6.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.7.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.8.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.9.rpzv2

The problem is you will hit a brick wall once your router runs out of ram. RPZ format files demand a lot of memory. The larger and more intense the list, the more memory unbound requires.

Instead, when blocking with unbound, I recommend lists like these:

Code:
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.0.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.1.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.2.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.3.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.4.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.5.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.6.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.7.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.8.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.9.confv2

The point is, there is no need to layer two levels of DNS blockers. This is way too much strain on the router. If you are using Diversion, by @thelonelycoder, alongside unbound, only block with Diversion, because if you block with Diversion it will not forward the domain requests upstream to unbound. Hence the blocked request will always be handled at dnsmasq and never get sent to unbound. This is efficient and will save the router from the intensive memory requirements of unbound blocking. If you are going to block using unbound, skip using Diversion, because this is all extra strain on your router. Let it be noted I think it is more efficient to block with Diversion (dnsmasq) than it is with unbound, because dnsmasq is the first layer the DNS request goes to. Unbound is the next layer the request gets sent to.

You can use this list with diversion:

Code:
https://urlhaus.abuse.ch/downloads/hostfile/

Anything else you can't block at the Diversion level, you should use a browser extension for.
 
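As an added example (not code from this thread, from Diversion, or from unbound's own tooling), here is a small POSIX shell script that converts a hosts-format list such as the URLhaus hostfile mentioned above into the two unbound blocking formats this post contrasts: plain local-zone lines and an RPZ zone. It validates every name before emitting it, so a quote, whitespace or directive in a poisoned feed line cannot break out of the generated config. The sample input, the zone-apex names and the include path are constructed assumptions, not real feed data.

```shell
#!/bin/sh
# Added example (not from the thread, Diversion or unbound): turn a hosts-format
# blocklist into the two unbound formats the thread contrasts, validating each name.

# Constructed sample in the layout URLhaus's hostfile uses ("0.0.0.0 name", '#' comments).
# Not real feed data; the line containing a quote is there to exercise the validation.
SAMPLE_HOSTS='# constructed sample
0.0.0.0 Evil.Example.com
127.0.0.1 another.example.net   # trailing comment
0.0.0.0 evil.example.com
0.0.0.0 localhost
::1 localhost
0.0.0.0 bad"quote.example.org
0.0.0.0 ok-host.example.org'

# hosts_to_domains: stdin = hosts-format list, stdout = one validated, lower-cased,
# de-duplicated domain per line. Anything that is not a plain LDH hostname (letters,
# digits, hyphen, dots) is dropped, so a poisoned feed cannot smuggle quotes,
# whitespace or unbound directives into the generated config. Underscores are
# rejected too (a conservative choice made here, not a feed rule).
hosts_to_domains() {
  awk '
    {
      sub(/#.*/, "")                                   # strip comments
      if (NF < 2) next                                 # need "<addr> <name>"
      d = tolower($2)
      if (d == "localhost" || d == "localhost.localdomain" || d == "ip6-localhost") next
      if (d !~ /^[a-z0-9.-]+$/ || d ~ /\.\./ || index(d, ".") == 0 || length(d) > 253) next
      n = split(d, lab, ".")
      for (i = 1; i <= n; i++)                         # RFC 1035 label rules
        if (length(lab[i]) == 0 || length(lab[i]) > 63 || lab[i] ~ /^-/ || lab[i] ~ /-$/) next
      if (!seen[d]++) print d
    }'
}

# domains_to_local_zone: emit unbound local-zone lines (the ".conf"-style approach).
# Pull the result in with   include: "/opt/var/lib/unbound/blocklist.conf"
# in unbound.conf (the path is an assumption for this example).
domains_to_local_zone() {
  awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }'
}

# domains_to_rpz: emit a minimal RPZ zone. "name CNAME ." is the RPZ NXDOMAIN action.
# The SOA/NS apex records are required zone boilerplate; their names are placeholders.
# Load it with an   rpz:   block in unbound.conf giving   name:   and   zonefile:
domains_to_rpz() {
  awk '
    BEGIN {
      print "$TTL 300"
      print "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300"
      print "@ IN NS localhost."
    }
    { printf "%s CNAME .\n", $1 }'
}

# Convenience wrappers that push the constructed sample through each pipeline.
sample_local_zone() { printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_domains | domains_to_local_zone; }
sample_rpz()        { printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_domains | domains_to_rpz; }

# Print both outputs when run as:  sh convert.sh run
if [ "${1:-}" = "run" ]; then
  sample_local_zone
  echo
  sample_rpz
fi
```

Of the eight sample lines only three survive: the comment, the duplicate, both localhost entries and the name carrying a quote are all dropped. On a real feed, replace the SAMPLE_HOSTS variable with the downloaded file on stdin (for example curl -s URL | hosts_to_domains | domains_to_local_zone). Whichever output format you choose, unbound loads the result into memory, which is the cost this post warns about; a name that Diversion/dnsmasq answers first never reaches unbound regardless of format.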
Thank you Rainbow. I have the GT-AX6000; it has the following specs. I turned off the unbound firewall. I will add https://urlhaus.abuse.ch/downloads/hostfile/ to the Diversion blocking list.

Processor: 2.0 GHz quad-core
Memory: 256 MB Flash, 1 GB RAM
 