I have unbound, Diversion and Skynet installed. Should I enable unbound's dns firewall? If so, it seems to load the following blacklist. Can I/should I hook in Diversion/Skynet blacklist? If so how do I do that? I found "ad" in advanced tools which states "ad = Analyse Diversion White/Block lists [ file_name ] ["type=adblock"] ["action=merge"]". When I type "ad" it returns "Diversion () file '/opt/share/diversion/list/action=merge' NOT Found!".
unbound dns firewall loads:
https://urlhaus.abuse.ch/downloads/rpz/
If you can get something like these to work with your unbound RPZ, you would have a pretty responsive DNS firewall.
Code:
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.0.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.1.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.2.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.3.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.4.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.5.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.6.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.7.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.8.rpzv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.9.rpzv2
The problem is you will hit a brick wall once your router runs out of ram. RPZ format files demand a lot of memory. The larger and more intense the list, the more memory unbound requires.
Instead, when blocking with unbound, I recommend lists like these:
Code:
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.0.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.1.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.2.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.3.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.4.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.5.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.6.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.7.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.8.confv2
https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/refs/heads/master/GeneratedDomainsFull.9.confv2
The point is, there is no need to layer two levels of DNS blockers. This is way too much strain on the router. If you are using Diversion, by @thelonelycoder, alongside unbound, only block with Diversion, because if you block with Diversion, it will not forward the domain requests upstream to unbound. Hence the blocked request will always be handled at dnsmasq and never get sent to unbound. This is efficient and will save the router from the intensive memory requirements of unbound blocking. If you are going to block using unbound, skip using Diversion, because this is all extra strain on your router. Let it be noted I think it is more efficient to block with Diversion (dnsmasq) than it is with unbound, because dnsmasq is the first layer the DNS request goes to. Unbound is the next layer the request gets sent to.
You can use this list with diversion:
Code:
https://urlhaus.abuse.ch/downloads/hostfile/
Anything else you can't block at the Diversion level, you should use a browser extension for.
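The reply above contrasts RPZ zone files with plain conf-style lists for unbound, and points at the urlhaus hostfile as a list Diversion can consume. The script below is an added example (not from this thread, and not part of Diversion, Skynet, unbound or the unbound_manager "ad" tool) that takes a hosts-format blocklist, cleans it (comments, mixed case, duplicates, hosts-file boilerplate such as localhost, malformed lines) and emits the same domains in both shapes unbound understands: a list of `local-zone: "<name>." always_nxdomain` directives, and an RPZ zone where `<name> CNAME .` is the NXDOMAIN action. The sample list, the zone name `block.rpz` and the SOA values are constructed for the example.

```python
import re

# Constructed sample in the hosts-file format (not real urlhaus content).
SAMPLE_HOSTFILE = """\
# constructed hosts-style blocklist
127.0.0.1 localhost
0.0.0.0 malicious.example
0.0.0.0 Tracker.Example.NET   # inline comment, mixed case
0.0.0.0 malicious.example
127.0.0.1 bad-host.example.org
0.0.0.0 not a valid line
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names every hosts file carries that must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
# Addresses blocklists use as a sink; any other address is not a block entry.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}


def parse_hostfile(text):
    """Extract a sorted, de-duplicated list of lower-cased domains."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        parts = line.split()
        if len(parts) != 2 or parts[0] not in SINK_ADDRS:
            continue                              # not an 'addr name' sink entry
        name = parts[1].lower().rstrip(".")
        if name in LOCAL_NAMES or "." not in name:
            continue                              # hosts-file boilerplate / bare label
        if all(LABEL_RE.match(label) for label in name.split(".")):
            domains.add(name)
    return sorted(domains)


def to_local_zones(domains):
    """unbound local-zone directives; always_nxdomain answers NXDOMAIN."""
    return [f'local-zone: "{d}." always_nxdomain' for d in domains]


def to_rpz(domains, origin="block.rpz", serial=1):
    """RPZ zone text; 'name CNAME .' is the RPZ NXDOMAIN action and the
    '*.name' record extends it to every subdomain. Zone name and SOA
    values are constructed for this example."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    doms = parse_hostfile(SAMPLE_HOSTFILE)
    print("\n".join(to_local_zones(doms)))
    print()
    print(to_rpz(doms))
```

The local-zone output is pulled into unbound.conf with an `include:` line pointing at the file; the RPZ output needs an `rpz:` clause with `name:` and `zonefile:` (assumed path, e.g. `/opt/var/lib/unbound/block.rpz`). Generating both from the same parsed set makes it easy to compare the two files' size for a given list before deciding which form a memory-limited router can afford, which is the trade-off the reply describes.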