DNS level adblocking
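#!/bin/sh
# /etc/cron.daily/unbound-block
#
# Rebuild the DNS blocklist as the unprivileged unbound-block user and
# reload unbound only when the list actually changed.
#
# /usr/local/bin/unbound-block (the generator in this gist) exits with:
#   0 - list rewritten, unbound must be reloaded
#   2 - list unchanged, nothing to do
#   anything else - download/processing failed; the previous list stays live
rc=0
su -c /usr/local/bin/unbound-block - unbound-block || rc=$?

case "$rc" in
  0)
    # A failed reload leaves a stale list in service; say so on stderr so
    # cron mails it instead of failing silently as the old one-liner did.
    service unbound reload >/dev/null || {
      printf 'unbound-block: "service unbound reload" failed\n' >&2
      exit 1
    }
    ;;
  2)
    # no change since the last run
    ;;
  *)
    printf 'unbound-block: blocklist update failed (exit status %s)\n' "$rc" >&2
    exit 1
    ;;
esac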
server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Listen on loopback only and answer only loopback clients: this resolver
# is for the local machine, it is not meant to be reachable from the LAN.
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
# Generated by /usr/local/bin/unbound-block (daily cron job, runs as the
# unbound-block user). Every line in it is a "local-zone: <host> static"
# directive; the generator drops any name containing characters outside
# [a-zA-Z0-9._-], so the include cannot smuggle in other directives.
# unbound has to be reloaded after the file changes (the cron job does that).
include: /etc/unbound/unbound-block.conf
remote-control:
# control socket bound to loopback only
control-interface: 127.0.0.1
# Send yubico.org queries to 192.168.1.1 first; with forward-first unbound
# falls back to normal recursion if that forwarder does not answer.
# NOTE(review): the gist does not say why this zone is forwarded — confirm
# the forwarder is still wanted before reusing this config.
forward-zone:
name: "yubico.org"
forward-addr: 192.168.1.1
forward-first: yes
# Setup steps (Debian/Ubuntu), in this order.
sudo apt-get install unbound
# the list generator: paste the "set -e" script from this gist
sudo vi /usr/local/bin/unbound-block
sudo chmod +x /usr/local/bin/unbound-block
# the daily wrapper: runs the generator as unbound-block, reloads on change
sudo vi /etc/cron.daily/unbound-block
sudo chmod +x /etc/cron.daily/unbound-block
# the server/remote-control/forward-zone config from this gist; it
# includes /etc/unbound/unbound-block.conf, which is created below.
sudo vi /etc/unbound/unbound.conf
# Dedicated, passwordless system account with no home directory. A real
# shell is still needed because the cron job's "su -c" runs the generator
# through this account's login shell.
# NOTE(review): "su -" will try to chdir into /nonexistent; su may print a
# warning on stderr on every cron run — confirm on the target system.
sudo adduser --system --home /nonexistent --no-create-home --shell /bin/sh --group --disabled-password unbound-block
# The include file must exist before unbound (re)starts. Only the
# unprivileged generator owns (and may rewrite) it; 0644 lets unbound read
# it without being its owner. The account does not own /etc/unbound itself.
sudo touch /etc/unbound/unbound-block.conf
sudo chown unbound-block:unbound-block /etc/unbound/unbound-block.conf
sudo chmod 0644 /etc/unbound/unbound-block.conf
# pick up the new unbound.conf (the include is still empty at this point)
sudo service unbound restart
# first run: downloads the lists, writes the include and reloads unbound
sudo /etc/cron.daily/unbound-block
# point /etc/resolv.conf or your network manager to 127.0.0.1
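#!/bin/sh
# /usr/local/bin/unbound-block
#
# Build /etc/unbound/unbound-block.conf, a list of "local-zone: <host> static"
# directives, from the StevenBlack hosts lists. Intended to run as the
# unprivileged unbound-block user from the daily cron job, which reloads
# unbound when this script exits 0.
#
# Exit status:
#   0 - destination rewritten; the caller should reload unbound
#   2 - generated list is identical to the installed one; nothing to do
#   1 - download or processing failed; the installed list is left untouched
set -e

DST=/etc/unbound/unbound-block.conf

# scratch directory; named "work" rather than TMPDIR so the conventional
# TMPDIR environment variable seen by child tools is not clobbered.
work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# Report a fatal error on stderr (cron mails it) and exit 1. Routing every
# failure through here means a tool's own error status (sort and cmp use 2)
# can never be mistaken for "no update" by the caller.
die() {
  printf 'unbound-block: %s\n' "$*" >&2
  exit 1
}

# Download list $1 into "$work/$2". An empty body counts as a failure:
# a broken upstream must not silently turn into an empty blocklist.
fetch() {
  wget -q -O - -- "$1" >"$work/$2" || die "download failed: $1"
  [ -s "$work/$2" ] || die "empty download: $1"
}

fetch 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts' malware
fetch 'https://raw.githubusercontent.com/StevenBlack/hosts/master/extensions/gambling/hosts' gambling
fetch 'https://raw.githubusercontent.com/StevenBlack/hosts/master/extensions/porn/hosts' porn
fetch 'https://raw.githubusercontent.com/StevenBlack/hosts/master/extensions/social/hosts' social

# drop social but not twitter and linkedin.
#
# The list's own "# twitter" / "# linkedin" section headers are used as
# anchors instead of hardcoding hostnames, so the exclusion follows
# upstream changes.
sed -i -e "
# from the line similar to '# twitter' comment out every following
# line until an empty line (the end of that section) is found.
/^#.*twitter.*$/I,/^\s*$/ s/^/#/
/^#.*linkedin.*$/I,/^\s*$/ s/^/#/
" "$work/social" || die "could not edit social list"

# merge
cat "$work/malware" "$work/gambling" "$work/porn" "$work/social" >"$work/all" \
  || die "could not merge lists"

# create include file for unbound.
#
# for each hostname to block: echo "local-zone: $hostname static".
#
# this will instruct unbound to only reply with static data for such $hostname,
# and we don't declare any A/AAAA/NS/etc. for $hostname,
# forcing unbound to reply with NXDOMAIN.
sed -n -i -e "
# force all lists to use one convention
s/^127\.0\.0\.1/0.0.0.0/;
# keep blocked hostnames only; drop empty lines, comments, etc.
/^0\.0\.0\.0\s\s*/!d;
# drop ip addr from 'ip<tab>hostname # possible comment'
s/^0\.0\.0\.0\s\s*//;
# drop any end of line comment, then trailing whitespace
s/#.*$//;
s/\s*$//;
# a line that was only 'ip # comment' is empty now and would become an
# invalid 'local-zone:  static' directive; drop it.
/^$/d;
# the name is spliced into unbound's config: accept hostname characters
# only. A backslash inside a bracket expression is literal, not an escape,
# so the dot is written unescaped (escaping it would also admit backslashes).
/[^a-zA-Z0-9._-]/d;
# printf 'local-zone: %s static'
s/^/local-zone: /;
s/$/ static/;
# print
p
" "$work/all" || die "could not filter merged list"

# avoid duplicates which cause unbound to exit.
# LC_ALL=C keeps the order independent of the cron environment's locale.
LC_ALL=C sort -u "$work/all" >"$work/unique" || die "sort failed"

# never install an empty list: that would silently disable blocking.
[ -s "$work/unique" ] || die "generated list is empty, keeping $DST"

# exit with code 2 if there's no update to be made (a missing $DST makes
# cmp fail, which correctly falls through to the write below).
if cmp -s "$work/unique" "$DST"; then
  exit 2
fi

# The unbound-block user owns only $DST, not /etc/unbound, so an atomic
# rename is not available; overwrite in place. The reload happens after
# this script returns, so unbound never reads a half-written file.
cat "$work/unique" >"$DST" || die "could not write $DST"
exit 0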