Configure unbound and hblock to enhance privacy and block ads in Linux

2023-07-29 (Updated 2023-07-31)

There is an android app named Adaway, which automatically updates your system hosts file to redirect ads domain to localhost.

However, changing hosts file on linux can cause problems, because when you autocomplete shell commands like ssh and nmap, domains in hosts file will be pulled, which generates a lot of lag since there are way too many. One good way to work around this is to add blocklist in your dns server instead.

Since I don't see many info around the web that covers these setups, I decided to write it myself and explain the incentives along the way.

TLDR

Set up unbound and change default dns server in NetworkManager

Unbound is a fast and privacy-centric DNS server, you can learn more here.

Installing unbound is easy, just follow your distro's instructions. For redora:

sudo dnf install unbound

It's recommended to also set up Dns Over TLS as it enhances your privacy and helps to circumvent internet censership present in Russia, Iran and China.

Set up DoT(Dns over TLS)

Add the following to /etc/unbound/unbound.conf or save as /etc/unbound/conf.d/dns-over-tls.conf and source it in the main config file:

forward-zone:
        name: "."
        forward-tls-upstream: yes
        ## Google
        forward-addr: 8.8.8.8@853#dns.google
        forward-addr: 8.8.4.4@853#dns.google
        forward-addr: 2001:4860:4860::8888@853#dns.google
        forward-addr: 2001:4860:4860::8844@853#dns.google

        ## Cloudflare
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

        ## Quad9  ( Slowest, only serve as backup when the faster are temporarily down. )
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net

For extra security, you can also set up Encrypted DNS and DNSSEC in unbound, there are a lot of tutorials online, and these features is not available in my area, so I will skip these steps.

Change Default DNS server

Your default DNS server will be set to whatever the router promtes, which in some cases will be a huge privacy leak, since the router will know what you are browsing online. This along with Deep Packet Inspection is two common ways of censoring Internet.

Save the following as /etc/NetworkManager/conf.d/unbound-dns.conf:

[global-dns-domain-*]
servers=::1,127.0.0.1

This sets your default DNS server to the one running on your local computer, along with DoT or DoH setup, it will stop the router from knowing your browsing history with the DNS method.

Hblock and integrating it with unbound

Hblock is the best alternative I found to Adaway in linux, it is fast, available in basically any Linux Distros, and has reputable Adblocking sources. In the following section I will explain how to install, use and setup systemd timers to auto-update the blocklists.

Installation and usage

Follow the instructions on the official repo, and if your distro is not there, use the generic methos on the project page:

curl -o /tmp/hblock 'https://raw.githubusercontent.com/hectorm/hblock/v3.4.2/hblock' \
  && echo 'a7d748b69db9f94932333a5b5f0c986dd60a39fdf4fe675ad58364fea59c74b4  /tmp/hblock' | shasum -c \
  && sudo mv /tmp/hblock /usr/local/bin/hblock \
  && sudo chown 0:0 /usr/local/bin/hblock \
  && sudo chmod 755 /usr/local/bin/hblock

By the time you read this, the software is most likely to be updated, so be sure to check out the official instructions here

After installing, run the following command to test it:

hblock -O ./hosts_unbound.conf -H none -F none -T 'local-zone: "%D" always_nxdomain' -f

Since hblock prioritizes curl as downloading utility, you can use proxies by prepending env ALL_PROXY=[protocol://]<host>[:port] in the beginning.

The program will generate a file named hosts_unbound.conf at your current working directory.

Set up Systemd Timer to auto run it

First we need to create a Systemd Service that updates the hosts file

Put the following into /etc/systemd/system/update-hblock.service:

[Unit]
Description=Updates dynamic dns
Wants=update-hblock.timer

[Service]
Type=oneshot
Environment=HBLOCK_HEADER=''
Environment=HBLOCK_FOOTER=''
Environment=HBLOCK_TEMPLATE='local-zone: %%D always_nxdomain'
# Environment=ALL_PROXY=socks5://localhost:1984
ExecStart=/bin/sh -c 'exec /usr/local/bin/hblock -O /etc/unbound/local.d/hosts_unbound.conf -f'

The double % is used because systemd will interpret single % as other stuff.

Now, you can try running systemctl start update-hblock.service to see if it works as intended

Then, we need to use a timer to run it at a specific interval, add it to /etc/systemd/system/update-hblock.timer

[Unit]
Description=Update hblock adblock every week

[Timer]
OnCalendar=Sun *-*-* 00:00:00
Persistent=true
Unit=update-hblock.service

[Install]
WantedBy=timers.target

Now, everything is done, run systemctl reload unbound and pick some entries to test. If you get nxdomain, the adblock is working, like this:

❯ nslookup say.ac
Server:  ::1
Address: ::1#53

** server can't find say.ac: NXDOMAIN