Wong's Cafe
2023-07-29 (Updated 2023-07-31)
There is an Android app named AdAway, which automatically updates your system hosts file to redirect ad domains to localhost.
However, changing the hosts file on Linux can cause problems: when you autocomplete shell commands like ssh and nmap, the domains in the hosts file are pulled in, which causes a lot of lag because there are far too many of them. A good way to work around this is to add the blocklist to your DNS server instead.
Since I don't see much information around the web that covers this setup, I decided to write it up myself and explain the reasoning along the way.
Unbound is a fast, privacy-centric DNS server; you can learn more here.
Installing Unbound is easy; just follow your distro's instructions. For Fedora:
sudo dnf install unbound
It's recommended to also set up DNS over TLS, as it enhances your privacy and helps to circumvent the Internet censorship present in Russia, Iran and China.
Add the following to /etc/unbound/unbound.conf, or save it as /etc/unbound/conf.d/dns-over-tls.conf and include it from the main config file:
forward-zone:
    name: "."
    forward-tls-upstream: yes
    ## Google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    ## Cloudflare
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    ## Quad9 (slowest; serves only as a backup when the faster ones are temporarily down)
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
For extra security, you can also set up encrypted DNS and DNSSEC in Unbound; there are plenty of tutorials online. These features are not available in my area, so I will skip these steps.
Your default DNS server will be set to whatever the router advertises, which in some cases is a huge privacy leak, since the router will know what you are browsing online. This and Deep Packet Inspection are two common ways of censoring the Internet.
Save the following as /etc/NetworkManager/conf.d/unbound-dns.conf:
[global-dns-domain-*]
servers=::1,127.0.0.1
This sets your default DNS server to the one running on your local computer; together with the DoT or DoH setup, it stops the router from learning your browsing history via DNS.
hblock is the best alternative to AdAway I found on Linux: it is fast, available in basically any Linux distro, and has reputable ad-blocking sources. In the following section I will explain how to install and use it, and how to set up systemd timers to auto-update the blocklists.
Follow the instructions on the official repo, and if your distro is not listed there, use the generic method from the project page:
curl -o /tmp/hblock 'https://raw.githubusercontent.com/hectorm/hblock/v3.4.2/hblock' \
&& echo 'a7d748b69db9f94932333a5b5f0c986dd60a39fdf4fe675ad58364fea59c74b4 /tmp/hblock' | shasum -c \
&& sudo mv /tmp/hblock /usr/local/bin/hblock \
&& sudo chown 0:0 /usr/local/bin/hblock \
&& sudo chmod 755 /usr/local/bin/hblock
By the time you read this, the software will most likely have been updated, so be sure to check the official instructions here.
After installing, run the following command to test it:
hblock -O ./hosts_unbound.conf -H none -F none -T 'local-zone: "%D" always_nxdomain' -f
Since hblock prefers curl as its download utility, you can use a proxy by prepending env ALL_PROXY=[protocol://]<host>[:port] to the command.
The program will generate a file named hosts_unbound.conf in your current working directory.
First we need to create a systemd service that updates the blocklist file. Put the following into /etc/systemd/system/update-hblock.service:
[Unit]
Description=Updates dynamic dns
Wants=update-hblock.timer
[Service]
Type=oneshot
Environment=HBLOCK_HEADER=''
Environment=HBLOCK_FOOTER=''
Environment=HBLOCK_TEMPLATE='local-zone: %%D always_nxdomain'
# Environment=ALL_PROXY=socks5://localhost:1984
ExecStart=/bin/sh -c 'exec /usr/local/bin/hblock -O /etc/unbound/local.d/hosts_unbound.conf -f'
The double % is needed because systemd interprets a single % as a specifier.
Now you can run systemctl start update-hblock.service to see if it works as intended.
Then we need a timer to run it at a regular interval. Put the following into /etc/systemd/system/update-hblock.timer:
[Unit]
Description=Update hblock adblock every week
[Timer]
OnCalendar=Sun *-*-* 00:00:00
Persistent=true
Unit=update-hblock.service
[Install]
WantedBy=timers.target
Now everything is done. Run systemctl reload unbound and pick some entries to test. If you get NXDOMAIN, the adblock is working, like this:
❯ nslookup say.ac
Server: ::1
Address: ::1#53
** server can't find say.ac: NXDOMAIN
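As an added example (not part of hblock, Unbound, or this post's own setup), here is a hypothetical sanity check to run on the generated hosts_unbound.conf before reloading Unbound: it rejects a list that is missing, contains lines that are not well-formed local-zone entries (for instance an HTML error page saved in place of the list, a constructed scenario), is suspiciously short, or would block the DoT upstream hostnames from the forward-zone above. The file names and sample entries are constructed; it could be wired into the service as an ExecStartPost= step.

```shell
#!/bin/sh
# Hypothetical pre-reload sanity check for the hblock-generated Unbound blocklist.
# Not part of hblock or Unbound. Expected line format, from the template above:
#   local-zone: "ad.example" always_nxdomain      (the quotes are optional)

# Upstream DoT resolver hostnames from the forward-zone; they must never be blocked.
NEVER_BLOCK='dns.google cloudflare-dns.com dns.quad9.net'
# A real list has well over a thousand entries; far fewer means the download failed.
MIN_ENTRIES=${MIN_ENTRIES:-1000}

# check_blocklist FILE -> exit status 0 if the file is safe to load, 1 otherwise.
check_blocklist() {
    file=$1
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # Count non-blank, non-comment lines that are not well-formed local-zone entries
    # (an HTML error page saved in place of the list would show up here).
    n_bad=$(grep -Ev '^[[:space:]]*(#|$)' "$file" \
        | grep -Evc '^local-zone: "?[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*"? always_nxdomain$' || true)
    [ "$n_bad" -eq 0 ] || { echo "$n_bad malformed line(s) in $file" >&2; return 1; }
    n_total=$(grep -Ec '^local-zone: ' "$file" || true)
    [ "$n_total" -ge "$MIN_ENTRIES" ] || { echo "only $n_total entries in $file" >&2; return 1; }
    # Refuse a list that would make the DoT upstreams unresolvable
    # (the unescaped dots match any character, which only makes this stricter).
    for h in $NEVER_BLOCK; do
        if grep -Eq "^local-zone: \"?$h\"? always_nxdomain\$" "$file"; then
            echo "list would block upstream resolver $h" >&2; return 1
        fi
    done
    return 0
}

# Constructed samples (not real hblock output) so the check can be exercised offline.
tmp=$(mktemp -d)
GOOD=$tmp/good.conf; UPSTREAM=$tmp/upstream.conf; GARBAGE=$tmp/garbage.conf; SHORT=$tmp/short.conf
printf '%s\n' 'local-zone: "ads.example" always_nxdomain' \
    'local-zone: "tracker.example.net" always_nxdomain' \
    'local-zone: "telemetry.example.org" always_nxdomain' > "$GOOD"
{ head -n 2 "$GOOD"; echo 'local-zone: "dns.google" always_nxdomain'; } > "$UPSTREAM"
{ head -n 2 "$GOOD"; echo '<html>502 Bad Gateway</html>'; } > "$GARBAGE"
head -n 1 "$GOOD" > "$SHORT"
MIN_ENTRIES=3   # lowered for the tiny samples; keep the default for real lists
for f in "$GOOD" "$UPSTREAM" "$GARBAGE" "$SHORT"; do
    check_blocklist "$f" && echo "$(basename "$f"): OK" || echo "$(basename "$f"): rejected"
done
```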