Unbound recursive DNS resolver

Use Unbound as local DNS adblocker
Unbound recursive DNS resolver with adblocking functionality

To install unbound on Ubuntu run this:
apt update && apt install unbound

After it finishes installing, open the unbound config with nano /etc/unbound/unbound.conf and paste this:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a
# commented reference config file.
server:
# Use the root servers key for DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Respond to DNS requests on all interfaces
interface: 0.0.0.0
interface: ::0
# DNS request port, IP and protocol
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
# Authorized IPs to access the DNS Server (use your local subnet)
#access-control: 127.0.0.0/8 allow
#access-control: 192.168.1.0/24 allow
access-control: 192.168.0.1/24 allow
access-control: fe80::/10 allow
# Root servers information (To download here:
# ftp://ftp.internic.net/domain/named.cache)
root-hints: "/var/lib/unbound/root.hints"
# Hide DNS Server info
hide-identity: yes
hide-version: yes
# Improve the security of your DNS Server (Limit DNS Fraud and
# use DNSSEC)
harden-glue: yes
harden-dnssec-stripped: yes
# Randomise the letter case of outgoing query names (0x20 bits) to
# make spoofed answers harder to match
use-caps-for-id: yes
# TTL Min (Seconds)
cache-min-ttl: 3600
# TTL Max (Seconds)
cache-max-ttl: 86400
# Enable the prefetch
prefetch: yes
# Number of maximum threads to use
num-threads: 2
### Tweaks and optimizations
# Number of slabs to use (must be a power of 2; close to num-threads
# is a reasonable choice)
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Cache and buffer size (in mb)
rrset-cache-size: 51m
msg-cache-size: 25m
so-rcvbuf: 1m
# Private ranges that must never appear in answers from the public
# internet (protects clients against DNS rebinding)
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96
# If this many unwanted (unsolicited) replies are seen, flush the
# cache to limit the effect of a poisoning attempt
unwanted-reply-threshold: 10000
# "no" lets unbound send queries to 127.0.0.1/::1 (e.g. a local
# stub or forwarder); "yes" would refuse them
do-not-query-localhost: no
# Use the root.key file for DNSSEC (already set above)
#auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-clean-additional: yes
# Block popular advertising companies
include: /etc/unbound/ads.conf

Then populate the anchor for DNSSEC:

unbound-anchor -a /var/lib/unbound/root.key

and populate the root-hints:

wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints

After that, set up unbound-control by running unbound-control-setup (the script below needs it to dump and reload the cache).

Then set up the AdBlock script in /opt/dns (or whatever directory you want):

mkdir -p /opt/dns/backup
cd /opt/dns
touch script.sh && touch whitelist
nano script.sh
And paste this:

#!/bin/bash
# set dir containing script and "mkdir backup && touch whitelist" in it
DIR="/opt/dns"
# set dir for the unbound adblock config and add this to the unbound config: "include: /etc/unbound/ads.conf"
UNBOUND="/etc/unbound/ads.conf"
# hosts file to download (one "0.0.0.0 domain" entry per line)
HOSTS_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts"

# download the hosts file and turn every entry into an unbound local-zone line
# (the list's own "0.0.0.0 0.0.0.0" entry is skipped)
echo downloading and formatting...
curl --silent --fail "$HOSTS_URL" | grep '^0\.0\.0\.0' | sort \
    | awk '$2 != "0.0.0.0" {print "local-zone: \""$2"\" always_nxdomain"}' > "$DIR/list"

# abort if the download failed, otherwise an empty ads.conf would unblock everything
if [ ! -s "$DIR/list" ]; then
    echo "download failed, keeping the current $UNBOUND"
    exit 1
fi

# removing lines containing domains from whitelist
echo including whitelist...
grep -Fvf "$DIR/whitelist" "$DIR/list" > "$UNBOUND"

# dump dns-cache (needs unbound-control-setup to have been run)
echo dumping dns cache...
unbound-control dump_cache > "$DIR/cache"

# backup cache (use the full path so the script also works from another cwd)
echo backing up the dns cache...
cp "$DIR/cache" "$DIR/backup/cache$(date +%Y-%m-%d).bak"

# restart the server (start stop worked better for me than restart)
echo stopping unbound...
service unbound stop
echo starting unbound...
service unbound start

# load dns-cache after restart
echo loading dns cache...
unbound-control load_cache < "$DIR/cache"
echo done!

After that run bash /opt/dns/script.sh.
This downloads the host list and formats it so unbound can read it. Then the whitelist file is read and every domain it contains is removed from the formatted list. The result is written to /etc/unbound/ads.conf.
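The grep -Fvf step above treats each whitelist line as a substring, so whitelisting example.com also drops ads-example.com, and a blank line in the whitelist removes every entry. As an added example that is not part of the original post, this function does the same hosts-to-local-zone conversion with whole-name matching; the sample hosts and whitelist files are constructed:

```shell
#!/bin/sh
# Added example, not the post's script: hosts-format blocklist -> Unbound
# local-zone lines, with whole-name whitelisting (a whitelisted name also
# keeps its subdomains), blank/commented whitelist lines ignored,
# the "0.0.0.0 0.0.0.0" self-entry skipped and duplicates dropped.
# Usage: hosts_to_unbound HOSTSFILE WHITELISTFILE > /etc/unbound/ads.conf
hosts_to_unbound() {
    awk -v wl="$2" '
    BEGIN {
        # whitelist: one name per line, "#" comments allowed
        while ((getline line < wl) > 0) {
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") allow[tolower(line)] = 1
        }
    }
    /^0\.0\.0\.0[ \t]+[^ \t#]/ {
        d = tolower($2)
        if (d == "0.0.0.0" || d in seen) next
        # walk up the name (a.b.c, b.c, c): a whitelisted suffix keeps it
        s = d
        while (s != "") {
            if (s in allow) next
            i = index(s, ".")
            if (i == 0) break
            s = substr(s, i + 1)
        }
        seen[d] = 1
        printf "local-zone: \"%s\" always_nxdomain\n", d
    }' "$1"
}
# Constructed sample input so the function can be run stand-alone.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/hosts" <<'EOF'
# constructed excerpt in StevenBlack/hosts format
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org
0.0.0.0 ads.example.net
0.0.0.0 cdn.good.example
0.0.0.0 notgood.example
EOF
    printf '\n# keep this CDN\ngood.example\n' > "$tmp/whitelist"
    hosts_to_unbound "$tmp/hosts" "$tmp/whitelist"
    rm -rf "$tmp"
}
demo
```

Run it against the real list with hosts_to_unbound /opt/dns/hosts /opt/dns/whitelist > /etc/unbound/ads.conf and check the result with unbound-checkconf before restarting.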

Unbound caches answers to deliver them faster, but the cache is lost when unbound restarts. The script dumps the cache to the cache file and to a dated backup in backup/cache[date].bak.
Then unbound is restarted so it reads ads.conf and blocks the domains in it. After the restart the cache is loaded back from the cache file.

If you want to load a cache backup, run: cat /opt/dns/backup/[cache backup you want to load] | unbound-control load_cache

Now you just have to point your clients at your server's IP address (shown by ip addr) and you can enjoy adless browsing.