diff --git a/conf/unbound.conf b/conf/unbound.conf
index ae6d53bb..30880afe 100644
--- a/conf/unbound.conf
+++ b/conf/unbound.conf
@@ -18,6 +18,14 @@ server:
 access-control: 127.0.0.1/8 allow
 access-control: ::1/128 allow
+ # Private IP ranges, which shall never be returned or forwarded as public DNS response.
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+
 # Functionality
 do-ip4: yes
 do-ip6: yes
@@ -49,8 +57,12 @@ server:
 rrset-roundrobin: yes
 minimal-responses: yes
- identity: "Server" #
+ identity: "Server"
+
+ # Include possible white/blacklists
+ include: /etc/unbound/lists.d/*.conf
 remote-control:
 control-enable: yes
 control-port: 953
+
diff --git a/setup/system.sh b/setup/system.sh
index 04b3dc0a..be605475 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -323,6 +323,10 @@ apt_install unbound python3-unbound bind9-dnsutils
 # Configure unbound
 cp -f conf/unbound.conf /etc/unbound/unbound.conf.d/miabunbound.conf
+if [ -d /etc/unbound/lists.d ]; then
+ mkdir /etc/unbound/lists.d
+fi
+
 # Modify systemd settings
 rm -f /etc/resolv.conf
 tools/editconf.py /etc/systemd/resolved.conf \
diff --git a/tools/create_dns_blocklist.sh b/tools/create_dns_blocklist.sh
new file mode 100755
index 00000000..5b8bab86
--- /dev/null
+++ b/tools/create_dns_blocklist.sh
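Review bot: The new private-address entries strip every answer that carries an RFC 1918 or link-local address, so any name that users legitimately resolve to such an address (hosts behind NAT, internal services) will stop resolving unless its zone is also listed with `private-domain:`; the added comment should state that, e.g. `# Names that must resolve into these ranges need a matching private-domain: entry.` Loopback is not covered by the list, and 127.0.0.0/8 is a common target of the rebinding this setting defends against, so consider adding `private-address: 127.0.0.0/8`. The server: clause this hunk belongs to starts and ends outside the hunk.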
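Review bot: The `include:` is placed inside the `server:` clause, so every file matched by `/etc/unbound/lists.d/*.conf` is spliced into server context and may only contain server-clause directives, and anything dropped into that directory becomes resolver configuration; a comment making that constraint explicit would help, e.g. `# Parsed as part of the server: clause; only generated local-zone/local-data files belong here.` Whether Unbound tolerates the glob matching no file at startup is not visible from this diff and is worth confirming, since the directory is created empty by the setup. The surrounding server: clause starts outside the hunk.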
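Review bot: The condition on the added `if` is inverted: `[ -d /etc/unbound/lists.d ]` runs mkdir only when the directory already exists, where it fails, and a missing directory is never created, so the include added to conf/unbound.conf never has anything to match. Replace the three lines with `mkdir -p /etc/unbound/lists.d`, which is idempotent and does not depend on whether the script runs under set -e (not visible in this hunk). Unbound will also need a reload or restart once that directory is populated; nothing in this hunk does that.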
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+# Download select set of malware blocklists from The Firebog's "The Big Blocklist
+# Collection" [0] and block access to them with Unbound by returning NXDOMAIN.
+#
+# [0]: https://firebog.net
+(
+ # Malicious Lists
+ curl -sSf "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt" ;
+ curl -sSf "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" ;
+ curl -sSf "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt" ;
+ curl -sSf "https://v.firebog.net/hosts/Prigent-Crypto.txt" ;
+ curl -sSf "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt" ;
+ curl -sSf "https://phishing.army/download/phishing_army_blocklist_extended.txt" ;
+ curl -sSf "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" ;
+ curl -sSf "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" ;
+ curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" ;
+ curl -sSf "https://urlhaus.abuse.ch/downloads/hostfile/" ;
+# curl -sSf "https://v.firebog.net/hosts/Prigent-Malware.txt" ;
+# curl -sSf "https://v.firebog.net/hosts/Shalla-mal.txt" ;
+
+) |
+ cat | # Combine all lists into one
+ grep -v '#' | # Remove comments lines
+ grep -v '::' | # Remove universal ipv6 address
+ tr -d '\r' | # Normalize line endings by removing Windows carriage returns
+ sed -e 's/0\.0\.0\.0\s\{0,\}//g' | # Remove ip address from start of line
+ sed -e 's/127\.0\.0\.1\s\{0,\}//g' |
+ sed -e '/^$/d' | # Remove empty line
+ sort -u | # Sort and remove duplicates
+ awk '{print "local-zone: " ""$1"" " always_nxdomain"}' # Convert to Unbound configuration
+
\ No newline at end of file
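Review bot: Nothing between the downloads and the final awk checks that what ends up in `$1` is a hostname, so a malformed or tampered entry in any of these third-party lists (fetched over HTTPS but otherwise unauthenticated content) is written verbatim into an Unbound `local-zone:` line and can break or alter resolver configuration; insert `grep -Ei '^[a-z0-9][a-z0-9.-]*$' | # Keep only plausible hostnames` before `sort -u`. `grep -v '#'` also discards any entry that carries an inline comment instead of stripping the comment, and the two `0.0.0.0`/`127.0.0.1` substitutions are unanchored despite the comment saying "start of line"; `sed -e 's/#.*//'` and a leading `^` in both patterns would match the stated intent. Where the output is written and whether it passes unbound-checkconf before Unbound reads it is outside this file; with `set -euo pipefail`, a failing curl makes the pipeline exit non-zero after partial output has already been emitted, so the caller should write to a temporary file and install it only on success.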