add possibility for unbound blocklist
This commit is contained in:
parent
600c07fb47
commit
a4b6b15c14
|
@ -18,6 +18,14 @@ server:
|
||||||
access-control: 127.0.0.1/8 allow
|
access-control: 127.0.0.1/8 allow
|
||||||
access-control: ::1/128 allow
|
access-control: ::1/128 allow
|
||||||
|
|
||||||
|
# Private IP ranges, which shall never be returned or forwarded as public DNS response.
|
||||||
|
private-address: 10.0.0.0/8
|
||||||
|
private-address: 172.16.0.0/12
|
||||||
|
private-address: 192.168.0.0/16
|
||||||
|
private-address: 169.254.0.0/16
|
||||||
|
private-address: fd00::/8
|
||||||
|
private-address: fe80::/10
|
||||||
|
|
||||||
# Functionality
|
# Functionality
|
||||||
do-ip4: yes
|
do-ip4: yes
|
||||||
do-ip6: yes
|
do-ip6: yes
|
||||||
|
@ -49,8 +57,12 @@ server:
|
||||||
|
|
||||||
rrset-roundrobin: yes
|
rrset-roundrobin: yes
|
||||||
minimal-responses: yes
|
minimal-responses: yes
|
||||||
identity: "Server" #
|
identity: "Server"
|
||||||
|
|
||||||
|
# Include possible white/blacklists
|
||||||
|
include: /etc/unbound/lists.d/*.conf
|
||||||
|
|
||||||
remote-control:
|
remote-control:
|
||||||
control-enable: yes
|
control-enable: yes
|
||||||
control-port: 953
|
control-port: 953
|
||||||
|
|
||||||
|
|
|
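Review bot: The `private-address` block added in the first hunk does not cover `::ffff:0:0/96`, so an upstream answer that carries one of the listed IPv4 ranges in IPv4-mapped IPv6 form bypasses the rebinding protection the block is meant to provide; Unbound's shipped example configuration lists that prefix in the same group as `fd00::/8` and `fe80::/10`, so I would add `private-address: ::ffff:0:0/96` after the `fe80::/10` line. Any name that must legitimately resolve to one of these ranges through this resolver now needs a `private-domain:` entry, which the comment should say, e.g. `# Names that legitimately resolve into these ranges need a matching private-domain: entry.` In the second hunk, `include: /etc/unbound/lists.d/*.conf` loads every matching file in that directory as `server:` configuration, so whatever creates the directory has to keep it writable by root only; that is a property of the setup step rather than of this file, but worth noting next to the include. Both hunks are inside the `server:` block, which begins outside them.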
@ -323,6 +323,10 @@ apt_install unbound python3-unbound bind9-dnsutils
|
||||||
# Configure unbound
|
# Configure unbound
|
||||||
cp -f conf/unbound.conf /etc/unbound/unbound.conf.d/miabunbound.conf
|
cp -f conf/unbound.conf /etc/unbound/unbound.conf.d/miabunbound.conf
|
||||||
|
|
||||||
|
if [ -d /etc/unbound/lists.d ]; then
|
||||||
|
mkdir /etc/unbound/lists.d
|
||||||
|
fi
|
||||||
|
|
||||||
# Modify systemd settings
|
# Modify systemd settings
|
||||||
rm -f /etc/resolv.conf
|
rm -f /etc/resolv.conf
|
||||||
tools/editconf.py /etc/systemd/resolved.conf \
|
tools/editconf.py /etc/systemd/resolved.conf \
|
||||||
|
|
|
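Review bot: The test on the added `if [ -d /etc/unbound/lists.d ]; then` is inverted: the `mkdir` inside it runs only when the directory already exists (where plain `mkdir` fails on an existing path), and when the directory is missing nothing creates it, so the `include: /etc/unbound/lists.d/*.conf` glob added to unbound.conf in the same commit has no directory to read from. The three lines can be replaced by `mkdir -p /etc/unbound/lists.d`. Because everything matching that glob is loaded as resolver configuration, it is also worth fixing the directory's ownership and mode right here (root-owned, writable only by root) rather than relying on the umask of whoever runs setup. The surrounding script continues outside the hunk, so I cannot see whether it runs under `set -e`; if it does, the failing `mkdir` would abort setup whenever the directory happens to exist.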
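--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+# Download select set of malware blocklists from The Firebog's "The Big Blocklist
+# Collection" [0] and block access to them with Unbound by returning NXDOMAIN.
+#
+# [0]: https://firebog.net
+(
+# Malicious Lists
+curl -sSf "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt" ;
+curl -sSf "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" ;
+curl -sSf "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt" ;
+curl -sSf "https://v.firebog.net/hosts/Prigent-Crypto.txt" ;
+curl -sSf "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt" ;
+curl -sSf "https://phishing.army/download/phishing_army_blocklist_extended.txt" ;
+curl -sSf "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" ;
+curl -sSf "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" ;
+curl -sSf "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" ;
+curl -sSf "https://urlhaus.abuse.ch/downloads/hostfile/" ;
+# curl -sSf "https://v.firebog.net/hosts/Prigent-Malware.txt" ;
+# curl -sSf "https://v.firebog.net/hosts/Shalla-mal.txt" ;
+
+) |
+cat | # Combine all lists into one
+grep -v '#' | # Remove comments lines
+grep -v '::' | # Remove universal ipv6 address
+tr -d '\r' | # Normalize line endings by removing Windows carriage returns
+sed -e 's/0\.0\.0\.0\s\{0,\}//g' | # Remove ip address from start of line
+sed -e 's/127\.0\.0\.1\s\{0,\}//g' |
+sed -e '/^$/d' | # Remove empty line
+sort -u | # Sort and remove duplicates
+awk '{print "local-zone: " ""$1"" " always_nxdomain"}' # Convert to Unbound configuration
+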
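Review bot: Nothing between the `sed` stages and the final `awk` checks that what survives is a hostname, so any unexpected token in one of the ten fetched lists is emitted verbatim as a `local-zone: ... always_nxdomain` line: hosts-format sources conventionally open with entries such as `127.0.0.1 localhost` and `255.255.255.255 broadcasthost`, which the pipeline turns into `local-zone: localhost always_nxdomain` (likely to clash with Unbound's built-in `localhost` zone) and `local-zone: 255.255.255.255 always_nxdomain`, and a token containing quotes or other config syntax would leave the generated file unloadable by the resolver. Before `sort -u` I would add `grep -E '^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$' | # Keep only dotted hostnames; anything else would become a malformed or unintended local-zone line` and then drop `localhost.localdomain` explicitly with `grep -vx 'localhost.localdomain' |`. Two smaller points on the same pipeline: `grep -v '#'` discards a whole entry when it carries a trailing comment, where `sed -e 's/#.*//'` would keep the entry, and the `cat |` stage is a no-op that can be removed, with the last stage simplified to `awk '{print "local-zone: " $1 " always_nxdomain"}'`. Because `sort -u` still emits whatever it has received after an earlier `curl` has already failed the subshell, the caller (not shown here) must check the pipeline's exit status before installing the output rather than assume a complete file was produced.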