Techne

A practical knowledge base



Network-wide bullshit-blocking setup with Blocky and Tailscale

I will use an Orange Pi 5 Plus, but any device, including single board computers, should work, as long as they can run the latest stable Debian or Armbian release.

Orange Pi 5 Plus

  • Unbound for recursive DNS resolver on 127.0.0.1:5335
  • Blocky for DNS proxy, ad-blocking, and malware-blocking on 0.0.0.0:53. Uses Unbound on 127.0.0.1:5335 as upstream resolver.
  • Tailscale with --accept-dns=false (so the node keeps its own resolver configuration instead of the Tailnet's MagicDNS settings)
  • unbound-resolveconf.service should be disabled, and /etc/resolv.conf should not be managed by any other service.

I just put the following contents into /etc/resolv.conf for the Orange Pi 5 Plus's local DNS resolution:

nameserver 9.9.9.9
nameserver 149.112.112.112

I have Blocky configured to use the strict strategy for the upstreams setting, so if the topmost upstream server (the local Unbound) times out, it falls back to the next one, which is Quad9.

An idea I have is to set up a cheap VPS on Vultr or something and run a public DNS resolver on it, but Quad9 is fine for now.

I have the Orange Pi 5 Plus's Tailnet IP address configured to be my Tailnet's global nameserver. This can be done through the Tailscale admin console under the DNS tab. So every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound.

Blocky configuration

upstreams:
  strategy: strict
  groups:
    default:
      - 127.0.0.1:5335
      - 9.9.9.9
      - 149.112.112.112

blocking:
  denylists:
    ads:
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
      - https://adaway.org/hosts.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
    suspicious:
      - https://v.firebog.net/hosts/static/w3kbl.txt
    tracking:
      - https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://v.firebog.net/hosts/Prigent-Ads.txt
    malicious:
      - http://phishing.mailscanner.info/phishing.bad.sites.conf
      - https://v.firebog.net/hosts/Prigent-Crypto.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts

  clientGroupsBlock:
    default:
      - ads
      - suspicious
      - tracking
      - malicious

ports:
  dns: 53
  http: 4000

prometheus:
  enable: yes

caching:
  minTime: 60s
  maxItemsCount: 10000
  prefetching: yes
  prefetchMaxItemsCount: 2000

queryLog:
  type: csv-client
  target: /home/jas/dns-query-logs
  logRetentionDays: 5

clientLookup:
  upstream: 10.0.0.1
  singleNameOrder:
    - 1
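The queryLog section above writes one tab-separated CSV file per client. As an added example (not part of the original page or of Blocky), here is a small Python script that reads those files and counts blocked queries per client and per denylist group, so you can see which Tailnet devices are hitting the malicious list. The column order, tab delimiter and "BLOCKED (group)" reason format are assumptions about Blocky's writer and should be checked against a real file in /home/jas/dns-query-logs; the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Assumed layout of Blocky's csv-client query log: tab-separated, no header row,
# one file per client under queryLog.target. Verify against the real files first.
COLUMNS = ["time", "client_ip", "client_name", "duration_ms", "reason",
           "question", "answer", "rcode", "response_type", "qtype"]
# Assumed reason format for a blocked answer, e.g. "BLOCKED (ads)".
GROUP_RE = re.compile(r"BLOCKED \((\w+)\)")

# Constructed sample rows in that layout; not real traffic.
SAMPLE_LOG = "\n".join([
    "2024-05-01 08:00:01\t100.64.0.5\tlaptop\t3\tRESOLVED\texample.org.\tA (192.0.2.10)\tNOERROR\tRESOLVED\tA",
    "2024-05-01 08:00:02\t100.64.0.5\tlaptop\t0\tBLOCKED (ads)\tads.example.net.\tA (0.0.0.0)\tNOERROR\tBLOCKED\tA",
    "2024-05-01 08:00:03\t100.64.0.7\tphone\t0\tBLOCKED (tracking)\ttrk.example.com.\tA (0.0.0.0)\tNOERROR\tBLOCKED\tA",
    "2024-05-01 08:00:04\t100.64.0.7\tphone\t0\tBLOCKED (malicious)\tbad.example.org.\tA (0.0.0.0)\tNOERROR\tBLOCKED\tA",
    "2024-05-01 08:00:05\t100.64.0.7\tphone\t1\tCACHED\texample.org.\tA (192.0.2.10)\tNOERROR\tCACHED\tA",
])

def parse_rows(text, delimiter="\t"):
    """Yield one dict per log row, skipping rows that do not have every column."""
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        if len(row) == len(COLUMNS):
            yield dict(zip(COLUMNS, row))

def summarize_blocks(text):
    """Return {client: Counter(group -> blocked query count)}."""
    per_client = defaultdict(Counter)
    for r in parse_rows(text):
        m = GROUP_RE.match(r["reason"])
        if m:
            # Fall back to the IP when clientLookup could not resolve a name.
            per_client[r["client_name"] or r["client_ip"]][m.group(1)] += 1
    return per_client

def hits_for_group(text, group="malicious"):
    """(client, queried name) pairs blocked by one group; the 'malicious' group
    (phishing and crypto-mining lists) is the one worth following up on a client."""
    return [(r["client_name"] or r["client_ip"], r["question"])
            for r in parse_rows(text) if r["reason"] == f"BLOCKED ({group})"]

if __name__ == "__main__":
    for client, groups in summarize_blocks(SAMPLE_LOG).items():
        print(client, dict(groups))
    print("malicious hits:", hits_for_group(SAMPLE_LOG))
```

To run it on the real logs, read each file under queryLog.target and pass its contents to summarize_blocks; rows are appended across days, so logRetentionDays bounds how far back the counts reach.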

network-wide-bullshit-blocking-setup-with-blocky-and-tailscale.1771833965.txt.gz · Last modified: by hyperreal

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain