Unbound Pi-hole without scripts

now with more RPZ

For those of you who want to block ad's and trackers and not use pi-hole, but would like it to be fully automated.

I use to run shell scripts on a cronjob to download domain blocklists and reload unbound. Some good reference examples: unbound-adblock Blocking Ads using unbound(8) on OpenBSD

In early 2020 nlnetlabs added support for Response Policy Zones which makes it possible to use unbound as a dns firewall. This is a similar concept to using unbound.conf's local-zone:, but incorporates a few different ways to get your RPZ feed or data without having to reload or wait for unbound to reload. In fact unbound will handle refreshing it's data without a cronjob to reach out and download and reformat it.

There are paid subscriptions available for DNS rpz feeds, but I have been using the spark list from Energized Pro. Their repo on github provides lots of info on what list sources are incorporated into their block lists.

To get started using the spark list, I've posted the relevant snippets that need to be added to your config file for unbound. Along with a plain text file where you can override the blocklist.

unbound.conf:

server:
	# Needed to use the rpz policy files
	module-config: "respip validator iterator"

	# Needed for cert checking your rpz URL
	tls-cert-bundle: /etc/ssl/cert.pem
	

rpz:
	# this is where we list any domains that we don't want blocked
	# first match wins the rpz action
        name: "allowed list"
	zonefile: "/var/unbound/etc/allowed_domains.txt"
rpz:
	name: "energized spark"
	url: https://block.energized.pro/spark/formats/rpz.txt

Sometimes you want certain domains to always be available. They can be allowed by using rpz-passthru action. Documentation for Policy Actions. Unbound currently only supports 4 of the 6 actions, which are NXDOMAIN, NODATA, PASSTHRU, and DROP.

+----------+---------------------+
|  Action  |  RR type and RDATA  |
+----------+---------------------+
| NXDOMAIN | CNAME .             |
| NODATA   | CNAME *.            |
| PASSTHRU | CNAME rpz-passthru. |
| DROP     | CNAME rpz-drop.     |
+----------+---------------------+

allowed_domains.txt:

$TTL 2h
@ IN SOA localhost. root.localhost. (1 6h 1h 1w 2h)
  IN NS  localhost.
;
;
example.com	CNAME	rpz-passthru.
*.example.com	CNAME	rpz-passthru.