I like to use DNS blocklists to block ads, telemetry, and potential malware. Things like Pi-Hole have been popular for a while. If you search you can also find lists to block “offensive” website domains as well, such as adult sites.
There is a similar tool called void-zones-tools which is designed around FreeBSD. The void-zones-tools project includes a number of DNS blocklists, and there is a method to add additional blocklists (I demonstrate one way below in the cron section).
The default repository doesn’t quite run out of the box on OpenBSD. However, after a few simple changes you can get it working a treat!
First download the void-zones-tools zipfile from GitHub (or use git to pull it if you prefer– all of this is covered in the README on GitHub).
> ftp https://github.com/cyclaero/void-zones-tools/archive/refs/heads/master.zip
Expand the zip:
> unzip master.zip
Edit the Makefile for compilation on OpenBSD
We need to modify the Make file to enable Position Independent Code for OpenBSD:
> cd void-zones-tools-master
> sed -i 's/-fno-pic/-fPIC/g' Makefile
Then we can compile as usual:
> make
Modify the script to use ftp instead of fetch for OpenBSD
The void-zones-tools update script ( void-zones-update.sh ) tries to find the fetch program, which is FreeBSD’s equivalent of the multipurpose downloader called ftp on OpenBSD (similar to wget or curl). For the purposes of void-zones-tools you can use OpenBSD’s ftp in place of fetch. You can edit the void-zones-update.sh (installed in /usr/local/bin by default) and set the FETCH variable to point to /usr/bin/ftp as well as delete or comment out the checks for fetch like this:
...
#### verify the path to the fetch utility
#if [ -e "/usr/bin/fetch" ]; then
# FETCH="/usr/bin/fetch"
#elif [ -e "/usr/local/bin/fetch" ]; then
# FETCH="/usr/local/bin/fetch"
#elif [ -e "/opt/local/bin/fetch" ]; then
# FETCH="/opt/local/bin/fetch"
#else
# echo "No fetch utility can be found on the system -- Stopping." # echo "On Mac OS X, execute either 'sudo port install fetch' or install"
# echo "fetch from source into '/usr/local/bin', and then try again."
# exit 1
#fi
# Set FETCH for OpenBSD
FETCH="/usr/bin/ftp"
...
Or you can simply make a symlink for fetch that points to ftp :
# ln -s /usr/bin/ftp /usr/bin/fetch
Either way works. OpenBSD purist may prefer to modify the script rather than create the symlink.
Install
Then install as root.
# make install
Execution and Auto Update Configuration
** The following section is lifted from the README of the original void-zones-tools package with modifications to paths and command names to make it OpenBSD specific. These instructions use GNU nano as the editor. You can of course replace that with vi or emacs, etc.
The tools are placed by the above command sequence into /usr/local/bin .
On the first run of void-zones-update.sh, a directory is created at /usr/local/etc/void-zones/, which serves as the storage location for the downloaded Hosts files and/or Domain listings. In addition a template for a custom white/black list my_void_hosts.txt is placed into that directory, and this may be used for whitelisting some zones that are inadvertently part of the downloaded Hosts files, or for blacklisting additional zones, which are missing from the downloads. Now execute the void-zones-update.sh shell script:
# void-zones-update.sh
You can look at the customizable file my_void_hosts.txt:
# nano /usr/local/etc/void-zones/my_void_hosts.txt
# white list
1.1.1.1 my.white.dom
# black list
0.0.0.0 my.black.dom
For whitelisting use the IP address 1.1.1.1
, and for blacklisting 0.0.0.0
shall be used. This /usr/local/etc/void-zones/my_void_hosts.txt file is where you would add any personal exceptions to the downloaded rules, like whitelisting specific sites that don’t work correctly if blocked, or blacklisting sites not covered by the downloaded rules, etc.
The downloaded Hosts files are placed into /usr/local/etc/void-zones/ as well:
# ls -l /usr/local/etc/void-zones
total 1876
-rw-r--r-- 1 root wheel 13722 Jan 31 2017 away_void_hosts.txt
-rw-r--r-- 1 root wheel 640858 Aug 17 19:16 jdom_void_list.txt
-rw-r--r-- 1 root wheel 36982 Jun 29 19:52 mdl_void_hosts.txt
-rw-r--r-- 1 root wheel 497673 Aug 7 11:07 mvps_void_hosts.txt
-rw-r--r-- 1 root wheel 60257 Aug 21 05:43 pgl_void_hosts.txt
-rw-r--r-- 1 root wheel 376421 Aug 20 14:40 sowc_void_hosts.txt
-rw-r--r-- 1 root wheel 618 Aug 22 09:29 ucky_void_host.txt
-rw-r--r-- 1 root wheel 9977 Aug 22 09:29 w10telm_void_hosts.txt
-rw-r--r-- 1 root wheel 886 Aug 22 09:29 w7telm_void_hosts.txt
-rw-r--r-- 1 root wheel 1142 Aug 22 09:29 w81telm_void_hosts.txt
And finally the void-zones-update.sh compiles (converts & consolidates) all Hosts files and Domain listings into one single local-void.zones include file, and moves this into /var/unbound/ for direct usage with Unbound:
# head /var/unbound/local-void.zones
local-zone: "clk.cloudyisland.com" static
local-zone: "click.silvercash.com" static
local-zone: "oascentral.pressdemocrat.com" static
local-zone: "s29.cnzz.com" static
local-zone: "www.spywarespy.com" static
local-zone: "republika.onet.pl" static
local-zone: "preview.msn.com" static
local-zone: "pos.baidu.com" static
...
Configure Unbound to use the zones
For using the void zones method, of course Unbound must be up and running already on the given OpenBSD machine. Then edit the configuration file /var/unbound/etc/unbound.conf in order to activate ad, tracking, malware and telemetry domain filtering by Unbound:
# nano /var/unbound/etc/unbound.conf
Before any forwarder directives, e.g. forward-zone:
or include: /var/unbound/forward.conf
add the following line:
include: /var/unbound/local-void.zones
(ed note) I like to put it as shown here with some context from the default unbound.conf:
...
# Serve zones authoritatively from Unbound to resolver clients.
# Not for external service.
#
include: /var/unbound/local-void.zones
#local-zone: "local." static
#local-data: "mycomputer.local. IN A 192.0.2.51"
...
Then restart Unbound:
# /usr/sbin/rcctl restart unbound
For future updates execute the following command sequence which may be placed into a cron job:
# /usr/local/bin/void-zones-update.sh && /usr/sbin/rcctl restart unbound
In order to facilitate inclusion of listings which are not part of the automated updating, 3 additional input files are passed by void-zones-update.sh to the conversion tool host2zones :
x_void_list.txt
y_void_list.txt
z_void_list.txt
This mechanism can be used to include for example the Disconnect.me listings to the hosts2zones
processing by executing the following command before updating the other zones:
# ftp -o - \
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt \
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt \
> /usr/local/etc/void-zones/x_void_list.txt
Said command would place the respective lists joined together into /usr/local/etc/void-zones/x_void_list.txt , and on the next run of void-zones-update.sh that one would be converted & consolidated & included into the local-void.zones for filtering by Unbound. In the case these additional files are missing, the tool simply ignores these parameters.
Example cron setup for OpenBSD
Here is an example cron setup for OpenBSD. Edit your crontab for root with:
# crontab -e
Then add something like the following at the bottom:
~ 5 * * * ftp -o - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts >! /usr/local/etc/void-zones/y_void_list.txt
~ 6 * * * /usr/local/bin/void-zones-update.sh && /usr/sbin/rcctl restart unbound
Note that the first line is all on a single line with no line breaks. You could put that in a script and run the script from cron if you want your crontab cleaner.
The first crontab entry runs sometime (randomly) within the 5AM hour and uses ftp to download a series of additional blocklists (these are not included by default and you may want to use them, especially the first one is particularly good) and concatenates them into /usr/local/etc/void-zones/y_void_list.txt , which is one of the “extra” files for customization as describe above.
The second line (remember this should be just two lines in the crontab, without line breaks) runs some time randomly within the 6AM hour and runs the void-zones-update.sh script and then restarts unbound to load the new data.
Note you may prefer to use:
/usr/sbin/rcctl reload unbound
which should force unbound to reload the configs without clearing its cache, but I have seen some occasional issues with this; YMMV.
Conclusion
Hopefully you are now about to get the void-zones-tools dnsbl blocklist (blacklist) set up under OpenBSD in order to block ads and telemetry or block malware. Someday when I have time I will submit a pull request for updates to make the master branch work under OpenBSD by default.