HOWTO: Setup void-zones-tools dnsbl DNS Blocklist (like Pi-Hole) on OpenBSD

I like to use DNS blocklists to block ads, telemetry, and potential malware. Things like Pi-Hole have been popular for a while. If you search you can also find lists to block “offensive” website domains as well, such as adult sites.

There is a similar tool called void-zones-tools which is designed around FreeBSD. The void-zones-tools project includes a number of DNS blocklists, and there is a method to add additional blocklists (I demonstrate one way below in the cron section).

The default repository doesn’t quite run out of the box on OpenBSD. However, after a few simple changes you can get it working a treat!

First download the void-zones-tools zipfile from GitHub (or use git to pull it if you prefer– all of this is covered in the README on GitHub).

>  ftp https://github.com/cyclaero/void-zones-tools/archive/refs/heads/master.zip

Expand the zip:

>  unzip master.zip

Edit the Makefile for compilation on OpenBSD

We need to modify the Make file to enable Position Independent Code for OpenBSD:

>  cd void-zones-tools-master
>  sed -i 's/-fno-pic/-fPIC/g' Makefile

Then we can compile as usual:

>  make

Modify the script to use ftp instead of fetch for OpenBSD

The void-zones-tools update script ( void-zones-update.sh ) tries to find the fetch program, which is FreeBSD’s equivalent of the multipurpose downloader called ftp on OpenBSD (similar to wget or curl). For the purposes of void-zones-tools you can use OpenBSD’s ftp in place of fetch. You can edit the void-zones-update.sh (installed in /usr/local/bin by default) and set the FETCH variable to point to /usr/bin/ftp as well as delete or comment out the checks for fetch like this:

...

#### verify the path to the fetch utility
#if [ -e "/usr/bin/fetch" ]; then
#   FETCH="/usr/bin/fetch"
#elif [ -e "/usr/local/bin/fetch" ]; then
#   FETCH="/usr/local/bin/fetch"
#elif [ -e "/opt/local/bin/fetch" ]; then
#   FETCH="/opt/local/bin/fetch"
#else
#   echo "No fetch utility can be found on the system -- Stopping."                                                                                 #   echo "On Mac OS X, execute either 'sudo port install fetch' or install"
#   echo "fetch from source into '/usr/local/bin', and then try again."
#   exit 1
#fi

# Set FETCH for OpenBSD
FETCH="/usr/bin/ftp"

...

Or you can simply make a symlink for fetch that points to ftp :

#  ln -s /usr/bin/ftp /usr/bin/fetch

Either way works. OpenBSD purist may prefer to modify the script rather than create the symlink.

Install

Then install as root.

#  make install

Execution and Auto Update Configuration

** The following section is lifted from the README of the original void-zones-tools package with modifications to paths and command names to make it OpenBSD specific. These instructions use GNU nano as the editor. You can of course replace that with vi or emacs, etc.

The tools are placed by the above command sequence into /usr/local/bin .

On the first run of void-zones-update.sh, a directory is created at /usr/local/etc/void-zones/, which serves as the storage location for the downloaded Hosts files and/or Domain listings. In addition a template for a custom white/black list my_void_hosts.txt is placed into that directory, and this may be used for whitelisting some zones that are inadvertently part of the downloaded Hosts files, or for blacklisting additional zones, which are missing from the downloads. Now execute the void-zones-update.sh shell script:

# void-zones-update.sh

You can look at the customizable file my_void_hosts.txt:

# nano /usr/local/etc/void-zones/my_void_hosts.txt

# white list
1.1.1.1 my.white.dom

# black list
0.0.0.0 my.black.dom

For whitelisting use the IP address 1.1.1.1, and for blacklisting 0.0.0.0 shall be used. This /usr/local/etc/void-zones/my_void_hosts.txt file is where you would add any personal exceptions to the downloaded rules, like whitelisting specific sites that don’t work correctly if blocked, or blacklisting sites not covered by the downloaded rules, etc.

The downloaded Hosts files are placed into /usr/local/etc/void-zones/ as well:

# ls -l /usr/local/etc/void-zones

total 1876
-rw-r--r--  1 root  wheel   13722 Jan 31  2017 away_void_hosts.txt
-rw-r--r--  1 root  wheel  640858 Aug 17 19:16 jdom_void_list.txt
-rw-r--r--  1 root  wheel   36982 Jun 29 19:52 mdl_void_hosts.txt
-rw-r--r--  1 root  wheel  497673 Aug  7 11:07 mvps_void_hosts.txt
-rw-r--r--  1 root  wheel   60257 Aug 21 05:43 pgl_void_hosts.txt
-rw-r--r--  1 root  wheel  376421 Aug 20 14:40 sowc_void_hosts.txt
-rw-r--r--  1 root  wheel     618 Aug 22 09:29 ucky_void_host.txt
-rw-r--r--  1 root  wheel    9977 Aug 22 09:29 w10telm_void_hosts.txt
-rw-r--r--  1 root  wheel     886 Aug 22 09:29 w7telm_void_hosts.txt
-rw-r--r--  1 root  wheel    1142 Aug 22 09:29 w81telm_void_hosts.txt

And finally the void-zones-update.sh compiles (converts & consolidates) all Hosts files and Domain listings into one single local-void.zones include file, and moves this into /var/unbound/ for direct usage with Unbound:

# head /var/unbound/local-void.zones

local-zone: "clk.cloudyisland.com" static
local-zone: "click.silvercash.com" static
local-zone: "oascentral.pressdemocrat.com" static
local-zone: "s29.cnzz.com" static
local-zone: "www.spywarespy.com" static
local-zone: "republika.onet.pl" static
local-zone: "preview.msn.com" static
local-zone: "pos.baidu.com" static
...

Configure Unbound to use the zones

For using the void zones method, of course Unbound must be up and running already on the given OpenBSD machine. Then edit the configuration file /var/unbound/etc/unbound.conf in order to activate ad, tracking, malware and telemetry domain filtering by Unbound:

# nano /var/unbound/etc/unbound.conf

Before any forwarder directives, e.g. forward-zone: or include: /var/unbound/forward.conf add the following line:

include: /var/unbound/local-void.zones

(ed note) I like to put it as shown here with some context from the default unbound.conf:

...    
    # Serve zones authoritatively from Unbound to resolver clients.
    # Not for external service.
    #
    
    include: /var/unbound/local-void.zones

    #local-zone: "local." static
    #local-data: "mycomputer.local. IN A 192.0.2.51"
...

Then restart Unbound:

# /usr/sbin/rcctl restart unbound

For future updates execute the following command sequence which may be placed into a cron job:

# /usr/local/bin/void-zones-update.sh && /usr/sbin/rcctl restart unbound

In order to facilitate inclusion of listings which are not part of the automated updating, 3 additional input files are passed by void-zones-update.sh to the conversion tool host2zones :

x_void_list.txt
y_void_list.txt
z_void_list.txt

This mechanism can be used to include for example the Disconnect.me listings to the hosts2zones processing by executing the following command before updating the other zones:

# ftp -o - \
        https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \
        https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt \
        https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \
        https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt \
        > /usr/local/etc/void-zones/x_void_list.txt

Said command would place the respective lists joined together into /usr/local/etc/void-zones/x_void_list.txt , and on the next run of void-zones-update.sh that one would be converted & consolidated & included into the local-void.zones for filtering by Unbound. In the case these additional files are missing, the tool simply ignores these parameters.

Example cron setup for OpenBSD

Here is an example cron setup for OpenBSD. Edit your crontab for root with:

# crontab -e

Then add something like the following at the bottom:

~ 5 * * * ftp -o - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts http://sysctl.org/cameleon/hosts >! /usr/local/etc/void-zones/y_void_list.txt

~ 6 * * * /usr/local/bin/void-zones-update.sh && /usr/sbin/rcctl restart unbound

Note that the first line is all on a single line with no line breaks. You could put that in a script and run the script from cron if you want your crontab cleaner.

The first crontab entry runs sometime (randomly) within the 5AM hour and uses ftp to download a series of additional blocklists (these are not included by default and you may want to use them, especially the first one is particularly good) and concatenates them into /usr/local/etc/void-zones/y_void_list.txt , which is one of the “extra” files for customization as describe above.

The second line (remember this should be just two lines in the crontab, without line breaks) runs some time randomly within the 6AM hour and runs the void-zones-update.sh script and then restarts unbound to load the new data.

Note you may prefer to use:

/usr/sbin/rcctl reload unbound

which should force unbound to reload the configs without clearing its cache, but I have seen some occasional issues with this; YMMV.

Conclusion

Hopefully you are now about to get the void-zones-tools dnsbl blocklist (blacklist) set up under OpenBSD in order to block ads and telemetry or block malware. Someday when I have time I will submit a pull request for updates to make the master branch work under OpenBSD by default.

This entry was posted in Uncategorized and tagged , , , , , , , , , , , , , . Bookmark the permalink.

One Response to HOWTO: Setup void-zones-tools dnsbl DNS Blocklist (like Pi-Hole) on OpenBSD

  1. Pingback: HOWTO: Make iPhone / iPad (IOS) Use Your Own DNS Server or DNSBL Like Pi-Hole, void-zones-tools, or pfBlockerNG by ByPassing iCloud Private Relay for DNS | SourceOpen

Leave a Reply