I like to use DNS blocklists to block ads, telemetry, and potential malware. Things like Pi-Hole have been popular for a while. If you search you can also find lists to block “offensive” website domains as well, such as adult sites.<\/p>\n\n\n\n
There is a similar tool called void-zones-tools<\/em><\/a> which is designed around FreeBSD. The void-zones-tools<\/em> project includes a number of DNS blocklists, and there is a method to add additional blocklists (I demonstrate one way below in the cron <\/em>section).<\/p>\n\n\n\n The default repository doesn’t quite run out of the box on OpenBSD. However, after a few simple changes you can get it working a treat!<\/p>\n\n\n\n First download the void-zones-tools<\/em> zipfile <\/a>from GitHub (or use git <\/em>to pull it if you prefer– all of this is covered in the README<\/a> on GitHub).<\/p>\n\n\n\n Expand the zip:<\/p>\n\n\n\n <\/p>\n\n\n\n Edit the Makefile for compilation on OpenBSD<\/strong><\/p>\n\n\n\n We need to modify the Make file to enable Position Independent Code for OpenBSD:<\/p>\n\n\n\n Then we can compile as usual:<\/p>\n\n\n\n <\/p>\n\n\n\n Modify the script to use ftp <\/em>instead of fetch<\/em> for OpenBSD<\/strong><\/p>\n\n\n\n The void-zones-tools<\/em> update script ( void-zones-update.sh<\/em> ) tries to find the fetch<\/em> program, which is FreeBSD’s equivalent of the multipurpose downloader called ftp<\/em> on OpenBSD (similar to wget <\/em>or curl<\/em>). For the purposes of void-zones-tools<\/em> you can use OpenBSD’s ftp <\/em>in place of fetch<\/em>. You can edit the void-zones-update.sh<\/em> (installed in \/usr\/local\/bin<\/em> by default) and set the FETCH variable to point to \/usr\/bin\/ftp<\/em> as well as delete or comment out the checks for fetch<\/em> like this:<\/p>\n\n\n\n Or <\/strong>you can simply make a symlink for fetch <\/em>that points to ftp<\/em> :<\/p>\n\n\n\n Either way works. OpenBSD purist may prefer to modify the script rather than create the symlink.<\/p>\n\n\n\n <\/p>\n\n\n\n Install<\/strong><\/p>\n\n\n\n Then install as root. <\/p>\n\n\n\n <\/p>\n\n\n\n Execution and Auto Update Configuration<\/strong><\/p>\n\n\n\n ** The following section is lifted from the README <\/a>of the original void-zones-tools<\/em> package with modifications to paths and command names to make it OpenBSD specific. These instructions use GNU nano as the editor. You can of course replace that with vi <\/em>or emacs<\/em>, etc.<\/p>\n\n\n\n The tools are placed by the above command sequence into \/usr\/local\/bin<\/em> .<\/p>\n\n\n\n On the first run of void-zones-update.sh<\/em>, a directory is created at \/usr\/local\/etc\/void-zones\/<\/em>, which serves as the storage location for the downloaded Hosts files and\/or Domain listings. In addition a template for a custom white\/black list my_void_hosts.txt<\/em> is placed into that directory, and this may be used for whitelisting some zones that are inadvertently part of the downloaded Hosts<\/em> files, or for blacklisting additional zones, which are missing from the downloads. Now execute the void-zones-update.sh<\/em> shell script:<\/p>\n\n\n\n You can look at the customizable file my_void_hosts.txt<\/em>:<\/p>\n\n\n\n For whitelisting use the IP address The downloaded Hosts<\/em> files are placed into \/usr\/local\/etc\/void-zones\/<\/em> as well:<\/p>\n\n\n\n And finally the void-zones-update.sh<\/em> compiles (converts & consolidates) all Hosts<\/em> files and Domain<\/em> listings into one single local-void.zones<\/em> include file, and moves this into \/var\/unbound\/<\/em> for direct usage with Unbound<\/em>:<\/p>\n\n\n\n <\/p>\n\n\n\n Configure Unbound to use the zones<\/strong><\/p>\n\n\n\n For using the void zones method, of course Unbound<\/em> must be up and running already on the given OpenBSD machine. Then edit the configuration file \/var\/unbound\/etc\/unbound.conf<\/em> in order to activate ad, tracking, malware and telemetry domain filtering by Unbound<\/em>:<\/p>\n\n\n\n Before<\/strong> any forwarder directives, e.g. (ed note<\/em>) I like to put it as shown here with some context from the default unbound.conf<\/em>:<\/p>\n\n\n\n <\/p>\n\n\n\n Then restart Unbound<\/em>:<\/p>\n\n\n\n For future updates execute the following command sequence which may be placed into a cron job:<\/p>\n\n\n\n In order to facilitate inclusion of listings which are not part of the automated updating, 3 additional input files are passed by void-zones-update.sh<\/em> to the conversion tool host2zones <\/em>:<\/p>\n\n\n\n This mechanism can be used to include for example the Disconnect.me<\/a> listings to the Said command would place the respective lists joined together into \/usr\/local\/etc\/void-zones\/x_void_list.txt<\/em> , and on the next run of void-zones-update.sh<\/em> that one would be converted & consolidated & included into the local-void.zones<\/em> for filtering by Unbound<\/em>. In the case these additional files are missing, the tool simply ignores these parameters.<\/p>\n\n\n\n <\/p>\n\n\n\n Example cron setup for OpenBSD<\/strong><\/p>\n\n\n\n Here is an example cron setup for OpenBSD. Edit your crontab for root with:<\/p>\n\n\n\n Then add something like the following at the bottom:<\/p>\n\n\n\n Note <\/strong>that the first line is all on a single line with no line breaks. You could put that in a script and run the script from cron if you want your crontab cleaner.<\/p>\n\n\n\n The first crontab entry runs sometime (randomly) within the 5AM hour and uses ftp <\/em>to download a series of additional blocklists (these are not included by default and you may want to use them, especially the first one is particularly good) and concatenates them into \/usr\/local\/etc\/void-zones\/y_void_list.txt <\/em>, which is one of the “extra” files for customization as describe above.<\/p>\n\n\n\n The second line (remember this should be just two lines in the crontab, without line breaks) runs some time randomly within the 6AM hour and runs the void-zones-update.sh<\/em> script and then restarts unbound <\/em>to load the new data. <\/p>\n\n\n\n Note you may prefer to use:<\/p>\n\n\n\n which should force unbound to reload the configs without clearing its cache, but I have seen some occasional issues with this; YMMV.<\/p>\n\n\n\n <\/p>\n\n\n\n Conclusion<\/strong><\/p>\n\n\n\n Hopefully you are now about to get the void-zones-tools dnsbl blocklist (blacklist) set up under OpenBSD in order to block ads and telemetry or block malware. Someday when I have time I will submit a pull request for updates to make the master branch work under OpenBSD by default.<\/p>\n","protected":false},"excerpt":{"rendered":" I like to use DNS blocklists to block ads, telemetry, and potential malware. Things like Pi-Hole have been popular for a while. If you search you can also find lists to block “offensive” website domains as well, such as adult … Continue reading > ftp https:\/\/github.com\/cyclaero\/void-zones-tools\/archive\/refs\/heads\/master.zip<\/a><\/code><\/pre>\n\n\n\n> unzip master.zip<\/code><\/pre>\n\n\n\n> cd void-zones-tools-master\n> sed -i 's\/-fno-pic\/-fPIC\/g' Makefile<\/code><\/pre>\n\n\n\n> make<\/code><\/pre>\n\n\n\n...\n\n#### verify the path to the fetch utility\n#if [ -e \"\/usr\/bin\/fetch\" ]; then\n# FETCH=\"\/usr\/bin\/fetch\"\n#elif [ -e \"\/usr\/local\/bin\/fetch\" ]; then\n# FETCH=\"\/usr\/local\/bin\/fetch\"\n#elif [ -e \"\/opt\/local\/bin\/fetch\" ]; then\n# FETCH=\"\/opt\/local\/bin\/fetch\"\n#else\n# echo \"No fetch utility can be found on the system -- Stopping.\" # echo \"On Mac OS X, execute either 'sudo port install fetch' or install\"\n# echo \"fetch from source into '\/usr\/local\/bin', and then try again.\"\n# exit 1\n#fi\n\n# Set FETCH for OpenBSD\nFETCH=\"\/usr\/bin\/ftp\"\n\n...\n<\/code><\/pre>\n\n\n\n# ln -s \/usr\/bin\/ftp \/usr\/bin\/fetch<\/code><\/pre>\n\n\n\n# make install<\/code><\/pre>\n\n\n\n# void-zones-update.sh<\/code><\/pre>\n\n\n\n# nano \/usr\/local\/etc\/void-zones\/my_void_hosts.txt
# white list
1.1.1.1 my.white.dom
# black list
0.0.0.0 my.black.dom<\/code><\/pre>\n\n\n\n1.1.1.1<\/code>, and for blacklisting 0.0.0.0<\/code> shall be used. This \/usr\/local\/etc\/void-zones\/my_void_hosts.txt<\/em> file is where you would add any personal exceptions to the downloaded rules, like whitelisting specific sites that don’t work correctly if blocked, or blacklisting sites not covered by the downloaded rules, etc.<\/p>\n\n\n\n# ls -l \/usr\/local\/etc\/void-zones\n\ntotal 1876\n-rw-r--r-- 1 root wheel 13722 Jan 31 2017 away_void_hosts.txt\n-rw-r--r-- 1 root wheel 640858 Aug 17 19:16 jdom_void_list.txt\n-rw-r--r-- 1 root wheel 36982 Jun 29 19:52 mdl_void_hosts.txt\n-rw-r--r-- 1 root wheel 497673 Aug 7 11:07 mvps_void_hosts.txt\n-rw-r--r-- 1 root wheel 60257 Aug 21 05:43 pgl_void_hosts.txt\n-rw-r--r-- 1 root wheel 376421 Aug 20 14:40 sowc_void_hosts.txt\n-rw-r--r-- 1 root wheel 618 Aug 22 09:29 ucky_void_host.txt\n-rw-r--r-- 1 root wheel 9977 Aug 22 09:29 w10telm_void_hosts.txt\n-rw-r--r-- 1 root wheel 886 Aug 22 09:29 w7telm_void_hosts.txt\n-rw-r--r-- 1 root wheel 1142 Aug 22 09:29 w81telm_void_hosts.txt\n<\/code><\/pre>\n\n\n\n# head \/var\/unbound\/local-void.zones\n\nlocal-zone: \"clk.cloudyisland.com\" static\nlocal-zone: \"click.silvercash.com\" static\nlocal-zone: \"oascentral.pressdemocrat.com\" static\nlocal-zone: \"s29.cnzz.com\" static\nlocal-zone: \"www.spywarespy.com\" static\nlocal-zone: \"republika.onet.pl\" static\nlocal-zone: \"preview.msn.com\" static\nlocal-zone: \"pos.baidu.com\" static\n...\n<\/code><\/pre>\n\n\n\n# nano \/var\/unbound\/etc\/unbound.conf<\/code><\/pre>\n\n\n\nforward-zone:<\/code> or include: \/var\/unbound\/forward.conf<\/code> add the following line:<\/p>\n\n\n\ninclude: \/var\/unbound\/local-void.zones<\/code><\/pre>\n\n\n\n... \n # Serve zones authoritatively from Unbound to resolver clients.\n # Not for external service.\n #\n \n include: \/var\/unbound\/local-void.zones\n\n #local-zone: \"local.\" static\n #local-data: \"mycomputer.local. IN A 192.0.2.51\"\n...<\/code><\/pre>\n\n\n\n# \/usr\/sbin\/rcctl restart unbound<\/code><\/pre>\n\n\n\n# \/usr\/local\/bin\/void-zones-update.sh && \/usr\/sbin\/rcctl restart unbound<\/code><\/pre>\n\n\n\nx_void_list.txt\ny_void_list.txt\nz_void_list.txt\n<\/code><\/pre>\n\n\n\nhosts2zones<\/code> processing by executing the following command before updating the other zones:<\/p>\n\n\n\n# ftp -o - \\\n https:\/\/s3.amazonaws.com\/lists.disconnect.me\/simple_ad.txt \\\n https:\/\/s3.amazonaws.com\/lists.disconnect.me\/simple_malware.txt \\\n https:\/\/s3.amazonaws.com\/lists.disconnect.me\/simple_tracking.txt \\\n https:\/\/s3.amazonaws.com\/lists.disconnect.me\/simple_malvertising.txt \\\n > \/usr\/local\/etc\/void-zones\/x_void_list.txt\n<\/code><\/pre>\n\n\n\n# crontab -e<\/code><\/pre>\n\n\n\n~ 5 * * * ftp -o - https:\/\/raw.githubusercontent.com\/StevenBlack\/hosts\/master\/hosts http:\/\/sysctl.org\/cameleon\/hosts http:\/\/sysctl.org\/cameleon\/hosts http:\/\/sysctl.org\/cameleon\/hosts http:\/\/sysctl.org\/cameleon\/hosts http:\/\/sysctl.org\/cameleon\/hosts >! \/usr\/local\/etc\/void-zones\/y_void_list.txt\n\n~ 6 * * * \/usr\/local\/bin\/void-zones-update.sh && \/usr\/sbin\/rcctl restart unbound<\/code><\/pre>\n\n\n\n\/usr\/sbin\/rcctl reload unbound<\/code><\/pre>\n\n\n\n