
https://github.com/seheyah/unbound

Unbound file configuration with some scripts building RPZ lists.

dns dns-servers dns-service rpz unbound unbound-dns unbound-server

README


# Unbound file configuration and some other tweaks
🎯 This repository hosts an Unbound server configuration for [OpenBSD](https://www.openbsd.org) with some tweaks that clean up your web experience.

📝 Here is the [man page](https://man.openbsd.org/unbound.conf) for the unbound configuration file.

📝 Here is the [documentation](https://www.nlnetlabs.nl/documentation/unbound/howto-optimise/) on tuning Unbound to your resources.

📝 Here is the Response Policy Zones (__RPZ__) [documentation](https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/rpz.html).

🛡️ Secure your external DNS requests with DNS over TLS, configure the RPZ option and build lists for a better and more efficient (lower carbon impact) web experience.

## Prerequisites
* You need an account with doas set up correctly.
* Enable and start Unbound:
  * `rcctl enable unbound`
  * `rcctl start unbound`
* Activate the modules below in your configuration file `unbound.conf`:
  * `module-config: "respip validator iterator"`
* Check your configuration file before reloading:
  * `unbound-checkconf /var/unbound/etc/unbound.conf`
  * `rcctl reload unbound`

## Usage
For [unbound.conf](https://github.com/seheyah/unbound/blob/main/unbound.conf) change these values:

* access-control: `your_network_here/CIDR_prefix` allow
* interface: `your_ip_here`
* private-address: `your_network_here/CIDR_prefix`

For [unbound-ph15h1n9-001.sh](https://github.com/seheyah/unbound/blob/main/unbound-ph15h1n9-001.sh) update the backup path:

* `filebkp01="your_backup_path/2pz-l1s7-ph15h1n9-001.bkp"`

Depending on the context, you sometimes need a redirect and sometimes __RPZ__.
* __Redirect__ is used when you want to block all subdomains under a TLD, including those that do not exist yet.
* __RPZ__ allows finer tuning: you can apply a policy to each record. Compared to __redirect__, if a record is not covered by an __RPZ__ policy, resolution is provided normally❗️
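The redirect/RPZ distinction above, as an added shell example that is not one of the repository's scripts: it builds both artefacts from plain domain lists so the two behaviours can be compared side by side. The config paths, the zone name `rpz.local` and the `0.0.0.0` redirect target are assumptions.

```shell
#!/bin/sh
# Added example, not one of the repository's scripts: it builds the two blocking
# mechanisms the README contrasts from plain domain lists. Unbound "redirect"
# local-zones cover a whole TLD (names that do not exist yet included); an RPZ
# zone applies one policy record per name and leaves unlisted names resolvable.
# Paths, the zone name "rpz.local" and the 0.0.0.0 target are assumptions.
# Wiring in unbound.conf (respip must be in module-config, as the README says):
#   include: "/var/unbound/etc/redirect.conf"
#   rpz:
#       name: "rpz.local"
#       zonefile: "/var/unbound/etc/rpz.local.zone"
#       rpz-log: yes

# Emit a redirect local-zone per TLD. Unbound answers the zone and every name
# beneath it with the zone's own local-data, so *.tld is covered wholesale.
build_redirect_conf() {
    # $1: file with one TLD per line; blank lines and '#' comments are skipped
    while IFS= read -r tld; do
        case "$tld" in ''|'#'*) continue ;; esac
        tld=${tld%.}
        printf 'local-zone: "%s." redirect\n' "$tld"
        printf 'local-data: "%s. A 0.0.0.0"\n' "$tld"
    done < "$1"
}

# Emit an RPZ zone. "CNAME ." is the RPZ NXDOMAIN action; the wildcard record
# extends it to subdomains. Anything not listed is answered normally.
build_rpz_zone() {
    # $1: file with one domain per line; $2: SOA serial (bump on every rebuild)
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. root.localhost. %s 3600 900 604800 300\n' "$2"
    printf '@ IN NS localhost.\n'
    while IFS= read -r domain; do
        case "$domain" in ''|'#'*) continue ;; esac
        domain=${domain%.}
        printf '%s CNAME .\n' "$domain"
        printf '*.%s CNAME .\n' "$domain"
    done < "$1"
}

# Constructed sample input, written to a temp dir so the script runs offline.
demo() {
    d=$(mktemp -d)
    printf 'tk\nml.\n' > "$d/tlds.txt"
    printf '# constructed sample\nbad.example\nphish.example.\n' > "$d/domains.txt"
    build_redirect_conf "$d/tlds.txt"
    build_rpz_zone "$d/domains.txt" "$(date +%Y%m%d%H)"
    rm -r "$d"
}
demo
```

Both outputs should pass `unbound-checkconf` before `rcctl reload unbound`, as in the prerequisites above.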

## Redirect (2d2)
* [2d2-l1s7-8l4ckh4t-001.txt](https://github.com/seheyah/unbound/blob/main/2d2-l1s7-8l4ckh4t-001.txt)

This list is a redirect receiving all TLDs known to be bad.
* [2d2-l1s7-ph15h1n9-003.txt](https://github.com/seheyah/unbound/blob/main/2d2-l1s7-ph15h1n9-003.txt)

This list is a redirect receiving all TLDs coming from 🇫🇷 SMS services that are not listed in __2d2-l1s7-ph15h1n9-001.txt__.

## RPZ (2pz)
* [2pz-l1s7-71k70k-001.txt](https://github.com/seheyah/unbound/blob/main/2pz-l1s7-71k70k-001.txt)

This list is an RPZ disabling all T1kT0k.
* [2pz-l1s7-8l4ckh4t-001.txt](https://github.com/seheyah/unbound/blob/main/2pz-l1s7-8l4ckh4t-001.txt)

This list is an RPZ of sources not present in the malware RPZ.
* [2pz-l1s7-d0h-001.txt](https://github.com/seheyah/unbound/blob/main/2pz-l1s7-d0h-001.txt)

This list is an RPZ with "famous" DoH resolvers.

## Script
* [unbound-2d2-l1s7-ph15h1n9-001.sh](https://github.com/seheyah/unbound/blob/main/unbound-2d2-l1s7-ph15h1n9-001.sh)

This script downloads and formats the __redirect__ file coming from [Red Flag Domains](https://red.flag.domains).

💡 A __@daily__ crontab entry is quite enough.

* [unbound-2pz-l1s7-48u53-001.sh](https://github.com/seheyah/unbound/blob/main/unbound-2pz-l1s7-48u53-001.sh)

This script downloads and formats the __RPZ__ file coming from [Abuse](https://urlhaus.abuse.ch/downloads/rpz).

💡 A __@daily__ crontab entry is quite enough.

## Blueteam - Check new settings
You can test your Unbound server configuration here:
* [1.1.1.1](https://1.1.1.1/help)

🐡 Have fun!