adblock plugin #229
Comments
This does already work with OpenDNS, the Web Proxy (https://docs.opnsense.org/manual/how-tos/proxywebfilter.html), ICAP and many other ways. There is also a script working with OPNsense somewhere around.
This question is for development purposes, as I may be interested in stepping in. I understand that proxies already support banlists. It is also possible to create a list of hosts and implement it at the packet filtering level (pf). I was wondering about a DNS-only approach (lying DNS), as it proves to work pretty well with little computing burden. This is how it is done in LEDE (the OpenWRT reboot). At present (2017), all ads are pointing to fully-qualified hostnames. None of them are pointing to IPs, either v4 or v6. This is why the DNS approach seems good enough. The script works in conjunction with dnsmasq or unbound. I might be wrong, but I think this is the right approach until ads have public IPs and not FQDNs. Furthermore, when you think of a proxy, you need to use a transparent/reverse one to make sure that all traffic actually goes through the proxy. With lying DNS, you can make sure that no ad, whether using a direct or proxy connection, goes through. Please make any comment that might save my future development time ...
I am catching up: Unfortunately, a private company will not want to leak its DNS. But this is basically what I am looking for, so I will enquire more. Any comments are welcome.
I found the script working on OPNsense:
Indeed, adblock.sh could be easily ported to OPNsense. The banlist can be fetched from: I will try first to implement it as an IP banlist to see if my firewall 'survives' 100.000 entries.
Most blacklists need to be processed using a regex. Example from: 'securemecca'. I am opening a separate ticket on opnsense core.
There is no regular expression required. So theoretically this would work without a regular expression.
Sounds very easy, you are right. I opened this issue to ask the core team what they are waiting for: Then, I can start my own dev.
The original link seems to be down, but I managed to grab a copy of the https://gist.github.com/phedoreanu/0f28594b17caa7cb6da0ef235d16a1f4 |
@ffries Not sure if it's of any use for this issue, but an FYI can't hurt: yesterday I stumbled upon https://pi-hole.net/. It seems like they use a DNS-based approach, along with an (optional?) web server for statistics, graphs and some settings.
Ok, not the best, but I have done the following to get something basic working for me. Obviously work needs to be done on reporting and putting config into the GUI (I'm not a developer so can't help out there). But I was thinking the lists in the script could be brought into the GUI as options.

Via CLI:

# Update some of the variables to reflect the OPNsense locations
# How to restart unbound in OPNsense??

The next section is manual:

# Download files
# Set permissions, not 100% sure this is actually required, and could add it to the actual script if it is
# These seds are not required if removing the "Someone Who Cares" entry (comments cause issues)
# Add to the advanced section of unbound in the GUI (save and reload)
# Set up a cron job via the GUI, once daily

The above may be useful or not, and I am sure there are more efficient ways to do this, thanks
Jumped the gun on the cron job via the GUI, had to do the following:

Create the file "/root/dns-unbound-blocklist-downloader.sh" and add the below to it:

#!/bin/sh

Mark the script as executable.

Create the file "/usr/local/opnsense/service/conf/actions.d/actions_dnsblacklistupdates.conf" and put the following into it:

[start]

Restart configd.

At this point you should be able to go into the GUI to set the daily cron job.
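As an added example (not from this thread, the LEDE adblock script, or OPNsense itself), here is the conversion step the procedure above depends on: a POSIX sh function that turns a hosts-format blocklist into unbound local-zone entries, stripping the trailing comments mentioned above, dropping localhost entries and duplicates. The sample list, the example.com/example.net names and the `always_nxdomain` zone type are assumptions (older unbound versions can use the `static` type instead); the output is what would go into the unbound advanced section or an included config file.

```shell
#!/bin/sh
# Convert a hosts-format blocklist into unbound "lying DNS" local-zone lines.

# Constructed sample input (not a real list): hosts-style entries with the
# comment, whitespace and duplicate variations that break naive conversion.
SAMPLE_HOSTS='# Sample blocklist (constructed for this example)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0   tracker.example.net   # trailing comment
0.0.0.0 ads.example.com
::1 localhost
   
127.0.0.1 metrics.example.org'

# hosts_to_unbound: read hosts lines on stdin, write unbound local-zone
# lines on stdout. Only lines whose address is a sinkhole address
# (0.0.0.0, 127.0.0.1, :: or ::1) are used; everything else is ignored.
hosts_to_unbound() {
    # Drop comments (full-line and trailing) and trailing whitespace first,
    # so awk only ever sees "<addr> <host> [<host>...]" or an empty line.
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' \
    | awk '
        NF >= 2 && $1 ~ /^(0\.0\.0\.0|127\.0\.0\.1|::1?)$/ {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # Never sinkhole the local names most hosts files start with.
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "broadcasthost" || h == "local") continue
                # One entry per name, even if the list repeats it.
                if (!(h in seen)) {
                    seen[h] = 1
                    printf "local-zone: \"%s.\" always_nxdomain\n", h
                }
            }
        }'
}

# Demonstration on the constructed sample. On a real firewall the input
# would come from a fetched list, e.g. (assumed path):
#   fetch -qo - "$LIST_URL" | hosts_to_unbound > /var/unbound/adblock.conf
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_unbound
```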
We might close this one too; we have the BIND plugin with DNSBL and soon support within Unbound (#808).
Dear Friends,
Lede offers this marvelous plugin:
https://github.com/openwrt/packages/tree/lede-17.01/net/adblock/files
It works very well and wipes all ads without breaking applications.
The adblock plugin relies on a single bash script:
https://github.com/openwrt/packages/blob/lede-17.01/net/adblock/files/adblock.sh
It is compatible with dnsmasq and unbound and relies on "lying DNS".
I am aware that it is possible to integrate DNSBLs in a proxy, but here the solution is lean and simple, so I wonder whether this script could be distributed and adapted for opnsense.
Kind regards,
Frenc Fries