NSA blocklist is separated from malicious blocklist

Dockerfile

@@ -14,13 +14,14 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
       org.label-schema.docker.cmd="docker run -d -p 53:53/udp qmcgaw/cloudflare-dns-server" \
       org.label-schema.docker.cmd.devel="docker run -it --rm -p 53:53/udp -e VERBOSITY=3 -e VERBOSITY_DETAILS=3 -e BLOCK_MALICIOUS=off qmcgaw/cloudflare-dns-server" \
       org.label-schema.docker.params="VERBOSITY=from 0 (no log) to 5 (full debug log) and defaults to 1,VERBOSITY_DETAILS=0 to 4 and defaults to 0 (higher means more details),BLOCK_MALICIOUS='on' or 'off' and defaults to 'on' (note that it consumes about 50MB of additional RAM),LISTENING_PORT=1 to 65535 for internal Unbound listening port,PROVIDER=CLOUDFLARE or GOOGLE or QUAD9 or QUADRANT or CLEANBROWSING" \
-      image-size="17MB" \
+      image-size="20.8MB" \
       ram-usage="13.2MB to 70MB" \
       cpu-usage="Low"
 EXPOSE 53/udp
 ENV VERBOSITY=1 \
     VERBOSITY_DETAILS=0 \
     BLOCK_MALICIOUS=on \
+    BLOCK_NSA=off \
     LISTENINGPORT=53 \
     PROVIDER=cloudflare
 ENTRYPOINT /etc/unbound/entrypoint.sh
@@ -35,15 +36,18 @@ RUN apk --update --no-cache --progress -q add ca-certificates unbound bind-tools
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
     cd /tmp && \
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \
+    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \
     while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
     while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \
     tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
+    while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames && \
+    tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
     rm -f /tmp/*
 COPY unbound.conf entrypoint.sh /etc/unbound/
 RUN chown nonrootuser -R /etc/unbound && \
     chmod 700 /etc/unbound && \
     chmod 600 /etc/unbound/unbound.conf && \
     chmod 500 /etc/unbound/entrypoint.sh && \
-    chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/blocks-malicious.bz2
+    chmod 400 /etc/unbound/root.hints /etc/unbound/root.key /etc/unbound/*.bz2
 USER nonrootuser

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Quentin McGaw
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -24,14 +24,14 @@
 
 | Image size | RAM usage | CPU usage |
 | --- | --- | --- |
-| 17MB | 13.2MB to 70MB | Low |
+| 20.8MB | 13.2MB to 70MB | Low |
 
 It is based on:
 
 - [Alpine 3.9](https://alpinelinux.org)
-- [Unbound 1.8.3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/unbound)
+- [Unbound 1.8.3](https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/unbound)
 - [Files and lists built periodically](https://github.com/qdm12/updated/tree/master/files)
-- [bind-tools](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/bind-tools) for the healthcheck with `nslookup duckduckgo.com 127.0.0.1`
+- [bind-tools](https://pkgs.alpinelinux.org/package/v3.9/main/x86_64/bind-tools) for the healthcheck with `nslookup duckduckgo.com 127.0.0.1`
 
 It also uses DNS rebinding protection and DNSSEC Validation:
 
@@ -78,6 +78,7 @@ More environment variables are described in the [environment variables](#environ
 | `VERBOSITY` | `1` | From 0 (no log) to 5 (full debug log) |
 | `VERBOSITY_DETAILS` | `0` | From 0 to 4 and defaults to 0 (higher means more details) |
 | `BLOCK_MALICIOUS` | `on` | `on` or `off`. It blocks malicious IP addresses and malicious hostnames from being resolved. Note that it consumes about 50MB of additional RAM. |
+| `BLOCK_NSA` | `off` | `on` or `off`. It blocks NSA hostnames from being resolved. |
 | `LISTENINGPORT` | `53` | UDP port on which the Unbound DNS server should listen to (internally) |
 | `PROVIDER` | `cloudflare` | DNS-over-TLS provider. It can be: `google`, `quad9`, `quadrant`, `cleanbrowsing` |
 
@@ -117,7 +118,7 @@ For *docker-compose.yml*:
 version: '3'
 services:
   test:
-    image: alpine:3.8
+    image: alpine:3.9
     network_mode: bridge
     dns:
       - 127.0.0.1

docker-compose.yml

@@ -8,6 +8,7 @@ services:
       - VERBOSITY=1
       - VERBOSITY_DETAILS=0
       - BLOCK_MALICIOUS=on
+      - BLOCK_NSA=off
       - LISTENINGPORT=53
       - PROVIDER=cloudflare
     ports:

entrypoint.sh

@@ -36,6 +36,10 @@ if [ "$BLOCK_MALICIOUS" != "on" ] && [ "$BLOCK_MALICIOUS" != "off" ]; then
   printf "Environment variable BLOCK_MALICIOUS=$BLOCK_MALICIOUS must be 'on' or 'off'\n"
   exit 1
 fi
+if [ "$BLOCK_NSA" != "on" ] && [ "$BLOCK_NSA" != "off" ]; then
+  printf "Environment variable BLOCK_NSA=$BLOCK_NSA must be 'on' or 'off'\n"
+  exit 1
+fi
 if [ -z $(echo $LISTENINGPORT | grep -E '^[0-9]+$') ] || [ $LISTENINGPORT -lt 1 ] || [ $LISTENINGPORT -gt 65535 ]; then
   printf "Environment variable LISTENINGPORT=$LISTENINGPORT must be a positive integer between 1 and 65535\n"
   exit 1
@@ -89,6 +93,16 @@ if [ "$BLOCK_MALICIOUS" = "on" ]; then
 else
   echo "" > /etc/unbound/blocks-malicious.conf
 fi
+printf "NSA hostnames blocking is $BLOCK_NSA\n"
+if [ "$BLOCK_NSA" = "on" ]; then
+  tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/
+  printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n"
+  cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf
+  rm /etc/unbound/blocks-nsa.conf
+  sort -u /etc/unbound/blocks-malicious.conf > /etc/unbound/temp
+  rm /etc/unbound/blocks-malicious.conf
+  mv /etc/unbound/temp /etc/unbound/blocks-malicious.conf
+fi
 unbound -d $ARGS
 status=$?
 printf "\n =========================================\n"