blocky

Siehe auch

• AdGuard

• Pi-hole

• Ansible-Rolle blocky:

  https://github.com/Linuxfabrik/lfops/tree/main/roles/blocky

blocky ist ein einzelnes, minimalistisches, in Go geschriebenes Binary ohne Abhängigkeiten, welches ohne Web-GUI daherkommt, und rein auf der Kommandozeile bedient wird. Es eignet sich daher hervorragend für die Automatisierung. Die Konfiguration erfolgt über eine YAML-Datei, in der unter anderem Upstream-DNS-Server angegeben und Deny-Listen definiert werden, die es beziehen soll. Es hat den gleichen Funktionsumfang wie Pi-hole, und bietet unter anderem die modernen verschlüsselnden DNS-Protokolle (DoH und DoT), eine REST-Schnittstelle oder Metriken für Prometheus.

Links:

• Doku: https://0xerr0r.github.io/blocky/latest/

• Download: https://github.com/0xERR0R/blocky/releases

• Source Code: https://github.com/0xERR0R/blocky

Konfiguration

Eine umfangreichere Konfigurationsdatei:

# See https://0xerr0r.github.io/blocky/latest/configuration for details

# basic configuration
minTlsServeVersion: '1.2'
connectIPVersion: 'dual'

# ports configuration
ports:
  dns: 53
  http: 4000

# logging configuration
log:
  level: 'info'
  format: 'text'
  timestamp: false
  privacy: true

# upstreams configuration
upstreams:
  # init strategy
  init:
    strategy: 'fast'
  # upstream groups
  groups:
    default:
      - 'tcp+udp:1.0.0.1'               # cloudflare
      - 'tcp+udp:1.1.1.1'               # cloudflare
      - 'tcp+udp:8.8.4.4'               # google
      - 'tcp+udp:8.8.8.8'               # google
      - 'tcp-tls:fdns1.dismail.de:853'  # DNS-over-TLS server (DoT)
      - 'https://dns.digitale-gesellschaft.ch/dns-query'  # DNS-over-HTTPS (DoH)
  # upstream connection timeout
  timeout: '5s'
  # upstream strategy
  strategy: 'parallel_best'

# custom dns
customDNS:
  customTTL: '8h'
  filterUnmappedTypes: true
  mapping:
    # server network
    host01.example.com: '192.0.2.22'
    host02.example.com: '192.0.2.15'
    host03.example.com: '192.0.2.13'
    host04.example.com: '192.0.2.23'
    host05.example.com: '192.0.2.24'

# blocking and allowlisting - also see https://firebog.net/
blocking:
  # allowlists take precedence
  allowlists:
    allow_urls:
      - |
        *.bit.ly                    # Link Shortener
        *.digitec.ch
        *.galaxus.ch
        *.google.ch
        *.nzz.ch
        analytics.google.com
        www.google.com
  denylists:
    deny_ads:
      - 'https://adaway.org/hosts.txt'
      - 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext'
      - 'https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt'
      - 'https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts'
      - 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
      - 'https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt'
      - 'https://v.firebog.net/hosts/AdguardDNS.txt'
      - 'https://v.firebog.net/hosts/Admiral.txt'
      - 'https://v.firebog.net/hosts/Easylist.txt'
    deny_malicious:
      - 'https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt'
      - 'https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt'
      - 'https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt'
      - 'https://phishing.army/download/phishing_army_blocklist_extended.txt'
      - 'https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts'
      - 'https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt'
      - 'https://urlhaus.abuse.ch/downloads/hostfile/'
      - 'https://v.firebog.net/hosts/Prigent-Crypto.txt'
    deny_maximum:  # a very strict list
      - 'https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts'
    deny_suspicious:
      - 'https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts'
      - 'https://v.firebog.net/hosts/static/w3kbl.txt'
    deny_tracking:
      - 'https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt'
      - 'https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts'
      - 'https://v.firebog.net/hosts/Easyprivacy.txt'
      - 'https://v.firebog.net/hosts/Prigent-Ads.txt'
    deny_other:
      - 'https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser'
  clientGroupsBlock:
    default:
      - 'deny_ads'
    192.0.2.0/24:  # Server
      - 'deny_malicious'
      - 'deny_suspicious'
      - 'deny_other'

Built on 2024-09-19