Local Area Network wide ablocking

They do not want you to know this, but there’s something called “adblocking”, which consists on blocking ads so they do not bother you while browsing the internet. This has many advantages such as a less dystopic experience of the internet and a faster website loading because you literally cannot load the ads. There are, as far as I’m concerned, two ways of adblocking, the simple and the complex. the simple is basically installing ublock origin from your browser’s webstore and call it a day. The other is to setup a Linux or BSD server so you can install Unbound on it and configure it in a way that it blocks all the domains that websites use to load ads. As you can see, there’s a long road between the former and the later.

This post will redact my experiences doing the complex solution. I use OpenBSD with an apparently incompatible wireless network card. So I could not do the correct thing to do, which is to setup a router whose DHCP daemon sets the default DNS server to the address of the router, which runs this cool unbound that blocks ads.

Installing unbound

As mentioned before, I’m running OpenBSD in my server, OpenBSD comes with unbound preinstalled I did not have to do anything, Linux users probably can install unbound with the default package manager.

Configuring unbound

There’s this cool tutorial on how to setup an adblocking local DNS server under FreeBSD, this guide uses a script that generates a DNS list with hosts to be blocked. But as I’m a good person I’ve uploaded the resulting file to my server so you can just download it.

Then, you have to edit the unbound config file, under OpenBSD it is in /var/unbound/etc/unbound.conf like this:

server:
     # Bind to localhost and external address
     interface: 127.0.0.1
     interface: 192.168.1.57
     interface: ::1
     # Allow requests from the LAN and the localhost
     access-control: 0.0.0.0/0 refuse
     access-control: 192.168.0.0/16 allow
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1 allow
     # Security reasons
     hide-identity: yes
     hide-version: yes

     # Perform DNSSEC validation.
     #
     auto-trust-anchor-file: "/var/unbound/db/root.key"
     val-log-level: 2

     # Synthesize NXDOMAINs from DNSSEC NSEC chains.
     # https://tools.ietf.org/html/rfc8198
     #
     aggressive-nsec: yes

# Bind the remote control socket to a UNIX socket so only the server
# can control it
remote-control:
     control-enable: yes
     control-interface: /var/run/unbound.sock

# The file you got
include: /var/unbound/etc/blocklist.conf

After doing this, unbound should be ready to run and can be started with rcctl enable unbound && rcctl start unbound

Configuring devices to use the DNS server

As mentioned before, the correct way to do this is to setup the machine as a router, my T400 has an intel card that does not support OpenBSD too good, I still like my T400 despite its handicap, a workaround for this is to setup in each device you want to connect to your LAN. So basically you have to know how to setup a static IP address. The most basic configuration for a static IP address that should work in a normal scenario is the following:

address: 192.168.1.whatever
mask:   255.255.0.0 (or 255.255.255.0 if that doesn't work)
gateway: 192.168.1.1 (or 192.168.0.0, depending on your router)
dns server: the ip address of your server running unbound