This post is a memo of the Pi-hole and Unbound settings.
Pi-hole adlists
Pi-hole can be strengthened by adding your own ad lists (adlists).
They are managed at http://(Pi-hole IP):(port)/admin/groups-adlists.php
Enter a list URL under Address and press Add. The field accepts several URLs at once, separated by spaces or commas. Three things are worth checking before pasting a large set: lists written in AdBlock syntax (lines like ||domain^) are only parsed by recent Pi-hole versions and silently ignored by older ones, so compare the domain count gravity reports for such a list against what the file contains; the category lists below (adult, drugs, the multi-party tracker lists) will also block sites you may want, so watch the query log and whitelist after adding them; and one entry below is a bit.ly link, which the shortener account can repoint to a different file at any time, so prefer a list's canonical URL where you can find it.
Below are the adlists I have collected, formatted so they can all be pasted into Address at once.
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://warui.intaa.net/adhosts/hosts_lb.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&mimetype=plaintext https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt https://raw.githubusercontent.com/eEIi0A5L/adblock_filter/master/kame_filter.txt https://zonefiles.io/f/compromised/domains/full/ https://zonefiles.io/f/compromised/ip/live/ https://hosts.oisd.nl/ https://adaway.org/hosts.txt https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt https://sebsauvage.net/hosts/hosts https://warui.intaa.net/adhosts/hosts.txt https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt https://blocklistproject.github.io/Lists/abuse.txt https://blocklistproject.github.io/Lists/ads.txt https://blocklistproject.github.io/Lists/drugs.txt https://blocklistproject.github.io/Lists/malware.txt https://blocklistproject.github.io/Lists/phishing.txt https://blocklistproject.github.io/Lists/ransomware.txt https://blocklistproject.github.io/Lists/redirect.txt https://blocklistproject.github.io/Lists/scam.txt https://blocklistproject.github.io/Lists/tracking.txt https://bit.ly/PiHoleHostBlock https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts https://v.firebog.net/hosts/static/w3kbl.txt https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts https://winhelp2002.mvps.org/hosts.txt https://v.firebog.net/hosts/neohostsbasic.txt https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt https://v.firebog.net/hosts/AdguardDNS.txt https://v.firebog.net/hosts/Admiral.txt https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt 
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt https://v.firebog.net/hosts/Easylist.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts https://v.firebog.net/hosts/Easyprivacy.txt https://v.firebog.net/hosts/Prigent-Ads.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt https://v.firebog.net/hosts/Prigent-Crypto.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt https://phishing.army/download/phishing_army_blocklist_extended.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt https://v.firebog.net/hosts/RPiList-Malware.txt https://v.firebog.net/hosts/RPiList-Phishing.txt https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts 
https://urlhaus.abuse.ch/downloads/hostfile/ https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt https://v.firebog.net/hosts/Prigent-Malware.txt https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list https://v.firebog.net/hosts/Prigent-Adult.txt https://hostsfile.mine.nu/hosts0.txt https://hostsfile.org/Downloads/hosts.txt https://v.firebog.net/hosts/Kowabit.txt https://adblock.mahakala.is/ https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/6b8c2411f22dda68b0b41757aeda10e50717a802/TOP_EU_US_Ads_Trackers_HOST https://raw.githubusercontent.com/tg12/pihole-phishtank-list/master/list/phish_domains.txt https://raw.githubusercontent.com/HorusTeknoloji/TR-PhishingList/master/url-lists.txt https://raw.githubusercontent.com/Cats-Team/AdRules/main/dns.txt https://raw.githubusercontent.com/neodevpro/neodevhost/master/host https://raw.githubusercontent.com/neodevpro/neodevhost/master/lite_host https://raw.githubusercontent.com/5-whys/adh-rules/main/rules/output_full.txt https://raw.githubusercontent.com/xndeye/adblock_list/main/rule/all.txt https://raw.githubusercontent.com/cenk/bad-hosts/main/hosts
...That is probably enough for now.
People say that adding more adlists makes Pi-hole heavy, but in my case it runs happily on a 512 MB, 1-core ConoHa VPS.
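The following is an added example written for this post, not Pi-hole's own gravity code. It does two things a practitioner wants before pasting a wall of URLs: audit_addresses splits an Address string the way the field does, drops repeats and flags entries whose content can be swapped by someone other than the list maintainer (a list fetched over plain HTTP can be altered in transit, and a shortener link can be repointed; a swapped list can blackhole whatever domains the attacker chooses); parse_blocklist is a simplified reimplementation of the line formats gravity extracts domains from (hosts format, bare domains, simple ||domain^ AdBlock rules) and returns everything else as skipped so you can see what a list will not do. Both sample inputs are constructed; the http://lists.example.net entry is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample for the Address field: two real entries from the list
# above, the duplicate that list contains, a hypothetical plain-HTTP entry
# and the bit.ly entry.
SAMPLE_ADDRESSES = (
    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts "
    "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt "
    "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt "
    "http://lists.example.net/hosts "  # hypothetical, not a real list
    "https://bit.ly/PiHoleHostBlock"
)

# Constructed sample list mixing the formats found in the lists above.
SAMPLE_LIST = """\
# hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 tracker.example.net cdn.tracker.example.net
# bare domain format
malware.example.org
! AdBlock-style comment
||popads.example.com^
||fancy.example.com^$third-party
@@||allowed.example.com^
/regex.*pattern/
"""

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+(.+)$")
ABP_LINE = re.compile(r"^\|\|([A-Za-z0-9.-]+)\^$")
DOMAIN_LINE = re.compile(r"^[A-Za-z0-9.-]+$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def audit_addresses(addresses):
    """Split a space/comma separated Address string the way the field does,
    drop repeats, and warn about URLs whose content can be swapped in transit
    or by a third party. Returns (urls, warnings)."""
    seen, urls, warnings = set(), [], []
    for url in re.split(r"[\s,]+", addresses.strip()):
        if not url:
            continue
        if url in seen:
            warnings.append(f"duplicate: {url}")
            continue
        seen.add(url)
        urls.append(url)
        parts = urlsplit(url)
        if parts.scheme != "https":
            warnings.append(f"no TLS, list can be altered in transit: {url}")
        if parts.hostname in SHORTENERS:
            warnings.append(f"shortened URL, target can be repointed: {url}")
    return urls, warnings


def parse_blocklist(text):
    """Extract block domains from hosts-format, bare-domain and simple
    AdBlock-style (||domain^) lines. Anything else (exception rules,
    option-bearing rules, regex lines) is returned in `skipped`."""
    domains, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):   # '!' opens an AdBlock comment
            continue
        m = HOSTS_LINE.match(line)
        if m:
            names = m.group(1).split()          # one hosts line may list several names
        elif ABP_LINE.match(line):
            names = [ABP_LINE.match(line).group(1)]
        elif DOMAIN_LINE.match(line):
            names = [line]
        else:
            skipped.append(raw)
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:         # never blackhole localhost & co.
                domains.append(name)
    return domains, skipped


if __name__ == "__main__":
    urls, warnings = audit_addresses(SAMPLE_ADDRESSES)
    print(f"{len(urls)} unique lists")
    for w in warnings:
        print("warning:", w)
    domains, skipped = parse_blocklist(SAMPLE_LIST)
    print("blocked:", domains)
    print("ignored:", skipped)
```

Running it on the sample shows four unique lists with three warnings, and that the $third-party rule, the @@ exception and the regex line contribute nothing, which is exactly the kind of line an AdBlock-oriented list is full of.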
Unbound settings
Start with /etc/unbound/unbound.conf (nano /etc/unbound/unbound.conf):
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory. They are read at this point, i.e.
# before the server: clause below; unbound merges all server: clauses, and
# for single-value options the last value read wins.
include: "/etc/unbound/unbound.conf.d/*.conf"
#
# local network - DNS settings
#
# domain name: ***.local
#
server:
# one thread on a 1-core VPS (raise to the core count on bigger machines)
num-threads: 1
# power of 2 close to num-threads
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
# more cache memory, rrset=msg*2 (150 MB of cache in total, a large share
# of a 512 MB box; shrink these if unbound gets OOM-killed)
rrset-cache-size: 100m
msg-cache-size: 50m
# more outgoing connections
# depends on number of cores: 1024/cores - 50
outgoing-range: 950
# Larger socket buffer. OS may need config (the net.core.rmem_max sysctl).
so-rcvbuf: 4m
# Listen on every address. On a VPS that includes the public IP: hosts
# outside the access-control allow list get REFUSED answers instead of
# silence. Pi-hole only needs the 127.0.0.1 listener from pi-hole.conf,
# so drop this line unless LAN/VPN clients must reach unbound directly.
interface: 0.0.0.0
# Networks allowed to query (localhost is allowed by default).
#
# Must match the network your clients actually use; note that the
# local-data entries below live in 192.168.25.0/24, which this line does
# not allow.
access-control: 192.168.1.0/24 allow
# no IPv6 (pi-hole.conf sets do-ip6: yes, but this value is read last)
do-ip6: no
# Local zone. "static" answers names not listed below with NXDOMAIN.
# Note that .local is reserved for mDNS (RFC 6762); a different suffix
# avoids clashes with Avahi/Bonjour clients.
local-zone: "***.local." static
# NS records
#
# Every local-data entry is a complete zone-file record and must start
# with the owner name; a bare "IN NS ..." does not say which name it is for.
#
# primary: ns.~
# secondary: ns2.~
local-data: "***.local. IN NS ns.***.local."
local-data: "***.local. IN NS ns2.***.local."
# MX record: mail server
#
# mail.~
local-data: "***.local. IN MX 10 mail.***.mydns.jp."
# A and PTR records
#
# A record: forward lookup
# PTR record: reverse lookup
#
# server IP: 192.168.25.1 (one local-data line per host name)
local-data: "***.local. IN A 192.168.25.1"
local-data-ptr: "192.168.25.1 shirakawa.mydns.jp."
# Forwarding
#
# Everything not answered above is sent to Google DNS. This is the
# opposite of the usual Pi-hole + Unbound design, where unbound recurses
# from the root servers itself: with this clause Google sees every
# uncached query, in plaintext on port 53. Remove the forward-zone to
# recurse, or keep it only if forwarding is what you actually want.
forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4
Various people have published tuned settings, but after trying several of them this felt fastest on 512 MB / 1 core, so rewriting to this can speed things up.
Next, /etc/unbound/unbound.conf.d/pi-hole.conf:
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity. Note that the main
# unbound.conf above sets do-ip6: no after this file has been included,
# so that value is the one that takes effect unless you change it there.
do-ip6: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
I think this can also be copied and pasted as is.
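As an added example (not from this post and not an unbound tool), the lint below reads trimmed copies of the two fragments above in the order unbound reads them (the include: line pulls pi-hole.conf in before the main server: clause) and reports what a reviewer would flag: the do-ip6 value set in one file and silently overridden in the other, the local-data record that lacks an owner name, the 0.0.0.0 listener that exposes port 5335 on the VPS's public address, the forward-zone that sends queries to 8.8.8.8 in plaintext, and the mismatch between the access-control subnet and the subnet the local-data names point into. The config strings are constructed from the post's settings with the same redacted ***.local name; the finding texts are my own wording.

```python
import ipaddress
import re

# Constructed sample: the two fragments from this post, trimmed to the
# directives the checks below look at (names keep the post's "***.local").
MAIN_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    do-ip6: no
    local-zone: "***.local." static
    local-data: "IN NS ns.***.local."
    local-data: "***.local. IN A 192.168.25.1"
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
"""
PIHOLE_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: yes
    private-address: 192.168.0.0/16
"""

# single-value server: options where a later assignment replaces an earlier one
SCALAR = {"port", "do-ip6", "num-threads", "verbosity", "so-rcvbuf"}
PAIR_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse(text, origin):
    """Yield (clause, key, value, origin) for each directive, comments stripped."""
    clause = None
    for raw in text.splitlines():
        m = PAIR_RE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.groups()
        if value == "":            # "server:" / "forward-zone:" open a clause
            clause = key
            continue
        yield clause, key, value.strip('"'), origin


def lint(fragments):
    """fragments: [(text, origin)] in the order unbound reads them; an
    include: line pulls the included file in at that point, so pi-hole.conf
    comes before the main server: clause here. Returns a list of findings."""
    findings, scalars = [], {}
    interfaces, allowed, a_records, fwd_addrs, fwd_tls = [], [], [], [], False
    for text, origin in fragments:
        for clause, key, value, src in parse(text, origin):
            if clause == "server" and key in SCALAR:
                prev = scalars.get(key)
                if prev and prev[0] != value:
                    findings.append(f"{key}: '{prev[0]}' in {prev[1]} overridden by "
                                    f"'{value}' in {src} (last value read wins)")
                scalars[key] = (value, src)
            elif key == "interface":
                interfaces.append(value.split("@")[0])   # allow "addr@port" form
            elif key == "access-control":
                net, action = value.split()
                if action == "allow":
                    allowed.append(ipaddress.ip_network(net, strict=False))
            elif key == "local-data":
                tokens = value.split()
                # A local-data RR is a zone-file record and must start with the
                # owner name; a leading class keyword means the name is missing.
                if tokens[0].upper() in ("IN", "CH", "HS"):
                    findings.append(f"local-data without owner name: {value}")
                elif "A" in tokens:
                    a_records.append(ipaddress.ip_address(tokens[-1]))
            elif key == "forward-addr":
                fwd_addrs.append(value)
            elif key == "forward-tls-upstream":
                fwd_tls = value == "yes"
    if any(i in ("0.0.0.0", "::", "::0") for i in interfaces):
        port = scalars.get("port", ("53", None))[0]
        findings.append(f"interface 0.0.0.0 binds port {port} on every address, the public "
                        "one included; sources outside access-control still get REFUSED replies")
    if fwd_addrs and not fwd_tls:
        findings.append("forward-zone to " + ", ".join(fwd_addrs) + " without "
                        "forward-tls-upstream: queries leave in plaintext and unbound never recurses")
    for ip in a_records:
        if allowed and not any(ip in net for net in allowed):
            findings.append(f"local-data points at {ip}, which no access-control allow "
                            f"covers ({', '.join(map(str, allowed))})")
    return findings


if __name__ == "__main__":
    for f in lint([(PIHOLE_CONF, "pi-hole.conf"), (MAIN_CONF, "unbound.conf")]):
        print("-", f)
```

The parser is deliberately minimal (one directive per line, no nested include handling); it exists to make the read order and the last-value-wins rule visible, which is what bites when a pi-hole.conf is dropped next to a hand-tuned unbound.conf.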
Before calling the Pi-hole + Unbound environment ready, wire the two together. Run unbound-checkconf, restart unbound (sudo systemctl restart unbound), then in Pi-hole's web UI open Settings > DNS, untick the preset upstream servers and enter 127.0.0.1#5335 as Custom 1 (IPv4). Check that unbound answers with dig pi-hole.net @127.0.0.1 -p 5335 (status NOERROR), and that DNSSEC validation is active with the public test names: dig fail01.dnssec.works @127.0.0.1 -p 5335 should return SERVFAIL and dig dnssec.works @127.0.0.1 -p 5335 should return NOERROR with the ad flag set. The Pi-hole documentation also recommends matching FTL's EDNS size to unbound's by creating /etc/dnsmasq.d/99-edns.conf containing the single line edns-packet-max=1232. With that, the Pi-hole + Unbound environment is ready.
Finally
There are some things that Pi-hole alone cannot deal with; the other countermeasures will be covered next time.
