This post records my Pi-hole and Unbound settings, partly as a memo to myself.
Pi-hole adlists
Pi-hole can be strengthened by adding your own ad blocklists.
They are managed at http://(Pi-hole IP):(port)/admin/groups-adlists.php.
Enter a blocklist URL in the Address field and press Add to register it.
The adlists I have collected are listed below. They are laid out so that the whole set can be copied and pasted into the Address field in one go.
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://warui.intaa.net/adhosts/hosts_lb.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&mimetype=plaintext https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt https://raw.githubusercontent.com/eEIi0A5L/adblock_filter/master/kame_filter.txt https://zonefiles.io/f/compromised/domains/full/ https://zonefiles.io/f/compromised/ip/live/ https://hosts.oisd.nl/ https://adaway.org/hosts.txt https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt https://sebsauvage.net/hosts/hosts https://warui.intaa.net/adhosts/hosts.txt https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt https://blocklistproject.github.io/Lists/abuse.txt https://blocklistproject.github.io/Lists/ads.txt https://blocklistproject.github.io/Lists/drugs.txt https://blocklistproject.github.io/Lists/malware.txt https://blocklistproject.github.io/Lists/phishing.txt https://blocklistproject.github.io/Lists/ransomware.txt https://blocklistproject.github.io/Lists/redirect.txt https://blocklistproject.github.io/Lists/scam.txt https://blocklistproject.github.io/Lists/tracking.txt https://bit.ly/PiHoleHostBlock https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts https://v.firebog.net/hosts/static/w3kbl.txt https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts https://winhelp2002.mvps.org/hosts.txt https://v.firebog.net/hosts/neohostsbasic.txt https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt https://v.firebog.net/hosts/AdguardDNS.txt https://v.firebog.net/hosts/Admiral.txt https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt 
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt https://v.firebog.net/hosts/Easylist.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts https://v.firebog.net/hosts/Easyprivacy.txt https://v.firebog.net/hosts/Prigent-Ads.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt https://v.firebog.net/hosts/Prigent-Crypto.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt https://phishing.army/download/phishing_army_blocklist_extended.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt https://v.firebog.net/hosts/RPiList-Malware.txt https://v.firebog.net/hosts/RPiList-Phishing.txt https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
https://urlhaus.abuse.ch/downloads/hostfile/ https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt https://v.firebog.net/hosts/Prigent-Malware.txt https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list https://v.firebog.net/hosts/Prigent-Adult.txt https://hostsfile.mine.nu/hosts0.txt https://hostsfile.org/Downloads/hosts.txt https://v.firebog.net/hosts/Kowabit.txt https://adblock.mahakala.is/ https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/6b8c2411f22dda68b0b41757aeda10e50717a802/TOP_EU_US_Ads_Trackers_HOST https://raw.githubusercontent.com/tg12/pihole-phishtank-list/master/list/phish_domains.txt https://raw.githubusercontent.com/HorusTeknoloji/TR-PhishingList/master/url-lists.txt https://raw.githubusercontent.com/Cats-Team/AdRules/main/dns.txt https://raw.githubusercontent.com/neodevpro/neodevhost/master/host https://raw.githubusercontent.com/neodevpro/neodevhost/master/lite_host https://raw.githubusercontent.com/5-whys/adh-rules/main/rules/output_full.txt https://raw.githubusercontent.com/xndeye/adblock_list/main/rule/all.txt https://raw.githubusercontent.com/cenk/bad-hosts/main/hosts
... I'll stop around here.
People say Pi-hole gets heavy as the adlists grow, but in my case it runs happily on a ConoHa VPS with 512 MB of RAM and one core.
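The lists above mix formats: most are hosts files, some are bare domain lists, and the pgl.yoyo.org entry is requested in AdBlock Plus format. The following is an added example written for this post (it is not code from the original post or from Pi-hole) that normalizes such lists into one deduplicated domain set, reports which format each line was in, measures overlap between lists, and drops repeated adlist URLs. The list names, list contents and the helper names parse_line, normalize and dedupe_urls are constructed for illustration; only Pi-hole's gravity update fetches the real lists.

```python
"""Normalize Pi-hole adlists of mixed formats into one domain set.

Added example for this post, not Pi-hole's own gravity code. The sample
list contents below are constructed, not fetched. Three line formats are
assumed: hosts format ("0.0.0.0 example.com"), bare domain lists, and
AdBlock Plus style ("||example.com^"). Comments (# or !) are ignored.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Syntactically valid hostname: dotted labels, TLD starting with a letter
# (so bare IPv4 addresses such as 192.168.1.10 are not accepted as names).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)
# ABP hostname rule without wildcards or options: ||name^
_ABP_RE = re.compile(r"^\|\|([^/^$*]+)\^$")
# Sink addresses used by hosts-format lists; the name after them is the block target.
_SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_line(line: str) -> Tuple[str, str]:
    """Return (format, domain) for one list line, or ("skip", "") if ignored.

    Formats: "hosts" (sink address + name), "domain" (bare name), "abp" (||name^).
    Entries such as "127.0.0.1 localhost" are skipped because "localhost" is not
    a dotted name; only the first name on a hosts line is taken.
    """
    line = line.split("#", 1)[0].strip().lower()
    if not line or line.startswith("!"):
        return ("skip", "")
    m = _ABP_RE.match(line)
    if m:
        return ("abp", m.group(1)) if _DOMAIN_RE.match(m.group(1)) else ("skip", "")
    parts = line.split()
    if len(parts) >= 2 and parts[0] in _SINK_ADDRS:
        return ("hosts", parts[1]) if _DOMAIN_RE.match(parts[1]) else ("skip", "")
    if len(parts) == 1 and _DOMAIN_RE.match(parts[0]):
        return ("domain", parts[0])
    return ("skip", "")


def normalize(lists: Dict[str, Iterable[str]]) -> Tuple[Set[str], Dict[str, int], Dict[str, Set[str]]]:
    """Merge lists into one domain set. Also return a per-format line count and
    the per-list domain sets, so overlap between lists can be measured."""
    merged: Set[str] = set()
    fmt_counts: Dict[str, int] = {}
    per_list: Dict[str, Set[str]] = {}
    for name, lines in lists.items():
        per_list[name] = set()
        for raw in lines:
            fmt, dom = parse_line(raw)
            fmt_counts[fmt] = fmt_counts.get(fmt, 0) + 1
            if fmt != "skip":
                per_list[name].add(dom)
                merged.add(dom)
    return merged, fmt_counts, per_list


def dedupe_urls(urls: Iterable[str]) -> List[str]:
    """Drop repeated adlist URLs, keeping first-seen order."""
    seen: Set[str] = set()
    out: List[str] = []
    for u in urls:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


# Constructed sample contents standing in for three lists of different formats.
SAMPLE_LISTS = {
    "hosts-style": [
        "# Title: constructed hosts list",
        "127.0.0.1 localhost",
        "0.0.0.0 ads.example.com",
        "0.0.0.0 tracker.example.net  # trailing comment",
        "0.0.0.0 ADS.EXAMPLE.COM",
    ],
    "domain-style": ["ads.example.com", "popads.example.org", "not a domain"],
    "abp-style": [
        "! constructed ABP list",
        "||tracker.example.net^",
        "||*.wild.example^",
        "||banner.example.co.uk^",
    ],
}

if __name__ == "__main__":
    merged, counts, per_list = normalize(SAMPLE_LISTS)
    print("unique domains:", len(merged), sorted(merged))
    print("lines by format:", counts)
    print("hosts/abp overlap:", per_list["hosts-style"] & per_list["abp-style"])
```

Lines the parser cannot classify (wildcard ABP rules, free text) are counted under "skip", so a large skip count for one list is a quick sign that the list is not in a format your resolver understands.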
Unbound configuration
Start with nano /etc/unbound/unbound.conf:
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

#
# local network - DNS Setting
#
# domain name: ***.local
#
server:
    # use all CPUs
    num-threads: 1

    # power of 2 close to num-threads
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

    # more cache memory, rrset=msg*2
    rrset-cache-size: 100m
    msg-cache-size: 50m

    # more outgoing connections
    # depends on number of cores: 1024/cores - 50
    outgoing-range: 950

    # Larger socket buffer. OS may need config.
    so-rcvbuf: 4m

    # Interface setting: listen on all addresses (default route)
    interface: 0.0.0.0

    # Networks allowed to send queries
    #
    # Adjust to your own network
    access-control: 192.168.1.0/24 allow

    # IPv6 is not used
    do-ip6: no

    # Local zone setting
    #
    # local-zone: "***.local." static

    # NS record setting
    #
    # Name server setup
    #
    # primary: ns.~
    # secondary: ns2.~
    # (owner names are redacted here; a local-data record needs its full
    # owner name in front of IN, otherwise unbound-checkconf rejects it)
    local-data: "IN NS ns.***.local."
    local-data: "IN NS ns2.***.local."

    # MX record: mail server
    # Mail server setting
    #
    # mail.~.local.
    local-data: "IN MX 10 mail.***.mydns.jp."

    # A record and PTR record settings
    #
    # A record: forward lookup
    # PTR record: reverse lookup
    #
    # server IP: 192.168.1.10
    local-data: "***.local. IN A 192.168.25.1"
    local-data: "***.local. IN A 192.168.25.1"
    local-data: "***.local. IN A 192.168.25.1"
    local-data: "***.local. IN A 192.168.25.1"
    local-data-ptr: "192.168.25.1 shirakawa.mydns.jp."

# Forwarding setting
#
# Queries not covered by the settings above are sent to Google DNS.
# With this forward-zone Unbound works as a forwarder: it does not resolve
# recursively from the root servers, it asks 8.8.8.8 / 8.8.4.4 instead.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
Plenty of people have published tuned settings, but after trying several, this felt fastest on a 512 MB, 1-core box, so rewriting the file like this should speed things up.
Next, create /etc/unbound/unbound.conf.d/pi-hole.conf with the following:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    # (unbound.conf above sets do-ip6: no for the same server;
    # unbound-checkconf -o do-ip6 prints the value that takes effect)
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small n
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    # (answers pointing into these ranges are dropped: DNS rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
This one should also be fine to copy and paste as-is.
That completes the Pi-hole + Unbound setup.
Finally
There are a few things Pi-hole alone cannot handle; I will cover the other countermeasures next time.
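To check that the two files above (unbound.conf and pi-hole.conf) say what you expect, here is an added example written for this post, not code from the post, from Unbound or from Pi-hole. It parses a minimal Unbound configuration into options, reviews the hardening settings from pi-hole.conf (harden-glue, harden-dnssec-stripped, use-caps-for-id, prefetch, edns-buffer-size), flags the forward-zone from unbound.conf, and shows what the private-address list does by classifying sample answer addresses. The config text and the addresses are constructed to mirror the post's settings; parse_server_options, review_config, private_networks and answer_allowed are names chosen for this example.

```python
"""Review a minimal Unbound configuration laid out like the two files in this
post. Added example for this post, not Unbound's or Pi-hole's code. The config
text and the sample answer addresses below are constructed."""
import ipaddress
from typing import Dict, List

# Options pi-hole.conf sets for hardening, with the value each should carry.
EXPECTED = {
    "harden-glue": "yes",
    "harden-dnssec-stripped": "yes",
    "use-caps-for-id": "no",
    "prefetch": "yes",
}
MAX_EDNS = 1232  # DNS Flag Day 2020 value used in pi-hole.conf


def parse_server_options(text: str) -> Dict[str, List[str]]:
    """Collect 'key: value' lines from all clauses, keeping repeated keys
    (private-address, forward-addr, local-data) as lists in file order.
    Comments after '#' are dropped; clause headers such as 'server:' are skipped."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        key, _, val = line.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip())
    return opts


def review_config(opts: Dict[str, List[str]]) -> List[str]:
    """Return findings: hardening options missing or differing from EXPECTED,
    an EDNS buffer above MAX_EDNS, and the presence of forward-addr (with it
    Unbound forwards instead of resolving recursively from the roots).
    For a repeated single-valued key the last line is the one that counts."""
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = opts.get(key, [None])[-1]
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    buf = opts.get("edns-buffer-size", [None])[-1]
    if buf is None or int(buf) > MAX_EDNS:
        findings.append(f"edns-buffer-size: expected <= {MAX_EDNS}, found {buf}")
    if "forward-addr" in opts:
        findings.append("forward-addr: " + ", ".join(opts["forward-addr"])
                        + " (forwarder mode, not recursive resolution)")
    return findings


def private_networks(opts: Dict[str, List[str]]) -> List:
    """The private-address ranges as ipaddress network objects."""
    return [ipaddress.ip_network(v) for v in opts.get("private-address", [])]


def answer_allowed(ip: str, nets: List) -> bool:
    """True if an answer address would be handed to the client. Unbound drops
    answers inside private-address ranges (DNS rebinding protection) unless the
    name is exempted with private-domain, which this check ignores."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in nets)


# Constructed config mirroring the post's pi-hole.conf plus its forward-zone.
SAMPLE_CONF = """
server:
    interface: 127.0.0.1
    port: 5335
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
"""

# Constructed weaker variant: a 4096-byte EDNS buffer, 0x20 case
# randomization left on, and no harden-glue line at all.
WEAK_CONF = """
server:
    interface: 0.0.0.0
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 4096
    prefetch: yes
"""

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(name, "findings:", review_config(parse_server_options(conf)) or ["none"])
    nets = private_networks(parse_server_options(SAMPLE_CONF))
    for ip in ("203.0.113.10", "192.168.1.5", "fd00::1", "2001:db8::1"):
        print(ip, "allowed" if answer_allowed(ip, nets) else "dropped (private-address)")
```

Run it against your real files by reading them into parse_server_options instead of the constructed strings; the forward-addr finding is informational and tells you whether the box is a forwarder (as the post's unbound.conf makes it) or a recursive resolver.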