Pushing a 512MB VPS to its limits and destroying ads, part 3: configuring Pi-hole and Unbound

This blog uses affiliate advertising to introduce products.

This post records the Pi-hole and Unbound configuration, partly as a memo for myself.

Pi-hole adlists

Pi-hole can be strengthened by adding your own adlists. Each adlist is a trusted input: whoever controls a list (or the URL it is fetched from) decides what your network can no longer resolve, so take lists from maintainers you recognize, fetch them over HTTPS, and avoid indirect links such as URL shorteners that hide the real origin.

Manage them at http://(Pi-hole IP):(port)/admin/groups-adlists.php

Enter the adlist URL in the Address field and press Add.

Below are the adlists the author has collected. They are space-separated so that the whole set can be pasted into the Address field in one go.

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://warui.intaa.net/adhosts/hosts_lb.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&mimetype=plaintext https://raw.githubusercontent.com/Yhonay/antipopads/master/popads.txt https://raw.githubusercontent.com/eEIi0A5L/adblock_filter/master/kame_filter.txt https://zonefiles.io/f/compromised/domains/full/ https://zonefiles.io/f/compromised/ip/live/ https://hosts.oisd.nl/ https://adaway.org/hosts.txt https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt https://sebsauvage.net/hosts/hosts https://warui.intaa.net/adhosts/hosts.txt https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt https://blocklistproject.github.io/Lists/abuse.txt https://blocklistproject.github.io/Lists/ads.txt https://blocklistproject.github.io/Lists/drugs.txt https://blocklistproject.github.io/Lists/malware.txt https://blocklistproject.github.io/Lists/phishing.txt https://blocklistproject.github.io/Lists/ransomware.txt https://blocklistproject.github.io/Lists/redirect.txt https://blocklistproject.github.io/Lists/scam.txt https://blocklistproject.github.io/Lists/tracking.txt https://bit.ly/PiHoleHostBlock https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts https://v.firebog.net/hosts/static/w3kbl.txt https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts https://winhelp2002.mvps.org/hosts.txt https://v.firebog.net/hosts/neohostsbasic.txt https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt https://v.firebog.net/hosts/AdguardDNS.txt https://v.firebog.net/hosts/Admiral.txt https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt 
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt https://v.firebog.net/hosts/Easylist.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts https://v.firebog.net/hosts/Easyprivacy.txt https://v.firebog.net/hosts/Prigent-Ads.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt https://v.firebog.net/hosts/Prigent-Crypto.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt https://phishing.army/download/phishing_army_blocklist_extended.txt https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt https://v.firebog.net/hosts/RPiList-Malware.txt https://v.firebog.net/hosts/RPiList-Phishing.txt https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
https://urlhaus.abuse.ch/downloads/hostfile/ https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt https://v.firebog.net/hosts/Prigent-Malware.txt https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list https://v.firebog.net/hosts/Prigent-Adult.txt https://hostsfile.mine.nu/hosts0.txt https://hostsfile.org/Downloads/hosts.txt https://v.firebog.net/hosts/Kowabit.txt https://adblock.mahakala.is/ https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt https://raw.githubusercontent.com/Kees1958/W3C_annual_most_used_survey_blocklist/6b8c2411f22dda68b0b41757aeda10e50717a802/TOP_EU_US_Ads_Trackers_HOST https://raw.githubusercontent.com/tg12/pihole-phishtank-list/master/list/phish_domains.txt https://raw.githubusercontent.com/HorusTeknoloji/TR-PhishingList/master/url-lists.txt https://raw.githubusercontent.com/Cats-Team/AdRules/main/dns.txt https://raw.githubusercontent.com/neodevpro/neodevhost/master/host https://raw.githubusercontent.com/neodevpro/neodevhost/master/lite_host https://raw.githubusercontent.com/5-whys/adh-rules/main/rules/output_full.txt https://raw.githubusercontent.com/xndeye/adblock_list/main/rule/all.txt https://raw.githubusercontent.com/cenk/bad-hosts/main/hosts

……That's about enough for now.
People say that adding more adlists makes Pi-hole heavier, but in my case it runs happily on a 512MB, 1-core ConoHa VPS.
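As an added example (not from the original post and not part of Pi-hole), a small POSIX shell helper that audits such a pasted list before it goes into Pi-hole: it de-duplicates the URLs, flags plain-http URLs and URL shorteners, and can emit INSERT statements for Pi-hole v5's gravity.db. The SQL assumes the v5 `adlist` table (columns `address`, `enabled`, `comment`, with `address` UNIQUE and a trigger that attaches new rows to the default group); the sample list embedded at the bottom is constructed for a dry run.

```shell
#!/bin/sh
# adlist-audit.sh: check a space/newline-separated list of Pi-hole adlist URLs
# before feeding it to Group Management > Adlists (or straight into gravity.db).
# Helper written for this post; it is not part of Pi-hole.

# One URL per line, exact duplicates dropped, first-seen order kept.
normalize_adlists() {
    tr -s ' \t' '\n\n' | sed '/^$/d' | awk '!seen[$0]++'
}

# Flag URLs that deserve a second look and exit 1 if any were found:
#   plain-http : the list can be altered in transit on its way to Pi-hole
#   shortener  : you cannot see who really serves the list, and the target can change
#   not-a-url  : stray token (a typo in the pasted blob)
flag_risky_adlists() {
    awk '
        /^http:\/\//                                                { print "plain-http  " $0; bad = 1; next }
        /^https?:\/\/(bit\.ly|tinyurl\.com|t\.co|goo\.gl|is\.gd)\// { print "shortener   " $0; bad = 1; next }
        !/^https:\/\//                                              { print "not-a-url   " $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Turn a normalized list into INSERT statements for Pi-hole v5's gravity.db
# (assumed schema: adlist(address UNIQUE, enabled, comment, ...); a trigger puts
# new rows into the default group). INSERT OR IGNORE makes re-runs idempotent.
# Apply with:  adlist_sql < list.txt | sudo sqlite3 /etc/pihole/gravity.db && pihole -g
adlist_sql() {
    while IFS= read -r url; do
        case $url in
            *\'*) printf 'skipping URL containing a quote: %s\n' "$url" >&2; continue ;;
        esac
        printf "INSERT OR IGNORE INTO adlist (address, enabled, comment) VALUES ('%s', 1, 'adlist-audit');\n" "$url"
    done
}

# Constructed sample for a dry run: one duplicate (the post's own list repeats the
# disconnect.me URL), one shortener, one plain-http URL on a reserved test domain.
SAMPLE='https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt  https://bit.ly/PiHoleHostBlock http://example.invalid/hosts.txt'

# Usage: adlist-audit.sh list.txt   (or --demo to run against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | normalize_adlists | flag_risky_adlists
elif [ -n "${1:-}" ]; then
    normalize_adlists < "$1" | flag_risky_adlists
fi
```

Run it with `--demo` to see the two flagged entries; with a file argument it audits your own list, and a non-zero exit is the cue to look at the flagged lines before pasting anything into Pi-hole.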


Unbound configuration

Open /etc/unbound/unbound.conf (for example with nano /etc/unbound/unbound.conf) and set it as follows:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

#
#  local network - DNS settings
#
# domain name: ***.local
# Caveat: ".local" is reserved for mDNS (RFC 6762); macOS, Avahi and other
# mDNS-aware clients may never send these names to Unbound at all. A domain
# you own, or ".home.arpa", avoids that.
#
server:
    # one thread: this VPS has a single core
    num-threads: 1

    # power of 2 close to num-threads
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    # more cache memory, rrset=msg*2
    rrset-cache-size: 100m
    msg-cache-size: 50m

    # more outgoing connections
    # depends on number of cores: 1024/cores - 50
    outgoing-range: 950

    # Larger socket buffer.  OS may need config (net.core.rmem_max).
    so-rcvbuf: 4m

    # Listening interfaces. 0.0.0.0 binds every address, which on a public
    # VPS includes the Internet-facing one; once pi-hole.conf is loaded this
    # all ends up on port 5335. access-control only refuses outsiders, it does
    # not hide the port. Pi-hole talks to Unbound over loopback, so 127.0.0.1
    # is enough unless LAN clients are meant to query Unbound directly.
    interface: 0.0.0.0
    # Networks allowed to query. Match this to your actual LAN
    # (the A/PTR records below use 192.168.25.x, not 192.168.1.x).
    access-control: 192.168.1.0/24 allow

    # Do not use IPv6. pi-hole.conf sets do-ip6: yes, but the include: line
    # above is processed first, so this later value is the one that applies.
    do-ip6: no

    # Local zone (static: names not listed below get NXDOMAIN)
    local-zone: "***.local." static

    # NS records for the zone
    #   primary:   ns.***.local.
    #   secondary: ns2.***.local.
    # local-data needs the owner name first; "IN NS ..." on its own is rejected.
    local-data: "***.local. IN NS ns.***.local."
    local-data: "***.local. IN NS ns2.***.local."

    # MX record: mail exchanger for the zone
    local-data: "***.local. IN MX 10 mail.***.mydns.jp."

    # A and PTR records
    #   A   = forward lookup, PTR = reverse lookup
    #   server IP: 192.168.25.1 (one local-data line per host)
    local-data: "***.local. IN A 192.168.25.1"
    local-data-ptr: "192.168.25.1 shirakawa.mydns.jp."

    # Forwarding
    #
    # Everything not answered above is sent to Google DNS. That makes Unbound a
    # caching forwarder, not the recursive resolver a Pi-hole + Unbound setup is
    # usually built for: Google sees every query, in plaintext over UDP/53.
    # Dropping this forward-zone makes Unbound recurse from the root hints. If
    # you keep a forwarder, use DNS over TLS instead, e.g.
    #   forward-tls-upstream: yes
    #   forward-addr: 8.8.8.8@853#dns.google
    # together with tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt".

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4

Various people have put thought into Unbound tuning, but having tried a number of variants, this felt the fastest on 512MB with one core, so rewriting your config to this can speed things up.

Next, create /etc/unbound/unbound.conf.d/pi-hole.conf with:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity. Note that the main
    # unbound.conf sets do-ip6: no after this file has been included, so that
    # value is the one that takes effect; keep the two files consistent.
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    # Pi-hole's guide pairs this with edns-packet-max=1232 in
    # /etc/dnsmasq.d/99-edns.conf so that FTL's dnsmasq uses the same limit.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small
    # networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

This too can be copied and pasted as is, I think.
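Once both files are in place, the point of the exercise can be verified rather than assumed. The following POSIX shell script is an added example (not from the post, and not Pi-hole's or Unbound's own tooling): it classifies dig(1) answers for the two DNSSEC test names the Pi-hole Unbound guide uses (sigok.verteiltesysteme.net must validate, sigfail.verteiltesysteme.net must come back SERVFAIL) and parses ss(8) output to catch the resolver being bound on a non-loopback address, which is what `interface: 0.0.0.0` does on a VPS. The dig and ss samples embedded in it are constructed, abbreviated copies of those tools' output format so the parsing can be exercised offline.

```shell
#!/bin/sh
# unbound-verify.sh: confirm that the Unbound behind Pi-hole validates DNSSEC and is
# only reachable over loopback. Written for this post; not Pi-hole's or Unbound's tooling.
# It only parses standard dig(1) and ss(8) output, so the checks can also run offline.

UNBOUND_IP=127.0.0.1
UNBOUND_PORT=5335

# Classify one dig answer:
#   validated : NOERROR with the AD (authenticated data) flag set
#   bogus     : SERVFAIL, what a validating resolver returns for a broken signature
#   insecure  : NOERROR without AD, i.e. an unsigned zone, or validation is OFF
#   other     : NXDOMAIN, REFUSED, timeout text, ...
dnssec_verdict() {
    _status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | sed -n 1p)
    _flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | sed -n 1p)
    case $_status in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $_flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo other ;;
    esac
}

# From `ss -Hlun` output, print every local address that has UNBOUND_PORT bound and is
# not loopback. Anything printed is reachable from the network: on a public VPS with
# interface: 0.0.0.0 that is the Internet, and access-control only refuses, the port stays open.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v port="$UNBOUND_PORT" '
        {
            addr = $4                               # Local Address:Port column
            if (sub(/:[0-9]+$/, "", addr) == 0) next
            p = substr($4, length(addr) + 2)        # the port after the last colon
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") print addr
        }'
}

# Constructed, abbreviated dig output for the two DNSSEC test names in the Pi-hole guide.
DIG_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23706
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41180
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed `ss -Hlun` output: the loopback listener from pi-hole.conf, the extra
# 0.0.0.0 listener that interface: 0.0.0.0 in unbound.conf adds, and Pi-hole's own port 53.
SS_SAMPLE='UNCONN 0 0   127.0.0.1:5335   0.0.0.0:*
UNCONN 0 0     0.0.0.0:5335   0.0.0.0:*
UNCONN 0 0       0.0.0.0:53   0.0.0.0:*'

# Live check against this box (needs dig and ss): exit 0 only if all three are as expected.
live_check() {
    ok=$(dnssec_verdict "$(dig @"$UNBOUND_IP" -p "$UNBOUND_PORT" +dnssec sigok.verteiltesysteme.net A)")
    bad=$(dnssec_verdict "$(dig @"$UNBOUND_IP" -p "$UNBOUND_PORT" +dnssec sigfail.verteiltesysteme.net A)")
    exposed=$(exposed_listeners "$(ss -Hlun)")
    echo "sigok: $ok (want validated)   sigfail: $bad (want bogus)   exposed on :$UNBOUND_PORT: ${exposed:-none}"
    [ "$ok" = validated ] && [ "$bad" = bogus ] && [ -z "$exposed" ]
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run `sh unbound-verify.sh --live` on the VPS after `systemctl restart unbound`. A result of `insecure` for sigok means Unbound is answering but not validating (check the trust anchor that Debian's dns-root-data package installs); anything listed under `exposed` is a listener that should be closed or bound to loopback.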

That completes the Pi-hole + Unbound environment.

Closing

There are a few things Pi-hole alone cannot handle; the other countermeasures are the subject of the next post.



Licensed under CC BY-NC-SA 4.0
Last updated Aug 16, 2023 12:37 UTC