Sinkhole
Unbound as DNS Sinkhole
Inspired by the popular pi-hole project, which sends advertisements and tracking scripts into oblivion, I decided to roll my own solution as an educational exercise. The first place to look was a DNS server. dnsmasq is a common choice for this kind of task, but I noticed that FreeBSD ships with the Unbound DNS server installed by default. As I like to keep my system as clean as possible, I decided to use that one.

Below is the config file used for the Unbound DNS server; the important lines are the local-zone: lines. These tell the server to return NXDOMAIN, which stands for non-existent domain, for the listed names. Another approach frequently seen on the internet is to return 127.0.0.1 instead of NXDOMAIN; the downside of that solution is that the client will then make an additional request to 127.0.0.1 to find the data it was looking for. With the local-zone: approach any subdomains of a blocked name are automatically blocked as well. Any non-blocked DNS queries are forwarded to the upstream DNS servers listed in the forward-zone.
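As an added example (not the config from this post), the following script turns a hosts-style blocklist into Unbound local-zone: lines using the always_nxdomain zone type, drops names already covered by a blocked parent zone, and includes a small matcher that mirrors how a local-zone covers its subdomains. The blocklist text is constructed for the example; the file path and zone type are my choices, not the author's.

```python
"""Generate Unbound sinkhole config from a hosts-style blocklist (added example)."""
import re

# Constructed sample blocklist in the hosts-file style that pi-hole lists use.
BLOCKLIST = """\
# sample list
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net   # trailing comment
0.0.0.0 localhost
"""

# Conservative hostname syntax check so a malformed list cannot break the config.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)
# Names that hosts files commonly carry but must never be sinkholed.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_blocklist(text):
    """Return the set of domain names to block (handles hosts-style and bare-name lines)."""
    zones = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        name = (fields[1] if len(fields) >= 2 else fields[0]).lower().rstrip(".")
        if name in SKIP or not HOSTNAME_RE.match(name):
            continue
        zones.add(name)
    return zones


def prune_redundant(zones):
    """Drop names whose parent is already blocked; local-zone covers subdomains anyway."""
    keep = set()
    for z in sorted(zones, key=lambda n: n.count(".")):  # parents first
        if not any(z.endswith("." + k) for k in keep):
            keep.add(z)
    return keep


def render_config(zones):
    """Emit a server: block with one always_nxdomain local-zone per name."""
    lines = ["server:"] + [f'    local-zone: "{z}." always_nxdomain' for z in sorted(zones)]
    return "\n".join(lines) + "\n"


def is_sinkholed(qname, zones):
    """Mirror local-zone matching: a query is blocked if it is a zone or lies under one."""
    q = qname.lower().rstrip(".")
    return q in zones or any(q.endswith("." + z) for z in zones)


if __name__ == "__main__":
    print(render_config(prune_redundant(parse_blocklist(BLOCKLIST))), end="")
```

Write the output to an include file referenced from unbound.conf and run unbound-checkconf before reloading so a bad list never takes the resolver down.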