Blocking ads and malware with unbound

Here's a small post on how to (DNS-)block ads, malware, social networks and whatnot on your network using unbound.

Unbound is the default DNS resolver on pfSense 2.2. Adding a list of domains to block speeds up your connections (the blocked content is never fetched), can make the network a bit safer (malware domains fail to resolve) and may also reduce tracking.

To get a good list of domains, the consolidated lists maintained by StevenBlack are very useful and can be downloaded from his GitHub.

Here are the different steps to set it up for unbound:

Download the list you want to block (for example ads + malware + social networks):

$ wget

Entries in the hosts file are in the form 0.0.0.0 <domain>, while unbound needs something like this (a redirect zone answers the domain and all of its subdomains with the given local-data):

local-zone: "<domain>" redirect
local-data: "<domain> A 0.0.0.0"

The following awk command will transform the list into something that unbound understands:

$ grep '^0\.0\.0\.0' hosts | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf
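As an added example (not part of the original post), here is a slightly more careful version of the same conversion: it strips CRLF line endings, lowercases names, drops the `0.0.0.0 0.0.0.0` placeholder entry that hosts files commonly carry, rejects anything that is not a plausible hostname, and removes duplicates. The sample hosts file it runs on is constructed for the demonstration, not the real StevenBlack list.

```shell
#!/bin/sh
# hosts_to_unbound FILE: print unbound local-zone/local-data pairs for every
# 0.0.0.0 entry in a hosts-format blocklist. Beyond the one-liner it also strips
# CRLF, lowercases names, skips the "0.0.0.0 0.0.0.0" placeholder, rejects names
# with characters not allowed in a hostname and removes duplicates.
hosts_to_unbound() {
    tr -d '\r' < "$1" | awk '
        $1 == "0.0.0.0" && NF >= 2 {
            d = tolower($2)
            # placeholder entry, invalid label characters, or already seen: skip
            if (d == "0.0.0.0" || d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ || seen[d]++)
                next
            printf "local-zone: \"%s\" redirect\nlocal-data: \"%s A 0.0.0.0\"\n", d, d
        }'
}

# count_rules FILE: number of domains that ended up blocked (one local-zone line each)
count_rules() {
    hosts_to_unbound "$1" | grep -c '^local-zone:'
}

# Constructed sample blocklist (not the real StevenBlack file), written to a temp file
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Title: constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # inline comment
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example
EOF

hosts_to_unbound "$SAMPLE"
echo "rules: $(count_rules "$SAMPLE")"
```

Redirect the output of `hosts_to_unbound` to ads.conf to get the same file the one-liner produces.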

Finally, copy the resulting file to pfSense (or to whichever DNS resolver runs unbound).

For pfSense, copy the file to /var/unbound/ and paste the following lines into the Display Custom Options field of the Unbound configuration page in pfSense's web interface:

# Ads overrides
include: /var/unbound/ads.conf

For other unbound setups, edit the unbound.conf file and add the previous lines (don't forget to update the path to the file, as it might not be /var/unbound).

You can then reload the unbound configuration with the following command on pfSense:

$ unbound-control -c /var/unbound/unbound.conf reload

That's it: the added domains will now resolve to 0.0.0.0 on your DNS resolver and are thus blocked. Be aware that if some of those domains are already cached on your hosts, they will keep resolving until that cache is cleared.