{
  "path": "/3mjdpbamjj22b",
  "site": "at://did:plc:nuc33thnsiqzhytkleyr5jek/site.standard.publication/3mjdo3xyaoc2l",
  "tags": [
    "dns",
    "dns-proxy",
    "ad-blocking",
    "tailscale",
    "networking",
    "homelab"
  ],
  "$type": "site.standard.document",
  "title": "Network-wide bullshit-blocking setup with Blocky and Tailscale",
  "content": {
    "$type": "pub.leaflet.content",
    "pages": [
      {
        "id": "019d846a-411e-7bb5-9413-d74c59b1e1e0",
        "$type": "pub.leaflet.pages.linearDocument",
        "blocks": [
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.text",
              "plaintext": "I will use an Orange Pi 5 Plus, but any device, including single board computers, should work, as long as they can run the latest stable Debian or Armbian release."
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.header",
              "level": 2,
              "plaintext": "Orange Pi 5 Plus"
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.unorderedList",
              "children": [
                {
                  "$type": "pub.leaflet.blocks.unorderedList#listItem",
                  "content": {
                    "$type": "pub.leaflet.blocks.text",
                    "facets": [
                      {
                        "index": {
                          "byteEnd": 52,
                          "byteStart": 38
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      }
                    ],
                    "plaintext": "Unbound for recursive DNS resolver on 127.0.0.1:5335"
                  }
                },
                {
                  "$type": "pub.leaflet.blocks.unorderedList#listItem",
                  "content": {
                    "$type": "pub.leaflet.blocks.text",
                    "facets": [
                      {
                        "index": {
                          "byteEnd": 6,
                          "byteStart": 0
                        },
                        "features": [
                          {
                            "uri": "https://0xerr0r.github.io/blocky/latest/",
                            "$type": "pub.leaflet.richtext.facet#link"
                          }
                        ]
                      },
                      {
                        "index": {
                          "byteEnd": 69,
                          "byteStart": 59
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      },
                      {
                        "index": {
                          "byteEnd": 101,
                          "byteStart": 87
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      }
                    ],
                    "plaintext": "Blocky for DNS proxy, ad-blocking, and malware-blocking on 0.0.0.0:53. Uses Unbound on 127.0.0.1:5335 as upstream resolver. Binding to 0.0.0.0 exposes port 53 on every interface of the host, not only the tailnet; unless the LAN is meant to use it too, firewall port 53 or bind Blocky to the Tailscale address so the box cannot be used as an open resolver from anywhere else it is reachable."
                  }
                },
                {
                  "$type": "pub.leaflet.blocks.unorderedList#listItem",
                  "content": {
                    "$type": "pub.leaflet.blocks.text",
                    "facets": [
                      {
                        "index": {
                          "byteEnd": 33,
                          "byteStart": 15
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      }
                    ],
                    "plaintext": "Tailscale with --accept-dns=false, since this host is the tailnet's nameserver and accepting the pushed DNS configuration would point its own resolver at itself."
                  }
                },
                {
                  "$type": "pub.leaflet.blocks.unorderedList#listItem",
                  "content": {
                    "$type": "pub.leaflet.blocks.text",
                    "facets": [
                      {
                        "index": {
                          "byteEnd": 26,
                          "byteStart": 0
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      },
                      {
                        "index": {
                          "byteEnd": 67,
                          "byteStart": 51
                        },
                        "features": [
                          {
                            "$type": "pub.leaflet.richtext.facet#code"
                          }
                        ]
                      }
                    ],
                    "plaintext": "unbound-resolvconf.service should be disabled, and /etc/resolv.conf should not be managed by any other service (systemd-resolved, NetworkManager, resolvconf or Tailscale itself), otherwise the hand-written file below is overwritten on the next network change."
                  }
                }
              ]
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.text",
              "facets": [
                {
                  "index": {
                    "byteEnd": 55,
                    "byteStart": 39
                  },
                  "features": [
                    {
                      "$type": "pub.leaflet.richtext.facet#code"
                    }
                  ]
                }
              ],
              "plaintext": "I just put the following contents into /etc/resolv.conf for the Orange Pi 5 Plus's local DNS resolution (the host's own lookups therefore go straight to Quad9 over plain DNS and are not filtered by Blocky, presumably so the box can still resolve names, e.g. to fetch blocklists, while Blocky or Unbound is down):"
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.code",
              "language": "shellscript",
              "plaintext": "nameserver 9.9.9.9\nnameserver 149.112.112.112",
              "syntaxHighlightingTheme": "catppuccin-mocha"
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.text",
              "facets": [
                {
                  "index": {
                    "byteEnd": 42,
                    "byteStart": 36
                  },
                  "features": [
                    {
                      "$type": "pub.leaflet.richtext.facet#code"
                    }
                  ]
                },
                {
                  "index": {
                    "byteEnd": 69,
                    "byteStart": 60
                  },
                  "features": [
                    {
                      "$type": "pub.leaflet.richtext.facet#code"
                    }
                  ]
                }
              ],
              "plaintext": "I have Blocky configured to use the strict strategy for the upstreams setting, so after a timeout of the topmost upstream server it will fall back to the next one, which is Quad9. Note that the Quad9 entries are plain unencrypted DNS on port 53 (no tcp-tls: or https: prefix), so whenever Unbound is unreachable every query leaves the network in cleartext; Blocky also accepts DoT and DoH upstreams (e.g. tcp-tls:dns.quad9.net) if that matters to you."
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.text",
              "plaintext": "I have the Orange Pi 5 Plus's Tailnet IP address configured to be my Tailnet's global nameserver. This can be done through the Tailscale admin console under the DNS tab; make sure the Override DNS servers toggle is enabled there as well, otherwise clients may keep their existing resolvers alongside this one and queries can bypass the filter. So every device on my Tailnet that uses MagicDNS will be using Blocky and Unbound. The configuration below is reproduced as published: the angle brackets around the list URLs look like a rendering artifact and must not be copied into the YAML, and the phishing list fetched over plain http:// could be altered in transit, so prefer an https source where one exists."
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.header",
              "level": 2,
              "plaintext": "Blocky configuration"
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.code",
              "language": "yaml",
              "plaintext": "upstreams:  \n  strategy: strict  \n  groups:  \n    default:  \n      - 127.0.0.1:5335  \n      - 9.9.9.9  \n      - 149.112.112.112  \n  \nblocking:  \n  denylists:  \n    ads:  \n      - <https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts>  \n      - <https://adaway.org/hosts.txt>  \n      - <https://v.firebog.net/hosts/AdguardDNS.txt>  \n    suspicious:  \n      - <https://v.firebog.net/hosts/static/w3kbl.txt>  \n    tracking:  \n      - <https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt>  \n      - <https://v.firebog.net/hosts/Easyprivacy.txt>  \n      - <https://v.firebog.net/hosts/Prigent-Ads.txt>  \n    malicious:  \n      - <http://phishing.mailscanner.info/phishing.bad.sites.conf>  \n      - <https://v.firebog.net/hosts/Prigent-Crypto.txt>  \n      - <https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts>  \n  \n  clientGroupsBlock:  \n    default:  \n      - ads  \n      - suspicious  \n      - tracking  \n      - malicious  \n  \nports:  \n  dns: 53  \n  http: 4000  \n  \nprometheus:  \n  enable: yes  \n  \ncaching:  \n  minTime: 60s  \n  maxItemsCount: 10000  \n  prefetching: yes  \n  prefetchMaxItemsCount: 2000  \n  \nqueryLog:  \n  type: csv-client  \n  target: /home/jas/dns-query-logs  \n  logRetentionDays: 5  \nclientLookup:  \n  upstream: 10.0.0.1  \n  singleNameOrder:  \n    - 1  ",
              "syntaxHighlightingTheme": "catppuccin-mocha"
            }
          },
          {
            "$type": "pub.leaflet.pages.linearDocument#block",
            "block": {
              "$type": "pub.leaflet.blocks.text",
              "plaintext": ""
            }
          }
        ]
      }
    ]
  },
  "description": "",
  "publishedAt": "2025-01-05T02:21:00.000Z"
}