What is Unbound Blocklist?
Unbound DNS blocklists are lists of domain names that you can configure Unbound to block. When a device on your network tries to reach a website or service that is on the blocklist, Unbound does not return the real address for that name, effectively preventing access.
Common uses of Unbound DNS blocklists:
- Blocking ads and trackers: This can improve privacy, speed up browsing, and reduce data usage.
- Blocking malware and phishing sites: This can protect your devices from malicious software and scams.
- Blocking social media and other distracting websites: This can help improve productivity and focus.
- Blocking content based on personal preferences or parental controls: This can customize what’s accessible on your network.
Goal: Enable the Unbound Blocklist to block sites that serve ads, trackers, adult content, and malicious content. The queries will come from the LAN interface. If there are VLANs, apply the blocklist to those as well.
Enable Blocklist
Navigate to Services > Unbound DNS > Blocklist
Check Enable
Select the DNSBLs to use
Blackhole DNSBL (Domain Name System blocklist): the listed DNSBLs can be used with Unbound to block queries to those domains by mapping the DNS name to a loopback address instead of its real address.
Predefined sources
Result:

Notes:
Run ipconfig /flushdns on a Windows client so cached answers are discarded, restart the browser, then open a URL you expect to be blocked and confirm it no longer loads. To check the block independently of the browser, query the firewall directly with nslookup <blocked domain> <firewall IP> and confirm the answer is not the real address.
To view reports of which domains are blocked and which blocklist triggered that action:
Navigate to Reporting > Unbound DNS.
Search by client IP.
Rows shown in red are blocked queries; the far-right column shows the blocklist that triggered the block. In this scenario, it is Blocklist.site Ads doing the work.
Whitelist the domain if the block interferes with a production workflow.


Troubleshoot
If whitelisting does not seem to work, either the entire domain must be whitelisted instead, or the canonical name (the CNAME target) must be whitelisted after the alias has been resolved.
There is a known bug that whitelisting CNAME aliases does not work under Unbound DNS (see the GitHub issue linked below).
Example: if you want to whitelist g.live.com, which is a CNAME, putting g.live.com on the whitelist will not work. Test by disabling the blocklist first and letting g.live.com resolve; it resolves to g.msn.com. Whitelist g.msn.com, re-enable the blocklist, and g.live.com will resolve normally. You can also use mxtoolbox.com to look up CNAME records.

https://mxtoolbox.com/SuperTool.aspx?action=cname%3ag.live.com&run=toolpage
https://github.com/opnsense/core/issues/6722
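The whitelisting failure described above is easier to reason about with a small model of what the resolver does with a CNAME chain. The following is an added example, not OPNsense or Unbound code: it assumes that every name in the chain is checked against the blocklist, that a blocklist or whitelist entry also matches its subdomains, and that blocked names answer with 0.0.0.0 (the BLACKHOLE value; OPNsense lets you configure the destination address). The CNAME and address records, and the helper names resolve, names_to_whitelist and is_listed, are constructed for this illustration.

```python
# Added example, not OPNsense or Unbound code: a simplified model of how a
# DNS blocklist interacts with a CNAME chain, showing why whitelisting only
# the alias (g.live.com) does not unblock it when the canonical name
# (g.msn.com) is what the blocklist matches.
# Assumptions: every name in the CNAME chain is checked against the blocklist;
# an entry also matches its subdomains; blocked names answer with BLACKHOLE.
# The CNAME and address records below are constructed for the example.

BLACKHOLE = "0.0.0.0"  # assumed blackhole answer; OPNsense lets you change it

# Constructed records: alias -> canonical name, and name -> real address
CNAMES = {"g.live.com": "g.msn.com"}
ADDRESSES = {"g.msn.com": "203.0.113.10", "www.example.org": "203.0.113.20"}


def _norm(name):
    """Lower-case and strip the trailing dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")


def is_listed(name, entries):
    """True if name equals an entry or is a subdomain of one."""
    name = _norm(name)
    return any(name == e or name.endswith("." + e) for e in map(_norm, entries))


def resolve(name, blocklist, whitelist, cnames=CNAMES, addresses=ADDRESSES):
    """Follow the CNAME chain for name, applying the blocklist to every hop.

    Returns (answer, blocked_by, chain):
      answer     -> real address, BLACKHOLE if blocked, or None for NXDOMAIN
      blocked_by -> the chain member that matched the blocklist, or None
      chain      -> the names visited, alias first
    """
    chain = []
    current = _norm(name)
    while True:
        if current in chain:
            raise ValueError("CNAME loop at %s" % current)
        chain.append(current)
        # A whitelisted hop is skipped, but later hops are still checked.
        if is_listed(current, blocklist) and not is_listed(current, whitelist):
            return BLACKHOLE, current, chain
        if current in cnames:
            current = _norm(cnames[current])
            continue
        return addresses.get(current), None, chain


def names_to_whitelist(name, blocklist, whitelist, cnames=CNAMES):
    """Return every name in the CNAME chain that is still blocked.

    This is the list an operator must add to the whitelist to make `name`
    resolve; the alias alone is not enough when a later hop is listed.
    """
    needed = []
    current = _norm(name)
    seen = set()
    while current not in seen:
        seen.add(current)
        if is_listed(current, blocklist) and not is_listed(current, whitelist):
            needed.append(current)
        if current not in cnames:
            break
        current = _norm(cnames[current])
    return needed


if __name__ == "__main__":
    blocklist = {"g.msn.com"}
    # Whitelisting only the alias still yields the blackhole answer.
    print(resolve("g.live.com", blocklist, {"g.live.com"}))
    # -> ('0.0.0.0', 'g.msn.com', ['g.live.com', 'g.msn.com'])
    print(names_to_whitelist("g.live.com", blocklist, {"g.live.com"}))
    # -> ['g.msn.com']
    # Whitelisting the canonical name lets the alias resolve normally.
    print(resolve("g.live.com", blocklist, {"g.msn.com"}))
    # -> ('203.0.113.10', None, ['g.live.com', 'g.msn.com'])
```

The practical takeaway is the output of names_to_whitelist: when a whitelisted alias still resolves to the blackhole address, look at the full CNAME chain (mxtoolbox or a resolver query with the blocklist disabled will show it) and whitelist the canonical name that the blocklist actually matches.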
Sources:
OPNsense Unbound documentation: https://docs.opnsense.org/manual/unbound.html
Unbound setup: https://blog.lagit.eu/2022/11/26/setting-up-unbound-dns-on-opnsense-to-block-ads-on-the-network/
