DNS blocklist

I am a big fan of using IP and DNS blocklists (as one component among many) to protect the network from malware, botnets, ads/trackers, ...

For home use, there are some very good projects like AdGuard, Pi-hole, etc. For DNS blocklists in a more complex environment, unbound offers quite good support in my view.

See: github repo. The script is configured and deployed via Ansible ...

This way you can set up one or more unbound instances implementing a DNSBL ...

But what about a big setup using multiple DNS frontend servers distributed over multiple locations? Well, we can use the same config for all of them, deploying and updating them all via Ansible ...

But this means downloading the referenced blocklist sources multiple times, wasting download bandwidth and the resources of the original blocklist provider.

So we take the script from the playbook (unbound-dnsbl-updater.py) and modify it to just download the defined list of DNSBL sources and generate an unbound-compatible config file. The final file is distributed via HTTPS to the unbound servers (they just use this single URL as their DNSBL list). As the internal DNSBL list provider is set up as an HA cluster, we ensure all unbound instances get the same list via a reliable service.
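To make the aggregation step concrete, here is an added example of such an aggregator. It is my own illustration, not the unbound-dnsbl-updater.py from the playbook and not code from the linked repo. It assumes the usual two source formats (hosts-file style `0.0.0.0 name` lines and plain one-domain-per-line lists), embeds two constructed sample sources instead of downloading them, and emits `local-zone: "name." always_nxdomain` lines that unbound can pull in with an `include:` directive. It also drops names whose parent zone is already listed, since an unbound local-zone covers the whole subtree, and filters out hosts-file noise such as `localhost` and bare IP addresses that would otherwise end up in the config.

```python
"""Aggregate several DNS blocklist sources into one unbound config fragment.

Added example, not the playbook's unbound-dnsbl-updater.py. The source texts
are constructed samples embedded inline so the script runs offline; in real
use they would be fetched from the configured blocklist URLs.
"""
import re

# Names that appear in hosts-file style lists but must never be blocked.
HOSTS_FILE_NOISE = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Conservative hostname check: dotted labels of letters/digits/hyphens, and a
# top-level label that starts with a letter (this rejects bare IPv4 addresses).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)
IP_LIKE_RE = re.compile(r"[0-9.:]+")


def parse_blocklist(text):
    """Yield blocked names from a hosts-file style or plain domain list."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        # hosts-file format: "<ip> <name> [<name> ...]"; plain list: "<name>"
        if len(fields) > 1 and IP_LIKE_RE.fullmatch(fields[0]):
            names = fields[1:]
        else:
            names = fields[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name in HOSTS_FILE_NOISE or not DOMAIN_RE.match(name):
                continue
            yield name


def covered_by_parent(name, blocked):
    """True if a parent zone of name is already blocked.

    An unbound local-zone applies to the zone and everything below it, so
    a.b.example is redundant once b.example is listed.
    """
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels) - 1))


def aggregate(sources):
    """Merge all sources into one sorted, de-duplicated list of zones."""
    blocked = set()
    for text in sources.values():
        blocked.update(parse_blocklist(text))
    return sorted(n for n in blocked if not covered_by_parent(n, blocked))


def render_unbound(domains, zone_type="always_nxdomain"):
    """Render unbound local-zone lines; pull the result in via include:."""
    lines = ["# generated DNSBL fragment; include: it from unbound.conf"]
    lines += [f'local-zone: "{d}." {zone_type}' for d in domains]
    return "\n".join(lines) + "\n"


# Constructed sample sources standing in for the downloaded lists.
SAMPLE_SOURCES = {
    "hosts-style": """# constructed sample in hosts-file format
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test   # inline comment
0.0.0.0 cdn.ads.example.test
""",
    "domain-list": """# constructed sample, one domain per line
Ads.Example.Test.
malware.example.test
not a domain
""",
}

if __name__ == "__main__":
    print(render_unbound(aggregate(SAMPLE_SOURCES)), end="")
```

Run as-is it prints three `local-zone:` lines (`cdn.ads.example.test` is folded into `ads.example.test`, the duplicate from the second list is merged, and `localhost` and `not a domain` are discarded). In the real setup the rendered text is what gets published over HTTPS for the unbound frontends; the `always_nxdomain` type can be swapped for `refuse` or `static` depending on the answer you want clients to see.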

BTW: we aggregate and distribute IP blocklists for our firewall systems the same way.