# Recommended approach to host / domain blocking?



## MasterOne (Jan 3, 2020)

I'm currently using hblock with Arch Linux on my laptop:



> This POSIX-compliant shell script, designed for Unix-like systems, gets a list of domains that serve ads, tracking scripts and malware from multiple sources and creates a hosts file (alternative formats are also supported) that prevents your system from connecting to them.



and now I'm wondering what the recommended approach for something like this could be when using FreeBSD.

What comes to mind:

- Simply stick to using a hosts file
- Use a DNS resolver like unbound with a blocklist
- Use a DNS proxy like dns/dnscrypt-proxy2 with a blocklist
- Use a firewall setup with a blocklist
- Or maybe something else?

Thoughts?


----------



## obsigna (Jan 3, 2020)

I recommend dns/void-zones-tools
See also the description (README) on: https://github.com/cyclaero/void-zones-tools#readme


----------



## leebrown66 (Jan 3, 2020)

For a standalone machine, I would say if the first option works for _you_, stick with it.  It's nice and simple, nothing much to go wrong and easy to debug/restore, etc.


----------



## MasterOne (Jan 3, 2020)

obsigna said:


> I recommend dns/void-zones-tools
> See also the description (README) on: https://github.com/cyclaero/void-zones-tools#readme


That's a nice solution, which gives real meaning to the use of local_unbound.



leebrown66 said:


> For a standalone machine, I would say if the first option works for _you_, stick with it.  It's nice and simple, nothing much to go wrong and easy to debug/restore, etc.


That makes me wonder if it's unreasonable to use local_unbound mainly for that purpose on a desktop or laptop instead in terms of resource usage and maintenance.


----------



## obsigna (Jan 3, 2020)

I have local_unbound running on my FreeBSD home server, which is also the gateway to the internet for all devices in our house. Obviously, the Hosts file approach is not useful in this case. The server is set up on a >10 years old Intel Atom D510@1.66GHz system and local-unbound is not consuming many resources; here is the respective top output approx. 1 h after I restarted the machine:

```
32900 unbound       1  20    0    38M    24M select   3   0:02   0.00% local-unbound
```

In that time, my son was heavily playing on Trove and Roblox while talking with his friends over Discord, my wife watched a movie on Netflix, and I visited various sites on the internet. Unbound on this low-end machine serves perfectly well for all of our needs at the same time and does not impose a notable load on the CPU.

BTW, it is set up as a recursive caching resolver and not as a forwarder. The first lookup for a zone takes a bit longer, but subsequent lookups of domains in already cached zones are answered in no time, though.

The imported void-zones list consists of 45566 zones (resolving to NXDOMAIN) which were consolidated from 55817 hosts.

The Hosts method, on the other hand, would work only for your local machine, and the complete list of hosts is needed. Also, the Hosts file would resolve domains to an IP address, usually 127.0.0.1 or 0.0.0.0. The benefit of having a NXDOMAIN response instead of a somehow invalid IP address is that the client won’t even try to open a connection to a non-existing IP. So even if the Hosts file would consume less system resources, the clients which would be forced to look at 127.0.0.1 or 0.0.0.0 for the ads to be blocked would indeed consume more resources.

Setting up dns/void-zones-tools is a matter of minutes. Maintenance is a matter of putting the update script into a monthly cron job and then forgetting it. I haven’t had a closer look for several months now, and I looked at it now only because of your question.


----------
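The hosts-to-zones consolidation described in the post above, sketched as an added example (not code from the thread or from void-zones-tools): it parses hosts-format text, rejects malformed names so an untrusted list cannot inject text into the resolver config, drops names already covered by a blocked parent, and renders Unbound `local-zone` lines. The parent-domain rule, the choice of the `always_nxdomain` zone type and all sample names are assumptions made here.

```python
import re

# Constructed sample in hosts-file format (placeholder names, not real blocklist data).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example.com
0.0.0.0     example.com
0.0.0.0     tracker.ads.example.com   # trailing comment
127.0.0.1   cdn.metrics.example.net
0.0.0.0     METRICS.example.net.
0.0.0.0     not_a_valid_name!
"""

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return the set of valid, lower-cased hostnames found in hosts-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:              # field 0 is the IP address
            name = name.lower().rstrip(".")
            labels = name.split(".")
            if name in _SKIP or len(labels) < 2 or len(name) > 253:
                continue
            # Strict validation keeps quotes and other junk out of the config.
            if all(_LABEL.match(label) for label in labels):
                names.add(name)
    return names

def consolidate(names):
    """Drop every name that is already covered by a blocked parent domain."""
    zones = set()
    # Fewest labels first, so a parent is always seen before its subdomains.
    for name in sorted(names, key=lambda n: n.count(".")):
        labels = name.split(".")
        # Candidate parents stop above the TLD, which is never treated as a zone.
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(p in zones for p in parents):
            zones.add(name)
    return sorted(zones)

def to_unbound(zones, zone_type="always_nxdomain"):
    """Render local-zone lines for the server: section of unbound.conf."""
    return "".join(f'local-zone: "{z}." {zone_type}\n' for z in zones)

if __name__ == "__main__":
    print(to_unbound(consolidate(parse_hosts(SAMPLE_HOSTS))), end="")
```

On the sample, five valid host entries collapse to two zones, because a `local-zone` entry also covers every name below it.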



## Lamia (Jan 3, 2020)

MasterOne said:


> and now I'm wondering what the recommended approach for something like this could be when using FreeBSD.


You can also use Unbound with adblock-unbound @ https://github.com/lepiaf/adblock-unbound.


----------

