xref: /dports/dns/void-zones-tools/void-zones-tools-1.0.2/README.md

## void-zones-tools for FreeBSD
### Prepare a list of void zones that can be readily feed into *Unbound*.

### What is a void zone?

In terms of *Unbound*, a void zone is a static empty local-zone, i.e. one without any local-data directives, for example:

    local-zone: "void.example.com" static

With this in place, *Unbound* would answer any DNS requests for `void.example.com` with `NXDOMAIN`.


### For what are void zones useful?

Void zones are the most straightforward way of blocking ad, tracking and other malware domains.
While the method is similar to the *Hosts* file approach, the void zone method got 3 advantages:

1. Requests for any subdomain of the void zone result in `NXDOMAIN`.
   In *Hosts* files every subdomain needs its own entry.

2. In *Hosts* files, each entry does consist of an IP address and a fully qualified domain,
   so DNS requests for a given domain would return the listed IP address. For blocking
   purposes either `127.0.0.1` or `0.0.0.0` is used, which may result in undesired side effects:

   - in the case of `127.0.0.1`, developers won't be able to run a test web-server on localhost,
     and any software is supposed to try to establish a connection to localhost, and this
     usually ends up in a timeout error.
   - in the case of `0.0.0.0` ill-behaved software still tries to establish a connection, which
     cannot work, but resources are utilized until timeout.

   The void zone response is `NXDOMAIN`, and no software would try to establish a connection
   to a non-existing address.

3. The void zone method can be deployed on the gateway, and any number of clients behind the
   gateway do benefit automatically from ad, tracking and malware domain blocking. While *Hosts*
   files need to be deployed on any single machine. Even if this is not that difficult on
   desktops and notebooks, this may easily become a PITA for mobile clients. You would need
   `root` login on your Androids, iPhones and/or iPads.


### How does this compare to Browser Plugins?

1. Browser plugins are destined to one piece of software and not to the whole machine.
   Void zones are active for the whole machine or in the case of a gateway, for any
   number of clients, and even for those (Android) which don't allow ad-blocking plugins.

2. Browser plugins are active filters, that means, beside the advertised behaviour, they
   are able to do something in the background. This is a matter of trust, which may
   sometimes miserably trapped -- see the WoT incident. Void zones are passive. The actual
   filtering is done by the DNS resolver, here *Unbound*, which is much less likely of doing
   undesired things behind your back.


### How do I deploy the void zone method on my FreeBSD machine?

On the FreeBSD machine, either clone the present `void-zones-tools` project using *Git* or check it out with *Subversion*:

    # git clone https://github.com/cyclaero/void-zones-tools.git

or

    # svn checkout https://github.com/cyclaero/void-zones-tools.git/trunk/ void-zones-tools

Enter the directory of the working copy of the `void-zones-tools` and build & install the tools:

    # cd void-zones-tools
    # make install clean CDEFS="-march=native"

The tools consist of the *Hosts* file converter & consolidator `hosts2zones` and the shell script
`void-zones-update.sh` which is used to download suitable *Hosts* files from 6 pre-defined providers:

* [PGL - Ad blocking with ad server hostnames and IP addresses](http://pgl.yoyo.org/adservers/)
* [SomeOneWhoCares - How to make the internet not suck (as much)](http://someonewhocares.org/hosts/zero/)
* [MVPS - A detailed guide for using the MVPS HOSTS file](http://winhelp2002.mvps.org/)
* [MDL - Malware Domain List](http://www.malwaredomainlist.com/)
* [AdAway - Hosts](https://github.com/AdAway/AdAway/)
* [DNS-BH – Malware Domain Blocklist](http://www.malwaredomains.com/)
* [FadeMind - UncheckyAds](https://github.com/FadeMind/hosts.extras/)
* [WindowsSpyBlocker - Spy Hosts](https://github.com/crazy-max/WindowsSpyBlocker/)


The tools are placed by the above command sequence into `/usr/local/bin/`.

On the first run of `void-zones-update.sh`, a directory is created at `/usr/local/etc/void-zones/`,
which serves as the storage location for the downloaded *Hosts* files and/or *Domain* listings. In
addition a template for a custom white/black list `my_void_hosts.txt` is placed into that directory,
and this may be used for whitelisting some zones that are inadvertantly part of the downloaded *Hosts* files,
or for blacklisting addtional zones, which are missing from the downloads. Now execute said shell script:

    # void-zones-update.sh
    # nano /usr/local/etc/void-zones/my_void_hosts.txt

    # white list
    1.1.1.1 my.white.dom

    # black list
    0.0.0.0 my.black.dom

For whitelisting use the IP address `1.1.1.1`, and for blacklisting `0.0.0.0` shall be used.

The downloaded *Hosts* files are  placed into `/usr/local/etc/void-zones/` as well:

    # ls -l /usr/local/etc/void-zones

    total 1876
    -rw-r--r--  1 root  wheel   13722 Jan 31  2017 away_void_hosts.txt
    -rw-r--r--  1 root  wheel  640858 Aug 17 19:16 jdom_void_list.txt
    -rw-r--r--  1 root  wheel   36982 Jun 29 19:52 mdl_void_hosts.txt
    -rw-r--r--  1 root  wheel  497673 Aug  7 11:07 mvps_void_hosts.txt
    -rw-r--r--  1 root  wheel   60257 Aug 21 05:43 pgl_void_hosts.txt
    -rw-r--r--  1 root  wheel  376421 Aug 20 14:40 sowc_void_hosts.txt
    -rw-r--r--  1 root  wheel     618 Aug 22 09:29 ucky_void_host.txt
    -rw-r--r--  1 root  wheel    9977 Aug 22 09:29 w10telm_void_hosts.txt
    -rw-r--r--  1 root  wheel     886 Aug 22 09:29 w7telm_void_hosts.txt
    -rw-r--r--  1 root  wheel    1142 Aug 22 09:29 w81telm_void_hosts.txt

And finally the `void-zones-update.sh` compiles (converts & consolidates) all *Hosts* files
and *Domain* listings into one single `local-void.zones` include file, and moves this into
`/var/unbound/` for direct usage with *Unbound*:

    # head /var/unbound/local-void.zones

    local-zone: "clk.cloudyisland.com" static
    local-zone: "click.silvercash.com" static
    local-zone: "oascentral.pressdemocrat.com" static
    local-zone: "s29.cnzz.com" static
    local-zone: "www.spywarespy.com" static
    local-zone: "republika.onet.pl" static
    local-zone: "preview.msn.com" static
    local-zone: "pos.baidu.com" static
    ...

For using the void zones method, of course *Unbound* must be up and running already on the given FreeBSD machine.
Then edit the configuration file `/var/unbound/unbound.conf` in order to activate ad, tracking, malware and telemetry domain
filtering by *Unbound*:

    # nano /var/unbound/unbound.conf

**Before** any forwarder directives, e.g. `forward-zone:` or `include: /var/unbound/forward.conf` add the following line:

    include: /var/unbound/local-void.zones

Then restart *Unbound*:

    # service local_unbound restart

For future updates execute the following command sequence which may be placed into a cron job:

    # /usr/local/bin/void-zones-update.sh && /usr/sbin/service local_unbound restart

In order to facilitate inclusion of listings which are not part of the automated updating, 3 additional input files are
passed by `void-zones-update.sh` to the conversion tool `hosts2zones`:

    x_void_list.txt
    y_void_list.txt
    z_void_list.txt

This mechanism can be used to include for example the [Disconnect.me](https://github.com/chrisaljoudi/uBlock/issues/1406)
listings to the `hosts2zones` processing by executing the following command before updating the other zones:

    # fetch -o - \
            https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \
            https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt \
            https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \
            https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt \
            > /usr/local/etc/void-zones/x_void_list.txt

Said command would place the respective lists joined together into `/usr/local/etc/void-zones/x_void_list.txt`, and on the
next run of `void-zones-update.sh` that one would be  converted & consolidated & included into the `local-void.zones` for
filtering by *Unbound*. In the case these additional files are missing, the tool simply ignores these parameters.