Open Source Threat Intelligence And Makeshift RPZ with Unbound

openbsd, unbound, security, osint, dns firewall, dns rpz

So today I was incorporating some of my OSINT and PF work into my DNS setup at home. Just as a quick primer: I am using OpenBSD as the OS, unbound(8) as recursor and rcs(1) for local and simple version control. Nothing mentioned here is specific to OpenBSD besides the ftp(1) command that I use to fetch the feeds and the location of the files.

Setting up unbound

Setup is pretty simple, just add the following line to /var/unbound/etc/unbound.conf within the server: section of the file:

include: /var/unbound/zones/rpz

Then set up /var/unbound/zones/rpz with one include per list, e.g.

include: /var/unbound/zones/adblock.yoyo
include: /var/unbound/zones/adblock.local
include: /var/unbound/zones/


  • adblock.local is my local, hand-crafted block list with ad networks that are missing from the yoyo list and which I find annoying enough to block.
  • adblock.yoyo is a list provided by yoyo.
  • is being provided by and is more focused on malicious domains than the yoyo list.

Each of the files follows the format described in the unbound.conf(5) manual page. Basically I am using local-zones of type static, e.g.:

local-zone: "domain.tld" static

Constructing the zones

Currently I am not updating the above zones regularly, only manually whenever I remember to do so, but I don't see why I shouldn't set up a cron job for it. Before that, though, I'd like to stop working as root while downloading and constructing the files. For now I can live with that. The script is as follows:

#!/bin/ksh
# Fetch each feed, rewrite it as an unbound zone file kept under RCS,
# and reload unbound once all files are in place.
for _s in adblock.yoyo; do
        echo "$_s"
        # check out the existing file with a lock, or create and register a new one
        if [[ -e /var/unbound/zones/"${_s}" ]]; then
                co -l /var/unbound/zones/"${_s}"
        else
                touch /var/unbound/zones/"${_s}"
                ci -l -i -t- /var/unbound/zones/"${_s}"
        fi

        case "${_s}" in
                "adblock.yoyo")  ftp -V -o - '' |\
                        sed -ne "/local-zone/s/redirect$/static/p" > /var/unbound/zones/"${_s}";;
                "")  ftp -VMo- |\
                        awk -F, '/^#/{ next }; { if ( $4 ~ /[a-z]/ ) printf("local-zone: %s static\n",$4) }' > /var/unbound/zones/"${_s}";;
        esac

        # show what changed, then check the new revision in and release the lock
        rcsdiff -u /var/unbound/zones/"${_s}"
        ci -u -m'automatic update' /var/unbound/zones/"${_s}"
done
unbound-checkconf && unbound-control reload

Currently there are lots of sanity checks missing and I’ll let unbound weed out the duplicates. But this is not to be considered more than a POC.
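As an added example (not the post's script), here is a feed normaliser that supplies the sanity checks mentioned above before anything reaches unbound: it strips comments and CRLF, lower-cases, validates hostname syntax, de-duplicates, and drops names already covered by a parent entry, since a static local-zone also answers for its subdomains. The sample feed is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: turn a raw domain feed into the
# "local-zone: ... static" lines unbound expects, with basic sanity checks.

# Constructed sample feed: comments, mixed case, trailing dot, junk lines,
# a duplicate and a subdomain of another listed name.
SAMPLE_FEED='# constructed sample feed
ads.example.com
ADS.EXAMPLE.COM
cdn.ads.example.com
tracker.example.net.
localhost
not a domain
bad_host.example.org
metrics.example.org # web counters'

# build_zone: read a feed on stdin, write unbound local-zone lines on stdout.
# Validation keeps only names whose labels are alphanumeric/hyphen, start and
# end alphanumeric, and that have at least two labels.
build_zone() {
        tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
        grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
        awk '
            { names[$1] = 1 }                  # set semantics: duplicates collapse
            END {
                for (n in names) {
                    covered = 0; s = n
                    while (index(s, ".") > 0) {    # walk up the parent names
                        s = substr(s, index(s, ".") + 1)
                        if (s in names) { covered = 1; break }
                    }
                    if (!covered) printf("local-zone: \"%s\" static\n", n)
                }
            }' |
        LC_ALL=C sort
}

# sample_zone: the zone lines produced from the constructed feed above.
sample_zone() {
        printf '%s\n' "$SAMPLE_FEED" | build_zone
}

sample_zone
```

Pipe a real feed through build_zone in place of the sample and write the result to the zone file before running unbound-checkconf.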


Obviously this is missing live updates and it doesn't scale well. I'd love to have a feed that I can share or receive, e.g. by AXFR, but on the other side, this is maybe not as bad a starting point as I first thought.