I use uBlock Origin in my browser to block ads and malware. uBlock is great but it doesn’t work on all my (and my housemates’) devices. A Raspberry Pi with Pi-hole installed would offer an extra layer of protection, but I wasn’t too keen on adding yet another device to my home network. Why not use my Ubiquiti UniFi Security Gateway (USG)? It’s already blocking threats via its built-in threat management module. The USG uses dnsmasq as DNS forwarder which means it can be used to sinkhole DNS queries. It will simply respond with 0.0.0.0 instead of the real IP address for blacklisted domains.
Warning, playing around with the Ubiquiti USG’s command line can brick the device. I am not liable for any damages.
Elevate to root privileges and download the getBlacklistHosts script.
Unpack the script, make it executable and run it twice.
The script will generate a config file the first time it has run. Update the config file (if you want) and run it a second time to download the blocklists. Your DNS is now blocking the domains from the blacklists.
These blocklists change from time to time: new domains are added, old ones removed. You can configure the Security Gateway to download the new lists regularly. Add to following to your ‘config.gateway.json’ to update daily at 5 A.M.
Maybe you need access to a blocked domain. This is easy to do with a client-side blocker, like uBlock Origin, but a bit harder with a network-wide blocklist.
I would also like to implement some sort of countrywide blocking for added protection. I don’t understand <insert random language>, so what are the chances I would ever visit a website from that country? Is anyone blocking whole countries on their USG’s?
This post is open source. Did you spot a mistake? Ideas for improvements? Contribute to this post via Github. Thank you!