Have you considered using DNS ad blocking via unbound(8)? I wrote a
little script using a bit of awk and grep that automatically pulls a
collection of different blocklists I like, and then parses them into an
unbound friendly conf file. I also employ IP filtering as well via
similar means. I have a script pull some of my preferred IP blocklists
(from github et al, such as the StevenBlack host files etc.) and then
load them into a pf anchor rule.

Every night at midnight my machine will run the scripts, download a new
blocklist, parse it, and reload the designated pf anchor and/or reload
unbound to update the ruleset. This setup has the added benefit of using
only the base system, and it also prevents the advertisements from being
loaded in the first place. I have seen battery life increase
dramatically on my mobile devices as well as increased browsing speed
across the board on all devices. There is a modest RAM requirement due
to having to keep thousands of addresses / CIDR blocks in memory, but it
should never exceed 350MB usage. I have this setup running on some
Octeon machines (both Edgerouter Pro and Lite) and they hold up just
fine. On a nearly decade old amd64 machine I have yet to see this
filtering setup crack 15% CPU usage except when the script parses the

I also usually add some rules to redirect outgoing DNS traffic to my own
local DNS server to prevent media devices (Chromecast etc.) from phoning
home for ads, instead forcing all their DNS traffic to the local server
where the requests are then filtered. This can also be useful for
filtering in the workplace, as there are plenty of lists out there to
block NSFW or otherwise inappropriate content for the workplace. I have
used it in this capacity with great success. This can be circumvented
obviously with any sort of tunnelling or proxy, but when you're dealing
with an office full of Windows gomers, it tends to suffice.

Let me know if you're interested in a copy of the script and I'll send it
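The blocklist-to-unbound parsing step described above, written out as an added example (not the poster's script): it assumes a StevenBlack-style hosts file on stdin and emits one local-zone directive per blocked name; the sample input is constructed.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist (as published by the
# StevenBlack project and similar) into unbound(8) local-zone directives.
# Assumes lines of the form "<sinkhole-ip> <hostname> [# comment]".

# Constructed sample standing in for a downloaded blocklist.
SAMPLE_HOSTS='# Title: constructed sample blocklist
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example.com
0.0.0.0 0.0.0.0
'

# hosts_to_unbound: hosts lines on stdin, unbound config on stdout.
# Each blocked name gets "always_nxdomain" so clients receive a clean
# NXDOMAIN instead of a bogus A record they would still try to connect to.
hosts_to_unbound() {
    awk '
        # strip comments; skip blank or single-field lines
        { sub(/#.*/, ""); if (NF < 2) next }
        # only sinkhole entries are block entries; ignore ::1, 255.255.255.255, ...
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # hosts-file housekeeping names must never be blocked
                if (h ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*|0\.0\.0\.0)$/) continue
                # reject anything that is not a syntactically valid hostname
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/) continue
                # de-duplicate: lists frequently repeat names
                if (h in seen) continue
                seen[h] = 1
                printf "local-zone: \"%s.\" always_nxdomain\n", h
            }
        }'
}

printf '%s' "$SAMPLE_HOSTS" | hosts_to_unbound
```

Redirect the output to a file named by an `include:` line in unbound.conf, run `unbound-checkconf` on the result, then `rcctl reload unbound`.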
Post by Stefan Wollny
I have this little machine which serves as (squid-)proxy for my local net.

$ dmesg | grep Open
OpenBSD 6.2-current (GENERIC.MP) #311: Wed Dec 27 21:49:49 MST 2017

Basically everything is fine - except responses are kind of slow. So I
had the idea to not use squid to filter for unwanted sites but use adsuck.
I followed the advice in /usr/local/share/doc/pkg-readmes/adsuck-2.5.0p4

$ cat /etc/dhclient.conf
send host-name <client-name>;

I had to use chflags with 'schg' to make sure that /etc/resolv.conf
only contains one line (neither 'supersede' nor 'prepend' in

$ cat /etc/resolv.conf

And YES: adsuck is activated via /etc/rc.conf.local (actually it is the

$ top | grep adsuck
72573 _adsuck 2 0 2260K 4704K idle kqread 0:00 0.00% adsuck

Now: If I run 'sh /etc/netstart' on the console or an xterm I see the

$ doas sh /etc/netstart
em1: /etc/dhclient.conf line 2: expecting statement.
em1: DHCPREQUEST to 255.255.255.255
em1: DHCPACK from a.b.c.d (aa:bb:cc:dd:ee:ff)
em1: bound to a.b.d.e -- renewal in 432000 seconds

I am kind of stuck: What might I have been doing wrong here???
Some kind soul around to give me a clue?
THX in advance!