@Umbra "hobbyist" because I can not find another project that works with pattern files that you can edit yourself or use with https inspection. My true goal is to offload as much from my pc to the network and protect all devices not just one ^^
From today on I am a (eBlocker) contributor.
That does not mean that I will "fanboying" this product like a boss! I am open to all projects.
It just seams fair to the MalwareTips-Community that they know about my standing to eBlocker and understand if I try to protect this product a little more then the others. Of course the time spent to collaborate with other devs. from the eBlocker Team.
I still want to try out other solutions / projects and my mix match project is still on the go. (eblocker / Pi-Hole combo Https Pattern and DNS unbound server) Just waiting for the eBlocker Raspberry 4 update.
It just seams fair to the MalwareTips-community that they now about my standing to eBlocker and understand if I try to protect this product a little more then the others. Of course the time spent to collaborate with other devs. from the eBlocker Team.
From today on I have configured my Pi-hole to my "raspberry pi 4b" - could not wait...
What I did?
Clean Pi-hole install
Tested Pi-hole DNS directly with Quad9 Uplink DNS Server
Installed and Configured - Unbound - Recursive DNS Server and Signatures
Looped the DNS Querys back from Unbound to PI-hole
Like this all DNS Querys hit the Pi-hole and it makes a direct request to the Root-DNS-Servers plus Signature chain. (DNSSEC)
PC----> eblocker -----> Pi-hole <---> Unbound (Service Local on Pi-hole) ---> Router ----> ISP--->RootDNSServers if not cached by Pi-hole
Best part out of it is that I do not need to rely on services like cloudflare, quad9 and google to function since I request directly from the root servers.
DNSSec works too!
eBlocker is setup to have the Pi-hole as the Uplink server and disabled all Domain Blocklists since Pi-hole will take care of that part by itself and I am able to see what domains are "bogus" or "insecure". Now the added advantage is the following with eBlocker...
HTTPs Inspection --- goes to Pattern Files ---- that forwards unblocked querys to the DNS (Pi-hole) ---- that checks if the Domains are Blacklisted and allows/denys that query ---- verfiys DNSSEC ------ So you have the best of two worlds HTTPS Inspection from eBlocker and DNSSec, RecursiveDNS, Domain / Regex Blocklist from unbound/Pi-hole.
The Project was to have an eBlocker go to a Pi-Hole (Uplink DNS) and that one to Unbound to have a direct recursive DNS route to the Root DNS Servers. With features enabled like DNSsec for SSL Chain Verification and Monitoring.
How was the Setup?
Have to say super easy Pi-hole has a very well documented website and the installation and preparation for Unbound was awesome.
A little meh... at first until the DNS requests were cached and then wooow it was fast. But still the performance could be allot better if eBlocker was Raspberry 4 compatible... (More Processing Power and 1Gbit/Ethernet Interface) - Reason is that HTTPS Inspection costs allot of horsepower and since the device acts as a gateway all traffic goes thru that first (Raspberry 3 - 100Mbit/Ethernet Interface)... -.-
Nice to have but needs allot of fine tuning (eBlocker Raspberry 4 Support) and Whitelisting of URLs needed for eBlocker (Desktop Apps & Smartphone Apps that do not like to be SSL Inspected) - Plus the added administration of Pi-hole DNS Query's.
P.S. ATM I run Adguard Home DNS with Unbound and wait for it ...... DNSsec - Yap got it to work without a certificate on the Adguard somehow?!