dns/dnscrypt-proxy: add blacklist support (#1185)

2026-05-22 18:44:07 -07:00 · 2019-02-13 08:32:54 +01:00
parent 612f20c104
commit 48db37c699
13 changed files with 435 additions and 3 deletions
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================

+1.3
+
+* Add DNS blacklisting
+
 1.2

 * Add logging to menu
@@ -15,7 +19,10 @@ Plugin Changelog

 1.0

-* Initial release
+* Automatic selection of fastest DNS servers
+* Allow to set cloaks/overrides
+* Allow to set forwarders
+* Allow to set whitelists


 WWW: https://github.com/jedisct1/dnscrypt-proxy
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Dnscryptproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class DnsblController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Dnscryptproxy\Dnsbl';
+    protected static $internalModelName = 'dnsbl';
+}
@@ -33,6 +33,7 @@ namespace OPNsense\Dnscryptproxy\Api;
 use OPNsense\Base\ApiMutableServiceControllerBase;
 use OPNsense\Core\Backend;
 use OPNsense\Dnscryptproxy\General;
+use OPNsense\Dnscryptproxy\Dnsbl;

 /**
 * Class ServiceController
@@ -44,4 +45,13 @@ class ServiceController extends ApiMutableServiceControllerBase
    protected static $internalServiceTemplate = 'OPNsense/Dnscryptproxy';
    protected static $internalServiceEnabled = 'enabled';
    protected static $internalServiceName = 'dnscryptproxy';
+
+    public function dnsblAction()
+    {
+        $this->sessionClose();
+        $mdl = new Dnsbl();
+        $backend = new Backend();
+        $response = $backend->configdpRun('dnscryptproxy dnsbl', array((string)$mdl->type));
+        return array("response" => $response);
+    }
 }
@@ -37,6 +37,7 @@ class GeneralController extends \OPNsense\Base\IndexController
        $this->view->formDialogEditDnscryptproxyCloak = $this->getForm("dialogEditDnscryptproxyCloak");
        $this->view->formDialogEditDnscryptproxyWhitelist = $this->getForm("dialogEditDnscryptproxyWhitelist");
        $this->view->formDialogEditDnscryptproxyServer = $this->getForm("dialogEditDnscryptproxyServer");
+        $this->view->dnsblForm = $this->getForm("dnsbl");
        $this->view->pick('OPNsense/Dnscryptproxy/general');
    }
 }
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>dnsbl.enabled</id>
+        <label>Enable DNSBL and RPZ</label>
+        <type>checkbox</type>
+        <help>This will enable the use of DNS Blocklists for ADs, Malware, or both.</help>
+    </field>
+    <field>
+        <id>dnsbl.type</id>
+        <label>Type of DNSBL</label>
+        <type>select_multiple</type>
+        <help>Select which kind of DNSBL you want to use.</help>
+    </field>
+</form>
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Dnscryptproxy;
+
+use OPNsense\Base\BaseModel;
+
+class Dnsbl extends BaseModel
+{
+}
@@ -0,0 +1,34 @@
+<model>
+    <mount>//OPNsense/dnscryptproxy/dnsbl</mount>
+    <description>DNSBL configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <type type="OptionField">
+            <Required>N</Required>
+            <Multiple>Y</Multiple>
+            <OptionValues>
+                <aa>AdAway List</aa>
+                <ag>AdGuard List</ag>
+                <ca>Cameleon List</ca>
+                <el>Easy List</el>
+                <emd>EMD Malicious Domains List</emd>
+                <ep>Easyprivacy List</ep>
+                <ht>Hbbtv List</ht>
+                <mw>Malwaredomain List</mw>
+                <nc>NoCoin List</nc>
+                <pt>PornTop1M List</pt>
+                <rw>Ransomware Tracker List</rw>
+                <sa>Simple Ad List</sa>
+                <st>Simple Tracker List</st>
+                <sb>Steven Black List</sb>
+                <ws>Windows Spyware Blocker</ws>
+                <yy>YoYo List</yy>
+                <za>ZeusTracker Abuse.ch List</za>
+            </OptionValues>
+        </type>
+    </items>
+</model>
@@ -34,6 +34,7 @@ POSSIBILITY OF SUCH DAMAGE.
    <li><a data-toggle="tab" href="#cloaks">{{ lang._('Overrides') }}</a></li>
    <li><a data-toggle="tab" href="#whitelists">{{ lang._('Whitelists') }}</a></li>
    <li><a data-toggle="tab" href="#servers">{{ lang._('Servers') }}</a></li>
+    <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
 </ul>

 <div class="tab-content content-box tab-content">
@@ -157,6 +158,15 @@ POSSIBILITY OF SUCH DAMAGE.
            <br /><br />
        </div>
    </div>
+    <div id="dnsbl" class="tab-pane fade in">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':dnsblForm,'id':'frm_dnsbl_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAct_dnsbl" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_dnsbl_progress"></i></button>
+            </div>
+        </div>
+    </div>
 </div>

 {{ partial("layout_partials/base_dialog",['fields':formDialogEditDnscryptproxyForward,'id':'dialogEditDnscryptproxyForward','label':lang._('Edit Forwarders')])}}
@@ -173,7 +183,11 @@ $( document ).ready(function() {
        $('.selectpicker').selectpicker('refresh');
    });

-    updateServiceControlUI('dnscryptproxy');
+    var data_get_map2 = {'frm_dnsbl_settings':"/api/dnscryptproxy/dnsbl/get"};
+    mapDataToFormUI(data_get_map2).done(function(data){
+        formatTokenizersUI();
+        $('.selectpicker').selectpicker('refresh');
+    });

    $("#grid-forwards").UIBootgrid(
        {   'search':'/api/dnscryptproxy/forward/searchForward',
@@ -265,5 +279,17 @@ $( document ).ready(function() {
        });
    });

+    $("#saveAct_dnsbl").click(function(){
+        saveFormToEndpoint(url="/api/dnscryptproxy/dnsbl/set", formid='frm_dnsbl_settings',callback_ok=function(){
+        $("#saveAct_dnsbl_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/dnscryptproxy/service/dnsbl", sendData={}, callback=function(data,status) {
+                ajaxCall(url="/api/dnscryptproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                    updateServiceControlUI('dnscryptproxy');
+                    $("#saveAct_dnsbl_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+
 });
 </script>
@@ -0,0 +1,241 @@
+#!/bin/sh
+
+# Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
+# Copyright (c) 2018 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+FETCH="/usr/bin/fetch -qT 5"
+
+DESTDIR="/usr/local/etc/dnscrypt-proxy"
+WORKDIRPREFIX="/tmp/dnscryptproxydnsbl."
+WORKDIR="${WORKDIRPREFIX}${$}"
+
+rm -rf ${WORKDIRPREFIX}*
+mkdir -p ${WORKDIR}
+
+easylist() {
+	# EasyList
+	${FETCH} https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt -o ${WORKDIR}/easylist-raw
+	sed "/\.$/d" ${WORKDIR}/easylist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easylist
+	rm ${WORKDIR}/easylist-raw
+}
+
+easyprivacy() {
+	# EasyPrivacy
+	${FETCH} https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt -o ${WORKDIR}/easyprivacy-raw
+	sed "/\.$/d" ${WORKDIR}/easyprivacy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easyprivacy
+	rm ${WORKDIR}/easyprivacy-raw
+}
+
+pornall() {
+	# PornAll
+	${FETCH} https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list -o ${WORKDIR}/pornall-raw
+	sed "/\.$/d" ${WORKDIR}/pornall-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/pornall
+	rm ${WORKDIR}/pornall-raw
+}
+
+porntop() {
+	# PornTop1M
+	${FETCH} https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list -o ${WORKDIR}/porntop-raw
+	sed "/\.$/d" ${WORKDIR}/porntop-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/porntop
+	rm ${WORKDIR}/porntop-raw
+}
+
+emdlist() {
+	# EMD
+	${FETCH} https://hosts-file.net/emd.txt -o ${WORKDIR}/emdlist-raw
+	sed "/\.$/d" ${WORKDIR}/emdlist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/emdlist
+	rm ${WORKDIR}/emdlist-raw
+}
+
+adguard() {
+	# AdGuard
+	${FETCH} https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt -o ${WORKDIR}/adguard-raw
+	sed "/\.$/d" ${WORKDIR}/adguard-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/adguard
+	rm ${WORKDIR}/adguard-raw
+}
+
+nocoin() {
+	# NoCoin
+	${FETCH} https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt -o ${WORKDIR}/nocoin-raw
+	sed "/\.$/d" ${WORKDIR}/nocoin-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/nocoin
+	rm ${WORKDIR}/nocoin-raw
+}
+
+rwtracker() {
+	# RansomWare Tracker abuse.ch
+	${FETCH} https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt -o ${WORKDIR}/rwtracker-raw
+	sed "/\.$/d" ${WORKDIR}/rwtracker-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/rwtracker
+	rm ${WORKDIR}/rwtracker-raw
+}
+
+mwdomains() {
+	# MalwareDomains
+	${FETCH} http://malwaredomains.lehigh.edu/files/justdomains -o ${WORKDIR}/malwaredomains-raw
+	sed "/\.$/d" ${WORKDIR}/malwaredomains-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/malwaredomains
+	rm ${WORKDIR}/malwaredomains-raw
+}
+
+windowsspyblocker() {
+	# WindowsSpyBlocker
+	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt -o ${WORKDIR}/windowsspyblocker-raw
+	sed "/\.$/d" ${WORKDIR}/windowsspyblocker-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblocker
+	rm ${WORKDIR}/windowsspyblocker-raw
+}
+
+cameleon() {
+	# Cameleon List
+	${FETCH} http://sysctl.org/cameleon/hosts -o ${WORKDIR}/cameleon-raw
+	sed "/\.$/d" ${WORKDIR}/cameleon-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/cameleon
+	rm ${WORKDIR}/cameleon-raw
+}
+
+adaway() {
+	# AdAway List
+	${FETCH} https://adaway.org/hosts.txt -o ${WORKDIR}/adaway-raw
+	sed "/\.$/d" ${WORKDIR}/adaway-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/adaway
+	rm ${WORKDIR}/adaway-raw
+}
+
+yoyo() {
+	# YoYo List
+	${FETCH} "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext" -o ${WORKDIR}/yoyo-raw
+	sed "/\.$/d" ${WORKDIR}/yoyo-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/yoyo
+	rm ${WORKDIR}/yoyo-raw
+}
+
+stevenblack() {
+        # StevenBlack
+        ${FETCH} https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o ${WORKDIR}/stevenblack-raw
+        sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
+        rm ${WORKDIR}/stevenblack-raw
+}
+
+hbbtv() {
+	# HBBTV List
+	${FETCH} https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/hbbtv.txt -o ${WORKDIR}/hbbtv-raw
+	sed "/\.$/d" ${WORKDIR}/hbbtv-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/hbbtv
+	rm ${WORKDIR}/hbbtv-raw
+}
+
+simplead() {
+	# Simple Ad List
+	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt -o ${WORKDIR}/simplead-raw
+	sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
+	rm ${WORKDIR}/simplead-raw
+}
+
+simpletrack() {
+	# Simple Tracking List
+	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt -o ${WORKDIR}/simpletrack-raw
+	sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
+	rm ${WORKDIR}/simpletrack-raw
+}
+
+zeusabuse() {
+	# Zeus Tracker List from abuse.ch
+	${FETCH} https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist -o ${WORKDIR}/zeusabuse-raw
+	sed "/\.$/d" ${WORKDIR}/zeusabuse-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/zeusabuse
+	rm ${WORKDIR}/zeusabuse-raw
+}
+
+install() {
+	# Put all files in correct format
+	for FILE in $(find ${WORKDIR} -type f); do
+		awk '{ if (length($1) < 245) print $1 }' ${FILE} | sort -u > ${FILE}.inc
+	done
+	# Merge resulting files (/dev/null in case there are none)
+	cat $(find ${WORKDIR} -type f -name "*.inc") /dev/null | sort -u > ${DESTDIR}/blacklist.txt
+	chown _dnscrypt-proxy:_dnscrypt-proxy ${DESTDIR}/blacklist.txt
+	rm -rf ${WORKDIR}
+}
+
+DNSBL=${1}
+
+if [ -z "${DNSBL}" ]; then
+	. /etc/rc.conf.d/dnscrypt_proxy
+	DNSBL=${dnscrypt_proxy_dnsbl}
+fi
+
+for CAT in $(echo ${DNSBL} | tr ',' ' '); do
+	case "${CAT}" in
+	aa)
+		adaway
+		;;
+	ag)
+		adguard
+		;;
+	ca)
+		cameleon
+		;;
+	el)
+		easylist
+		;;
+	ep)
+		easyprivacy
+		;;
+	emd)
+		emdlist
+		;;
+	ht)
+		hbbtv
+		;;
+	nc)
+		nocoin
+		;;
+	rw)
+		rwtracker
+		;;
+	mw)
+		mwdomains
+		;;
+	pa)
+		#pornall
+		;;
+	pt)
+		porntop
+		;;
+	sa)
+		simplead
+		;;
+	sb)
+		stevenblack
+		;;
+	st)
+		simpletrack
+		;;
+	ws)
+		windowsspyblocker
+		;;
+	yy)
+		yoyo
+		;;
+	za)
+		zeusabuse
+		;;
+	esac
+done
+
+install
@@ -21,3 +21,16 @@ command:/usr/local/etc/rc.d/dnscrypt-proxy status; exit 0
 parameters:
 type:script_output
 message:request dnscrypt-proxy status
+
+[dnsbl]
+command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+parameters: %s
+type:script
+message:fetching DNSBLs
+
+[dnsblcron]
+command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh;/usr/local/etc/rc.d/dnscrypt-proxy restart
+parameters:
+type:script
+message:fetching DNSBLs and restart
+description: Download DNSCrypt-Proxy DNSBLs and restart
@@ -131,6 +131,13 @@ cache = false
  log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
  log_format = 'tsv'

+{% if helpers.exists('OPNsense.dnscryptproxy.dnsbl.enabled') and OPNsense.dnscryptproxy.dnsbl.enabled == '1' %}
+[blacklist]
+  blacklist_file = 'blacklist.txt'
+  log_file = '/var/log/dnscrypt-proxy/blocked.log'
+  log_format = 'tsv'
+{% endif %}
+
 [sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
@@ -3,6 +3,11 @@ dnscrypt_proxy_enable="YES"
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.allowprivileged') and OPNsense.dnscryptproxy.general.allowprivileged == '1' %}
 dnscrypt_proxy_suexec="YES"
 {%   endif %}
+{%   if helpers.exists('OPNsense.dnscryptproxy.dnsbl.enabled') and OPNsense.dnscryptproxy.dnsbl.enabled == '1' %}
+{%     if helpers.exists('OPNsense.dnscryptproxy.dnsbl.type') and OPNsense.dnscryptproxy.dnsbl.type != '' %}
+dnscrypt_proxy_dnsbl="{{ OPNsense.dnscryptproxy.dnsbl.type }}"
+{%     endif %}
+{%   endif %}
 {% else %}
 dnscrypt_proxy_enable="NO"
 {% endif %}