From d4e994c459fcdb9f844759cbed0f59550e9bd152 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Fri, 13 Sep 2024 08:52:44 +0300
Subject: [PATCH] unbound: move some from blocklist.conf to please-hijack-me.conf

---
 etc/unbound/unbound.conf.d/blocklist.conf | 8 ++---
 .../unbound.conf.d/please-hijack-me.conf | 36 +++++++++++++++++++
 2 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 etc/unbound/unbound.conf.d/please-hijack-me.conf

diff --git a/etc/unbound/unbound.conf.d/blocklist.conf b/etc/unbound/unbound.conf.d/blocklist.conf
index 05ffe3cd..e5684f83 100644
--- a/etc/unbound/unbound.conf.d/blocklist.conf
+++ b/etc/unbound/unbound.conf.d/blocklist.conf
@@ -24,15 +24,15 @@ local-zone: "graph.facebook.com." always_refuse
 local-zone: "fritz.box." always_refuse
 
 # Netgear
-local-zone: "mywifiext.net." always_refuse
+#local-zone: "mywifiext.net." always_refuse
 
 # TP-Link
-local-zone: "tplinkrepeater.net." always_refuse
+#local-zone: "tplinkrepeater.net." always_refuse
 
 # ASUS
-local-zone: "router.asus.com." always_refuse
+#local-zone: "router.asus.com." always_refuse
 
 # Norwegian planes
-local-zone: "norwegianwifi.com." always_refuse
+#local-zone: "norwegianwifi.com." always_refuse
 
 # vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/please-hijack-me.conf b/etc/unbound/unbound.conf.d/please-hijack-me.conf
new file mode 100644
index 00000000..c64cb212
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/please-hijack-me.conf
@@ -0,0 +1,36 @@
+# These domains belong to silly network appliances or captive portals that
+# wish to perform DNS hijacking instead of just using IP addresses. The
+# server is https://dns0.eu/zero and hopefully rejects upstream queries
+# should the domains become malicious.
+# Pv6 is not specified since I don't think the silly devices support that.
+server:
+# Quad9 says pointless performance impact on forwarders.
+# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+qname-minimisation: no
+
+forward-zone:
+ name: "router.asus.com."
+ forward-tls-upstream: no
+ forward-addr: 193.110.81.9
+ forward-addr: 185.253.5.9
+
+forward-zone:
+ name: "tplinkrepeater.net."
+ forward-tls-upstream: no
+ forward-addr: 193.110.81.9
+ forward-addr: 185.253.5.9
+
+# Netgear
+forward-zone:
+ name: "mywifiext.net."
+ forward-tls-upstream: no
+ forward-addr: 193.110.81.9
+ forward-addr: 185.253.5.9
+
+forward-zone:
+ name: "norwegianwifi.com."
+ forward-tls-upstream: no
+ forward-addr: 193.110.81.9
+ forward-addr: 185.253.5.9
+
+# vim: filetype=unbound.conf
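Review bot: The `server:` stanza at the top of please-hijack-me.conf makes `qname-minimisation: no` a resolver-wide setting rather than one scoped to the four forward-zones below it, since unbound merges every `server:` clause it reads from unbound.conf.d into one configuration; the privacy reduction therefore applies to every query, not only to these captive-portal names. If the global effect is intended, it belongs in the main server config with a comment such as `# applies to the whole resolver, not only the forward-zones below`; if it is not, the stanza should be dropped from this file. Because answers for these names are expected to come from whichever network intercepts port 53, they are also cached with that network's TTL and can still be served after roaming elsewhere, which `forward-no-cache: yes` in each forward-zone would prevent. The comment `# Pv6 is not specified` reads like a typo for `# IPv6 is not specified`.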