unbound: move some from blocklist.conf to please-hijack-me.conf

etc/unbound/unbound.conf.d/blocklist.conf

@@ -24,15 +24,15 @@ local-zone: "graph.facebook.com." always_refuse
 local-zone: "fritz.box." always_refuse
 
 # Netgear
-local-zone: "mywifiext.net." always_refuse
+#local-zone: "mywifiext.net." always_refuse
 
 # TP-Link
-local-zone: "tplinkrepeater.net." always_refuse
+#local-zone: "tplinkrepeater.net." always_refuse
 
 # ASUS
-local-zone: "router.asus.com." always_refuse
+#local-zone: "router.asus.com." always_refuse
 
 # Norwegian planes
-local-zone: "norwegianwifi.com." always_refuse
+#local-zone: "norwegianwifi.com." always_refuse
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/please-hijack-me.conf

@@ -0,0 +1,36 @@
+# These domains belong to silly network appliances or captive portals that
+# wish to perform DNS hijacking instead of just using IP addresses. The
+# server is https://dns0.eu/zero and hopefully rejects upstream queries
+# should the domains become malicious.
+# Pv6 is not specified since I don't think the silly devices support that.
+server:
+# Quad9 says pointless performance impact on forwarders.
+# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+qname-minimisation: no
+
+forward-zone:
+	name: "router.asus.com."
+	forward-tls-upstream: no
+	forward-addr: 193.110.81.9
+	forward-addr: 185.253.5.9
+
+forward-zone:
+	name: "tplinkrepeater.net."
+	forward-tls-upstream: no
+	forward-addr: 193.110.81.9
+	forward-addr: 185.253.5.9
+
+# Netgear
+forward-zone:
+	name: "mywifiext.net."
+	forward-tls-upstream: no
+	forward-addr: 193.110.81.9
+	forward-addr: 185.253.5.9
+
+forward-zone:
+	name: "norwegianwifi.com."
+	forward-tls-upstream: no
+	forward-addr: 193.110.81.9
+	forward-addr: 185.253.5.9
+
+# vim: filetype=unbound.conf