From e319c8aacfbf71f5089608f0aad29a12ab4cfee3 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Sat, 20 Apr 2024 08:53:34 +0300
Subject: [PATCH] unbound: restore and update blocklist.conf

This reverts commit fe8ac1bbb799fd0beaac35553bd400431bc25513.
---
 etc/unbound/unbound.conf.d/blocklist.conf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 etc/unbound/unbound.conf.d/blocklist.conf

diff --git a/etc/unbound/unbound.conf.d/blocklist.conf b/etc/unbound/unbound.conf.d/blocklist.conf
new file mode 100644
index 00000000..3c327de6
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/blocklist.conf
@@ -0,0 +1,18 @@
+server:
+# Tells Firefox to not automatically use Cloudflare as TRR thus bypassing
+# local encrypted DNS.
+# Encrypted Client Hello (ECH) does require DoH, but that should be
+# configured separately in browser policy and/or autoconfig.js
+local-zone: "use-application-dns.net." always_nxdomain
+
+# One of the most prevalent trackers, also the most blocked one.
+local-zone: "google-analytics.com." always_refuse
+
+# Theoretically breaks nothing as clients should handle it.
+# https://aminda.eu/matrix/#why-do-you-use-matrix-uri-scheme-instead-of-matrixto
+# https://matrix.to/#/!KMbEUhVQHLwZHmwzKX:matrix.org/$jvB1PAivkIzRKQdlU_KFAtyPW_8Gv9o5tygud_09CRY?via=pikaviestin.fi&via=grin.hu&via=tchncs.de
+local-zone: "matrix.to." always_refuse
+
+# A lot of apps integrating Facebook in any form on mobile call this domain
+# in particular, likely websites too.
+local-zone: "graph.facebook.com." always_refuse
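Review bot: The three `always_refuse` zones (google-analytics.com, matrix.to, graph.facebook.com) answer with REFUSED, which many stub resolvers treat as a server-side failure and retry against the next configured nameserver. On a host that also lists a resolver without this blocklist, the block may therefore be bypassed without any visible error. If a definitive block is intended, consider a terminal answer such as `local-zone: "google-analytics.com." always_nxdomain` (the type already used for the canary domain) or `always_null`, and the same for the other two zones. It would also help to add `# Advisory only: clients with DoH explicitly enabled ignore this canary.` above the use-application-dns.net line, so the entry is not read as enforcement.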