Splitted BLOCK_MALICIOUS with BLOCK_NSA and UNBLOCK env variable

Dockerfile

@@ -24,6 +24,8 @@ ENV USER= \
     PROTOCOL=udp \
     REGION="CA Montreal" \
     BLOCK_MALICIOUS=off \
+    BLOCK_NSA=off \
+    UNBLOCK= \
     EXTRA_SUBNETS= \
     NONROOT=
 ENTRYPOINT /entrypoint.sh
@@ -45,10 +47,13 @@ RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptab
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/root.key.updated -O /etc/unbound/root.key && \
     cd /tmp && \
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-hostnames.updated -O malicious-hostnames && \
+    wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/nsa-hostnames.updated -O nsa-hostnames && \
     wget -q https://raw.githubusercontent.com/qdm12/updated/master/files/malicious-ips.updated -O malicious-ips && \
     while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
     while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \
     tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
+    while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-nsa.conf; done < nsa-hostnames && \
+    tar -cjf /etc/unbound/blocks-nsa.bz2 blocks-nsa.conf && \
     rm -f /tmp/*
 COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh healthcheck.sh /
@@ -59,4 +64,4 @@ RUN chown nonrootuser -R /etc/unbound && \
         /etc/unbound/root.hints \
         /etc/unbound/root.key \
         /etc/unbound/unbound.conf \
-        /etc/unbound/blocks-malicious.bz2
+        /etc/unbound/*.bz2

README.md

@@ -30,7 +30,7 @@
 - [OpenVPN 2.4.6-r3](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/openvpn) to tunnel to PIA servers
 - [IPtables 1.6.2-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/iptables) enforces the container to communicate only through the VPN or with other containers in its virtual network (acts as a killswitch)
 - [Unbound 1.7.3-r0](https://pkgs.alpinelinux.org/package/v3.8/main/x86_64/unbound) configured with Cloudflare's [1.1.1.1](https://1.1.1.1) DNS over TLS
-- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` environment variable)
+- [Files and blocking lists built periodically](https://github.com/qdm12/updated/tree/master/files) used with Unbound (see `BLOCK_MALICIOUS` and `BLOCK_NSA` environment variables)
 
 </p></details>
 
@@ -136,13 +136,13 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
 | `REGION` | `CA Montreal` | One of the [PIA regions](https://www.privateinternetaccess.com/pages/network/) |
 | `PROTOCOL` | `udp` | `tcp` or `udp` |
 | `ENCRYPTION` | `strong` | `normal` or `strong` |
-| `BLOCK_MALICIOUS` | `off` | `on` or `off` |
 | `USER` | | Your PIA username |
 | `PASSWORD` | | Your PIA password |
 | `NONROOT` | | Run OpenVPN without root, `yes` or other |
 | `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
-
-`EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28`
+| `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs |
+| `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
+| `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
 
 ## Connect other containers to it
 

docker-compose.yml

@@ -16,5 +16,8 @@ services:
       - ENCRYPTION=strong
       - REGION=CA Montreal
       - EXTRA_SUBNETS=
+      - BLOCK_MALICIOUS=off
+      - BLOCK_NSA=off
+      - UNBLOCK=
     restart: always
  

entrypoint.sh

@@ -58,6 +58,7 @@ exitIfUnset PASSWORD
 exitIfNotIn ENCRYPTION "normal,strong"
 exitIfNotIn PROTOCOL "tcp,udp"
 exitIfNotIn BLOCK_MALICIOUS "on,off"
+exitIfNotIn BLOCK_NSA "on,off"
 cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
 exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
 for SUBNET in ${EXTRA_SUBNETS//,/ }; do
@@ -109,6 +110,18 @@ if [ "$BLOCK_MALICIOUS" = "on" ]; then
 else
   echo "" > /etc/unbound/blocks-malicious.conf
 fi
+if [ "$BLOCK_NSA" = "on" ]; then
+  tar -xjf /etc/unbound/blocks-nsa.bz2 -C /etc/unbound/
+  printf "$(cat /etc/unbound/blocks-nsa.conf | grep "local-zone" | wc -l ) NSA hostnames blacklisted\n"
+  cat /etc/unbound/blocks-nsa.conf >> /etc/unbound/blocks-malicious.conf
+  rm /etc/unbound/blocks-nsa.conf
+  sort -u -o /etc/unbound/blocks-malicious.conf /etc/unbound/blocks-malicious.conf
+fi
+for hostname in ${UNBLOCK//,/ }
+do
+  printf "Unblocking hostname $hostname\n"
+  sed -i "/$hostname/d" /etc/unbound/blocks-malicious.conf
+done
 
 ############################################
 # SETTING DNS OVER TLS TO 1.1.1.1 / 1.0.0.1