Configure
unwind - validating DNS resolver
unwind is a validating DNS resolver. It is intended to run on client
machines like workstations or laptops and only listens on localhost.
unwind sends DNS queries to nameservers to answer queries and switches to
resolvers learned from dhclient(8), dhcpleased(8) or slaacd(8) if it
detects that DNS queries are blocked by the local network. It
periodically probes if DNS is no longer blocked and switches back to
querying nameservers itself.
Putting that aside, we'll use the following configuration snippet.
forwarder { }
block list "/etc/unwind.blacklist"
The first line should have a list of DNS servers, you can fill those with OpenNIC's (see this link.md).
The latter should have a list of domains to block from the resolver, you can use dnsblockbuster to generate one, but you need to run ##STARTCODEBLOCK## sed 's/0.0.0.0 //g' dnsmasq-blocked-hosts.txt > unwind.blacklist ##ENDCODEBLOCK## in order to use it from unwind.
After it's done, you can enable unwind with ##STARTCODEBLOCK## # rcctl enable unwind ##ENDCODEBLOCK## and start it with ##STARTCODEBLOCK## # rcctl start unwind ##ENDCODEBLOCK## . It'll be automatically detected by the running resolvd process and place it on resolv.conf.