+ if $zblock; then
+ cat <<'EOF'
+# no sy until that dongle is used by ziva
+
+# syw
+#access-control-view: 10.2.0.7/32 "youtube"
+# bow
+access-control-view: 10.2.0.29/32 "youtube"
+# samsungtab
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+ fi
+ } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true
+
+
+ # dns based blocking vs ip based. with ip, same
+ # server can have multiple domains. in dns,
+ # you have to make sure clients to use the local dns.
+ # https dns will need to be blocked by ip in
+ # order to be comprehensive
+
+
+
+ {
+ # shellcheck source=/p/c/ptr-data
+ . /root/ptr-data
+ cat <<EOF
+
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+ name: "."
+# forward-addr: 8.8.8.8
+# forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+# forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+# forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+# forward-ssl-upstream: yes
+ forward-first: no
+ forward-addr: 1.1.1.3
+ forward-addr: 1.0.0.3
+
+view:
+ name: "youtube"
+ local-zone: "googlevideo.com." refuse
+ local-zone: "video.google.com." refuse
+ local-zone: "youtu.be." refuse
+ local-zone: "youtube-nocookie.com." refuse
+ local-zone: "youtube-ui.l.google.com." refuse
+ local-zone: "youtube.com." refuse
+ local-zone: "youtube.googleapis.com." refuse
+ local-zone: "youtubeeducation.com." refuse
+ local-zone: "youtubei.googleapis.com." refuse
+ local-zone: "yt3.ggpht.com." refuse
+ local-zone: "youtubekids.com." refuse
+ # try global if no match in view
+ view-first: yes
+EOF
+ } | cedit /etc/unbound/unbound_ext.conf || unbound_restart=true
+
+
+ if $unbound_restart; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
+ fi
+fi # end if $ap
+
+# # disabled for now. i want to selectively enable it
+# # for specific hosts.
+# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+# v uci set adblock.global.adb_enabled=0
+# uci commit adblock
+# /etc/init.d/adblock restart
+# fi
+# # https://github.com/openwrt/packages/tree/master/net/adblock/files
+# cat >/etc/crontabs/root <<'EOF'
+# 0 06 * * * /etc/init.d/adblock reload
+# EOF
+