PS1='\[\e[7m\]${?#0}\[\e[0m\]\W\$ '

(also works with bash & Busybox’s ash)

It looks like this:

It’s nothing fancy, I know, but I’m going to explain what each part of that ugly string does anyway.

Showing the Exit Status

An exit status of 0 means your command ran without a hitch, and any other number is an error code. For some reason it is standard to hide this info from the user. Sure, you could query the exit status with echo $?, but that’d require you to have a premonition of your command failing. On top of that, the $? variable gets overwritten as soon as you run your next command.

This inclusion might be the only unique thing about my prompt.

Parameter Substitution

I use ${?#0} instead of just $? to avoid unnecessary noise. This strips the leading 0 from the variable, leaving an empty string when everything goes right while still displaying the exit status when it doesn’t.

The shell’s builtin substitutions can be used to avoid calls to external programs and subshells in some scripts. Here’s a simple example of parameter substitution compared to plain old sed being used to strip the protocol from a URL:

~$ URL=http://example.net
~$ echo $URL | sed 's!^http://!!'
example.net
~$ echo ${URL#http://}
example.net

ANSI Escape Sequences

Before getting into the actual ANSI stuff, \[ and \] are there to inform the shell that the enclosed characters take up no physical space on the screen. Without these, the shell will get confused about line wrapping and cursor placement.

ANSI Escape Codes, on the other hand, are interpreted by the terminal emulator as instructions for styling text. I use \e[7m to tell the terminal to invert the foreground and background colors when outputting the exit status to make it pop out a bit. After that, I use \e[0m to reset the terminal to its default state.

Here’s a snippet that spews out all of the colors you can jam into your prompt:

i=0
while [ "$i" -le 255 ]; do
    printf "\e[48;5;%sm %3d \e[0m" "$i" "$i"
    i=$((i + 1))
done
printf "\n"

Despite the possibilities, I generally skip color in my terminal. The same goes for emojis, ligatures, and Nerd Fonts. :)

The Rest

\W provides the current directory name. I prefer this over having the full path (\w). I saw a script that truncates directory names to keep your prompt short (e.g., ~/.c/mpv). While it looks like a nice middle ground, including a subshell in my prompt feels frivolous.

\$ displays $ for regular users and # for root. In some odd way, the root symbol could act as a safety against copy-pasting commands since what follows is read as a comment. Is this a mere coincidence, or divine providence offering a reckless soul the opportunity to repent before ignorantly executing a command from a forum as root?

Finally, I add a space at the end too. It gives a bit of breathing room between the prompt and the command.

Additional Resources

• ksh man page on PS1
• ohmyksh
• More ANSI

Pi-hole needs no introduction; it has been a homelab staple for years. However, this popularity has also gotten it into places where it does not belong. If your goal is to self-host a recursive DNS resolver with ad blocking, you’ll need to run Unbound too. Instead of playing with cute web interfaces, we can simplify our networks by leveraging Response Policy Zones (RPZ). On top of that, Pi-hole only runs on Linux.

This isn’t for everyone; it requires familiarity with the command line. My goal is just to show a better integrated alternative to Pi-Hole for OpenBSD routers.

Configuring Unbound

Since Unbound is included in base, we do not need to install anything. The configuration takes place in /var/unbound/etc/unbound.conf because it runs in a chroot for extra separation.

Modify the config to something like:

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

server:
    interface: 127.0.0.1
    interface: ::1

    hide-identity: yes
    hide-version: yes

    root-hints: "/var/unbound/db/named.cache"
    prefetch: yes

    auto-trust-anchor-file: "/var/unbound/db/root.key"
    prefetch-key: yes

    # The order of these matters!
    module-config: "respip validator iterator"

    define-tag: "ads nsfw"
    # You might want to change these to your subnets
    access-control-tag: 0.0.0.0/0 "ads nsfw"
    access-control-tag: ::/0 "ads nsfw"

rpz:
    name: oisd-ads
    url: https://small.oisd.nl/rpz
    tags: "ads"

rpz:
    name: oisd-nsfw
    url: https://nsfw-small.oisd.nl/rpz
    tags: "nsfw" 

I’m not going to break this down line by line. If you need help understanding the config, start with the man page.

Validate the config with unbound-checkconf, because rcctl configtest unbound doesn’t work for whatever reason.

Add the root hints to the chroot

Recursive resolvers need to know where to start looking for DNS records. The root hints file provides the IP addresses of the 13 authoritative root nameservers that anchor the global DNS hierarchy.

cd /var/unbound/db/
ftp https://www.internic.net/domain/named.cache

Starting Unbound

Enable the service and increase the startup timeout. Larger RPZ files will increase the time it takes for the daemon to initialize, so we tell rc that the wait is expected.

rcctl set unbound timeout 60
rcctl enable unbound
rcctl start unbound

Redirect all DNS traffic on your network to Unbound

Then add this little trick to /etc/pf.conf so that all incoming local traffic on port 53 is routed to unbound. This doesn’t include the router itself.

pass in on !egress inet proto { udp tcp } from any to self \
    port domain rdr-to 127.0.0.1
pass in on !egress inet6 proto { udp tcp } from any to self \
    port domain rdr-to ::1

Now run pfctl -f /etc/pf.conf and you should be done!

Alternatively, you could advertise the resolver in dhcpd.conf and rad.conf like a normal person.

Testing

Modern web browsers often try to handle DNS internally (DoH), which can make command-line tests deceiving. So I recommend web-based tests to check if DNSSEC and the RPZ for ad blocking are working.

If these tests fail, check your browser’s “Secure DNS” settings; it might be bypassing the system resolver.

RPZ files

If you have the available memory, I suggest using the big lists from OISD.nl. Another source I’ve found is hagezi/dns-blocklists. Writing your own RPZ should also be self explanatory after you look at the syntax of an already existing zone.

Additional notes

• BIND supports RPZ too but I’ve never used it
• If you want remote access take a look at wg
• YouTube video of Paul Vixie explaining the current state of DNS
• This article was inspired by this guy using Pi-hole
• I found the pf trick on Tedu’s blog