diff --git a/cron/unbound-dhcpd-updater b/cron/unbound-dhcpd-updater
index 1d09560..d744ce7 100755
--- a/cron/unbound-dhcpd-updater
+++ b/cron/unbound-dhcpd-updater
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -eu
+#!/usr/local/bin/bash
+set -euo pipefail
 
 readonly DHCPD_CONF_FILE='/etc/dhcpd.conf'
 readonly DHCPD_LEASES_FILE='/var/db/dhcpd.leases'
@@ -24,5 +24,6 @@ fi
 ../dhcpd/list_active_assignments | ../unbound/local-data-file-generator > "$UNBOUND_LOCAL_DATA_FILE_TMP"
 
 mv "$UNBOUND_LOCAL_DATA_FILE_TMP" "$UNBOUND_LOCAL_DATA_FILE"
+chmod 644 "$UNBOUND_LOCAL_DATA_FILE"
 
-rcctl restart unbound
+rcctl reload unbound
diff --git a/dhcpd/list_active_assignments b/dhcpd/list_active_assignments
old mode 100644
new mode 100755
index 4684324..b167b75
--- a/dhcpd/list_active_assignments
+++ b/dhcpd/list_active_assignments
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -eu
+#!/usr/local/bin/bash
+set -euo pipefail
 
 readonly DHCPD_CONF_FILE="${DHCPD_CONF_FILE:-/etc/dhcpd.conf}"
 readonly DHCPD_LEASES_FILE="${DHCPD_LEASES_FILE:-/var/db/dhcpd.leases}"
diff --git a/unbound/blocklist-updater b/unbound/blocklist-updater
new file mode 100755
index 0000000..f09d23e
--- /dev/null
+++ b/unbound/blocklist-updater
@@ -0,0 +1,23 @@
+#!/usr/local/bin/bash
+
+set -euo pipefail
+
+if ! command -v curl &> /dev/null; then
+	>&2 echo 'curl is missing from PATH'
+	exit 1
+fi
+
+readonly OUTPUT_FILE='/var/unbound/etc/blocklist.conf'
+
+curl -LSsf 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts' | awk '/^0\.0\.0\.0/{
+	# there is no need for a "0.0.0.0 0.0.0.0" line
+	if ($2 == "0.0.0.0") {
+		next
+	}
+
+	print "local-zone: \"" $2 "\" redirect"
+	print "local-data: \"" $2 " A 0.0.0.0\""
+}' > "${OUTPUT_FILE}"
+
+chmod 644 "${OUTPUT_FILE}"
+rcctl reload unbound
diff --git a/unbound/local-data-file-generator b/unbound/local-data-file-generator
index 01559b8..2100e98 100755
--- a/unbound/local-data-file-generator
+++ b/unbound/local-data-file-generator
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/usr/local/bin/bash
 
-set -eu
+set -euo pipefail
 
 AWK_SCRIPT=$(cat << 'EOF'
 /^[ \t]*[^ \t]+[ \t]+([0-9]{1,3}\.){3}[0-9]{1,3}[ \t]*$/ {