Dnsmasq example: DNS sinkhole: Difference between revisions

From wikinotes
Latest revision as of 20:36, 11 October 2021

See the Wikipedia definition (https://en.wikipedia.org/wiki/DNS_sinkhole). This method can be used to block advertisers and trackers, or any other hostname clients should never reach.

The general idea is that dnsmasq answers DNS queries for selected hostnames with a sinkhole address instead of forwarding them upstream, so the connections never reach their intended target. 0.0.0.0 is the usual choice for A records and :: for AAAA; 127.0.0.1 and ::1 also work, but they are the loopback addresses and send the connection to the client's own host, where a local service may answer it. Only clients that actually use this resolver are covered: a client with a hard-coded upstream resolver or DNS-over-HTTPS bypasses the sinkhole. This is achieved using two options:

  • address= substitutions (a rule for a name also matches every subdomain of it)
  • addn-hosts= loads /etc/hosts formatted files that direct blocked hostnames to 0.0.0.0 (exact names only; entries here override address= for that name)


Tutorials

Alex Blewitt blog https://alblue.bandlem.com/2020/05/using-dnsmasq.html
Vlad Stoica blog https://vlads.me/post/setting-up-dns-adblocker-freebsd-jail/

/etc/dnsmasq.d/10-sinkhole.conf

Based on pi-hole

log-queries                   # log every query handled, not only blocked ones; needed to see what the sinkhole catches
localise-queries              # for names with several addresses in /etc/hosts, return the one on the querying interface's subnet
no-resolv                     # ignore /etc/resolv.conf; only the server= upstreams below are used
cache-size=10000              # cache up to 10000 answers (the default is 150)
local-ttl=2                   # answers from /etc/hosts, addn-hosts and address= get a 2 s TTL instead of the default 0
log-async                     # log asynchronously so a slow syslog does not stall resolution

# domain-name substitution (a rule matches the name and all of its subdomains)
#address=/example.com/        # alternative: no address means the domain is treated as local, never forwarded, NXDOMAIN unless /etc/hosts or DHCP knows the name
address=/example.com/0.0.0.0  # answer A queries for example.com and subdomains with the sinkhole address 0.0.0.0
address=/example.com/::       # answer AAAA queries with ::, otherwise IPv6-capable clients still reach the real host

addn-hosts=/etc/evil/hosts    # load an /etc/hosts-style file mapping blocked names to 0.0.0.0 (re-read on SIGHUP; overrides address= for the exact name)


# use OpenDNS as the upstream resolvers
server=208.67.222.222
server=208.67.220.220

Obtaining Denylists

The denylist files need to be in one of the two formats used above: dnsmasq address= lines (put the file in /etc/dnsmasq.d/ next to 10-sinkhole.conf, or reference it with conf-file=), or /etc/hosts-style "0.0.0.0 hostname" lines (reference the file with addn-hosts=). A hosts-style list can be refreshed with a SIGHUP, since dnsmasq re-reads addn-hosts files on SIGHUP but not its configuration; a changed address= file needs a restart. Whichever format is used, review what a list contains before loading it: every entry silently makes a name unresolvable for all clients, and an over-broad address= entry also covers every subdomain.
Denylists can be obtained from a variety of sources. Some examples:

acidwars (dnsmasq formatted)                                            https://github.com/acidwars/AdBlock-Lists
[pi-hole] Steven Black's unified hosts list (https://github.com/StevenBlack/hosts)   https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
[pi-hole] disconnect.me (https://disconnect.me/)                        https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
                                                                        https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
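Most of the lists above (Steven Black, disconnect.me) are distributed in /etc/hosts format, while the sinkhole config uses address= rules. The script below is an added example, not part of the wiki page or of pi-hole: a POSIX sh function that converts a hosts-style denylist on stdin into dnsmasq address= lines for both 0.0.0.0 (A) and :: (AAAA). It keeps only sinkhole-style source lines (0.0.0.0 or 127.0.0.1), strips comments, lowercases and validates each name, drops the local-machine names every hosts file carries (localhost, ip6-*, and so on), and emits each name once. The sample input and the function name hosts_to_dnsmasq are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): convert an /etc/hosts-style denylist
# into dnsmasq address= rules that sinkhole to 0.0.0.0 (A) and :: (AAAA).

hosts_to_dnsmasq() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments, fields are re-split
    NF < 2 { next }                                      # blank line, or an address with no names
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }        # only sinkhole-style entries are block rules
    {
        for (i = 2; i <= NF; i++) {
            h = tolower($i)
            # names a hosts file carries for the local machine; never sinkhole them
            if (h == "localhost" || h == "localhost.localdomain" || h == "local" || h == "broadcasthost" || h ~ /^ip6-/) continue
            if (h ~ /^[0-9.]+$/) continue                # lines such as "0.0.0.0 0.0.0.0"
            # plain hostname syntax: at least two dot-separated labels of [a-z0-9-], no leading/trailing hyphen
            if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
            if (seen[h]++) continue                      # emit each name once
            printf "address=/%s/0.0.0.0\n", h
            printf "address=/%s/::\n", h
        }
    }'
}

# Constructed sample input for the example (not a real denylist)
SAMPLE_HOSTS='# sample denylist
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 Tracker.Example.NET ads.example.com
0.0.0.0 bad_host.example.com
192.0.2.1 intranet.example.org'

# Demo: prints four address= lines (ads.example.com and tracker.example.net, A and AAAA each)
printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq
```

Typical use is hosts_to_dnsmasq < hosts > /etc/dnsmasq.d/20-denylist.conf, then dnsmasq --test to check the syntax and a restart of dnsmasq (address= rules live in the configuration, which SIGHUP does not re-read). Note that the converted rules are broader than the hosts file: address=/ads.example.com/0.0.0.0 also answers for every subdomain of ads.example.com, which is usually what you want for an ad domain but worth knowing when a list entry is a bare registrable domain. If a list should stay in hosts format, skip the conversion and point addn-hosts= at the file instead, then SIGHUP dnsmasq after each refresh.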