Dnsmasq example: DNS sinkhole
From wikinotes
Latest revision as of 20:36, 11 October 2021
See [https://en.wikipedia.org/wiki/DNS_sinkhole wikipedia] definition. This method can be used to block advertisers, trackers and known-malicious domains.<br>
The general idea is that dnsmasq answers DNS requests for a set of hostnames locally, with the null address (<code>0.0.0.0</code> for A, <code>::</code> for AAAA) or with NXDOMAIN,<br>
so the client never learns the real address and the request never reaches its intended target. This is achieved using two options:
* <code>address=</code> substitutions (match a domain and all of its subdomains; never forwarded upstream)
* <code>addn-hosts=</code> loads <code>/etc/hosts</code> formatted files that map unwanted hostnames to <code>0.0.0.0</code> (exact names only, no subdomain matching)

= Tutorials =
<blockquote>
{| class="wikitable"
|-
| Alex Blewitt blog || https://alblue.bandlem.com/2020/05/using-dnsmasq.html
|-
| Vlad Stoica blog || https://vlads.me/post/setting-up-dns-adblocker-freebsd-jail/
|-
|}
</blockquote><!-- Tutorials -->

= /etc/dnsmasq.d/10-sinkhole.conf =
<blockquote>
Based on pi-hole
<syntaxhighlight lang="ini">
# log every query (not only sinkholed ones); verbose, but shows what gets sunk
log-queries
# buffer log writes so a slow syslog cannot stall resolution
log-async
# for names with several addresses, answer with the one on the client's subnet
localise-queries
# ignore /etc/resolv.conf; only the server= lines below are used upstream
no-resolv
# cache up to 10000 names (default is 150)
cache-size=10000
# TTL (seconds) on answers from /etc/hosts, address= and DHCP leases (default 0)
local-ttl=2

# domain-name substitution: matches example.com and all subdomains, never forwarded.
# A queries get 0.0.0.0, AAAA get :: (not ::1, which is loopback);
# newer releases accept address=/example.com/# as shorthand for both.
address=/example.com/0.0.0.0
address=/example.com/::
# alternative: NXDOMAIN (same as server=/example.com/); don't combine with the above
#address=/example.com/
# /etc/hosts style file mapping unwanted names to 0.0.0.0 (exact names only)
addn-hosts=/etc/evil/hosts

# use open-dns as upstream resolvers
server=208.67.222.222
server=208.67.220.220
</syntaxhighlight>
Note that <code>address=/example.com/</code> with no address does not return <code>0.0.0.0</code>: it returns NXDOMAIN, which clients fail on immediately, whereas a <code>0.0.0.0</code> answer makes them attempt a connection that fails. Pick one behaviour per domain.<br>
After reloading dnsmasq, verify with <code>dig @127.0.0.1 example.com A +short</code> (expect <code>0.0.0.0</code>, or status NXDOMAIN for the empty form) and confirm the query shows up in the log thanks to <code>log-queries</code>.
</blockquote><!-- /etc/dnsmasq.d/10-sinkhole.conf -->

= Obtaining Denylists =
<blockquote>
Denylist files need to be in one of the two formats above: <code>address=</code> lines (drop them into <code>/etc/dnsmasq.d/</code> or include them with <code>conf-file=</code>), or <code>/etc/hosts</code> format loaded with <code>addn-hosts=</code>. Hosts-format lists can be loaded directly, but then only exact names match; converting them to <code>address=</code> lines also covers subdomains. Treat downloaded lists as untrusted input and validate the names before writing them into dnsmasq configuration.<br>
Denylists can be obtained from a variety of sources. Some examples:
{| class="wikitable"
|-
| acidwars (dnsmasq formatted) || https://github.com/acidwars/AdBlock-Lists
|-
| '''[pi-hole]''' Steven Black's unified hosts list (see [https://github.com/StevenBlack/hosts here]) || https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
|-
| '''[pi-hole]''' disconnect.me (see [https://disconnect.me/ here]) || https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt <br> https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
|-
|}
</blockquote><!-- Obtaining Denylists -->
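The conversion step described above, as an added example written for this page (it is not pi-hole or dnsmasq code, and the script name <code>hosts2dnsmasq.py</code> and output path <code>/etc/dnsmasq.d/20-denylist.conf</code> are assumptions). It goes slightly beyond the hosts-only case in the text: it accepts both <code>/etc/hosts</code> style lines and plain one-domain-per-line lists, drops the <code>localhost</code> entries every hosts file carries, rejects anything that is not a syntactically valid hostname (so a crafted line containing <code>/</code> or <code>#</code> cannot smuggle extra options into the generated <code>address=</code> lines), and collapses subdomains whose parent is already listed, since <code>address=</code> already covers them. The sample list embedded at the bottom is constructed for the example.

```python
"""Convert downloaded denylists into dnsmasq address= lines.

Added example for this page, not pi-hole or dnsmasq code. Accepts the two list
formats linked above: /etc/hosts style ("0.0.0.0 ads.example") and one domain
per line. Every name is validated before it is emitted, so a malformed or
hostile line cannot inject extra dnsmasq options.
"""
import re
import sys
from pathlib import Path
from typing import Iterable

# Names hosts-format lists always carry for the local machine; never sink them.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Hostname: two or more labels of letters, digits, '-' or '_' (underscores do occur
# in tracker lists), no leading/trailing '-', at most 63 chars per label.
# Built by concatenation, not an f-string, so the {0,61} quantifier survives.
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")


def parse_denylist(lines: Iterable[str]) -> set[str]:
    """Extract hostnames from hosts-format or domain-per-line text."""
    names: set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # hosts format: "<ip> name [alias ...]"; plain list: "name"
        candidates = fields[1:] if len(fields) > 1 else fields
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or not HOSTNAME_RE.match(name):
                continue  # '/', '#' and spaces never reach the address=/.../ line
            names.add(name)
    return names


def collapse(names: set[str]) -> list[str]:
    """Drop names whose parent domain is also listed: address= covers subdomains."""
    kept: set[str] = set()
    for name in sorted(names, key=lambda n: (n.count("."), n)):   # parents first
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(name)
    return sorted(kept)


def to_dnsmasq(names: set[str], target: str = "0.0.0.0") -> list[str]:
    """Render address= lines. target="" gives NXDOMAIN, "::" the IPv6 null address."""
    return [f"address=/{name}/{target}" for name in collapse(names)]


# Constructed sample mixing both formats plus lines that must be rejected.
SAMPLE_LIST = """\
# constructed sample, StevenBlack-style header
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 ads.example.com
0.0.0.0 tracker.ads.example.com
0.0.0.0 telemetry.example.net www.telemetry.example.net
0.0.0.0 bad/#/evil.example
Example.ORG.
metrics.example.org
"""

if __name__ == "__main__":
    # usage: python3 hosts2dnsmasq.py list.txt ... > /etc/dnsmasq.d/20-denylist.conf
    text = "".join(Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]) or SAMPLE_LIST
    print("\n".join(to_dnsmasq(parse_denylist(text.splitlines()))))
```

Run on the sample and the six accepted names collapse to three <code>address=</code> lines (<code>ads.example.com</code>, <code>example.org</code>, <code>telemetry.example.net</code>); the malformed <code>bad/#/evil.example</code> line is dropped. Before restarting dnsmasq on a generated file, run <code>dnsmasq --test</code> to syntax-check the configuration.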