Dnsmasq example: DNS sinkhole
From wikinotes
See the Wikipedia definition. This method can be used to block advertisers.
The general idea is that we redirect DNS requests for a set of hostnames to 0.0.0.0 or ::1
so they never reach their intended target. This is achieved using two options:
address= substitutions
addn-hosts= loads /etc/hosts formatted files that direct malicious hostnames to 0.0.0.0
Tutorials
Alex Blewitt blog https://alblue.bandlem.com/2020/05/using-dnsmasq.html
Vlad Stoica blog https://vlads.me/post/setting-up-dns-adblocker-freebsd-jail/
/etc/dnsmasq.d/10-sinkhole.conf
Based on pi-hole
log-queries                    # log every query (shows which names are being sinkholed)
localise-queries               # hostnames are localized to their subnets (allowing reuse in different subnets)
no-resolv                      # only configured nameservers are used (ignores resolv.conf)
cache-size=10000               # keep LRU cache of 10_000 domain-names
local-ttl=2                    # tell clients to cache answers from hosts files / DHCP leases for 2s
log-async                      # async logging
# domain-name substitution
address=/example.com/          # no address given: example.com and all subdomains answer NXDOMAIN
address=/example.com/0.0.0.0   # redirect example.com and all subdomains to 0.0.0.0 (use ::1 for IPv6)
addn-hosts=/etc/evil/hosts     # adds a /etc/hosts style file (that here redirects domains to 0.0.0.0)
# use OpenDNS upstream resolvers
server=208.67.222.222
server=208.67.220.220
Obtaining Denylists
We'll need denylist files formatted as the address= substitutions above (or as /etc/hosts style files for addn-hosts=).
Denylists can be obtained from a variety of sources. Some examples:
acidwars (dnsmasq formatted) https://github.com/acidwars/AdBlock-Lists
[pi-hole] Steven Black's "additional sketch domains" list (see here) https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
[pi-hole] disconnect.me (see here) https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
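Most of the lists above ship in /etc/hosts format rather than as address= lines, so a small converter is handy. The script below is an added example, not from the original page or from any of the linked projects; the hosts-list content is a constructed sample with placeholder domains. It drops comments, loopback names, bare IP "hostnames" and syntactically invalid names, deduplicates case-insensitively, and removes subdomain entries already covered by a parent, since address=/parent/ matches every subdomain anyway.

```python
import ipaddress
import re
from typing import Iterable, Iterator, List

# Constructed sample in the /etc/hosts layout used by pi-hole style lists.
# Domains are placeholders under .test, not real trackers.
SAMPLE_HOSTS_LIST = """\
# Title: constructed sample hosts list
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.test   # trailing comment
0.0.0.0 tracker.example.test metrics.example.test
0.0.0.0 ADS.EXAMPLE.TEST.
0.0.0.0 cdn.ads.example.test
0.0.0.0 under_score.example.test
0.0.0.0 -leading-dash.example.test
not-an-ip ads2.example.test
"""

# Names that appear in hosts files but must never be sinkholed.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-allnodes",
              "ip6-allrouters", "ip6-mcastprefix"}

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Cheap syntactic check so a garbage line cannot produce a bad address= entry."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hosts_to_domains(lines: Iterable[str]) -> Iterator[str]:
    """Yield normalised, deduplicated domains from hosts-format lines."""
    seen = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])     # first field must be an address
        except ValueError:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            try:
                ipaddress.ip_address(name)     # "0.0.0.0 0.0.0.0" style junk
                continue
            except ValueError:
                pass
            if name in SKIP_NAMES or not is_valid_hostname(name) or name in seen:
                continue
            seen.add(name)
            yield name


def collapse_subdomains(domains: Iterable[str]) -> List[str]:
    """Drop names already covered by a parent entry; address=/parent/ matches all subdomains."""
    keep = set()
    for d in sorted(domains, key=lambda d: d.count(".")):  # parents first
        labels = d.split(".")
        if any(".".join(labels[i:]) in keep for i in range(1, len(labels))):
            continue
        keep.add(d)
    return sorted(keep)


def to_address_lines(domains: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Render dnsmasq address= substitutions pointing every domain at the sink address."""
    ipaddress.ip_address(sink)                 # fail fast on a typo in the sink
    return [f"address=/{d}/{sink}" for d in domains]


def build_sinkhole_conf(hosts_text: str, sink: str = "0.0.0.0") -> str:
    """Full pipeline: hosts-format text in, dnsmasq conf fragment out."""
    domains = collapse_subdomains(hosts_to_domains(hosts_text.splitlines()))
    return "\n".join(to_address_lines(domains, sink)) + "\n"


if __name__ == "__main__":
    print(build_sinkhole_conf(SAMPLE_HOSTS_LIST), end="")
```

Point the script at a downloaded list and write the output to a file under /etc/dnsmasq.d/ alongside 10-sinkhole.conf, then check the result with dnsmasq --test before reloading. Passing "::1" as the sink gives the IPv6 variant; to emit both, render the same domain list twice with each sink.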