Block Tracking Sites With dnsmasq
Posted by Dave Eddy on Jul 19 2018 - tags: tech

Around five years ago I started looking into different ways to block ads and trackers in the most effective way on my computers. I discovered this hosts list on someonewhocares.org and even wrote a script to automate the process of downloading, verifying, and installing the list on my machines.
https://github.com/bahamas10/someonewhocares
I recently got back into it when I was setting up Encrypted DNS with dnsmasq and dnscrypt-proxy on SmartOS using OpenNIC. I stumbled across the Pi-hole project and really liked it; however, I didn't want to run a Raspberry Pi in my house as part of any critical infrastructure. Instead, I took the essence of that project and found a compiled blocklist to use with my existing dnsmasq setup to block these sites at the DNS level.
notracking
I found notracking/hosts-blocklists, which is an automatically updating block list compiled from multiple sources and compatible with dnsmasq. I created my own set of scripts to download the latest blocklists from GitHub, verify them, install them for use with dnsmasq, and finally restart dnsmasq so it picks up the changes.
https://github.com/bahamas10/notracking
I installed this on my nameserver zones with:

```
mkdir -p /opt/custom/opt/dnsmasq
cd /opt/custom/opt/dnsmasq
git clone git://github.com/bahamas10/notracking.git
cd notracking
```
Then I ran the `update` script to pull the latest files:

```
# ./update
Thu Jul 19 15:06:07 EDT 2018
pulling latest domains list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt)
validating domains list (domains.txt.tmp)
installing domains list: /opt/custom/opt/dnsmasq/notracking/domains.txt
pulling latest hostnames list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt)
validating hostnames list (hostnames.txt.tmp)
installing hostnames list: /opt/custom/opt/dnsmasq/notracking/hostnames.txt
done. took 2 seconds
```
The `update` command will:

- pull the latest `hostnames.txt` and `domains.txt` files to a temporary file in the current directory
- validate them using the `validate` script (ensure the lines are well formed and the IPs are only `::` or `0.0.0.0`)
- move them from their temporary file to `hostnames.txt` and `domains.txt` respectively
- optionally run a command after this is done, given as arguments

Note: Node.JS must be installed for the `validate` script to work.
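An added example, not the `validate` script from the notracking repo: a Node.js validator for the two list formats dnsmasq is fed here, the hosts format loaded via `addn-hosts` and `address=/host/ip` lines loaded via `conf-file`. It enforces the check described above, that every entry points only at `::` or `0.0.0.0`, so a tampered or corrupt upstream list can never redirect a name to a real address; the line formats, hostname rules and sample lines are my assumptions.

```javascript
'use strict';
// Added example, not the validate script from bahamas10/notracking: validates
// hosts-format lines ("<ip> <hostname>", for addn-hosts) and dnsmasq lines
// ("address=/<hostname>/<ip>", for conf-file).  Every entry must sink to
// 0.0.0.0 or ::, otherwise the whole list is rejected.  Samples are constructed.

// Hostname: dot-separated labels of letters, digits and hyphens, no leading or
// trailing hyphen, at most 253 characters in total.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^(?:${LABEL}\\.)*${LABEL}$`, 'i');
const SINKS = new Set(['0.0.0.0', '::']);

// One parser per format; each returns { ip, host } or null when malformed.
const PARSERS = {
  hosts: (line) => {                 // "<ip> <hostname>"
    const m = /^(\S+)\s+(\S+)$/.exec(line);
    return m && { ip: m[1], host: m[2] };
  },
  dnsmasq: (line) => {               // "address=/<hostname>/<ip>"
    const m = /^address=\/([^/]+)\/(\S+)$/.exec(line);
    return m && { ip: m[2], host: m[1] };
  },
};

// Returns { ok, entries, errors }; errors carry 1-based line numbers so a
// failing update can be logged and the previously installed list kept.
function validateBlocklist(text, format) {
  const parse = PARSERS[format];
  if (!parse) throw new Error(`unknown format: ${format}`);
  const errors = [];
  let entries = 0;
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;      // blank or comment
    const e = parse(line);
    if (!e) return errors.push(`line ${i + 1}: malformed: ${line}`);
    if (!SINKS.has(e.ip)) return errors.push(`line ${i + 1}: non-sink address ${e.ip}`);
    if (e.host.length > 253 || !HOSTNAME_RE.test(e.host)) {
      return errors.push(`line ${i + 1}: bad hostname ${e.host}`);
    }
    entries++;
  });
  return { ok: errors.length === 0, entries, errors };
}

// Constructed samples: the last line of each points a name at a real address.
const SAMPLE_HOSTS = '# constructed\n0.0.0.0 tracker.example\n:: tracker.example\n192.0.2.10 bank.example\n';
const SAMPLE_DNSMASQ = 'address=/ads.example/0.0.0.0\naddress=/ads.example/::\naddress=/ads.example/198.51.100.7\n';

for (const [t, f] of [[SAMPLE_HOSTS, 'hosts'], [SAMPLE_DNSMASQ, 'dnsmasq']]) console.log(validateBlocklist(t, f));
```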
dnsmasq
To configure dnsmasq to use these lists you simply need to add these lines to its configuration:

```
# no tracking block lists
conf-file=/opt/custom/opt/dnsmasq/notracking/domains.txt
addn-hosts=/opt/custom/opt/dnsmasq/notracking/hostnames.txt
```
Automatic Updates
To pull these lists automatically, I added this cronjob:

```
0 11 * * * cd /opt/custom/opt/dnsmasq/notracking && ./update svcadm -v restart dnsmasq >> /opt/custom/opt/dnsmasq/notracking/cron.log 2>> /opt/custom/opt/dnsmasq/notracking/cron.log
```
This will pull the latest lists nightly, validate them, install them, and restart dnsmasq on SmartOS.
I also have Nagios checks in place to alert me if the files get too old (meaning the automatic updating is not working).

```
$ /opt/local/libexec/nagios/check_file_age -w 172800 -c 345600 -f /opt/custom/opt/dnsmasq/notracking/domains.txt
FILE_AGE OK: /opt/custom/opt/dnsmasq/notracking/domains.txt is 29510 seconds old and 5312707 bytes | age=29510s;172800;345600 size=5312707B;0;0;0
```
Verify It Works
Query a site that is in the block list against our local DNS server (with the block list) and against a public DNS server:

```
$ dig +short @10.0.1.2 doubleclick.net A
0.0.0.0
$ dig +short @8.8.8.8 doubleclick.net A
216.58.192.206
```