Around five years ago I started looking into different ways to block ads and trackers in the most effective way on my computers. I discovered this hosts list on someonewhocares.org and even wrote a script to automate the process of downloading, verifying, and installing the list on my machines.
I recently got back into it when I was setting up Encrypted DNS with dnsmasq and dnscrypt-proxy on SmartOS. I stumbled across the Pi-hole project and really liked it; however, I didn't want to run a Raspberry Pi in my house as part of any critical infrastructure. Instead, I took the essence of that project and found a compiled blocklist to use with my existing dnsmasq setup to block these sites at the DNS level.
I found notracking/hosts-blocklists, which is an automatically updating block list compiled from multiple sources for dnsmasq. I created my own set of scripts to download the latest blocklists from GitHub, verify them, install them for use with dnsmasq, and finally restart dnsmasq so it picks up the changes.
I installed this on my nameserver zones with:

mkdir -p /opt/custom/opt/dnsmasq
cd /opt/custom/opt/dnsmasq
git clone git://github.com/bahamas10/notracking.git
cd notracking
Then I ran the update script to pull the latest files:

# ./update
Thu Jul 19 15:06:07 EDT 2018
pulling latest domains list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt)
validating domains list (domains.txt.tmp)
installing domains list: /opt/custom/opt/dnsmasq/notracking/domains.txt
pulling latest hostnames list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt)
validating hostnames list (hostnames.txt.tmp)
installing hostnames list: /opt/custom/opt/dnsmasq/notracking/hostnames.txt
done. took 2 seconds
The update command will:
- pull the latest domains.txt and hostnames.txt files to a temporary file in the current directory
- validate them using the validate script (ensure the lines are well formed and the IPs only point to a sinkhole address such as 0.0.0.0, so a tampered list cannot redirect a name to a real host)
- move them from their temporary file to their final location under the notracking directory
- optionally run a command after this is done, given as arguments

Note: Node.JS must be installed for the validate script to work.
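The following is an added example of the kind of check the validate step performs, written by me for this post and not the notracking project's own validate script. It assumes the two line formats shown in the dnsmasq configuration below (`address=/name/ip` for domains.txt, `ip name` for hostnames.txt) and that the only acceptable addresses are the sinkholes 0.0.0.0 and ::.

```javascript
'use strict';
// Added example, not the notracking project's validate script. The accepted
// sinkhole addresses and both line formats below are assumptions.
const SINKHOLE_IPS = new Set(['0.0.0.0', '::']);

// Hostname label rules: letters, digits, hyphens; no empty or hyphen-edged labels.
const HOSTNAME_RE = /^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/i;
// domains.txt lines look like:   address=/tracker.example/0.0.0.0
const DOMAINS_RE = /^address=\/([^/]+)\/(\S+)$/;
// hostnames.txt lines look like: 0.0.0.0 tracker.example
const HOSTS_RE = /^(\S+)\s+(\S+)$/;

// Returns null if the line is acceptable, otherwise a reason string.
function checkLine(line, format) {
  const trimmed = line.trim();
  if (trimmed === '' || trimmed.startsWith('#')) return null; // blank or comment
  const m = trimmed.match(format === 'domains' ? DOMAINS_RE : HOSTS_RE);
  if (!m) return `malformed line: ${trimmed}`;
  const host = format === 'domains' ? m[1] : m[2];
  const ip = format === 'domains' ? m[2] : m[1];
  if (!HOSTNAME_RE.test(host)) return `bad hostname: ${host}`;
  // The security-relevant check: an entry may only sinkhole a name, never
  // point it at a real address, so anything else is rejected outright.
  if (!SINKHOLE_IPS.has(ip)) return `non-sinkhole address ${ip} for ${host}`;
  return null;
}

// Validate a whole file's contents; returns { ok, entries, errors }.
function validateList(text, format) {
  const errors = [];
  let entries = 0;
  text.split('\n').forEach((line, i) => {
    const err = checkLine(line, format);
    if (err) errors.push(`line ${i + 1}: ${err}`);
    else if (line.trim() && !line.trim().startsWith('#')) entries++;
  });
  return { ok: errors.length === 0, entries, errors };
}

// Constructed sample input, not real list contents.
const SAMPLE_DOMAINS = [
  '# comment',
  'address=/doubleclick.net/0.0.0.0',
  'address=/doubleclick.net/::',
  'address=/ads.example/203.0.113.5', // would redirect rather than block
  'address=/bad host/0.0.0.0',        // malformed hostname
].join('\n');
```

Running validateList(SAMPLE_DOMAINS, 'domains') accepts the two sinkhole entries and reports the redirecting and malformed lines, which is the point of validating before installing.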
To configure dnsmasq to use these lists you simply need to add these lines to its configuration:

# no tracking block lists
conf-file=/opt/custom/opt/dnsmasq/notracking/domains.txt
addn-hosts=/opt/custom/opt/dnsmasq/notracking/hostnames.txt
To pull these lists automatically, I added this cronjob:

0 11 * * * cd /opt/custom/opt/dnsmasq/notracking && ./update svcadm -v restart dnsmasq >> /opt/custom/opt/dnsmasq/notracking/cron.log 2>> /opt/custom/opt/dnsmasq/notracking/cron.log

This will pull the latest lists nightly, validate them, install them, and restart dnsmasq on SmartOS.
I also have nagios checks in place to alert me if the files get too old (meaning the automatic updating is not working).

$ /opt/local/libexec/nagios/check_file_age -w 172800 -c 345600 -f /opt/custom/opt/dnsmasq/notracking/domains.txt
FILE_AGE OK: /opt/custom/opt/dnsmasq/notracking/domains.txt is 29510 seconds old and 5312707 bytes | age=29510s;172800;345600 size=5312707B;0;0;0
Verify It Works

Query a site that is in the block list on our local DNS server (with the block list) and on a public DNS server:

$ dig +short @10.0.1.2 doubleclick.net A
0.0.0.0
$ dig +short @184.108.40.206 doubleclick.net A
220.127.116.11