Block "Junk" With dnsmasq


Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Block "Junk" With dnsmasq

Post by Snorkasaurus » 16 Aug 2015, 19:36

In a recent post here viking60 told us about Windows 10 sending collected data from PCs to ssw.live.com. So I thought I would do a little write-up about using dnsmasq to block access to all kinds of junk, including servers for ads, malware, "phone home" ware, and tracking.

On Debian I just sudo apt-get -y install dnsmasq to get it, and it is configured by /etc/dnsmasq.conf as well as the files in /etc/dnsmasq.d. I like to comment out all of the settings in the .conf file except for just a few lines that I add at the bottom:

Code:

conf-dir=/etc/dnsmasq.d
conf-file=/etc/ad_hosts.txt
addn-hosts=/etc/mvp_hosts.txt

The first line tells dnsmasq to process files in the dnsmasq.d directory, the second line tells it to use /etc/ad_hosts.txt as a dnsmasq config file, and the third line tells it to treat /etc/mvp_hosts.txt as a hosts file. This allows me to put separate .conf files in /etc/dnsmasq.d which will all get processed, allowing me to separate my config into manageable chunks.

For example, /etc/dnsmasq.d/local_dns.conf can be used to set up names for devices on your internal network like this:

Code:

address=/server1.network.home/192.168.1.2
address=/server2.network.home/192.168.1.3
address=/www.network.home/192.168.1.21
address=/pc1.network.home/192.168.1.101
address=/pc2.network.home/192.168.1.102

Now, to add in support for the MVPHosts file you'll want to cron a weekly task to download it and restart dnsmasq.

Code:

#!/bin/sh
# fetch the current MVPS hosts file, then restart dnsmasq so it re-reads the addn-hosts file
wget -O /etc/mvp_hosts.txt http://winhelp2002.mvps.org/hosts.txt
/etc/init.d/dnsmasq restart

For the ad_hosts.txt file I basically have the same cron'ed script except that it downloads my personal list of hosts I don't like. Now you can test your setup by using nslookup to connect to your dnsmasq and try some queries:

Code:

nslookup www.doubleclick.net 192.168.1.2
Server:         192.168.1.2
Address:        192.168.1.2#53

Name:   www.doubleclick.net
Address: 127.0.0.1

If you do the same query against the DNS server 8.8.8.8 you will likely see a very different answer. Now that your DNS server works, you need your clients to use it instead of your default DNS server (probably your router). On my dd-wrt router I just went to the "Services" page of the dd-wrt admin interface and added this to the dnsmasq section:

Code:

dhcp-option=option:dns-server,192.168.1.2

Yes, it is true that my dd-wrt router is already using dnsmasq, but I chose to run a separate instance on a Debian box because the dd-wrt design makes its dnsmasq a pain to configure. I use it for DHCP but not this kind of detailed DNS config. So renew an IP address on one of your clients and try a direct DNS query:

Code:

C:\>nslookup www.doubleclick.net
Server:  UnKnown
Address:  192.168.1.2

Name:    www.doubleclick.net
Address:  127.0.0.1

Now your clients are unable to reach the servers defined in the MVPHosts file as well as the list I maintain of crappy hosts.

Now... what if Microsoft was smart enough to design its "phone home" ware to use a special DNS server other than your default one? Well, head back into the dd-wrt admin page and click on the "Access Restrictions" tab to set up a restriction that denies your clients from using DNS servers that are outside your network like this:
Image

You'll need to click on the Client List button to define the IP addresses on your network that should not have access to DNS through the firewall. Of course you will need to keep your new DNS server off this list because it will still need to provide upstream queries. Your client PCs should now get this:

Code:

C:\>nslookup www.doubleclick.net 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  8.8.8.8

when trying to query external DNS servers. Now your client PCs do not have the ability to resolve these "bad names" while on your network. It should be clear though that mobile devices will not be protected while on networks other than your own. If anyone has any suggestions about my list or this howto please let me know. :-)

S.

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Block "Junk" With dnsmasq

Post by Snorkasaurus » 17 Aug 2015, 03:31

Here's a bonus... a script that downloads, converts and uses the "malware domain" list from Easylist which is one of the default list maintainers in AdBlock Plus. Cron this up for weekly execution on your DNS server to block a whack of (over 9400) bad domains.

Code:

#!/bin/sh
set -e
wget -U "wget/snorkscript" -O /etc/dnsmasq.d/maldomains.txt https://easylist-downloads.adblockplus.org/malwaredomains_full.txt
# Comment out the stuff at the top [usually] of the file: the "[Adblock Plus 2.0]" header and "!" comment lines
sed -i 's/^\[/#\[/' /etc/dnsmasq.d/maldomains.txt
sed -i 's/^\!/#\!/' /etc/dnsmasq.d/maldomains.txt
# convert the format to something dnsmasq can understand: "||domain^" becomes "address=/.domain/127.0.0.1"
sed -i 's/^||/address\=\/\./' /etc/dnsmasq.d/maldomains.txt
sed -i 's/\^$/\/127\.0\.0\.1/' /etc/dnsmasq.d/maldomains.txt
# restart dnsmasq so the new file in /etc/dnsmasq.d is picked up
/etc/init.d/dnsmasq restart

S.
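As an added example (not the poster's script), here is the same Adblock Plus to dnsmasq conversion in Python, extended to deal with the lines the sed commands leave untouched: exception rules (@@), path and element-hiding rules, and rules carrying $options. Those are reported instead of being written into the config, because dnsmasq refuses to start on a line it cannot parse. The sample list is constructed for the example.

```python
import re
import sys

# A whole-domain blocking rule in Adblock Plus syntax: ||example.com^ with optional $options.
DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^(?:\$(.+))?$", re.IGNORECASE)

# Constructed sample in EasyList format (not the real malware domain list).
SAMPLE_LIST = """[Adblock Plus 2.0]
! Title: constructed sample
||evil-example.test^
||Tracker.Example.test^
||evil-example.test^
||cdn.example.test^$third-party
@@||good.example.test^
||example.test/path/ad.js
example.test##.banner
""".splitlines()

def abp_to_dnsmasq(lines, sinkhole="127.0.0.1"):
    """Turn Adblock Plus filter lines into dnsmasq address= directives.

    Returns (directives, skipped). Only plain ||domain^ rules become DNS blocks;
    anything else is returned in `skipped` for review rather than written into
    the dnsmasq config, where an unrecognised line stops dnsmasq from starting.
    """
    directives, skipped, seen = [], [], set()
    for raw in lines:
        line = raw.strip()                       # also removes CRLF line endings
        if not line or line[0] in "[!":          # "[Adblock Plus 2.0]" header, "!" comments
            continue
        m = DOMAIN_RULE.match(line)
        # Exceptions (@@...), path rules, element hiding (##) and rules scoped by
        # $options such as $third-party cannot be expressed as a DNS block.
        if not m or m.group(2):
            skipped.append(line)
            continue
        domain = m.group(1).lower().strip(".")
        if domain and domain not in seen:        # duplicates are harmless, but keep the file tidy
            seen.add(domain)
            directives.append(f"address=/{domain}/{sinkhole}")
    return directives, skipped

if __name__ == "__main__":
    out, bad = abp_to_dnsmasq(SAMPLE_LIST)
    print("\n".join(out))
    print(f"# skipped {len(bad)} lines that are not plain domain rules", file=sys.stderr)
```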

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Block "Junk" With dnsmasq

Post by Snorkasaurus » 17 Aug 2015, 04:00

Another bonus...

Some browsers will display a "Can't find that site" error message in the "blocked" parts of some web pages because bad sites are being blocked by fooling your PC into thinking they are really 127.0.0.1. If you have a Windows based client I know of two little "localhost web servers" that can be used to serve up a tiny image instead of allowing your browser to time out on the bad site redirections.

The one I use is called Homer and was made by FunkyToad Software. Unfortunately FunkyToad seems to have disappeared (well, bought by Dreamhost), but I have this custom NSIS build of Homer v1.3 that will install itself in C:\Apps\Homer and use SRVANY to run it as a service. It is very light on resources, using a little over 1MB of memory. Alternatively I understand that eDexter is supposed to provide the same functionality, though I have never used it (the download is something like 64kB).

Happy blocking!
S.
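As an added example (not Homer, eDexter, or anything from the poster), here is the same idea as a small Python script that runs on any client: it listens on 127.0.0.1 and answers every request for a sinkholed host with a 1x1 transparent GIF. This is also why, as the later reply in this thread notes, 127.0.0.1 is used rather than 0.0.0.0: a local server can only answer if the blocked name resolves to an address something is listening on.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# A 1x1 transparent GIF (43 bytes): the smallest image browsers render without complaint.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")

def pixel_response(path):
    """Status, headers and body for any request: every path gets the pixel.

    The request path is deliberately ignored. Whatever the blocked host was asked
    for (script, tracker beacon, banner), a tiny cacheable image comes back, so the
    page finishes loading instead of waiting for a host that never answers.
    """
    headers = {
        "Content-Type": "image/gif",
        "Content-Length": str(len(PIXEL_GIF)),
        "Cache-Control": "public, max-age=86400",
        "Connection": "close",
    }
    return 200, headers, PIXEL_GIF

class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = pixel_response(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # tracking beacons are often POSTed; answer them the same way

    def log_message(self, fmt, *args):  # keep the console quiet
        pass

if __name__ == "__main__":
    # Bound to 127.0.0.1 only, so it answers just the sinkholed names on this machine.
    # Binding port 80 needs administrator/root privileges.
    HTTPServer(("127.0.0.1", 80), PixelHandler).serve_forever()
```

Only plain http: is helped; a blocked host reached over https: still fails, because nothing on 127.0.0.1 can present a certificate for that name.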

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Block "Junk" With dnsmasq

Post by viking60 » 17 Aug 2015, 10:50

Thanks - great stuff!
I will dig into it when I find the time...
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Block "Junk" With dnsmasq

Post by Snorkasaurus » 19 Aug 2015, 22:29

Update:
I have a cell phone that runs Android. I don't particularly like Android [for a few reasons] but am using it anyway. I have installed a few applications on this phone and was monitoring the DNS queries made by my phone, some of which were for advertising and some of which... well, I don't know why it was making those queries. So, I have added some more addresses to the list today. I must say that the free version of Fongo looks really clean now.

If anyone has any hosts they would like added to the list just let me know!

PS: If you run dnsmasq you can monitor what your client PCs are querying by adding "log-queries" to your conf files and then use

Code:

tail -f /var/log/syslog | grep --line-buffered query

to watch the queries in real-time. If you have a lot of clients you may want to limit the grep by using the IP address of the client or even cat'ing the queries out to a separate log file to parse through at your leisure.

S.
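As an added example (not part of the post), here is a small parser for the syslog lines that "log-queries" produces, doing what the post suggests for a busier network: it tallies queries per client and counts how often each client hit a sinkholed name, which is the quickest way to spot a device that is noisily "phoning home". The log lines below are constructed in dnsmasq's format; the hosts-file path is the one from the first post.

```python
import re
from collections import defaultdict

# Lines dnsmasq writes with "log-queries": a syslog prefix, then the dnsmasq message.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
# Answers served locally: "config" for address= rules, or the path of the hosts file the
# name came from (e.g. /etc/mvp_hosts.txt). Upstream answers log "reply ..." instead.
LOCAL_ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (?:config|/\S+) (\S+) is (\S+)$")
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample log in the format dnsmasq writes to /var/log/syslog.
SAMPLE_LOG = """Aug 19 22:10:01 dnsbox dnsmasq[1234]: query[A] www.doubleclick.net from 192.168.1.101
Aug 19 22:10:01 dnsbox dnsmasq[1234]: config www.doubleclick.net is 127.0.0.1
Aug 19 22:10:02 dnsbox dnsmasq[1234]: query[A] www.example.com from 192.168.1.101
Aug 19 22:10:02 dnsbox dnsmasq[1234]: forwarded www.example.com to 8.8.8.8
Aug 19 22:10:02 dnsbox dnsmasq[1234]: reply www.example.com is 203.0.113.5
Aug 19 22:10:05 dnsbox dnsmasq[1234]: query[A] ads.example.test from 192.168.1.102
Aug 19 22:10:05 dnsbox dnsmasq[1234]: /etc/mvp_hosts.txt ads.example.test is 127.0.0.1
Aug 19 22:10:09 dnsbox dnsmasq[1234]: query[A] ads.example.test from 192.168.1.102
Aug 19 22:10:09 dnsbox dnsmasq[1234]: /etc/mvp_hosts.txt ads.example.test is 127.0.0.1
""".splitlines()

def summarize_queries(lines):
    """Per client: total queries, and how often each sinkholed name was asked for."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": defaultdict(int)})
    # dnsmasq does not repeat the client address on the answer line, so an answer is
    # attributed to the client that most recently asked for that exact name.
    last_client = {}
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            name, client = q.groups()
            stats[client]["queries"] += 1
            last_client[name] = client
            continue
        a = LOCAL_ANSWER_RE.search(line)
        if a and a.group(2) in SINKHOLES and a.group(1) in last_client:
            stats[last_client[a.group(1)]]["blocked"][a.group(1)] += 1
    return {c: {"queries": s["queries"], "blocked": dict(s["blocked"])} for c, s in stats.items()}

def noisiest_blocked(stats, n=5):
    """Top n (client, name, count) triples, most-sinkholed first: where to look first."""
    rows = [(c, name, k) for c, s in stats.items() for name, k in s["blocked"].items()]
    return sorted(rows, key=lambda r: -r[2])[:n]

if __name__ == "__main__":
    for client, name, k in noisiest_blocked(summarize_queries(SAMPLE_LOG)):
        print(f"{client:<16} {name:<30} {k}")
```

Feed it the real thing with something like `grep dnsmasq /var/log/syslog | python3 thisfile.py`, after changing the `__main__` block to read `sys.stdin`.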

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Block "Junk" With dnsmasq

Post by Snorkasaurus » 27 Aug 2015, 16:20

Today I saw this article in /r/anticonsumption and decided to add RaGaPa to the block list.

In short, AT&T hotspots are injecting ads into http pages.

s.

dedanna1029
Sound-Berserk
Posts: 8780
Joined: 14 Mar 2010, 20:29

Re: Block "Junk" With dnsmasq

Post by dedanna1029 » 02 Sep 2015, 19:54

Snorkasaurus wrote:Another bonus...

Some browsers will display a "Can't find that site" error message in the "blocked" parts of some web pages because bad sites are being blocked by fooling your PC into thinking they are really 127.0.0.1. If you have a Windows based client I know of two little "localhost web servers" that can be used to serve up a tiny image instead of allowing your browser to time out on the bad site redirections.

The one I use is called Homer and was made by FunkyToad Software. Unfortunately FunkyToad seems to have disappeared (well, bought by Dreamhost), but I have this custom NSIS build of Homer v1.3 that will install itself in C:\Apps\Homer and use SRVANY to run it as a service. It is very light on resources, using a little over 1MB of memory. Alternatively I understand that eDexter is supposed to provide the same functionality, though I have never used it (the download is something like 64kB).

Happy blocking!
S.

Why not just use 0.0.0.0 instead of 127.0.0.1?
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Block "Junk" With dnsmasq

Post by Snorkasaurus » 08 Sep 2015, 05:37

dedanna1029 wrote:Why not just use 0.0.0.0 instead of 127.0.0.1?

Because there is no way to run a web server on 0.0.0.0 and you end up with "Can't resolve server" messages in areas where some ads or junk used to be. With Homer running on 127.0.0.1 you get a 1x1 pixel transparent image and it makes web pages look much better.
s.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Block "Junk" With dnsmasq

Post by viking60 » 08 Sep 2015, 19:47

Here is a test site:
https://www.dnsleaktest.com/
And here is my dnsmasq install:
viewtopic.php?f=11&t=1921&p=20979#p20979

dedanna1029
Sound-Berserk
Posts: 8780
Joined: 14 Mar 2010, 20:29

Re: Block "Junk" With dnsmasq

Post by dedanna1029 » 08 Sep 2015, 20:22

So then we should either be using the Tor browser or have some kind of anonymous network, yes, this I get, but I was reading about using the 0.0.0.0, and it made sense. I didn't realise though that it would prevent the server from running at the time, hadn't thought of it.

I used to keep a very long hosts file; it got too tedious for me, so find alternate methods now of blocking unwanted traffic, and of preventing privacy leaks. Firewall, etc., anonymous browsers, VPNs.

