Joined: 17 Apr 2014 Posts: 140 Location: SF Bay Area
Posted: Tue Feb 13, 2024 2:46 Post subject: [SOLUTION] DNS blocking using just dnsmasq
Update:
* wget has no TLS support
* 'killall -HUP dnsmasq' rereads /etc/hosts but does not reread dnsmasq_options
These have been adjusted in this post.
Notes:
* If you use DoH/DoT, purge them from doh.txt
* Check dnsmasq version as there are pre and post v2.86 lists, recent builds use v2.89.
* Works with any blocklist of the form 'local=/<url>/'
* The 'pro' list contains 250K entries, yet dnsmasq uses only 15M memory with zero performance impact (RT-AC68U).
* The lists can be many Megabytes so USB storage, or host the files elsewhere with re-init in 'Administration -> Commands -> Startup'.
* List maintenance is cron + curl, eg
Code:
cd /tmp; curl -LO https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt && service dnsmasq restart
* If clients are bypassing port 53 (or however your DNS is set up) this won't be effective. 'Forced DNS Redirection' and hagezi's 'doh' list are recommended. Dnsmasq logging will reveal all.
I'll update this post if there are issues or questions on the above method.
Cheers,
Last edited by lazardo on Sun Feb 18, 2024 19:36; edited 4 times in total
Code:
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 query[A] forum.dd-wrt.com from 192.168.1.48
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 cached forum.dd-wrt.com is 185.84.6.126
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN
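The post says dnsmasq logging "will reveal all"; the following is an added example (not from the original post or from dnsmasq) of turning 'log-queries=extra' output into a per-client view of what the blocklist is actually catching. It assumes the log line layout shown above (request id, client/port, outcome, name) and runs on a constructed sample log embedded in the script, not on real router output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise dnsmasq
# 'log-queries=extra' output. Blocked names answered from the conf-file lists
# show up as 'config <name> is NXDOMAIN'; everything else is 'cached' or
# 'forwarded'. The sample below is constructed to match that layout.

# Constructed sample log in the same layout as the lines quoted in the post.
make_sample_log() {
  cat <<'EOF'
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 query[A] forum.dd-wrt.com from 192.168.1.48
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 cached forum.dd-wrt.com is 185.84.6.126
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN
Feb 13 11:04:01 dnsmasq[12066]: 1242 192.168.1.6/40112 query[A] dns.google from 192.168.1.6
Feb 13 11:04:01 dnsmasq[12066]: 1242 192.168.1.6/40112 config dns.google is NXDOMAIN
Feb 13 11:04:09 dnsmasq[12066]: 1243 192.168.1.48/50001 query[A] example.com from 192.168.1.48
Feb 13 11:04:09 dnsmasq[12066]: 1243 192.168.1.48/50001 forwarded example.com to 9.9.9.9
EOF
}

# Field layout of an answer line:
#   $1-$3 timestamp, $4 'dnsmasq[pid]:', $5 request id, $6 client/port,
#   $7 outcome (cached|config|forwarded), $8 name, $9 'is'/'to', $10 value.

# Blocked answers per client: "<client-ip> <count>", one per line, sorted.
blocked_per_client() {
  awk '$7 == "config" && $10 == "NXDOMAIN" {
         split($6, a, "/"); n[a[1]]++
       }
       END { for (c in n) print c, n[c] }' "$1" | sort
}

# Distinct names that hit the blocklist, sorted.
blocked_domains() {
  awk '$7 == "config" && $10 == "NXDOMAIN" { print $8 }' "$1" | sort -u
}

# How answers were resolved: "<outcome> <count>" for cached/config/forwarded.
outcome_summary() {
  awk '$7 ~ /^(cached|config|forwarded)$/ { o[$7]++ }
       END { for (k in o) print k, o[k] }' "$1" | sort
}

# Demo run on the constructed sample. On the router, point these at the
# log-facility file from dnsmasq_options instead (e.g. /mnt/sda1/dnsmasq.log).
LOG=$(mktemp)
make_sample_log > "$LOG"
echo "== blocked answers per client =="; blocked_per_client "$LOG"
echo "== blocked names ==";              blocked_domains "$LOG"
echo "== answers by outcome ==";         outcome_summary "$LOG"
rm -f "$LOG"
```

A client that should be on the LAN but never appears in the log at all is the one to look at next: it is resolving somewhere else (DoH, DoT, or a hard-coded resolver), which is exactly the bypass case the post says this method cannot catch without forced DNS redirection.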
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Wed Feb 14, 2024 0:45 Post subject:
Those big chunky lists are a double-edged dagger, as they may break some stuff around... there are tons of ad blockers based on the same idea and a few blocklists too... to find the happy medium is a bit of work... I always add and remove some hosts from there, then kill dnsmasq in order for the changes to take action... but thanks for the blocklist link...
cheers
_________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 17 Apr 2014 Posts: 140 Location: SF Bay Area
Posted: Wed Feb 14, 2024 19:48 Post subject:
hagezi has 5 or 6 list levels from light/easy to heavy/complex, with clear documentation and no overlaps. Volatile lists are updated daily, others weekly.
dnsmasq_options
Code:
filter-AAAA
neg-ttl=60
log-facility=/mnt/sda1/dnsmasq.log
log-queries=extra
# about 300K blocked domains
conf-file=/mnt/sda1/native.apple.txt
conf-file=/mnt/sda1/native.amazon.txt
conf-file=/mnt/sda1/roku.txt
conf-file=/mnt/sda1/doh.txt
conf-file=/mnt/sda1/pro.txt
conf-file=/mnt/sda1/tif.normal.txt
# intel is the LAN NTP server
cname=time.apple.com,time-ios.apple.com,time-macos.apple.com,intel
cname=usscz2-ntp-001.aaplimg.com,usscz2-ntp-002.aaplimg.com,intel
address=/use-application-dns.net/
Once this method is proven, the only additional step is to sort out how to flag ESNI by watching for an initial port-53 DNS query followed by HTTPS, or TLS followed by HTTPS, patterns by way of conntrack/tcpdump.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Feb 15, 2024 19:40 Post subject:
It's probably not a bad idea to add a sed/sort/grep line, where it will download only the lines with the 'local=/<url>/' format.. so in this case, if someone takes over that hosts page, you will not add malicious stuff to your DNS hosts.. allowing some odd connections...
If you look at most of the ad-blocker scripts available around.. you will see something like... in all of them...
_________________
I'm on IPset rules for ad-blocking... so, I'm not using this script any more... but just as an example...
_________________
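Putting the two posts together, here is an added example (not from either poster, and not hagezi's or DD-WRT's code) of the cron job from the first post with the line filter suggested in the later reply. It keeps only lines of the exact form 'local=/<name>/', so a compromised or rewritten upstream file cannot smuggle other dnsmasq directives (address=, server=, conf-file=, dhcp-option=) into dnsmasq_options, refuses to replace a good list with a truncated one, and installs atomically. The paths, the 1000-line minimum and the sample input are assumptions for illustration; the restart is kept outside the function so several lists can be refreshed before one 'service dnsmasq restart' (the thread notes that a HUP does not reread dnsmasq_options).

```shell
#!/bin/sh
# Added example, not from the original thread: fetch a dnsmasq-format
# blocklist, keep only 'local=/<name>/' lines, sanity-check the size and
# install atomically. File paths, URL and MIN_LINES are illustrative.

# Allowed form: local=/<name>/ where <name> is a DNS name made of labels of
# letters, digits, '-' or '_' joined by dots. Comments, blank lines and every
# other dnsmasq directive are dropped. Reads stdin, writes stdout.
filter_blocklist() {
  grep -E '^local=/[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*/$'
}

# Line count without the padding BusyBox/macOS wc adds.
line_count() {
  wc -l < "$1" | tr -d ' '
}

# install_blocklist URL DEST [MIN_LINES]
# Downloads URL, filters it, and replaces DEST only if at least MIN_LINES
# valid entries survived. Leaves DEST untouched and returns non-zero otherwise.
install_blocklist() {
  url=$1; dest=$2; min_lines=${3:-1000}
  raw=$(mktemp) || return 1
  clean="$dest.tmp.$$"          # same filesystem as DEST so mv is atomic
  # -f: fail on HTTP errors, -L: follow redirects, -s: quiet. curl verifies
  # TLS by default; the post notes the router's wget has no TLS support.
  if ! curl -fsSL -o "$raw" "$url"; then
    echo "download failed: $url" >&2; rm -f "$raw"; return 1
  fi
  filter_blocklist < "$raw" > "$clean"
  rm -f "$raw"
  n=$(line_count "$clean")
  if [ "$n" -lt "$min_lines" ]; then
    echo "refusing to install $dest: only $n valid lines (min $min_lines)" >&2
    rm -f "$clean"; return 1
  fi
  mv -f "$clean" "$dest"
  echo "installed $dest ($n entries)"
}

# Constructed sample: genuine-looking entries plus lines an attacker who
# controlled the upstream file might add. Only the three plain 'local=' lines
# should survive the filter.
sample_input() {
  cat <<'EOF'
# hagezi-style header comment
local=/scribe.logs.roku.com/
local=/dns.google/
local=/ad_tracker.example/
address=/bank.example/203.0.113.7
server=/corp.example/198.51.100.53
conf-file=/etc/passwd
local=/evil.example/ # trailing comment
local=//
dhcp-option=6,198.51.100.53
EOF
}

echo "== sanitised sample list =="
sample_input | filter_blocklist

# Real use from cron on the router (needs network; dnsmasq_options must carry
# 'conf-file=/mnt/sda1/pro.txt'). The minimum is an assumed value:
#   install_blocklist https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt \
#       /mnt/sda1/pro.txt 100000 && service dnsmasq restart
```

Run it with no arguments and it only prints the filtered sample; the install line in the trailing comment is what goes into the cron entry. The 'address=' line in the sample is the case that matters most: with a raw 'curl -LO' it would have silently redirected a bank's name to an attacker-chosen IP for every client on the LAN.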