[SOLUTION] DNS blocking using just dnsmasq

lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Tue Feb 13, 2024 2:46    Post subject: [SOLUTION] DNS blocking using just dnsmasq
Update:
* wget has no TLS support
* 'killall -HUP dnsmasq' rereads /etc/hosts but does not reread dnsmasq_options
These have been adjusted in this post.

Start with the 'pro' and 'doh' blocklists from https://github.com/hagezi/dns-blocklists/tree/main/dnsmasq. Most lists are updated daily and appear to be well managed.

Add to 'Services -> Additional Options' a line for each list, turn on logging
Code:
conf-file=/tmp/pro.txt
conf-file=/tmp/doh.txt
log-facility=/tmp/dnsmasq.log
log-queries=extra

Then
Code:
service dnsmasq restart

Notes:
* If you use DoH/DoT, purge them from doh.txt
* Check the dnsmasq version, as there are pre- and post-v2.86 lists; recent builds use v2.89.
* Works with any blocklist of the form 'local=/<url>/'
* The 'pro' list contains 250K entries, yet dnsmasq uses only 15M memory with zero performance impact (RT-AC68U).
* The lists can be many megabytes, so use USB storage, or host the files elsewhere with re-init in 'Administration -> Commands -> Startup'.
* List maintenance is cron + curl, eg
Code:
cd /tmp; curl -LO https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt && service dnsmasq restart

* If clients are bypassing port 53 (or however your DNS is setup) this won't be effective. 'Forced DNS Redirection' and hagezi's 'doh' list are recommended. Dnsmasq logging will reveal all.

I'll update this post if there are issues or questions on the above method.

Cheers,


Last edited by lazardo on Sun Feb 18, 2024 19:36; edited 4 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Tue Feb 13, 2024 8:04    Post subject:
have you tried your script on a DDWRT router...?

wget will not do https.. you'd need curl instead...

killall -HUP dnsmasq &

or

stopservice dnsmasq && sleep 2 && startservice dnsmasq may do better...

also, running this adblock, what is the output of netstat -npla

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Tue Feb 13, 2024 19:08    Post subject:
Alozaros wrote:
have you tried your script on a DDWRT router...?

wget will not do https.. you'd need curl instead...

killall -HUP dnsmasq &

or

stopservice dnsmasq && sleep 2 && startservice dnsmasq may do better...

also, running this adblock, what is the output of netstat -npla


I found out wget has no TLS support at 2am when the script ran.

Code:
root@dd-wrt:/mnt/sda1# netstat -npla | tee 1.tmp
Active Internet connections (servers and established)
netstat: /proc/net/tcp6: No such file or directory
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1191/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3635/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      12066/dnsmasq
tcp        0      0 192.168.1.251:22        192.168.1.48:55940      ESTABLISHED 11014/dropbear
netstat: /proc/net/udp6: No such file or directory
udp        0      0 0.0.0.0:53              0.0.0.0:*                           12066/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           12066/dnsmasq
udp        0      0 0.0.0.0:35182           0.0.0.0:*                           1014/syslogd
udp        0      0 127.0.0.1:34954         0.0.0.0:*                           3625/nas
netstat: /proc/net/raw6: No such file or directory
raw        0      0 0.0.0.0:255             0.0.0.0:*               255         1822/wland
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  10     [ ]         DGRAM                       909 1014/syslogd        /dev/log
unix  2      [ ]         DGRAM                       100 701/mstpd           @.mstp_server
unix  2      [ ]         DGRAM                     12457 3635/httpd         
unix  2      [ ]         DGRAM                      4921 705/irqbalance     
unix  2      [ ]         DGRAM                     12795 3916/cron           
unix  2      [ ]         DGRAM                      2286 1016/klogd         
unix  2      [ ]         DGRAM                      1213 701/mstpd           
unix  2      [ ]         DGRAM                      8503 2639/ttraff         
unix  2      [ ]         DGRAM                     12855 3625/nas           
unix  2      [ ]         DGRAM                      1069 1/init             
unix  2      [ ]         DGRAM                      2471 1191/dropbear       
unix  2      [ ]         DGRAM                     12562 3804/process_monito
root@dd-wrt:/mnt/sda1#
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Tue Feb 13, 2024 19:33    Post subject:
Blocklist now ~300K entries, dnsmasq memory footprint 18.2MB, no router performance issues (RT-AC68U).

NXDOMAIN is returned for blocked DNS query:
Code:
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 query[A] forum.dd-wrt.com from 192.168.1.48
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 cached forum.dd-wrt.com is 185.84.6.126
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN
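The log excerpt above shows the two line shapes that matter with 'log-queries=extra': a 'query[...] <name> from <client>' line for every request, and a 'config <name> is NXDOMAIN' line when the answer came from a local=/.../ entry rather than an upstream server. The following is an added example, not code from any post in this thread, that turns such a log into a per-client report using only sh, awk and sort so it can run on the router itself. The sample log lines are constructed for the example (the 192.168.1.x clients, the example.test names and the query ids are made up), and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: summarise a dnsmasq log written with
# 'log-queries=extra'. Field layout assumed (as in the excerpt above):
#   $1 $2 $3 = "Feb 13 11:03:13"   $4 = "dnsmasq[12066]:"   $5 = query id
#   $6 = "<client>/<port>"          $7 = query[A] | config | cached | forwarded | reply
#   $8 = name                       $9 $10 = "from <client>" or "is NXDOMAIN"
# A blocklist hit is a 'config <name> is NXDOMAIN' line.

# Constructed sample log; writes it to a temp file and prints the path.
sample_log() {
  f=$(mktemp) || return 1
  printf '%s\n' \
    'Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 query[A] forum.dd-wrt.com from 192.168.1.48' \
    'Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 cached forum.dd-wrt.com is 185.84.6.126' \
    'Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6' \
    'Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN' \
    'Feb 13 11:03:14 dnsmasq[12066]: 1242 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6' \
    'Feb 13 11:03:14 dnsmasq[12066]: 1242 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN' \
    'Feb 13 11:03:20 dnsmasq[12066]: 1243 192.168.1.6/36927 query[A] telemetry.example.test from 192.168.1.6' \
    'Feb 13 11:03:20 dnsmasq[12066]: 1243 192.168.1.6/36927 config telemetry.example.test is NXDOMAIN' \
    'Feb 13 11:03:41 dnsmasq[12066]: 1244 192.168.1.6/36927 query[A] api.example.test from 192.168.1.6' \
    'Feb 13 11:03:41 dnsmasq[12066]: 1244 192.168.1.6/36927 forwarded api.example.test to 203.0.113.53' \
    'Feb 13 11:03:41 dnsmasq[12066]: 1244 192.168.1.6/36927 reply api.example.test is 203.0.113.10' \
    'Feb 13 11:04:02 dnsmasq[12066]: 1245 192.168.1.48/51000 query[A] use-application-dns.net from 192.168.1.48' \
    'Feb 13 11:04:02 dnsmasq[12066]: 1245 192.168.1.48/51000 config use-application-dns.net is NXDOMAIN' > "$f"
  echo "$f"
}

# Blocked answers per client, most-blocked first: "<count> <client>"
blocked_by_client() {
  awk '$7 == "config" && $10 == "NXDOMAIN" { split($6, c, "/"); n[c[1]]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Most frequently blocked names: "<count> <name>", top N (default 10)
blocked_domains() {
  awk '$7 == "config" && $10 == "NXDOMAIN" { n[$8]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "${2:-10}"
}

# Clients that sent more than LIMIT queries within one clock minute:
# "<count> <client> <HH:MM>". Sizes a '--limit N/min' rule like the Roku
# one in this thread from real data instead of a guess.
busy_clients() {
  awk -v lim="$2" '$7 ~ /^query\[/ { k = $10 " " substr($3, 1, 5); n[k]++ }
       END { for (k in n) if (n[k] + 0 > lim + 0) print n[k], k }' "$1" | sort -rn
}

report() {  # report <logfile> <per-minute limit>
  echo "== blocked answers per client";  blocked_by_client "$1"
  echo "== top blocked names";           blocked_domains "$1" 5
  echo "== clients over $2 queries/min"; busy_clients "$1" "$2"
}

if [ $# -gt 0 ]; then
  report "$1" "${2:-90}"            # e.g.  sh report.sh /tmp/dnsmasq.log 90
else
  f=$(sample_log); report "$f" 3; rm -f "$f"
fi
```

Run it against the live log with the rate you intend to enforce (here 90/min, matching the iptables rule later in the thread) before adding the REJECT rule, so a legitimately chatty device is not cut off by accident.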
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Wed Feb 14, 2024 0:45    Post subject:
Those big chunky lists are a double-edged dagger, as they may break some stuff around... there are tons of adblockers based on the same idea and a few blocklists too... to find the happy medium is a bit of work... I always add and remove some hosts from there, then kill dnsmasq in order for the changes to take effect... but thanks for the block-list link...
cheers

lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Wed Feb 14, 2024 19:48    Post subject:
hagezi has 5 or 6 list levels from light/easy to heavy/complex, with clear documentation and no overlaps. Volatile lists are updated daily, others weekly.

dnsmasq_options
Code:
filter-AAAA
neg-ttl=60
log-facility=/mnt/sda1/dnsmasq.log
log-queries=extra
# about 300K blocked domains
conf-file=/mnt/sda1/native.apple.txt
conf-file=/mnt/sda1/native.amazon.txt
conf-file=/mnt/sda1/roku.txt
conf-file=/mnt/sda1/doh.txt
conf-file=/mnt/sda1/pro.txt
conf-file=/mnt/sda1/tif.normal.txt
# intel is the LAN NTP server
cname=time.apple.com,time-ios.apple.com,time-macos.apple.com,intel
cname=usscz2-ntp-001.aaplimg.com,usscz2-ntp-002.aaplimg.com,intel
address=/use-application-dns.net/

rc_custom
Code:
# called by cron: refresh the hagezi lists, keep two compressed generations of each, rotate the log
cd /mnt/sda1 || exit 1

URL=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq
LIST="pro tif.normal"   # daily refresh
[ "$1" = "all" ] &&     # weekly refresh
  LIST="$LIST doh native.amazon native.apple"

for i in $LIST; do
  NEW=$i.txt
  # download to a side file; -f makes an HTTP error a failure instead of saving the error page as the list
  curl -fvL -o "$NEW.new" "$URL/$NEW" || continue

  # rotate: current -> .prev.gz, previous -> .old.gz
  [ -e "$NEW.prev.gz" ] && mv "$NEW.prev.gz" "$NEW.old.gz"
  [ -e "$NEW" ] && gzip -c "$NEW" > "$NEW.prev.gz"
  mv "$NEW.new" "$NEW"
  sleep 1
done

LOG=dnsmasq.log
[ -e "$LOG.prev.gz" ] && mv "$LOG.prev.gz" "$LOG.old.gz"
gzip -c "$LOG" > "$LOG.prev.gz" && >"$LOG"
ls -l *.txt *.gz
# full restart: HUP rereads /etc/hosts only, not the conf-file lists
time restart_dns

cron_jobs
Code:
5 2 * * 1-6 root /bin/sh /tmp/.rc_custom >> /mnt/sda1/update.log 2>&1
5 2 * * 0 root /bin/sh /tmp/.rc_custom all >> /mnt/sda1/update.log 2>&1

Also iptables rules to redirect port 53, block ports 853, 5353 and 8853, and to rate-limit LAN clients (roku) that hit dnsmasq too frequently, eg,
Code:
-A INPUT -s 192.168.1.6/32 -i br0 -p udp -m udp --dport 53 -m limit --limit 90/min -j ACCEPT
-A INPUT -s 192.168.1.6/32 -i br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable

Once this method is proven, the only additional step is to sort out how to flag ESNI by watching for an initial port 53 DNS query followed by HTTPS, or TLS followed by HTTPS, patterns by way of conntrack/tcpdump.

DoH is clearly being leveraged as a virus. https://www.toptal.com/web/encrypted-safe-with-esni-doh-dot
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Thu Feb 15, 2024 19:21    Post subject:
Final updates on this thread.

* Now using 850K blocklist entries (hagezi tif.txt replaces tif.normal.txt above), still with zero performance issues.
Code:
root@dd-wrt:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:            248          79          78           0          91          88
Swap:             0           0           0


* moved dnsmasq.log to /tmp for performance
* added shutdown script:
Code:
[ -s /tmp/dnsmasq.log ] && cat /tmp/dnsmasq.log | gzip > /mnt/sda1/dnsmasq.log.gz


* May add a small swap area to /dev/sda1 just to be safe.
* Currently OpenNIC resolvers are used. Intent is to move to TLS and integrate SmartDNS.


cheers,


Last edited by lazardo on Thu Feb 15, 2024 19:58; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Thu Feb 15, 2024 19:40    Post subject:
it's probably not a bad idea to add a sed/sort/grep line, so that it will DL only the lines with
'local=/<url>/' format.. so in this case, if someone takes over that hosts page, you will not add malicious stuff to your DNS hosts.. allowing some odd connections...

if you look at most of the ad-blocker scripts available around.. you will see something like that in all of them...

lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Thu Feb 15, 2024 20:44    Post subject:
Did not consider dnsmasq would have that issue since NXDOMAIN is always returned.

Code:
# check format, max length, character set:
#   keep only local=/.../ lines, drop lines of 250+ chars,
#   drop lines containing bytes outside printable/control ASCII
cat blocklist.txt |
  nice grep '^local=/.*/' |
  nice grep -vxE '.{250,}' |
  LC_ALL=C nice grep -av '[^[:cntrl:][:print:]]' > blocklist.new


Cautions:
* block lists and character set check are UCS
* kludgy and CPU-intensive
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Fri Feb 16, 2024 12:04    Post subject:
yes it is.. intensive and sluggish.. for better and faster blocking use IPset...

In the past I was using something like...

Code:
# writes a small fetch-with-retry script to /tmp/wh and runs it in the background
_rogue=0.0.0.0
cat >/tmp/wh <<EOF
n=1
while ! wget -q -O /tmp/hsts http://sbc.io/hosts/hosts ; do
	[ \$n -gt 5 ] && break
	let n+=1
	sleep 30
done
# keep the 0.0.0.0 entries, drop localhost, rewrite as "<_rogue><TAB><host>", strip CR
grep "^0\.0\.0\.0" /tmp/hsts | grep -v localhost | awk '{print "$_rogue\\t"\$2}' | tr -d '\\015' >/tmp/badhosts
rm /tmp/hsts
killall -HUP dnsmasq
EOF
sh /tmp/wh &

you could just use curl and change the _rogue=

or this one made by SurprisedItWorks (I can't find the forum link), but there are many AD-blocking scripts...

Code:
( cd /tmp; touch badhosts; sleep 30
# whitelist: turn each name into a sed delete command matching that host and its subdomains
sed 's/\./\\./g;s/.*/\/( |\\.)&$\/d/' <<'ENDOFWHITE' >badhosts.whitelist
hulu.com
huluad.com
ENDOFWHITE
( EXA=0 ; EXB=0 ; EXC=0
curl http://winhelp2002.mvps.org/hosts.txt || EXA=$?
curl http://sbc.io/hosts/hosts || EXB=$?
curl -k https://someonewhocares.org/hosts/zero/hosts || EXC=$?   # -k skips TLS certificate verification
echo $EXA $EXB $EXC > badhosts.codes
) 2>badhosts.log \
| sed 's/\t/ /g; /^0\.0\.0\.0 /!d; s/ *\#.*$//; s/\r//' | sort -u \
| sed -Ef badhosts.whitelist > badhosts
echo $(wc -l /tmp/badhosts | awk '{print $2,"has",$1,"lines,"}') \
'curl exit codes' $(cat badhosts.codes) \
| logger -p user.info -t "startup-code adblocker"
) && killall -HUP dnsmasq &


I'm on IPset rules for AD-blocking... so, I'm not using this script any more... but just as examples...

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Fri Feb 16, 2024 15:15    Post subject:
Like @Alozaros said, there are several nice examples; this is the one I am using:
https://github.com/egc112/ddwrt/tree/main/adblock/dnsmasq

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sun Feb 18, 2024 7:52; edited 1 time in total
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

Posted: Fri Feb 16, 2024 18:49    Post subject:
egc wrote:
Like @Alozaros said, there are several nice examples; this is the one I am using:
https://github.com/egc112/ddwrt/tree/main/adblock/dnsmasq


That would have saved a few hours, thanks.

My preference is scripts/dd-wrt builtin over add-on software or cloud-based. Even Cloudflare has downtime.

Borrowed 'dnsmasq --test' from ddwrt-adblock.sh and simplified list sanitizer
Code:
# check format, max length and UTS
LC_ALL=C awk '/[^[:cntrl:][:graph:]]/{next}; { if(length($0) > 258) next }; /^local=\/.*\/$/{ print }'


cheers,
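The sanitizers in the last two lazardo posts and the cron + curl refresh from the first post (and rc_custom) fit together into one pipeline: download to a side file, keep only well-formed 'local=/<hostname>/' lines, let dnsmasq syntax-check the result, and only then swap it in and restart. The following is an added example, not code from any post in this thread or from the hagezi or egc projects. It assumes curl, mktemp and cmp are present (busybox plus the curl package on DD-WRT), that the DD-WRT restart_dns helper exists (the call is guarded), and that 'dnsmasq --test -C <file>' is available for the syntax check (it passes trivially when the binary is absent). BASE_URL is the hagezi path from the thread; LIST_DIR, the function names and the sample list are assumptions of this example. The hostname rule is stricter than the thread's filters: besides dropping 'address=' and 'server=' lines, which a tampered list could use to hijack or redirect resolution, it rejects malformed labels that the simpler greps would let through.

```sh
#!/bin/sh
# Added example, not from the thread: fetch, sanitize, verify and atomically
# install hagezi dnsmasq lists, restarting dnsmasq only if something changed
# (HUP rereads /etc/hosts, not conf-file lists).

BASE_URL=${BASE_URL:-https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq}
LIST_DIR=${LIST_DIR:-/mnt/sda1}   # assumption: where the conf-file= lists live

# Keep only 'local=/<name>/' where <name> is an LDH hostname: labels of 1..63
# chars from [a-z0-9-], no leading/trailing '-', total length <= 253.
# Comments, blanks, 'address='/'server=' lines, non-ASCII bytes and trailing
# junk are dropped and counted. CRLF is tolerated and case is folded.
sanitize_list() {
  LC_ALL=C awk '
    { sub(/\r$/, ""); $0 = tolower($0) }
    /^#/ || /^$/ { next }
    $0 !~ /^local=\/[a-z0-9.-]+\/$/ { bad++; next }
    {
      d = substr($0, 8, length($0) - 8)          # strip "local=/" and the closing "/"
      if (length(d) > 253 || d ~ /^\./ || d ~ /\.$/ || d ~ /\.\./) { bad++; next }
      n = split(d, lab, ".")
      for (i = 1; i <= n; i++)
        if (length(lab[i]) > 63 || lab[i] ~ /^-/ || lab[i] ~ /-$/) { bad++; next }
      print
    }
    END { printf "sanitize: dropped %d line(s)\n", bad > "/dev/stderr" }'
}

# dnsmasq syntax check of one file; returns 0 when dnsmasq is not installed.
dnsmasq_check() {
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$1" >/dev/null 2>&1
  fi
}

# Fetch, sanitize, verify and install one list. Returns 0 only if the installed
# file changed; 1 on fetch failure, empty/invalid result, or no change.
update_list() {  # update_list <name>   e.g. pro, doh, tif
  name=$1; url="$BASE_URL/$name.txt"; dst="$LIST_DIR/$name.txt"
  raw=$(mktemp) || return 1
  # temp file on the same filesystem as $dst so the final mv is atomic
  clean=$(mktemp "$LIST_DIR/.$name.XXXXXX") || { rm -f "$raw"; return 1; }
  if ! curl -fsSL --max-time 120 -o "$raw" "$url"; then
    echo "fetch failed: $url" >&2; rm -f "$raw" "$clean"; return 1
  fi
  sanitize_list < "$raw" > "$clean"; rm -f "$raw"
  if [ ! -s "$clean" ] || ! dnsmasq_check "$clean"; then
    echo "rejected (empty or failed dnsmasq --test): $url" >&2; rm -f "$clean"; return 1
  fi
  if [ -s "$dst" ] && cmp -s "$clean" "$dst"; then
    rm -f "$clean"; return 1                     # unchanged, nothing to reload
  fi
  chmod 644 "$clean" && mv "$clean" "$dst"
}

main() {  # main pro doh tif ...
  changed=0
  for name in "$@"; do update_list "$name" && changed=1; done
  if [ "$changed" -eq 1 ] && command -v restart_dns >/dev/null 2>&1; then
    restart_dns
  fi
}

# Constructed sample input (not a real hagezi file) exercising each rejection.
sample_list() {
  printf '%s\n' \
    '# Title: constructed sample' \
    'local=/ads.example.test/' \
    'local=/Tracker.Example.Test/' \
    'local=/xn--bcher-kva.example.test/' \
    'address=/bank.example.test/203.0.113.5' \
    'server=/example.test/203.0.113.53' \
    'local=/-bad.example.test/' \
    'local=/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.test/' \
    'local=/ü.example.test/' \
    'local=/ok.example.test/ trailing junk'
  printf 'local=/crlf.example.test/\r\n'
}

if [ $# -gt 0 ]; then main "$@"; else sample_list | sanitize_list; fi
```

With no arguments the script runs the sanitizer over the constructed sample and prints the four surviving lines; from cron it would be called as in the thread, e.g. '/bin/sh update.sh pro tif' daily and 'pro tif doh native.amazon native.apple' weekly.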