DNS Ad Blocker

From Leo's Notes
Last edited on 1 September 2019, at 06:21.

The DNS Advertisement blocker is an extension of blocking advertisements through the local hosts file, except using a real DNS server instead. There are various upsides to this approach such as the ability to blocking entire domains and sub-domains, and being able to block specific hosts on devices where editing the hosts file is not possible or practical (eg. a phone or tablet).

I do not recommend running this on a Raspberry Pi simply because a large list of zones will take a considerably long time to load and DNS queries may appear to be sluggish.

Deprecated: Use OpenWRT or Pi Hole
This is way too much work. Instead, put a copy of OpenWRT on your Pi and install the adblock package. From there, you can load a bunch of hosts from ad lists (such as adaway) to blackhole.

The benefit of using OpenWRT is that you can also manage DNS/DHCP for your network in addition to acting as a DNS ad blocker.


The Code[edit | edit source]

This blocker contains the following components:

  • BIND DNS server
  • A generator script that creates zones based on an ad list
  • An ad list containing all servers to be blocked
  • Optionally, a HTTP server to capture all redirected HTTP traffic

Setup[edit | edit source]

Install BIND with the following configuration in /etc/named.conf

/etc/named.conf[edit | edit source]

Make sure your named.conf contains something similar to: 

options {
	listen-on port 53 { any; };

        directory "/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query { any; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};


logging {
	channel "querylog" {
		file "/var/log/named-query.log";
		print-time yes;
	};
	category queries { querylog; };
};

include "/etc/named.advertisement.conf";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "." IN {
	type hint;
	file "named.ca";
};

# If you need to forward zones, add them here. For example:
zone "cs.ucalgary.ca" IN {
	type forward;
	forwarders { 136.159.5.75; 136.159.5.76; 172.17.12.100; };
};

Zones that are not defined should be looked up via root hints.

generate.sh[edit | edit source]

Create a script named generate.sh with the following: 

# Normal advertisement zones
echo "" > /etc/named.advertisement.conf
for i in `cat adlist.txt` ; do
	test -z $i && continue;
	echo "zone \"$i\" {" >> /etc/named.advertisement.conf
	echo "type master; file \"adredirect.zone\";" >> /etc/named.advertisement.conf
	echo "};" >> /etc/named.advertisement.conf
	echo "" >> /etc/named.advertisement.conf
done

# Or if using systemd: systemctl restart named.service
/etc/init.d/named restart

rndc status|grep OFF && rndc querylog
# systemctl restart named

sleep 4
rndc reload
rndc flush

adlist.txt[edit | edit source]

Get the latest adlist from DNS Ad Blocker/Ad List and place it into the adlist.txt file. Zones will be generated for each domain in this list which will also block all subdomains.

adredirect.zone[edit | edit source]

Create this zone file in /var/named/adredirect.zone. This zone will be referenced for every zone that is created.

Replace the IP address 9.11.9.11 with 0.0.0.0 if you do not plan on running a HTTP server to capture the ad requests. 

$TTL 1h
@               IN SOA  ns1.server. ns2.server. (
                        44      ; serial
                        3600    ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
@               NS      ns1.server.
@               A       9.11.9.11
*               A   9.11.9.11

index.php[edit | edit source]

<?php
date_default_timezone_set("America/Edmonton");

// Attempt to get a redirect URL for click tracking sites
// if a GET parameter begins with http, then it's probably a link we can redirect to.
$redirect = "";
foreach ($_GET as $key => $value) {
	$value = urldecode($value);
	if (strtolower(substr($value, 0, 4)) == "http") {
		$redirect = $value;
	}
}

if ($redirect != "") {
	echo "$redirect";
	echo "<form action=\"$redirect\" method=\"post\"><input type=\"submit\" value=\"Go\" /></form>";
}

// log requests to a log file
$fp = fopen('log.txt', 'a');
fwrite($fp, date("M j - H:i:s") . " : " . $_SERVER['REMOTE_ADDR'] . " - " .  $_SERVER['HTTP_HOST'] . " - " . $_SERVER['REQUEST_URI'] . "\n");
fclose($fp);


echo "<script>if (opener){self.close();}</script>";
echo $_SERVER['HTTP_HOST'];

exit;

.htaccess[edit | edit source]

Place this with the index.php file so that all requests go to the same PHP script. 

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Various Linux Notes
Linux Tools and Utilites
Package Management
Linux Distributions
Networking
Containers