Dnsmasq Ad & Tracker Blocking DNS Forwarder

Ansible Role & Playbook

You can configure dnsmasq as a DNS request forwarder that actively blocks known ad and tracker domains. This does wonders for your online privacy and page load times, providing a better browsing experience.

I will be using the http://pgl.yoyo.org/adservers/ ad server list. You can use any list you want, just be sure you can get it into a format dnsmasq can read. I'm running the Arch Linux ARM OS on a Raspberry Pi 2, but you can do this with any Linux setup.

Dependencies

You will need a cron service (I will be using cronie) and dnsmasq. Optionally, but preferably, you can also set up some firewall rules. I'll be doing that with ufw.

$ pacman -Ss cronie
core/cronie 1.5.1-1
    Daemon that runs specified programs at scheduled times and related tools
$ pacman -Ss dnsmasq
extra/dnsmasq 2.77-1
    Lightweight, easy to configure DNS forwarder and DHCP server
$ pacman -Ss ufw
community/ufw 0.35-3
    Uncomplicated and easy to use CLI tool for managing a netfilter firewall

# Install and enable services
$ pacman -Sy cronie dnsmasq ufw
...
$ sudo systemctl enable cronie.service
$ sudo systemctl enable dnsmasq.service
$ sudo systemctl enable ufw.service

CRON

Create a new daily job:

$ sudo vim /etc/cron.daily/dnsmasq.adblock.sh

Add the following:

#!/bin/bash
# Download to a temporary file first so a failed fetch cannot leave an empty list behind.
set -e
tmp=$(mktemp)
wget -q "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" -O "$tmp"
install -m 644 "$tmp" /etc/dnsmasq.adblock.conf && rm -f "$tmp"
systemctl restart dnsmasq

Start the service:

$ sudo systemctl start cronie.service

DNSMASQ

Edit /etc/resolv.conf and add your external DNS servers (Google DNS in this example). Dnsmasq uses these to forward external requests.

$ sudo vim /etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

Edit dnsmasq.conf and uncomment or add the following:

$ sudo vim /etc/dnsmasq.conf

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

conf-file=/etc/dnsmasq.adblock.conf

Now manually fetch the adservers list for the first time and start dnsmasq:

$ wget "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" -O /etc/dnsmasq.adblock.conf

Start the dnsmasq service:

$ sudo systemctl start dnsmasq.service
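The fetched list is loaded through conf-file=, so dnsmasq honours every directive it contains, and it arrives over plain HTTP. The following added example (not part of the original post) validates a downloaded list before installing it: it accepts only the address=/domain/ipv4 lines the yoyo.org dnsmasq format is assumed to emit, plus comments, and refuses anything else or an empty list. File names and sample contents are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original post: validate the downloaded
# blocklist before dnsmasq loads it. The yoyo.org list is fetched over
# plain HTTP and then parsed by dnsmasq as configuration via conf-file=,
# so every directive it contains is honoured. Accept only the line shape
# the list is expected to contain (address=/<domain>/<ipv4>, comments and
# blanks), reject any other directive, and refuse a list with no entries.

# validate_blocklist FILE -> 0 if every line is an acceptable address=
# entry or a comment and at least one entry is present, 1 otherwise.
validate_blocklist() {
    local file=$1 n=0 line
    [ -s "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$line" |
           grep -Eq '^address=/[A-Za-z0-9._-]+/[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
            n=$((n + 1))
        else
            echo "rejected line: $line" >&2
            return 1
        fi
    done < "$file"
    [ "$n" -gt 0 ]
}

# install_blocklist SRC DEST -> copy SRC over DEST atomically, but only
# after it validates, so a failed or tampered download never replaces
# the list dnsmasq is currently serving.
install_blocklist() {
    local src=$1 dest=$2
    validate_blocklist "$src" || return 1
    install -m 644 "$src" "$dest.new" && mv -f "$dest.new" "$dest"
}

# Constructed sample input (not real list content): a clean list and one
# carrying an unexpected server= directive that dnsmasq would otherwise obey.
good=$(mktemp) bad=$(mktemp)
printf '# sample\naddress=/ads.example.com/127.0.0.1\naddress=/t.example.net/127.0.0.1\n' > "$good"
printf 'address=/ads.example.com/127.0.0.1\nserver=/corp.example/10.9.8.7\n' > "$bad"
validate_blocklist "$good" && echo "clean list accepted"
validate_blocklist "$bad" 2>/dev/null || echo "tampered list rejected"
rm -f "$good" "$bad"
```

In the cron job, fetch to a temporary file and run install_blocklist on it before restarting dnsmasq; when validation fails the previously installed list stays in place.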

You can also use dnsmasq to resolve hostnames of local hosts with a static IP. Add entries like the following:

address=/internal-host.domain.com/192.168.1.10
ptr-record=10.1.168.192.in-addr.arpa,internal-host.domain.com

This is very useful for connecting over the local network to services you have made accessible on the internet.

Now configure your DHCP server to hand out the IP of the dnsmasq host as the DNS server. For statically configured hosts, edit /etc/resolv.conf and add your dnsmasq IP as the nameserver, removing the other entries.

UFW - Firewall

$ sudo ufw allow ssh
$ sudo ufw allow dns
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
53 (DNS)                   ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
53 (DNS (v6))              ALLOW IN    Anywhere (v6)

That's it! You're set.
