You can configure dnsmasq as a DNS forwarder that actively blocks known ad and tracker domains. Because the blocking happens at the resolver, every device that uses it benefits, not just browsers with an ad-blocking extension, which does wonders for privacy and page load times.
I will be using the ad server list from http://pgl.yoyo.org/adservers/. You can use any list you want, just be sure you can get it into a format dnsmasq can read. I'm running Arch Linux ARM on a Raspberry Pi 2, but you can do this with any Linux setup.
You will need a cron service (I will be using cronie) and dnsmasq. Optionally, but preferably, you can also set up some firewall rules. I'll be doing that with ufw.
$ pacman -Ss cronie
core/cronie 1.5.1-1
    Daemon that runs specified programs at scheduled times and related tools
$ pacman -Ss dnsmasq
extra/dnsmasq 2.77-1
    Lightweight, easy to configure DNS forwarder and DHCP server
$ pacman -Ss ufw
community/ufw 0.35-3
    Uncomplicated and easy to use CLI tool for managing a netfilter firewall
# Install and enable services
# (avoid "pacman -Sy <pkg>": refreshing the database without upgrading risks a
#  partial upgrade on Arch; use -S, or -Syu to update the whole system)
$ sudo pacman -S cronie dnsmasq ufw
...
$ sudo systemctl enable cronie.service
$ sudo systemctl enable dnsmasq.service
$ sudo systemctl enable ufw.service
Create a new daily job:
$ sudo vim /etc/cron.daily/dnsmasq.adblock.sh
Add the following:
#!/bin/bash
# Fetch into a temporary file first: with "wget -O" a failed download would
# otherwise leave an empty adblock.conf behind, and dnsmasq would be restarted on it.
set -e
tmp="$(mktemp)"
wget -q "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" -O "$tmp"
install -m 644 "$tmp" /etc/dnsmasq.adblock.conf && rm -f "$tmp"
systemctl restart dnsmasq
Make the script executable (chmod +x), since run-parts only runs executable files, and start the cron service. If the job never fires, check how your run-parts selects files: Debian's run-parts skips file names containing a dot unless told otherwise, so a name without dots is the safer choice.
$ sudo systemctl start cronie.service
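The list is fetched over plain HTTP and loaded straight into dnsmasq as configuration, so anything that can tamper with the download, or an error or captive-portal page returned in its place, could inject other directives such as server= and redirect every lookup on the network. The following is an added example, not the post's own script: a stricter daily updater that keeps only well-formed address=/<domain>/<sink-ip> lines, refuses an empty or suspicious download, checks the result with dnsmasq --test, and only restarts dnsmasq when the list actually changed. It assumes the same URL and output path as above, and that the sink address is 127.0.0.1 (what the yoyo dnsmasq format uses) or 0.0.0.0.

```shell
#!/bin/bash
# Added example (not from the original post): a validating replacement for the
# /etc/cron.daily updater. Assumptions: same list URL and output path as the
# post; sinkhole entries point at 127.0.0.1 or 0.0.0.0.

LIST_URL="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext"
ADBLOCK_CONF="/etc/dnsmasq.adblock.conf"
# The only directive we are willing to load from a downloaded file.
ADDRESS_RE='^address=/[A-Za-z0-9._-]+/(127\.0\.0\.1|0\.0\.0\.0)$'

# good_line_count FILE: number of well-formed sinkhole entries.
good_line_count() { grep -Ec "$ADDRESS_RE" "$1" || true; }

# bad_line_count FILE: lines that are neither blank, a comment, nor a
# well-formed sinkhole entry. Anything here means the download is not the
# list we expect (HTML, a truncated line, or an injected directive).
bad_line_count() { grep -Ev '^(#|$)' "$1" | grep -Evc "$ADDRESS_RE" || true; }

# validate_list FILE: succeed only for a non-empty list with no foreign lines.
validate_list() {
    [ "$(bad_line_count "$1")" -eq 0 ] && [ "$(good_line_count "$1")" -gt 0 ]
}

# update_adblock_list: fetch, validate, syntax-check, install, restart on change.
update_adblock_list() {
    local tmp clean rc
    tmp="$(mktemp)" || return 1
    clean="$(mktemp)" || { rm -f "$tmp"; return 1; }
    if ! wget -q "$LIST_URL" -O "$tmp"; then
        echo "fetch failed; keeping current list" >&2
        rm -f "$tmp" "$clean"; return 1
    fi
    if ! validate_list "$tmp"; then
        echo "downloaded list failed validation; keeping current list" >&2
        rm -f "$tmp" "$clean"; return 1
    fi
    # Keep only the entries we checked (this also drops the comment header).
    grep -E "$ADDRESS_RE" "$tmp" > "$clean"
    # Let dnsmasq parse the file before it is installed.
    if ! dnsmasq --test -C "$clean" >/dev/null 2>&1; then
        echo "dnsmasq rejected the new list; keeping current list" >&2
        rm -f "$tmp" "$clean"; return 1
    fi
    if cmp -s "$clean" "$ADBLOCK_CONF"; then
        rm -f "$tmp" "$clean"; return 0    # unchanged: no restart needed
    fi
    # SIGHUP does not make dnsmasq re-read conf-file, so a restart is required.
    install -m 644 "$clean" "$ADBLOCK_CONF" && systemctl restart dnsmasq
    rc=$?
    rm -f "$tmp" "$clean"
    return $rc
}

# Run the update only when invoked as "update", so the functions above can be
# sourced and exercised without touching the network or dnsmasq.
if [ "${1:-}" = update ]; then
    update_adblock_list
fi
```

Install it in place of the simple script and call it with the argument update from cron.daily (for example via a one-line wrapper, or by changing the guard to run unconditionally). The allow-list regex is deliberately narrow: a list in a different format, or a different sink address, has to be added to it explicitly rather than being waved through.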
Edit /etc/resolv.conf and add the external DNS servers dnsmasq should forward to; this example uses Google Public DNS. By default dnsmasq takes its upstream servers from this file, so on the dnsmasq host itself do not point resolv.conf at 127.0.0.1 (queries would loop back into dnsmasq) unless you also set no-resolv and explicit server= lines in dnsmasq.conf. If a DHCP client or network manager rewrites resolv.conf on this host, make it leave the file alone or your entries will be overwritten.
$ sudo vim /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
Edit dnsmasq.conf and uncomment or add the following. log-queries writes every lookup to the journal, which is handy for confirming that blocked domains are being answered locally, but comment it out again afterwards: it records the browsing history of every client and wears the SD card.
$ sudo vim /etc/dnsmasq.conf
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries
conf-file=/etc/dnsmasq.adblock.conf
Now manually fetch the ad server list for the first time; dnsmasq refuses to start when a conf-file it references does not exist, so this has to happen before the service is started:
$ sudo wget "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" -O /etc/dnsmasq.adblock.conf
Start the dnsmasq service:
$ sudo systemctl start dnsmasq.service
You can also use dnsmasq to resolve the hostnames of local hosts with a static IP. Add entries like the following:
This is very useful for reaching services you host locally, and also expose on the internet, by their public names from inside the LAN, instead of going out through the router and back in.
Now configure your DHCP server to hand out the IP of the dnsmasq host as the DNS server. For hosts with a static configuration, edit /etc/resolv.conf, add the dnsmasq IP as nameserver and remove the other entries. The exception is the dnsmasq host itself: it keeps the external servers in resolv.conf, because that is where dnsmasq reads its upstreams from, unless you switch to no-resolv with explicit server= lines.
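A dnsmasq.conf that ties the pieces above together, as an added example rather than the post's own configuration: it makes the upstream servers explicit with no-resolv and server= so the host's own resolv.conf can point at 127.0.0.1 without a loop, binds dnsmasq to the LAN address only so it cannot become an open resolver, and shows the host-record form for the local static hosts mentioned above. The LAN address 192.168.1.2 and the host names and addresses are placeholders.

```conf
# Added example, not from the original post. Assumed values: dnsmasq host is
# 192.168.1.2 on the LAN; the host names below are placeholders.

# Upstream servers. With no-resolv, dnsmasq ignores /etc/resolv.conf, so this
# host's resolv.conf can safely contain "nameserver 127.0.0.1".
no-resolv
server=8.8.8.8
server=8.8.4.4

# Answer only on loopback and the LAN address. Without "interface=" dnsmasq
# does not add loopback by itself, so 127.0.0.1 is listed explicitly.
# A forwarder reachable from the internet is an open resolver and gets
# abused for amplification attacks.
listen-address=127.0.0.1,192.168.1.2
bind-interfaces

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Enable only while debugging; it records every lookup from every client.
#log-queries

# Ad/tracker sinkhole list maintained by the daily job
conf-file=/etc/dnsmasq.adblock.conf

# Local hosts with static addresses: answer the public name with the LAN
# address so clients reach the box directly instead of via the router.
host-record=www.example.net,192.168.1.10
host-record=git.example.net,192.168.1.11
```

After changing dnsmasq.conf, run dnsmasq --test to syntax-check it and restart the service; a SIGHUP re-reads /etc/hosts and resolv.conf but not the configuration file.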
UFW - Firewall
$ sudo ufw allow ssh
$ sudo ufw allow dns
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
53 (DNS)                   ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
53 (DNS (v6))              ALLOW IN    Anywhere (v6)
$
Note that "ufw allow dns" accepts port 53 from anywhere. That is fine on a LAN-only host, but if the Pi is reachable from the internet it becomes an open resolver that will be abused for DNS amplification. In that case use ufw's "allow from <your LAN subnet> to any port 53" form instead of the plain dns rule, and bind dnsmasq to the LAN address as well.
That's it! You're set.