
Is there a way to integrate dnsmasq and the popular urlblacklist.com list?

I thought about adding all the entries with the -A flag, but that's a lot of hosts for dnsmasq to process, especially on a low-powered ARM device and I would need to write a script to parse the blacklist each time it needed to be updated, so I'm hoping there's a better approach to this overall.

To clarify the -A flag, taken from the man page for dnsmasq:

-A, --address=/<domain>/[domain/]<ipaddr>

Specify an IP address to return for any host in the given domains.
Queries in the domains are never forwarded and always replied to with
the specified IP address which may be IPv4 or IPv6. To give both IPv4
and IPv6 addresses for a domain, use repeated -A flags. Note that
/etc/hosts and DHCP leases override this for individual names. A
common use of this is to redirect the entire doubleclick.net domain to
some friendly local web server to avoid banner ads. The domain
specification works in the same way as for --server, with the
additional facility that /#/ matches any domain. Thus
--address=/#/1.2.3.4 will always return 1.2.3.4 for any query not
answered from /etc/hosts or DHCP and not sent to an upstream
nameserver by a more specific --server directive.
Michael Lang
  • when you say **with -A flag** do you mean iptables -A or which command? – cybernard Oct 07 '13 at 23:37
  • added relevant info about the -A flag. – Michael Lang Oct 08 '13 at 15:10
  • Does the offending traffic need to be redirected or can we just drop it? – cybernard Oct 08 '13 at 23:59
  • redirected. I'm actually digging into iptables now as that may be the better place to deal with what they call "discretionary access control (DAC)" For now, I did manage to get a limited version of what I ultimately wanted with squid3 as a transparent proxy and squidguard, but this only protects http/https browsing, not all ports. – Michael Lang Oct 09 '13 at 18:27
  • urlblacklist.com has 3 million entries. "iptables" by itself will suck. If you combine "iptables" with "ipset" then it won't kill your performance. One "iptables" table rule will block a whole set of IP addresses (up to 65535 per set). You can create a list:set containing 8 individual sets. You will still, however, require many sets. However, the entire ipset config can be saved like this "ipset save >all.txt" or restored like this "ipset restore – cybernard Oct 09 '13 at 21:51
  • Ah, I didn't put the data into the iptables itself. I used libnetfilter_queue to pass the packet out to userland, where I looked the IP address up in a PostgreSQL database of the urlblacklist to handle non-http(s) (new connections only). I used squid and squidguard for http(s) traffic in transparent mode. Performance seems pretty solid so far. – Michael Lang Oct 10 '13 at 15:19

2 Answers

It sounds like what you are looking for is pihole-FTL, which is a modified version of dnsmasq specifically designed for DNS based URL/domain blocking.

Gordan Bobić

The Best Ad Blocking Method with dnsmasq does exactly what you are asking for.

The urlblacklist config file is under /etc/dnsmasq.d/: /etc/dnsmasq.d/dbab.adblock.conf, exactly in the format of

address=/101com.com/192.168.2.101
address=/101order.com/192.168.2.101
...

For details refer to
https://sfxpt.wordpress.com/2015/11/22/dbab-from-start-to-finish/

In the section "Faq: How to blacklist those bad sites".

From the blog:

  • Block access to the ad sites at the DNS level.
  • All ads will be replaced by a 1×1 pixel gif image served locally by the Pixelserv server
xpt
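As an added example (not code from the question or either answer), here is a small Python converter that turns a one-domain-per-line list into address= lines in the format shown in the answer above, dropping any subdomain whose parent is already listed (address=/example.com/ already matches every host under it, so the child entry only adds parsing work on a low-powered box). It assumes the per-category domains files are one bare hostname per line (the urlblacklist.com layout is an assumption here) and uses a constructed sample list and sinkhole address.

```python
import re

# Constructed sample in the assumed one-hostname-per-line shape of a
# urlblacklist "domains" file; not real list content.
SAMPLE_DOMAINS = """\
# category: ads
101com.com
ads.101com.com
101order.com
WWW.Tracker.Example
tracker.example
bad host.example
"""

SINKHOLE = "192.168.2.101"  # local address to answer blocked names with

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(line):
    """Strip comments/whitespace, lowercase, drop a trailing dot.
    Return None for blank lines or anything that is not a valid hostname."""
    line = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not line:
        return None
    labels = line.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return line


def collapse(domains):
    """Keep only domains with no listed ancestor (TLD excluded).
    Processing parents first guarantees a child sees its parent in `kept`."""
    kept = set()
    for d in sorted(set(domains), key=lambda x: x.count(".")):
        parts = d.split(".")
        if any(".".join(parts[i:]) in kept for i in range(1, len(parts) - 1)):
            continue  # e.g. ads.101com.com is covered by 101com.com
        kept.add(d)
    return sorted(kept)


def to_dnsmasq(text, sink=SINKHOLE):
    """Render a domain list as dnsmasq address= directives, one per line."""
    domains = [n for n in (normalize(l) for l in text.splitlines()) if n]
    return [f"address=/{d}/{sink}" for d in collapse(domains)]


if __name__ == "__main__":
    print("\n".join(to_dnsmasq(SAMPLE_DOMAINS)))
```

Redirect the output into a file under /etc/dnsmasq.d/ and restart dnsmasq; rerun the script whenever the list is refreshed.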