[SOLUTION] DNS blocking using just dnsmasq

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Tue Feb 13, 2024 2:46    Post subject: [SOLUTION] DNS blocking using just dnsmasq Reply with quote
Update:
* wget has no TLS support
* 'killall -HUP dnsmasq' rereads /etc/hosts but does not reread dnsmasq_options
These have been adjusted in this post.

Start with the 'pro' and 'doh' blocklists from https://github.com/hagezi/dns-blocklists/tree/main/dnsmasq. Most lists are updated daily and appear to be well managed.

Add to 'Services -> Additional Options' a line for each list, turn on logging
Code:
conf-file=/tmp/pro.txt
conf-file=/tmp/doh.txt
log-facility=/tmp/dnsmasq.log
log-queries=extra

Then
Code:
service dnsmasq restart

Notes:
* If you use DoH/Dot, purge them from doh.txt
* Check dnsmasq version as there are pre and post v2.86 lists, recent builds use v2.89.
* Works with any blocklist of the form 'local=/<url>/'
* The 'pro' list contains 250K entries yet dnsmasq uses only 15M memory and zero performance impact (RT-AC68U).
* The lists can be many Megabytes so USB storage, or host the files elsewhere with re-init in 'Administration -> Commands -> Startup'.
* List maintenance is cron + curl, eg
Code:
cd /tmp; curl -LO https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt && service dnsmasq restart

* If clients are bypassing port 53 (or however your DNS is setup) this won't be effective. 'Forced DNS Redirection' and hagezi's 'doh' list are recommended. Dnsmasq logging will reveal all.

I'll update this post if issues or questions on the above method.

Cheers,


Last edited by lazardo on Sun Feb 18, 2024 19:36; edited 4 times in total
Sponsor
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6498
Location: UK, London, just across the river..

PostPosted: Tue Feb 13, 2024 8:04    Post subject: Reply with quote
have you tried your script on DDWRT router... ?

wget will not do https..you'd need curl instead...

killall -HUP dnsmasq &

or

stopservice dnsmasq && sleep 2 && startservice dnsmasq my do better...

also running this adblock what is the output of netstat -npla

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56490 WAP
TP-Link WR1043NDv2 -DD-WRT 56490 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 56490 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 56721 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 56490 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Tue Feb 13, 2024 19:08    Post subject: Reply with quote
Alozaros wrote:
have you tried your script on DDWRT router... ?

wget will not do https..you'd need curl instead...

killall -HUP dnsmasq &

or

stopservice dnsmasq && sleep 2 && startservice dnsmasq my do better...

also running this adblock what is the output of netstat -npla


I found out wget has no TLS support at 2am when the script ran Smile

Code:
root@dd-wrt:/mnt/sda1# netstat -npla | tee 1.tmp
Active Internet connections (servers and established)
netstat: /proc/net/tcp6: No such file or directory
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1191/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3635/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      12066/dnsmasq
tcp        0      0 192.168.1.251:22        192.168.1.48:55940      ESTABLISHED 11014/dropbear
netstat: /proc/net/udp6: No such file or directory
udp        0      0 0.0.0.0:53              0.0.0.0:*                           12066/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           12066/dnsmasq
udp        0      0 0.0.0.0:35182           0.0.0.0:*                           1014/syslogd
udp        0      0 127.0.0.1:34954         0.0.0.0:*                           3625/nas
netstat: /proc/net/raw6: No such file or directory
raw        0      0 0.0.0.0:255             0.0.0.0:*               255         1822/wland
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  10     [ ]         DGRAM                       909 1014/syslogd        /dev/log
unix  2      [ ]         DGRAM                       100 701/mstpd           @.mstp_server
unix  2      [ ]         DGRAM                     12457 3635/httpd         
unix  2      [ ]         DGRAM                      4921 705/irqbalance     
unix  2      [ ]         DGRAM                     12795 3916/cron           
unix  2      [ ]         DGRAM                      2286 1016/klogd         
unix  2      [ ]         DGRAM                      1213 701/mstpd           
unix  2      [ ]         DGRAM                      8503 2639/ttraff         
unix  2      [ ]         DGRAM                     12855 3625/nas           
unix  2      [ ]         DGRAM                      1069 1/init             
unix  2      [ ]         DGRAM                      2471 1191/dropbear       
unix  2      [ ]         DGRAM                     12562 3804/process_monito
root@dd-wrt:/mnt/sda1#
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Tue Feb 13, 2024 19:33    Post subject: Reply with quote
Blocklist now ~300K entries, dnsmasq memory footprint 18.2MB,no router performance issues (RT-AC68U).

NXDOMAIN is returned for blocked DNS query:
Code:
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 query[A] forum.dd-wrt.com from 192.168.1.48
Feb 13 11:03:03 dnsmasq[12066]: 1240 192.168.1.48/42840 cached forum.dd-wrt.com is 185.84.6.126
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 query[A] scribe.logs.roku.com from 192.168.1.6
Feb 13 11:03:13 dnsmasq[12066]: 1241 192.168.1.6/36927 config scribe.logs.roku.com is NXDOMAIN
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6498
Location: UK, London, just across the river..

PostPosted: Wed Feb 14, 2024 0:45    Post subject: Reply with quote
Those big chunky lists are double aged dagger, as it may break some stuff around...there are tons of adblockers based on the same idea and few blocklists too...to find the happy medium is a bit of a work...i always add and remove some hosts from there than kill dnsmasq in order changes to take in to an action....but thanks for the block-list link...
cheers
Cool

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56490 WAP
TP-Link WR1043NDv2 -DD-WRT 56490 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 56490 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 56721 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 56490 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Wed Feb 14, 2024 19:48    Post subject: Reply with quote
hagezi has 5 or 6 list levels from light/easy to heavy/complex, with clear documentation and no overlaps. Volatile lists are updated daily, others weekly.

dnsmasq_options
Code:
filter-AAAA
neg-ttl=60
log-facility=/mnt/sda1/dnsmasq.log
log-queries=extra
# about 300K blocked domains
conf-file=/mnt/sda1/native.apple.txt
conf-file=/mnt/sda1/native.amazon.txt
conf-file=/mnt/sda1/roku.txt
conf-file=/mnt/sda1/doh.txt
conf-file=/mnt/sda1/pro.txt
conf-file=/mnt/sda1/tif.normal.txt
# intel is the LAN NTP server
cname=time.apple.com,time-ios.apple.com,time-macos.apple.com,intel
cname=usscz2-ntp-001.aaplimg.com,usscz2-ntp-002.aaplimg.com,intel
address=/use-application-dns.net/

rc_custom
Code:
# called by cron
cd /mnt/sda1 || exit 1

URL=https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq
LIST="pro tif.normal"   # daily refresh
[ "$1" == "all" ] &&   # weekly refresh
  LIST="$LIST doh native.amazon native.apple"

for i in $LIST; do
  NEW=$i.txt
  curl -vL -o $NEW.new $URL/$NEW
  [ $? -ne 0 ] && continue

  [ -e $NEW.prev.gz ] && mv $NEW.prev.gz $NEW.old.gz
  cat $NEW | gzip > $NEW.prev.gz
  mv $NEW.new $NEW
  sleep 1
done

LOG=dnsmasq.log
[ -e $LOG.prev.gz ] && mv $LOG.prev.gz $LOG.old.gz
cat $LOG | gzip > $LOG.prev.gz && >$LOG
ls -l *.txt *.gz
time restart_dns

cron_jobs
Code:
5 2 * * 1-6 root /bin/sh /tmp/.rc_custom >> /mnt/sda1/update.log 2>&1
5 2 * * 0 root /bin/sh /tmp/.rc_custom all >> /mnt/sda1/update.log 2>&1

Also iptables rules to redirect port 53, block ports 853, 5353 and 8853, and to rate-limit LAN clients (roku) that hit dnsmasq too frequently, eg,
Code:
-A INPUT -s 192.168.1.6/32 -i br0 -p udp -m udp --dport 53 -m limit --limit 90/min -j ACCEPT
-A INPUT -s 192.168.1.6/32 -i br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable

Once this method is proven the only additional step is to sort how to flag ESNI by watching for an initial 53DNS query followed by HTTPS or TLS followed by HTTPS patterns by way of conntrack/tcpdump.

DoH is clearly being leveraged as a virus. https://www.toptal.com/web/encrypted-safe-with-esni-doh-dot
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Thu Feb 15, 2024 19:21    Post subject: Reply with quote
Final updates on this thread.

* Now using 850K blocklist entries (hagezi tif.txt replaces tif.normal.txt above), still with zero performance issues.
Code:
root@dd-wrt:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:            248          79          78           0          91          88
Swap:             0           0           0


* moved dnsmasq.log to /tmp for performance
* added shutdown scrip:
Code:
[ -s /tmp/dnsmasq.log ] && cat /tmp/dnsmasq.log | gzip > /mnt/sda1/dnsmasq.log.gz


* May add a small swap area to /dev/sda1 just to be safe.
* Currently OpenNIC resolvers are used. Intent is to move to TLS and integrate SmartDNS.


cheers,


Last edited by lazardo on Thu Feb 15, 2024 19:58; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6498
Location: UK, London, just across the river..

PostPosted: Thu Feb 15, 2024 19:40    Post subject: Reply with quote
its probably not a bad idea to add a sed/sort/grep line, where it will DL only the lines with
'local=/<url>/' format..so in this case if someone takes over that hosts page you will not add a malicious stuff to your DNS hosts..allowing some odd connections... Razz

if you look at most of the ad-blocker scripts available around..you will see something like...in all of them... Cool

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56490 WAP
TP-Link WR1043NDv2 -DD-WRT 56490 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 56490 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 56721 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 56490 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Thu Feb 15, 2024 20:44    Post subject: Reply with quote
Did not consider dnsmasq would have that issue since NXDOMAIN is always returned.

Code:
# check format, max length, character set
cat blocklist.txt |
  nice grep '^local=/.*/' |
  nice grep -vxE '.{250,}' |
  LC_ALL=C nice grep -av '[^[:cntrl:][:print:]]' > blocklist.new


Cautions:
* block lists and character set check are UCS
* kludgy and CPU-intensive
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6498
Location: UK, London, just across the river..

PostPosted: Fri Feb 16, 2024 12:04    Post subject: Reply with quote
yes it is..intensive and sluggish..better and faster blocking use IPset...

In the past I was using something like...

_rogue=0.\0\.0\.0
echo -e "n=1\nwhile ! wget -q -O /tmp/hsts http://sbc.io/hosts/hosts ; do\n\t[ \$n -gt 5 ] && break\n\tlet n+=1\n\tsleep 30\ndone\ngrep "^0\.0\.0\.0" /tmp/hsts | grep -v localhost | awk '{print \"$_rogue\\\t\"\$2}' | tr -d '\\\015' >/tmp/badhosts\nrm /tmp/hsts\nkillall -HUP dnsmasq" >/tmp/wh
sh /tmp/wh &

you could just use curl and change the _rogue=

or this one made by SurprisedItWorks ( i cant find the forum link ) but there are many AD-blocking scripts...

( cd /tmp; touch badhosts; sleep 30
sed 's/\./\\./g;s/.*/\/( |\\.)&$\/d/' <<'ENDOFWHITE' >badhosts.whitelist
hulu.com
huluad.com
ENDOFWHITE
( EXA=0 ; EXB=0 ; EXC=0
curl http://winhelp2002.mvps.org/hosts.txt || EXA=$?
curl http://sbc.io/hosts/hosts || EXB=$?
curl -k https://someonewhocares.org/hosts/zero/hosts || EXC=$?
echo $EXA $EXB $EXC > badhosts.codes
) 2>badhosts.log \
| sed 's/\t/ /g; /^0\.0\.0\.0 /!d; s/ *\#.*$//; s/\r//' | sort -u \
| sed -Ef badhosts.whitelist > badhosts
echo $(wc -l /tmp/badhosts | awk '{print $2,"has",$1,"lines,"}') \
'curl exit codes' $(cat badhosts.codes) \
| logger -p user.info -t "startup-code adblocker"
) && killall -HUP dnsmasq &


Im on IPset rules for AD-blocking...so, im not using this script any more......but just as an examples...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56490 WAP
TP-Link WR1043NDv2 -DD-WRT 56490 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 56490 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 56721 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 56490 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 13033
Location: Netherlands

PostPosted: Fri Feb 16, 2024 15:15    Post subject: Reply with quote
Like @Alozoros said there are several nice examples this is the one I am using:
https://github.com/egc112/ddwrt/tree/main/adblock/dnsmasq

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sun Feb 18, 2024 7:52; edited 1 time in total
lazardo
DD-WRT User


Joined: 17 Apr 2014
Posts: 140
Location: SF Bay Area

PostPosted: Fri Feb 16, 2024 18:49    Post subject: Reply with quote
egc wrote:
Like @Alozoros said there are several nice examples this is the one I am using:
https://github.com/egc112/ddwrt/tree/main/adblock/dnsmasq


That would have saved a few hours, thanks Smile

My preference is scripts/dd-wrt builtin over add-on software or cloud-based. Even Cloudflare has downtime.

Borrowed 'dnsmasq --test' from ddwrt-adblock.sh and simplified list sanitizer
Code:
# check format, max length and UTS
LC_ALL=C awk '/[^[:cntrl:][:graph:]]/{next}; { if(length($0) > 258) next }; /^local=\/.*\/$/{ print }'


cheers,
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum