@0x-2a
Forked from martinsohn/edgemax-ad-blocker-dnsmasq.md
Last active November 3, 2020 22:38
HOWTO Ubiquiti EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter as dnsmasq server

Ubiquiti EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter

This will show you how to use your EdgeRouter as a local DNS server that blocks DNS queries to domains hosting ads and malware. An alternative is to use Pi-hole, which gives you many more features such as a web UI, statistics, DNS-over-HTTPS, and possibly better written code ;)

The blocklists used are:

  • https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext (already in dnsmasq "address=" format)
  • https://www.dshield.org/feeds/suspiciousdomains_High.txt (raw domain names)
  • https://www.dshield.org/feeds/suspiciousdomains_Medium.txt (raw domain names)
  • https://www.dshield.org/feeds/suspiciousdomains_Low.txt (raw domain names)

Assumptions:

  • WAN interface is eth0 and is using DHCP
  • All other interfaces are for LAN

Add DNS filter to dnsmasq

Switch to the root user and create a bash script with vi in root's home directory.

root@ERX:~# sudo -i
root@ERX:~# vi ~/update-adblock-dnsmasq.sh

Enable insert mode in 'vi' by pressing 'i', then paste the following into the bash script:

#!/bin/bash

# Blocklists pre-formatted as "address=/<domain>/<blackhole ip>"
# NB: the script later assumes pre-formatted blocklists use 127.0.0.1 as the blackhole IP
formatted_blocklists=("https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext")

# Blocklists with raw domain names, one domain per line
raw_blocklists=("https://www.dshield.org/feeds/suspiciousdomains_High.txt"
		"https://www.dshield.org/feeds/suspiciousdomains_Medium.txt"
		"https://www.dshield.org/feeds/suspiciousdomains_Low.txt"
		)

# Blackhole/IP to respond to DNS query if domain is on blocklist
# IP "0.0.0.0" is a black hole. Per RFC 1122, section 3.2.1.3 "This host on this network. MUST NOT be sent, except as a source address as part of an initialization procedure by which the host learns its own IP address."
blackhole_ip="0.0.0.0"
# Same IP with the dots escaped, for use inside the regular expression below
blackhole_ip_re=$(printf '%s' "$blackhole_ip" | sed 's/\./\\./g')

# Block configuration to be used by dnsmasq
blocklist="/etc/dnsmasq.d/dnsmasq-blocklist.conf"
# Temp blocklists
tmp_blocklist="/tmp/dnsmasq-blocklist.conf.tmp"
tmp_formatted_blocklist="/tmp/dnsmasq-formatted_blocklist.conf.tmp"
tmp_raw_blocklist="/tmp/dnsmasq-raw_blocklist.conf.tmp"

# Make sure we're starting with empty blocklists
rm -f "$tmp_formatted_blocklist" "$tmp_raw_blocklist" "$tmp_blocklist"

# Download pre-formatted blocklists and replace their black hole IP with our preference
# NB: This assumes pre-formatted blocklists use 127.0.0.1
# curl -f makes an HTTP error fail instead of appending an HTML error page to the list
for i in "${formatted_blocklists[@]}"
do
    curl -fsS "$i" | sed "s/127\.0\.0\.1/$blackhole_ip/" >> "$tmp_formatted_blocklist"
done

# Download raw blocklists, dropping Windows line endings if a feed uses them
for i in "${raw_blocklists[@]}"
do
    curl -fsS "$i" | tr -d '\r' >> "$tmp_raw_blocklist"
done

# Remove comment lines and trailing whitespace
sed -i -e "/^#/d" -e "s/[[:space:]]*$//" "$tmp_formatted_blocklist"
sed -i -e "/^#/d" -e "s/[[:space:]]*$//" "$tmp_raw_blocklist"

# Format raw blocklist
# Add to start of all lines: 'address=/'
sed -i "s/^/address=\//" "$tmp_raw_blocklist"
# Add to end of all lines: '/$blackhole_ip'
sed -i "s/$/\/$blackhole_ip/" "$tmp_raw_blocklist"

# Join files to one
cat "$tmp_raw_blocklist" >> "$tmp_formatted_blocklist"

# Remove invalid lines: keep only "address=/<name>.<name>/<blackhole ip>"
# (requiring a dot also drops bare TLDs, which would block every domain under them)
grep -E "^address=/.+\..+/${blackhole_ip_re}$" "$tmp_formatted_blocklist" > "$tmp_blocklist"

# Never replace the working blocklist with an empty one (e.g. when every download failed)
if [ ! -s "$tmp_blocklist" ]; then
    echo "No valid blocklist entries downloaded, keeping $blocklist unchanged" >&2
    rm -f "$tmp_raw_blocklist" "$tmp_formatted_blocklist" "$tmp_blocklist"
    exit 1
fi

# Keep only unique entries
sort -u "$tmp_blocklist" > "$blocklist"

# Clean up temp blocklists
rm -f "$tmp_raw_blocklist" "$tmp_formatted_blocklist" "$tmp_blocklist"

# Restart dnsmasq to load new config
/etc/init.d/dnsmasq force-reload

Save the bash file by pressing Escape, typing ':wq', and pressing Enter.

Make sure you're root, chmod the script, and run the script.

root@ERX:~# sudo -i
root@ERX:~# chmod a+x ~/update-adblock-dnsmasq.sh
root@ERX:~# ~/update-adblock-dnsmasq.sh

Make sure no errors were written to the console. Then add the script to crontab; cron will regenerate the blocklist from your blocklist sources every day at 04:20.

root@ERX:~# (crontab -l ; echo "20 4 * * *  /root/update-adblock-dnsmasq.sh") | crontab -
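The two fragile steps in the script above are turning a raw feed into dnsmasq "address=" lines and deciding whether the result is safe to install. The following is an added example (not part of the gist) that does both as shell functions with a constructed sample feed; the function names to_dnsmasq and check_blocklist are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the gist: turn a raw domain feed into dnsmasq
# "address=/<domain>/<ip>" lines and sanity-check the result before it is
# allowed to replace the live blocklist. Function names are hypothetical.

# Constructed sample of what a raw feed can contain: a comment, CRLF line
# endings, mixed case, stray whitespace, a bare TLD, a blank line and junk.
SAMPLE_RAW=$(printf '# constructed sample feed\r\nAds.Example.COM\r\n  tracker.example.net  \nmalware.example.org\ncom\n\nnot a domain!\n')

# Read raw domains on stdin, emit dnsmasq address= lines pointing at $1.
# Strips CR, comments, whitespace and case, drops anything that is not a
# hostname of at least two labels (a bare TLD would block every domain
# under it), and de-duplicates.
to_dnsmasq() {
    bh="$1"
    tr -d '\r' \
    | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$' \
    | sort -u \
    | sed "s|.*|address=/&/$bh|"
}

# Succeed only if file $1 is non-empty and every line is a well-formed
# address= entry for blackhole IP $2; a feed outage that yields an empty or
# HTML response must not wipe out or corrupt the working blocklist.
check_blocklist() {
    f="$1"
    bh_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    [ -s "$f" ] || return 1
    bad=$(grep -Evc "^address=/([a-z0-9-]+\.)+[a-z0-9-]+/$bh_re\$" "$f" || true)
    [ "$bad" -eq 0 ]
}

main() {
    out=$(mktemp)
    printf '%s\n' "$SAMPLE_RAW" | to_dnsmasq 0.0.0.0 > "$out"
    if check_blocklist "$out" 0.0.0.0; then
        cat "$out"      # the three well-formed entries, sorted
    else
        echo "blocklist failed validation, keeping the old one" >&2
    fi
    rm -f "$out"
}

main
```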

Disconnect from the router.

root@ERX:~# logout
admin@ERX:~# exit

Visit the following sites to confirm the ad-blocker is working:
