@4np
Last active February 13, 2023 00:45
How to block adware and malware using bind.

Block adware and malware using DNS

Install bind

For Gentoo Linux:

emerge bind

Create a new zones directory

You can also choose to use bind's own zones directories, but I prefer to keep things separate.

sudo mkdir /etc/bind/zones

Create /etc/bind/zones/blackhole.zone:

$TTL 6h
@        IN    SOA	ns.home.lan.	hostmaster.home.lan. (
			2015060501	; serial
			10800		; refresh
			3600		; retry
			604800		; expire
			86400 )		; negative-cache TTL

@		NS	ns.home.lan.

; Resolve the blocked domain itself and any subdomain of it to 0.0.0.0.
; Every generated zone statement points at this one file, so each
; listed name (and everything beneath it) is sinkholed the same way.
@        IN      A               0.0.0.0
*        IN      A               0.0.0.0

Update /etc/init.d/named's start() method:

121a122,124
> 	# Update /etc/bind/zones/adware-plus-malware.zones using the most recent data.
> 	wget -O - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep '^0.0.0.0' | tr "[A-Z]" "[a-z]" | awk '!a[$0]++' | awk '{print "zone \""$2"\" { type master; notify no; file \"/etc/bind/zones/blackhole.zone\"; };"}' > /etc/bind/zones/adware-plus-malware.zones
>
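Review bot: the trailing `> /etc/bind/zones/adware-plus-malware.zones` on the `wget` line truncates the zones file before the pipeline produces anything, so a failed download (no network yet at boot, TLS or HTTP error) leaves an empty file and named starts with no blocking at all, and nothing reports it. Download to a temporary file, check wget's exit status and that the result is non-trivial, then `mv` it into place. Two smaller points in the same pipeline: `grep '^0.0.0.0'` also matches the list's own `0.0.0.0 0.0.0.0` line and emits a `zone "0.0.0.0" { ... };` statement, so filter on the second field looking like a hostname; and `awk '!a[$0]++'` deduplicates whole lines, so two entries for the same name that differ only in spacing yield two `zone` statements for one name, which named rejects at startup, so dedup on `$2` instead. Finally, this runs as root on every service start and feeds unreviewed upstream content straight into named's configuration via the include; TLS protects it in transit, but a vandalised or compromised upstream list lands in the resolver unchanged, so keep the previous file around to roll back to.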

This creates or updates adware-plus-malware.zones every time named is started, from Steven Black's frequently updated adware + malware hosts file. Because it aggregates several well-known block lists, it should catch most of the adware and malware domains in circulation. Two things to keep in mind: the download happens before named is up, so the resolver named in /etc/resolv.conf at that moment must not be this server (127.0.0.1), or the fetch fails on every boot; and the list is refreshed only at service start, so a long-running server keeps the list from its last restart unless the file is regenerated and named reloaded on a schedule.

Update /etc/bind/named.conf

25a26
> 	192.168.2.0/24;
37c38
< 	listen-on { 127.0.0.1; };
---
> 	listen-on { 127.0.0.1; 192.168.2.1; };
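Review bot: with `listen-on` now including 192.168.2.1, confirm that recursion is restricted to the LAN as well. The `192.168.2.0/24;` added at 25a26 goes into a block whose name is not in the diff; only if that block is the ACL referenced by `allow-query`/`allow-recursion` (or is `allow-recursion` itself) is the server closed to anything else that can reach that interface. Otherwise it becomes an open recursive resolver, which is abusable for DNS amplification.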
77d77
< /*
84,85c84,87
< 		8.8.8.8;		// Google Open DNS
< 		8.8.4.4;		// Google Open DNS
---
> 	//	8.8.8.8;		// Google Open DNS
> 	//	8.8.4.4;		// Google Open DNS
> 		1.1.1.1;		// Cloudflare DNS #1
> 		1.0.0.1;		// Cloudflare DNS #2
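Review bot: the comment on the `8.8.8.8`/`8.8.4.4` lines reads "Google Open DNS"; the service is Google Public DNS, and OpenDNS is a different (Cisco) resolver, so fix the label even on the commented-out lines to avoid confusing the next person to edit this. Also note that `forwarders` here speak plain DNS on port 53, so swapping Google for Cloudflare changes who receives every query from this network but does not hide the queries from anyone on the path; if privacy is the reason for the change, that limitation belongs next to the choice.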
88,89d89
< */
<
166a167,170
>
> // Block adware and malware
> include "/etc/bind/zones/adware-plus-malware.zones";
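Review bot: once this `include` is in place, a single malformed line in the generated file (a name the converter did not sanitise, a duplicated zone) keeps named from starting at all. Run `named-checkconf /etc/bind/named.conf` after regenerating the file and before (re)starting named, and keep the previous adware-plus-malware.zones to fall back to if the check fails. A service start is also the only time the list refreshes with this design; a scheduled job that regenerates the file and then runs `rndc reconfig` keeps it current between restarts.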

Note that I am using Cloudflare DNS as it is supposedly more privacy-focused and even faster than Google's.

Update dhcpd

Make sure your DHCP daemon hands out your BIND server's IP address as the nameserver, so clients actually use it. For example, in /etc/dhcp/dhcpd.conf:

option domain-name-servers 192.168.2.1;
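The following is an added example (not part of the gist) of a generator for adware-plus-malware.zones that fails closed: the one-liner in the init script pipes wget straight into the zones file, so a download that fails or is cut short truncates the file and named starts with no blocking. This script downloads to a temporary file, sanitises and deduplicates hostnames, refuses implausibly short lists, swaps the file in atomically, and rolls back if named-checkconf rejects the result. The hosts URL is the one the gist uses; the file paths, the 1000-entry sanity floor and the `.prev` backup name are my assumptions, and the sample hosts lines at the bottom are constructed for the demo, not taken from the real list.

```shell
#!/bin/sh
# Added example, not from the gist: a fail-closed generator for the
# adware-plus-malware.zones include used by named.
#
# Assumptions (mine, not the gist's): the paths below, the MIN_ZONES sanity
# floor, and the "<zones file>.prev" backup name. HOSTS_URL is the gist's.

BLACKHOLE_ZONE="${BLACKHOLE_ZONE:-/etc/bind/zones/blackhole.zone}"
ZONES_FILE="${ZONES_FILE:-/etc/bind/zones/adware-plus-malware.zones}"
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
HOSTS_URL="${HOSTS_URL:-https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts}"
MIN_ZONES="${MIN_ZONES:-1000}"

# stdin: hosts-format list; stdout: one BIND zone statement per unique hostname.
#  - only 0.0.0.0 entries count (the list's 127.0.0.1 / ::1 boilerplate is skipped)
#  - CRLF and trailing "# comments" are stripped, names are lowercased
#  - IPv4 literals (the list's own "0.0.0.0 0.0.0.0" line) and anything that is
#    not a dotted hostname are dropped, so no bogus zone statement is emitted
#  - dedup is keyed on the hostname, not the raw line, because two zone
#    statements for the same name make named refuse to start
hosts_to_zones() {
    tr -d '\r' | sed -e 's/#.*//' -e 's/[[:space:]]*$//' \
    | awk -v zone="$BLACKHOLE_ZONE" '
        $1 == "0.0.0.0" && NF >= 2 {
            name = tolower($2)
            if (name ~ /^[0-9.]+$/) next
            if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
            if (name in seen) next
            seen[name] = 1
            printf "zone \"%s\" { type master; notify no; file \"%s\"; };\n", name, zone
        }'
}

# Fetch, convert, sanity-check and replace the zones file. On any failure the
# previous file is left in place (or restored) and the function returns 1,
# so named keeps the last good blocklist instead of an empty one.
update_zones() {
    raw=$(mktemp) || return 1
    # temp file on the same filesystem as the target, so the final mv is atomic
    new=$(mktemp "$ZONES_FILE.XXXXXX") || { rm -f "$raw"; return 1; }
    if ! wget -q -O "$raw" "$HOSTS_URL"; then
        echo "download failed; keeping current $ZONES_FILE" >&2
        rm -f "$raw" "$new"; return 1
    fi
    hosts_to_zones < "$raw" > "$new"
    rm -f "$raw"
    count=$(grep -c '^zone ' "$new" || true)
    if [ "$count" -lt "$MIN_ZONES" ]; then
        echo "only $count zones generated (error page or stub?); keeping current list" >&2
        rm -f "$new"; return 1
    fi
    chmod 0644 "$new"
    [ -f "$ZONES_FILE" ] && cp -p "$ZONES_FILE" "$ZONES_FILE.prev"
    mv "$new" "$ZONES_FILE"
    # named-checkconf, if installed, catches a bad statement before named restarts
    if command -v named-checkconf >/dev/null 2>&1 && ! named-checkconf "$NAMED_CONF"; then
        echo "named-checkconf rejected the new list; restoring previous" >&2
        [ -f "$ZONES_FILE.prev" ] && mv "$ZONES_FILE.prev" "$ZONES_FILE"
        return 1
    fi
    echo "installed $count blackholed zones into $ZONES_FILE" >&2
}

# Constructed sample input (not the real list) exercising each filter above.
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.COM
0.0.0.0   ads.example.com
0.0.0.0 tracker.example.net # trailing comment
0.0.0.0 evil.example.org
0.0.0.0 bad_label.example
0.0.0.0 nodots
'

# Runs the converter over the sample; expected output is exactly three zone
# statements: ads.example.com, tracker.example.net, evil.example.org.
demo_zones() { printf '%s' "$SAMPLE_HOSTS" | hosts_to_zones; }

case "${1:-}" in
    update) update_zones ;;
    demo)   demo_zones ;;
esac
```

Run it as `sh update-zones.sh demo` to see the sample conversion, and `sh update-zones.sh update` (as root) from the init script or a daily cron job, followed by `rndc reconfig`, to refresh the list without a full restart. The sanity floor exists because a captive portal or CDN error page downloads successfully with HTTP 200 and would otherwise convert to a near-empty, syntactically valid zones file.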