HOWTO Ubiquity EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter as dnsmasq server

Ubiquity EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter

This will show you how to use your EdgeRouter as a local DNS server and block DNS queries to domains that host ads and malware. The blocklists used are:


  • WAN interface is eth0 and is using DHCP
  • All other interfaces are for LAN, and will use the EdgeRouter as DNS server
  • EdgeRouter is DHCP server, with network name 'LAN' and subnet ''
  • EdgeRouter is using firmware 1.9.7 or higher (to use 'forwarding except-interface' instead of 'forwarding listen-on')

Connect to EdgeRouter and set system DNS servers

Connect to EdgeRouter using PowerShell

PS > ssh <username>@<edgerouter IP address>

Enter configure mode and set system nameservers. The system DNS servers will later be used for DNS forwarding.

I'm using Cloudflare and OpenDNS

admin@ERX:~$ configure
admin@ERX:~$ set system name-server
admin@ERX:~$ set system name-server
admin@ERX:~$ set system name-server
admin@ERX:~$ set system name-server

Stop the EdgeRouter from adding the extra system DNS servers learned from eth0 DHCP (the ones your ISP wants you to use).

admin@ERX:~$ set interfaces ethernet eth0 dhcp-options name-server no-update

Renew DHCP for eth0. This will remove the ISP DNS servers from the EdgeRouter system.

admin@ERX:~$ run renew dhcp interface eth0

Commit and save the new config

admin@ERX:~$ commit
admin@ERX:~$ save

Enable DNS server with DNS forwarding on EdgeRouter

Based on the Ubiquiti guide to setting up the EdgeRouter as a DNS server with forwarding enabled.

Enable DNS cache (EdgeRouter forum post discussing cache sizes)

admin@ERX:~$ set service dns forwarding cache-size 3000

Set eth0 to not listen for DNS queries coming from your ISP or the internet.

Using the 'except-interface' setting allows incoming queries from all other interfaces.

admin@ERX:~$ set service dns forwarding except-interface eth0

Forward unknown/uncached DNS queries to the EdgeRouter system DNS servers

admin@ERX:~$ set service dns forwarding system

Make DHCP clients use EdgeRouter as DNS server

admin@ERX:~$ set service dhcp-server shared-network-name LAN subnet dns-server

Commit and save the new config. Exit the configuration tool.

admin@ERX:~$ commit
admin@ERX:~$ save
admin@ERX:~$ exit

Renew DHCP on a client in your LAN

PS > ipconfig /release
PS > ipconfig /renew

Confirm DNS server is set to EdgeRouter and DNS works

PS > nslookup
Default Server:  UnKnown

Server:  UnKnown

Non-authoritative answer:

Validate configuration

Check the correct forwarding nameservers are used

admin@ERX:~$ show dns forwarding nameservers
   Nameservers configured for DNS forwarding
-----------------------------------------------
   available via 'optionally configured'
   available via 'optionally configured'
   available via 'optionally configured'
   available via 'optionally configured'

Generate some traffic on your network. Afterwards, show the DNS statistics.

admin@ERX:~$ show dns forwarding statistics
Cache statistics
Cache size: 3000
Queries forwarded: 472
Queries answered locally: 316
Total DNS entries inserted into cache: 1381
DNS entries removed from cache before expiry: 0

Nameserver statistics
Queries sent: 205
Queries retried or failed: 8

Queries sent: 162
Queries retried or failed: 3

Queries sent: 248
Queries retried or failed: 6

Queries sent: 202
Queries retried or failed: 7

Add DNS filter to dnsmasq

Switch to the root user and open up vi.

root@ERX:~# sudo -i
root@ERX:~# vi /config/user-data/

Enable insert mode in 'vi' by pressing 'i'. Paste the following into the bash script.

#!/bin/bash
# The values of the variables below were not preserved in this copy of the
# gist; the <...> strings are placeholders to replace with your own values.

# Blocklist for ads
blocklist_url1_1="<ads blocklist URL>"
# Blocklist for malware
blocklist_url2_1="<malware blocklist URL 1>"
blocklist_url2_2="<malware blocklist URL 2>"
blocklist_url2_3="<malware blocklist URL 3>"

# IP to respond to DNS query if domain is on blocklist
# IP '' is a black hole. Per RFC 1122, section "This host on this network. MUST NOT be sent, except as a source address as part of an initialization procedure by which the host learns its own IP address."
pixelserv_ip="<black hole IP>"

# Block configuration to be used by dnsmasq
blocklist="<path to the dnsmasq blocklist config file>"

# Temp blocklists
temp_blocklist1="<temp file for the ad list>"
temp_blocklist2="<temp file for the malware list>"

# Ad list: rewrite its 127.0.0.1 answers to the black hole IP
curl -s "$blocklist_url1_1" | sed "s/127\.0\.0\.1/$pixelserv_ip/" > "$temp_blocklist1"
# Malware lists: plain domains, concatenated
curl -s "$blocklist_url2_1" > "$temp_blocklist2"
curl -s "$blocklist_url2_2" >> "$temp_blocklist2"
curl -s "$blocklist_url2_3" >> "$temp_blocklist2"

# Remove comment lines
sed -i "/^#/d" "$temp_blocklist2"
# Remove header line: Site
sed -i "/Site/d" "$temp_blocklist2"
# Add to start of all lines: address=/
sed -i "s/^/address=\//" "$temp_blocklist2"
# Add to end of all lines: /$pixelserv_ip
sed -i "s/$/\/$pixelserv_ip/" "$temp_blocklist2"

# Join files to one
cat "$temp_blocklist2" >> "$temp_blocklist1"

# If temp blocklist exists
if [ -f "$temp_blocklist1" ]; then
    # Keep only unique entries
    sort "$temp_blocklist1" | uniq > "$blocklist"
else
    echo "Error building the ad list, please try again."
fi

# Clean up temp blocklists
rm "$temp_blocklist1"
rm "$temp_blocklist2"

# Restart dnsmasq to load new config
/etc/init.d/dnsmasq force-reload

Save the bash file by typing escape, and ':wq'.

Make sure you're root, chmod the script, and add it to crontab. Crontab will generate a new blocklist every day, so the newest ad and malware domains are always blocked.

root@ERX:~# sudo -i
root@ERX:~# chmod a+x /config/user-data/
root@ERX:~# sh /config/user-data/
root@ERX:~# (crontab -l ; echo "20 4 * * *  /config/user-data/") | crontab -
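The list-building step above, as an added example that is not part of the gist: a POSIX sh version that normalises each downloaded line before it reaches dnsmasq and refuses to install a list that is empty or that dnsmasq's own syntax check (`dnsmasq --test`) rejects, so a failed download at 04:20 cannot silently unblock everything or break LAN DNS on reload. It assumes 0.0.0.0 as the sink address (the gist's own value is not preserved in this copy) and uses a constructed sample list in place of the downloads.

```shell
#!/bin/sh
# Added example, not part of the gist: turn raw blocklist input into
# dnsmasq 'address=/domain/IP' lines and refuse to install a list that is
# empty or that dnsmasq rejects, so a failed download or one malformed
# line cannot take LAN DNS down on the next reload.
# Assumption: 0.0.0.0 is the sink address (the gist's value is not
# preserved in this copy of the page).
SINK_IP="0.0.0.0"
# Constructed sample input: hosts-format and bare-domain lines, a "Site"
# header, comments, a localhost entry and junk, as real lists contain.
SAMPLE_LIST='# constructed sample list
Site
127.0.0.1 localhost
127.0.0.1 ads.example.test   # trailing comment
0.0.0.0 Tracker.Example.Test
malware.example.test
ads.example.test
not a domain!
'
# stdin: raw list lines; stdout: sorted, unique dnsmasq address= lines.
# Comments, hosts-file prefixes, blank and "Site" lines are dropped, then
# only plausible hostnames survive (so "localhost", "::1 ..." and junk go).
to_dnsmasq() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*127\.0\.0\.1[[:space:]]*//' \
        -e 's/^[[:space:]]*0\.0\.0\.0[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e '/^Site$/d' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -E '^([a-z0-9-]+\.)+[a-z][a-z0-9-]*$' \
    | grep -v -E '^localhost\.localdomain$' \
    | sort -u \
    | sed -e 's#^#address=/#' -e "s#\$#/$SINK_IP#"
}
# Writes the generated list to $1 only if it is non-empty and dnsmasq's
# syntax check accepts it; otherwise the previous file is left untouched.
# The caller then reloads dnsmasq (the gist's force-reload line).
install_blocklist() {
    dest="$1"; tmp="$dest.new"
    to_dnsmasq > "$tmp"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 2; }
    fi
    mv "$tmp" "$dest"
}
# Stand-alone run: show what the sample turns into.
printf '%s' "$SAMPLE_LIST" | to_dnsmasq
```

In the cron job, pipe the curl output into `install_blocklist <dnsmasq config path>` and only run the force-reload when it returns 0.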

Disconnect from the router

root@ERX:~# exit

Visit the following sites to confirm the ad-blocker is working:


commented Jun 13, 2019

Hoping you might be able to help me out. I'm following your guide and I keep getting this error.

ne@EdgeRoute# set service dhcp-server shared-network-name LAN subnet dns-server
The specified configuration node requires a value
Set failed

I'm simply copy-pasting what you have written.
