Using DNSMasq as a caching nameserver & add in a malware etc blocking

dnsmasq-antimalware

#!/bin/sh

# Choose from here https://github.com/StevenBlack/hosts
#HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts
TMP_LOCATION=/tmp

wget $HOSTS_RAW -P $TMP_LOCATION 

awk '$1 == "0.0.0.0"  { print "address=/"$2"/0.0.0.0/"}' $TMP_LOCATION/hosts  > /etc/dnsmasq.d/malware.conf

#for ipv6 support uncomment below
#awk '$1 == "0.0.0.0"  { print "address=/"$2"/::1/"}' $TMP_LOCATION/hosts > /etc/dnsmasq.d/malware-ipv6.conf

#clean up!
rm $TMP_LOCATION/hosts

DNSMasq_withMalwareBlocking.md

Assuming a Properly configured DNSMasq

a quickstart for dnsmasq is given at the end if you have not set it up yet.

---

something like this will add a great regularly updated malware file for it to use. More security and privacy to you! Specifically, this uses https://github.com/StevenBlack/hosts Choose one of the Raw Hosts file from there to use.

To setup DNSMasq, follow the below ...

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/0.0.0.0/"}' > /etc/dnsmasq.d/malware.conf`

for ipv6, add in this too

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/::1/"}' > /etc/dnsmasq.d/malware-ipv6.conf

you could also use that line in a cron job to have it run periodically. I have attached a file dnsmasq-antimalware with this gist, which I dump into /etc/cron.weekly which basically does the above and updates the dnsmasq formatted file weekly

The only thing you might need to configure is your choice of host file. Edit "HOSTS_RAW" as needed.

& of course, restart dnsmasq.

If you have not setup dnsmasq, there is a heap of documentaion online, or just follow the quick steps below.

---

Quickstart DNSMasq Setup, just in case

1. Install DNSMasq Debian: apt-get install dnsmasq Others: install dnsmasq from whatever package manager present, it will likely be present in the distro.

2. Config DNSMasq as Needed. Edit as needed, I have added the main config I use below.

/etc/dnsmasq.conf

( or /etc/dnsmasq.d/dnsmasq.conf if configured in Debian as such )

 domain-needed
 bogus-priv
 no-resolv
 clear-on-reload
 strict-order
 no-negcache
 no-poll
 cache-size=1000

3. Lets point command line to use dnsmasq by default If you are using the resolvconf package. Basically configure your system so that it /etc/resolv.conf has only one nameserver configured pointing to localhost, or make sure this local dns is the first listed nameserver.

Tip: For many public wifis, you might need to also configure a second nameserver to an externally used dns. I usually leave a second nameserver with a public nameserver of my choosing. No need too, just keep this in mind since it could catch you out.

echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base

4. Lets also configure NetworkManager to use this dnsmasq. This ensures no other config is needed for each configured interface from NetworkManager.

Put a line like so in

/etc/NetworkManager/NetworkManager.conf:

look for [main] and add a line as indicated below (& of course restart NetworkManager, or just restart)

I use a separate dnsmasq process and hence the config, below basically tells NetworkManager not the touch the resolv.conf

[main]

dns=none

• with the above config, I do not actually use the /etc/resolv.conf .. so check and adjust your system accordingly with your choice. The above setup for Dnsmasq + NetworkManager are really hints only. Milage will vary.

Alternately, the option dns=systemd-resolved could also work instead.

• This is tested across recent Fedora (24+) & Debian boxes
• Bonus tip: Its a smallish step up from here to get DNSCrypt going as well, will add a link once I get down to documenting that.