Using DNSMasq as a caching nameserver & add in a malware etc blocking
#!/bin/sh
# Fetch a hosts-format blocklist and convert it into a dnsmasq address= file.
# Choose from here https://github.com/StevenBlack/hosts
#HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts
TMP_LOCATION=/tmp
set -e   # abort before touching the dnsmasq config if the download fails
# -O fixes the file name; -P would save as hosts.1, hosts.2, ... on repeated runs
wget -q -O "$TMP_LOCATION/hosts" "$HOSTS_RAW"
awk '$1 == "0.0.0.0" { print "address=/"$2"/0.0.0.0/"}' "$TMP_LOCATION/hosts" > /etc/dnsmasq.d/malware.conf
#for ipv6 support uncomment below
#awk '$1 == "0.0.0.0" { print "address=/"$2"/::1/"}' "$TMP_LOCATION/hosts" > /etc/dnsmasq.d/malware-ipv6.conf
#clean up!
rm "$TMP_LOCATION/hosts"

Assuming a properly configured DNSMasq

A quickstart for dnsmasq is given at the end if you have not set it up yet.

Something like this will add a good, regularly updated malware blocklist for it to use. More security and privacy to you! Specifically, this uses https://github.com/StevenBlack/hosts; choose one of the raw hosts files from there to use.

To generate the blocklist file for dnsmasq, run the following:

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/0.0.0.0/"}' > /etc/dnsmasq.d/malware.conf

For IPv6, add in this too:

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/::1/"}' > /etc/dnsmasq.d/malware-ipv6.conf

You could also use that line in a cron job to have it run periodically. I have attached a file dnsmasq-antimalware with this gist, which I dump into /etc/cron.weekly; it does the above and updates the dnsmasq-formatted file weekly.

The only thing you might need to configure is your choice of hosts file. Edit "HOSTS_RAW" as needed.

And of course, restart dnsmasq: it reads /etc/dnsmasq.d only at startup, so a cron job should restart it after rewriting the file, otherwise the old list stays in effect.

If you have not set up dnsmasq, there is a heap of documentation online, or just follow the quick steps below.
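The conversion described above, as an added example that is not the gist's own script: it generalises the awk one-liner to handle several hostnames per line, inline comments and duplicates, never blackholes the localhost entries every hosts file carries, and takes the sink address as a parameter (0.0.0.0 for IPv4, or :: for IPv6). It emits the canonical `address=/host/ip` form without the trailing slash, and the sample hosts data is constructed for the demo.

```shell
#!/bin/sh
# Convert a hosts-format blocklist (hosts file on stdin) into dnsmasq "address=" lines.
# Usage: hosts_to_dnsmasq SINK_ADDRESS < hosts_file
hosts_to_dnsmasq() {
    awk -v sink="$1" '
        { sub(/#.*/, "") }            # drop full-line and inline comments
        NF < 2 { next }               # blank line or address with no hostname
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # only blackholed entries
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # never blackhole the local names a hosts file always contains
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "local" || h == "broadcasthost" || h == "0.0.0.0")
                    continue
                if (seen[h]++) continue      # de-duplicate across the whole list
                printf "address=/%s/%s\n", h, sink
            }
        }'
}

# Constructed sample in the StevenBlack hosts layout (not real blocklist data)
SAMPLE_HOSTS='# Title: constructed example hosts
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.test   # inline comment
0.0.0.0 tracker.example.test cdn.tracker.example.test
0.0.0.0 ads.example.test
::1 localhost'

# Prints the generated dnsmasq config for the sample; sink defaults to 0.0.0.0
generate_sample() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq "${1:-0.0.0.0}"
}

generate_sample "$@"
```

Replace the sample with `wget -O- "$HOSTS_RAW" | hosts_to_dnsmasq 0.0.0.0 > /etc/dnsmasq.d/malware.conf` for real use.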


Quickstart DNSMasq setup, just in case

  1. Install DNSMasq. Debian: apt-get install dnsmasq. Others: install dnsmasq from whatever package manager is present; it will likely be packaged by the distro.

  2. Configure DNSMasq as needed. Edit as needed; I have added the main config I use below.

/etc/dnsmasq.conf

( or /etc/dnsmasq.d/dnsmasq.conf if configured in Debian as such )

 domain-needed
 bogus-priv
 no-resolv
 clear-on-reload
 strict-order
 no-negcache
 no-poll
 cache-size=1000
  3. Point the system resolver at dnsmasq by default. If you are using the resolvconf package, configure your system so that /etc/resolv.conf has only one nameserver configured, pointing to localhost, or make sure this local DNS is the first listed nameserver.

Tip: For many public wifis, you might need to also configure a second nameserver pointing to an external DNS. I usually leave a second nameserver with a public nameserver of my choosing. No need to, just keep this in mind since it could catch you out.

echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base

  4. Also configure NetworkManager to use this dnsmasq. This ensures no other config is needed for each interface configured from NetworkManager.

Put a line like so in /etc/NetworkManager/NetworkManager.conf: look for [main] and add a line as indicated below (and of course restart NetworkManager, or just reboot).

I use a separate dnsmasq process, and hence the config below basically tells NetworkManager not to touch the resolv.conf:

[main]
dns=none

  • With the above config, I do not actually use the /etc/resolv.conf, so check and adjust your system accordingly with your choice. The above setup for dnsmasq + NetworkManager is really hints only. Mileage will vary.

Alternately, the option dns=systemd-resolved could also work instead.

  • This is tested across recent Fedora (24+) and Debian boxes.
  • Bonus tip: It's a smallish step up from here to get DNSCrypt going as well; will add a link once I get down to documenting that.
@automorphism88


automorphism88 commented May 3, 2018

This script is an example of useless use of cat: awk can read its input from a file instead of stdin if the filename is specified as the second argument, e.g.

awk '$1 == "0.0.0.0"  { print "address=/"$2"/0.0.0.0/"}' /tmp/hosts > /etc/dnsmasq.d/malware.conf

No need for the extra process and pipe. Might also want to delete the temporary file at the end of the script.

@erlepereira


Owner

erlepereira commented May 26, 2018

Nice catch. Script updated.
Cheers!

@frateche


frateche commented Aug 4, 2018

Why not use the dnsmasq "--addn-hosts" option with raw file ?

@pgeorgan


pgeorgan commented Dec 12, 2018

I think you have a superfluous backtick in the first command of .md file.

@pgeorgan


pgeorgan commented Dec 12, 2018

Why not use the dnsmasq "--addn-hosts" option with raw file ?

That's what I did, as I use dnsmasq in combination with dnscrypt.
