This will show you how to use your EdgeRouter as a local DNS server that blocks DNS queries for domains hosting ads and malware. The blocklists used are:
- Ad blocklist from Yoyo Internet Services
- High risk domains from DShield
- Medium risk domains from DShield
- Low risk domains from DShield
Assumptions:
- WAN interface is eth0 and is using DHCP
- All other interfaces are LAN interfaces and will use the EdgeRouter as their DNS server
- The EdgeRouter is the DHCP server, with network name 'LAN' and subnet '192.168.1.0/24'
- EdgeRouter is using firmware 1.9.7 or higher (to use 'forwarding except-interface' instead of 'forwarding listen-on')
Connect to EdgeRouter using PowerShell
PS > ssh <username>@<edgerouter IP address>
Enter configure mode and set system nameservers. The system DNS servers will later be used for DNS forwarding.
I'm using Cloudflare and OpenDNS
admin@ERX:~$ configure
admin@ERX:~$ set system name-server 1.1.1.1
admin@ERX:~$ set system name-server 1.0.0.1
admin@ERX:~$ set system name-server 208.67.220.220
admin@ERX:~$ set system name-server 208.67.222.222
Stop EdgeRouter from adding extra system DNS servers from eth0 DHCP (the ones your ISP wants you to use)
admin@ERX:~$ set interfaces ethernet eth0 dhcp-options name-server no-update
Renew DHCP for eth0. This will remove the ISP DNS servers from the EdgeRouter system
admin@ERX:~$ run renew dhcp interface eth0
Commit and save the new config
admin@ERX:~$ commit
admin@ERX:~$ save
Based on the Ubiquiti guide to setting up an EdgeRouter as a DNS server with forwarding enabled.
Enable DNS cache (EdgeRouter forum post discussing cache sizes)
admin@ERX:~$ set service dns forwarding cache-size 3000
Set eth0 to not listen for DNS queries coming from your ISP or the internet.
Using the 'except-interface' setting allows incoming queries on all other interfaces
admin@ERX:~$ set service dns forwarding except-interface eth0
Forward unknown/uncached DNS queries to the EdgeRouter system DNS servers
admin@ERX:~$ set service dns forwarding system
Make DHCP clients use EdgeRouter as DNS server
admin@ERX:~$ set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1
Commit and save the new config. Exit the configuration tool.
admin@ERX:~$ commit
admin@ERX:~$ save
admin@ERX:~$ exit
Renew DHCP on a client in your LAN
PS > ipconfig /release
PS > ipconfig /renew
Confirm DNS server is set to EdgeRouter and DNS works
PS > nslookup
Default Server: UnKnown
Address: 192.168.1.1
> github.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
Name: github.com
Addresses: 140.82.118.4
140.82.118.3
Check the correct forwarding nameservers are used
admin@ERX:~$ show dns forwarding nameservers
-----------------------------------------------
Nameservers configured for DNS forwarding
-----------------------------------------------
1.1.1.1 available via 'optionally configured'
1.0.0.1 available via 'optionally configured'
208.67.222.222 available via 'optionally configured'
208.67.220.220 available via 'optionally configured'
Generate some traffic on your network, then show the DNS statistics
admin@ERX:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 3000
Queries forwarded: 472
Queries answered locally: 316
Total DNS entries inserted into cache: 1381
DNS entries removed from cache before expiry: 0
---------------------
Nameserver statistics
---------------------
Server: 208.67.220.220
Queries sent: 205
Queries retried or failed: 8
Server: 208.67.222.222
Queries sent: 162
Queries retried or failed: 3
Server: 1.0.0.1
Queries sent: 248
Queries retried or failed: 6
Server: 1.1.1.1
Queries sent: 202
Queries retried or failed: 7
Switch to the root user and open up vi
root@ERX:~# sudo -i
root@ERX:~# vi /config/user-data/update-adblock-dnsmasq.sh
Enable insert mode in 'vi' by pressing 'i'. Paste the following into the bash script
#!/bin/bash
# Blocklist for ads
blocklist_url1_1="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext"
# Blocklists for malware
blocklist_url2_1="https://www.dshield.org/feeds/suspiciousdomains_High.txt"
blocklist_url2_2="https://www.dshield.org/feeds/suspiciousdomains_Medium.txt"
blocklist_url2_3="https://www.dshield.org/feeds/suspiciousdomains_Low.txt"
# IP to respond with if the queried domain is on a blocklist.
# '0.0.0.0' is a black hole. Per RFC 1122, section 3.2.1.3: "This host on this network. MUST NOT be sent, except as a source address as part of an initialization procedure by which the host learns its own IP address."
pixelserv_ip="0.0.0.0"
# Blocklist configuration read by dnsmasq
blocklist="/etc/dnsmasq.d/dnsmasq-blocklist.conf"
# Temp blocklists
temp_blocklist1="/tmp/dnsmasq-blocklist1.conf.tmp"
temp_blocklist2="/tmp/dnsmasq-blocklist2.conf.tmp"
# Fetch the ad list (already in dnsmasq format) and point it at the black hole instead of 127.0.0.1.
# 'curl -f' fails on HTTP errors, so a bad download does not leave an HTML error page in the list.
curl -sf "$blocklist_url1_1" | sed "s/127\.0\.0\.1/$pixelserv_ip/" > "$temp_blocklist1"
# Fetch the malware lists (plain lists of domains, one per line)
curl -sf "$blocklist_url2_1" > "$temp_blocklist2"
curl -sf "$blocklist_url2_2" >> "$temp_blocklist2"
curl -sf "$blocklist_url2_3" >> "$temp_blocklist2"
# Remove comment lines
sed -i "/^#/d" "$temp_blocklist2"
# Remove header line: Site
sed -i "/^Site/d" "$temp_blocklist2"
# Remove blank lines (an empty 'address=//' entry would break the dnsmasq config)
sed -i "/^[[:space:]]*$/d" "$temp_blocklist2"
# Add to start of all lines: address=/
sed -i "s/^/address=\//" "$temp_blocklist2"
# Add to end of all lines: /$pixelserv_ip
sed -i "s/$/\/$pixelserv_ip/" "$temp_blocklist2"
# Join files to one
cat "$temp_blocklist2" >> "$temp_blocklist1"
# Only install the new list if it is non-empty; otherwise keep the previous blocklist
if [ -s "$temp_blocklist1" ]
then
    # Keep only unique entries
    sort -u "$temp_blocklist1" > "$blocklist"
else
    echo "Error building the ad list, please try again."
    rm -f "$temp_blocklist1" "$temp_blocklist2"
    exit 1
fi
# Clean up temp blocklists
rm -f "$temp_blocklist1" "$temp_blocklist2"
# Restart dnsmasq to load new config
/etc/init.d/dnsmasq force-reload
Save the bash file by pressing Escape and typing ':wq'.
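A single malformed line in a downloaded feed (a blank line, a stray header, a line with spaces) ends up as a broken 'address=' directive, and dnsmasq will refuse to start on a bad config, taking DNS for the whole LAN down with it. The script below is an added example, not the update script above and not part of EdgeOS: it applies the same transformation to constructed samples of both feed formats, keeps only plausible hostnames, and only installs a list that passes validation. The sample feed contents, the function names and the 'address=' validation regex are assumptions made for this example; the real feeds may contain lines these samples do not.

```shell
#!/bin/bash
# Added example, not the original update script: build the dnsmasq blocklist
# from both feed formats and refuse to install a file dnsmasq would reject.
# The feed contents below are CONSTRUCTED samples, not real feed data.

SINKHOLE_IP="0.0.0.0"

# Constructed sample of the yoyo "hostformat=dnsmasq" output (note the duplicate)
YOYO_SAMPLE='address=/ad.example.com/127.0.0.1
address=/Tracker.Example.net/127.0.0.1
address=/ad.example.com/127.0.0.1'

# Constructed sample of a DShield-style plain domain list: comment banner,
# "Site" header, a CRLF-terminated line, a blank line and a malformed entry
DSHIELD_SAMPLE=$(printf '#\n#  Suspicious Domain List (constructed sample)\n#\nSite\nmalware.example.org\r\n\nnot a domain!\nphish.example.com\n')

# Turn either feed format (stdin) into "address=/<domain>/<sinkhole>" lines.
# Drops comments, the header, blank lines and CRs, lower-cases names and keeps
# only plausible hostnames, so one bad feed line cannot break the whole config.
to_dnsmasq_lines() {
  tr -d '\r' \
    | sed -e '/^#/d' -e '/^Site$/d' -e '/^[[:space:]]*$/d' \
    | sed -e 's#^address=/\(.*\)/.*$#\1#' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
    | sed "s#^#address=/#; s#\$#/$SINKHOLE_IP#"
}

# A config is valid only if it is non-empty and every line is an address=
# directive that points at the sinkhole. Returns 0 when valid, 1 otherwise.
validate_conf() {
  [ -s "$1" ] || return 1
  ! grep -qvE "^address=/([a-z0-9_-]+\.)+[a-z0-9-]+/$SINKHOLE_IP\$" "$1"
}

# Build the combined, de-duplicated list into the file named by $1.
build_blocklist() {
  { printf '%s\n' "$YOYO_SAMPLE"; printf '%s\n' "$DSHIELD_SAMPLE"; } \
    | to_dnsmasq_lines | LC_ALL=C sort -u > "$1"
}

# Move a candidate file ($1) over the live config ($2) only if it validates;
# mv within one filesystem is atomic, so dnsmasq never reloads a partial file.
install_if_valid() {
  validate_conf "$1" && mv -f "$1" "$2"
}

# Stand-alone run: build into a temp file, install it beside it, show the result
main() {
  tmp=$(mktemp)
  dest="$tmp.conf"
  build_blocklist "$tmp"
  if install_if_valid "$tmp" "$dest"; then
    cat "$dest"
  else
    echo "blocklist rejected, keeping the previous one" >&2
  fi
  rm -f "$tmp" "$dest"
}
main "$@"
```

On the router, the same pattern would replace the 'sort | uniq > $blocklist' step: build into /tmp, validate, then move the file into /etc/dnsmasq.d and force-reload only when the move succeeded, so a failed or truncated download leaves yesterday's list in place instead of an empty or broken one.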
Make sure you're root, chmod the script, and add it to crontab. Cron will generate a new blocklist every day, so the newest ad and malware domains are always blocked.
root@ERX:~# sudo -i
root@ERX:~# chmod a+x /config/user-data/update-adblock-dnsmasq.sh
root@ERX:~# sh /config/user-data/update-adblock-dnsmasq.sh
root@ERX:~# (crontab -l ; echo "20 4 * * * /config/user-data/update-adblock-dnsmasq.sh") | crontab -
Disconnect from the router
root@ERX:~# exit
admin@ERX:~$
Visit the following sites to confirm the ad-blocker is working: