  • Save orther/dbafbc147fa0cd2d06788cb5d87c459b to your computer and use it in GitHub Desktop.
HOWTO Ubiquity EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter as dnsmasq server

Ubiquiti EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter

This guide shows how to use your EdgeRouter as a local DNS server that blocks DNS queries for domains hosting ads and malware. The blocklists used are the pgl.yoyo.org ad-server list and the DShield suspicious-domain feeds (High, Medium and Low), both fetched by the script below.

Assumptions:

  • WAN interface is eth0 and is using DHCP
  • All other interfaces are for LAN, and will use the EdgeRouter as DNS server
  • EdgeRouter is DHCP server, with network name 'LAN' and subnet '192.168.1.0/24'
  • EdgeRouter is using firmware 1.9.7 or higher (to use 'forwarding except-interface' instead of 'forwarding listen-on')

Connect to EdgeRouter and set system DNS servers

Connect to EdgeRouter using PowerShell

PS > ssh <username>@<edgerouter IP address>

Enter configure mode and set system nameservers. The system DNS servers will later be used for DNS forwarding.

I'm using Cloudflare and OpenDNS

admin@ERX:~$ configure
admin@ERX:~$ set system name-server 1.1.1.1
admin@ERX:~$ set system name-server 1.0.0.1
admin@ERX:~$ set system name-server 208.67.220.220
admin@ERX:~$ set system name-server 208.67.222.222

Stop EdgeRouter from adding extra system DNS servers from eth0 DHCP (the ones your ISP wants you to use)

admin@ERX:~$ set interfaces ethernet eth0 dhcp-options name-server no-update

Renew DHCP for eth0. This removes the ISP DNS servers from the EdgeRouter system DNS list.

admin@ERX:~$ run renew dhcp interface eth0

Commit and save the new config

admin@ERX:~$ commit
admin@ERX:~$ save

Enable DNS server with DNS forwarding on EdgeRouter

Based on the Ubiquiti guide to setting up the EdgeRouter as a DNS server with forwarding enabled.

Enable DNS cache (EdgeRouter forum post discussing cache sizes)

admin@ERX:~$ set service dns forwarding cache-size 3000

Set eth0 to not listen for DNS queries coming from your ISP or the internet, so the router never acts as an open resolver.

Using the 'except-interface' setting allows incoming queries on all other interfaces.

admin@ERX:~$ set service dns forwarding except-interface eth0

Forward unknown/uncached DNS queries to the EdgeRouter system DNS servers

admin@ERX:~$ set service dns forwarding system

Make DHCP clients use the EdgeRouter (192.168.1.1 in this setup) as their DNS server. The 'dns-server' option needs the router's LAN address as its argument.

admin@ERX:~$ set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.1

Commit and save the new config. Exit the configuration tool.

admin@ERX:~$ commit
admin@ERX:~$ save
admin@ERX:~$ exit

Renew DHCP on a client in your LAN

PS > ipconfig /release
PS > ipconfig /renew

Confirm the DNS server is set to the EdgeRouter and that DNS resolution works

PS > nslookup
Default Server:  UnKnown
Address:  192.168.1.1

> github.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:       github.com
Addresses:  140.82.118.4
            140.82.118.3

Validate configuration

Check that the correct forwarding nameservers are used

admin@ERX:~$ show dns forwarding nameservers
-----------------------------------------------
   Nameservers configured for DNS forwarding
-----------------------------------------------
1.1.1.1 available via 'optionally configured'
1.0.0.1 available via 'optionally configured'
208.67.222.222 available via 'optionally configured'
208.67.220.220 available via 'optionally configured'

Generate some traffic on your network, then show the DNS statistics

admin@ERX:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 3000
Queries forwarded: 472
Queries answered locally: 316
Total DNS entries inserted into cache: 1381
DNS entries removed from cache before expiry: 0

---------------------
Nameserver statistics
---------------------
Server: 208.67.220.220
Queries sent: 205
Queries retried or failed: 8

Server: 208.67.222.222
Queries sent: 162
Queries retried or failed: 3

Server: 1.0.0.1
Queries sent: 248
Queries retried or failed: 6

Server: 1.1.1.1
Queries sent: 202
Queries retried or failed: 7

Add DNS filter to dnsmasq

Switch to the root user and open up vi.

admin@ERX:~$ sudo -i
root@ERX:~# vi /config/user-data/update-adblock-dnsmasq.sh

Enable insert mode in 'vi' by pressing 'i', then paste the following bash script

#!/bin/bash

# Blocklist for ads (already in dnsmasq 'address=' format)
blocklist_url1_1="https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext"
# Blocklists for malware (one domain per line)
blocklist_url2_1="https://www.dshield.org/feeds/suspiciousdomains_High.txt"
blocklist_url2_2="https://www.dshield.org/feeds/suspiciousdomains_Medium.txt"
blocklist_url2_3="https://www.dshield.org/feeds/suspiciousdomains_Low.txt"

# IP to respond with if the queried domain is on a blocklist.
# '0.0.0.0' is a black hole. Per RFC 1122, section 3.2.1.3: "This host on this network. MUST NOT be sent, except as a source address as part of an initialization procedure by which the host learns its own IP address."
pixelserv_ip="0.0.0.0"

# Block configuration to be used by dnsmasq
blocklist="/etc/dnsmasq.d/dnsmasq-blocklist.conf"

# Temp blocklists
temp_blocklist1="/tmp/dnsmasq-blocklist1.conf.tmp"
temp_blocklist2="/tmp/dnsmasq-blocklist2.conf.tmp"

# Download the lists. 'curl -f' fails on HTTP errors instead of saving the error page as a blocklist,
# which would otherwise end up in /etc/dnsmasq.d and break dnsmasq.
if ! curl -sf "$blocklist_url1_1" > "$temp_blocklist1"
then
    echo "Error downloading the ad list, please try again."
    rm -f "$temp_blocklist1"
    exit 1
fi
# The yoyo list points blocked domains at 127.0.0.1; point them at the black hole instead
sed -i "s/127\.0\.0\.1/$pixelserv_ip/" "$temp_blocklist1"

if ! { curl -sf "$blocklist_url2_1" && curl -sf "$blocklist_url2_2" && curl -sf "$blocklist_url2_3"; } > "$temp_blocklist2"
then
    echo "Error downloading the malware lists, please try again."
    rm -f "$temp_blocklist1" "$temp_blocklist2"
    exit 1
fi

# Remove comment lines
sed -i "/^#/d" "$temp_blocklist2"
# Remove Windows line endings and the header line: Site (anchored, so domains containing "Site" are kept)
sed -i -e 's/\r$//' -e '/^Site$/d' "$temp_blocklist2"
# Remove blank lines so dnsmasq never sees an empty 'address=//' entry
sed -i '/^$/d' "$temp_blocklist2"
# Add to start of all lines: address=/
sed -i "s/^/address=\//" "$temp_blocklist2"
# Add to end of all lines: /$pixelserv_ip
sed -i "s/$/\/$pixelserv_ip/" "$temp_blocklist2"

# Join files to one
cat "$temp_blocklist2" >> "$temp_blocklist1"

# Only replace the live blocklist if the new one is not empty
if [ -s "$temp_blocklist1" ]
then
    # Keep only unique entries
    sort -u "$temp_blocklist1" > "$blocklist"
else
    echo "Error building the ad list, please try again."
    rm -f "$temp_blocklist1" "$temp_blocklist2"
    exit 1
fi

# Clean up temp blocklists
rm -f "$temp_blocklist1" "$temp_blocklist2"

# Restart dnsmasq to load new config
/etc/init.d/dnsmasq force-reload

Save the file by pressing Escape and typing ':wq'.

Make sure you're root, make the script executable, run it once, and add it to the root crontab. Cron will then generate a new blocklist every day, so the newest ad and malware domains are always blocked.

admin@ERX:~$ sudo -i
root@ERX:~# chmod a+x /config/user-data/update-adblock-dnsmasq.sh
root@ERX:~# /config/user-data/update-adblock-dnsmasq.sh
root@ERX:~# (crontab -l ; echo "20 4 * * *  /config/user-data/update-adblock-dnsmasq.sh") | crontab -
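The update script trusts whatever the feeds return. As an added example (not part of the gist, and with function names feed_to_dnsmasq and check_blocklist chosen here), the helpers below convert a DShield-style domain feed into dnsmasq 'address=' lines while dropping comments, the header, blank lines and anything that is not a plausible hostname, and then verify a finished blocklist file before it is handed to dnsmasq; the sample feed is constructed, not real DShield data.

```shell
#!/bin/sh
# Added example, not part of the original gist. feed_to_dnsmasq keeps only
# plausible hostnames from a DShield-style feed; check_blocklist refuses a
# finished file containing anything but address=/domain/IP lines.

sinkhole_ip="0.0.0.0"   # same black-hole answer the gist script uses
# Regex-escaped copy of the sinkhole IP for the final check.
sinkhole_re=$(printf '%s' "$sinkhole_ip" | sed 's/\./\\./g')

# Hostname pattern: labels of letters, digits and hyphens, at least one dot.
host_re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$'

# Read a feed on stdin; print deduplicated address=/domain/IP lines on stdout.
# Comment lines, the DShield "Site" header, CRLF endings, blank lines and
# junk such as an HTML error page are dropped instead of reaching dnsmasq.
feed_to_dnsmasq() {
    tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -v -e '^#' -e '^Site$' \
    | grep -E "$host_re" \
    | tr 'A-Z' 'a-z' \
    | sort -u \
    | sed "s|^\(.*\)$|address=/\1/$sinkhole_ip|"
}

# Return 0 if every line of the file is a well-formed address= entry for the
# sinkhole IP; otherwise print the offending lines to stderr and return 1.
# Run it on the generated file before placing it in /etc/dnsmasq.d.
check_blocklist() {
    bad=$(grep -v -E "^address=/[a-z0-9.-]+/$sinkhole_re\$" "$1" || true)
    [ -z "$bad" ] && return 0
    printf 'rejected lines:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample feed (not real DShield data) exercising each case.
sample_feed='# DShield suspicious domains (constructed sample)
Site
ads.example.com
Malware.Example.NET
<html>503 Service Unavailable</html>

bad_domain.example
tracker.example.org
ads.example.com'

printf '%s\n' "$sample_feed" | feed_to_dnsmasq
```

Run as-is it prints three address= lines (the HTML line, the underscore domain, the blank line and the duplicate are dropped); in the update script you would run check_blocklist on the temp file and skip the force-reload if it fails.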

Disconnect from the router

root@ERX:~# exit
admin@ERX:~$ 

Visit the following sites to confirm the ad-blocker is working:
