#!/bin/bash

# --
# adblocker-dnsmasq.sh
# Rev 6
#
# Complete guide to creating your own ad-blocking, malware blocking and ransomware-blocking internet gateway:
# http://supratim-sanyal.blogspot.com/2016/07/add-simple-ad-blocker-with-dnsmasq-to.html
#
# Assuming dnsmasq is configured so that it reads configuration files from /etc/dnsmasq.d, this
# script grabs ad, malware and ransomware server lists from yoyo and other places, saving "address=/xxxxxx.com/10.42.2.1" and
# "server=/xxxxxx.com/" format files in dnsmasq configuration directory so that requests to the listed ad servers
# are redirected to a local LAN address or fail. It restarts dnsmasq afterwards.
#
# OUTPUT FILES:
# 1) /etc/dnsmasq.d/adblocklist.conf with lines like "address=/xxxxxx.com/10.42.2.1"
# 2) /etc/dnsmasq.d/adblockserverlist.conf with lines like "server=/xxxxxx.com/"
# 3) /etc/dnsmasq.d/adblocklist-from-vps.conf - grabbed from my VPS at http://sanyalnet-cloud-vps.freeddns.org/adblocklist.conf
#
# This should be put in a weekly cron job, perhaps using a file in /etc/cron.d/update-adblocker-dnsmasq like this:
#       #/etc/cron.d/update-adblocker-dnsmasq
#       SHELL=/bin/bash
#       PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
#       MAILTO=""
#       HOME=/
#       # Every 7 days (each Wednesday at midnight) update the dnsmasq ad server block lists
#       0 0 * * 3 root /root/adblocker/adblocker-dnsmasq.sh>/var/log/adblocker-dnsmasq.log 2>&1
#
# Initial implementation tested on a massively modified CentOS-based ClearOS Community release 6.6.0 (Final)
# server with Dnsmasq version 2.72.
# Linux anubis-clearos.sanyalnet.lan 2.6.32-573.1.1.v6.x86_64 #1 SMP Fri Aug 21 13:24:06 MDT 2015 x86_64 x86_64 x86_64 GNU/Linux
#
# License: GNU AGPLv3 http://tuklusan.decsystem.org/agpl-3.0.txt
#
# Supratim Sanyal, Germantown, MD
# http://supratim-sanyal.blogspot.com/
# e-mail form: http://mcaf.ee/sdlg9f
# --

# The following is the IP address that ad server domains will be forced to resolve to
# This IP runs a little http server that returns HTTP 502 and logs the ad request (so that I can see all ad requests being
# blocked in real time). See http://supratim-sanyal.blogspot.com/2016/07/httpd410server-tiny-free-web-server-to.html
#------------------------
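IP='10.42.2.1'
#------------------------

# Abort on unset variables and let a failing stage fail its whole pipeline. -e is
# deliberately not used: each download is allowed to fail on its own and is checked
# explicitly, so one dead mirror does not stop the others.
set -u -o pipefail

readonly DNSMASQ_DIR='/etc/dnsmasq.d'
readonly ADBLOCKLIST="${DNSMASQ_DIR}/adblocklist.conf"          # yoyo.org list, "address=/xxx/$IP"
readonly HOSTSDENY="${DNSMASQ_DIR}/adblockserverlist.conf"      # aggregated list, "server=/xxx/"
readonly VPSLIST="${DNSMASQ_DIR}/adblocklist-from-vps.conf"     # list maintained on the author's VPS
readonly YOYO_URL='https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext'
# NOTE(review): plain http, so the transport does not authenticate the list; only
# strictly shaped address= lines are accepted from it (see fetch_address_list).
readonly VPS_URL='http://sanyalnet-cloud-vps.freeddns.org/adblocklist.conf'

# One URL per line. Hosts-file and bare-domain formats are both accepted because
# only domain-shaped tokens are extracted from each download.
BLACKLISTS='https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
http://adaway.org/hosts.txt
http://adblock.gjtech.net/?format=unix-hosts
http://hosts-file.net/ad_servers.txt
http://jazz.tvtom.pl/download/hosts
http://mirror.cedia.org.ec/malwaredomains/justdomains
http://palevotracker.abuse.ch/blocklists.php?download=domainblocklist
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts;showintro=0;mimetype=plaintext
http://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
http://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
http://someonewhocares.org/hosts/hosts
http://sysctl.org/cameleon/hosts
http://winhelp2002.mvps.org/hosts.txt
http://www.dshield.org/feeds/suspiciousdomains_Low.txt
http://www.malekal.com/HOSTS_filtre/HOSTS.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://malwaredomains.lehigh.edu/files/justdomains
http://zeustracker.abuse.ch/blocklist.php?download=hostfile'
readonly BLACKLISTS

# + ---
# WHITELIST - DO NOT BLOCK THESE DOMAINS (exact names, one per line)
# + ---
WHITELIST='localhost
apple.com
twitter.com
localhost.localdomain'
readonly WHITELIST

# Private scratch directory. Replaces the predictable /tmp/*.tmp and /tmp/*.bak names,
# which any local user could pre-create or point elsewhere with a symlink.
# Removed on every exit path.
WORKDIR=$(mktemp -d) || { echo 'ad blocklist updater: mktemp failed'; exit 1; }
readonly WORKDIR
trap 'rm -rf -- "$WORKDIR"' EXIT

# Config files replaced during this run, in order, for rollback_lists.
INSTALLED=()

#######################################
# Report a failure to syslog (cron.err, as before) and to this run's output.
# Arguments: $* - message
#######################################
log_err() {
  logger -p cron.err "ad blocklist updater: $*"
  echo "ad blocklist updater: $*"
}

#######################################
# Put a freshly built list in place, keeping a copy of the previous version so that
# rollback_lists can undo the change if dnsmasq rejects the new configuration.
# Arguments: $1 - built file inside $WORKDIR
#            $2 - destination under $DNSMASQ_DIR
# Globals:   WORKDIR (read), INSTALLED (appended)
# Returns:   0 on success, 1 if the copy or install failed
#######################################
install_list() {
  local src=$1 dest=$2
  local name=${dest##*/}
  if [[ -e "$dest" ]]; then
    cp -p -- "$dest" "${WORKDIR}/backup/${name}" || return 1
  fi
  # install (not mv) so the file ends up world-readable regardless of umask and of
  # which filesystem $WORKDIR lives on.
  install -m 0644 -- "$src" "$dest" || return 1
  INSTALLED+=("$dest")
}

#######################################
# Undo every install_list of this run: restore the saved copy, or remove the file
# if there was nothing to restore.
# Globals: INSTALLED, WORKDIR (read)
#######################################
rollback_lists() {
  local dest name
  (( ${#INSTALLED[@]} == 0 )) && return 0
  for dest in "${INSTALLED[@]}"; do
    name=${dest##*/}
    if [[ -e "${WORKDIR}/backup/${name}" ]]; then
      install -m 0644 -- "${WORKDIR}/backup/${name}" "$dest"
    else
      rm -f -- "$dest"
    fi
  done
}

#######################################
# Download a dnsmasq "address=" list and install it with the upstream sentinel IP
# replaced by $IP, the little HTTP server on this network that answers 502 and logs
# each blocked ad request.
#
# Only lines of the exact form "address=/domain/SENTINEL" are kept. Anything else the
# remote side returns -- other dnsmasq directives, an HTML error page, an address=
# entry pointing at some other IP -- is discarded, so a download can never redirect
# traffic anywhere but to $IP, nor reconfigure dnsmasq. TLS certificates are verified
# (the previous --no-check-certificate let any on-path party rewrite the list). If the
# download fails or yields no usable line, the existing destination is left untouched.
#
# Arguments: $1 - URL
#            $2 - destination file
#            $3 - IP the upstream list points entries at (e.g. 127.0.0.1 or 0.0.0.0)
#            $4 - short name used in log messages
# Globals:   IP, WORKDIR (read)
# Returns:   0 if the destination was replaced, 1 if it was left as it was
#######################################
fetch_address_list() {
  local url=$1 dest=$2 sentinel=$3 label=$4
  local tmp="${WORKDIR}/${dest##*/}"
  local sentinel_re=${sentinel//./\\.}
  local keep_re="^address=/[^/[:space:]]+/${sentinel_re}\$"

  # With pipefail a grep that matches nothing fails the pipeline, which is what we want.
  if ! wget -q -O- -- "$url" \
        | grep -E -- "$keep_re" \
        | sed -e "s#/${sentinel_re}\$#/${IP}#" > "$tmp" \
     || [[ ! -s "$tmp" ]]; then
    log_err "wget ${label} failed"
    return 1
  fi
  install_list "$tmp" "$dest"
}

#######################################
# Aggregate many hosts/domain lists into $HOSTSDENY as "server=/domain/" lines.
# Adapted from the dd-wrt adblocker at http://jazz.tvtom.pl/download/dd-wrt/adblock;
# it still yields a list when the yoyo download fails. Each source is fetched on its
# own and a failing one is logged and skipped; only domain-shaped tokens are taken
# from a source, so nothing else in it can reach the config file. If every source
# fails, the existing file is kept instead of being replaced by an empty one.
# Globals: BLACKLISTS, WHITELIST, HOSTSDENY, WORKDIR (read)
# Returns: 0 if $HOSTSDENY was replaced, 1 otherwise
#######################################
build_server_list() {
  local domains="${WORKDIR}/adserver-domains.tmp"
  local tmp="${WORKDIR}/${HOSTSDENY##*/}"
  local url

  : > "$domains"
  # The URLs contain no whitespace; word-splitting $BLACKLISTS on newlines is intended.
  # shellcheck disable=SC2086
  for url in $BLACKLISTS; do
    if ! wget -q -O- -- "$url" \
          | cut -d '#' -f 1 \
          | grep -E -o '([a-zA-Z0-9](-?[a-zA-Z0-9])*\.){1,}[a-zA-Z]{2,}' >> "$domains"; then
      log_err "could not fetch or parse ${url}, skipping it"
    fi
  done

  if [[ ! -s "$domains" ]]; then
    log_err "no domains collected from any source, keeping the existing ${HOSTSDENY}"
    return 1
  fi

  # Dedupe, drop exact whitelist matches (the previous unanchored sed also removed any
  # domain that merely began with a whitelisted name), then emit dnsmasq server= syntax.
  LC_ALL=C sort -u -- "$domains" \
    | grep -F -x -v -f <(printf '%s\n' "$WHITELIST") \
    | sed -e 's#.*#server=/&/#' > "$tmp" || return 1
  install_list "$tmp" "$HOSTSDENY"
}

#######################################
# Restart dnsmasq, but only after its own syntax check accepts the new configuration;
# otherwise put the previous lists back first so the resolver does not stay down.
#######################################
restart_dnsmasq() {
  if ! dnsmasq --test; then
    log_err "new configuration rejected by 'dnsmasq --test', restoring the previous lists"
    rollback_lists
  fi
  service dnsmasq restart
}

#######################################
# Print what is now installed, for the cron log.
# Globals: ADBLOCKLIST, HOSTSDENY, VPSLIST (read)
#######################################
report() {
  local f
  date
  for f in "$ADBLOCKLIST" "$HOSTSDENY" "$VPSLIST"; do
    printf '\n\n---\n%s:\n---\n' "$f"
    cat -- "$f"
    echo ---
  done
  echo
  service dnsmasq status
}

#######################################
# If the lighttpd document root exists, copy the yoyo-derived list there so others
# can fetch it over the web.
#######################################
publish_to_lighttpd() {
  local webroot='/var/www/lighttpd/'
  [[ -d "$webroot" ]] || return 0
  cp -f -- "$ADBLOCKLIST" "$webroot" \
    && chown lighttpd:lighttpd "${webroot}adblocklist.conf" \
    && chmod a+r "${webroot}adblocklist.conf"
}

main() {
  mkdir -p -- "${WORKDIR}/backup" || exit 1

  # yoyo.org publishes dnsmasq syntax pointing at 127.0.0.1.
  fetch_address_list "$YOYO_URL" "$ADBLOCKLIST" '127.0.0.1' 'adblocklist'
  build_server_list
  # NOTE(review): the VPS list is assumed to use address=/domain/0.0.0.0 lines (the old
  # sed rewrote 0.0.0.0); lines of any other shape are dropped -- confirm against the server.
  fetch_address_list "$VPS_URL" "$VPSLIST" '0.0.0.0' 'adblocklist-from-vps'

  restart_dnsmasq
  report
  publish_to_lighttpd

  echo
  echo 'That is all folks.'
}

main "$@"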