If you're running your own DNS server as described here, then you can easily set up your domain zone to block ads, malware, phishing, etc.
I'll describe the process here.
In named.conf, add the following within the options block:
response-policy { zone "sinkhole"; };
Next, download the RPZ (Response Policy Zone) file from a reputable source. For this, I'll be using EnergizedProtection.
This is ~25Mb in size and contains over 900,000 entries.
Next I added a new zone to named.conf:
zone "sinkhole" IN {
    type master;
    file "pri/sinkhole.zone";
    notify yes;
    allow-update { key "rndc-key"; };
};
I discovered, though, that a few lines were too long. So before restarting named, run the checks:
named-checkconf
will check named.conf for errors and
named-checkzone sinkzone /var/bind/pri/sinkhole.zone
will check the zone file for issues.
# named-checkzone sinkzone /var/bind/pri/sinkhole.zone
dns_master_load: /var/bind/pri/sinkhole.zone:316077: ran out of space
dns_master_load: /var/bind/pri/sinkhole.zone:467504: ran out of space
zone sinkzone/IN: loading from master file /var/bind/pri/test failed: ran out of space
zone sinkzone/IN: not loaded due to errors.
This means that the lines at the given line numbers in the zone file are too long for BIND to load.
316077: https.outlook.live.com.user0500.deor.error.c8nkichfistk8dphfvkfd9ssli82.is38avdj8h0k381gx0id7hhkg8l.6dls9sz6hv72290ddkuhs.7lxhhjh86k0f2hrivsb1jku718.7lxhhjh86k0f2hrivsb1jku718.h7g6fi9d0fhy6kk6htk4.kwddz0mtsqe28sh3wkj9nhhsd6drh.linestarts.duckdns.org CNAME .
467504: paypal.com.us.continue.myaccount.account.active.login.us.intl.internationa.transfer.now.login.myaccount.account.active.login.us.intl.internationa.transfer.now.myaccount.account.active.login.us.intl.internationa.transfer.now.newmanhope.duckdns.org CNAME .
To work around this, I've written an update script which cron runs weekly.
#!/usr/bin/env bash
# Weekly RPZ refresh: fetch the list, drop the lines BIND cannot load, then reload named.
set -o pipefail

zfile='/var/bind/pri/sinkhole.zone'

# Download the list, dropping "#" comment lines and the care2.com entries.
# Abort if the download fails, otherwise an empty zone would pass the check below.
wget -q -O- https://block.energized.pro/ultimate/formats/rpz.txt \
    | grep -Pv '(\.)?care2\.com|^#' > "${zfile}" || { echo "Download of RPZ list failed"; exit 1; }

# Collect the line numbers named-checkzone complains about (the ":NNN:" in its output).
mapfile -t errs < <(/usr/sbin/named-checkzone sinkzone "${zfile}" | pcregrep -o1 ':(\d+):')

# named-checkzone reports the lines in ascending order, and each deletion shifts
# every later line up by one, so subtract the number of lines already removed.
x=0
for a in "${errs[@]}"; do
    sed -i "$((a - x))d" "${zfile}"
    x=$((x + 1))
done

# Re-check and only restart named if the zone now loads cleanly.
mapfile -t errs < <(/usr/sbin/named-checkzone sinkzone "${zfile}" | pcregrep -o1 ':(\d+):')
if [ "${#errs[@]}" -eq 0 ]; then
    echo "Success, restarting named"
    systemctl restart named
else
    echo -e "We missed some errors in ${zfile}. On lines:\n${errs[*]}"
fi
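The "ran out of space" errors come from BIND's limits on DNS names: at most 63 octets per label and at most 255 octets for the whole name in wire form (one length byte per label, the label bytes, and a terminating root byte). Because the records in the list are relative ("example.com CNAME ."), BIND appends the zone origin before checking, which is why a name that looks like it fits on its own can still fail. The following is an added example, not part of the original post or the EnergizedProtection project: a pre-filter that drops such records before named-checkzone ever sees them, so no line-by-line sed pass is needed. It assumes record lines start with the owner name, as the two quoted lines do, and that "#" lines are comments to be dropped.

```shell
#!/usr/bin/env bash
# Added example: filter an RPZ list down to owner names BIND can load.
# Limits checked: label <= 63 octets, NAME.ORIGIN <= 255 octets in wire form.

# rpz_wire_len NAME ORIGIN: print the wire length of NAME once it is loaded
# into a zone whose origin is ORIGIN. An absolute NAME (ending in ".") is
# not expanded with the origin.
rpz_wire_len() {
    local name="$1" origin="${2%.}" full label len=1   # 1 = root byte
    case "$name" in
        *.) full="${name%.}" ;;
        *)  full="${name}.${origin}" ;;
    esac
    local IFS='.'
    for label in $full; do
        len=$((len + ${#label} + 1))                      # label bytes + length byte
    done
    echo "$len"
}

# rpz_filter ORIGIN: read an RPZ file on stdin and write only the lines BIND
# can load. "#" comments are dropped (not valid zone syntax); "$" directives,
# "@" records, ";" comments and indented continuation lines pass through.
rpz_filter() {
    awk -v origin="${1%.}" '
        /^#/ { next }
        /^([$@;]|[[:space:]]|$)/ { print; next }
        {
            name = $1
            if (name ~ /\.$/) { full = substr(name, 1, length(name) - 1) }
            else              { full = name "." origin }
            n = split(full, labels, ".")
            wire = 1
            for (i = 1; i <= n; i++) {
                if (length(labels[i]) == 0 || length(labels[i]) > 63) next
                wire += length(labels[i]) + 1
            }
            if (wire > 255) next
            print
        }'
}
```

Run it as `rpz_filter sinkhole < rpz.txt > /var/bind/pri/sinkhole.zone`, using the same origin as the zone name in named.conf, since a different origin length changes which names fit.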
That's it...done!
Changes this: [image] into this: [image]