@erlepereira
Last active September 18, 2024 15:54
Using DNSMasq as a caching nameserver & add in a malware etc blocking
#!/bin/sh
# Fetch a hosts-format blocklist and turn it into dnsmasq address= rules.
# Choose a list from here https://github.com/StevenBlack/hosts
#HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
HOSTS_RAW=https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts
TMP_LOCATION=/tmp
# Abort on any failure so a failed download never overwrites a working config with an empty file.
set -e
# -O writes to a fixed path; wget -P would create hosts.1, hosts.2, ... on later runs.
wget -q -O "$TMP_LOCATION/hosts" "$HOSTS_RAW"
# dnsmasq syntax is address=/<domain>/<ipaddr> with no trailing slash (a trailing slash gives "bad address").
# The list header contains a "0.0.0.0 0.0.0.0" entry, which is skipped.
awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print "address=/" $2 "/0.0.0.0" }' "$TMP_LOCATION/hosts" > /etc/dnsmasq.d/malware.conf
#for ipv6 support uncomment below
#awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print "address=/" $2 "/::1" }' "$TMP_LOCATION/hosts" > /etc/dnsmasq.d/malware-ipv6.conf
#clean up!
rm "$TMP_LOCATION/hosts"

Assuming a properly configured DNSMasq

A quickstart for dnsmasq is given at the end if you have not set it up yet.

Something like this will give dnsmasq a good, regularly updated malware blocklist to use. More security and privacy for you! Specifically, this uses https://github.com/StevenBlack/hosts; choose one of the raw hosts files from there to use.

To set up the blocklist, run the following (dnsmasq's address syntax is address=/domain/ipaddr, with no trailing slash):

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/" $2 "/0.0.0.0" }' > /etc/dnsmasq.d/malware.conf

For IPv6, add this too:

wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/" $2 "/::1" }' > /etc/dnsmasq.d/malware-ipv6.conf

You could also use that line in a cron job to have it run periodically. I have attached a file, dnsmasq-antimalware, to this gist; I drop it into /etc/cron.weekly, where it does the above and refreshes the dnsmasq-formatted file weekly.

The only thing you might need to configure is your choice of hosts file. Edit "HOSTS_RAW" as needed.

And of course, restart dnsmasq so it picks up the new file.

If you have not set up dnsmasq, there is a heap of documentation online, or just follow the quick steps below.
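The conversion above, written as an added example that is not the gist's own script: a function that turns hosts-format lines into dnsmasq address= rules (comment lines, trailing comments and the list header's "0.0.0.0 0.0.0.0" entry handled, no trailing slash), plus an install step that has dnsmasq parse the generated file with --test before it replaces the live one, so a truncated download or a format change never leaves you with a config dnsmasq refuses to load. It goes a little beyond the page by taking the answer address as a parameter: 0.0.0.0 as on the page, ::1 for the IPv6 file, or # (dnsmasq 2.81 and later), which answers 0.0.0.0 for A and :: for AAAA from a single file. The sample hosts content is constructed for the demo; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not the gist's script): hosts-format blocklist -> dnsmasq address= rules.

# hosts_to_dnsmasq [ANSWER]
# Reads hosts lines on stdin, writes one "address=/<name>/<answer>" line per blocked
# name on stdout. ANSWER defaults to 0.0.0.0. dnsmasq's syntax has no trailing slash.
hosts_to_dnsmasq() {
    awk -v ans="${1:-0.0.0.0}" '
        /^[[:space:]]*#/ { next }               # whole-line comments
        $1 != "0.0.0.0"  { next }               # only the blocklist section, never "127.0.0.1 localhost"
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment on the line
                if ($i == "0.0.0.0") continue   # the "0.0.0.0 0.0.0.0" entry in the list header
                print "address=/" $i "/" ans
            }
        }'
}

# install_blocklist SRC_HOSTS DEST_CONF [ANSWER]
# Converts SRC_HOSTS into a temp file next to DEST_CONF, refuses an empty result,
# asks dnsmasq to syntax-check it, and only then moves it into place atomically.
# Returns non-zero (and keeps the existing DEST_CONF) on any failure.
install_blocklist() {
    src="$1"; dest="$2"; ans="${3:-0.0.0.0}"
    tmp="${dest}.tmp.$$"
    hosts_to_dnsmasq "$ans" < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! [ -s "$tmp" ]; then
        echo "no rules generated from $src, keeping existing $dest" >&2
        rm -f "$tmp"; return 1
    fi
    if command -v dnsmasq >/dev/null 2>&1; then
        # --test parses the config and exits; it does not bind any port, so no root needed.
        if ! dnsmasq --test --conf-file="$tmp" >/dev/null 2>&1; then
            echo "dnsmasq rejected the generated config, keeping existing $dest" >&2
            rm -f "$tmp"; return 1
        fi
    else
        echo "dnsmasq not on PATH, skipping syntax check" >&2
    fi
    mv "$tmp" "$dest"
}

# Constructed sample in the StevenBlack/hosts layout (not a real download).
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.test # tracker
0.0.0.0 a.example.test b.example.test'

# convert_sample [ANSWER]: runs the converter over the constructed sample.
convert_sample() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq "$1"
}

convert_sample          # prints three address=/.../0.0.0.0 lines
```

For real use: wget the list to a temp file, then install_blocklist /tmp/hosts /etc/dnsmasq.d/malware.conf and restart dnsmasq only when it returns 0. Passing '#' as the third argument replaces both the IPv4 and IPv6 files with one.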


Quickstart DNSMasq Setup, just in case

  1. Install DNSMasq. Debian: apt-get install dnsmasq. Others: install dnsmasq from whatever package manager is present; it will almost certainly be packaged by the distro.

  2. Configure DNSMasq as needed. Edit to taste; the main config I use is below.

/etc/dnsmasq.conf

( or /etc/dnsmasq.d/dnsmasq.conf if configured that way in Debian )

 domain-needed
 bogus-priv
 no-resolv
 clear-on-reload
 strict-order
 no-negcache
 no-poll
 cache-size=1000
  3. Point the command line at dnsmasq by default, if you are using the resolvconf package. Basically, configure your system so that /etc/resolv.conf has only one nameserver configured, pointing to localhost, or make sure this local DNS is the first nameserver listed.

Tip: On many public wifis you might also need a second nameserver pointing at an external DNS. I usually leave a second nameserver entry with a public nameserver of my choosing. There is no need to, just keep it in mind, since it could catch you out.

echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base

  4. Also configure NetworkManager to use this dnsmasq. This ensures no other config is needed for each interface NetworkManager manages.

Put a line like so in

/etc/NetworkManager/NetworkManager.conf:

look for [main] and add the line indicated below (and of course restart NetworkManager, or just reboot).

I use a separate dnsmasq process, hence the config below, which basically tells NetworkManager not to touch resolv.conf:

[main]

dns=none
  • With the above config, I do not actually use /etc/resolv.conf, so check and adjust your system according to your own choice. The dnsmasq and NetworkManager setup above is really hints only. Mileage will vary.

Alternately, the option dns=systemd-resolved could also work instead.

  • This is tested across recent Fedora (24) and Debian boxes.
  • Bonus tip: It's a smallish step up from here to get DNSCrypt going as well; I will add a link once I get down to documenting that.
@automorphism88

This script is an example of useless use of cat - awk can read its input from a file instead of stdin if the filename is specified as the second argument, e.g.

awk '$1 == "0.0.0.0"  { print "address=/"$2"/0.0.0.0/"}' /tmp/hosts > /etc/dnsmasq.d/malware.conf

No need for the extra process and pipe. Might also want to delete the temporary file at the end of the script.

@erlepereira
Author

erlepereira commented May 26, 2018

Nice catch. Script updated.
Cheers!

@frateche

frateche commented Aug 4, 2018

Why not use the dnsmasq "--addn-hosts" option with raw file ?

@pgeorgan

I think you have a superfluous backtick in the first command of .md file.

@pgeorgan

> Why not use the dnsmasq "--addn-hosts" option with raw file ?

That's what I did, as I use dnsmasq in combination with dnscrypt.

@kent-chan-dev

Do you know if this would work on DDWRT?

@yutayu

yutayu commented Mar 6, 2020

I got hosts addresses like this with this script:

address=/www24.a8.net/0.0.0.0/

dnsmasq cannot read this.

systemctl status dnsmasq
bad address at /etc/dnsmasq.d/malware.conf line 17492

All lines this script made follow this pattern.

@dimkasta

If you want to replicate Pi-hole and return 0.0.0.0 instead of NXDOMAIN, you should replace 0.0.0.0 with #.

This also has the benefit that it works for both IPv4 and IPv6, so there is no need for double entries.
