Ad blocking via a Raspberry Pi DNS server


martinr

The developer of the award-winning Network Toolbox app has posted, on http://networktoolbox.de/raspberry-pi-ad-spy-blocker-post/, a method of setting up a Raspberry Pi as a DNS server with the added bonus that it can be used to block ads - quite effectively, too. And it works for encrypted traffic, e.g. when coming in from outside via SSH or VPN and then back out onto the Internet (e.g. when on insecure remote Wi-Fi).

I've never played with a Raspberry Pi before or done anything as challenging as setting up my own DNS server; however, I found the instructions very straightforward and far less daunting than I imagined. I've been running it now for a few days attached to my Asus RT-AC68U (running Merlin's firmware, of course) and it works without a hitch and works extremely well. I didn't have a keyboard or monitor for the Pi so I used a USB SD card reader to put the Raspbian OS onto the card, and I also used PuTTY on my laptop, and, whilst I am quite at ease using PuTTY, the instructions are straightforward enough that someone new to PuTTY would not have any difficulty.

I post this because I see how often ad blocking pops up and offer this as just another option; possibly there are some disadvantages over other methods, which others far smarter than I will be aware of and which I look forwards to seeing discussed in follow-up posts.

Martin
 
The primary and secondary DNS can be anything one prefers, right?

Can't we just simply modify the dnsmasq included by Merlin via jffs configs?

What kind of method is this? Host blocking, DNS poisoning?

Thanks for sharing :rolleyes:
 
Code:
401 Forbidden
Well, no means no.



I get the same thing - 401 or 404 message, can't remember - but only on the Chrome browser on my laptop for Networktoolbox.de. I have the Zenmate (vpn/proxy?) add-on with Chrome, and have assumed, without checking, that it's to blame, so I use Firefox instead and take it as a reminder that I should be using Firefox in preference to Chrome. Chrome on my iPhone is fine.

Martin
 
The primary and secondary DNS can be anything one prefers, right?

Can't we just simply modify the dnsmasq included by Merlin via jffs configs?

What kind of method is this? Host blocking, DNS poisoning?

Thanks for sharing :rolleyes:

Yes, the primary and secondary DNS servers can be what you like. So in my router, I point the primary and secondary DNS servers to the internal IP address of the Raspberry Pi, and in the appropriate config file in the Pi, I list the 2 OpenDNS servers as the primary and secondary, but you could use Google's or any other of your choice.

I'm sorry I'm not knowledgeable enough to answer your other questions.

Martin
 
I think those raspi are the greatest tool ever. Just picked up a banana pro to replace one of my pi's, for a little more speed while having the same tiny power consumption.

A bit off topic:
I have been using one of my pi's as a samba server, wins server, minecraft server, openvpn server, pbx server. I might add your suggestion of dns server. I am thinking about adding some kind of home security, and email as well.

All I originally wanted was to use openvpn client and server at the same time on my router. I sure wish there was a gui way to use ddns for openvpn server in the ac68u router instead. I am double nat'ed, and I could never get it to work. (feature request!) Openvpn server just kept listening on the class C address.

I am really happy with my current setup though, those pi's and the newer clones are amazing. Very cheap on the electric bill. If I remember it uses about 1.8-2 watts at idle, and some of the newer usb hard drives use 2-4 watts. Headless NAS server with 9TB; I would guess a guy can do that with 30 watts or less.
 
Alternative for small LAN

Hello all,

I have implemented a hybrid solution using the information provided in this thread with asuswrt-merlin's custom configuration scripts for dnsmasq.

Specifically, placed the content of http://download.networktoolbox.de/dnsmasq.conf.tail into the /jffs/configs/dnsmasq.conf.add file.

It appears to have accomplished the same purpose, however router performance may be affected; will test for a while to see how much.
 
Code:
401 Forbidden
Well, no means no.


My hunch was right: when I disabled the ZenMate add-on in my Chrome browser, I had no problem accessing Networktoolbox.de. I guess you had ZenMate or similar running. I mentioned it to Marcus Roskosch, the developer. He said:

"It should work now but the issue is, that zenmate redirects traffic using services that are hosted on cheap server farms that will also be used to attack websites so these particular server farms have been blocked by my intrusion detection system."

Thinking the 401 Error was a quirk confined only to my laptop, I'd ignored it and used Firefox instead. Glad that's cleared up. Thanks.

Martin
 
Doesn't look like it blocks much. And why do they block gameforge?
I use this hosts file and it blocks ads pretty well:
http://someonewhocares.org/hosts/


I suspect you mean "Doesn't look like it WOULD block much..."

I posted this topic more as an alternative to some of the other methods that have been discussed rather than for the contents of the developer's filter file. However, as the instructions mention, under "Maintain your filters manually":

"If you want to alter the filtering rules, you just need to maintain the /etc/dnsmasq.conf file (e.g. using sudo nano /etc/dnsmasq.conf as explained before).......If you want to add a new filter yourself, just add such a line at any location in this /etc/dnsmasq.conf file."

One of the several appealing things about this Raspberry Pi method of blocking ads became apparent after having read Merlin's warning about writing too often to jffs (apart from my being put off by messing too deeply in my router):

"I do not recommend doing frequent writes to this area, as it will prematurely wear out the flash RAM. This is a good place to put files that are written once like scripts or kernel modules, or that rarely get written to. Do not put files that get constantly written to (such as logfiles) - store these on a USB disk instead. Replacing a worn out USB flash disk is much cheaper than replacing the whole router if flash sectors get worn out - they have a limited number of write cycles."



But you also raise an interesting point about which I had already asked the developer, Marcus Roskosch; namely, the relatively small size of his own filter file compared to the massive size of ready-made hosts files on the Internet. He replied:

"The Hosts files I could find were often outdated and contained hosts that no longer exist. Also they often didn't contain hosts I wanted to filter out.

In addition the format of hosts files is not compatible. dnsmasq can also read a hosts file format and this is exactly what I tried first. The disadvantage was that when using such a file, subdomains will not be covered whereas when using the address=... format in the config file, subdomains are indeed covered." So, as his instructions state, "such a filter like address=/adform.net/0.0.0.0 will also filter all subdomains of adform.net like ad.adform.net etc." (My bold lettering)

Nevertheless, the proof of the pudding is in the eating and I haven't seen a single ad in the several days I've been running the Pi. And if I did, and it bothered me, I could always add it myself. And it's fast, too.

Martin
 
Doesn't look like it blocks much. And why do they block gameforge?
I use this hosts file and it blocks ads pretty well:
http://someonewhocares.org/hosts/

If you only have one or 2 pc's, that is fine. But what if you have multiple PC's, Android tablets, and Linux systems you want to protect? And what if you want to incorporate not just the someonewhocares list, but also pgl.yoyo.org list, the malwaredomainlist.com list, and perhaps others?

There are other articles besides the original that provide more complete solutions using dnsmasq. I am at the moment tinkering with pi-hole (http://jacobsalmela.com/raspberry-pi-ad-blocker-advanced-setup/), which grabs the above lists plus a couple more, writes them into dnsmasq format, and removes duplicates, resulting in a list of 50424 entries!

But to put this in the context of the Asus-Merlin message board, I agree this is probably something you DON'T want to run on the router flash. The raspberry pi flash card can be replaced easily. But I am thinking of moving over to my re-flashed (Arch Linux) Zyxel NAS.
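
The conversion discussed in the last posts (merging hosts-format lists into dnsmasq address= lines and removing duplicates), as an added example that is not from the thread, from networktoolbox.de or from pi-hole; the sample lists and function names are constructed for illustration. It goes one step further than de-duplication by dropping any name already covered by a parent domain, since an address= entry also covers subdomains as quoted above.

```python
import re

# Constructed sample blocklists in hosts-file format (not real feed contents).
LIST_A = """\
# constructed sample
127.0.0.1  localhost
127.0.0.1  ad.adform.net
0.0.0.0    adform.net
0.0.0.0    tracker.example.com   # inline comment
"""
LIST_B = """\
0.0.0.0 AD.adform.net
0.0.0.0 track.adform.net
0.0.0.0 tracker.example.com
0.0.0.0 bad_host!.example
::1     ip6-localhost
"""

SKIP = {"localhost", "localhost.localdomain", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "local"}
# Strict label check: a malformed or tampered list entry (for example one
# containing "/") must never reach the dnsmasq config file.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_hosts(text):
    """Yield lower-cased hostnames from hosts-format text, skipping junk."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:              # fields[0] is the IP address
            name = name.lower().rstrip(".")
            if name in SKIP or "." not in name:
                continue
            if all(LABEL.match(label) for label in name.split(".")):
                yield name

def to_dnsmasq(*lists, sink="0.0.0.0"):
    """Merge lists, dedupe, and drop names already covered by a parent domain."""
    names = {n for text in lists for n in parse_hosts(text)}
    kept = set()
    # Shortest names first, so a parent is always seen before its subdomains.
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if parents.isdisjoint(kept):
            kept.add(name)
    return [f"address=/{n}/{sink}" for n in sorted(kept)]

if __name__ == "__main__":
    print("\n".join(to_dnsmasq(LIST_A, LIST_B)))
```
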
 
