Utiliser dnsmasq pour cacher et bloquer des requêtes DNS

description

ça consomme moin de mémoire et plus simple à configurer!


Bloquer

Nous avons besoin dans un premier temps d'installer le paquet :

apt install dnsmasq

Puis nous ajoutons ces diretives :

addn-hosts=/etc/hosts.adblock
localise-queries
no-resolv
cache-size=10000
#log-queries=extra #valeur non supporté sur un raspberry en debian 8 
log-facility=/var/log/dnsmasq.log
local-ttl=2
log-async
server=9.9.9.9
interface=eth1

Puis copier et placer ce script à l'emplacement suivant :

nano /opt/get_dns_blacklists.sh
get_dns_blacklists.sh
#!/bin/sh
 
(
 curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | grep ^0.0.0.0 | awk '{ print $2 }'
 curl -s http://mirror1.malwaredomains.com/files/justdomains
 curl -s http://sysctl.org/cameleon/hosts | grep ^127.0.0.1 | awk '{ print $2 }'
 curl -s https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
 curl -s https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
 curl -s https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
 curl -s https://hosts-file.net/ad_servers.txt | grep ^127.0.0.1 | awk '{ print $2 }'
 curl -s https://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt | awk '{ print $1 }'
) | tr -d "\r" | tr 'A-Z' 'a-z' | sed -e 's/\.$//' |
 grep -v -e '^#' | grep '\.' | sort -u |
 while read domain; do
    echo 0.0.0.0 $domain
done > /etc/hosts.adblock
 
# Custom :
while read domain; do
    echo 0.0.0.0 $domain
done >> /etc/hosts.adblock <<EOF
foo.com
bar.com
EOF
 
/etc/init.d/dnsmasq restart

On peut ensuite automatiser son lancement dans une taĉhe cron. Mettons par exemple qu'elle s'executera tous les Lundi matin :

crontab -e

Puis insérer cette ligne :

0 1 */7 * * /bin/bash /etc/unbound/get_dns_blacklists.sh

Optimiser et faire du cache

+ directives + détail explicite sur leur fonctionnement

configuration par défaut

Exemple de configuration que l'on peut retrouver sur le web :

Click to display ⇲

Click to hide ⇱

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Read resolv.conf serially
strict-order
 
#==========[ NAMESERVER ]==========#
 
# Cache size
cache-size=4096
# Don't read /etc/hosts
no-hosts
# Read additional hosts-file (not only /etc/hosts) to add entries into DNS
addn-hosts=/etc/hosts-dnsmasq
# Auto-append <domain> to simple entries in hosts-file
expand-hosts
 
#=== HOSTNAME OVERRIDES
address=/localhost/127.0.0.1 # *.localhost => 127.0.0.1
 
#==========[ DHCP ]==========#
# Enable for the local network?
dhcp-authoritative
# Tell MS Windows to release a lease on shutdown
dhcp-option=vendor:MSFT,2,1i
 
#=== DHCP
# Domain name
domain=lan
# DNS-resolve hosts in these domains ONLY from /etc/hosts && DHCP leases
local=/lan/
 
# DHCP range & lease time
dhcp-range=192.168.1.70,192.168.1.89,24h 
# Default route
dhcp-option=3,192.168.1.1
 
#=== FIXED LEASES
# LAN MY HOSTS
dhcp-host=00:23:54:5d:27:fa,                    rtfm.lan,               192.168.1.2
dhcp-host=00:23:54:5d:27:fb,                    rtfm.lan,               192.168.1.2
dhcp-host=c8:0a:a9:45:f1:03, 00:1e:64:9e:e9:5e, wtf.lan,                192.168.1.3