Around five years ago I started looking into different ways to block ads and trackers in the most effective way on my computers. I discovered this hosts list on someonewhocares.org and even wrote a script to automate the process of downloading, verifying, and installing the list on my machines.

https://github.com/bahamas10/someonewhocares

I recently got back into it when I was setting up Encrypted DNS with dnsmasq and dnscrypt-proxy on SmartOS using OpenNIC. I stumbled across the Pi-hole project and really liked it, however I didn't want to run a Raspberry Pi in my house as part of any critical infrastructure. Instead, I took the essence of that project and found a compiled blocklist to use with my existing dnsmasq setup to block these sites at the DNS level.

notracking

I found notracking/hosts-blocklists, an automatically updating block list compiled from multiple sources and compatible with dnsmasq. I created my own set of scripts to download the latest blocklists from GitHub, verify them, install them for use with dnsmasq, and finally restart dnsmasq so it picks up the changes.

https://github.com/bahamas10/notracking

I installed this on my nameserver zones with:

mkdir -p /opt/custom/opt/dnsmasq
cd /opt/custom/opt/dnsmasq
git clone https://github.com/bahamas10/notracking.git
cd notracking

Then, run the update script to pull the latest files:

 # ./update
 Thu Jul 19 15:06:07 EDT 2018
 pulling latest domains list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt)
 validating domains list (domains.txt.tmp)
 installing domains list: /opt/custom/opt/dnsmasq/notracking/domains.txt
 pulling latest hostnames list (https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt)
 validating hostnames list (hostnames.txt.tmp)
 installing hostnames list: /opt/custom/opt/dnsmasq/notracking/hostnames.txt
 done.  took 2 seconds

The update command will:

  1. Pull the latest hostnames.txt and domains.txt files into temporary files in the current directory
  2. Validate them using the validate script (ensure every line is well formed and the only IPs present are :: or 0.0.0.0, so a corrupted or tampered upstream list cannot point a real hostname at an arbitrary address)
  3. Move them from their temporary files to hostnames.txt and domains.txt respectively
  4. Optionally run a command, given as arguments, after this is done

Note: Node.js must be installed for the validate script to work.
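The same pull, validate, install, run-command flow in plain sh and awk, as an added example here and not the update/validate scripts from the notracking repo above. It assumes the two list formats described (domains.txt holds dnsmasq address=/domain/ip directives, hostnames.txt holds hosts-file "ip hostname" lines), an assumption to check against the real files, and the demo at the bottom runs on constructed sample lines so it needs no network:

```sh
#!/bin/sh
# Added example (not the update/validate scripts in bahamas10/notracking):
# a POSIX sh + awk validator and atomic installer for the two list formats.
# Assumed formats (assumption; check the real files before relying on this):
#   domains.txt    dnsmasq directives   address=/<domain>/<ip>
#   hostnames.txt  hosts-file lines     <ip> <hostname>
# Blank lines and '#' comments are ignored. Only 0.0.0.0 and :: are accepted
# as the sink address, so a tampered upstream list cannot repoint a real name
# at an attacker-controlled IP via the resolver.

# Permitted name: labels of letters, digits, '-' or '_', joined by dots.
NAME_RE='^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$'

# validate_domains FILE: exit 0 if every line is a well-formed sink entry,
# otherwise print each offending line to stderr and exit 1.
validate_domains() {
    awk -v name_re="$NAME_RE" '
        function bad() {
            printf("%s:%d: rejected: %s\n", FILENAME, FNR, $0) > "/dev/stderr"
            rc = 1
        }
        BEGIN { rc = 0 }
        { sub(/\r$/, "") }                   # tolerate CRLF line endings
        /^[[:space:]]*$/ { next }            # blank line
        /^[[:space:]]*#/ { next }            # comment
        {
            if (split($0, f, "/") != 3 || f[1] != "address=") { bad(); next }
            if (f[2] !~ name_re)                              { bad(); next }
            if (f[3] != "0.0.0.0" && f[3] != "::")            { bad(); next }
        }
        END { exit rc }
    ' "$1"
}

# validate_hostnames FILE: same contract for the hosts-file list.
validate_hostnames() {
    awk -v name_re="$NAME_RE" '
        function bad() {
            printf("%s:%d: rejected: %s\n", FILENAME, FNR, $0) > "/dev/stderr"
            rc = 1
        }
        BEGIN { rc = 0 }
        { sub(/\r$/, "") }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        NF != 2                       { bad(); next }   # exactly "<ip> <name>"
        $1 != "0.0.0.0" && $1 != "::" { bad(); next }   # sink addresses only
        $2 !~ name_re                 { bad(); next }
        END { exit rc }
    ' "$1"
}

# install_list TMP DEST: rename(2) is atomic within one filesystem, so a
# dnsmasq reload racing with the update sees the old list or the new one,
# never a half-written file.
install_list() {
    mv -f "$1" "$2"
}

# update_list URL DEST VALIDATOR [CMD...]: fetch to DEST.tmp (same filesystem
# as DEST so the final mv is atomic), validate, install, then run CMD, e.g.
# "svcadm -v restart dnsmasq". Any failure leaves the current DEST untouched.
update_list() {
    url=$1; dest=$2; validator=$3; shift 3
    tmp="$dest.tmp"
    # -f: an HTTP error page must never be installed as a list
    curl -fsSL --max-time 60 -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    "$validator" "$tmp" || { rm -f "$tmp"; return 1; }
    install_list "$tmp" "$dest" || return 1
    [ $# -eq 0 ] || "$@"
}

# demo: exercise the validators on constructed sample lines (no network);
# returns 0 only if good lists pass and a hijack attempt is rejected.
demo() {
    d=$(mktemp -d) || return 1
    printf 'address=/ads.example/0.0.0.0\naddress=/ads.example/::\n' > "$d/domains.good"
    printf 'address=/bank.example/203.0.113.7\n' > "$d/domains.bad"   # hijack attempt
    printf '# constructed\n0.0.0.0 tracker.example\n:: tracker.example\n' > "$d/hosts.good"
    printf '127.0.0.1 tracker.example\n' > "$d/hosts.bad"
    validate_domains "$d/domains.good" &&
        ! validate_domains "$d/domains.bad" 2>/dev/null &&
        validate_hostnames "$d/hosts.good" &&
        ! validate_hostnames "$d/hosts.bad" 2>/dev/null
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "validators OK"
```

A real run would be `update_list https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt /opt/custom/opt/dnsmasq/notracking/domains.txt validate_domains svcadm -v restart dnsmasq` (the URL is the one the update output above shows). The validator is the step that matters for security: the lists are pulled unauthenticated over HTTPS from a third party, and without the sink-address check a single injected `address=` line would turn the ad blocker into a DNS hijack for every client using the resolver.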

dnsmasq

To configure dnsmasq to use these lists you simply need to add these lines to its configuration. domains.txt is read as additional dnsmasq configuration (its address= directives), while hostnames.txt is read as an extra hosts file:

# no tracking block lists
conf-file=/opt/custom/opt/dnsmasq/notracking/domains.txt
addn-hosts=/opt/custom/opt/dnsmasq/notracking/hostnames.txt

Automatic Updates

To pull these lists automatically, I added this cronjob:

0 11 * * * cd /opt/custom/opt/dnsmasq/notracking && ./update svcadm -v restart dnsmasq >> /opt/custom/opt/dnsmasq/notracking/cron.log 2>> /opt/custom/opt/dnsmasq/notracking/cron.log

This will pull the latest lists once a day (at 11:00 in the server's local time), validate them, install them, and restart dnsmasq on SmartOS.

I also have nagios checks in place to alert me if the files get too old (warning after two days, critical after four), meaning the automatic updating is not working.

$ /opt/local/libexec/nagios/check_file_age -w 172800 -c 345600 -f /opt/custom/opt/dnsmasq/notracking/domains.txt
FILE_AGE OK: /opt/custom/opt/dnsmasq/notracking/domains.txt is 29510 seconds old and 5312707 bytes  | age=29510s;172800;345600 size=5312707B;0;0;0

Verify It Works

Query a site that is in the block list against our local DNS server (with the block list) and against a public DNS server. The blocked name should come back as the sink address from our server and as a real address from the public one; since the lists also sink the :: address, it is worth repeating the check for AAAA.

$ dig +short @10.0.1.2 doubleclick.net A
0.0.0.0
$ dig +short @8.8.8.8 doubleclick.net A
216.58.192.206