Ultimate-Hosts-Blacklist / Ultimate.Hosts.Blacklist

The Ultimate Unified Hosts file for protecting your network, computer, smartphones and Wi-Fi devices against millions of bad web sites. Protect your children and family from gaining access to bad web sites and protect your devices and pc from being infected with Malware or Ransomware.
MIT License

dnsmasq integration? #599

Open wellloaded opened 3 years ago

wellloaded commented 3 years ago

Is there any straightforward way to have these lists used by dnsmasq?

Or do we perhaps need a new format since dnsmasq defines domains in the format:

address=/foobar.test/127.0.0.1

thanks

rusty-snake commented 3 years ago

I wrote a program which downloads domains.list and converts it into a dnsmasq configuration. See https://gitlab.com/rusty-snake/uhb2dnsmasq.

What I learned?

  1. dnsmasq also blocks sub-domains. This can result in over-blocking, see https://github.com/Ultimate-Hosts-Blacklist/whitelist/issues/157 for an example.
  2. Not all domains in the list are accepted by dnsmasq (https://github.com/Ultimate-Hosts-Blacklist/whitelist/issues/154, https://gitlab.com/rusty-snake/uhb2dnsmasq/-/blob/ea1d265be8764a46c6ba5b32843964d4343ab1dd/src/main.rs#L116 and many more). You need to do syntax checks, keep your own badlist or use heuristics to filter such domains. (Note: the syntax checks in uhb2dnsmasq have a lot of false positives due to https://github.com/rushmorem/publicsuffix/issues/33.)
  3. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.
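The three points above (subdomain over-blocking, names dnsmasq rejects, and AAAA still resolving with addn-hosts) can all be handled at conversion time. The following converter is an added illustration for this thread; it is not uhb2dnsmasq or any Ultimate-Hosts-Blacklist tool, and the hosts lines it processes are constructed samples. It parses hosts-format lines, rejects names that fail RFC 1123 label syntax or that sit on a caller-supplied badlist, prunes entries already covered by a listed parent domain (since `address=/example.com/` matches every subdomain, a kept `sub.example.com` only hides which entry over-blocks), and by default emits the IP-less `address=/name/` form, for which dnsmasq answers NXDOMAIN regardless of record type, so AAAA lookups are blocked as well. Passing `sink="127.0.0.1"` produces the form quoted in the question instead.

```python
"""Hosts-format blocklist -> dnsmasq address= directives (added example, not project code)."""
from __future__ import annotations

import re
from typing import Iterable, Optional

# RFC 1123 label: letters/digits/hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names hosts files carry for the local machine; never block candidates.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}


def is_valid_hostname(name: str) -> bool:
    """Syntax check for names dnsmasq's address= will accept: rejects empty labels
    ("a..b"), underscores, leading/trailing hyphens, over-long names and bare TLDs
    (address=/com/ would blackhole all of .com)."""
    if not name or len(name) > 253:
        return False
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def parse_hosts(lines: Iterable[str]) -> set[str]:
    """Collect hostnames from '<ip> <name> [<name>...]' lines, ignoring '#' comments."""
    names: set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # fields[0] is the sink address (0.0.0.0 / 127.0.0.1); the rest are hostnames
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in _LOCAL_NAMES:
                names.add(name)
    return names


def prune_covered(names: set[str]) -> set[str]:
    """Drop names whose parent domain is also listed: dnsmasq's address=/parent/
    already matches every subdomain, so the child entry is redundant."""
    kept: set[str] = set()
    for name in names:
        labels = name.split(".")
        # every proper suffix with at least two labels is a potential covering parent
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(parent in names for parent in parents):
            kept.add(name)
    return kept


def to_dnsmasq(lines: Iterable[str], badlist: Iterable[str] = (),
               sink: Optional[str] = None) -> tuple[list[str], list[str]]:
    """Return (dnsmasq directives, rejected names).
    sink=None emits address=/name/ (NXDOMAIN for all record types, A and AAAA alike);
    a sink such as 127.0.0.1 emits address=/name/127.0.0.1 as in the question."""
    bad = {b.lower() for b in badlist}
    names = parse_hosts(lines)
    rejected = sorted(n for n in names if n in bad or not is_valid_hostname(n))
    accepted = prune_covered(names - set(rejected))
    suffix = f"/{sink}" if sink else "/"
    directives = [f"address=/{n}{suffix}" for n in sorted(accepted)]
    return directives, rejected


# Constructed sample in Ultimate.Hosts.Blacklist's hosts format (not real list data).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.ads.example.com   # redundant: parent is listed
0.0.0.0 cdn.example.net
0.0.0.0 bad_host.example.org      # underscore: dnsmasq rejects it
0.0.0.0 example..com              # empty label
0.0.0.0 com                       # bare TLD
0.0.0.0 needed-for-login.example.net
""".splitlines()

if __name__ == "__main__":
    # the badlist here stands in for a local over-blocking whitelist
    conf, rejected = to_dnsmasq(SAMPLE_HOSTS, badlist=["needed-for-login.example.net"])
    print("\n".join(conf))
    print("# rejected:", ", ".join(rejected))
```

Write the directives to a file under `/etc/dnsmasq.d/` and reload dnsmasq; the rejected list is worth logging so that names dropped for syntax reasons can be reviewed rather than silently lost.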

spirillen commented 3 years ago

You guys should really try PowerDNS Recursor :smiley: or Unbound (but I prefer to advise Recursor as it fully supports RPZ)

In the Recursor you can literally attach a hosts-formatted file and it does it very well

# etc-hosts-file        Path to 'hosts' file
# etc-hosts-file=/etc/hosts
# export-etc-hosts      If we should serve up contents from /etc/hosts
# export-etc-hosts=off
# export-etc-hosts-search-suffix        Also serve up the contents of /etc/hosts with this suffix
# export-etc-hosts-search-suffix=

sudo grep 'local' /etc/powerdns/recursor.conf.dpkg-dist 
# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
local-address=0.0.0.0, ::1
# local-port    port to listen on
# local-port=53
# logging-facility      Facility to log messages as. 0 corresponds to local0
# non-local-bind        Enable binding to non-local addresses by using FREEBIND / BINDANY socket options

Now disable systemd-resolved and dnsmasq, restart pdns-recursor, and you have started down the road to your own control of DNS queries

amastelek commented 3 years ago

Just use the --addn-hosts= option in the configuration file. Works like a charm.

rusty-snake commented 3 years ago

> Just use the --addn-hosts= option in the configuration file. Works like a charm.

@amastelek How did you test this?

> 3. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.

spirillen commented 3 years ago

> 3. For the record: dnsmasq's addn-hosts option still resolves AAAA queries (IPv6) if there is a 0.0.0.0 example.com line in the hosts-file. Of course A queries (IPv4) are resolved to 0.0.0.0.

That is not an issue within the PowerDNS recursor, it only serves what it sees.

If the record for example.org is 0.0.0.0, then example.org is 0.0.0.0 and nothing else; it has found an answer....

Don't remember exactly how this is for unbound, but I do believe to remember it is similar to dnsmasq's issues, but check it online to be sure.