This will show you how to use your EdgeRouter as a local DNS server and block DNS queries to domains that host ads and malware. An alternative is to use Pi-hole, which gives you many more features such as a web UI, statistics, DNS-over-HTTPS, and possibly better written code ;)
The blocklists used are:
- Ad blocklist from Yoyo Internet Services
- High risk domains from DShield
- Medium risk domains from DShield
- Low risk domains from DShield
Assumptions:
- WAN interface is eth0 and is using DHCP
- All other interfaces are for LAN
Switch to the root user and create a bash script with vi in root's home directory.
root@ERX:~# sudo -i
root@ERX:~# vi ~/update-adblock-dnsmasq.sh
Enter insert mode in 'vi' by pressing 'i', then paste the following into the bash script:
#!/bin/bash
# Blocklists pre-formatted as "address=/<domain>/<blackhole ip>"
# NB: the script later assumes pre-formatted blocklists use 127.0.0.1 as the blackhole IP
formatted_blocklists=("https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext")
# Blocklists with one raw domain per line
raw_blocklists=("https://www.dshield.org/feeds/suspiciousdomains_High.txt"
"https://www.dshield.org/feeds/suspiciousdomains_Medium.txt"
"https://www.dshield.org/feeds/suspiciousdomains_Low.txt"
)
# Blackhole IP returned for a DNS query if the domain is on a blocklist
# IP "0.0.0.0" is a black hole. Per RFC 1122, section 3.2.1.3: "This host on this network. MUST NOT be sent, except as a source address as part of an initialization procedure by which the host learns its own IP address."
blackhole_ip="0.0.0.0"
# Same IP with the dots escaped, for use in the validation regex below
blackhole_ip_re=$(printf '%s' "$blackhole_ip" | sed 's/\./\\./g')
# Block configuration to be used by dnsmasq
blocklist="/etc/dnsmasq.d/dnsmasq-blocklist.conf"
# Temp blocklists
tmp_blocklist="/tmp/dnsmasq-blocklist.conf.tmp"
tmp_formatted_blocklist="/tmp/dnsmasq-formatted_blocklist.conf.tmp"
tmp_raw_blocklist="/tmp/dnsmasq-raw_blocklist.conf.tmp"
# Make sure we're starting with empty blocklists
rm -f "$tmp_formatted_blocklist" "$tmp_raw_blocklist" "$tmp_blocklist"
# Replace the pre-formatted blocklists' black hole IP with our preference
# NB: this assumes pre-formatted blocklists use 127.0.0.1
# curl -f makes an HTTP error fail instead of feeding an error page into the list;
# tr -d '\r' strips CRLF line endings that would otherwise end up inside the domain
for i in "${formatted_blocklists[@]}"
do
curl -fsS "$i" | tr -d '\r' | sed "s/127\.0\.0\.1/$blackhole_ip/" >> "$tmp_formatted_blocklist"
done
# Download raw blocklists
for i in "${raw_blocklists[@]}"
do
curl -fsS "$i" | tr -d '\r' >> "$tmp_raw_blocklist"
done
# Remove comment lines
sed -i "/^#/d" "$tmp_formatted_blocklist"
sed -i "/^#/d" "$tmp_raw_blocklist"
# Format raw blocklist
# Add to start of all lines: 'address=/'
sed -i "s/^/address=\//" "$tmp_raw_blocklist"
# Add to end of all lines: '/$blackhole_ip'
sed -i "s/$/\/$blackhole_ip/" "$tmp_raw_blocklist"
# Join files to one
cat "$tmp_raw_blocklist" >> "$tmp_formatted_blocklist"
# Keep only well-formed lines: address=/<something>.<something>/<blackhole_ip>
# (this also drops blank feed lines, which would otherwise become "address=//<blackhole_ip>")
grep -E "^address=\/.{1,}\..{1,}\/${blackhole_ip_re}$" "$tmp_formatted_blocklist" > "$tmp_blocklist"
# Keep only unique entries
sort -u "$tmp_blocklist" > "$blocklist"
# Clean up temp blocklists
rm -f "$tmp_raw_blocklist" "$tmp_formatted_blocklist" "$tmp_blocklist"
# Restart dnsmasq to load new config
/etc/init.d/dnsmasq force-reload
Save the bash file by hitting escape, ':wq', and enter.
Make sure you're root, chmod the script, and run the script.
root@ERX:~# sudo -i
root@ERX:~# chmod a+x ~/update-adblock-dnsmasq.sh
root@ERX:~# ~/update-adblock-dnsmasq.sh
Make sure no errors were written to the console. Then add the script to crontab; cron will generate a new blocklist every day from your blocklist sources.
root@ERX:~# (crontab -l ; echo "20 4 * * * /root/update-adblock-dnsmasq.sh") | crontab -
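Because the update now runs unattended, a day when the feeds are unreachable would leave dnsmasq with an empty blocklist and ad blocking silently off. The following is an added example of a pre-install check, not part of the script above; the function names, the sample files and the shrink threshold are assumptions, but the address=/<domain>/<ip> format and the 0.0.0.0 blackhole are the ones the script produces.

```shell
#!/bin/bash
# Added example: refuse to install a candidate blocklist that is malformed or
# much smaller than the live one (the usual symptom of a failed feed download).
# Hypothetical helpers, not part of the original update script.

# validate_blocklist <file> <blackhole-ip> [min-entries]
# Prints the entry count and returns 0 only if every line is
# "address=/<domain>/<blackhole-ip>" and there are at least min-entries lines.
validate_blocklist() {
    local file="$1" ip="$2" min="${3:-1}" ip_re total bad
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')        # 0.0.0.0 -> 0\.0\.0\.0
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    total=$(grep -c '' "$file")
    # Domain must be dot-separated labels of [A-Za-z0-9_-]; this rejects
    # "address=//0.0.0.0" (from blank feed lines) and HTML error pages.
    bad=$(grep -Evc "^address=/([A-Za-z0-9_-]+\.)+[A-Za-z0-9-]+/${ip_re}\$" "$file" || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $file" >&2; return 2; }
    [ "$total" -ge "$min" ] || { echo "only $total entries, need $min" >&2; return 3; }
    echo "$total"
}

# install_blocklist <candidate> <live-file> <blackhole-ip> [min-percent]
# Moves the candidate into place unless it is invalid or has shrunk below
# min-percent (default 50) of the live list's size.
install_blocklist() {
    local candidate="$1" live="$2" ip="$3" min_pct="${4:-50}" new_count old_count=0
    new_count=$(validate_blocklist "$candidate" "$ip") || return $?
    [ ! -f "$live" ] || old_count=$(grep -c '' "$live" || true)
    if [ "$old_count" -gt 0 ] && [ $((new_count * 100 / old_count)) -lt "$min_pct" ]; then
        echo "candidate has $new_count entries, live has $old_count; refusing to shrink" >&2
        return 4
    fi
    mv -f "$candidate" "$live"
}

# Constructed sample files (not real feed data) so the check can be exercised offline.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    SAMPLE_GOOD="$SAMPLE_DIR/good.conf"; SAMPLE_BAD="$SAMPLE_DIR/bad.conf"; SAMPLE_LIVE="$SAMPLE_DIR/live.conf"
    printf 'address=/ads.example.com/0.0.0.0\naddress=/tracker.example.net/0.0.0.0\n' > "$SAMPLE_GOOD"
    printf 'address=/ads.example.com/0.0.0.0\naddress=//0.0.0.0\n<html>404 Not Found</html>\n' > "$SAMPLE_BAD"
    : > "$SAMPLE_LIVE"
    for n in 1 2 3 4 5 6 7 8 9 10; do echo "address=/old$n.example.org/0.0.0.0" >> "$SAMPLE_LIVE"; done
}
```

In the update script this would replace the direct `sort -u ... > $blocklist` step: write the candidate to a temp file, call install_blocklist, and only force-reload dnsmasq when it returns 0.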
Disconnect from the router
root@ERX:~# logout
admin@ERX:~# exit
Visit the following sites to confirm the ad-blocker is working: