Something like this will add a good, regularly updated malware hosts file for it to use. More security and privacy to you! Specifically, this uses https://github.com/StevenBlack/hosts. Choose one of the raw hosts files from there to use.
To set up dnsmasq with it, follow the steps below:
wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/0.0.0.0/"}' > /etc/dnsmasq.d/malware.conf
For IPv6, add this too:
wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/::1/"}' > /etc/dnsmasq.d/malware-ipv6.conf
You could also use that line in a cron job to have it run periodically. I have attached a file, dnsmasq-antimalware, to this gist, which I dump into /etc/cron.weekly; it basically does the above and updates the dnsmasq-formatted file weekly.
The only thing you might need to configure is your choice of hosts file. Edit "HOSTS_RAW" as needed.
And of course, restart dnsmasq.
If you have not set up dnsmasq, there is a heap of documentation online, or just follow the quick steps below.
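The attached dnsmasq-antimalware script is not shown on this page, so here is an added example of my own (not the gist author's script) of the same conversion with the checks a cron job wants: it skips comments, duplicates and the list's own `0.0.0.0 0.0.0.0` entry, syntax-checks the generated file with `dnsmasq --test` where the binary exists, and replaces the config atomically before restarting. It assumes the gist's HOSTS_RAW URL and output path, the gist's 0.0.0.0 sink, and a systemd-managed dnsmasq; the sample hosts excerpt is constructed.

```shell
#!/bin/sh
# Added example, not the gist's attached dnsmasq-antimalware script. Assumes the
# gist's HOSTS_RAW and output path, SINK=0.0.0.0 as in the gist, and systemd.
HOSTS_RAW="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
OUT_CONF="/etc/dnsmasq.d/malware.conf"
SINK="${SINK:-0.0.0.0}"

# hosts_to_dnsmasq [FILE] [SINK]: like the gist's awk, prints one
# "address=/host/SINK" line per 0.0.0.0 entry, but also skips comments,
# duplicates and the list's own "0.0.0.0 0.0.0.0" self entry.
hosts_to_dnsmasq() {
  awk -v sink="${2:-0.0.0.0}" '
    /^[[:space:]]*#/ || NF < 2 || $1 != "0.0.0.0" { next }
    {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break                  # rest of line is a comment
        h = tolower($i)
        if (h == "0.0.0.0") continue          # self entry, not a hostname
        if (!seen[h]++) print "address=/" h "/" sink
      }
    }' "${1:-/dev/stdin}"
}

# update_blocklist: fetch, convert, syntax-check with "dnsmasq --test" if the
# binary exists, then replace OUT_CONF atomically, so a failed or empty
# download never leaves dnsmasq with a truncated or missing blocklist.
update_blocklist() {
  tmp=$(mktemp) || return 1
  wget -qO- "$HOSTS_RAW" | hosts_to_dnsmasq "" "$SINK" > "$tmp"
  if ! [ -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
  if command -v dnsmasq >/dev/null 2>&1 &&
     ! dnsmasq --test --conf-file="$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"; return 1
  fi
  chmod 644 "$tmp" && mv "$tmp" "$OUT_CONF" && systemctl restart dnsmasq
}

# Constructed excerpt in the hosts format (fake names) for an offline dry run:
# "sh this.sh" prints the converted sample, "sh this.sh update" installs.
sample_hosts() {
  printf '%s\n' '# constructed excerpt' '127.0.0.1 localhost' '0.0.0.0 0.0.0.0' \
    '0.0.0.0 ads.example.test   # trailing comment' \
    '0.0.0.0 Tracker.Example.Test malware.example.test' '0.0.0.0 ads.example.test'
}
case "${1:-}" in
  update) update_blocklist ;;
  *) sample_hosts | hosts_to_dnsmasq "" "$SINK" ;;
esac
```

Pass `#` as SINK (SINK='#' sh this.sh update) to get the null-address form discussed in the comments instead of 0.0.0.0.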
- Install dnsmasq. Debian: apt-get install dnsmasq. Others: install dnsmasq from whatever package manager is present; it will likely be in the distro's repositories.
- Configure dnsmasq as needed. Edit as needed; I have added the main config I use below.
( or /etc/dnsmasq.d/dnsmasq.conf if configured in Debian as such )
domain-needed
bogus-priv
no-resolv
clear-on-reload
strict-order
no-negcache
no-poll
cache-size=1000
- Let's point the command line to use dnsmasq by default, if you are using the resolvconf package. Basically, configure your system so that /etc/resolv.conf has only one nameserver configured, pointing to localhost, or make sure this local DNS is the first listed nameserver.
Tip: On many public Wi-Fi networks, you might also need to configure a second nameserver pointing to an external DNS. I usually leave a second nameserver with a public nameserver of my choosing. No need to, just keep this in mind since it could catch you out.
echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base
- Let's also configure NetworkManager to use this dnsmasq. This ensures no other config is needed for each interface configured from NetworkManager.
Put a line like so in
Look for [main] and add a line as indicated below (and of course restart NetworkManager, or just restart).
I use a separate dnsmasq process, and hence the config below basically tells NetworkManager not to touch resolv.conf.
[main]
dns=none
- With the above config, I do not actually use /etc/resolv.conf, so check and adjust your system accordingly with your choice. The above setup for dnsmasq + NetworkManager is really hints only. Mileage will vary.
Alternatively, the option dns=systemd-resolved could also work instead.
- This is tested across recent Fedora (24+) and Debian boxes.
- Bonus tip: It's a smallish step up from here to get DNSCrypt going as well; I will add a link once I get down to documenting that.
If you want to replicate Pi-hole and return 0.0.0.0 instead of NXDOMAIN, you should replace 0.0.0.0 with #.
This also has the benefit that it works for both IPv4 and IPv6, so no need for double entries.