
Adsuck – a small DNS server that spoofs blacklisted addresses - userbinator
https://opensource.conformal.com/wiki/adsuck
======
egwynn
I use `dnsmasq` and configured it to return `NXDOMAIN` for a giant list of ad
domains I found. It doesn’t have feature-parity with this, but the software
was readily available for my platform, which was nice.

~~~
jakeogh
Tool to automate it:
[https://github.com/jakeogh/dnsgate](https://github.com/jakeogh/dnsgate)

~~~
laumars
dnsmasq can read from /etc/hosts so you can automate it just using `curl` (or
other standard UNIX tools):

    
       # the first command is a one time only job
       cp -vip /etc/hosts /etc/hosts.default
    
       # the following is the automation.
       # --fail keeps an HTTP error page from being written into the list
       curl http://someonewhocares.org/hosts/hosts --silent --fail > /etc/hosts.sowc
       # overwrite (">", not ">>"): appending would add another copy of
       # both files to /etc/hosts on every run
       cat /etc/hosts.default /etc/hosts.sowc > /etc/hosts
    

The other benefit of this is you can then just do a `dnsmasq reload` (since
the hosts file is an external configuration file) rather than the full
`dnsmasq restart` that dnsgate performs.

~~~
lmm
Silently putting data fetched over unauthenticated HTTP into your hosts file
doesn't sound like a great idea.

~~~
laumars
Good point. Sadly that's pretty much how all adblockers keep up-to-date
(albeit at least with TLS). Though pragmatically even if the update was
manual, you still need to place some trust in the site when dealing with files
of that size. Granted it would be better if those resources served TLS, but
that would only prevent MITM and not the file being dodgy from source (eg site
hacked).

Thinking a little more about the problem you raised, I guess you could grep it
for IPs that aren't localhost (ie exit the shell script before writing the new
hosts if `grep` returns a zero exit code). Aside that, I'd genuinely be
interested in any ideas you have for keeping the file updated in a secure way
(if at all possible).

~~~
h4waii
[https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057](https://gist.github.com/Holzhaus/ed4ac1675a57f11c3057)
contains a simple reverse grep for doing this.

You should still have a modicum of trust towards the host you're pulling from,
as they can also insert something to potentially break the parsing code, which
opens up a whole 'nother host of issues.

------
laumars
This is a nice idea, but it's really easy to replicate using dnsmasq and a
custom hosts file (I use "Someone Who Cares"[1], but others exist as well,
[2][3])

dnsmasq can read from the hosts file and the whole thing is automatically
updated once a week with the latest bad domains (a simple `curl` request is
all that's needed)

This method also ports much easier to other *nixes and even Windows since
dnsmasq already has wider platform support.

[1] [http://someonewhocares.org/hosts/](http://someonewhocares.org/hosts/)

[2]
[http://winhelp2002.mvps.org/hosts.htm](http://winhelp2002.mvps.org/hosts.htm)

[3]
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

~~~
pgl
It's a lot less resource intensive not to use a hosts file. This might not be
a concern for people with modern machines, but having a hosts file with 12,000
lines in it does take a certain amount of processing.

If I might mention my own site for a minute, I maintain a list of ad server
(and tracking server) hostnames:
[http://pgl.yoyo.org/adservers/](http://pgl.yoyo.org/adservers/)

You can view the list as a dnsmasq config file, a BIND config file, and a
bunch of other formats.

~~~
userbinator
Also, running your own DNS server means you can do this for _every_ device,
even those for which you can't easily access the HOSTS file or perhaps don't
even have such a facility (locked-down mobile devices, embedded systems, etc)
and not have to worry about keeping multiple copies of HOSTS files in sync and
updated.

Although I don't have such devices in my network, I've heard that others do
this to their "smart" TV/media box/creepy home surveillance gadgets.

~~~
pgl
Yes, absolutely! It's way easier to configure your wifi router (or cable
modem, or whatever acts as the DHCP server on your network) to use a local DNS
server that blocks ads. Then ad blocking just _works_, whatever you connect
to your network.

~~~
chrismbarr
Is the best way to do this to run something like DD-WRT? Or is there a way to
accomplish this with stock router firmware? I ask because I recently tried to
install DD-WRT but ran into issues and had to revert to my stock firmware.

~~~
laumars
Personally I run dnsmasq on my file server (separate FreeBSD jail), but before
then I was running it on my Asus router with pretty much the stock firmware.
So I don't think there is a "best" approach specifically - just whatever works
for you.

What's your router model?

~~~
chrismbarr
Very late in seeing this comment! It's a Netgear WNDR3700v4. DD-WRT _is_
supported on it, and I did successfully get it installed, but I had no
connection to the internet with it. There was a wiki page for my specific
router model with instructions which I followed. I went back & forth with
people on their forums and they were pretty much telling me "oh yeah, don't
install _that_ version that the instructions tell you to!" and "well yeah,
this whole project is beta, so what do you expect?" All of that combined kind
of turned me off to this project from now on :/

------
CrLf
Take a look at PowerDNS Recursor or Unbound, both of which have scripting
capabilities that enable this type of behavior and much more (Lua for
PowerDNS, Python for Unbound).

I'd say a script for any of these would be a better choice.

~~~
pgl
I just yesterday added an Unbound format for my list!
[http://pgl.yoyo.org/as/#unbound](http://pgl.yoyo.org/as/#unbound)

~~~
vbezhenar
I just used a 'local-zone' entry. Unbound answers NXDOMAIN for those domains,
and it prevents the next HTTP request to 127.0.0.1. I'm not sure which approach is
better.

~~~
pgl
To be honest, I don't use Unbound myself - I was just going off what was sent
to me as an example of the format to use.

------
wodenokoto
Why do you need to spoof as opposed to block domains?

~~~
laumars
In the case of this HN submission, they're the same thing. From what I can
gather, Adsuck is essentially just a DNS forwarder that sends NXDOMAIN for
blacklisted domains but forwards the DNS requests for all other DNS lookups.
So "spoof" is a little misleading since it's actually doing the job of a
normal DNS forwarder - albeit tuned with privacy in mind. So I think it's fair
to say this method could more accurately be defined as "block[ing] domains"
rather than "spoofing DNS". However I'd welcome a correction if I'm wrong.

------
Khaine
I wrote a simple Python script to blacklist bad domains for unbound
[https://github.com/khainebot/DNS-Unbound-Blocklist-Downloade...](https://github.com/khainebot/DNS-Unbound-Blocklist-Downloader)

------
fonosip
Similar service [http://ba.net/adblock](http://ba.net/adblock)

------
walkingolof
Is there any upside of blocking using a [browser] plugin compared to this?

~~~
nfd
If you're Joe User, it's much easier to install a browser plugin or hosts file
than it is to set up a DNS server of your own, route your machines to it (even
internally), configure it properly...

~~~
jszymborski
Personally, it's also less annoying to shut off uBlock/etc per site than to go
into hosts, comment out a domain, then uncomment it when I'm done, when
visiting sites that break when you cut off Google Analytics or DoubleClick.

------
ausjke
The only issue with all these DNS-based blacklists is that you can normally
use the IP directly to fully bypass them.

~~~
ausjke
Plus it applies to the whole domain, i.e. it treats all the machines the same;
sometimes you may not want that.

------
b3lvedere
I like these ideas, but I don't like setting up a complete operating system
just for DNS purposes.

I know I could add it to other existing servers, but I'd really love a really
small independent virtual machine whose sole purpose would be DNS.

~~~
longsleep
Take a look at
[https://github.com/longsleep/adblockrouter](https://github.com/longsleep/adblockrouter)
- I hacked this together some months ago and have used it since to provide DNS
blacklisting to dnsmasq running on OpenWRT. If your OpenWRT router has wget
and ssl, it even runs directly on it.

