Adblocking with DNS


Ads on websites are both annoying and resource intensive on older PowerPC systems. Waiting for the browser to load all the ads just so you can use the site can try your patience. This is where adblocking becomes a great help.

Dan has a really good post comparing different types of adblocking tools for TenFourFox. I would like to suggest another method that takes the work of adblocking off your browser and machine by doing it in DNS. If you have a spare machine (I will be using my Mac mini G4 running Jessie) then setting this up is pretty simple.

First we will install bind9 and set up DNS caching and forwarding. Then we will set up the adblock portion. Finally we will set up a simple web server to serve a transparent pixel in place of the ads.


Setting up DNS caching

First, install bind9 if you have not already; as root, run apt-get install bind9. Next, edit /etc/bind/named.conf.options. Below is my file.

acl goodclients {
    192.168.0.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        208.67.222.222;
        208.67.220.220;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};


The acl section defines who is allowed to send queries to the DNS server, and allow-query applies it. This keeps outsiders from using your server. It matters most if the server is reachable from the internet (an open recursive resolver gets found quickly and abused as a reflector for DNS amplification attacks), but it is good practice on a home network too.

Next we turn on recursion and define who is allowed to query. DNS recursion is when the DNS server queries other servers on behalf of the client and sends the reply back. Because no allow-recursion is set, BIND derives it from allow-query, so only the goodclients networks can make this server recurse.

Then we define the forwarders to use. Some people prefer Google DNS, but I like OpenDNS (208.67.222.222 and 208.67.220.220 above). That is all you need to set up caching. A good tutorial on DNS caching can be found at DigitalOcean.


Adblocking

Now you need a blacklist file, which can be found here. Select the bind8 option and download the file. Then open it and edit the zone lines to look as follows.

zone "101com.com" IN { type master; notify no; file "/etc/bind/null.zone.file"; };

If you are handy with vim then doing this should be really quick and easy.

Next, copy the file to the /etc/bind directory and add this line to /etc/bind/named.conf.local:

include "/etc/bind/blacklist";

Now create /etc/bind/null.zone.file. This single zone file backs every blacklisted zone and points the ad names at the simple web server we will set up shortly, so you want its A records to point at that web server (the * wildcard catches every subdomain too). In my case the mini serves as both. Here is my file, with the web server's address left as a placeholder.

$TTL 86400 ; one day

@ IN SOA ads.attlocal.net. hostmaster.attlocal.net. (
        2002061000 ; serial number YYYYMMDDNN
        28800      ; refresh 8 hours
        7200       ; retry 2 hours
        864000     ; expire 10 days
        86400 )    ; min ttl 1 day
  IN NS debian-minippc.attlocal.net. ; trailing dot required: without it BIND appends each blacklisted zone name
  IN A  <web server IP>

@ IN A <web server IP>
* IN A <web server IP> ; wildcard: every subdomain of a blacklisted zone goes to the pixel server


Now restart bind so that it picks up all these changes. First run named-checkconf, which sanity-checks the configuration (including the included blacklist); if all is good it returns silently to the prompt. You can also check the null zone itself against one of the blacklisted names with named-checkzone 101com.com /etc/bind/null.zone.file. Then restart with systemctl restart bind9 and check the service with systemctl status bind9.

This finishes all that you need to set up the DNS server.
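As an added example (my own code, not the post's and not from the list site), here is a small POSIX shell script that builds the blacklist from a plain list of ad domains, one per line, and tells you whether a given hostname would be answered from the null zone. It assumes the domain list is a plain text file with '#' comments and uses the /etc/bind/null.zone.file path from the post; the domains in its usage lines are constructed. It goes a little beyond the post in two ways: it validates each entry, because a stray '"' or ';' in a downloaded list would otherwise close the zone statement early and let the list inject other named.conf directives, and its check walks up the parent domains, because the wildcard record in the null zone blocks every subdomain of a blacklisted zone.

```shell
#!/bin/sh
# Added example, not from the original post: build the /etc/bind/blacklist
# file from a plain list of ad-serving domains (one per line) instead of
# hand-editing the downloaded list, and answer "will BIND send this name to
# the pixel server?" for a given hostname.
#
# Assumptions (mine, not the post's): the input list is a plain text file,
# '#' starts a comment, and the null zone lives at the path the post uses.

NULL_ZONE="/etc/bind/null.zone.file"

# gen_blacklist: read domains on stdin, print one zone statement per valid
# domain in the format the post uses, de-duplicated.  Entries are
# lower-cased and anything that is not a plain hostname is rejected, so a
# stray '"' or ';' in a downloaded list cannot close the zone statement
# early and inject other named.conf directives.
gen_blacklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace, normalise case
        d=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        [ -z "$d" ] && continue
        case "$d" in
            *[!a-z0-9.-]*|.*|*.|*..*|-*|*.-*|*-.*)
                printf 'skipping invalid entry: %s\n' "$d" >&2; continue ;;
            *.*) ;;   # at least one dot: looks like a real domain
            *)  printf 'skipping single label (would block a whole TLD): %s\n' "$d" >&2; continue ;;
        esac
        printf 'zone "%s" IN { type master; notify no; file "%s"; };\n' "$d" "$NULL_ZONE"
    done | sort -u
}

# is_blocked BLACKLIST NAME: succeed if NAME or any parent domain has a zone
# statement in BLACKLIST.  A parent match counts because the null zone's
# wildcard '*' A record covers every subdomain of a blacklisted zone.
is_blocked() {
    bl=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while [ -n "$name" ]; do
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')
        grep -q "^zone \"$pat\" " "$bl" && return 0
        case "$name" in
            *.*) name=${name#*.} ;;   # walk up: foo.doubleclick.net -> doubleclick.net -> net
            *)   return 1 ;;
        esac
    done
    return 1
}

# Usage (file names are examples):
#   gen_blacklist.sh adlist.txt > /etc/bind/blacklist
#   gen_blacklist.sh adlist.txt check foo.doubleclick.net
if [ "$#" -ge 1 ]; then
    if [ "$#" -eq 3 ] && [ "$2" = check ]; then
        tmp=$(mktemp)
        gen_blacklist < "$1" > "$tmp"
        if is_blocked "$tmp" "$3"; then echo "$3: blocked"; else echo "$3: not blocked"; fi
        rm -f "$tmp"
    else
        gen_blacklist < "$1"
    fi
fi
```

After writing the output to /etc/bind/blacklist, run named-checkconf as described above before restarting bind; a rejected entry is reported on stderr rather than silently dropped, so you can see what the list contained.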


Pixelserver

As I said at the beginning, we want a simple server that returns a transparent image in place of each ad. Without it, every blocked ad request fails to connect and the page fills up with broken-image placeholders and error messages.

Pixelserver is a simple Perl script that can be found here. Download it and edit the listening IP address to be your server's. Then make it executable and run it:
chmod u+x pixelserver.pl
./pixelserver.pl

Now point your machine's DNS at your server and test. Here is what a successful query looks like (addresses replaced with placeholders):
herminio-hernandezs-power-mac-g4:~ herminio$ nslookup foo.doubleclick.com
Server: dns server
Address: dns server#53

Name: foo.doubleclick.com
Address: pixelserver

You should see the domain name resolve to your web server. Now browse the web ad free!

UPDATE I:

If you want pixelserver.pl to start on boot, have systemd manage it. This is not hard to do.

First I put a copy of the script in /usr/bin. Then I went to /etc/systemd/system and created a service file (I called mine pixelserv.service). Here is what it looks like.

[Unit]
Description=pixelsirv.pl

[Service]
ExecStart=/usr/bin/pixelserver.pl

[Install]
WantedBy=multi-user.target

Then run systemctl enable pixelserv.service, followed by systemctl restart pixelserv.service (which starts it if it is not yet running). Now check that systemd is running the service. Note that systemd runs a service as root unless told otherwise; if the script listens on a port above 1023 you can add User=<unprivileged account> to the [Service] section so that a bug in the script does not hand out root.
root@debian-minippc:/etc/systemd/system# systemctl status pixelserv.service
● pixelserv.service - pixelsirv.pl
Loaded: loaded (/etc/systemd/system/pixelserv.service; enabled)
Active: active (running) since Thu 2015-11-19 00:37:26 CST; 7s ago
Main PID: 5345 (pixelserver.pl)
CGroup: /system.slice/pixelserv.service
└─5345 /usr/bin/perl -Tw /usr/bin/pixelserver.pl

UPDATE II:

With dnssec-validation left on (auto) in /etc/bind/named.conf.options, forwarding breaks; the usual cause is a forwarder that does not return the DNSSEC records BIND needs, so validation fails and clients get SERVFAIL. Change the setting to the line below and restart bind. Be aware of what this costs: with validation off, the resolver accepts whatever the forwarders (or anyone who can spoof a reply to them) send back, so if you want DNSSEC, use forwarders that do return DNSSEC records, or remove the forwarders block and let BIND recurse from the root servers itself.

dnssec-validation no;

UPDATE III:

If you are stuck with a provider wifi router that will not let you change the DNS option in DHCP, add this line to /etc/dhcp/dhclient.conf on the client (the trailing semicolon is required):
prepend domain-name-servers <server ip address>;
Then run dhclient <interface> as root to renew the lease, and your server will be listed first in /etc/resolv.conf. Note that prepend keeps the router's servers as fallbacks, so if your server is down or slow the resolver quietly falls back to them and the ads come back; use supersede domain-name-servers <server ip address>; instead if your server should be the only one.

6 comments:

  1. I like this a lot. Not only because it's a better adblock solution for the masses, but that a solution done this way would make a fanboy's head explode. Gotta love that! :)

    Their solution would be to tell people to install something bloated like ABP, which is something a child can figure out.

    Great work, Herminio!

    1. Thanks Zen!

      I do like this solution for browsing on my PPC machines. I still have ublock installed on Firefox, but I can now turn it off when I am home. It is consuming the most RAM on the mini, 10% of 512MB.

      My next project is to set up web content caching, but I think I should upgrade the mini to 1GB of RAM before I do that or rebuild Jessie w/o a DE. Xorg and lightdm are both #2 and #3 in RAM usage.
    2. By 'it' I meant bind9 running on the macmini.

    3. I use bluhell firewall directly in FF, which is very very light. It runs on only 30 KB RAM. Yes, really.

      It's not just an ad blocker though. The developer describes it as "Ad-Blocker and Tracking/Privacy Protector".

    4. kind of like ublock + privacy badger in one add-on?

    5. I have not used either of those, so I cannot comment on any similarities. I looked up ublock once, but found its rated memory use too high. I forget the number now, but it was too close to ABP for me.

      Regardless, I think this DNS method is better. More of a blanket sweeping ad blocking.
