Wednesday, July 28, 2010

DNSmasq


Introduction

I use DNSmasq to provide DNS, DHCP, tftpd and ad blocking to my home network.

DNSmasq

Debian Etch

Install DNSmasq from testing because it has a newer version with an integrated tftpd server.
apt-get -t testing install dnsmasq

Debian Lenny and Ubuntu

aptitude install dnsmasq

Configure DNSmasq

I prefer to keep my DNSmasq configuration outside the distributed .conf file; it makes upgrades much less of a headache.
Edit '/etc/dnsmasq.conf'
nano /etc/dnsmasq.conf
Add the following to the last line of the file...
conf-file=/etc/dnsmasq.intranet.conf
Now I need to set up my DNSmasq configuration.
Sample
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers which are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts

# Set the domain for dnsmasq. This is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#    as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=example.org

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.1.100,192.168.1.199,12h

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4

# Do the same thing, but using the option name
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.77,192.168.1.1
dhcp-option=option:domain-name,example.org

# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
dhcp-option=option:domain-search,example.org

Configure /etc/resolv.conf

We have configured DNSmasq to query the DNS servers in the order they appear in '/etc/resolv.conf'. I have done this because I use OpenDNS and fail over to my ISP's DNS servers in the unlikely event OpenDNS is not available.
nano /etc/resolv.conf
Add the following and save the file.
search example.org

#OpenDNS Servers
nameserver 208.67.222.222
nameserver 208.67.220.220

#Your ISPs DNS Servers
nameserver 212.159.13.49
nameserver 212.159.13.50
nameserver 212.159.6.9

Configure hosts

Here is an example hosts file for your DNSmasq server.
nano /etc/hosts
Add the following and save the file.
192.168.1.1 router.example.org router
192.168.1.10 server-a.example.org server-a
192.168.1.11 server-b.example.org server-b

Restart DNSmasq
/etc/init.d/dnsmasq restart

Ad Blocking

We need a couple of supporting utilities to complete DNSmasq's ad blocking duties.

Enable adblocking configuration

nano /etc/dnsmasq.conf
Add the following to the last line of the file...
conf-file=/etc/dnsmasq.adblock.conf

Get Ad Block List

First we need to create a simple script to get the ad block list.
nano /usr/local/bin/get-ad-block-list.sh
#!/bin/sh

# Download the DNSmasq-formatted ad block list into a temporary file
TMP=$(mktemp) || exit 1
wget "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext" -O "$TMP" || { rm -f "$TMP"; exit 1; }

# Replace all occurrences of 127.0.0.1 with the IP address our ad block server (pixelserv) is listening on.
# The two misspellings alter the googleadservices and tradedoubler.com entries so those domains are not blocked.
sed -e 's/127\.0\.0\.1/192.168.1.78/g' \
    -e 's/googleadservices/ggggggadservices/' \
    -e 's/tradedoubler\.com/tttttdoubler.com/' "$TMP" > /etc/dnsmasq.adblock.conf
rm -f "$TMP"

# Restart DNSmasq so the new list is loaded
/etc/init.d/dnsmasq restart
Now we will set up a cron job to run that on a weekly basis.
ln -s /usr/local/bin/get-ad-block-list.sh /etc/cron.weekly/get-ad-block-list
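The refresh script above copies whatever the download returned straight into /etc/dnsmasq.adblock.conf, so an HTML error page or a truncated transfer becomes the live block list at the next restart. The following is an added example, not code from the original post or from yoyo.org: it filters the downloaded list line by line, keeps only well-formed `address=/host/127.0.0.1` entries, rewrites the sink address, drops the domains the page exempts instead of misspelling them, and refuses to install a list with suspiciously few entries. The sink address, the whitelist and the minimum count are assumptions; the raw list produced by `sample_raw_list` is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a validating replacement for the
# "cat | sed > /etc/dnsmasq.adblock.conf" step of get-ad-block-list.sh.
# Values below are assumptions, not taken from the page's list.

PIXELSERV_IP="${PIXELSERV_IP:-192.168.1.78}"   # where pixelserv.pl listens
MIN_ENTRIES="${MIN_ENTRIES:-100}"              # fewer than this = broken download
# Domains the page exempts (it did so by misspelling them); dropping the
# line has the same effect without leaving bogus names in the config.
WHITELIST="googleadservices.com tradedoubler.com"

# filter_adblock_list < raw > clean
# Keeps only lines of the exact form address=/host/127.0.0.1, rewrites the
# address to $PIXELSERV_IP and removes whitelisted domains and their subdomains.
# Anything else (HTML, comments, odd characters) is silently discarded.
filter_adblock_list() {
    grep -E '^address=/[A-Za-z0-9._-]+/127\.0\.0\.1$' |
    awk -v sink="$PIXELSERV_IP" -v wl="$WHITELIST" '
        BEGIN { n = split(wl, w, " ") }
        {
            split($0, f, "/"); host = f[2]
            for (i = 1; i <= n; i++)
                if (host == w[i] || host ~ ("\\." w[i] "$")) next
            print "address=/" host "/" sink
        }'
}

# install_adblock_list RAW DEST: filter RAW into DEST only if the result has at
# least MIN_ENTRIES lines; otherwise leave DEST untouched and return 1.
install_adblock_list() {
    raw="$1"; dest="$2"
    tmp=$(mktemp) || return 1
    filter_adblock_list < "$raw" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        echo "refusing to install: only $count valid entries (min $MIN_ENTRIES)" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest" && chmod 644 "$dest"
}

# sample_raw_list: a constructed download in the yoyo.org dnsmasq format
# (not the real list), mixing good entries with the junk the filter must drop.
sample_raw_list() {
    cat <<'EOF'
# constructed sample, not the real yoyo.org list
address=/ad.doubleclick.net/127.0.0.1
address=/ads.googleadservices.com/127.0.0.1
address=/tradedoubler.com/127.0.0.1
address=/adserver.example/127.0.0.1
<html><body>Service unavailable</body></html>
address=/evil;rm -rf/127.0.0.1
address=/banners.example/127.0.0.1
EOF
}

# Stand-alone run ("sh adblock-filter.sh demo"): show the filtered output.
[ "$1" = "demo" ] && sample_raw_list | filter_adblock_list
```

To wire it into get-ad-block-list.sh, fetch with `wget -O` into a `mktemp` file, call `install_adblock_list "$tmpfile" /etc/dnsmasq.adblock.conf`, and restart dnsmasq only when that returns 0; a failed or mangled download then leaves the previous list in place.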

Create a pixel server

Pixelserv is a super minimal webserver; its one and only purpose is serving a 1x1 pixel transparent gif file. We will redirect web requests for adverts to pixelserv.
wget http://proxytunnel.sourceforge.net/files/pixelserv.pl.txt -O /usr/local/bin/pixelserv.pl
chmod 755 /usr/local/bin/pixelserv.pl
We will now edit pixelserv.pl and change the IP address it listens on.
nano /usr/local/bin/pixelserv.pl
Change...
$sock = new IO::Socket::INET (  LocalHost => '0.0.0.0',
...to...
$sock = new IO::Socket::INET (  LocalHost => '192.168.1.78',
We need a simple init script for starting/stopping pixelserv.pl.
vi /etc/init.d/pixelserv
#! /bin/sh
# /etc/init.d/pixelserv
#

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting pixelserv"
    /usr/local/bin/pixelserv.pl &
    ;;
  stop)
    echo "Stopping script pixelserv"
    killall pixelserv.pl
    ;;
  *)
    echo "Usage: /etc/init.d/pixelserv {start|stop}"
    exit 1
    ;;
esac

exit 0
chmod 755 /etc/init.d/pixelserv
Test that the pixelserv init script works correctly by running '/etc/init.d/pixelserv start' and checking that the 'pixelserv.pl' process is running. Now run '/etc/init.d/pixelserv stop' and check that the 'pixelserv.pl' process is no longer running. If everything works correctly, add the pixelserv init script to the startup/shutdown sequences...
update-rc.d pixelserv defaults
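The init script above stops pixelserv with killall, which matches by process name and so also kills any unrelated process called pixelserv.pl, and its "start" reports success even when pixelserv.pl dies immediately (for example because the address it was told to listen on is not configured on the box). The following is an added example, not from the original post, of pidfile-based start/stop functions that could replace the case branches above; DAEMON and PIDFILE are assumed values, and the stand-alone demo uses a constructed fake daemon.

```shell
#!/bin/sh
# Added example, not from the original post: pidfile-based start/stop logic for
# the pixelserv init script.  DAEMON and PIDFILE are assumptions.

DAEMON="${DAEMON:-/usr/local/bin/pixelserv.pl}"
PIDFILE="${PIDFILE:-/var/run/pixelserv.pid}"

# daemon_running: true if PIDFILE names a live process.
daemon_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE") && [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# daemon_start: launch DAEMON in the background and record its pid.  A no-op
# (returning 0) if it is already running; returns 1 if it exited straight away.
daemon_start() {
    if daemon_running; then echo "already running (pid $(cat "$PIDFILE"))"; return 0; fi
    "$DAEMON" </dev/null >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    sleep 1
    daemon_running || { rm -f "$PIDFILE"; echo "$DAEMON exited immediately" >&2; return 1; }
}

# daemon_stop: TERM the recorded pid, wait up to 5 s, then KILL; remove the pidfile.
# Only the process this script started is touched, unlike "killall pixelserv.pl".
daemon_stop() {
    daemon_running || { rm -f "$PIDFILE"; return 0; }
    pid=$(cat "$PIDFILE")
    kill "$pid"
    for i in 1 2 3 4 5; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
    rm -f "$PIDFILE"
}

# Init-script entry points; with no argument the file only defines the functions.
case "$1" in
  start)  daemon_start ;;
  stop)   daemon_stop ;;
  status) daemon_running && echo "pixelserv running (pid $pid)" || { echo "pixelserv stopped"; exit 3; } ;;
  *)      ;;
esac
```

Dropping these functions into /etc/init.d/pixelserv in place of the start/stop branches gives a "status" action as well, and "start" now exits non-zero when pixelserv.pl fails to come up, so the problem is visible at boot rather than at the first blocked advert.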

Testing the Ad Blocking

Go and visit some websites which have adverts in their pages and check if they are removed :-)
References