Built an ad-blocking DNS with dnsmasq to save data on a WireGuard VPN
Hello, I'm incompetent.
I'm currently on a 1.5Mbps line, and when a page carries ads they all start loading at once and generate unnecessary traffic, which I want to stop.
Although the 1.5Mbps plan is nominally unlimited, there appears to be a 10GB cap per 3 days, and it was hell when the speed dropped to 200kbps. So, with apologies, I will set up a DNS server on my VPN that blocks ads for the clients that query it.
Install dnsmasq
My WireGuard server is a FreeBSD environment, so I will use pkg.
$ pkg search dnsmasq
dnsmasq-2.90_2,1 Lightweight DNS forwarder, DHCP, and TFTP server
$ pkg install dnsmasq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 7 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
dnsmasq: 2.90_4,1
gettext-runtime: 0.23
gmp: 6.3.0
indexinfo: 0.3.1
libidn2: 2.3.7
libunistring: 1.2
nettle: 3.10.1
Number of packages to be installed: 7
The process will require 15 MiB more space.
3 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/7] Fetching indexinfo-0.3.1.pkg: 100% 6 KiB 5.9kB/s 00:01
[2/7] Fetching libidn2-2.3.7.pkg: 100% 155 KiB 158.7kB/s 00:01
[3/7] Fetching dnsmasq-2.90_4,1.pkg: 100% 390 KiB 398.9kB/s 00:01
[4/7] Fetching nettle-3.10.1.pkg: 100% 2 MiB 1.6MB/s 00:01
[5/7] Fetching libunistring-1.2.pkg: 100% 683 KiB 699.4kB/s 00:01
[6/7] Fetching gmp-6.3.0.pkg: 100% 498 KiB 510.4kB/s 00:01
[7/7] Fetching gettext-runtime-0.23.pkg: 100% 235 KiB 241.2kB/s 00:01
Checking integrity... done (0 conflicting)
[1/7] Installing indexinfo-0.3.1...
[1/7] Extracting indexinfo-0.3.1: 100%
[2/7] Installing libunistring-1.2...
[2/7] Extracting libunistring-1.2: 100%
[3/7] Installing gmp-6.3.0...
[3/7] Extracting gmp-6.3.0: 100%
[4/7] Installing libidn2-2.3.7...
[4/7] Extracting libidn2-2.3.7: 100%
[5/7] Installing nettle-3.10.1...
[5/7] Extracting nettle-3.10.1: 100%
[6/7] Installing gettext-runtime-0.23...
[6/7] Extracting gettext-runtime-0.23: 100%
[7/7] Installing dnsmasq-2.90_4,1...
[7/7] Extracting dnsmasq-2.90_4,1: 100%
=====
Message from dnsmasq-2.90_4,1:
--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]
Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq
SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
$ echo 'dnsmasq_enable="YES"' >> /etc/rc.conf.local
Add the following line to /usr/local/etc/dnsmasq.conf so that dnsmasq also reads configuration files from a directory:
conf-dir=/usr/local/etc/dnsmasq.d
Create the directory
mkdir /usr/local/etc/dnsmasq.d
cd /usr/local/etc/dnsmasq.d
Next, fetch the blocklist used for ad blocking.
curl -o /usr/local/etc/dnsmasq.d/adblock.conf https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
The above is in hosts-file format, which dnsmasq cannot use as-is, so I will convert it to address= lines (the exact match on the first field also skips the file's own "0.0.0.0 0.0.0.0" entry).
awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" {print "address=/"$2"/0.0.0.0"}' adblock.conf > tmp
mv tmp adblock.conf
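As an added example (not part of the original post), here is the same hosts-to-dnsmasq conversion as a reusable function that also handles the edge cases in a real hosts file: the file's own "0.0.0.0 0.0.0.0" entry, localhost lines, inline comments, CRLF endings, several names on one line, and duplicates. The sample input is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist into dnsmasq address= lines.
# Only lines whose first field is 0.0.0.0 are blocklist entries; everything
# else (comments, 127.0.0.1/::1 localhost lines) is ignored.

# Constructed sample in the StevenBlack hosts layout (not the real file).
SAMPLE_HOSTS='# Title: constructed sample
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.test   # trailing comment
0.0.0.0 tracker.example.test metrics.example.test
0.0.0.0 ads.example.test
0.0.0.0 www.ads.example.test'

# hosts_to_dnsmasq: read hosts lines on stdin, write address= lines on stdout.
hosts_to_dnsmasq() {
  tr -d '\r' | awk '
    { sub(/[#].*/, "") }                 # drop whole-line and inline comments
    $1 == "0.0.0.0" && NF >= 2 {
      for (i = 2; i <= NF; i++) {        # a hosts line may list several names
        if ($i != "0.0.0.0" && !seen[$i]++)
          print "address=/" $i "/0.0.0.0"
      }
    }'
}

# count_rules: number of address= rules produced from the sample (4 here).
count_rules() {
  printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq
```

Write the result to a temporary file outside conf-dir and mv it into place, because dnsmasq reads every file in that directory, not only *.conf. Run dnsmasq --test afterwards to syntax-check the generated file before restarting the service.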
Verify configuration file
This is what it looks like with the minimum settings.
# grep -v '^#' dnsmasq.conf | grep '[A-Za-z]'
no-resolv
server=1.1.1.1
interface=wg0
listen-address=10.0.0.1
log-queries
conf-dir=/usr/local/etc/dnsmasq.d
Startup
This will start it.
# service dnsmasq start
Starting dnsmasq.
WireGuard Client
Set the client-side DNS server to the address dnsmasq listens on (listen-address), which in this case is 10.0.0.1.
Testing
The client here is a smartphone; connecting it over the VPN and opening domains listed in adblock.conf confirms that access to them is blocked.
With this, ad-serving domains can be blocked by adding them to the list as needed.
dnsmasq subdomain specification
By writing a leading . before the domain, as below, the entry covers the domain including its subdomains.
address=/.test.com/0.0.0.0
On my smartphone's 1.5Mbps line, merely having ads delivered is a real problem, so I'm glad I set this up.
That's all for now. Thank you.