为了在 WireGuard VPN 上节省流量，使用 dnsmasq 搭建了 AdBlock DNS

你好，我是无能。

我目前使用的是备受称赞的1.5Mbps线路，但有广告时会突然开始加载并产生不必要的流量，我想停止这种情况。
虽然说是1.5Mbps无限流量，但似乎有3天10GB的限制，当变成200kbps通信时简直是地狱，所以很抱歉，我将在自己的环境下搭建一个在VPN上查询的DNS来屏蔽广告。

安装 dnsmasq

我的WireGuard服务器是FreeBSD环境，所以使用pkg。

$ pkg search dnsmasq
dnsmasq-2.90_2,1               Lightweight DNS forwarder, DHCP, and TFTP server
$ pkg install dnsmasq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 7 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        dnsmasq: 2.90_4,1
        gettext-runtime: 0.23
        gmp: 6.3.0
        indexinfo: 0.3.1
        libidn2: 2.3.7
        libunistring: 1.2
        nettle: 3.10.1

Number of packages to be installed: 7

The process will require 15 MiB more space.
3 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/7] Fetching indexinfo-0.3.1.pkg: 100%    6 KiB   5.9kB/s    00:01    
[2/7] Fetching libidn2-2.3.7.pkg: 100%  155 KiB 158.7kB/s    00:01    
[3/7] Fetching dnsmasq-2.90_4,1.pkg: 100%  390 KiB 398.9kB/s    00:01    
[4/7] Fetching nettle-3.10.1.pkg: 100%    2 MiB   1.6MB/s    00:01    
[5/7] Fetching libunistring-1.2.pkg: 100%  683 KiB 699.4kB/s    00:01    
[6/7] Fetching gmp-6.3.0.pkg: 100%  498 KiB 510.4kB/s    00:01    
[7/7] Fetching gettext-runtime-0.23.pkg: 100%  235 KiB 241.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/7] Installing indexinfo-0.3.1...
[1/7] Extracting indexinfo-0.3.1: 100%
[2/7] Installing libunistring-1.2...
[2/7] Extracting libunistring-1.2: 100%
[3/7] Installing gmp-6.3.0...
[3/7] Extracting gmp-6.3.0: 100%
[4/7] Installing libidn2-2.3.7...
[4/7] Extracting libidn2-2.3.7: 100%
[5/7] Installing nettle-3.10.1...
[5/7] Extracting nettle-3.10.1: 100%
[6/7] Installing gettext-runtime-0.23...
[6/7] Extracting gettext-runtime-0.23: 100%
[7/7] Installing dnsmasq-2.90_4,1...
[7/7] Extracting dnsmasq-2.90_4,1: 100%
=====
Message from dnsmasq-2.90_4,1:

--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]

Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq

SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.

$ echo 'dnsmasq_enable="YES" ' >> /etc/rc.local

作为要应用的配置文件路径，将以下内容追加到/usr/local/etc/dnsmasq.conf中。

conf-dir=/usr/local/etc/dnsmasq.d

创建文件夹

mkdir /usr/local/etc/dnsmasq.d
cd /usr/local/etc/dnsmasq.d

这样就引入了adblock列表。

curl -o /usr/local/etc/dnsmasq.d/adblock.conf https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

由于上述内容dnsmasq无法读取，所以进行格式化。

cat adblock.conf | awk '/^0.0.0.0/ {print "address=/"$2"/0.0.0.0"}' > tmp
rm adblock.conf 
mv tmp adblock.conf

确认配置文件

最小化后变成了这样。

# cat dnsmasq.conf | grep -v '^#' | grep [A-z]
no-resolv
server=1.1.1.1
interface=wg0
listen-address=10.0.0.1
log-queries
conf-dir=/usr/local/etc/dnsmasq.d

启动

这样就启动了。

# service dnsmasq start
Starting dnsmasq.

WireGuard 客户端侧

将客户端的DNS服务器设置为dnsmasq的监听IP。因此，这次是10.0.0.1。

测试

对于adblock.conf中记载的域名，这次由于客户端是手机，通过手机连接后，可以确认无法正常访问。

这样一来，通过根据需要添加进行广告分发的域名，就可以实现屏蔽。

dnsmasq 包含子域的指定

如下所示，在域名之前添加.，就可以指定为包含子域的域名。

address=/.test.com/0.0.0.0

对于我的智能手机1.5Mbps线路来说，仅仅是广告分发就相当致命，所以引入这个功能真是太好了，不是吗？
那么下次再见。请多关照。