
the elephant in this room

Posted Jun 1, 2015 11:11 UTC (Mon) by ballombe (subscriber, #9523)
In reply to: the elephant in this room by tpo
Parent article: Speed and bandwidth improvements with Firefox Tracking Protection

> Uhm, there seems to be a, wait..., salmon (?) colored (actually #ffcc99) elephant standing in this LWN room with "//pagead2.googlesyndication.com/pagead/show_ads.js" written on it.

My /etc/hosts has (inter alia)

0.0.0.0 pagead2.googlesyndication.com

so no, I do not see it.

But at some point, Linux distributions are going to be complicit in user tracking by not implementing some basic protection by default.
But how to do it while staying neutral is not obvious.


domain name blacklisting

Posted Jun 1, 2015 12:09 UTC (Mon) by tpo (subscriber, #25713) (6 responses)

Is there a way to do:

0.0.0.0 *.googlesyndication.com *.doubleclick.net
0.0.0.0 *.2o7.com

and so on? That's what I'd *really* like to do... however I don't know of any nice and elegant solution for this, short of some ugly local hack via a transparent DNS proxy.

Optimally there should be some resolver plugin that could be activated via nsswitch.conf, that does this, but AFAIK there is no such thing?
*t

domain name blacklisting

Posted Jun 1, 2015 12:27 UTC (Mon) by anselm (subscriber, #2796) (3 responses)

Dnsmasq can do this sort of thing and I personally would consider this reasonably nice and elegant. To sweeten the deal, dnsmasq can also perform other potentially useful services, like local caching of results, DNSSEC validation, and so on.

domain name blacklisting

Posted Jun 1, 2015 12:54 UTC (Mon) by tpo (subscriber, #25713) (2 responses)

Thanks for the reference -

I know dnsmasq a bit and I don't like it much for its complexity: it has the kitchen sink integrated, which is also reflected in its epic manpage. The problem at hand seems to be so trivial (blacklisting domains) that I'd expect that a solution would be accordingly trivial (a simple /etc/hosts.blacklist would do)...

domain name blacklisting

Posted Jun 1, 2015 14:09 UTC (Mon) by dmarti (subscriber, #11625)

Unbound has "include" and "local-data".

https://www.unbound.net/documentation/unbound.conf.html

I recently set up an Unbound internal DNS server and it works great.

The missing piece is a script that will parse the EasyPrivacy list and generate an "include"able file containing the correct "local-data" lines.
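
A sketch of the script dmarti describes, added here as an example (it is not from the thread, from EasyPrivacy or from Unbound's own tooling): it reads rules in EasyPrivacy's Adblock syntax, keeps only the plain `||host^` entries, and emits `local-zone`/`local-data` lines for an Unbound `include:` file. It goes a step beyond a flat hosts list by using `redirect` zones, so every name beneath a listed host is covered too, which is the wildcard behaviour tpo asked for above; the input list is a constructed sample, and the function names are mine.

```python
import re
# Constructed sample in EasyPrivacy (Adblock Plus) syntax; not the real list.
SAMPLE = """[Adblock Plus 2.0]
! Title: constructed sample
||pagead2.googlesyndication.com^
||googlesyndication.com^
||2o7.com^
||example.net/track.js
@@||example.org^
||tracker.example.com^$third-party
"""
# Only bare domain-anchor rules (||host^) are converted; rules with a path,
# exceptions (@@) or options ($third-party) match narrower and are skipped.
_DOMAIN_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^$")

def parse_domains(lines):
    """Return the sorted hostnames named by plain ||host^ rules."""
    hosts = set()
    for raw in lines:
        line = raw.strip().lower()
        if not line or line[0] in "![@":
            continue  # blank, comment, [Adblock Plus 2.0] header, exception
        if m := _DOMAIN_RULE.match(line):
            hosts.add(m.group(1).strip("."))
    return sorted(hosts)

def collapse(hosts):
    """Drop hosts with an ancestor in the list; the ancestor's redirect
    zone already answers for every name beneath it."""
    kept = set(hosts)
    result = []
    for h in sorted(kept):
        labels = h.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            result.append(h)
    return result

def unbound_local_data(hosts):
    """Emit unbound.conf lines: a redirect zone per host (covers subdomains)
    with A/AAAA records pointing at the unroutable 0.0.0.0 and ::."""
    out = []
    for h in hosts:
        out.append(f'local-zone: "{h}" redirect')
        out.append(f'local-data: "{h} A 0.0.0.0"')
        out.append(f'local-data: "{h} AAAA ::"')
    return out

def build(text):
    return unbound_local_data(collapse(parse_domains(text.splitlines())))
```

Write the output of `build()` to a file and reference it from unbound.conf with `include:`; rules carrying options are deliberately left out rather than widened into whole-host blocks.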

domain name blacklisting

Posted Jun 1, 2015 15:56 UTC (Mon) by kdave (subscriber, #44472)

Dnsmasq allows using multiple hosts files, so it's easy to separate your true /etc/hosts and 3rd party list(s). The config option is 'addn-hosts=/path', multiple allowed.

domain name blacklisting

Posted Jun 1, 2015 16:07 UTC (Mon) by kdave (subscriber, #44472)

Interesting that you mention the nsswitch approach. I played with that some time ago and in the end it was easier to configure dnsmasq to accept multiple hosts files than to implement the getXXbyYY callbacks in an nss module. In retrospect I think that NSS is the wrong level to solve it. The resolver approach builds on top of working code (it has to parse hosts anyway), may do caching and shares the configuration.

domain name blacklisting

Posted Jun 1, 2015 19:05 UTC (Mon) by dsowen (subscriber, #81373)

For several years, I've been running both dnscache and tinydns (the djbdns package) on my network.

I configure dnscache to send all requests for *.example.com to the local tinydns instead of resolving recursively from the DNS roots. I configure tinydns to be an authority for that domain (this is only inward-facing), then leave it with no A records for it. So a query for anything in *.example.com fails immediately, and I think that even the failure gets cached.

I have a short bash script to add a domain to both dnscache and tinydns and reload each. Whenever I catch a site misbehaving, I open up the browser's dev tools, track it down, and ban it. I don't mind ads, generally; ad servers that don't misbehave don't get banned.

When visitors use my network, they comment on how fast everything loads (but I have only 5 Mbps incoming) and how clean every site looks.

:)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds