
Blocking ad networks with named

Vincent Danen

August 01, 2015

I've meant to do this for ages, so on my first day of my "staycation", despite vowing to myself that I wouldn't look at a computer screen this week (hey, it's not actually the technical start of my week off is it?), I fiddled this morning with BIND to try and avoid seeing ads on my devices. While AdBlock works great on my browsers, that doesn't transfer well to mobile devices and apps with built-in advertising, etc.

Unless you're running your own BIND DNS server at home, you won't be able to do this. Even if you have a home network with named running (my local network does), it also won't really work for you unless you restrict all outbound DNS and allow DNS lookups only from your named server (which I do; it forces all of the machines on the network to use my DNS server, which is configured to ask only OpenDNS for DNS info), at least not in the way that I've done it.

So this assumes some knowledge of BIND and networking. This is not so much a tutorial on how to configure BIND as it is some quick tips and shared info on what I did this morning.

First you need to set up a master zone. Mine looks like this:

zone "rpz.linsec.ca" {
        type master;
        file "master/rpz.linsec.ca.zone";
};

NOTE: You may also need the following in your options section, but I'm not 100% sure as it was there before:

    response-policy {
        zone "rpz.linsec.ca";
    };

This makes named treat anything defined in this zone as authoritative, just like the DNS settings I have for my local network. As an aside, you can use this to block entire domains (like youtube or facebook if you have kids at home staring at screens all day...).

I then wrote a script which pulls data from MVPS Hosts. Their data is meant to be put into a hosts file, but that means it would only work on a single machine, and I'm trying to solve a multi-machine/mobile issue, not just a single computer. The script takes my rpz.linsec.ca.zone file, mashes in data from MVPS Hosts, and creates a new file that replaces it:

#!/bin/bash
# bash, not sh: the script uses $'\n' and == inside [ ].
IFS=$'\n'

input=$(mktemp /tmp/mvps.hosts.XXXXXX)
output=$(mktemp /tmp/rpz.linsec.ca.zone.XXXXXX)
source="/etc/named/rpz.linsec.ca.zone"
# Current SOA serial; assumes the zone file carries it on a line marked "; serial"
serial=$(grep serial "${source}" | awk '{print $1}')
n_serial="$(date +%Y%m%d)01"

# The feed is fetched over plain HTTP and used as-is; the line count below is
# the only sanity check before its contents go into the zone file.
curl -s http://winhelp2002.mvps.org/hosts.txt >"${input}"

dos2unix -o "${input}" >/dev/null 2>&1

lines=$(wc -l "${input}" | awk '{print $1}')

if [ "${lines}" -lt 10000 ]; then
    rm -f "${input}" "${output}"
    exit 1
fi

# Keep everything above the ;START ADHOSTS marker (SOA, NS, hand-added blocks).
# read -r with IFS= preserves whitespace and stops wildcard entries like
# *.example.com from being glob-expanded.
while IFS= read -r line; do
    if [ "${line}" == ";START ADHOSTS" ]; then
        break
    fi
    echo "${line}" >>"${output}"
done <"${source}"

echo "" >>"${output}"
echo ";START ADHOSTS" >>"${output}"
# Second column of each non-comment hosts line is the hostname. In a response
# policy zone, CNAME to the root (.) makes named answer NXDOMAIN for the name.
for hostname in $(grep -v '^#' "${input}" | awk '{print $2}'); do
    # skip blank lines (empty second column) and the localhost entry
    if [ -n "${hostname}" ] && [ "${hostname}" != "localhost" ]; then
        echo "${hostname}    IN    CNAME    ." >>"${output}"
    fi
done
echo ";END ADHOSTS" >>"${output}"

# Bump the SOA serial so secondaries and caches notice the new zone.
perl -pi -e "s/${serial}/${n_serial}/g" "${output}"

rm -f "${input}"
cp -f "${output}" "${source}"
rm -f "${output}"

Note that you need dos2unix installed. Everything else is fairly standard. The MVPS Hosts file seems to be updated monthly, so this is something you could add to a monthly cronjob or just run manually every once in a while. So far it seems to work pretty well over here. I had initially thought about writing something in Python, but bash is just so much faster (for me).
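As an added example (not code from the original post), here are the two steps of the script that deserve more care than a quick-and-dirty version gives them: only syntactically valid hostnames from the downloaded feed are turned into records, so stray tokens in the feed can never end up as directives in the zone file, and the serial always moves forward even when the script runs twice on the same day. The feed lines are constructed sample data; the record format and the YYYYMMDDnn serial scheme are the ones the script above uses.

```shell
#!/bin/sh
# Added example, not from the original post: hosts_to_rpz converts hosts-file
# lines into RPZ records (valid hostnames only); next_serial always increases.

# Constructed sample of a hosts-style feed (not real MVPS data).
SAMPLE_HOSTS='# Title: constructed sample feed
0.0.0.0 localhost
0.0.0.0 ads.example.com
0.0.0.0   tracker.example.net   # trailing comment is allowed
0.0.0.0 stray.example.org extra tokens here
0.0.0.0 -bad-label.example.com
0.0.0.0 under_score.example.com

0.0.0.0 cdn.ads.example.net'

# One DNS label: alphanumeric, "-" allowed inside, 1..63 characters.
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
HOST_RE="^(${LABEL}\.)*${LABEL}\$"

# hosts_to_rpz: hosts-file lines on stdin -> "name IN CNAME ." on stdout.
# In a response policy zone, CNAME to the root (.) answers NXDOMAIN.
hosts_to_rpz() {
    tr -d '\r' | while read -r addr name rest; do
        case "$addr" in ''|'#'*) continue ;; esac   # blank or comment line
        # Only "address hostname [# comment]" is accepted; any other extra
        # tokens mean the line is dropped rather than copied into the zone.
        case "$rest" in ''|'#'*) ;; *) continue ;; esac
        if [ "$name" = localhost ] || [ "${#name}" -gt 253 ]; then
            continue
        fi
        if printf '%s' "$name" | grep -Eq "$HOST_RE"; then
            printf '%s    IN    CNAME    .\n' "$name"
        fi
    done | LC_ALL=C sort -u   # a name may carry only one CNAME: no duplicates
}

# next_serial CURRENT TODAY: YYYYMMDD01 on a new day, otherwise CURRENT+1, so
# the SOA serial never repeats or goes backwards (e.g. two runs in one day).
next_serial() {
    candidate="${2}01"
    if [ "$1" -ge "$candidate" ]; then
        echo $(( $1 + 1 ))
    else
        echo "$candidate"
    fi
}

printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_rpz
next_serial 2015080101 20150801
```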

Also, anything you put in your zone file before the ";START ADHOSTS" line is retained, so if you do want to block specific domains (you may want to block iadsdk.apple.com and qwapi.com if you don't want to see iOS iAd ads) you still can, while still taking advantage of the MVPS Hosts list (if someone has a better list, I would love to see it).

I hope this helps someone else out. Comments for improvement are welcome; this was a pretty quick-and-dirty script that, I'll admit, does a few things oddly.
