Tim's blah blah blah

DNS-based adblocking on VyOS

(Updated: )

Here I describe how to enable DNS-based adblocking on VyOS, which uses PowerDNS recursor as DNS resolver.

Adblocking on VyOS using PowerDNS

There’s a few options available to achieve this:

  1. Use squidguard, e.g. see here & here.
  2. Use iptables to block stuff
  3. Use /etc/hosts entries (e.g. via set system static-host-mapping host-name)
  4. Use PowerDNS specifics see here, here and here [chosen].

I chose 4. using the native PowerDNS recursor for speed and simplicity (no extra parts needed). To get this working, we can use a Lua script that is called for each DNS resolving. This is based on this script, however I return NXDOMAIN which should be faster (although pihole claims some clients might still try to resolve) and works for any DNS record type:

-- File: /config/scripts/pdns-adblock-script.lua
-- Docs: https://docs.powerdns.com/recursor/lua-scripting/hooks.html
-- 
-- Load from recursor.conf, e.g. lua-dns-script=/config/scripts/pdns-adblock-script.lua

adservers=newDS()
-- permitted=newDS()

function preresolve(dq)
  -- if permitted:check(dq.qname) or (not adservers:check(dq.qname))  then
  if (not adservers:check(dq.qname)) then
    return false
  end

  -- Return NXDOMAIN (non-existent domain), which 
  dq.rcode = pdns.NXDOMAIN -- set NXDOMAIN answer
  return true  
end

-- Blocklist should contain something like:
-- return{"101com.com", "101order.com"}
adservers:add(dofile("/config/scripts/pdns-adblock-blocklist.lua"))
-- permitted:add(dofile("/config/scripts/pdns-adblock-permitted.lua"))

To get this working, I ensure you populate pdns-adblock-blocklist.lua with a list of your liking. Furthermore, we need to update PowerDNS’ recursor.conf to load this script by adding lua-dns-script=/config/scripts/pdns-adblock-script.lua.

Ensure configuration is permanent

However, on VyOS, recursor.conf is generated automatically, so we resort to using a script attached as post-commit hook as follows:

#!/bin/vbash
# File: /config/scripts/commit/post-hooks.d/adblock
# N.B. the script name is quite restrictive! See https://vyos.dev/T4917
source /opt/vyatta/etc/functions/script-template
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

echo "lua-dns-script=/config/scripts/pdns-adblock-script.lua" | sudo tee -a /run/powerdns/recursor.conf

# Need to restart PowerDNS in order to process conf change.
run restart dns forwarding

Populate adblock list

To fill pdns-adblock-blocklist.lua I wrote a script that supports a few different adblocking formats, and has a few sources predefined. Apply some judgement when choosing adblock sources as it might contain false positives or even malicious entries, although I’m not sure of a vector how this can be exploited.

Testing

Now test that this works:

vyos@vyos:~$ host 101com.com
Host 101com.com not found: 3(NXDOMAIN)

Profit!

#vyos #Linux #security #networking #server