Tim's blah blah blah

DNS-based adblocking on VyOS

Here I describe how to enable DNS-based adblocking on VyOS, which uses PowerDNS recursor as DNS resolver.

There’s a few options available to achieve this:

  1. Use squidguard, e.g. see here & here.
  2. Use iptables to block stuff
  3. Use /etc/hosts entries (e.g. via set system static-host-mapping host-name)
  4. Use PowerDNS specifics see here, here and here.

I chose 4. using the native PowerDNS recursor for speed and simplicity (no extra parts needed). To get this working, we can use a Lua script that is called for each DNS resolving. This is based on this script, howeverI return NXDOMAIN which is faster and works for any DNS record type:

-- File: /config/scripts/pdns-adblock-script.lua
-- Docs: https://docs.powerdns.com/recursor/lua-scripting/hooks.html
-- 
-- Load from recursor.conf, e.g. lua-dns-script=/config/scripts/pdns-adblock-script.lua

adservers=newDS()
-- permitted=newDS()

function preresolve(dq)
  -- if permitted:check(dq.qname) or (not adservers:check(dq.qname))  then
  if (not adservers:check(dq.qname)) then
    return false
  end

  -- Return NXDOMAIN (non-existent domain), which 
  dq.rcode = pdns.NXDOMAIN -- set NXDOMAIN answer
  return true  
end

-- Blocklist should contain something like:
-- return{"101com.com", "101order.com"}
adservers:add(dofile("/config/scripts/pdns-adblock-blocklist.lua"))
-- permitted:add(dofile("/config/scripts/pdns-adblock-permitted.lua"))

To get this working, I ensure you populate pdns-adblock-blocklist.lua with a list of your liking. Furthermore, we need to update PowerDNS’ recursor.conf to load this script by adding lua-dns-script=/config/scripts/pdns-adblock-script.lua. However, on VyOS, this file is generated automatically, so we resort to using a script attached as post-commit hook as follows:

#!/bin/vbash
# File: /config/scripts/commit/post-hooks.d/adblock
# N.B. the script name is quite restrictive! See https://vyos.dev/T4917
source /opt/vyatta/etc/functions/script-template
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

echo "lua-dns-script=/config/scripts/pdns-adblock-script.lua" | sudo tee -a /run/powerdns/recursor.conf

# Need to restart PowerDNS in order to process conf change.
run restart dns forwarding

Now test that this works:

vyos@vyos:~$ host 101com.com
Host 101com.com not found: 3(NXDOMAIN)

Profit!

#debian #vyos #Linux #security #server #unix