Browsing Peace and Privacy With dnsmasq

Screenshot of the dnsmasq extra configuration page in freetz

You can even have the DNS-based adblocking discussed here in your whole network if your router runs dnsmasq (it probably does) and you can edit its configuration (you probably can't). As shown here, with freetz you can.

I'm not a big fan of in-browser adblocking. For one, I have my doubts about several of the extensions – Adblock plus, for instance, comes from a for-profit, though I give you this critique might be partisan. Also, I like to switch browsers freely and certainly don't want to maintain block lists for each of them, and finally quite a few clients other than browsers may render HTML and hence ads.

At least with the pages I want (and don't want) to read, there's a much lighter alternative: DNS-based adblocking. You see, on the relatively few commercial pages I occasionally have reason to visit, ads, tracking pixels, and nasty javascript typically are served from a rather small set of domains – doubleclick.net, googleadservices.com, and a few more like these. If I can make my computer resolve these names to 127.0.0.1 – that is, my computer in IPv4, or yours, if you type that address –, everything your browser would pull from these servers is instantly gone in everything rendering HTML.

So, how do you do that? Well, you first make sure that your computer does the name resolution itself[1]. On Debian, you do that by installing the packages resolvconf (without a second e; in a systemd environment I think you want to use systemd-resolved instead) and dnsmasq; that's really all, and that ought to work out of the box in all reasonably common situations:

$ sudo apt install resolvconf dnsmasq

You will probably have to bring your network down and up again for this to take effect.

Once that's done, you can tell dnsmasq what names to resolve to what. The man page dnsmasq(8) documents what to do under the --address option – you could actually configure dnsmasq through command line options exclusively –, where you can read:

-A, --address=/<domain>[/<domain>...]/[<ipaddr>]

Specify an IP address to return for any host in the given domains. […] A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same was [sic, as of bullseye] as for --server […]

– and from the documentation of --server you learn that <domain> is interpreted as a suffix (if you will), such that if you give an address for, say, google.com, it will also be used for foo.google.com or foo.bar.google.com.

But where do these address expressions go? Well, at least in Debian, dnsmasq will read (essentially, see the README in there) any file you drop into /etc/dnsmasq.d and add its content to its configuration. Having configuration snippets in different files really helps maintenance and dist-upgrades in general; in this case, it also helps distributing the blacklist, as extra configuration that may be inappropriate on a different host is kept in some other file.

I tend to prefix snippet names with numbers in case order might one day matter. So, I have a file /etc/dnsmasq.d/10spamreduce.conf containing:

address=/doubleclick.net/127.0.0.1
address=/xiti.com/127.0.0.1
address=/adform.net/127.0.0.1
address=/qualtrics.com/127.0.0.1
address=/criteo.com/127.0.0.1
address=/exactag.com/127.0.0.1
address=/optimizely.com/127.0.0.1
address=/googleadservices.com/127.0.0.1
address=/googletagmanager.com/127.0.0.1
address=/ivwbox.com/127.0.0.1
address=/ivwbox.de/127.0.0.1
address=/connect.facebook.de/127.0.0.1
address=/facebook.net/127.0.0.1
address=/facebook.com/127.0.0.1
address=/addthis.com/127.0.0.1
address=/update.googleapis.com/127.0.0.1
address=/googleusercontent.com/127.0.0.1
address=/edgekey.net/127.0.0.1
address=/ioam.de/127.0.0.1
address=/cookiebot.com/127.0.0.1
address=/moatads.com/127.0.0.1
address=/fonts.gstatic.com/127.0.0.1
address=/fonts.googleapis.com/127.0.0.1
address=/ping.chartbeat.net/127.0.0.1
address=/cookielaw.org/127.0.0.1

When you do the same thing, you should restart dnsmasq and then see the effect like this:

$ sudo service dnsmasq restart
$ dig +short fonts.gstatic.com
127.0.0.1

As you can see, I have also included some trackers and other sources of annoyance in my address list. Of course, if you actually want to read Facebook (ugh) or need to pull Google's fonts (ughugh), you'll have to adapt that list a bit.

In case you have interesting and useful contributions to this list: Please do write in!

[1]Regrettably, with things like DNS over HTTPS, it could be that your browser actually will not use your computer's DNS resolver. Adblocking hence is one extra reason to disable DoH when you see it.

Zitiert in: Musée Historique de Strasbourg: „Von der Pfaffen Grittigkeit“

Kategorie: edv

Letzte Ergänzungen