👺MASQFilter | a DNSMASQ-based Filtering Service🤺

Ronald Bartels

This is a custom configuration of DNSMASQ that can be used on an edge node to provide filtering and security services.

The first step is to provide suitable DNS servers for the edge node's resolv.conf file. We provide two variants.

The first variant uses resolvers whose upstream filtering blocks known-insecure destinations:

9.9.9.9 # Quad9
1.1.1.2 # Cloudflare
208.67.222.222 # OpenDNS

The second variant includes the above as well as adult-related site blocking:

1.1.1.3 # Cloudflare
208.67.222.123 # OpenDNS
94.140.14.15 # AdGuard

The following custom DNSMASQ configuration file can be used. Note that all-servers sends every query to all upstreams and returns the first reply, so when the upstreams apply different block policies the fastest responder decides the outcome.

cache-size=4096
min-cache-ttl=900
all-servers

The next step is to create a custom-daily.sh script that downloads, once a day, the hosts files from which DNSMASQ filters and blocks.

#!/bin/bash
# Daily script which updates DNSMASQ categories
# Location: /usr/local/sbin
threatblock_dir="/etc/extra/MASQF"
sudo mkdir -p /etc/extra
sudo mkdir -p "$threatblock_dir"

# Download a list to a temporary file and only replace the existing copy when
# curl succeeds (-f turns HTTP errors into failures, so a 404 page or an empty
# body never overwrites a good list; -L follows redirects).
fetch() {
  local url="$1" dest="$2"
  if curl -fsSL "$url" -o "$dest.tmp" && [ -s "$dest.tmp" ]; then
    mv "$dest.tmp" "$dest"
    echo "Downloaded $(basename "$dest")"
  else
    rm -f "$dest.tmp"
    echo "Failed to download $url, keeping previous copy" >&2
  fi
}

# List of URLs
urls=(
  "https://gist.githubusercontent.com/ckuethe/f71185f604be9cde370e702aa179fc2e/raw/53fe52046836ac3009e9505b7b8b8b5de42d84e3/doh-blocklist.txt"
  "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/ips/doh.txt"
  "https://blocklistproject.github.io/Lists/abuse.txt"
  "https://blocklistproject.github.io/Lists/ads.txt"
  "https://blocklistproject.github.io/Lists/crypto.txt"
  "https://blocklistproject.github.io/Lists/drugs.txt"
  "https://blocklistproject.github.io/Lists/facebook.txt"
  "https://blocklistproject.github.io/Lists/fraud.txt"
  "https://blocklistproject.github.io/Lists/gambling.txt"
  "https://blocklistproject.github.io/Lists/malware.txt"
  "https://blocklistproject.github.io/Lists/phishing.txt"
  "https://blocklistproject.github.io/Lists/piracy.txt"
  "https://blocklistproject.github.io/Lists/porn.txt"
  "https://blocklistproject.github.io/Lists/ransomware.txt"
  "https://blocklistproject.github.io/Lists/redirect.txt"
  "https://blocklistproject.github.io/Lists/scam.txt"
  "https://blocklistproject.github.io/Lists/tiktok.txt"
  "https://blocklistproject.github.io/Lists/torrent.txt"
  "https://blocklistproject.github.io/Lists/tracking.txt"
  "https://blocklistproject.github.io/Lists/smart-tv.txt"
  "https://blocklistproject.github.io/Lists/whatsapp.txt"
  "https://blocklistproject.github.io/Lists/vaping.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/light.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/multi.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/pro.plus.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/ultimate.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/tif.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-activision.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-blizzard.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-ea.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-nordvpn.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-reddit.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-signal.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-snapchat.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-steam.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-surfshark.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-telegram.txt"
  "https://nickoppen.github.io/pihole-blocklists/blocklist-tinder.txt"
  "https://raw.githubusercontent.com/crpietschmann/pi-hole-blocklist/main/blocklist-social-all.txt"
  "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/doh-vpn-proxy-bypass.txt"
)
# Loop through URLs and download files
for url in "${urls[@]}"; do
  filename=$(basename "$url")
  filename="${filename%.txt}"  # Remove .txt extension
  fetch "$url" "$threatblock_dir/$filename"
done
# StevenBlack hosts variants: adult content, risk/security, and the unified privacy list
fetch "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/porn/hosts" "$threatblock_dir/sbporn"
fetch "https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts" "$threatblock_dir/sbsecurity"
fetch "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" "$threatblock_dir/sbprivacy"
# Stop the running DNSMASQ instance and relaunch it through the site's wrapper so
# the updated lists are loaded (PID file path and wrapper are specific to this setup)
kill "$(cat /var/run/bonding/dnsmasq.pid)"
/usr/local/sbin/extra-dnsgate.sh /etc/extra/extra-dnsgate.conf

This script can be scheduled as a daily run.
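Before a freshly downloaded list is handed to DNSMASQ it is worth checking that it actually looks like a blocklist: a saved HTTP error page would simply be ignored, but a tampered hosts file that points a domain at a real address would turn the filter into a redirector. The validator below is an added example, not part of the original post or the author's script; it assumes hosts-format lists sinkhole to 0.0.0.0 or 127.0.0.1 and that the dnsmasq-format bypass list contains only address=/.../ or local=/.../ lines.

```shell
#!/bin/bash
# Validate downloaded blocklists before DNSMASQ loads them (added example, not part
# of the original post). Assumes hosts-format lists sinkhole to 0.0.0.0/127.0.0.1
# and that dnsmasq-format lists carry only address=/d/ or local=/d/ directives.

# Returns 0 if every entry of a hosts-format list maps a name to a sinkhole address.
# A saved HTTP error page, or a line pointing a domain at a real IP (a redirect, not
# a block), returns 1. The loopback header in StevenBlack's unified file
# (127.0.0.1 localhost, ::1 ip6-localhost, ...) is tolerated.
validate_hosts_list() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $2 ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$/ { next }
    $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::" && $1 != "::1" { bad++; next }
    $2 !~ /^[A-Za-z0-9._-]+$/ { bad++ }
    END { exit (bad > 0) }' "$1"
}

# Returns 0 if a dnsmasq-format list holds only block directives. A server= or
# conf-file= line smuggled into a list would change where queries go, so it fails.
validate_dnsmasq_list() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    !/^(address|local)=\/[A-Za-z0-9._-]+\/(0\.0\.0\.0|127\.0\.0\.1|::)?[ \t]*$/ { bad++ }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample lists (not real list content) written to a temp dir; prints it.
make_samples() {
  d=$(mktemp -d)
  printf '# clean\n127.0.0.1 localhost\n::1 ip6-localhost\n0.0.0.0 ads.example\n' > "$d/good.hosts"
  printf '0.0.0.0 ads.example\n198.51.100.7 login.bank.example\n' > "$d/redirect.hosts"
  printf '<html><body>404 Not Found</body></html>\n' > "$d/error.hosts"
  printf '# bypass list\nlocal=/doh.example/\naddress=/vpn.example/\n' > "$d/good.dnsmasq"
  printf 'local=/doh.example/\nserver=/bank.example/198.51.100.7\n' > "$d/poison.dnsmasq"
  echo "$d"
}

# Demo: in the daily script, run the matching check on each freshly downloaded
# file and only move it into place when the check passes.
dir=$(make_samples)
for f in "$dir"/*.hosts;   do validate_hosts_list "$f"   && echo "OK  $f" || echo "BAD $f"; done
for f in "$dir"/*.dnsmasq; do validate_dnsmasq_list "$f" && echo "OK  $f" || echo "BAD $f"; done
rm -rf "$dir"
```

Only the two good samples pass; the redirecting hosts entry, the HTML error page and the smuggled server= line are all rejected.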

The final piece is to configure the custom DNSMASQ file with the filters. This is done as follows:

addn-hosts=/etc/extra/MASQF/tiktok
addn-hosts=/etc/extra/MASQF/torrent
conf-file=/etc/extra/MASQF/doh-vpn-proxy-bypass

The above filters out TikTok and torrent sites. The last line loads the doh-vpn-proxy-bypass list, which is in DNSMASQ's native configuration format and blocks the DNS-over-HTTPS, VPN and proxy endpoints that clients could otherwise use to bypass the filter.

Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.