Adblocking through selfhosted DNS

quick Member
edited January 5 in Tutorials

Hello,

I found this tutorial through Google, but as I read the comments it is not working, so I did not even try.

Can you maybe help me realize this with a little VPS?

Comments

  • Cyph3r Member

    https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    MzunguHosting - Affordable Africa hosting - http://mzunguhosting.ml || https://cyph3r.cf/

  • Droidzone

    I did and wrote this 4 years ago. It may still work.

    C, Bash, Perl, PHP, and JS hobbyist. VPS collector. Blog

  • KuJoe Member, Provider
    edited January 5

    I run Pi-Hole at home and on my personal servers. Easy to use and setup.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
    Need free hosting? Get AFreeCloud

  • quick Member

    @Cyph3r said: https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    That looks awesome. Can someone assist me in installing this on my little VPS?

    I am on a little 128MB RAM OVZ from gestion.

  • raindog308 Super Moderator

    Cyph3r said: https://pi-hole.net/ Just follow this. I

    Droidzone said: I did and wrote this 4 years ago. It may still work.

    Thanks for sharing these...I may give one or the other a go.

    Setting up DNS is easy enough, but I haven't tried getting a subscription feed integrated, which is really the key here.

    My Advice: : VPS Advice | My Blog: raindog308.com

    For LET support, please click here.

  • quick Member

    @KuJoe said: I run Pi-Hole at home and on my personal servers. Easy to use and setup.

    Should I leave this as it is, or enter my VPS IP or something else?

  • Falco33

    @quick said:

    @Cyph3r said: https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    That looks awesome. Can someone assist me in installing this on my little VPS?

    I am on a little 128MB RAM OVZ from gestion.

    Running the following command should work as mentioned in their guide:

    curl -sSL https://install.pi-hole.net | bash

  • quick Member

    @Falco33 said:

    @quick said:

    @Cyph3r said: https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    That looks awesome. Can someone assist me in installing this on my little VPS?

    I am on a little 128MB RAM OVZ from gestion.

    Running the following command should work as mentioned in their guide:

    curl -sSL https://install.pi-hole.net | bash

    Oh, my fault, I forgot to mention that I need help with the next step, under: static IP address.

    My bad.

  • dodedodo Member
    edited January 5

    Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

  • Jpshua2216

    @dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    Specify a rate limit.

  • piohost Member, Provider

    @dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    Maybe you can give some advice on how to stop this :)

    [ www.PioHost.co.uk ] - [ Shared, VPS & Dedicated Server Hosting - UK ] UK VPS From £10/y CLICK HERE

  • dodedodo

    dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps, though.

  • Nomad Member

    Allow access to only your FQDN/IP address.

    BTW, you don't need a gui for that either. Just get dnsmasq as forwarding + caching host with an ample amount of hosts file entries and you can achieve what you need.

    I never turn down help on improving my Nginx Configuration Template ;)
    NameSilo.com coupons: CheapDoms or Discounted
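
Nomad's dnsmasq route and the "subscription feed" raindog308 asked about earlier come together in the script below. It is an added example, not code from the thread, from dnsmasq or from Pi-hole: it converts a hosts-format blocklist feed (the format most ad-blocking lists publish) into dnsmasq `address=` lines, which, unlike plain `addn-hosts` entries, also cover every subdomain of a blocked name, and writes a resolver config that listens on one address and forwards everything else to one upstream. The feed contents in the test are constructed for the example; the file paths, listen address and upstream are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, dnsmasq or Pi-hole): build a dnsmasq
# ad-blocking forwarder from a hosts-format blocklist feed.
# Assumed/hypothetical: the feed path, the output paths and the addresses passed in.

# Convert hosts-format lines ("0.0.0.0 ads.example") into dnsmasq address= lines.
# Comments, blank lines and the usual localhost entries are skipped. The feed is
# untrusted input, so a hostname must look like a real DNS name before it is
# placed between the slashes; otherwise a crafted line could smuggle in a
# different directive or a second address= entry.
hosts_to_dnsmasq() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" \
      | awk 'NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
               for (i = 2; i <= NF; i++) print tolower($i) }' \
      | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' \
      | grep -Ev '^(localhost\.localdomain|broadcasthost|ip6-localhost)$' \
      | sort -u \
      | sed 's|.*|address=/&/0.0.0.0|'     # address=/name/0.0.0.0 also covers *.name
}

# Write the resolver config.
# $1 = address to listen on, $2 = upstream resolver, $3 = generated blocklist path,
# $4 = path of the config file to write (e.g. a drop-in under /etc/dnsmasq.d/)
write_dnsmasq_conf() {
    cat > "$4" <<EOF
# Only answer on this address; combine with a firewall ACL on port 53
listen-address=$1
bind-interfaces
# Ignore /etc/resolv.conf and forward anything not blocked to one upstream
no-resolv
server=$2
# Do not forward junk: unqualified names and reverse lookups for private ranges
domain-needed
bogus-priv
# Refuse upstream answers that point at private addresses (DNS rebinding)
stop-dns-rebind
cache-size=10000
# The blocklist generated by hosts_to_dnsmasq
conf-file=$3
EOF
}

# Example run (paths are hypothetical):
#   hosts_to_dnsmasq /tmp/feed.txt > /etc/dnsmasq.blocklist.conf
#   write_dnsmasq_conf 203.0.113.7 1.1.1.1 /etc/dnsmasq.blocklist.conf /etc/dnsmasq.d/adblock.conf
```

After restarting dnsmasq, `dig @203.0.113.7 ads.example.com` should answer 0.0.0.0 while `dig @203.0.113.7 example.com` still resolves normally; `listen-address` only narrows which interface dnsmasq answers on, so the firewall rule on port 53 is still what keeps the resolver private.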

  • piohost Member, Provider

    @dodedodo said:

    dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps, though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

  • quick Member

    It has something to do with the VPS. I set it up on a DO droplet; it works fine in the browser, but on my smartphone I am still getting ads on YouTube, for example.

    Any tips?

  • Cyph3r Member

    @quick said: It has something to do with the VPS. I set it up on a DO droplet; it works fine in the browser, but on my smartphone I am still getting ads on YouTube, for example.

    Any tips?

    Are you sure your smartphone is actually using your DNS?


  • Shot2 Member

    @piohost said:

    @dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    Maybe you can give some advice on how to stop this :)

    Running one's own DNS resolver/cache/forwarder/adblocker is definitely a good thing, provided 1/ it is not public (the "security" part) 2/ properly configured+monitored (the "good netizen" part).

    As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both). The 2nd point requires at least some basic knowledge of the Holy Domain Name System's inner workings, i.e. the strengths and weaknesses of the query/reply model, how to interpret errors, difference in perfs vs. safety between recursion and forwarding, etc.

    Allocating less than /64 means "we are clueless about IPv6". Happy with Aruba, Gandi, HostHatch, Porkbun, VortexNode, vStoike…
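
The firewall ACL that Shot2 and Cyph3r describe and the rate limit Jpshua2216 suggested can be expressed as one iptables ruleset. The script below is an added example, not code from the thread, from Pi-hole or from any poster: it generates an `iptables-restore` fragment that accepts DNS (UDP and TCP port 53) only from an allowlist of client prefixes, rate-limits each allowed source with the `hashlimit` match, and silently drops everyone else. The allowlist file format, the `DNS_IN` chain name and the 50 queries/second budget are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset that
# accepts DNS (UDP and TCP port 53) only from an allowlist of client prefixes,
# rate-limits each allowed source with the hashlimit match, and drops the rest.
# Assumed allowlist format: one IPv4 or IPv6 prefix per line, '#' comments allowed.
# Usage: gen_dns_acl 4 /etc/dns-clients.txt | iptables-restore --noflush
#        gen_dns_acl 6 /etc/dns-clients.txt | ip6tables-restore --noflush

# $1 = "4" or "6" (which address family to emit), $2 = allowlist file
gen_dns_acl() {
    fam="$1"
    allowlist="$2"
    # A dedicated chain keeps the DNS policy separate from the rest of INPUT
    printf '*filter\n:DNS_IN - [0:0]\n'
    printf -- '-A INPUT -p udp --dport 53 -j DNS_IN\n'
    printf -- '-A INPUT -p tcp --dport 53 -j DNS_IN\n'
    # Strip comments and blank lines, then emit one ACCEPT rule per prefix of this family
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$allowlist" | while read -r cidr; do
        case "$cidr" in
            *:*) [ "$fam" = 6 ] || continue ;;   # IPv6 prefix: skip it in the v4 set
            *)   [ "$fam" = 4 ] || continue ;;   # IPv4 prefix: skip it in the v6 set
        esac
        # hashlimit keeps a token bucket per source address: 50 queries/s sustained,
        # bursts of 100. A client over budget stops matching here and falls through to DROP.
        printf -- '-A DNS_IN -s %s -m hashlimit --hashlimit-name dns%s --hashlimit-mode srcip --hashlimit-upto 50/sec --hashlimit-burst 100 -j ACCEPT\n' "$cidr" "$fam"
    done
    # Everyone not listed gets nothing back. DROP rather than REJECT, so the server
    # sends no packet at all in response to a spoofed query.
    printf -- '-A DNS_IN -j DROP\nCOMMIT\n'
}
```

Apply it once per address family; `--noflush` keeps whatever fail2ban or CSF already put in the table (re-running appends a second pair of jump rules to INPUT, so delete those first). Check with `iptables -L DNS_IN -nv` that the DROP counter climbs when you query from a host that is not on the list. The source address is the only thing being checked, so a query spoofed from an allowlisted prefix still gets an answer; the rate budget is what bounds how much of a reflector that makes you.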

  • quick Member
    edited January 5

    @Cyph3r said:

    @quick said: It has something to do with the VPS. I set it up on a DO droplet; it works fine in the browser, but on my smartphone I am still getting ads on YouTube, for example.

    Any tips?

    Are you sure your smartphone is actually using your DNS?

    Rebooted my phone... seems to work great so far! Thanks for the recommendation.

    Is this thing secure out of the box?

    I set up fail2ban and changed the SSH port. Anything else to do so far?

  • Cyph3r Member

    @quick said:

    @Cyph3r said:

    @quick said: It has something to do with the VPS. I set it up on a DO droplet; it works fine in the browser, but on my smartphone I am still getting ads on YouTube, for example.

    Any tips?

    Are you sure your smartphone is actually using your DNS?

    Rebooted my phone... seems to work great so far! Thanks for the recommendation.

    Is this thing secure out of the box?

    I set up fail2ban and changed the SSH port. Anything else to do so far?

    It's quite secure, but as always it's a good idea to set some iptables rules to drop any connection to your DNS that isn't from you.

  • quick Member

    @Cyph3r

    can you tell me the exact commands, too, please.

  • Cyph3r Member

    @quick said: @Cyph3r

    can you tell me the exact commands, too, please.

    Do you have iptables installed?


  • Cyph3r Member
    edited January 5

    # Allow DNS (UDP and TCP port 53) only from your own address; drop it from everyone else
    iptables -A INPUT -p udp -s YOUR_IP_HERE --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp -s YOUR_IP_HERE --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j DROP
    iptables -A INPUT -p tcp --dport 53 -j DROP

  • Gravely

    Best way to install I found is: first install Pi-hole

    curl -sSL https://install.pi-hole.net | bash

    Then follow all commands on this page

    https://lowendbox.com/blog/host-your-own-dns-now-with-100-more-ad-block/

  • Cyph3r Member

    @Gravely said: Best way to install I found is: first install Pi-hole

    curl -sSL https://install.pi-hole.net | bash

    Then follow all commands on this page

    https://lowendbox.com/blog/host-your-own-dns-now-with-100-more-ad-block/

    You're late. But good suggestion.


  • What value goes in IPv4 Default Gateway?

  • piohost Member, Provider

    Nice, I have now set up Pi-Hole and to make my life easier I installed Webmin + CSF, blocked ports 80 and 53 (TCP + UDP in) and now all I have to do is add any IP I want to whitelist in the Webmin CSF module :)


  • dodedodo Member
    edited January 6

    @Shot2 said: Running one's own DNS resolver/cache/forwarder/adblocker is definitely a good thing, provided 1/ it is not public (the "security" part) 2/ properly configured+monitored (the "good netizen" part).

    Depends on how you look at it.

    Running your own DNS would take some load off of the bigger DNS's, but I think the greater part of the resolves will end up at one of the ISP's DNS, and they get paid to provide them so they should be fine with it. I also think there's a good chance that a lot of people running their own DNS do not take the necessary steps to secure/monitor it. So in general I'd recommend against it.

  • Cyph3r said: It's quite secure but as always its a good idea to set some iptable rules to drop any connection to your DNS that isn't you.

    Do 3G connections get static(ish) IPs? If not, you can't use your phone anymore once you configure iptables.

  • Shot2 Member

    @dodedodo said: Depends on how you look at it.

    Running your own DNS would take some load off of the bigger DNS's, but I think the greater part of the resolves will end up at one of the ISP's DNS, and they get paid to provide them so they should be fine with it. I also think there's a good chance that a lot of people running their own DNS do not take the necessary steps to secure/monitor it. So in general I'd recommend against it.

    Sure... Various software has safe settings by default (e.g. dnsmasq reacts only to local queries); others will definitely need some tweaking (ACLs) and/or good firewalling.

    Still, there's no ISP/NSA/Govt involved, unless you decide to. Two cases:

    • you run your own DNS resolver in recursive-iterative mode: for each query it will first query the roots ('.'), then the various successive delegations ('sucks' registry, 'domain.sucks' owner...), and you will hopefully get some answer. Sure, it puts some tiny load on the root servers, the registry servers, the registrar/poor-guy's authoritative servers... but you get a "really fresh" answer in the end, and retain [a wee bit of] your privacy.

    • you run your own DNS resolver in forwarder mode: for each query, it passes the hot potato to someone else of your choice - be it Google's 8.8.8.8, dat anonymous Open DNS nearby, some ISP's Govt-censored NSA-rotten server (but why would you, eh?).

    In each case, the answer will end up in your local cache, where it may optionally be checked for authenticity as a final step - only if all parties upstream are DNSSEC-enabled. A good resolver may ideally switch between both modes: first, forward the query to spare some sweat and then, if nothing comes, proceed with a clean recursion all by itself.

  • thagoat Member
    edited January 6

    Privoxy. Dead simple ad blocking. As a bonus, hidden ip address.
    Runs bodaciously through NAT vps.

    Here there be monsters.

  • raindog308 Super Moderator

    Shot2 said: As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both).

    ...but would that work if I was on, say, my phone on cellular? It's DHCP and I have no idea what the ranges could be.

    Then again, I don't think there's a way to change DNS on cellular on an iPhone so perhaps this is irrelevant for me.

    dodedodo said: Running your own DNS would take some load off of the bigger DNS's,

    ...for one guy? Even for 100? I'm skeptical they'd notice.

    "Hey DNS ops, just want to give you a head's up that we're coming into raindog308's morning timezone and he usually surfs for a bit while he's on the john, so watch your monitors..."


  • Shot2 Member

    @raindog308 said:

    Shot2 said: As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both).

    ...but would that work if I was on, say, my phone on cellular? It's DHCP and I have no idea what the ranges could be.

    Then again, I don't think there's a way to change DNS on cellular on an iPhone so perhaps this is irrelevant for me.

    If the client address/range is unpredictable, forget about ACLs. Might still be feasible (but dirty) through clever firewall rules - port knocking, basically...

    dodedodo said: Running your own DNS would take some load off of the bigger DNS's,

    ...for one guy? Even for 100? I'm skeptical they'd notice.

    "Hey DNS ops, just want to give you a head's up that we're coming into raindog308's morning timezone and he usually surfs for a bit while he's on the john, so watch your monitors..."

    Nowadays large public dns systems (including the root servers) are designed to withstand (D)DoS in the multi-Gbps range; I doubt they care about a bunch of benevolent guys sparing them some bytes here and there...


  • http://optimal.com/

    https://noad.zone/

    https://alternate-dns.com/

    Isn't one of the above way easier?

    Also, can you run Privoxy on a router?

  • ethancedrik Member

    @piohost said:

    @dodedodo said:

    dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps, though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

    Wouldn't OVH's Anti-DDoS system catch that?

  • ethancedrik Member
    edited January 6

    ISPs generally have powerful DNS servers that can handle large amounts of requests, in the tens of billions.

    There's another thread here where someone was talking about Telstra's DNS, and they said they actually noticed a speed improvement when switching to a different DNS server. I've also heard of ISP DNS servers going down completely, so I guess that's not always the case for reliability.

  • piohost Member, Provider

    @ethancedrik said:

    @piohost said:

    @dodedodo said:

    dodedodo said: Putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps, though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

    Wouldn't OVH's Anti-DDoS system catch that?

    Catch what? If I leave my Pi-hole server open then of course, if it gets used for amplification, OVH would block the attack, but they would also cut my service until I sort it.

  • Maybe use a firewall rule to only allow it to send traffic to your IP address?

    I just realized what you said earlier in that it's your server sending the attack not someone attacking your server
