Adblocking through selfhosted DNS

quick Member
edited January 2017 in Tutorials

Hello,

I found this tutorial through Google, but from what I read in the comments it is not working, so I did not even try.

Can you maybe help me realize this with a little VPS?


Comments

  • https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    Thanked by 3: quick, NanoG6, mik997
  • I did and wrote this 4 years ago. It may still work.

  • KuJoe Member, Host Rep
    edited January 2017

    I run Pi-Hole at home and on my personal servers. Easy to use and set up.

    Thanked by 2: quick, HyperSpeed
  • @Cyph3r said:
    https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    that looks awesome. Can someone assist me to install this on my little vps?

    I am on a little 128mb ram ovz from gestion

  • raindog308 Administrator, Veteran

    Cyph3r said: https://pi-hole.net/ Just follow this. I

    Droidzone said: I did and wrote this 4 years ago. It may still work.

    Thanks for sharing these...I may give one or the other a go.

    Setting up DNS is easy enough, but I haven't tried getting a subscription feed integrated, which is really the key here.

  • @KuJoe said:
    I run Pi-Hole at home and on my personal servers. Easy to use and set up.

    Should I leave this as it is, or enter my VPS IP or something else?

  • @quick said:

    @Cyph3r said:
    https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    that looks awesome. Can someone assist me to install this on my little vps?

    I am on a little 128mb ram ovz from gestion

    Running the following command should work as mentioned in their guide:

    curl -sSL https://install.pi-hole.net | bash

  • @Falco33 said:

    @quick said:

    @Cyph3r said:
    https://pi-hole.net/ Just follow this. I have it running on my dedicated server and it works perfectly for blocking all ads. Let me know how it goes for you or if you need help

    that looks awesome. Can someone assist me to install this on my little vps?

    I am on a little 128mb ram ovz from gestion

    Running the following command should work as mentioned in their guide:

    curl -sSL https://install.pi-hole.net | bash

    Oh, my fault, I forgot to mention that I need help during the next step under: static IP address

    my bad

  • dodedodo Member
    edited January 2017

    putting up a public DNS may open your server up to amplification attacks. You'd be irritating
    fellow internet citizen.

  • @dodedodo said:
    putting up a public DNS may open your server up to amplification attacks. You'd be irritating
    fellow internet citizen.

    Specify a rate limit.

  • @dodedodo said:
    putting up a public DNS may open your server up to amplification attacks. You'd be irritating
    fellow internet citizen.

    Maybe you can give some advice on how to stop this :)

  • dodedodo said: putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizen.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps though.

  • Allow access to only your FQDN/IP address.

    BTW, you don't need a gui for that either. Just get dnsmasq as forwarding + caching host with an ample amount of hosts file entries and you can achieve what you need.
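An added example (not part of the original posts) of the dnsmasq-plus-hosts-entries approach: it turns a subscribed hosts-format block list into entries that are safe to load. The feed content is constructed, and loading the result through dnsmasq's `addn-hosts=` option is an assumption about how you would wire it in. The feed is treated as untrusted input, so only sinkhole addresses are accepted.

```python
import re

SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # addresses that mean "blocked"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
LABEL = re.compile(r"^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$")

# Constructed sample feed in hosts format; names and addresses are made up.
SAMPLE_FEED = """\
# ad servers
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # mixed case
127.0.0.1 ads.example.com
198.51.100.66 login.example.org
0.0.0.0 bad;name.example
0.0.0.0 metrics.example.com.
"""

def valid_name(name):
    """True for a syntactically plausible multi-label DNS name."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def sanitize_feed(text):
    """Return (blocked, rejected): sorted names to sinkhole, and refused lines."""
    blocked, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKS:
            # A feed entry mapping a name to a real address would redirect
            # that name for every client of the resolver, so refuse it.
            rejected.append(raw)
            continue
        for name in (n.lower().rstrip(".") for n in names):
            if name in LOCAL_NAMES:
                continue
            if valid_name(name):
                blocked.add(name)
            else:
                rejected.append(raw)
    return sorted(blocked), rejected

def to_hosts(blocked):
    """Render the block list as hosts-file lines (loadable via dnsmasq addn-hosts=)."""
    return "".join(f"0.0.0.0 {name}\n" for name in blocked)
```

Review the rejected lines before each update; a feed that starts shipping non-sinkhole addresses is a reason to stop subscribing to it.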

  • @dodedodo said:

    dodedodo said: putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizen.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

  • it has something to do with the vps. I set it up on a DO droplet, works fine on the browser, but on my smartphone I am still getting ads on youtube for ex.

    Any tips?

  • @quick said:
    it has something to do with the vps. I set it up on a DO droplet, works fine on the browser, but on my smartphone I am still getting ads on youtube for ex.

    Any tips?

    Are you sure your smartphone is actually using your DNS?

  • @piohost said:

    @dodedodo said:
    putting up a public DNS may open your server up to amplification attacks. You'd be irritating
    fellow internet citizen.

    Maybe you can give some advice on how to stop this :)

    Running one's own DNS resolver/cache/forwarder/adblocker is definitely a good thing, provided 1/ it is not public (the "security" part) 2/ properly configured+monitored (the "good netizen" part).

    As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both). The 2nd point requires at least some basic knowledge of the Holy Domain Name System's inner workings, i.e. the strengths and weaknesses of the query/reply model, how to interpret errors, difference in perfs vs. safety between recursion and forwarding, etc.

  • quick Member
    edited January 2017

    @Cyph3r said:

    @quick said:
    it has something to do with the vps. I set it up on a DO droplet, works fine on the browser, but on my smartphone I am still getting ads on youtube for ex.

    Any tips?

    Are you sure your smartphone is actually using your DNS?

    rebooted my phone.. seems to work great so far! thanks for the recommendation

    is this thing secure out of the box?

    I set up fail2ban and changed the ssh port. anything else to do so far?

  • @quick said:

    @Cyph3r said:

    @quick said:
    it has something to do with the vps. I set it up on a DO droplet, works fine on the browser, but on my smartphone I am still getting ads on youtube for ex.

    Any tips?

    Are you sure your smartphone is actually using your DNS?

    rebooted my phone.. seems to work great so far! thanks for the recommendation

    is this thing secure out of the box?

    I set up fail2ban and changed the ssh port. anything else to do so far?

    It's quite secure, but as always it's a good idea to set some iptables rules to drop any connection to your DNS that isn't you.

    Thanked by 1: quick
  • @Cyph3r

    can you tell me the exact commands, too, please.

  • @quick said:
    @Cyph3r

    can you tell me the exact commands, too, please.

    Do you have iptables installed?

  • Cyph3r Member
    edited January 2017
    iptables -A INPUT -p udp -s YOUR_IP_HERE --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j DROP
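
An added example (not part of the original post): a small Python check that replays first-match evaluation over constructed `iptables-save` output to see who can still reach port 53. It assumes a default INPUT policy of ACCEPT, uses the documentation address 203.0.113.7 in place of YOUR_IP_HERE, and skips any rule whose match options it does not model.

```python
import ipaddress

# Constructed sample: `iptables-save` output after applying only the two UDP
# rules from the post above, with an assumed default INPUT policy of ACCEPT.
# 203.0.113.7 is a documentation address standing in for YOUR_IP_HERE.
UDP_ONLY = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j DROP
COMMIT
"""
# Same ruleset with the matching TCP pair added (also constructed).
UDP_AND_TCP = UDP_ONLY.replace(
    "COMMIT",
    "-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 53 -j ACCEPT\n"
    "-A INPUT -p tcp -m tcp --dport 53 -j DROP\nCOMMIT",
)
MODELLED = {"-s", "-p", "-m", "--dport", "-j"}  # options this check understands

def parse_input_chain(save_text):
    """Return (default_policy, rules) for the filter table's INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT "):
            policy = tok[1]
        elif line.startswith("-A INPUT "):
            opts = dict(zip(tok[2::2], tok[3::2]))
            # Skip negated rules and rules with options that are not modelled.
            if set(opts) <= MODELLED and "!" not in tok:
                rules.append(opts)
    return policy, rules

def verdict(save_text, src, proto, dport=53):
    """First-match verdict for a new packet from src to proto/dport."""
    policy, rules = parse_input_chain(save_text)
    for r in rules:
        if r.get("-p", proto) != proto or r.get("--dport", str(dport)) != str(dport):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.get("-s", "0.0.0.0/0")):
            continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return r["-j"]
    return policy  # nothing matched: the chain's default policy decides

def exposure(save_text, stranger="198.51.100.9"):
    """Verdicts an arbitrary outside address gets on port 53, per protocol."""
    return {p: verdict(save_text, stranger, p) for p in ("udp", "tcp")}
```

With only the UDP pair in place, an outside address is dropped on UDP but falls through to the ACCEPT policy on TCP/53; adding the TCP pair closes that path.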
    
  • Best way to install I found is:
    First install Pi-Hole

    curl -sSL https://install.pi-hole.net | bash

    Then follow all commands on this page

  • @Gravely said:
    Best way to install I found is:
    First install Pi-Hole

    curl -sSL https://install.pi-hole.net | bash

    Then follow all commands on this page

    You're late. But good suggestion.

  • What value goes in IPv4 Default Gateway?

  • Nice, I have now set up Pi-Hole and to make my life easier I installed Webmin + CSF, blocked ports 80 and 53 (TCP + UDP in) and now all I have to do is add any IP I want to whitelist in the Webmin CSF module :)

  • dodedodo Member
    edited January 2017

    @Shot2 said: Running one's own DNS resolver/cache/forwarder/adblocker is definitely a good thing, provided 1/ it is not public (the "security" part) 2/ properly configured+monitored (the "good netizen" part).

    Depends on how you look at it.

    Running your own DNS would take some load off of the bigger DNS's, but I think the greater part of the resolves will end up at one of the ISP's DNS, and they get paid to provide them so they should be fine with it. I also think there's a good chance that a lot of people running their own DNS do not take the necessary steps to secure/monitor it. So in general I'd recommend against it.

  • Cyph3r said: It's quite secure, but as always it's a good idea to set some iptables rules to drop any connection to your DNS that isn't you.

    Do 3G connections get static(ish) IPs? If not, you can't use your phone anymore once you configure iptables.

  • @dodedodo said:
    Depends on how you look at it.

    Running your own DNS would take some load off of the bigger DNS's, but I think the greater part of the resolves will end up at one of the ISP's DNS, and they get paid to provide them so they should be fine with it. I also think there's a good chance that a lot of people running their own DNS do not take the necessary steps to secure/monitor it. So in general I'd recommend against it.

    Sure... Various software have safe settings by default (e.g. dnsmasq reacts only to local queries), others will definitely need some tweaking (ACLs) and/or good firewalling.

    Still, there's no ISP/NSA/Govt involved, unless you decide to. Two cases:

    • you run your own DNS resolver in recursive-iterative mode: for each query it will first query the roots ('.'), then the various successive delegations ('sucks' registry, 'domain.sucks' owner...), and you will hopefully get some answer. Sure, it puts some tiny load on the root servers, the registry servers, the registrar/poor-guy's authoritative servers... but you get a "really fresh" answer in the end, and retain [a wee bit of] your privacy.

    • you run your own DNS resolver in forwarder mode: for each query, it passes the hot potato to someone else of your choice - be it Google's 8.8.8.8, dat anonymous Open DNS nearby, some ISP's Govt-censored NSA-rotten server (but why would you, eh?).

    In each case, the answer will end up in your local cache, where it may optionally be checked for authenticity as a final step - only if all parties upstream are DNSSEC-enabled. A good resolver may ideally switch between both modes: first, forward the query to spare some sweat and then, if nothing comes, proceed with a clean recursion all by itself.

    Thanked by 1: mik997
  • thagoat Member
    edited January 2017

    Privoxy. Dead simple ad blocking. As a bonus, hidden ip address.
    Runs bodaciously through NAT vps.
