Goal: to set up a free category-based DNS filter
Setup
I’m starting this with a clean install of Debian 11.
Install dnsmasq and create the folder structure:
apt install dnsmasq -y
mkdir /dnsbl
mkdir /dnsbl/lists
mkdir /dnsbl/update
Make a new file in which we keep a CSV of all the lists we want to use, one list per line, with the syntax “category;url”:
nano /dnsbl/update/lists
I’m starting out with the following categories from the BlockList Project (https://blocklist.site/)
abuse;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/abuse-dnsmasq.txt
adobe;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/adobe-dnsmasq.txt
ads;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/ads-dnsmasq.txt
basic;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/basic-dnsmasq.txt
crypto;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/crypto-dnsmasq.txt
drugs;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/drugs-dnsmasq.txt
facebook;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/facebook-dnsmasq.txt
fraud;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/fraud-dnsmasq.txt
porn;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/porn-dnsmasq.txt
piracy;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/piracy-dnsmasq.txt
phishing;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/phishing-dnsmasq.txt
malware;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/malware-dnsmasq.txt
gambling;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/gambling-dnsmasq.txt
ransomware;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/ransomware-dnsmasq.txt
youtube;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/youtube-dnsmasq.txt
whatsapp;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/whatsapp-dnsmasq.txt
vaping;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/vaping-dnsmasq.txt
twitter;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/twitter-dnsmasq.txt
tracking;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/tracking-dnsmasq.txt
torrent;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/torrent-dnsmasq.txt
tiktok;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/tiktok-dnsmasq.txt
smart-tv;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/smart-tv-dnsmasq.txt
scam;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/scam-dnsmasq.txt
redirect;https://raw.githubusercontent.com/blocklistproject/Lists/master/dnsmasq-version/redirect-dnsmasq.txt
Next, we’ll add a script and a cronjob to update these lists daily:
nano /dnsbl/update/update-list.sh
#!/bin/bash
# get list with categories from github
while IFS=";" read -r category url
do
  # download to a temporary file first: a failed download must not replace a
  # working list with an empty file, which would silently unblock the category
  tmp=$(mktemp)
  if wget -q "$url" -O "$tmp"; then
    # filter bad syntax: a hostname label ending in "-" is invalid; the dot is
    # escaped so that ordinary hyphenated domains are kept
    sed -i '/-\./d' "$tmp"
    chmod 644 "$tmp" # mktemp creates 0600 files
    mv "$tmp" "/dnsbl/lists/$category"
  else
    echo "download failed for $category ($url)" >&2
    rm -f "$tmp"
  fi
done < /dnsbl/update/lists
# only restart when the new lists parse, otherwise dnsmasq would stay down
dnsmasq --test && service dnsmasq restart
Add the cronjob (runs the update daily at 03:00):
crontab -e
0 3 * * * /bin/bash /dnsbl/update/update-list.sh >/dev/null 2>&1
Config script
I’ve created a CLI config script for easy management.
nano /dnsbl/config.sh
#!/bin/bash
# /dnsbl/config.sh - interactive management of the dnsmasq category filter
CONF=/etc/dnsmasq.conf
LISTS=/dnsbl/lists

function menu(){
  echo "======================================"
  echo "1) show blocked categories"
  echo "2) show all categories"
  echo "3) add category to block list"
  echo "4) remove category from block list"
  echo "5) exit"
  echo "======================================"
  read -r -p 'select action: ' choice
  echo " "
}

function restart(){
  # only restart when dnsmasq accepts the new configuration; otherwise a bad
  # list would leave the resolver down for every client
  if dnsmasq --test; then
    service dnsmasq restart
  else
    echo "configuration test failed, dnsmasq was not restarted"
  fi
}

# category names become file names and sed patterns, so restrict them
# to letters, digits, '-' and '_'
function valid_name(){
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

function process(){
  if [ "$choice" == 1 ]
  then
    echo "Blocked categories:"
    grep "^conf-file=$LISTS/" "$CONF" | sed "s|^conf-file=$LISTS/||"
    echo " "
  elif [ "$choice" == 2 ]
  then
    echo "All categories:"
    ls "$LISTS"
    echo " "
  elif [ "$choice" == 3 ]
  then
    read -r -p "Enter category to be blocked: " categoryAdd
    # refuse names that are not an existing list file: dnsmasq will not start
    # if a conf-file= entry points at a missing file
    if ! valid_name "$categoryAdd" || [ ! -f "$LISTS/$categoryAdd" ]; then
      echo "no such category: $categoryAdd"
    elif grep -q "^conf-file=$LISTS/$categoryAdd\$" "$CONF"; then
      echo "$categoryAdd is already blocked"
    else
      echo "conf-file=$LISTS/$categoryAdd" >> "$CONF"
      restart
    fi
    echo " "
  elif [ "$choice" == 4 ]
  then
    read -r -p "Enter category to be unblocked: " categoryRemove
    if valid_name "$categoryRemove"; then
      # double quotes so the variable is expanded; '|' as delimiter because the
      # pattern contains slashes; anchored so 'ads' does not also match 'ads2'
      sed -i "\|^conf-file=$LISTS/$categoryRemove\$|d" "$CONF"
      restart
    else
      echo "invalid category name"
    fi
    echo " "
  elif [ "$choice" == 5 ]
  then
    exit 0
  else
    echo "invalid input... "
  fi
}

# loop instead of menu/process calling each other recursively
while true
do
  menu
  process
done
Set the permissions:
chmod +x /dnsbl/config.sh
Run the update script once to perform the initial download:
bash /dnsbl/update/update-list.sh
You can now run /dnsbl/config.sh to add or remove the categories that dnsmasq blocks.
Custom list
To create a custom DNS category, create a new file with your category name:
nano /dnsbl/lists/customCategoryName
Create your own list in this file, one entry per line, using the syntax from the dnsmasq manpage (a server= entry with no upstream address marks the domain as local, so dnsmasq never forwards queries for it and answers NXDOMAIN unless the name is in /etc/hosts):
server=/domain/
Save the list and use the config.sh interface to activate the list.
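The "filter bad syntax" step of update-list.sh and the custom-list format above both come down to one question: which lines may be handed to dnsmasq via conf-file=. Here is an added Python check (not part of the original setup; the names normalize_list and SAMPLE are mine and the sample list is constructed) that normalizes a list before it is loaded: it keeps only well-formed address-less server=/domain/ lines or bare domains, drops invalid hostnames, de-duplicates, and refuses any other dnsmasq directive, since an included conf-file may contain any option.

```python
import re
from typing import Iterable, List, Tuple

# Hostname rule used here (assumption, not from the page): labels of letters,
# digits and '-', 1-63 chars, not starting or ending with '-', joined by dots.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")
# The only directive a category list should carry: server=/<domain>/ with no
# upstream address, which makes dnsmasq answer NXDOMAIN instead of forwarding.
SERVER_RE = re.compile(r"^server=/([^/]+)/$")


def normalize_list(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected): canonical de-duplicated 'server=/domain/'
    lines, and lines that must not reach dnsmasq. A conf-file= include takes any
    dnsmasq option, so a tampered download could carry 'server=/x/1.2.3.4' or
    'address=/x/...' and redirect resolution; only bare domains and address-less
    server= lines are accepted."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = SERVER_RE.match(line)
        domain = (m.group(1) if m else line).lower().rstrip(".")
        if not HOSTNAME_RE.match(domain):
            rejected.append(line)
            continue
        if domain not in seen:
            seen.add(domain)
            accepted.append(f"server=/{domain}/")
    return accepted, rejected


# Constructed sample input (not a real BlockList Project file): mixes valid
# entries, a bad label, two directives that must be refused, and a duplicate.
SAMPLE = """\
# Title: constructed sample
server=/ads.example/
server=/tracker.example.net./
server=/bad-.example.org/
server=/login.example.com/192.0.2.53
address=/bank.example/192.0.2.1
Promo.Example
promo.example
"""

if __name__ == "__main__":
    ok, bad = normalize_list(SAMPLE.splitlines())
    print("\n".join(ok))
    print("rejected:", bad)
```

Run it over a downloaded list or your custom file and write only the accepted lines to /dnsbl/lists/<category>; anything in the rejected list is worth a look before the next update.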