Month: January 2020

DNS based ad/tracking blocking setup with NextDNS (at home)

In the past I played with AdBlock, pi-hole, now with NextDNS. In this article, I will show you the major differences, then at the end I will show a step-by-step guide for installing and setting up dnsmasq+netxdns client (so you can skip the first part, if you just need the install guide 🙂 ).

Why DNS based ad and tracking blocking?

  • Using browser plugins might get pain in the ass, as sites can detect if you use it and make you disable it.
  • Sites can load slower, as your browser needs to deal with the not needed ads as well
  • Your internet usage is higher when you load additional ads
  • Companies can track, what sites you visit and show ads based on that (Facebook, Google, etc…)

What solutions can you use?

There are several options with which you can do DNS based ad-blocking:

  • Add lists to your hosts file (client or server)
  • Use an on-premis service like pi-hole
  • Use a cloud service like NextDNS
  • Use a hybrid solution: on-premis server + cloud provider

Add lists to your hosts file (client or server)

This is the most simple solution, there are bunch of lists on the internet, basically these are key-value pairs. If the name is in the list, then your host will resolve it to it’s local address, so your browser will not be able to reach that resource.

ProsCons
You can set it up without a server in your networkHard to keep it updated, have to mess with it
Provider independentWill only do ad blocking on the local machine
Works on all platforms (Windows, Linux, Mac)

Set up an on-prem system (like pi-hole)

When you have multiple hosts in your home (and probably you have: PC, Laptop, Smartphones, TVs, Home automation tools, etc..), you might want to have one centralized server for your DNS filtering. Pi-hole is a great solution for this, it was originally created for Raspberry Pis, which are small boards, on which you can run Linux (like a small home server). You can easily install it on bare-metal or via Docker.

Once you installed it, you can load any lists, what you can find on the internet.

ProsCons
You have total control over it, as it’s running on your deviceYou have to know, how to manage Linux
It’s free to useYou have to buy the hardware
You can easily manage pi-hole via it’s admin interfaceYou have to keep it running, update it, manage it, etc..
Most security/privacy, as it’s running on your deviceYou can only reach it from outside of your home via a VPN

For a security expert, this would be a great solution, as you have total control in your hands. However it gets messy, when you want to make your phone/tablet to use it, when your are out from home, as you have to use a VPN to stay secure.

Using a cloud provider like NextDNS

Using a cloud provider can make your life much easier, you just need to set their DNS servers and that’s it. NextDNS even has some client tools (which.. are really not necessary, but convenient for the masses).

ProsCons
You don’t need any technical knowledgeYou loose privacy at one point, as this service is managed by “someone else”
You can easily manage it via their web-adminYou might need to pay for it
You can also set it up on your smartphone, tablet, pcYou can’t really set it up on your no-to-smart smart devices, like TVs, Home automation tools

Using a hybrid solution with an on-primes server and cloud provider

If you have a little Linux knowledge and you have a home server/Raspberry Pi or anything, which is capable running Linux, you can easily set up a local server, then you can advertise it’s local IP address via DHCP from your home router.

Now I will show the steps needed for setting up dnsmasq and netxdns cli on a Linux box.

  • dnsmasq is a dns server, we will use it for caching, as once we have the resolved DNS address, then we don’t want to go to the cloud provider anymore (so we maybe need to pay less 😉 )
  • nextdns cli is a simple cli app created by NextDNS, it can act as a DoH (DNS over HTTPs) proxy, so your DNS traffic will be encrypted towards the internet but will be regular non-encrypted on the local network.

Setting up NextDNS cli

NextDNS cli is an open-source project, it’s managed by NextDNS. The repository can be found on github: https://github.com/nextdns/nextdns

The installation is easy, this will add the NextDNS repo to your repo manager (yum, apt, etc), the list of supported systems is reachable here: https://github.com/nextdns/nextdns/wiki

sh -c 'sh -c "$(curl -sL https://nextdns.io/install)"'

The installation is a next-next-finish script, it will ask for basic things like you NextDNS ID. It will create a basic configuration, so you can edit it later. It will also make the nextdns client to start on startup of the system.

After installing it, we need to configure it to listen on the local address of the server (localhost/127.0.0.1). To do this, the setup-router must be set to false! (It’s not for this use anyways..)

/etc/nextdns.conf

log-queries true
report-client-info true
detect-captive-portals false
hardened-privacy true
timeout 5s
setup-router false
auto-activate false
listen 127.0.0.1:53
config <REMOVED>
bogus-priv true
use-hosts false

After changing the settings, restart the service

service nextdns restart

And check the logs, if everything is fine

nextdns log

Ad this point, nextdns is listen on 127.0.0.1:53, so non of your clients should be able to reach it. But this is fine. To check, you can use netstat:

netstat -dnlp | grep nextdns
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3762/nextdns
udp 0 0 127.0.0.1:53 0.0.0.0:* 3762/nextdns

Setting up dnsmasq

Dnsmasq is part of most of the basic repositories, so just try to install it (if it’s not found, then you need to find and add the proper repo)

yum install dnsmasq

Add the following to the dnsmasq configuration (/etc/dnsmasq.conf)

domain=local.local
resolv-file=/etc/resolv.dnsmasq
min-port=4096
cache-size=10000
listen-address=<IP of your server>
bind-interfaces
port=53

In the resolv-file, we will tell dnsmasq, to use our nextdns client as the upstream DNS server. The listen-address must be the address of your server (like 192.168.X.X or 10.X.X.X etc)

Add the server to the resolve file (/etc/resolv.dnsmasq)

nameserver 127.0.0.1

This means, that dnsmasq will be the only, who can directly acccess the nextdns client.

Restart dnsmasq and make it start on system startup

service dnsmasq restart
systemctl enable dnsmasq

To verify, use netstat again:

netstat -dnlp | grep 53
tcp 0 0 127.0.0.1:53   0.0.0.0:*           LISTEN      3762/nextdns
tcp 0 0 <IP>:53        0.0.0.0:*           LISTEN      3589/dnsmasq
udp 0 0 127.0.0.1:53   0.0.0.0:*                       3762/nextdns
udp 0 0 <IP>:53        0.0.0.0:*                       3589/dnsmasq

Enable your new service on all your hosts in the network

Now your server is ready to take requests. You need to add the server’s IP address to the DHCP server settings of your home router, so it will tell the clients to use dnsmasq.

Setting up this can be different among different brands, so please contact your router’s manual if you need help.

Is it working?

To check, if dnsmasq is doing caching properly, you can execute the following on your server:

 pkill -USR1 dnsmasq

This will send a special signal to dnsmasq, so it will just put some statistics into the logs. If everything is fine, you should see something like this in /var/log/messages:

cat /var/log/messages | grep dnsmasq
[...]
dnsmasq[3589]: queries forwarded 9519, queries answered locally 1220
[...]

This shows, that around 10k queries were sent to nextdns client and around 1.3k queries were answered locally from the cache.

Conclusion

At this point, all your home systems are using NextDNS via your home server. Yes, even your coffee maker, so now more ads on that. But what’s with your Smartphone/Laptop/Tablet when you are not at home?

So now your queries are encrypted on the internet, and your ads are blocked. (You just gave up a little on privacy, as now NextDNS is the one, who knows everything 😉 )