TIF - Block IPs with DNSmasq - `bogus-nxdomain=1.2.3.4`
hagezi opened this issue · 7 comments
Hi @lynxthecat,
could you add support and test my TIF IP list in DNSmasq format in adblocklean?
`bogus-nxdomain=1.2.3.4`
All domains resolving to the "blocked" IP should be answered with NXDOMAIN.
The list:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif-ips.txt
Thank you,
Gerd
Sure, will add this in. Should the dnsmasq blocklist file simply contain those lines?
@Wizballs any thoughts on how we can introduce support for this?
I think the line to change would be:
@lynxthecat `bogus-nxdomain=1.2.3.4` is the DNSmasq syntax, but I don't know if you can mix this with the `local/server` entries in a file. You would have to test that.
@hagezi testing now. How can I test this with your test file once dnsmasq has been restarted? Can you give me an example lookup?
So I tried just appending the bogus-nxdomain lines to the dnsmasq blocklist file.
Does this indicate that it is working:
```
root@OpenWrt-1:~# nslookup server-99-84-47-183.ewr52.r.cloudfront.net
Server: 127.0.0.1
Address: 127.0.0.1:53
** server can't find server-99-84-47-183.ewr52.r.cloudfront.net: NXDOMAIN
Non-authoritative answer:
```
If so, then @Wizballs all we need to do is simply insert any lines of format `bogus-nxdomain=1.2.3.4` into our master /tmp/blocklist before compression.
> How can I test this with your test file once dnsmasq has been restarted? Can you give me an example lookup?

Determine the IPs of e.g. reddit.com (`dig reddit.com`), block them with `bogus-nxdomain` and then try to resolve `reddit.com`. A `dig` should then return an `NXDOMAIN` as status.
Alrighty, bogus-nxdomain=xx.xx.xx now allowed (details in main openwrt thread). I've added this to my default lists due to the added protection. Currently ~200k lines.
Added in 09ed863. New defaults for the blocklist file parts are:
```
blocklist_urls="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif-ips.txt"
```
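
An added example, not part of the thread and not adblock-lean's own code: because downloaded list lines end up in dnsmasq configuration, a filter can pass only the two line shapes discussed here (`local=/domain/` entries and `bogus-nxdomain=` with a well-formed IPv4 address) and drop everything else. The function names, the sample list and the restriction to `local=` and plain IPv4 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: allow-list filter for a merged dnsmasq blocklist.
# Accepted line shapes (an assumption of this sketch, not adblock-lean's rules):
#   local=/<domain>/         block entry for a domain
#   bogus-nxdomain=<IPv4>    answers containing that IP become NXDOMAIN
# Any other line (other dnsmasq directives, malformed IPs) is dropped and
# reported on stderr, so a list cannot add unexpected configuration.

filter_blocklist() {
    awk '
    function valid_ipv4(ip,    n, o, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) {
            # digits only, at most three of them, value 0..255
            if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                return 0
        }
        return 1
    }
    /^local=\/[A-Za-z0-9._-]+\/$/ { print; next }
    /^bogus-nxdomain=/ {
        ip = $0
        sub(/^bogus-nxdomain=/, "", ip)
        if (valid_ipv4(ip)) { print; next }
    }
    { print "rejected: " $0 | "cat 1>&2" }
    '
}

# Constructed sample input: three valid lines and four that must not pass.
sample_merged_list() {
    cat <<'EOF'
local=/ads.example.com/
bogus-nxdomain=1.2.3.4
bogus-nxdomain=192.0.2.10
bogus-nxdomain=300.1.1.1
bogus-nxdomain=1.2.3
server=/bank.example/203.0.113.5
addn-hosts=/tmp/extra-hosts
EOF
}

# Stand-alone run: kept lines on stdout, rejected lines on stderr.
sample_merged_list | filter_blocklist
```

The filtered output can then be checked as described above: restart dnsmasq and confirm that a name resolving to a listed IP returns NXDOMAIN.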