Saturday, October 27, 2018

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is an open source software that can be effectively used to block Internet Advertisements (Ads), adware, and malware on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS and DNS-over-HTTPS, Technitium DNS Server provides a good level of security and privacy against network-level DNS attacks and adware. This makes it a must-have tool if you are a privacy and security conscious person.

Technitium DNS Server is cross platform and works on Windows, Linux or macOS.

Technitium DNS Server v2.0

How Does It Work?
The Ad blocking feature works using the DNS Sinkhole method. With this feature enabled, for every blocked domain name the DNS Server responds with the IPv4 address 0.0.0.0 and the IPv6 address ::, so the Ads fail to load and the website you visit is free from Ads. Depending on the block lists you configure in settings, this can block not only Ads but also adware, malware, social networks, porn, etc.

On your computer, install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, configure the Block List URL settings to start blocking Ads. Once the DNS Server has loaded the block lists, it responds with the 0.0.0.0 IP address for the blocked websites, making them fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router's DHCP settings to hand out the IP address of this spare computer as the DNS server. With this setup, all your computers and devices such as mobile phones will use the installed DNS Server, blocking Ads and malware domains on all devices without installing any additional software on them.

Configuring Block Lists
To enable Ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop-down list, from where you can just click and add those URLs.

Technitium DNS Server Block List Configuration

If you are not sure, just select the Default option from the Quick Add drop-down list and a default set of block list URLs will be configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download background process. These configured block lists are automatically downloaded every 24 hours to keep the DNS Server blocked zone updated.

Don't forget to configure your network adapter's DNS server settings to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server won't get any queries to respond to and things won't work as intended.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If many block list URLs are configured, it may take a few more minutes for all of them to get downloaded and loaded.
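To make the sinkhole mechanism concrete, here is an added example (not Technitium's own code) that parses a block list in the common hosts format or domain-only format, sinkholes A and AAAA queries for blocked names with 0.0.0.0 and ::, and lets an allowed-zone set override the block list as the author's reply in the comments describes. Treating each blocked entry as a zone that also covers its subdomains is an assumption of this example, and the block list text is constructed.

```python
import ipaddress

# Constructed sample block list: hosts-format lines (IP then domain), one
# domain-only line, and the comment/blank lines that real published lists contain.
SAMPLE_BLOCK_LIST = """\
# constructed sample, not a real published list
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
telemetry.example.com   # domain-only line
0.0.0.0 localhost
"""

# Names every hosts file carries that must never be sinkholed.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_block_list(text):
    """Return the set of blocked domain names from hosts-format or domain-only text."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # hosts format: IP first, then names
            names = parts[1:]
        except ValueError:
            names = parts[:1]                 # domain-only format
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in HOSTS_NOISE:
                blocked.add(name)
    return blocked


def zone_matches(qname, zones):
    """True if qname or any parent domain of it is in zones (zone-style match, assumed here)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def sinkhole_answer(qname, qtype, blocked, allowed=frozenset()):
    """Return (is_blocked, rdata). rdata is the sinkhole address for A/AAAA queries;
    for other types of a blocked name it is None (no real data is ever returned).
    Allowed zones take precedence over the block list."""
    if zone_matches(qname, allowed) or not zone_matches(qname, blocked):
        return (False, None)                  # caller resolves normally
    return (True, {"A": "0.0.0.0", "AAAA": "::"}.get(qtype.upper()))
```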

If you have any further queries, do write them below as comments or send an email to support@technitium.com.

16 comments:

  1. Question: As a developer - and a lazy developer at that - I've previously used my own little bash-scripts to populate my hosts-file in linux. In Windows I've formerly tried to use Acrylic DNS with little to no success.
    This, however, works right out of the box - which is fantastic!

    I, however, have a question: Would it be possible to import my own dev-redirects the same way as I today can import or add my own domains to block via blocklist.txt on the local webserver?
    I had a quick peek at the source code and it really isn't my preferred language, but... Am I correct in assuming it's a case of using the provided IP-address instead of replacing it with the sinkhole 0.0.0.0?

    Thing is; I keep lists in simple hosts-format (ip domain) which are updated script-wise according to my location - and thus dhcp-provided ip-address. This way I would be able to run a very script which inserts my local ip-address on current location into said list(s).

    The alternative is, I guess, to enter several A-records in my zones and extending the TTL for the different ip-series accordingly, 1800 for work, 3600 for home, 7200 for public, etc.

    TL;DR:
    Excellent piece of software, would appreciate the possibility to import dev-server lists.

    Replies
    1. Thanks for the compliments. The block zone implementation in the DNS Server will use domain names from the block lists and always use 0.0.0.0 IP address to sinkhole the domain name.

      To use domain names for development/production testing scenarios, you can add the domain as a Zone in the DNS Server. You can then set Type A records for IP addresses and then enable/disable individual records or you can disable the entire zone. When the zone is disabled, the DNS Server will return records from the actual name server hosting the domain name in production.

      You can easily automate this by using the REST API that the DNS Server web console itself uses in its JavaScript code. If you have any queries or need any more details, do let me know over email at support@technitium.com.

  2. Is there a way to white list certain domains from the block list?

    Replies
    1. Yes, you can add your domains in the Allowed Zones to override the block list.

  3. Using this app and it is working well; however, the log file dates are an hour out. I'm in the UK so I'm guessing it's not taking into account the DST of +1.

    If somehow it can use the time of the host computer in the logs, it would be appreciated.
    Having to remember to add an hour on is easy enough but makes it hard when tracking requests.

    Many thanks

    Replies
    1. Thanks for the feedback. The date time in logs is in UTC and not GMT, so it does not have daylight saving. I am planning to have some option to set the timezone for logging in the next update.

  4. Hi,
    Can I redirect 0.0.0.0 to a specific URL or IP for a custom error message?
    Great software !!!

    regards
    Sam

    Replies
    1. Technically you can return any IP address from the DNS server instead of 0.0.0.0 for blocked domain names, but practically it won't work.

      This is since most websites nowadays are served over HTTPS and thus you won't be able to show a custom error message for most websites. If you implement it then users will mostly see SSL certificate error notices instead of your custom error page.

      Secondly, most blocked items are Ads that are loaded using iframes, and that space too will show SSL errors and create a mess.

  5. Hi, I am experimenting with the Ad-blocking for my own local network, but so far, only the computer that I installed the server application on has access to the internet; no other devices in my network can access the internet.

    I have changed my router's DNS server to use the address of the computer with the application installed, and I have configured this computer (the one that's currently working) to use the loopback address.

    I wonder, are there any steps I'm missing or any settings I might have forgotten to configure?

    Best regards
    Keaw

    Replies
    1. Thanks for the comment. If you have the DNS server installed on Windows then you will need to manually add a firewall rule for TCP and UDP port 53. The next release of the DNS Server will do this step automatically. If it's still not working then do send an email to support@technitium.com with details of your config.

    2. Hi again

      Thank you for your suggestion, I have just tried it with my server and it appears that the problem has been fixed!
      Thank you very much! This is definitely one great piece of software.

      Best regards
      Keaw

  6. Hello!

    The Technitium DNS Server is a fantastic piece of software, and I've been using it for the last several months, with great luck. Thank you for developing it!!

    I am running the DNS Server on a Raspberry Pi 2B+, and it generally ran error-free.
    However, I recently changed the RasPi to also provide WINS service on my network, and so I installed SAMBA (both smbd and nmbd) and configured it to serve as the Domain Master Browser.

    Ever since I did that, I've been struggling with some configuration issues, where the Logging Data (the stats that show up on the Dashboard) have dropped to ZERO. Normally, in the past, it has tracked somewhere between 20,000 and 40,000 queries per day.
    I have been fiddling with the settings, and have managed to both "break" it and "fix" it a couple of times...but I'm still back to the situation where it is no longer logging/tracking the queries that it is serving.

    Is there some sort of binding on the interface that I've broken (by introducing the smbd/nmbd services) which could be interfering with the DNS Server's ability to track the queries it's serving?
    I'm a little lost. I /thought/ I understood what I was doing, but it seems I am unable to get my system back to "the good ol' days" when it was just happily and reliably serving queries, trapping/sinkholing the blocked domains (to kill ads), and *accurately* tracking the metrics of its service.

    Any pointers, thoughts, and/or tips for getting it back to "showroom" state?
    (Put another way, am I going to be reduced to wiping the OS, reinstalling, and rebuilding the DNS Server software?)
    I was hoping that there was some vestige of the guide for how the settings are initialized, but I couldn't find it.

    Many thanks, in advance!

    Mike R.

    Replies
    1. Hi, Thanks for the feedback. I would suggest that you take a look at the logs being generated by the DNS server. It would indicate any issue that is the cause. If you would like to get help in analyzing the log file then do send them with details of your config to support@technitium.com.

    2. Thanks for the speedy reply!

      I took a quick glance through the logs, and I see a *WHOLE LOT* of entries like the following:
      /-/-/-/
      [2020-05-10 23:59:50 UTC] DNS Server recursive resolution failed for QNAME: outlook.ms-acdc.office.com; QTYPE: A; QCLASS: IN;
      TechnitiumLibrary.Net.Dns.DnsClientException: DnsClient failed to resolve the request: no response from name servers.
      ---> System.IO.IOException: Unable to write data to the transport connection: Broken pipe.
      ---> System.Net.Sockets.SocketException (32): Broken pipe
      at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
      --- End of inner exception stack trace ---
      at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
      at System.Net.Security.SslStream.WriteSingleChunk[TWriteAdapter](TWriteAdapter writeAdapter, ReadOnlyMemory`1 buffer)
      at System.Net.Security.SslStream.WriteAsyncInternal[TWriteAdapter](TWriteAdapter writeAdapter, ReadOnlyMemory`1 buffer)
      at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count)
      at TechnitiumLibrary.IO.WriteBufferedStream.Flush() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.IO\WriteBufferedStream.cs:line 99
      at TechnitiumLibrary.IO.WriteBufferedStream.Write(Byte[] buffer, Int32 offset, Int32 count) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.IO\WriteBufferedStream.cs:line 166
      at TechnitiumLibrary.Net.Dns.ClientConnection.TcpClientConnection.Query(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\TcpClientConnection.cs:line 239
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156
      --- End of inner exception stack trace ---
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1174
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsQuestionRecord questionRecord) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1179
      at DnsServerCore.Dns.DnsServer.<>c__DisplayClass71_0.b__0(Object state) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 1205
      /-/-/-/
      Which has a bunch of gobbledy-gook I can't really understand...although I see a bunch of "IO Exception" tags. I am worried this may mean that my SD Card has got one foot (if not two) in the grave.

      Do you see anything else (from the snippet) which might point to anything else?

      Again, many thanks!!
      [I will follow up with an email to the support box, as well. Thx!]

      Cheers,
      Mike R

    3. Thanks for the details. The error log just means that the SSL network connection used by the DNS server was closed due to timeout and it just concludes that there was no response from the forwarder server. So, no issues with your SD card.
