Saturday, October 27, 2018

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is open source software that can be used to block Internet advertisements (ads), adware, and malware domains on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS or DNS-over-HTTPS for the upstream (forwarder) connection, Technitium DNS Server gives a good level of security and privacy against network-level DNS attacks, such as eavesdropping on or tampering with queries on the path to the forwarder, as well as against adware. This makes it a useful tool if you are a privacy- and security-conscious person. Keep in mind that DNS-level blocking only covers clients that actually send their queries to this server: a device with a hard-coded public resolver, or a browser using its own DNS-over-HTTPS resolver, bypasses it.

Technitium DNS Server is cross-platform and works on Windows, Linux, or macOS.

Technitium DNS Server v2.0

How Does It Work?
The ad blocking feature uses the DNS sinkhole method. With this feature enabled, the DNS Server answers queries for any blocked domain name with the IPv4 address 0.0.0.0 and the IPv6 address ::. Both are the unspecified address, so the client's connection attempt fails immediately rather than waiting for a timeout; the ad never loads, and the website you visit is rendered without it. Depending on the block lists you configure in settings, the same mechanism can block not only ads but also adware, malware, social networks, porn, etc.

On your computer, you install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, configure the Block List URL settings to start blocking ads. Once the DNS Server has loaded the block lists, it responds with the 0.0.0.0 IP address for the blocked domain names, so they fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router to hand out that computer's IP address as the DNS server in its DHCP settings. With this setup, every computer and device on the network, mobile phones included, uses the installed DNS Server, so ads and malware domains are blocked on all devices without installing any additional software on them.
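To make the sinkhole logic concrete, here is a small added example in Python. It is an illustration written for this page, not Technitium's own code (which is C#). It parses block lists in the two formats most public lists use (hosts format and one domain per line), matches a queried name and each of its parent zones, lets an allowed zone override a block, supports a "*" catch-all entry, and answers blocked names with 0.0.0.0 or ::. The sample lists, the allowed zone, the upstream records and the precedence rule (allowed zone wins, then "*", then blocked zone) are assumptions made for the example; the upstream resolver is a stub so the code runs offline.

```python
"""DNS sinkhole decision logic in miniature (added illustration, not Technitium's code).

Loads block lists in the two common formats, applies allowed-zone overrides, and
returns the sinkhole addresses 0.0.0.0 / :: for blocked names. The upstream
resolver is a stub so the example runs offline.
"""
import ipaddress
from typing import Callable, Iterator, List, Set

SINKHOLE_V4 = "0.0.0.0"   # unspecified address: the client's connect() fails fast
SINKHOLE_V6 = "::"
# hosts-file boilerplate names that appear in most lists and must not be blocked
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_block_list(text: str) -> Set[str]:
    """Parse a block list in hosts format ("0.0.0.0 ads.example [more names]")
    or plain one-domain-per-line format. '#' comments and blank lines are ignored."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # hosts format: the first token is an IP and the names follow it
        names = parts[1:] if _is_ip(parts[0]) else parts[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in HOSTS_NOISE:
                blocked.add(name)
    return blocked


def _zones(qname: str) -> Iterator[str]:
    """Yield the name and each parent zone: a.b.example -> a.b.example, b.example, example."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(qname: str, blocked: Set[str], allowed: Set[str]) -> bool:
    """Assumed precedence: an allowed zone matching the name or any parent wins;
    a '*' entry in the blocked set then blocks everything else; otherwise the
    name is blocked when it or any parent zone is in the blocked set."""
    if any(zone in allowed for zone in _zones(qname)):
        return False
    if "*" in blocked:
        return True
    return any(zone in blocked for zone in _zones(qname))


def resolve(qname: str, qtype: str, blocked: Set[str], allowed: Set[str],
            upstream: Callable[[str, str], List[str]]) -> List[str]:
    """Answer as the sinkhole would: 0.0.0.0 / :: for blocked names, an empty
    answer for other record types of blocked names, the upstream answer otherwise."""
    if is_blocked(qname, blocked, allowed):
        if qtype == "A":
            return [SINKHOLE_V4]
        if qtype == "AAAA":
            return [SINKHOLE_V6]
        return []
    return upstream(qname, qtype)


# --- constructed sample data (not real block lists or hosts) ---
SAMPLE_HOSTS_LIST = """\
# hosts-format list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 telemetry.example.com metrics.example.com
"""
SAMPLE_DOMAIN_LIST = """\
# one domain per line
malware.example.org
"""
BLOCKED = parse_block_list(SAMPLE_HOSTS_LIST) | parse_block_list(SAMPLE_DOMAIN_LIST)
ALLOWED = {"metrics.example.com"}   # an allowed zone overriding a list entry
UPSTREAM_RECORDS = {("www.example.org", "A"): ["192.0.2.10"],
                    ("metrics.example.com", "A"): ["192.0.2.20"]}


def fake_upstream(qname: str, qtype: str) -> List[str]:
    """Stand-in for the forwarder / recursive resolution (assumed data)."""
    return UPSTREAM_RECORDS.get((qname.lower().rstrip("."), qtype), [])


if __name__ == "__main__":
    for q, t in [("ads.example.net", "A"), ("tracker.ads.example.net", "AAAA"),
                 ("metrics.example.com", "A"), ("www.example.org", "A")]:
        print(f"{q:28s} {t:5s} -> {resolve(q, t, BLOCKED, ALLOWED, fake_upstream)}")
```

Two details matter in practice: matching walks up the parent zones, so a list entry for ads.example.net also sinkholes tracker.ads.example.net, and names that hosts files always carry (localhost and friends) must be filtered out of the list before they are loaded, or the server would sinkhole them.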

Configuring Block Lists
To enable ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop-down list, from where you can click to add their URLs.

Technitium DNS Server Block List Configuration

If you are not sure which to choose, select the Default option from the Quick Add drop-down list and a default set of block list URLs is configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download in the background. The configured block lists are re-downloaded automatically every 24 hours to keep the DNS Server's blocked zone up to date. Since whatever a list contains is what gets sinkholed, add only lists from sources you trust, preferably over HTTPS URLs; a compromised or careless list can block legitimate domains for your whole network.

If you have the DNS server installed directly on your computer, don't forget to set your network adapter's DNS server to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server won't receive any queries to respond to and things won't work as intended.

If you set up the DNS server to be used by all devices on the network, configure your router's DHCP settings so that the IP address of the computer running the DNS server is handed out as the DNS server for your network. With the router's DHCP configured, you don't need to manually configure any of the devices on the network.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If many block list URLs are configured, it may take a few more minutes for all of them to download and load. To confirm that blocking works from a client, resolve a domain you know is on one of the lists and check that the answer is 0.0.0.0 (or :: for an IPv6 query).

If you have any further queries, do write them below as comments or send an email to support@technitium.com.

34 comments:

  1. Question: As a developer - and a lazy developer at that - I've previously used my own little bash scripts to populate my hosts file in Linux. In Windows I've formerly tried to use Acrylic DNS with little to no success.
    This, however, works right out of the box - which is fantastic!

    I, however, have a question: Would it be possible to import my own dev-redirects the same way as I today can import or add my own domains to block via blocklist.txt on the local webserver?
    I had a quick peek at the source code and it really isn't my preferred language, but... Am I correct in assuming it's a case of using the provided IP-address instead of replacing it with the sinkhole 0.0.0.0?

    Thing is, I keep lists in simple hosts format (ip domain) which are updated script-wise according to my location, and thus DHCP-provided IP address. This way I would be able to run a script which inserts my local IP address at the current location into said list(s).

    The alternative is, I guess, to enter several A-records in my zones and extending the TTL for the different ip-series accordingly, 1800 for work, 3600 for home, 7200 for public, etc.

    TL;DR:
    Excellent piece of software, would appreciate possibility to import dev-server lists.

    Replies
    1. Thanks for the compliments. The block zone implementation in the DNS Server uses domain names from the block lists and always uses the 0.0.0.0 IP address to sinkhole the domain name.

      To use domain names for development/production testing scenarios, you can add the domain as a Zone in the DNS Server. You can then set Type A records for IP addresses and then enable/disable individual records, or you can disable the entire zone. When the zone is disabled, the DNS Server will return records from the actual name server hosting the domain name in production.

      You can easily automate this by using the REST API that the DNS Server web console itself uses in its JavaScript code. If you have any queries or need any more details, do let me know over email at support@technitium.com.

  2. Is there a way to white list certain domains from the block list?

    Replies
    1. Yes, you can add your domains in the Allowed Zones to override the block list.

  3. Using this app and working well, however the log file dates are an hour out. I'm in the UK so I'm guessing it's not taking into account the DST of +1.

    If somehow it can use the time of the host computer in the logs, it would be appreciated.
    Having to remember to add an hour on is easy enough but makes it hard when tracking requests.

    Many thanks

    Replies
    1. Thanks for the feedback. The date/time in logs is in UTC, not GMT, so it does not have daylight saving. I am planning to have some option to set the timezone for logging in the next update.

  4. Hi,
    Can I redirect 0.0.0.0 to a specific URL or IP for a custom error message?
    Great software !!!

    regards
    Sam

    Replies
    1. Technically you can return any IP address from the DNS server instead of 0.0.0.0 for blocked domain names, but practically it won't work.

      This is since most websites nowadays are served over HTTPS and thus you won't be able to show a custom error message for most websites. If you implement it, then users will mostly see SSL certificate error notices instead of your custom error page.

      Secondly, most blocked items are ads that are loaded using iframes, and that space will also show SSL errors and create a mess.

  5. Hi, I am experimenting with the ad blocking for my own local network, but so far only the computer that I installed the server application on has access to the internet; no other devices in my network can access the internet.

    I have changed my router's DNS server to use the address of the computer with the application installed, and I have configured this computer (the one that's currently working) to use the loopback address.

    I wonder are there any steps I'm missing or any settings I might forgot to configure?

    Best regards
    Keaw

    Replies
    1. Thanks for the comment. If you have the DNS server installed on Windows then you will need to manually add a firewall rule for TCP and UDP port 53. The next release of the DNS Server will do this step automatically. If it's still not working then do send an email to support@technitium.com with details of your config.

    2. Hi again

      Thank you for your suggestion, I have just tried it with my server and it appears that the problem has been fixed!
      Thank you very much! This is definitely one great software

      Best regards
      Keaw

  6. Hello!

    The Technitium DNS Server is a fantastic piece of software, and I've been using it for the last several months, with great luck. Thank you for developing it!!

    I am running the DNS Server on a Raspberry Pi 2B+, and it generally ran error-free.
    However, I recently changed the RasPi to also provide WINS service on my network, and so I installed SAMBA (both smbd and nmbd) and configured it to serve as the Domain Master Browser.

    Ever since I did that, I've been struggling with some configuration issues, where the Logging Data (the stats that show up on the Dashboard) have dropped to ZERO. Normally, in the past, it has tracked somewhere between 20,000 and 40,000 queries per day.
    I have been fiddling with the settings, and have managed to both "break" it and "fix" it a couple of times...but I'm still back to the situation where it is no longer logging/tracking the queries that it is serving.

    Is there some sort of binding on the interface that I've broken (by introducing the smbd/nmbd services) which could be interfering with the DNS Server's ability to track the queries it's serving?
    I'm a little lost. I /thought/ I understood what I was doing, but it seems I am unable to get my system back to "the good ol' days" when it was just happily and reliably serving queries, trapping/sinkholing the blocked domains (to kill ads), and *accurately* tracking the metrics of its service.

    Any pointers, thoughts, and/or tips for getting it back to "showroom" state?
    (Put another way, am I going to be reduced to wiping the OS, reinstalling, and rebuilding the DNS Server software?)
    I was hoping that there was some vestige of the guide for how the settings are initialized, but I couldn't find it.

    Many thanks, in advance!

    Mike R.

    Replies
    1. Hi, Thanks for the feedback. I would suggest that you take a look at the logs being generated by the DNS server. It would indicate any issue that is the cause. If you would like to get help in analyzing the log file then do send them with details of your config to support@technitium.com.

    2. Thanks for the speedy reply!

      I took a quick glance through the logs, and I see a *WHOLE LOT* of entries like the following:
      /-/-/-/
      [2020-05-10 23:59:50 UTC] DNS Server recursive resolution failed for QNAME: outlook.ms-acdc.office.com; QTYPE: A; QCLASS: IN;
      TechnitiumLibrary.Net.Dns.DnsClientException: DnsClient failed to resolve the request: no response from name servers.
      ---> System.IO.IOException: Unable to write data to the transport connection: Broken pipe.
      ---> System.Net.Sockets.SocketException (32): Broken pipe
      at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
      --- End of inner exception stack trace ---
      at System.Net.Sockets.NetworkStream.Write(Byte[] buffer, Int32 offset, Int32 size)
      at System.Net.Security.SslStream.WriteSingleChunk[TWriteAdapter](TWriteAdapter writeAdapter, ReadOnlyMemory`1 buffer)
      at System.Net.Security.SslStream.WriteAsyncInternal[TWriteAdapter](TWriteAdapter writeAdapter, ReadOnlyMemory`1 buffer)
      at System.Net.Security.SslStream.Write(Byte[] buffer, Int32 offset, Int32 count)
      at TechnitiumLibrary.IO.WriteBufferedStream.Flush() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.IO\WriteBufferedStream.cs:line 99
      at TechnitiumLibrary.IO.WriteBufferedStream.Write(Byte[] buffer, Int32 offset, Int32 count) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.IO\WriteBufferedStream.cs:line 166
      at TechnitiumLibrary.Net.Dns.ClientConnection.TcpClientConnection.Query(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\TcpClientConnection.cs:line 239
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1156
      --- End of inner exception stack trace ---
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1174
      at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsQuestionRecord questionRecord) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1179
      at DnsServerCore.Dns.DnsServer.<>c__DisplayClass71_0.b__0(Object state) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 1205
      /-/-/-/
      Which has a bunch of gobbledygook I can't really understand... although I see a bunch of "IO Exception" tags. I am worried this may mean that my SD card has got one foot (if not two) in the grave.

      Do you see anything else (from the snippet) which might point to anything else?

      Again, many thanks!!
      [I will follow up with an email to the support box, as well. Thx!]

      Cheers,
      Mike R

    3. Thanks for the details. The error log just means that the SSL network connection used by the DNS server was closed due to timeout and it just concludes that there was no response from the forwarder server. So, no issues with your SD card.

  7. I've finally started diving into whole home network adblocking, because browsing on my phone drives me nuts.

    I have a dedicated Windows 10 server that runs Plex, makes data backups for all of my computers, and is running 24/7. I'm not interested in adding any additional hardware like a Pi, as this is simple as hell and just works.

    I started with Pi-hole in a Docker container, and I was having major reliability issues to the point that it's dead to me. I can't get those hours back and I don't want to try.

    So, on to Technitium DNS. Holy crap the setup on this was simple. Why it doesn't get mentioned more is beyond me. I've got it up and running with my USG, and so far it seems to be working great.

    My questions are as follows: what settings should I enable/disable to make this as secure, reliable (wife approval factor), and low maintenance as possible?

    For instance, should I enable the following settings?

    Enable HTTPS

    Enable HTTP to HTTPS Redirection

    Enable DNS-over-HTTP

    Enable DNS-over-TLS

    Enable DNS-over-HTTPS

    Replies
    1. Thanks for the compliments. You got it working well already and most things work well with the default settings.

      For the settings that you asked:
      - Enable HTTPS: This will enable HTTPS for the web console. It requires a valid TLS certificate to work. It's useful if you want to access the DNS server web console over the Internet.

      - Enable HTTP to HTTPS Redirection: This will redirect web console requests to the HTTPS URL if HTTPS is enabled.

      - Enable DNS-over-HTTP, Enable DNS-over-TLS, & Enable DNS-over-HTTPS: These options allow hosting your own DNS service over these protocols, just like how Google or Cloudflare run their DNS services. You do not need to enable these settings to consume these protocols. If you just want to use the Google or Cloudflare DNS service then you can configure them as a forwarder in the settings.

      If you have any more queries then do send them to support@technitium.com.

  8. Thanks for the feedback. I will get this option added in the next update.

  9. So, due to one critical bug, I had just released v6.2 which adds this feature to return NXDOMAIN. Just check the settings near the option to setup block list URLs. Let me know if that worked for you.

  10. Good day, I have been looking for an amazing DNS server like this.
    Please, I am new to the configuration. I am running this server in a school for students and I would like to block all websites and allow access to only specified websites. Thanks

    Replies
    1. Hi. Thanks for the compliments. You can block all domain names by adding "*" to the Blocked tab on the web panel and then add the domains you want to allow in the Allowed tab. Maintaining this could be tricky since websites use a lot of 3rd party resources and so you will have to allow all the other domain names that are used by the website to make it load correctly.

  11. How do I whitelist an IP so that it doesn't get any links blocked on it?

    Replies
    1. You can only block or allow domain names using the DNS server. For IP addresses you will need to use a firewall.

  12. How can I make this app on Win11 auto start after I reboot my computer or just power on my machine?

    Replies
    1. If you have installed using the Windows setup then it will start automatically by default.

  13. Hi there, so far I'm loving Technitium DNS Server.
    Is there any file where I can dump all my exported gravity blocklist from Pi-hole in a txt, other than the import on the Blocked tab in the GUI?
    thanks in advance

    Replies
    1. You don't need to import it in the Blocked section in the GUI. Just switch to Settings > Blocking, where you can enter the exact same block list URLs from your Pi-hole and it will work as expected.

  14. Hello there,
    Technitium DNS works great at blocking ads; however, it leaves 'Refused to connect' placeholders in place of blocked ads.
    Any way to make them disappear? Like uBlock Origin?

    Replies
    1. Thanks for asking. This is not possible with DNS-level blocking, so you will need to rely on browser-based blocking plugins that can access the web page content and remove items from it. It's recommended to use both DNS and browser blockers together for optimal blocking.

    2. I just thought that I could find or set website with empty page on it and set it in Custom Blocking Addresses in Blocking Type, but it seems it's for something else.

    3. You can install the Block Page app, which can display a web page when a domain name is blocked; it is configured by setting the IP address of the server as the Custom Blocking Address. However, since most websites today use HTTPS, you will see SSL errors instead of the "Refused to connect" page, which will require you to accept the error before the blank page is shown.

  15. I was looking for a well featured but easy to configure DNS for docker compose deployment. Oh man, what a great software this is. I'm glad I found and installed it. I'm considering permanently replacing the pfSense DNS for easy configuration and monitoring while performing well under high load. Thank you for creating and maintaining this gem!
