You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

268 lines
18 KiB

  1. # dns based ad/abuse domain blocking
  2. ## Description
  3. A lot of people already use adblocker plugins within their desktop browsers, but what if you are using your (smart) phone, tablet, watch or any other wlan gadget...getting rid of annoying ads, trackers and other abuse sites (like facebook ;-) is simple: block them with your router. When the dns server on your router receives dns requests, you will sort out queries that ask for the resource records of ad servers and return the local ip address of your router and the internal web server delivers a transparent pixel instead.
  4. ## Main Features
  5. * support of the following domain blocklist sources (free for private usage, for commercial use please check their individual licenses):
  6. * [adaway](https://adaway.org)
  7. * => infrequent updates, approx. 400 entries (enabled by default)
  8. * [blacklist]()
  9. * => static local blacklist, located by default in '/etc/adblock/adblock.blacklist'
  10. * [disconnect](https://disconnect.me)
  11. * => numerous updates on the same day, approx. 6.500 entries (enabled by default)
  12. * [dshield](http://dshield.org)
  13. * => daily updates, approx. 4.500 entries
  14. * [feodotracker](https://feodotracker.abuse.ch)
  15. * => daily updates, approx. 0-10 entries
  16. * [hphosts](https://hosts-file.net)
  17. * => monthly updates, approx. 50.000 entries
  18. * [malwaredomains](http://malwaredomains.com)
  19. * => daily updates, approx. 16.000 entries
  20. * [malwaredomainlist](http://www.malwaredomainlist.com)
  21. * => daily updates, approx. 1.500 entries
  22. * [openphish](https://openphish.com)
  23. * => numerous updates on the same day, approx. 1.800 entries
  24. * [palevo tracker](https://palevotracker.abuse.ch)
  25. * => daily updates, approx. 15 entries
  26. * [ransomware tracker](https://ransomwaretracker.abuse.ch)
  27. * => daily updates, approx. 150 entries
  28. * [rolist/easylist](https://easylist-downloads.adblockplus.org/rolist+easylist.txt)
  29. * => weekly updates, approx. 600 entries
  30. * [ruadlist/easylist](https://code.google.com/p/ruadlist)
  31. * => weekly updates, approx. 2.000 entries
  32. * [securemecca](http://www.securemecca.com)
  33. * => infrequent updates, approx. 25.000 entries
  34. * [shallalist](http://www.shallalist.de) (categories "adv" "costtraps" "spyware" "tracker" "warez" enabled by default)
  35. * => daily updates, approx. 32.000 entries (a short description of all shallalist categories can be found [online](http://www.shallalist.de/categories.html))
  36. * [spam404](http://www.spam404.com)
  37. * => infrequent updates, approx. 5.000 entries
  38. * [sysctl/cameleon](http://sysctl.org/cameleon)
  39. * => weekly updates, approx. 21.000 entries
  40. * [whocares](http://someonewhocares.org)
  41. * => weekly updates, approx. 12.000 entries
  42. * [winhelp](http://winhelp2002.mvps.org)
  43. * => infrequent updates, approx. 15.000 entries
  44. * [winspy](https://github.com/crazy-max/WindowsSpyBlocker)
  45. * => infrequent updates, approx. 120 entries
  46. * [yoyo](http://pgl.yoyo.org/adservers)
  47. * => weekly updates, approx. 2.500 entries (enabled by default)
  48. * [zeus tracker](https://zeustracker.abuse.ch)
  49. * => daily updates, approx. 440 entries
  50. * zero-conf like automatic installation & setup, usually no manual changes needed (i.e. ip address, network devices etc.)
  51. * supports a wide range of router modes (incl. AP mode), as long as firewall and dnsmasq are installed and in use
  52. * full IPv4 and IPv6 support
  53. * each blocklist source will be updated and processed separately
  54. * timestamp check to download and process only updated adblock list sources
  55. * overall duplicate removal in separate adblock lists (will be automatically disabled on low memory systems)
  56. * adblock source list parsing by fast & flexible regex rulesets
  57. * additional whitelist for manual overrides, located by default in /etc/adblock/adblock.whitelist
  58. * quality checks during & after update of adblock lists to ensure a reliable dnsmasq service
  59. * adblock statistics, last runtime and list states/counts/update times will be stored in uci config for LuCI frontend
  60. * status & error logging to stdout and syslog
  61. * use two dynamic uhttpd instances as adblock pixel server, separated for ads delivered on port 80 and on port 443
  62. * use dynamic iptables chains/rulesets for adblock related redirects/rejects
  63. * init system support (start/stop/restart/reload/toggle/stats/cfgup/envchk/query)
  64. * hotplug support, the adblock start will be triggered by wan 'ifup' event, this can be restricted to a certain wan interface or disabled at all (see config options below)
  65. * toggle to quickly switch adblock 'on' or 'off'
  66. * envchk function to check the volatile adblock environment only (without list updates)
  67. * query function to quickly identify blocked (sub-)domains, i.e. for whitelisting
  68. * optional: automatic adblock list backup/restore, backups will be (de-)compressed on the fly (disabled by default)
  69. * optional: add new adblock sources via uci config (see example below)
  70. ## Prerequisites
  71. * [openwrt](https://openwrt.org), tested with latest stable release (Chaos Calmer) and with current trunk (Designated Driver)
  72. * [LEDE project](https://www.lede-project.org), tested with trunk > r98
  73. * usual setup with enabled 'iptables', 'dnsmasq' and 'uhttpd' - dump AP modes without these basics are _not_ supported!
  74. * additional required software packages:
  75. * a download utility: 'uclient-fetch' and 'wget' (full versions with ssl support) are supported. Normally you should use 'wget', it's quite stable and supports the online timestamp checks. If you need a smaller memory footprint try 'uclient-fetch' without openssl dependency. The default ustream ssl backend 'libustream-polarssl' has issues with certain https sites and is currently not supported. To change the ssl backend see example below.
  76. * optional: 'kmod-ipt-nat6' for IPv6 support
  77. * the above dependencies and requirements will be checked during package installation & script runtime
  78. ## OpenWrt / LEDE trunk Installation & Usage
  79. * install 'adblock' (_opkg install adblock_)
  80. * adblock starts automatically during boot, triggered by wan-ifup event, check _logread -e "adblock"_ for adblock related information
  81. * optional: start/restart/stop the adblock service manually with _/etc/init.d/adblock_
  82. * optional: enable/disable your required adblock list sources in _/etc/config/adblock_ - 'adaway', 'disconnect' and 'yoyo' are enabled by default
  83. * optional: maintain the adblock service in LuCI under 'System => Startup'
  84. ## LuCI adblock companion package
  85. * for easy management of the various blocklist sources and adblock options there is also a nice & efficient LuCI frontend available
  86. * install 'luci-app-adblock' (_opkg install luci-app-adblock_)
  87. * the application is located in LuCI under 'Services' menu
  88. * _Thanks to Hannu Nyman for this great adblock LuCI frontend!_
  89. ## Chaos Calmer installation notes
  90. * 'adblock' and 'luci-app-adblock' are _not_ available as .ipk packages in the Chaos Calmer download repository
  91. * download both packages from a development snapshot package directory:
  92. * for 'adblock' look [here](https://downloads.lede-project.org/snapshots/packages/x86_64/packages/)
  93. * for 'luci-app-adblock' look [here](https://downloads.lede-project.org/snapshots/packages/x86_64/luci/)
  94. * manually transfer the packages to your routers temp directory (with tools like _sshfs_ or _winscp_)
  95. * install the packages with _opkg install <...>_ as described above
  96. ## Tweaks
  97. * **storage:** to process & store all blocklist sources at once it might helpful to enlarge your temp directory with a swap partition => see [openwrt wiki](https://wiki.openwrt.org/doc/uci/fstab) for further details
  98. * **white-/blacklist:** add domain white- or blacklist entries to always-allow or -deny certain (sub) domains, by default both lists are located in _/etc/adblock_. Please add one domain per line - ip addresses, wildcards & regex are _not_ allowed (see example below)
  99. * **backup/restore:** enable the backup/restore feature, to restore automatically the latest compressed backup of your adblock lists in case of any processing error (i.e. a single blocklist source is down). Please use an (external) solid partition and _not_ your volatile router temp directory for this
  100. * **list updates:** for a scheduled call of the adblock service add an appropriate crontab entry (see example below)
  101. * **hotplug fine tuning:** to restrict hotplug support to a certain wan interface or to disable it at all, you can set 'adb\_hotplugif' to an existing interface like 'wan' or to a non-existing 'dummy' interface
  102. * **new list sources:** you could add new blocklist sources on your own via uci config, all you need is a source url and an awk one-liner (see example below)
  103. * **AP mode:** in 'AP mode' adblock uses automatically the local router ip as nullip address. To make sure that your LuCI interface will be still accessible, you have to change the local uhttpd instance to ports <> 80/443 (see example below), also make sure that firewall and dnsmasq are installed and running
  104. * **restricted mode:** to disable flash writes with adblock status information to the adblock config file (used by LuCI frontend), please set 'adb\_restricted' to '1'
  105. * **adblock toggle:** to quickly switch adblocking 'on' or 'off', simply use _/etc/init.d/adblock toggle_
  106. * **adblock statistics:** to update only the adblock statistics (without updating the block lists as well), please run _/etc/init.d/adblock stats_
  107. * **adblock query `<DOMAIN>`:** to query the active blocklists for a specific domain, please run _/etc/init.d/adblock query `<DOMAIN>`_ (see example below)
  108. * **configuration update:** to update an outdated adblock config file with the current default version, please run _/etc/init.d/adblock cfgup_, make your individual changes and start the adblock service again
  109. * **debugging:** for script debugging please set the 'adb\_debug' variable in the header of _/etc/init.d/adblock_ to '1'
  110. * **mute output** to mute the normal adblock output and print only warn/error messages, please set 'adb\_loglevel to '0'
  111. * **disable active dns probing in windows:** to prevent a possible yellow exclamation mark on your internet connection icon (which wrongly means connected, but no internet), please change the following registry key/value from "1" to "0" _HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing_
  112. ## Further adblock config options
  113. * usually the adblock autodetection works quite well and no manual config overrides are needed, all options apply to the 'global' config section:
  114. * adb\_enabled => main switch to enable/disable adblock service (default: '1', enabled)
  115. * adb\_cfgver => config version string (do not change!) - adblock will check this entry during startup
  116. * adb\_lanif => name of the logical lan interface (default: 'lan')
  117. * adb\_nullport => port of the adblock uhttpd instance used for ads delivered on port 80 (default: '65534')
  118. * adb\_nullportssl => port of the adblock uhttpd instance used for ads delivered on port 443 (default: '65535')
  119. * adb\_nullipv4 => IPv4 blackhole ip address (default: '198.18.0.1', in AP mode: local router ip)
  120. * adb\_nullipv6 => IPv6 blackhole ip address (default: '::ffff:c612:0001', in AP mode: local router ip)
  121. * adb\_forcedns => redirect all local DNS queries to the local dnsmasq resolver (default: '1', enabled / always disabled in 'AP mode')
  122. * adb\_fetchttl => set the timeout for list downloads (default: '5' seconds)
  123. * adb\_restricted => disable updates of the adblock config file (no flash writes) during runtime (default: '0', disabled)
  124. * adb\_hotplugif => restrict hotplug support to a certain wan interface or disable it at all (default: '', disabled)
  125. * adb\_loglevel => set it to '0' to mute normal adblock output and print only error messages (default: '1', normal output)
  126. ## Examples
  127. **example to change the ssl backend for 'uclient-fetch':**
  128. <pre><code>
  129. opkg update
  130. opkg remove --force-depends libustream-polarssl
  131. opkg install libustream-mbedtls
  132. </code></pre>
  133. **example cronjob for a regular block list update:**
  134. <pre><code>
  135. # configuration found in /etc/crontabs/root
  136. # start adblock script once a day at 6 a.m.
  137. #
  138. 0 06 * * * /etc/init.d/adblock start
  139. </code></pre>
  140. **example blacklist entry (/etc/adblock/adblock.blacklist):**
  141. <pre><code>
  142. ads.example.com
  143. This entry blocks the following (sub)domains:
  144. http://ads.example.com/foo.gif
  145. http://server1.ads.example.com/foo.gif
  146. https://ads.example.com:8000/
  147. This entry does not block:
  148. http://ads.example.com.ua/foo.gif
  149. http://example.com/
  150. </code></pre>
  151. **example whitelist entry (/etc/adblock/adblock.whitelist):**
  152. <pre><code>
  153. here.com
  154. This entry removes the following (sub)domains from the blocklists:
  155. maps.here.com
  156. here.com
  157. This entry does not remove:
  158. where.com
  159. www.adwhere.com
  160. </code></pre>
  161. **example uhttpd configuration in AP mode:**
  162. <pre><code>
  163. # configuration found in /etc/config/uhttpd
  164. # change default http/https ports <> 80/443
  165. #
  166. config uhttpd 'main'
  167. list listen_http '0.0.0.0:88'
  168. list listen_https '0.0.0.0:445'
  169. </code></pre>
  170. **example to query active blocklists for a certain (sub-)domain, i.e. for whitelisting:**
  171. <pre><code>
  172. /etc/init.d/adblock query "example.www.doubleclick.net"
  173. => distinct results for domain 'example.www.doubleclick.net' (overall 0)
  174. no matches in active blocklists
  175. => distinct results for domain 'www.doubleclick.net' (overall 1)
  176. adb_list.winhelp : www.doubleclick.net
  177. => distinct results for domain 'doubleclick.net' (overall 252)
  178. adb_list.adaway : ad-g.doubleclick.net
  179. adb_list.hphosts : 1016557.fls.doubleclick.net
  180. adb_list.rolist : feedads.g.doubleclick.net
  181. adb_list.securemecca : 1168945.fls.doubleclick.net
  182. adb_list.sysctl : ad.co.doubleclick.net
  183. adb_list.whocares : 3ad.doubleclick.net
  184. adb_list.winhelp : 1435575.fls.doubleclick.net
  185. The query function checks against the submitted (sub-)domain and recurses automatically to the upper top level domain(s).
  186. For every domain it returns the overall count plus a distinct list of active blocklists with the first relevant result.
  187. In the example above you have to whitelist "www.doubleclick.net" to free the submitted domain.
  188. </code></pre>
  189. **example to identify blocked domains during web browsing, i.e. for whitelisting:**
  190. <pre><code>
  191. 1. the easy way ...
  192. enable the network analysis builtins in chrome or firefox to identify domains
  193. which are redirected to the adblock null-ip (default 198.18.0.1), add these domains to your whitelist
  194. 2. a bit harder ...
  195. enable 'Log queries' in the dnsmasq configuration (via LuCI Network => DHCP/DNS),
  196. ssh to your router and start tracing with 'logread -f -e "dnsmasq" -e "198.18.0.1"'
  197. switch to your client, access the relevant site and check all domains
  198. that are blocked/listed in logread, add these domains to your whitelist
  199. => finally restart the adblock service (/etc/init.d/adblock restart) in both variants
  200. </code></pre>
  201. **example to add a new blocklist source:**
  202. <pre><code>
  203. 1. the easy way ...
  204. example: https://easylist-downloads.adblockplus.org/rolist+easylist.txt
  205. adblock already supports an easylist source, called 'ruadlist'. To add the additional local easylist
  206. as a new source, copy the existing config source 'ruadlist' section and change only
  207. the source name, the url and the description - that's all!
  208. config source 'rolist'
  209. option enabled '0'
  210. option adb_src 'https://easylist-downloads.adblockplus.org/rolist+easylist.txt'
  211. option adb_src_rset '{FS=\"[|^]\"} \$0 ~/^\|\|([A-Za-z0-9_-]+\.){1,}[A-Za-z]+\^$/{print tolower(\$3)}'
  212. option adb_src_desc 'focus on romanian ad related domains plus generic easylist additions, weekly updates, approx. 600 entries'
  213. 2. a bit harder ...
  214. to add a really new source with different domain/host format you have to write a suitable
  215. awk one-liner on your own, so basic awk skills are needed. As a starting point check the already
  216. existing awk strings (adb_src_rset) in adblock config, maybe you need only small changes for your individual list.
  217. Download the desired list and test your new awk string locally with:
  218. cat new.list | awk 'fs__individual search__search core__result'
  219. 'fs' => field separator (optional)
  220. 'individual search' => individual search part to filter out needless list information
  221. 'search core' => always '([A-Za-z0-9_-]+\.){1,}[A-Za-z]+', this is part of all list sources and should be unchanged
  222. 'result' => always '{print tolower(\$n)}', only the output column 'n' may vary
  223. the output result should be a sequential list with one domain/host per line - nothing more.
  224. If your awk one-liner works quite well, add a new source section in adblock config and test your new source
  225. </code></pre>
  226. ## Background
  227. This adblock package is a dns/dnsmasq based adblock solution.
  228. Queries to ad/abuse domains are never forwarded and always replied with a local IP address which may be IPv4 or IPv6. For that purpose adblock uses an ip address from the private 'Benchmark Test' subnet (198.18.0.1 / ::ffff:c612:0001) by default (in AP mode the local router ip address will be used). Furthermore all ad/abuse queries will be filtered by ip(6)tables and redirected to two uhttpd instances, separated for ads delivered on port 80 and on port 443 (in PREROUTING chain) or rejected (in FORWARD or OUTPUT chain). In 'AP mode' only the uhttpd related rules in PREROUTING chain are enabled.
  229. All iptables and uhttpd related adblock additions are non-destructive, no hard-coded changes in 'firewall.user', 'uhttpd' config or any other system related config files. There is _no_ adblock background daemon running, the (scheduled) start of the adblock service keeps only the adblock lists up-to-date.
  230. ## Support
  231. Please join the adblock discussion in this [openwrt forum thread](https://forum.openwrt.org/viewtopic.php?id=59803) or contact me by mail <dev@brenken.org>
  232. ## Removal
  233. * stop all adblock related services with _/etc/init.d/adblock stop_
  234. * optional: remove the adblock package (_opkg remove adblock_)
  235. Have fun!
  236. Dirk