
I'm running a VPN service on Debian (for a few friends) as a kind of self-learning project to gather more experience running a secure and highly available service.

At the moment OpenVPN pushes OpenDNS servers to the clients and clients route all traffic through my server. I would like to implement some kind of tracking block, like a list of known domains/IPs that are used by ad or tracking services (yes, I know the list approach is far from good) that automatically gets blocked for the user when running the VPN. So if user A would, for example, visit a website shadycompany.com/wedotrackingforaliving that loads various JS files which connect to one of the domains in my list, the traffic will not be forwarded or just dropped.

Thinking about this left me with 2 valid options:

  • Use dnsmasq aliases on all domains to reroute all DNS queries that contain a domain from the list to localhost

  • Simply reroute to localhost via the hosts file

So my question is, are there any limitations to either method? Like the max. number of rules, performance (https://serverfault.com/a/759896 - considering the stated delay for hosts file lookups of O(log2(n)), and considering the list contains around 50000 entries at the moment) or security-wise (bypassing DNS etc.)? Is there any best practice for such blocking that is better than the dnsmasq and hosts file approach?

architekt

1 Answer

Looking at the dnsmasq man page, it looks like that'll definitely work.

As stated in the man page,

It is possible to use dnsmasq to block Web advertising by using a list of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or an additional hosts file. The list can be very long, dnsmasq has been tested successfully with one million names. That size file needs a 1GHz processor and about 60Mb of RAM.

Which looks like exactly what you're trying to do.

schroeder

Cyrus Roshan
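The man page excerpt describes feeding dnsmasq a hosts-style list of ad servers. As an added example (not code from the question or the answer), the script below takes a blocklist in the mixed formats such lists are usually published in, normalizes and validates the names, and emits both a file for dnsmasq's addn-hosts= option and equivalent address=/name/0.0.0.0 lines; it also models the difference that matters for a tracking block: hosts-style entries match the exact name only, while address= also sinkholes every subdomain. The sample list is constructed for the example.

```python
import re

# Loose hostname label check: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(line):
    """Lowercase domain from one blocklist line, or None if it is not a usable name.
    Accepts bare names and hosts-style '0.0.0.0 name' lines; drops comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    name = line.split()[-1].lower().rstrip(".")
    if name in ("localhost", "0.0.0.0", "127.0.0.1"):
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return name

def load_blocklist(text):
    """Deduplicated, sorted list of valid domains from raw blocklist text."""
    return sorted({n for n in (normalize(l) for l in text.splitlines()) if n})

def to_addn_hosts(domains, sink="0.0.0.0"):
    """File body for dnsmasq's addn-hosts= option: exact-name matches only."""
    return "\n".join(f"{sink} {d}" for d in domains) + "\n"

def to_address_conf(domains, sink="0.0.0.0"):
    """dnsmasq address=/name/ip lines: each also sinkholes every subdomain."""
    return "\n".join(f"address=/{d}/{sink}" for d in domains) + "\n"

def is_sinkholed(query, domains, subdomains):
    """Model which queries each style answers with the sink address."""
    q = query.lower().rstrip(".")
    if q in domains:
        return True
    return bool(subdomains) and any(q.endswith("." + d) for d in domains)

# Constructed sample list (not a real tracker list), in the mixed formats
# that published lists commonly use.
SAMPLE = """# sample list
0.0.0.0 ads.example.com
tracker.example.net.
ADS.example.com   # duplicate differing only in case
127.0.0.1 localhost
bad_label.example.org
"""
```

With a 50000-entry list, prefer 0.0.0.0 over 127.0.0.1 as the sink so blocked hosts fail fast instead of hitting whatever listens on the server's loopback.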