Domain blocking using DNS

Get rid of unwanted advertising banners and prevent certain third-party sites from tracking your browsing habits. Use DNS to block undesirable domains, advertisements and other browsing harassments.

Many web pages include images or other content that is not drawn from the principal site being viewed but, instead, from some other, third-party, site. These third-party organizations can use cookies and the connection IP address to track a person's browsing habits across many different web sites. This technique might be considered undesirable for several reasons including a potential loss of personal privacy and the fact that the advertising banners use up bandwidth that you, the viewer, are possibly paying for. The technique described in this page can be used to block access to these sites by intercepting the references to them and returning some other information instead. The technique can be used on any machine that has its own name server but is ideally suited for use within organizations where a single name server can be used to block access for every machine on the local network.

Content revision history:
Article first written, spring 2004
Added information about Metronet, 2nd March 2005.

Introduction

Banner advertisements appear on many web sites but are often provided by a third party web site. For example, in May 2004 the “ebay.co.uk” web site contained advertisements supplied by “doubleclick.net”. Other web sites also contain advertisements provided by “doubleclick”. Every time the web browser displays the image used for the advertisement, information is necessarily transmitted to the advert provider (doubleclick in this case) and this information can be stored and aggregated to provide a profile of the browsing habits of an individual person.

[Image: penguin trapped in a vice in a milling machine]
Should you find yourself caught in a tricky situation while configuring equipment, do take care not to lose your head.

I have two main reasons for not wanting such advertisements to appear. First, the advertising company can accumulate information about the sites a user has visited, and what they did while there. The exact information transmitted to the advertiser depends to some extent on the primary web site being visited and on the browser being used and how it is configured but in most cases the information will be quite detailed and will allow the advertiser to build-up a significant body of information for analysis. The second reason for wanting to inhibit these advertisements is simply that they consume bandwidth that has to be paid for. In effect the user is paying for the advertiser's spying and paying to see advertisements that the user does not actually want to see.

There are other ways of blocking these advertisements (and other undesirable domains). Persons using the Microsoft Windows operating system will find that various blocking software packages are available; a quick web search or usenet search should reveal a few names. Also some people find that they can use the “hosts” file (or its equivalent) to good effect. Both of these approaches have some significant drawbacks:

The principal drawback is that the software package or “hosts” file must be installed on every machine and kept up to date on every machine. The hosts file method also suffers from the need to provide fully-qualified domain names.

(In 2005 some ISPs started to provide blocking facilities. One such company was called Metronet, later bought by PlusNet; for more information about this company please see the external links at the end of this article.)

The method outlined in this page naturally has its own drawbacks, principally that for some people it will be too complicated. However if you are managing a cluster (large or small) of machines then the complexity of the initial configuration will be amply outweighed by the simplicity of keeping every machine on the network protected against many unwanted sites regardless of what operating system or internet browser software is being used.

Prerequisites

The prerequisite for this technique is that you should have a domain name server running on your machine or on your network. My own network uses the “bind” name server software and this software is included in many GNU/Linux distributions. You will also need a web server somewhere that can receive and respond to the intercepted requests.

General theory

All machines on the network are told to use the internal nameserver for DNS lookup. The internal name server will be given the IP addresses of two or three external name servers that it can refer to whenever it doesn't already know the answer to a look up request.

In general, in a simple small-organization scenario, the configuration files for your internal name server should only define the domains that you actually own and/or control. The name server might also contain definitions for your own internal network so that, for example, all machines can access the print server as “printserver.local” or some other name rather than by IP number.

However, there is no technical reason why you cannot create definitions for other domains, real or imaginary. If the domain is a real one but not one of your own then every time an attempt is made to access that domain your name server configuration will determine where the request actually is sent. If the domain in question is, for example, an advertising domain then you might simply wish to redirect it to your own internal web server and have the web server generate a blank page.

The need for a webserver

The nameserver method of advertisement blocking works best if you have a web server that you can refer to. If you have sufficient skill and confidence to set up a nameserver then you can almost certainly set up a web server as well. However, depending on your exact circumstances, you might already have a server you can use and thereby spare yourself some effort.

Many Windows machines have a miniature web server installed and running by default (actually that has been a major contributory cause of poor security with Windows machines but here you are going to get some advantage out of it). If you have GNU/Linux it is also possible that you will have a web server running on your own machine — many Linux distributions include two or three http servers and might install one of them as part of the default installation. If your computer is connected to a corporate local network then it is possible that one of the computers on the network will have a web server running. If you have an ADSL connection to the internet there is a very small possibility that your ADSL modem will be able to act as the necessary web server.

One way or another you will usually need a web server of some form in order to get the best speed. You need a web server to refer to so that your web browser does not hang around waiting to get a response from a computer that doesn't exist. If you do not have a web server to refer to then you might find that this method blocks the adverts but makes your browsing of advert riddled sites unacceptably slow.

Once you have found a webserver you need to know its IP address. If the webserver is running on your own computer then you can use the address 127.0.0.1, and if you are not sure whether you have a web server or not this is also the number you should use. If you are going to refer to a web server on your local network then its IP address will probably be something like 192.168.x.y or 10.x.y.z (where x, y and z are numbers between 0 and 255).

If you do not know whether you have a web server running on your own computer you can try the following experiment: Edit the hosts file and add the following line:

127.0.0.1    hoopy.local

Make sure you save the file. Now go to your web browser and type in the address “hoopy.local” and see what happens. If you immediately see a page that contains an “Error 404 page not found” message, or something similar, then you probably have a web server running on your computer. If there is a delay of a few seconds and then just a blank page appears then you probably don't have a web server running on your computer and you will either need to install one, find one on your local network, choose a different method of blocking advertisements, or put up with delays when you are visiting web pages that contain references to web sites that you have blocked.

If you don't have a web server running on your own computer then there are a couple of other things you can try: If your computer is part of a local area network such as in an office then it is possible that your IT administrator will be able to set up a web server for you. If your computer connects to the internet on an ADSL connection and you have an ethernet modem (quite likely in a small office situation) then there is a small possibility that you will be able to use the ethernet modem as the web server ... see this page: Web server in ADSL modems.

Now let's get back to dealing with the name server ...

Example configuration files for the bind name server

The relevant parts of the configuration files that I use are reproduced below. The names and locations of these files are those used by SuSE Linux in their version 8.1 distribution. Other distributions might have the files in different locations but the same principles will apply.

/etc/named.conf

The listing below contains the contents of the file:
    /etc/named.conf
This file is the principal configuration file for the “bind” name server program.

# This is a configuration file for the name server BIND.
# The options shown below are valid for the particular
# installation that this site was created for.

options {
    # The directory statement defines the name server's
    # working directory.

    directory "/var/named";

    # The forwarders record contains a list of servers to
    # which queries should be forwarded.  Enable this line and
    # replace the 0.0.0.0 IP addresses with the correct
    # values for your internet provider's name servers.
    # Up to three servers may be listed.

    forwarders {
                0.0.0.0;
                0.0.0.0;
    #           0.0.0.0;
               };

    # Enable the next entry to prefer usage of the name
    # servers declared in the forwarders section.

    # forward first;

    # The listen-on record contains a list of local network
    # interfaces to listen on.  Optionally the port can be
    # specified.  Default is to listen on all interfaces found
    # on your system.  The default port is 53.

    #listen-on port 53 { 127.0.0.1; };

    # The allow-query record contains a list of networks or
    # IP addresses to accept and deny queries from.  The
    # default is to allow queries from all hosts.

    #allow-query { 127.0.0.1; };

    # If notify is set to yes (default), notify messages are
    # sent to other name servers when the zone data is
    # changed.  Instead of setting a global 'notify' statement
    # in the 'options' section, a separate 'notify' can be
    # added to each zone definition.

    notify no;
};

# The following three zone definitions don't need any modification.
# The first one defines localhost while the second defines the
# reverse lookup for localhost.  The last zone "." is the
# definition of the root name servers.

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

zone "." in {
    type hint;
    file "root.hint";
};

# You can insert further zone records for your own domains below.

##########################################
#    This section should contain entries for any domains that
#    need to be defined for this name server.  A private user on
#    a single computer will probably not need anything here.
#    A small business network will likely want at least one entry
#    to define key machines on the local area network.
#
#    If you are not running a local network simply delete (or
#    comment out) this entire section.
#
#    This definition allows us to refer to machines on our own
#    network by names such as "printserver.local".  This means
#    that we have effectively defined a domain called "local",
#    but we could have called it something different, like, for
#    example, "banana" and then referred to our machines by names
#    such as "printserver.banana" ...
#
#    When you first set up networking on a computer running SuSE
#    Linux 8.1 or 9.0 it will be assumed that the local domain is
#    actually called "local" and that is the name given by YaST
#    by default.  Consequently, unless you have changed this local
#    domain name with YaST it is probably a good idea to stick
#    with "local" as the name.
#
#    Note that named.conf keywords are case-sensitive: the statement
#    must be written as "zone", in lower case, or BIND will refuse
#    to load the file.

zone "local" IN {
    type master;
    file "zones/local.zone";
};

##############################################
#   Next, the intercept zones.  These are used to trap references to
#   any domain that you do not want to be accessed.  All of them share
#   the same zone file, whose "@" and "*" records point every name in
#   the domain at the internal web server.
#   For neatness each entry has been formatted as a single line and
#   this makes it easier to see what is what when this list grows
#   longer.

zone "adserver.com"         IN  { type master; file "zones/intercept.zone"; };
zone "doubleclick.net"      IN  { type master; file "zones/intercept.zone"; };
zone "doubleclick.com"      IN  { type master; file "zones/intercept.zone"; };
zone "doubleclick.org"      IN  { type master; file "zones/intercept.zone"; };
zone "mediaplex.com"        IN  { type master; file "zones/intercept.zone"; };

#   Add the domain names for any other sites that you do not want users or
#   machines to access.
 

/var/named/zones/intercept.zone

The box listing below contains the contents of the file:
    /var/named/zones/intercept.zone
This file is referred to by the file “/etc/named.conf”, as shown above.

$TTL 1W
; This zone file is used as part of an interception
; mechanism that can be used to trap attempts to visit
; certain domains.  Its principal intended use is to
; prevent access to advertising sites.
;
; This file can be used to define multiple domains because
; it makes use of the @ directive to refer to the domain
; defined by the zone statement that named this file.
;

@		IN SOA	dns   root	(
    2004051203  ; serial  (year, month, day, count)
    2W		; refresh
    1H		; retry
    6W		; expiry
    1W		; minimum
    )

                 IN NS         dns
                 IN MX     10  mailserver

; The domain itself, and (via the wildcard) every name beneath it,
; resolve to the internal web server.
@                IN A          192.168.0.99
*                IN A          192.168.0.99

When the file listed above is used to define a particular domain then all attempts to contact that domain will be referred to the machine that has IP address 192.168.0.99. On my own network this machine is a web server. However the intercepted domains are not known to the web server and therefore it simply responds with a standard error response — that for “Error 404”, page not found. In fact the web server has been given a special page to use for 404 errors and so the result is that every banner advertisement from an intercepted domain is replaced with a simple message along the lines of “Error 404: Intercepted or not found”.

If this technique were being used on a standalone machine then the IP address might be better set to 127.0.0.1, indicating the local machine. If there is no web server available anywhere on your network or local machine then other IP numbers, such as 0.0.0.0 could be tried. The trick is to find something that will cause your web browser to respond quickly. If you simply use an IP address that doesn't exist on your network then it is possible that the browser will wait for a long time every time it tries to access one of the intercepted domains because it will be trying to make contact with a computer that isn't there.

/var/named/zones/local.zone

For completeness, the box below contains the contents of the file:
      /var/named/zones/local.zone
This file is referred to by the file “/etc/named.conf”, as shown above.

$TTL 1W
; This zone file defines the "local" domain, i.e. the machines
; on our own network, so that they can be referred to by names
; such as "printserver.local" rather than by IP address.
;
; The host names and addresses below are those of the author's
; network and are shown as an example only.
;

@		IN SOA	dns   root	(
    2004031807  ; serial  (year, month, day, count)
    2W		; refresh
    1H		; retry
    6W		; expiry
    1W		; minimum
    )

                 IN NS         dns
                 IN MX     10  mailserver
printserver      IN A          192.168.1.92
gateway          IN A          192.168.1.91
webserver        IN A          192.168.0.99
mailserver       IN A          192.168.1.93

@                IN A          192.168.0.99
*                IN A          192.168.0.99

www              IN CNAME      webserver


Important note: this file shows the hostnames and IP addresses for machines on our local network. On your local network the names and IP addresses will almost certainly be quite different so don't copy this file verbatim — it is shown here only to help you get a better understanding and to present you with a reasonably complete set of information.

If you are running a single computer then this particular file is irrelevant and not needed.

Other precautions

This particular document discusses the use of DNS to block advertisements. There are, however, some other privacy and security related precautions that can be considered for each individual machine. These are:

Instruct your web browser to reject third-party cookies.

Instruct your web browser to discard cookies at the end of a browsing session.

Instruct your web browser to ignore (refuse to open) pop‑up windows that were not explicitly requested by the user.

If these features are not available on your web browser then consider changing your web browser. The “Opera” browser (available for GNU/Linux and Windows) provides all of these features and, additionally, provides fast and good page rendering with helpful viewing options. As always, a search of Usenet will yield a variety of opinions about different browsers and their relative merits.

Links

BIND
Name server software.
openSUSE
Creators and purveyors of several distributions of GNU/Linux.
Opera Software
A rather good web browser and email client. Versions are available for GNU/Linux, MS-Windows and certain mobile telephones and handheld computers. It has useful configuration options, is fast, and provides several useful features that make it easier to view and navigate web pages.
Mozilla
A popular, open source web browser.
Using the “hosts” file to block advertisements
Using the hosts file is not a great method of blocking advertisements and hindering tracking but it can be effective and it has the advantages of being free and being easy enough for many computer users to do by themselves.

The following are links to organizations that provide other methods of blocking advertisements and unwanted material. You could use their methods instead of, or in addition to, your own DNS blocking of the sort described in the above article. They are mentioned here only to give you something else to think about and they are not affiliated with or recommended by or otherwise associated with LearnLinux.co.uk (the site you are looking at now). There might be other organizations with similar products or with products that are more suitable for your needs. An internet search for terms such as “junkbuster”, “advertisement blocklist”, “ad blocking” will possibly find you some useful pages to explore.

guidescope.com
A company that provides software for blocking unwanted material.
junkbusters.com
An organization that provides software for blocking unwanted material.
Metronet
Metronet are an ADSL provider in the United Kingdom. They also offer a free, configurable, firewall at their end of your connection and (starting March 2005) allow you to browse the web via a configurable proxy server that you can use to block adverts, adult sites or other sites of your own choosing.
