adsuck

From ConformalOpenSource
Revision as of 11:51, 16 September 2011 by Davec (Talk | contribs)

Jump to: navigation, search


adsuck is a small DNS server that spoofs blacklisted addresses and forwards all other queries. The idea is to be able to prevent connections to undesirable sites such as ad servers, crawlers and other nasties. It can be used locally, for the road warrior, or on the network perimeter in order to protect machines from malicious sites. It also has the capability to match website names using regex and there is also a mechanism to spoof DNS queries to specified IP addresses.

Please read the manual page for additional information.

Installation

The code was written on OpenBSD and the port contains the installation instructions. For non-OpenBSD installation it must be done by hand. There are 2 methods of using adsuck:

  • as a local resolver for the road-warrior
  • as a perimeter resolver to protect local networks

local resolver setup

  • Make and install adsuck somewhere that is available at boot
  • Create a chroot directory for adsuck with 755 permissions and owner root (e.g. /var/adsuck)
  • Create a _adsuck user and make its home directory the chroot directory
  • Create a _adsuck group
  • Copy the blacklist files, e.g. hosts.small, to the chroot directory
  • Modify the dhclient script to not overwrite /etc/resolv.conf and instead write that file to the chroot directory
  • Modify the dhclient script to send SIGHUP to the adsuck daemon whenever it gets a new nameserver
  • Modify the /etc/resolv.conf file to only one line reading: nameserver 127.0.0.1
  • Add adsuck somewhere as a daemon so that it runs during boot, preferably after dhclient and syslogd start
  • Run adsuck, e.g. /usr/local/sbin/adsuck -c /var/adsuck -f /resolv.conf /hosts.small

NOTE: adsuck runs in a chroot environment and the above example would require 2 files in /var/adsuck; namely hosts.small and resolv.conf. Also note that in this example the dhclient script needs to overwrite /var/adsuck/resolv.conf every time it gets a new nameserver AND it has to send SIGHUP to the adsuck daemon to reread that file.

perimeter resolver setup

This must be done on the perimeter resolver, the machine running a valid nameserver for the network in question.

  • Make and install adsuck somewhere that is available at boot
  • Create a chroot directory for adsuck with 755 permissions and owner root, e.g. /var/adsuck
  • Create an _adsuck user and make its home directory the chroot directory
  • Create an _adsuck group
  • Copy the blacklist files, e.g. hosts.small, to the chroot directory
  • Create a resolv.conf file that contains your actual resolver information inside the chroot, e.g. nameserver 192.168.0.1
  • Create an alias IP on the resolver for adsuck to listen on e.g. 192.168.0.2 when the resolver has IP 192.168.0.1
  • Add adsuck somewhere as a daemon so that it runs during boot, preferably after dhclient and syslogd start
  • Run adsuck, e.g. /usr/local/sbin/adsuck -l 192.168.0.2 -c /var/adsuck -f /resolv.conf /hosts.small

NOTE: Refer to the local resolver information above if you use DHCP for the perimeter resolver network access.

adsuck resources