Blocking Undesired Domain Names

Blocking undesired domain names is a security exercise. Advertising is often the reason people block sites, but many web sites are also used to deliver undesired content and malware. An obvious example is porn. While people should be free to pursue such content, certain categories of it can lead to trouble.

Often parents want to shield children from undesirable content, but adults might want to shield themselves as well. Jack-booted thugs dressed in black Ninja outfits with ski masks love destroying property at 6 AM. Protecting property by blocking undesired content from home and office computers is a sane pursuit.

Blocking advertisements is only one element of undesirable content.

There are several approaches to blocking undesired domain names. For more than a dozen years I have used a hosts file approach with dnsmasq. The same blocking could be accomplished with BIND Response Policy Zones or a Squid proxy. The Pi-hole project uses the same technique and adds a web browser interface.

The advantage of blocking undesired domain names at this level rather than with web browser add-ons is that the blocking affects all software and all computers on the LAN, provided they use this resolver. A device or application configured with its own upstream DNS server, or using DNS over HTTPS, bypasses it entirely.

The key dnsmasq feature is the addn-hosts option, which tells dnsmasq to read an additional hosts-format file alongside /etc/hosts and to answer queries for the names it contains locally, without forwarding them upstream.

I use a text file formatted the same as a hosts file, named /etc/hosts-blocked. My dnsmasq.conf file contains the following:


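The page's own dnsmasq.conf listing is missing above, so the configuration the text describes is reconstructed here as an added example rather than copied from the author's file. The addn-hosts line follows directly from the option and file name given above; the logging lines are an assumption (the page refers to dnsmasq logs but does not say how logging is configured), as is the choice of 0.0.0.0 as the sink address in the sample block-list entries.

```conf
# /etc/dnsmasq.conf (added example, reconstructed from the text)

# Read /etc/hosts-blocked in addition to /etc/hosts and answer for every
# name in it locally.  A name listed here never reaches an upstream server.
addn-hosts=/etc/hosts-blocked

# Assumed: log each query, its source and how it was answered, so the
# share of blocked queries can be measured from the log.
log-queries
log-facility=/var/log/dnsmasq.log

# /etc/hosts-blocked uses plain hosts-file syntax; several names may share
# one line.  Sink address 0.0.0.0 is this example's choice, not the page's:
#   0.0.0.0 ads.example
#   0.0.0.0 tracker.example beacon.example
```

Using 0.0.0.0 rather than 127.0.0.1 as the sink stops browsers from opening a connection to whatever happens to listen on the local machine's port 80; dnsmasq accepts either. After changing either file, send dnsmasq SIGHUP, which makes it re-read /etc/hosts and every addn-hosts file without a restart.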
I use a shell script to update the list. There are many sources for maintaining such a list; I use two online sources. I update the block list with a weekly cron job.

The update script is written to ensure that certain domains never get added to the block list. That list of exceptions is named /etc/hosts-do-not-block.

Originally I started with the well-known hosts file from the Windows MVP site. Then I wrote a script that updates my /etc/hosts-blocked file weekly. These days I use the original MVP site and a second source to update the list. This is not a fresh replacement: my script saves my current list and merges in the differences from the updated lists. Thus my list continually grows.
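The update procedure described in the preceding paragraphs, written out as an added example and not the author's script: a POSIX shell script that normalizes each downloaded list into one `0.0.0.0 name` line per host, unions it with the current /etc/hosts-blocked, subtracts /etc/hosts-do-not-block, saves the previous list, refuses to install a list smaller than the current one, and signals dnsmasq to reload. The source URLs, the 0.0.0.0 sink address, the .bak copy and the sample inputs inside demo_merge are all assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not the author's script: weekly merge of downloaded
# hosts-format block lists into /etc/hosts-blocked.  Source URLs are
# placeholders; the 0.0.0.0 sink and the .bak copy are assumptions.
set -eu
export LC_ALL=C     # one collation for sort(1) and comm(1)
SINK=0.0.0.0

# Reduce any hosts-format input to one "SINK hostname" line per host: drop
# comments and blank lines, ignore the address column, lower-case names,
# and skip the machine's own names.
normalize_hosts() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$@" \
    | awk -v sink="$SINK" 'NF >= 2 {
          for (i = 2; i <= NF; i++) {
              h = tolower($i)
              if (h == "localhost" || h == "localhost.localdomain" ||
                  h == "broadcasthost" || h == "ip6-localhost") continue
              print sink, h
          }
      }' \
    | sort -u
}

# merge_blocklists CURRENT DO_NOT_BLOCK NEW...: union of the current list
# and the downloads, minus the do-not-block names.  Entries are only ever
# added, which is why the list keeps growing.
merge_blocklists() {
    current=$1; donotblock=$2; shift 2
    allow=$(mktemp)
    # do-not-block holds bare hostnames (hosts-format lines work too); put
    # it in the same normalized form so comm(1) can subtract it line by line
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$donotblock" \
    | awk -v sink="$SINK" '{ print sink, tolower($NF) }' | sort -u > "$allow"
    normalize_hosts "$current" "$@" | comm -23 - "$allow"
    rm -f "$allow"
}

# update_blocklist URL...: the job the weekly cron entry runs.
update_blocklist() {
    blocked=${BLOCKED:-/etc/hosts-blocked}
    donotblock=${DONOTBLOCK:-/etc/hosts-do-not-block}
    [ -f "$blocked" ] || : > "$blocked"
    work=$(mktemp -d); n=0
    for url in "$@"; do
        n=$((n + 1))
        # -f turns an HTTP error page into a failure, not a "hosts" file
        curl -fsSL --max-time 120 -o "$work/src$n" "$url" \
            || { rm -rf "$work"; return 1; }
    done
    merge_blocklists "$blocked" "$donotblock" "$work"/src* > "$blocked.new"
    rm -rf "$work"
    # a truncated or empty download must never shrink years of entries
    if [ "$(wc -l < "$blocked.new")" -lt "$(normalize_hosts "$blocked" | wc -l)" ]; then
        rm -f "$blocked.new"; return 1
    fi
    cp -p "$blocked" "$blocked.bak"   # save the current list first
    chmod 0644 "$blocked.new"
    mv -f "$blocked.new" "$blocked"   # rename, so dnsmasq never reads a partial file
    # SIGHUP makes dnsmasq re-read /etc/hosts and every addn-hosts file
    pkill -HUP -x dnsmasq || echo "dnsmasq not running; list installed, not reloaded" >&2
}

# demo_merge: runs the merge on constructed sample lists (not real sources)
# and prints the result; the mixed 127.0.0.1/0.0.0.0 styles, letter case
# and trailing comments mirror what real downloads look like.
demo_merge() {
    dir=$(mktemp -d)
    cat > "$dir/hosts-blocked" <<'EOF'
# already on the machine
0.0.0.0 ads.example
0.0.0.0 tracker.example
EOF
    cat > "$dir/source1" <<'EOF'
# [Localhost]
127.0.0.1  localhost
127.0.0.1  Ads.Example
127.0.0.1  banner.example  # [Adware]
127.0.0.1  keep.example
EOF
    cat > "$dir/source2" <<'EOF'
0.0.0.0 stats.example beacon.example
0.0.0.0 tracker.example
EOF
    cat > "$dir/hosts-do-not-block" <<'EOF'
# never block these, whatever the upstream lists say
keep.example
EOF
    merge_blocklists "$dir/hosts-blocked" "$dir/hosts-do-not-block" \
        "$dir/source1" "$dir/source2"
    rm -rf "$dir"
}

# A weekly cron entry (assumed) would call, for example:
#   update_blocklist 'https://example.invalid/hosts' 'https://example.invalid/more-hosts'
demo_merge
```

Two details matter more than they look. The size check guards against a source that returns an empty body or an HTML error page, which would otherwise silently replace years of accumulated entries; and the final step is a rename into place followed by SIGHUP, so dnsmasq never loads a half-written file and does not need a restart.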

I am guessing some of these URLs are outdated and no longer active.

Does the blocking strategy succeed? The dnsmasq logs indicate that about 13% of queried domain names are being “blocked,” that is, answered from my block list rather than forwarded to an upstream DNS server. That number only reflects the share of blocked queries, not the amount of content blocked.
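How a figure like that 13% can be computed from a dnsmasq log, as an added example and not the author's method. The log lines inside demo_blocked_share are constructed in the format dnsmasq writes with log-queries enabled (a `query[TYPE] name from client` line for each query, followed by a line naming the source of the answer: the addn-hosts file path, `forwarded`, `cached`, or `config`). The script first collects every name that dnsmasq answered out of /etc/hosts-blocked, then counts all queries for those names; counting query lines rather than `/etc/hosts-blocked` lines also catches AAAA lookups of blocked names, which dnsmasq answers as NODATA without naming the file.

```sh
#!/bin/sh
# Added example, not the author's code: share of queries that dnsmasq
# answered from the block list.  Log lines in demo_blocked_share are
# constructed in dnsmasq's log-queries format.
set -eu

# blocked_share LOGFILE: prints "blocked total percent".
# Pass 1 records every name answered out of /etc/hosts-blocked; pass 2
# counts query lines, and the subset whose name is in that set.
blocked_share() {
    awk '
        FNR == 1 { pass++ }
        pass == 1 {
            for (i = 1; i <= NF; i++)
                if ($i == "/etc/hosts-blocked") { blocked[$(i + 1)] = 1; break }
        }
        pass == 2 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^query\[/) {
                    total++
                    if ($(i + 1) in blocked) hit++
                    break
                }
        }
        END {
            pct = total ? int(100 * hit / total + 0.5) : 0
            print hit + 0, total + 0, pct
        }' "$1" "$1"
}

# demo_blocked_share: constructed log (not a real capture) with ten queries,
# three of them for names in the block list.
demo_blocked_share() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Jan 10 06:00:01 dnsmasq[1234]: query[A] ads.example from 192.168.1.10
Jan 10 06:00:01 dnsmasq[1234]: /etc/hosts-blocked ads.example is 0.0.0.0
Jan 10 06:00:01 dnsmasq[1234]: query[AAAA] ads.example from 192.168.1.10
Jan 10 06:00:01 dnsmasq[1234]: config ads.example is NODATA-IPv6
Jan 10 06:00:02 dnsmasq[1234]: query[A] www.example.org from 192.168.1.10
Jan 10 06:00:02 dnsmasq[1234]: forwarded www.example.org to 9.9.9.9
Jan 10 06:00:02 dnsmasq[1234]: reply www.example.org is 93.184.216.34
Jan 10 06:00:03 dnsmasq[1234]: query[A] www.example.org from 192.168.1.11
Jan 10 06:00:03 dnsmasq[1234]: cached www.example.org is 93.184.216.34
Jan 10 06:00:05 dnsmasq[1234]: query[A] tracker.example from 192.168.1.11
Jan 10 06:00:05 dnsmasq[1234]: /etc/hosts-blocked tracker.example is 0.0.0.0
Jan 10 06:00:07 dnsmasq[1234]: query[A] mail.example.org from 192.168.1.12
Jan 10 06:00:07 dnsmasq[1234]: forwarded mail.example.org to 9.9.9.9
Jan 10 06:00:07 dnsmasq[1234]: reply mail.example.org is 192.0.2.25
Jan 10 06:00:09 dnsmasq[1234]: query[PTR] 25.2.0.192.in-addr.arpa from 192.168.1.12
Jan 10 06:00:09 dnsmasq[1234]: forwarded 25.2.0.192.in-addr.arpa to 9.9.9.9
Jan 10 06:00:10 dnsmasq[1234]: query[A] cdn.example.org from 192.168.1.10
Jan 10 06:00:10 dnsmasq[1234]: forwarded cdn.example.org to 9.9.9.9
Jan 10 06:00:11 dnsmasq[1234]: query[A] docs.example.org from 192.168.1.10
Jan 10 06:00:11 dnsmasq[1234]: forwarded docs.example.org to 9.9.9.9
Jan 10 06:00:12 dnsmasq[1234]: query[A] www.example.org from 192.168.1.12
Jan 10 06:00:12 dnsmasq[1234]: cached www.example.org is 93.184.216.34
EOF
    blocked_share "$log"
    rm -f "$log"
}

demo_blocked_share   # prints: 3 10 30
```

Run against the real file named by log-facility, the percentage is exactly the statistic quoted above: a share of queries, which says nothing about how many bytes of advertising those queries would have pulled in.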

Occasional checks of the dnsmasq process show less than 40KB of RAM being used.

What about web sites designed to detect that advertisements did not load? If a site refuses access altogether then I vote with my feet; nothing to see there. That said, most sites perform the detection through JavaScript, which I limit with the NoScript add-on; if JavaScript is disabled, the detection scheme never runs. Another simple trick is to disable the web page's style sheet to reveal the underlying content. I use the Read Easily add-on for Firefox, which is an excellent tool for bypassing idiotic web site designs based solely on the bane of the web.

Some folks argue that the hosts file approach is inefficient, is not “l33t,” does not provide regex granularity, and does not support easy temporary toggling. I disagree. This system works beautifully. The great part is that there is no DNS slowdown or latency whatsoever.

Would Firefox add-ons provide me any benefit? Informational at most. I have long tried to control bandwidth and avoid latency because of my connectivity challenges. Little did I know when I first started with this approach that years later the same strategy would help me control the sickness of bandwidth-wasting advertising, tracking, and spying.

Further, web browser add-ons only affect the web browser. I prefer a system-wide or network-wide strategy.

My hosts-based approach is enormously effective. Along with short-lived cookies and JavaScript whitelists, I am not bothered with this spying and tracking nonsense. I avoid many undesired web sites and servers. I do not pretend that I block 100% of all such efforts, but I neutralize a significant majority of them.

Using this strategy does not ruin my browsing experience. At all. Quite the opposite.

Advertisers, marketers, and scum web site owners have moved well beyond the realm of creepiness and decided to declare war against me. War? Yes, they believe I am a target. I am fighting back.

Posted: Category: Tutorial Tagged: General
