On Thu, Jul 16, 2015 at 2:44 AM, Stefan Wollny <[email protected]> wrote:
> On 07/16/15 at 02:29, David Higgs wrote:
> > On Wed, Jul 15, 2015 at 5:09 PM, Erling Westenvik <
> > [email protected]> wrote:
> >
> >> On Wed, Jul 15, 2015 at 08:25:03PM +0200, Stefan Wollny wrote:
> >>> Hi misc@!
> >>>
> >>
> [ ... ]
> >>
> >>
> > I use adsuck without issues on my gateway; it hangs off a stable DHCP
> > uplink so I don't have to monkey with /var/adsuck/resolv.conf after
> > initial setup. The following lets me blackhole DNS for internal devices
> > without exposing the service to external hosts. Also, I figured out how
> > to regularly update the hosts file.
> >
> >
> > [/etc/rc.conf.local]
> > pkg_scripts="adsuck"
> > adsuck_flags="-c /var/adsuck -f /files/resolv.conf /files/hosts.small"
> >
> > [/etc/pf.conf]
> > # redirect all DNS from internal networks to adsuck
> > # note: adsuck does not handle TCP DNS
> > # note: gateway lookups are unfiltered
> > match in on $internal_ifs proto udp to port domain rdr-to 127.0.0.1
> >
> > [/etc/weekly.local]
> > # periodically update blackhole list, needs reformatting
> > if TMP=`mktemp`; then
> > 	HFILE=/var/adsuck/files/hosts.small
> > 	# always remove the temp file; only a signal forces exit status 1
> > 	trap 'rm -f $TMP' 0
> > 	trap 'rm -f $TMP; exit 1' 1 15
> > 	# keep the current list in place until the download has succeeded
> > 	if ftp -Vo $TMP http://winhelp2002.mvps.org/hosts.txt; then
> > 		mv $HFILE $HFILE.out
> > 		# strip CRLF endings, drop the ::1 line, point blackholed names at 127.0.0.1
> > 		tr -d '\r' < $TMP | sed -e '/::1/d' -e 's/^0.0.0.0/127.0.0.1/' > $HFILE
> > 		/etc/rc.d/adsuck reload > /dev/null
> > 	else
> > 		echo "Cannot fetch adsuck hosts file"
> > 	fi
> > else
> > 	echo "Cannot install adsuck hosts file"
> > fi
> >
> > --david
> >
>
> Hi David!
>
> Thank you for sharing your solution.
>
> I think you can omit the "adsuck_flags"-line in /etc/rc.conf.local as
> the rc.d-script for adsuck has identical parameters for 'daemon_flags'.
>
> Basically I used the same script for updating hosts.small though your
> implementation seems to be more sophisticated - mine is just more
> complex as I want to keep the entries for my private network (plus some
> additions/exceptions mvps does not have). Another thing is that I fetch
> the zip-file as I used adsuck on my laptop and sometimes the connections
> are slooow - that's why I update manually at irregular intervals.
>
> I find it astounding that using the mvps-entries on a regular
> /etc/hosts-file gives me the same results without any noticeable delay -
> what is adsuck actually providing if I get the same with one daemon less?
>

If all you have is an endpoint (that doesn't provide DNS for anyone else),
there is no benefit to using adsuck. A correctly-configured resolv.conf
should find all the blackholed hosts directly from /etc/hosts. You are
right, and this is the better solution for road warriors. However, DNS
servers like my gateway will (generally?) not consult the local /etc/hosts
file. Adsuck provides blackholing as a service for my internal networks
from a single point, including devices (e.g. smartphones) that can't
otherwise do this.

I wouldn't call my script particularly sophisticated; it definitely needs
improvement in handling of failed commands.

Good point on the adsuck_flags variable - once upon a time I was using
different options.

--david
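An added example, not code from either poster or from the adsuck project, covering two points raised in the thread: keeping private-network entries and exceptions that the mvps list does not have, and handling a failed download so it never replaces a working list. It assumes the mvps hosts.txt has already been fetched to a local file and that private entries live in a separate file of "address name" lines; the file names, the MIN_ENTRIES threshold and the function names are my own choices.

```sh
#!/bin/sh
# Added example (not from the thread or the adsuck project): build adsuck's
# hosts.small from an already-downloaded mvps-style list plus a private list,
# drop names listed in an exceptions file, and refuse to replace the current
# list when the download looks empty or truncated.
#
# Assumed layout (my own choice, not adsuck's): the caller fetches hosts.txt
# to a temp file first; private entries are "address name" lines.

# Smallest number of blackhole entries a fetched list must contain before it
# is trusted. A captive-portal page or an empty download falls below this.
MIN_ENTRIES=${MIN_ENTRIES:-3}

# normalize_hosts FILE
# Prints FILE as "address name" lines: strips CRLF endings and comments,
# drops the ::1 line, rewrites 0.0.0.0 to 127.0.0.1 and keeps one name per line.
normalize_hosts() {
    tr -d '\r' < "$1" |
    sed -e 's/#.*$//' -e '/::1/d' -e 's/^0\.0\.0\.0[[:space:]]/127.0.0.1 /' |
    awk 'NF >= 2 { print $1, $2 }'
}

# count_blackholed FILE
# Number of names pointed at 127.0.0.1, not counting the localhost entry.
count_blackholed() {
    awk '$1 == "127.0.0.1" && $2 != "localhost" { n++ } END { print n + 0 }' "$1"
}

# build_hosts FETCHED PRIVATE EXCEPTIONS OUT
# Writes the merged list to OUT. Private entries come first so they win over
# a duplicate name in the fetched list; names in EXCEPTIONS (one per line)
# are dropped. Returns 1 and leaves OUT untouched when FETCHED has too few
# entries, so a failed fetch never replaces a working list.
build_hosts() {
    fetched=$1 private=$2 exceptions=$3 out=$4
    tmp=$(mktemp) || return 1
    normalize_hosts "$fetched" > "$tmp"
    n=$(count_blackholed "$tmp")
    if [ "$n" -lt "$MIN_ENTRIES" ]; then
        echo "refusing to install: only $n blackhole entries in $fetched" >&2
        rm -f "$tmp"
        return 1
    fi
    { normalize_hosts "$private"; cat "$tmp"; } |
    awk -v exc="$exceptions" '
        BEGIN { while ((getline line < exc) > 0) if (line != "") skip[line] = 1 }
        !($2 in skip) && !seen[$2]++ { print }
    ' > "$out"
    rm -f "$tmp"
}

# Usage on a gateway after a download such as "ftp -Vo /tmp/hosts.txt ..."
# (the private and exceptions paths are assumed, not adsuck's own):
#   build_hosts /tmp/hosts.txt /var/adsuck/files/private \
#       /var/adsuck/files/exceptions /var/adsuck/files/hosts.small \
#       && /etc/rc.d/adsuck reload
```

Because the sanity check runs before anything is written, a failed ftp, a truncated file or an HTML error page leaves the previous hosts.small untouched and adsuck keeps serving the old list; the private list is merged first so a local name is never shadowed by a stale entry from the download.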

