Re: [gentoo-user] Easiest way to block domains?

2017-09-02 Thread Andrew Savchenko
On Tue, 29 Aug 2017 01:38:42 -0400 Walter Dnes wrote:
>   I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I want
> to run it into the ground, not throw it away while it's still
> functional.  With Gentoo optimization, plus using ICEWM, it's generally
> snappy.  But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers.  178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core.  On a 2-core
> machine, that is bad.  The browser is unresponsive for a few seconds at
> a time.
> 
>   I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files.  It would be more effective to block entire domains.  Is there
> a lightweight DNS server, or some iptables trick, or whatever, that'll
> block specified domains?

Use uBlock Origin. Both Firefox and Chromium work perfectly fine
for me on a Core2Duo host.


Best regards,
Andrew Savchenko




Re: [gentoo-user] Easiest way to block domains?

2017-08-30 Thread Walter Dnes
On Tue, Aug 29, 2017 at 10:17:27PM -0500, R0b0t1 wrote
> On Tue, Aug 29, 2017 at 12:38 AM, Walter Dnes  wrote:
> >   I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I want
> > to run it into the ground, not throw it away while it's still
> > functional.
> 
> Unfortunately this isn't a viable strategy because typically you will,
> in a few months, if not a single month, spend more in electricity
> costs than you would purchasing a new single board computer.

  That might be true if running at full load 24x7.  Before going to bed
I run a script that...

* drops the cpu speed down to min (1.2 GHz) from the 2.4 GHz max using my
  own custom-written eselect module.

* turns the display off programmatically.  It uses 2 commands, so it'll
  work regardless of whether I run it from X or a true text console

#!/bin/bash
sleep 1 && xset -display :0.0 dpms force off
setterm --blank force

  The "setterm" command complains when run from X, but that's not a
problem

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Easiest way to block domains?

2017-08-30 Thread Walter Dnes
On Tue, Aug 29, 2017 at 11:22:14AM +0200, David Haller wrote

> # Farcepalm
> address=/fb.com/127.0.1.1
> address=/fbcdn.net/127.0.1.1
> address=/facebook.com/127.0.1.1
> address=/facebook.net/127.0.1.1
> address=/facebook.de/127.0.1.1
> address=/facebook.fr/127.0.1.1
> address=/facebook.co.uk/127.0.1.1
> address=/whatsapp.de/127.0.1.1
> address=/whatsapp.com/127.0.1.1
> address=/internet.org/127.0.1.1
> address=/internet.com/127.0.1.1
> # ...
> 
> 
> Result:
> 
> $ host fb.com
> fb.com has address 127.0.1.1
> $ nslookup fb.com
> Server: 127.0.0.1
> Address:127.0.0.1#53
> 
> Name:   fb.com
> Address: 127.0.1.1
> 
> It's still a ton of domains to add, but much less generally. I still
> wish it'd do "shell-style" globbing like /facebook.*/ or
> /facebook.{com,net,de,fr,co.uk}/ ... You could write a little
> generator for that if need be ...

  Facebook is better-handled in iptables...

[0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
[194:15548] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
[0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
[0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK

[0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
[4035959:242209304] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
[56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
[0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
[3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
[0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK

[4040389:242479012] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
[4040389:242479012] -A FECESBOOK -j DROP

  The [packet:byte] counters show how much traffic each rule gets.  It
may be different depending on where on the planet you are.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications
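
The counter reading described in the message above, as an added example (not part of the original post): it parses the `[packets:bytes]` prefix that `iptables-save -c` prints, ranks the rules that jump into the FECESBOOK chain, and checks that the chain's own counters equal the sum of those jump rules. The rule lines are an excerpt of the ones quoted above; the function names are this example's own.

```python
import re

# Excerpt of the rules quoted in the message above: every rule with
# non-zero counters plus one never-hit rule, in `iptables-save -c` format.
RULES = '''\
[0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
[194:15548] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[4035959:242209304] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
[56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
[874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
[4040389:242479012] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
[4040389:242479012] -A FECESBOOK -j DROP
'''

# [packets:bytes] -A <chain> <match spec> -j <target> [target options]
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*?)-j (\S+)')

def parse_rules(text):
    """Return one dict per rule line: counters, chain, match spec, target."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            pkts, nbytes, chain, spec, target = m.groups()
            rules.append({"packets": int(pkts), "bytes": int(nbytes),
                          "chain": chain, "match": spec.strip(),
                          "target": target})
    return rules

def jumps_into(rules, chain):
    """Rules in other chains whose target is `chain`, busiest first."""
    hits = [r for r in rules if r["target"] == chain and r["chain"] != chain]
    return sorted(hits, key=lambda r: r["packets"], reverse=True)

def totals(rules):
    """Summed (packets, bytes) over a list of rules."""
    return (sum(r["packets"] for r in rules), sum(r["bytes"] for r in rules))

def chain_is_consistent(rules, chain):
    """The first rule of a user chain sees every packet that jumped into it,
    so its counters should equal the sum over the jump rules (assuming all
    counters were zeroed together and no rule was replaced since)."""
    first = next(r for r in rules if r["chain"] == chain)
    return (first["packets"], first["bytes"]) == totals(jumps_into(rules, chain))

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for r in jumps_into(parsed, "FECESBOOK"):
        note = "" if r["packets"] else "  (never hit)"
        print(f'{r["packets"]:>9} pkts {r["bytes"]:>11} bytes  '
              f'{r["chain"]:<6} {r["match"]}{note}')
    print("chain counters match jump rules:",
          chain_is_consistent(parsed, "FECESBOOK"))
```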



Re: [gentoo-user] Easiest way to block domains?

2017-08-30 Thread Walter Dnes
On Tue, Aug 29, 2017 at 11:09:00AM +0200, Heiko Baums wrote

> I'm using the combination of these browser add-ons available for
> Firefox and Chromium:
> 
> uBlock Origin
> uMatrix
> EFF Privacy Badger

  I use Pale Moon.  There's a Pale Moon specific fork of AdBlock, called
AdBlock Latitude https://addons.palemoon.org/addon/adblock-latitude/ but
I prefer to avoid addons.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Easiest way to block domains?

2017-08-30 Thread Mick
On Wednesday, 30 August 2017 04:17:27 BST R0b0t1 wrote:
> Unfortunately this isn't a viable strategy because typically you will,
> in a few months, if not a single month, spend more in electricity
> costs than you would purchasing a new single board computer.

Are you sure of this?

Perhaps in a commercial 24x7x365 high compute cycle application this would 
hold water, but in the case of a home PC running 14 hours a day at maximum 
power you might save enough to buy a small spinning SATA drive after a year, 
or a Raspberry Pi without peripherals, but not a new PC.  Of course, if:

1. your PC is not running at full speed all the time;
2. it is not a PentiumD dual core (were they the most power hungry?);
3. you're not still running a CRT monitor;
4. you tend to suspend to RAM when not in front of it;
5. a new PC is not at least 50% more efficient;
6. the price of electricity is not exorbitant (I pay approximately £0.13/KWh + 
£0.29/day)

then you will need other reasons to upgrade.  When the PC you're using is a 
laptop, then the case for upgrading on grounds of savings on electricity costs 
alone is even more tenuous.

-- 
Regards,
Mick



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread R0b0t1
On Tue, Aug 29, 2017 at 12:38 AM, Walter Dnes  wrote:
>   I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I want
> to run it into the ground, not throw it away while it's still
> functional.

Unfortunately this isn't a viable strategy because typically you will,
in a few months, if not a single month, spend more in electricity
costs than you would purchasing a new single board computer.

> With Gentoo optimization, plus using ICEWM, it's generally
> snappy.  But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers.  178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core.  On a 2-core
> machine, that is bad.  The browser is unresponsive for a few seconds at
> a time.
>
>   I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files.  It would be more effective to block entire domains.  Is there
> a lightweight DNS server, or some iptables trick, or whatever, that'll
> block specified domains?
>

Your single board computer of choice should be able to handle this. If
you need routing capability you are better off building a computer
from scratch. There's mini-ITX boards available with soldered-on
processors that are probably comparable to your system from 2008, but
they use far less electricity.

You could also buy a router and replace the firmware with OpenWRT.
Most have enough space for some pretty involved service provisioning.

R0b0t1.



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread David Haller
Hello,

On Tue, 29 Aug 2017, Walter Dnes wrote:
>  I'm building up a rather large hosts file, but the adservers have a
>gazillion subnames for each domain, in a deliberate attempt to bypass
>hosts files.  It would be more effective to block entire domains.  Is there
>a lightweight DNS server, or some iptables trick, or whatever, that'll
>block specified domains?

Use 'dnsmasq'!!! I have e.g. this "basic" config (shortened to the
relevant parts):

 /etc/dnsmasq.conf 
[..]
# define servers for forwarding, e.g. my router[1]:
server=192.168.178.1
[..]
conf-file=/etc/dnsmasq.d/blocklist.conf

 /etc/dnsmasq.d/blocklist.conf 
# Google
address=/1e100.net/127.0.1.1
address=/google-analytics.com/127.0.1.1
address=/googleadservices.com/127.0.1.1
address=/googlesyndication.com/127.0.1.1
address=/googletagservices.com/127.0.1.1
address=/googletagmanager.com/127.0.1.1
address=/double-click.net/127.0.1.1
address=/doubleclick.com/127.0.1.1
address=/doubleclick.net/127.0.1.1
# Farcepalm
address=/fb.com/127.0.1.1
address=/fbcdn.net/127.0.1.1
address=/facebook.com/127.0.1.1
address=/facebook.net/127.0.1.1
address=/facebook.de/127.0.1.1
address=/facebook.fr/127.0.1.1
address=/facebook.co.uk/127.0.1.1
address=/whatsapp.de/127.0.1.1
address=/whatsapp.com/127.0.1.1
address=/internet.org/127.0.1.1
address=/internet.com/127.0.1.1
# ...


Result:

$ host fb.com
fb.com has address 127.0.1.1
$ nslookup fb.com
Server: 127.0.0.1
Address:127.0.0.1#53

Name:   fb.com
Address: 127.0.1.1

It's still a ton of domains to add, but much less generally. I still
wish it'd do "shell-style" globbing like /facebook.*/ or
/facebook.{com,net,de,fr,co.uk}/ ... You could write a little
generator for that if need be ...

You can also use conf-dir instead of conf-file:


   -7, --conf-dir=[,..],
  Read  all  the  files  in  the  given directory as configuration
  files. If extension(s) are given, any files which end  in  those
  extensions  are skipped. Any files whose names end in ~ or start
  with . or start and end with # are always skipped. If the exten-
  sion starts with * then only files which have that extension are
  loaded. So --conf-dir=/path/to/dir,*.conf loads all  files  with
  the  suffix .conf in /path/to/dir. This flag may be given on the
  command line or in a configuration file. If  giving  it  on  the
  command line, be sure to escape * characters.


Actually, I've just switched to

conf-dir=/etc/dnsmasq.d,*.conf

so I can script some stuff (Makefile, .in template, to e.g. expand
at least {a,b,c} style globs ;)

HTH,
-dnh

[1] note: I do not use my router with its provider-provided
DNS-servers, but I use open servers from opendns.com and
www.privacyfoundation.ch or others. Not goggles though.

-- 
Living on Earth may be expensive, but it includes an annual free trip
around the Sun.   -- BSD fortune file
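
The "little generator" suggested in the message above, as an added example (not part of the original post and not dnsmasq's own tooling): it expands `{a,b,c}` groups in a template into `address=/domain/127.0.1.1` lines, rejects anything that is not a plain hostname so a stray `/` or space cannot change the meaning of the generated config, and drops names already covered by a listed parent domain, since an `address=/domain/` entry answers for all subdomains too. The template text and function names are constructed for this example.

```python
import re

SINK = "127.0.1.1"  # sinkhole address used in the blocklist above
LABEL = re.compile(r'^(?!-)[a-z0-9-]{1,63}(?<!-)$')
BRACES = re.compile(r'\{([^{}]*)\}')  # innermost {a,b,c} group

# Constructed template using names from the blocklist above.
TEMPLATE = """\
# Farcepalm
facebook.{com,net,de,fr,co.uk}
fb.com
fbcdn.net
www.facebook.com      # redundant: facebook.com already covers it
whatsapp.{de,com}
"""

def expand(pattern):
    """Expand every {a,b,c} group in pattern, like shell brace expansion."""
    m = BRACES.search(pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(','):
        out.extend(expand(pattern[:m.start()] + alt.strip() + pattern[m.end():]))
    return out

def valid(domain):
    """Accept only dotted hostnames made of LDH labels."""
    labels = domain.split('.')
    return (len(domain) <= 253 and len(labels) >= 2
            and all(LABEL.match(label) for label in labels))

def covered(domain, listed):
    """True if a parent domain of `domain` is itself in `listed`."""
    parts = domain.split('.')
    return any('.'.join(parts[i:]) in listed for i in range(1, len(parts)))

def generate(template, sink=SINK):
    """Return sorted dnsmasq address= lines for a brace-glob template."""
    domains = set()
    for raw in template.splitlines():
        line = raw.split('#', 1)[0].strip().lower()
        if not line:
            continue
        for domain in expand(line):
            if not valid(domain):
                raise ValueError(f"refusing to emit invalid name: {domain!r}")
            domains.add(domain)
    kept = sorted(d for d in domains if not covered(d, domains))
    return [f"address=/{d}/{sink}" for d in kept]

if __name__ == "__main__":
    print("\n".join(generate(TEMPLATE)))
```

The output can be written to a file under the conf-dir shown above; `dnsmasq --test` checks the resulting configuration for syntax errors before a restart.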



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread Heiko Baums
Am Tue, 29 Aug 2017 01:38:42 -0400
schrieb "Walter Dnes" :

>   I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I
> want to run it into the ground, not throw it away while it's still
> functional.  With Gentoo optimization, plus using ICEWM, it's
> generally snappy.  But there are a few web pages that throw the
> kitchen sink of 3rd-party adservers+trackers.  178 unique servers for
> one web page will peg the load from the web browser to 150% of 1 cpu
> core.  On a 2-core machine, that is bad.  The browser is unresponsive
> for a few seconds at a time.
> 
>   I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files.  It would be more effective to block entire domains.  Is
> there a lightweight DNS server, or some iptables trick, or whatever,
> that'll block specified domains?

I'm using the combination of these browser add-ons available for
Firefox and Chromium:

uBlock Origin
uMatrix
EFF Privacy Badger

uBlock Origin is an ad blocker.
uMatrix is similar to NoScript but a lot more flexible and easier to
use, and comes with some hosts files (not copied to /etc/hosts).
And Privacy Badger blocks domains, JavaScripts, cookies etc. that are
used to create a profile of yours.

Those three are doing quite a good job from what I can tell. And surfing
on a Raspberry Pi 3 is also a lot better with these.

That said, it's not only ad servers which cause a massive CPU load, it's
also badly designed and overloaded websites which contain a lot of
JavaScript and load content from several other servers, particularly
from JavaScript hosts and CDNs.

Heiko



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread Mick
On Tuesday, 29 August 2017 08:25:18 BST J. Roeleveld wrote:
> On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes wrote:
> >On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
> >
> >> Look into proxy servers.
> >> I think privoxy should be able to do the trick.
> >> 
> >  Looking at the /usr/portage/net-proxy directory, I see several proxy
> >
> >programs.  I checked the privoxy man page at linux.die.net and it
> >mentions that some features are not available under https.  Is this a
> >privoxy limit, or is it a limitation of proxies in general?
> >
> >  Is "tinyproxy" noticeably simpler than privoxy?  My main requirement
> >
> >is to block a list of domains.  Is it possible for a proxy to edit a
> >webpage on-the-fly, so that references to unwanted URLs are stripped
> >out, and the browser doesn't waste time trying to download from a
> >blocked adserver?
> 
> Checked the FAQ, blocking by host pattern will work. Blocking by content of
> the page will not.
> 
> For blocking ads, this will be sufficient.
> If you want to block pages because it mentions cats or other suspicious
> words, https will not work as the data is encrypted.
> 
> --
> Joost

It may be worth trying the uBlock Origin addon for Firefox and, on Chromium, in 
addition try uBlock Origin Extra.  They have made a difference here.

-- 
Regards,
Mick



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread J. Roeleveld
On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes  wrote:
>On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
>
>> Look into proxy servers.
>> I think privoxy should be able to do the trick.
>
>  Looking at the /usr/portage/net-proxy directory, I see several proxy
>programs.  I checked the privoxy man page at linux.die.net and it
>mentions that some features are not available under https.  Is this a
>privoxy limit, or is it a limitation of proxies in general?
>
>  Is "tinyproxy" noticeably simpler than privoxy?  My main requirement
>is to block a list of domains.  Is it possible for a proxy to edit a
>webpage on-the-fly, so that references to unwanted URLs are stripped
>out, and the browser doesn't waste time trying to download from a
>blocked adserver?

Checked the FAQ, blocking by host pattern will work. Blocking by content of the 
page will not.

For blocking ads, this will be sufficient.
If you want to block pages because it mentions cats or other suspicious words, 
https will not work as the data is encrypted.

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread J. Roeleveld
On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes  wrote:
>On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
>
>> Look into proxy servers.
>> I think privoxy should be able to do the trick.
>
>  Looking at the /usr/portage/net-proxy directory, I see several proxy
>programs.  I checked the privoxy man page at linux.die.net and it
>mentions that some features are not available under https.  Is this a
>privoxy limit, or is it a limitation of proxies in general?
>
>  Is "tinyproxy" noticeably simpler than privoxy?  My main requirement
>is to block a list of domains.  Is it possible for a proxy to edit a
>webpage on-the-fly, so that references to unwanted URLs are stripped
>out, and the browser doesn't waste time trying to download from a
>blocked adserver?

Not sure about that. But did you check the main page? (www.privoxy.org)

--
Joost 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread Stroller

> On 29 Aug 2017, at 06:38, Walter Dnes  wrote:
> 
> …  But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers.  178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core.  On a 2-core
> machine, that is bad.  The browser is unresponsive for a few seconds at
> a time.

I use Ghostery on my Mac - I couldn't use the web without it now.

They have versions for Firefox and Opera - it might not be as full-featured as 
you'd like, but it's very easy to install and use, so might be worth a try.

Stroller.




Re: [gentoo-user] Easiest way to block domains?

2017-08-29 Thread Walter Dnes
On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote

> Look into proxy servers.
> I think privoxy should be able to do the trick.

  Looking at the /usr/portage/net-proxy directory, I see several proxy
programs.  I checked the privoxy man page at linux.die.net and it
mentions that some features are not available under https.  Is this a
privoxy limit, or is it a limitation of proxies in general?

  Is "tinyproxy" noticeably simpler than privoxy?  My main requirement
is to block a list of domains.  Is it possible for a proxy to edit a
webpage on-the-fly, so that references to unwanted URLs are stripped
out, and the browser doesn't waste time trying to download from a
blocked adserver?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: [gentoo-user] Easiest way to block domains?

2017-08-28 Thread J. Roeleveld
On 29 August 2017 07:38:42 GMT+02:00, Walter Dnes  wrote:
>  I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I want
>to run it into the ground, not throw it away while it's still
>functional.  With Gentoo optimization, plus using ICEWM, it's
>generally
>snappy.  But there are a few web pages that throw the kitchen sink of
>3rd-party adservers+trackers.  178 unique servers for one web page will
>peg the load from the web browser to 150% of 1 cpu core.  On a 2-core
>machine, that is bad.  The browser is unresponsive for a few seconds at
>a time.
>
>  I'm building up a rather large hosts file, but the adservers have a
>gazillion subnames for each domain, in a deliberate attempt to bypass
>hosts files.  It would be more effective to block entire domains.  Is
>there
>a lightweight DNS server, or some iptables trick, or whatever, that'll
>block specified domains?

Look into proxy servers.
I think privoxy should be able to do the trick.

--
Joost
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



[gentoo-user] Easiest way to block domains?

2017-08-28 Thread Walter Dnes
  I'm running a Core2-duo desktop from 2008 with 3 gigs of ram.  I want
to run it into the ground, not throw it away while it's still
functional.  With Gentoo optimization, plus using ICEWM, it's generally
snappy.  But there are a few web pages that throw the kitchen sink of
3rd-party adservers+trackers.  178 unique servers for one web page will
peg the load from the web browser to 150% of 1 cpu core.  On a 2-core
machine, that is bad.  The browser is unresponsive for a few seconds at
a time.

  I'm building up a rather large hosts file, but the adservers have a
gazillion subnames for each domain, in a deliberate attempt to bypass
hosts files.  It would be more effective to block entire domains.  Is there
a lightweight DNS server, or some iptables trick, or whatever, that'll
block specified domains?

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications