Re: [gentoo-user] Easiest way to block domains?
On Tue, 29 Aug 2017 01:38:42 -0400 Walter Dnes wrote:
> I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I want
> to run it into the ground, not throw it away while it's still
> functional. With Gentoo optimization, plus using ICEWM, it's generally
> snappy. But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers. 178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core. On a 2-core
> machine, that is bad. The browser is unresponsive for a few seconds at
> a time.
>
> I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files. It would be more effective to block entire domains. Is there
> a lightweight DNS server, or some iptables trick, or whatever, that'll
> block specified domains?

Use uBlock origin. Both firefox and chromium work perfectly fine
for me on a Core2Duo host.

Best regards,
Andrew Savchenko
Re: [gentoo-user] Easiest way to block domains?
On Tue, Aug 29, 2017 at 10:17:27PM -0500, R0b0t1 wrote
> On Tue, Aug 29, 2017 at 12:38 AM, Walter Dnes wrote:
> > I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I want
> > to run it into the ground, not throw it away while it's still
> > functional.
>
> Unfortunately this isn't a viable strategy because typically you will,
> in a few months, if not a single month, spend more in electricity
> costs than you would purchasing a new single board computer.

  That might be true if running at full load 24x7. Before going to bed
I run a script that...

* drops the cpu speed down to min (1.2 GHz) from the 2.4 GHz max using
  my own custom-written eselect module.

* turns the display off programmatically. It uses 2 commands, so it'll
  work regardless of whether I run it from X or a true text console

#!/bin/bash
sleep 1 && xset -display :0.0 dpms force off
setterm --blank force

  The "setterm" command complains when run from X, but that's not a
problem

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Easiest way to block domains?
On Tue, Aug 29, 2017 at 11:22:14AM +0200, David Haller wrote
> # Farcepalm
> address=/fb.com/127.0.1.1
> address=/fbcdn.net/127.0.1.1
> address=/facebook.com/127.0.1.1
> address=/facebook.net/127.0.1.1
> address=/facebook.de/127.0.1.1
> address=/facebook.fr/127.0.1.1
> address=/facebook.co.uk/127.0.1.1
> address=/whatsapp.de/127.0.1.1
> address=/whatsapp.com/127.0.1.1
> address=/internet.org/127.0.1.1
> address=/internet.com/127.0.1.1
> # ...
>
>
> Result:
>
> $ host fb.com
> fb.com has address 127.0.1.1
> $ nslookup fb.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Name:   fb.com
> Address: 127.0.1.1
>
> It's still a ton of domains to add, but much less generally. I still
> wish it'd do "shell-style" globbing like /facebook.*/ or
> /facebook.{com,net,de,fr,co.uk}/ ... You could write a little
> generator for that if need be ...

  Facebook is better-handled in iptables...

[0:0] -A INPUT -s 31.13.24.0/21 -j FECESBOOK
[194:15548] -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 66.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 74.119.76.0/22 -j FECESBOOK
[0:0] -A INPUT -s 103.4.96.0/22 -j FECESBOOK
[0:0] -A INPUT -s 173.252.64.0/18 -j FECESBOOK
[0:0] -A INPUT -s 204.15.20.0/22 -j FECESBOOK
[0:0] -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
[4035959:242209304] -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK
[56:3360] -A OUTPUT -d 66.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[874:52440] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 74.119.76.0/22 -j FECESBOOK
[0:0] -A OUTPUT -d 103.4.96.0/22 -j FECESBOOK
[3306:198360] -A OUTPUT -d 173.252.64.0/18 -j FECESBOOK
[0:0] -A OUTPUT -d 204.15.20.0/22 -j FECESBOOK
[4040389:242479012] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
[4040389:242479012] -A FECESBOOK -j DROP

  The [packet:byte] counters show how much traffic each rule gets.
It may be different depending where on the planet you are.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Easiest way to block domains?
On Tue, Aug 29, 2017 at 11:09:00AM +0200, Heiko Baums wrote
> I'm using the combination of these browser add-ons available for
> Firefox and Chromium:
>
> uBlock Origin
> uMatrix
> EFF Privacy Badger

  I use Pale Moon. There's a Pale Moon specific fork of AdBlock, called
AdBlock Latitude https://addons.palemoon.org/addon/adblock-latitude/
but I prefer to avoid addons.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Easiest way to block domains?
On Wednesday, 30 August 2017 04:17:27 BST R0b0t1 wrote:
> Unfortunately this isn't a viable strategy because typically you will,
> in a few months, if not a single month, spend more in electricity
> costs than you would purchasing a new single board computer.

Are you sure of this? Perhaps in a commercial 24x7x365 high compute
cycle application this would hold water, but in the case of a home PC
running 14 hours a day at maximum power you might save enough to buy a
small spinning SATA drive after a year, or a Raspberry Pi without
peripherals, but not a new PC.

Of course, if:

1. your PC is not running at full speed all the time;
2. it is not a PentiumD dual core (were they the most power hungry?);
3. you're not still running a CRT monitor;
4. you tend to suspend to RAM when not in front of it;
5. a new PC is not at least 50% more efficient;
6. the price of electricity is not exorbitant (I pay approximately
   £0.13/KWh + £0.29/day)

then you will need other reasons to upgrade. When the PC you're using
is a laptop, then the case for upgrading on grounds of savings on
electricity costs alone is even more tenuous.

--
Regards,
Mick
Re: [gentoo-user] Easiest way to block domains?
On Tue, Aug 29, 2017 at 12:38 AM, Walter Dnes wrote:
> I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I want
> to run it into the ground, not throw it away while it's still
> functional.

Unfortunately this isn't a viable strategy because typically you will,
in a few months, if not a single month, spend more in electricity
costs than you would purchasing a new single board computer.

> With Gentoo optimization, plus using ICEWM, it's generally
> snappy. But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers. 178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core. On a 2-core
> machine, that is bad. The browser is unresponsive for a few seconds at
> a time.
>
> I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files. It would be more effective to block entire domains. Is there
> a lightweight DNS server, or some iptables trick, or whatever, that'll
> block specified domains?
>

Your single board computer of choice should be able to handle this.

If you need routing capability you are better off building a computer
from scratch. There's mini-ITX boards available with soldered-on
processors that are probably comparable to your system from 2008, but
they use far less electricity.

You could also buy a router and replace the firmware with OpenWRT.
Most have enough space for some pretty involved service provisioning.

R0b0t1.
Re: [gentoo-user] Easiest way to block domains?
Hello,

On Tue, 29 Aug 2017, Walter Dnes wrote:
> I'm building up a rather large hosts file, but the adservers have a
>gazillion subnames for each domain, in a deliberate attempt to bypass
>hosts files. It would be more effective to block entire domains. Is there
>a lightweight DNS server, or some iptables trick, or whatever, that'll
>block specified domains?

Use 'dnsmasq'!!!

I have e.g. this "basic" config (shortened to the relevant parts):

/etc/dnsmasq.conf

    [..]
    # define servers for forwarding, e.g. my router[1]:
    server=192.168.178.1
    [..]
    conf-file=/etc/dnsmasq.d/blocklist.conf

/etc/dnsmasq.d/blocklist.conf

    # Google
    address=/1e100.net/127.0.1.1
    address=/google-analytics.com/127.0.1.1
    address=/googleadservices.com/127.0.1.1
    address=/googlesyndication.com/127.0.1.1
    address=/googletagservices.com/127.0.1.1
    address=/googletagmanager.com/127.0.1.1
    address=/double-click.net/127.0.1.1
    address=/doubleclick.com/127.0.1.1
    address=/doubleclick.net/127.0.1.1
    # Farcepalm
    address=/fb.com/127.0.1.1
    address=/fbcdn.net/127.0.1.1
    address=/facebook.com/127.0.1.1
    address=/facebook.net/127.0.1.1
    address=/facebook.de/127.0.1.1
    address=/facebook.fr/127.0.1.1
    address=/facebook.co.uk/127.0.1.1
    address=/whatsapp.de/127.0.1.1
    address=/whatsapp.com/127.0.1.1
    address=/internet.org/127.0.1.1
    address=/internet.com/127.0.1.1
    # ...

Result:

    $ host fb.com
    fb.com has address 127.0.1.1
    $ nslookup fb.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53

    Name:   fb.com
    Address: 127.0.1.1

It's still a ton of domains to add, but much less generally. I still
wish it'd do "shell-style" globbing like /facebook.*/ or
/facebook.{com,net,de,fr,co.uk}/ ... You could write a little
generator for that if need be ...

You can also use conf-dir instead of conf-file:

    -7, --conf-dir=[,..],
           Read all the files in the given directory as configuration
           files. If extension(s) are given, any files which end in
           those extensions are skipped. Any files whose names end in ~
           or start with . or start and end with # are always skipped.
           If the extension starts with * then only files which have
           that extension are loaded. So --conf-dir=/path/to/dir,*.conf
           loads all files with the suffix .conf in /path/to/dir. This
           flag may be given on the command line or in a configuration
           file. If giving it on the command line, be sure to escape *
           characters.

Actually, I've just switched to

    conf-dir=/etc/dnsmasq.d,*.conf

so I can script some stuff (Makefile, .in template, to e.g. expand at
least {a,b,c} style globs ;)

HTH,
-dnh

[1] note: I do not use my router with its provider-provided
    DNS-servers, but I use open servers from opendns.com and
    www.privacyfoundation.ch or others. Not goggles though.

--
Living on Earth may be expensive, but it includes an annual free trip
around the Sun. -- BSD fortune file
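[Added example, not part of the thread or of dnsmasq: one way to write the "little generator" mentioned in the message above, expanding {a,b,c} patterns into address= lines for a file under /etc/dnsmasq.d. The names expand, is_domain, render and SAMPLE are hypothetical, and the sample patterns are constructed from the domains quoted in the thread. Every expanded name is checked against hostname syntax before it is written, so a malformed pattern cannot slip an extra directive into the resolver's configuration.]

```python
"""Expand {a,b,c}-style domain patterns into dnsmasq address= lines."""
import re

SINK = "127.0.1.1"  # sink address used in the thread's blocklist.conf

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
# Used with fullmatch() so a trailing newline can never pass.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def expand(pattern):
    """Return all strings a brace pattern stands for (innermost group first)."""
    m = re.search(r"\{([^{}]*)\}", pattern)  # a group with no braces inside it
    if m is None:
        if "{" in pattern or "}" in pattern:
            raise ValueError(f"unbalanced braces in {pattern!r}")
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def is_domain(name):
    """True for a plain multi-label hostname, nothing else."""
    labels = name.split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(_LABEL.fullmatch(label) for label in labels))


def render(patterns, sink=SINK):
    """Return dnsmasq config text; refuse anything that is not a domain."""
    domains = set()
    for raw in patterns:
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and blanks
        if not line:
            continue
        for name in expand(line):
            if not is_domain(name):
                raise ValueError(f"refusing to emit {name!r} (from {raw!r})")
            domains.add(name)
    return "".join(f"address=/{d}/{sink}\n" for d in sorted(domains))


# Constructed sample input, one pattern per line as in a ".in" template.
SAMPLE = [
    "# Farcepalm",
    "facebook.{com,net,de,fr,co.uk}",
    "whatsapp.{de,com}",
    "internet.{org,com}",
    "fb.com",
]

if __name__ == "__main__":
    print(render(SAMPLE), end="")
```

[Each address=/domain/ line answers for the named domain and for every name beneath it, which is why a short pattern list replaces the per-subdomain hosts entries discussed in the thread.]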
Re: [gentoo-user] Easiest way to block domains?
On Tue, 29 Aug 2017 01:38:42 -0400, "Walter Dnes" wrote:
> I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I
> want to run it into the ground, not throw it away while it's still
> functional. With Gentoo optimization, plus using ICEWM, it's
> generally snappy. But there are a few web pages that throw the
> kitchen sink of 3rd-party adservers+trackers. 178 unique servers for
> one web page will peg the load from the web browser to 150% of 1 cpu
> core. On a 2-core machine, that is bad. The browser is unresponsive
> for a few seconds at a time.
>
> I'm building up a rather large hosts file, but the adservers have a
> gazillion subnames for each domain, in a deliberate attempt to bypass
> hosts files. It would be more effective to block entire domains. Is
> there a lightweight DNS server, or some iptables trick, or whatever,
> that'll block specified domains?

I'm using the combination of these browser add-ons available for
Firefox and Chromium:

uBlock Origin
uMatrix
EFF Privacy Badger

uBlock Origin is an ad blocker. uMatrix is similar to NoScript but a
lot more flexible and easier to use, and comes with some hosts files
(not copied to /etc/hosts). And Privacy Badger blocks domains,
JavaScripts, cookies etc. that are used to create a profile of yours.

Those three are doing quite a good job from what I can tell. And
surfing on a Raspberry Pi 3 is also a lot better with these.

That said, it's not only ad servers which cause a massive CPU load,
it's also badly designed and overloaded websites which contain a lot of
JavaScript and load content from several other servers, particularly
from JavaScript hosts and CDNs.

Heiko
Re: [gentoo-user] Easiest way to block domains?
On Tuesday, 29 August 2017 08:25:18 BST J. Roeleveld wrote:
> On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes wrote:
> >On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
> >
> >> Look into proxy servers.
> >> I think privoxy should be able to do the trick.
> >
> > Looking at the /usr/portage/net-proxy directory, I see several proxy
> >programs. I checked the privoxy man page at linux.die.net and it
> >mentions that some features are not available under https. Is this a
> >privoxy limit, or is it a limitation of proxies in general?
> >
> > Is "tinyproxy" noticeably simpler than privoxy? My main requirement
> >is to block a list of domains. Is it possible for a proxy to edit a
> >webpage on-the-fly, so that references to unwanted URLs are stripped
> >out, and the browser doesn't waste time trying to download from a
> >blocked adserver?
>
> Checked the FAQ, blocking by host pattern will work. Blocking by content of
> the page will not.
>
> For blocking ads, this will be sufficient.
> If you want to block pages because it mentions cats or other suspicious
> words, https will not work as the data is encrypted.
>
> --
> Joost

It may be worth trying ublock origin addon for Firefox and on Chromium
in addition try ublock origin extra. They have made a difference here.

--
Regards,
Mick
Re: [gentoo-user] Easiest way to block domains?
On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes wrote:
>On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
>
>> Look into proxy servers.
>> I think privoxy should be able to do the trick.
>
> Looking at the /usr/portage/net-proxy directory, I see several proxy
>programs. I checked the privoxy man page at linux.die.net and it
>mentions that some features are not available under https. Is this a
>privoxy limit, or is it a limitation of proxies in general?
>
> Is "tinyproxy" noticeably simpler than privoxy? My main requirement
>is to block a list of domains. Is it possible for a proxy to edit a
>webpage on-the-fly, so that references to unwanted URLs are stripped
>out, and the browser doesn't waste time trying to download from a
>blocked adserver?

Checked the FAQ, blocking by host pattern will work. Blocking by
content of the page will not.

For blocking ads, this will be sufficient.
If you want to block pages because it mentions cats or other suspicious
words, https will not work as the data is encrypted.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Easiest way to block domains?
On 29 August 2017 08:53:16 GMT+02:00, Walter Dnes wrote:
>On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote
>
>> Look into proxy servers.
>> I think privoxy should be able to do the trick.
>
> Looking at the /usr/portage/net-proxy directory, I see several proxy
>programs. I checked the privoxy man page at linux.die.net and it
>mentions that some features are not available under https. Is this a
>privoxy limit, or is it a limitation of proxies in general?
>
> Is "tinyproxy" noticeably simpler than privoxy? My main requirement
>is to block a list of domains. Is it possible for a proxy to edit a
>webpage on-the-fly, so that references to unwanted URLs are stripped
>out, and the browser doesn't waste time trying to download from a
>blocked adserver?

Not sure about that.
But did you check the main page? (www.privoxy.org)

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [gentoo-user] Easiest way to block domains?
> On 29 Aug 2017, at 06:38, Walter Dnes wrote:
>
> … But there are a few web pages that throw the kitchen sink of
> 3rd-party adservers+trackers. 178 unique servers for one web page will
> peg the load from the web browser to 150% of 1 cpu core. On a 2-core
> machine, that is bad. The browser is unresponsive for a few seconds at
> a time.

I use Ghostery on my Mac - I couldn't use the web without it now.

They have versions for Firefox and Opera - it might not be as
full-featured as you'd like, but it's very easy to install and use, so
might be worth a try.

Stroller.
Re: [gentoo-user] Easiest way to block domains?
On Tue, Aug 29, 2017 at 05:41:53AM +, J. Roeleveld wrote

> Look into proxy servers.
> I think privoxy should be able to do the trick.

  Looking at the /usr/portage/net-proxy directory, I see several proxy
programs. I checked the privoxy man page at linux.die.net and it
mentions that some features are not available under https. Is this a
privoxy limit, or is it a limitation of proxies in general?

  Is "tinyproxy" noticeably simpler than privoxy? My main requirement
is to block a list of domains. Is it possible for a proxy to edit a
webpage on-the-fly, so that references to unwanted URLs are stripped
out, and the browser doesn't waste time trying to download from a
blocked adserver?

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: [gentoo-user] Easiest way to block domains?
On 29 August 2017 07:38:42 GMT+02:00, Walter Dnes wrote:
> I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I want
>to run it into the ground, not throw it away while it's still
>functional. With Gentoo optimization, plus using ICEWM, it's generally
>snappy. But there are a few web pages that throw the kitchen sink of
>3rd-party adservers+trackers. 178 unique servers for one web page will
>peg the load from the web browser to 150% of 1 cpu core. On a 2-core
>machine, that is bad. The browser is unresponsive for a few seconds at
>a time.
>
> I'm building up a rather large hosts file, but the adservers have a
>gazillion subnames for each domain, in a deliberate attempt to bypass
>hosts files. It would be more effective to block entire domains. Is there
>a lightweight DNS server, or some iptables trick, or whatever, that'll
>block specified domains?

Look into proxy servers.
I think privoxy should be able to do the trick.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
[gentoo-user] Easiest way to block domains?
  I'm running a Core2-duo desktop from 2008 with 3 gigs of ram. I want
to run it into the ground, not throw it away while it's still
functional. With Gentoo optimization, plus using ICEWM, it's generally
snappy. But there are a few web pages that throw the kitchen sink of
3rd-party adservers+trackers. 178 unique servers for one web page will
peg the load from the web browser to 150% of 1 cpu core. On a 2-core
machine, that is bad. The browser is unresponsive for a few seconds at
a time.

  I'm building up a rather large hosts file, but the adservers have a
gazillion subnames for each domain, in a deliberate attempt to bypass
hosts files. It would be more effective to block entire domains. Is there
a lightweight DNS server, or some iptables trick, or whatever, that'll
block specified domains?

--
Walter Dnes
I don't run "desktop environments"; I run useful applications