DNS based adblock on VyOS - how to add custom PDNS scripts?

I’m trying to implement DNS-based ad-blocking on VyOS. There is a method described here, but this requires adding

lua-dns-script=adblock.lua

to recursor.conf, which I found under /run/powerdns with the explicit warning that it’s overridden by VyOS. I could hack this with an @reboot crontab entry to add the above line, but I’m looking for a better way.

How do I add a config entry permanently to recursor.conf?

You could alter the file and restart the service in a post-commit hook.

https://docs.vyos.io/en/equuleus/automation/command-scripting.html#executing-pre-hooks-post-hooks-scripts

I just run Pi-hole in a container on VyOS and don’t run PDNS at all.

@sarthurdev: thanks, I’ll give that a try!

@jbhardman : thanks, but I was looking for a native solution without too much extra hassle/maintenance. I might give Pi-hole a try later on.

Seems to work! I now have the following setup:

Two files for PowerDNS, a blocklist (to be extended) and a parsing script:

vyos@vyos:~$ ls -l /run/powerdns/adblock-*
-rwxr-xr-x 1 pdns pdns  223 Feb 26 22:01 /run/powerdns/adblock-blocklist.lua
-rwxr-xr-x 1 pdns pdns 1080 Feb 27 15:21 /run/powerdns/adblock-script.lua
vyos@vyos:~$ cat /run/powerdns/adblock-script.lua
adservers=newDS()   -- suffix-match set: a listed name also matches its subdomains
-- permitted=newDS()

function preresolve(dq)
  -- if permitted:check(dq.qname) or (not adservers:check(dq.qname))  then
  if (not adservers:check(dq.qname)) then
    return false    -- not blocked: let the recursor resolve the query normally
  end

  -- Blocked: answer NXDOMAIN (non-existent domain) instead of resolving.
  dq.rcode = pdns.NXDOMAIN
  return true       -- true = this answer is final, no further resolution
end

-- Blocklist should contain something like:
-- return{"101com.com", "101order.com"}
adservers:add(dofile("/run/powerdns/adblock-blocklist.lua"))
-- permitted:add(dofile("/srv/config/permitted.lua"))
vyos@vyos:~$ cat /run/powerdns/adblock-blocklist.lua
return{"101com.com", "101order.com"}

And the final magic happens as a post-commit hook script in /config/scripts/commit/post-hooks.d/adblock.

Two notes:

  1. there is no .sh extension, since a . is not allowed in the filename (see also here and here).
  2. post-commit is also post-restart, so I restart the dns forwarding service again in this script. I tried a pre-commit hook as well, but that’s too early.
vyos@vyos:~$ ls -l /config/scripts/commit/post-hooks.d/
total 4
-rwxr-xr-x 1 root vyattacfg 411 Feb 27 20:20 adblock
#!/bin/vbash
# N.B. the script name is quite restrictive! See https://vyos.dev/T4917
source /opt/vyatta/etc/functions/script-template
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

# The hook runs on every commit, but recursor.conf is not regenerated on every
# commit, so append the line only if it is not already there.
LINE="lua-dns-script=/run/powerdns/adblock-script.lua"
grep -qxF "$LINE" /run/powerdns/recursor.conf || echo "$LINE" | sudo tee -a /run/powerdns/recursor.conf

# Need to restart PowerDNS in order to process conf change.
run restart dns forwarding
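As an added example (not code from this thread), the following POSIX shell script covers two checks a practitioner would want around the setup above. First, it generates the blocklist file from a hosts-format list: since the script loads that file with dofile(), the blocklist is executed as Lua code under the pdns user, so every entry is validated as a plain hostname before it is quoted into the table and anything else is dropped. Second, it adds the lua-dns-script line to recursor.conf only if that exact line is absent, which makes it safe in a hook that runs on every commit. The sample hosts lines are constructed, and the function names and the SUDO variable are assumptions of this example; the file paths are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: build the Lua blocklist that the
# preresolve script loads with dofile(), and add the lua-dns-script line to
# recursor.conf idempotently. Function names and SUDO are this example's own.

# Constructed sample input in hosts-file format (not a real blocklist).
# The last line shows why validation matters: dofile() would execute it.
SAMPLE_HOSTS='# comment line
0.0.0.0 101com.com
0.0.0.0 101order.com   # trailing comment
127.0.0.1 localhost
0.0.0.0 Ads.Example.NET
0.0.0.0 bad"]) os.execute("id") --
'

# Accept only DNS hostnames: dot-separated labels of [a-z0-9-], alphabetic TLD.
valid_hostname() {
  printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Read hosts lines on stdin; print a Lua "return{...}" table on stdout.
# Entries that are not valid hostnames are reported on stderr and dropped.
hosts_to_lua() {
  set -f                          # no glob expansion while splitting lines
  printf 'return{'
  sep=''
  while IFS= read -r line; do
    line=${line%%#*}              # strip comments
    set -- $line                  # split on whitespace (unquoted on purpose)
    [ $# -ge 2 ] || continue      # need an address and at least one name
    shift                         # drop the address column
    for host in "$@"; do
      host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
      case "$host" in
        localhost|localhost.localdomain|broadcasthost|ip6-*) continue ;;
      esac
      if valid_hostname "$host"; then
        printf '%s"%s"' "$sep" "$host"
        sep=','
      else
        printf 'hosts_to_lua: dropping invalid entry: %s\n' "$host" >&2
      fi
    done
  done
  printf '}\n'
  set +f
}

# Append "lua-dns-script=<script>" to <conf> unless that exact line is already
# present, so repeated calls (one per commit) never duplicate it.
# Set SUDO=sudo when <conf> is the pdns-owned /run/powerdns/recursor.conf.
ensure_lua_script_line() {
  conf=$1
  script=$2
  line="lua-dns-script=$script"
  if grep -qxF "$line" "$conf" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$line" | ${SUDO:-} tee -a "$conf" >/dev/null
}

# Usage on VyOS (paths as in the post above; hosts list fetched beforehand):
#   hosts_to_lua < /tmp/hosts.txt > /run/powerdns/adblock-blocklist.lua
#   SUDO=sudo ensure_lua_script_line /run/powerdns/recursor.conf \
#       /run/powerdns/adblock-script.lua
```

Because newDS() is a suffix-match set, a listed name such as 101com.com also blocks its subdomains, so the generated list does not need to enumerate them; the hostname check above deliberately rejects wildcard and address entries rather than trying to translate them.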

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.

Small fix: don’t store the script in /run/powerdns/, which is cleared on reboot, but in /config/scripts/ instead:

vyos@vyos:~$ cat /config/scripts/pdns-adblock-script.lua
adservers=newDS()   -- suffix-match set: a listed name also matches its subdomains
-- permitted=newDS()

function preresolve(dq)
  -- if permitted:check(dq.qname) or (not adservers:check(dq.qname))  then
  if (not adservers:check(dq.qname)) then
    return false    -- not blocked: let the recursor resolve the query normally
  end

  -- Blocked: answer NXDOMAIN (non-existent domain) instead of resolving.
  dq.rcode = pdns.NXDOMAIN
  return true       -- true = this answer is final, no further resolution
end

-- Blocklist should contain something like:
-- return{"101com.com", "101order.com"}
adservers:add(dofile("/config/scripts/pdns-adblock-blocklist.lua"))
-- in case you want to have whitelisted sites
-- permitted:add(dofile("/config/scripts/pdns-adblock-permitted.lua"))
vyos@vyos:~$ cat /config/scripts/pdns-adblock-blocklist.lua
return{"101com.com", "101order.com"}
vyos@vyos:~$ cat /config/scripts/commit/post-hooks.d/adblock
#!/bin/vbash
# N.B. the script name is quite restrictive! See https://vyos.dev/T4917
source /opt/vyatta/etc/functions/script-template
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

# The hook runs on every commit, but recursor.conf is not regenerated on every
# commit, so append the line only if it is not already there.
LINE="lua-dns-script=/config/scripts/pdns-adblock-script.lua"
grep -qxF "$LINE" /run/powerdns/recursor.conf || echo "$LINE" | sudo tee -a /run/powerdns/recursor.conf

# Need to restart PowerDNS in order to process conf change.
run restart dns forwarding
