Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/coonrad/macos-dns-sinkhole
Use dnsmasq on macOS to sinkhole DNS traffic to specified domains.
dns dnsmasq macos sinkhole
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/coonrad/macos-dns-sinkhole
- Owner: coonrad
- License: mit
- Created: 2024-06-28T06:13:54.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2024-06-28T07:20:16.000Z (6 months ago)
- Last Synced: 2024-11-07T02:09:47.230Z (about 2 months ago)
- Topics: dns, dnsmasq, macos, sinkhole
- Homepage:
- Size: 4.88 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# macOS-DNS-sinkhole
Use dnsmasq on macOS to sinkhole DNS traffic to specified domains.

This configuration has some limitations compared with a standard deployment of dnsmasq. The only DNS traffic directed to dnsmasq is for the domains matched in `/etc/resolver`. There doesn't seem to be a simple or easy way to direct all DNS traffic to dnsmasq on macOS. Despite this limitation, it is very easy and useful to be able to block DNS to any specified domains.
## Setup
Install dnsmasq:
```bash
# Macports
port install dnsmasq
# Homebrew
brew install dnsmasq
```
This configuration uses paths for MacPorts. Adjust your config accordingly for Homebrew.
Create directories.
```bash
sudo mkdir /opt/local/etc/dnsmasq/
sudo mkdir /etc/resolver
```
Edit `/opt/local/etc/dnsmasq.conf`.
```bash
rebind-localhost-ok
stop-dns-rebind
strict-order
domain-needed
bogus-priv
no-hosts
dns-forward-max=5000
cache-size=10000
log-queries
log-facility=/var/log/resolver.log
listen-address=127.0.0.1
conf-file=/opt/local/etc/dnsmasq/domains
```
Edit `/opt/local/etc/dnsmasq/domains`.
```bash
# custom domain block list
# each domain must have a matching record in /etc/resolver
local=/facebook.com/
local=/facebook.net/
local=/fb.com/
```
Create `/etc/resolver/` files for each domain.
```bash
printf "nameserver 127.0.0.1" | sudo tee /etc/resolver/facebook.com
printf "nameserver 127.0.0.1" | sudo tee /etc/resolver/facebook.net
printf "nameserver 127.0.0.1" | sudo tee /etc/resolver/fb.com
```
Load dnsmasq.
```bash
sudo port load dnsmasq
```
At this point dnsmasq is configured to listen on `127.0.0.1`. Any traffic for the domains listed in `/etc/resolver` will be directed to dnsmasq. Because each of those domains is declared `local` with no address to answer from, dnsmasq responds with `NXDOMAIN` and the domain will not resolve. You can verify this by running `host` or `dig` against `127.0.0.1` or by viewing the resolver log. (If you don't want to log queries to dnsmasq, comment out `log-facility` in the configuration file.)
```bash
Jun 27 23:59:33 dnsmasq[89]: query[A] facebook.com from 127.0.0.1
Jun 27 23:59:33 dnsmasq[89]: config facebook.com is NXDOMAIN
```
With some automation you should be able to block hundreds or thousands of domains. For instance, this bash function extracts the domains from the domains file and populates an entry for each one in `/etc/resolver`.
```bash
function dnsmasq_setup() {
    # Extract the domain from each `local=/example.com/` line.
    # sed is used instead of `grep -o -P`: macOS's BSD grep has no -P option, and an
    # unanchored match would also pick up "etc" from the "/etc/resolver" comment line.
    domains=$(sed -n 's|^local=/\([^/]*\)/.*|\1|p' /opt/local/etc/dnsmasq/domains)
    # Create a /etc/resolver file for each domain so macOS sends it to dnsmasq.
    for i in $domains; do
        echo "nameserver 127.0.0.1" | sudo tee /etc/resolver/"$i" >/dev/null
    done
    # Restart dnsmasq to pick up the new domain list.
    sudo port reload dnsmasq
}
```
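The setup above relies on two things staying in sync: every `local=/.../` line needs a matching `/etc/resolver` file (otherwise macOS never hands that domain to dnsmasq and the block silently does nothing), and the query log is the only evidence that a domain is actually being sinkholed. The following script is an added example and is not part of the macos-dns-sinkhole project: it audits that consistency (missing, misconfigured and stale resolver files) and summarizes the `config ... is NXDOMAIN` hits from a `log-queries` log in the format shown above. The function names, the parameterized paths and the fixture data are assumptions of this example; the real paths are the MacPorts ones from the README.

```shell
#!/bin/sh
# Added example (not project code): audit the dnsmasq/resolver sinkhole setup.
# Paths are parameters so the checks can run against a scratch copy; on a real
# system they would be /opt/local/etc/dnsmasq/domains, /etc/resolver and
# /var/log/resolver.log.

# audit_resolver_consistency DOMAINS_FILE RESOLVER_DIR
# Reports domains in the block list with no (or a wrong) resolver file, and
# resolver files whose domain is no longer in the block list. Returns 0 only
# when the two are fully consistent.
audit_resolver_consistency() {
    domains_file=$1
    resolver_dir=$2
    status=0
    # Pull the domain out of each `local=/example.com/` line (comments ignored).
    for d in $(sed -n 's|^local=/\([^/]*\)/.*|\1|p' "$domains_file"); do
        f="$resolver_dir/$d"
        if [ ! -f "$f" ]; then
            echo "MISSING resolver file for $d"
            status=1
        elif ! grep -q '^nameserver 127.0.0.1' "$f"; then
            echo "WRONG nameserver in $f (expected 127.0.0.1)"
            status=1
        fi
    done
    # Resolver files left behind after a domain was removed from the list
    # still divert that domain to dnsmasq, which would then forward it upstream.
    for f in "$resolver_dir"/*; do
        [ -f "$f" ] || continue
        d=$(basename "$f")
        grep -q "^local=/$d/" "$domains_file" || { echo "STALE resolver file $d"; status=1; }
    done
    return $status
}

# sinkholed_domains LOGFILE
# Print "domain count" for every domain dnsmasq answered NXDOMAIN from its own
# configuration, i.e. the evidence that the sinkhole is working for that domain.
# Log fields: Mon DD HH:MM:SS dnsmasq[pid]: config <domain> is NXDOMAIN
sinkholed_domains() {
    awk '/ config .* is NXDOMAIN$/ { hits[$(NF-2)]++ }
         END { for (d in hits) printf "%s %d\n", d, hits[d] }' "$1" | sort
}

# make_fixture DIR: build a constructed sample tree (not real system files) with
# one correctly configured domain, one missing its resolver file, one stale
# resolver file, and a short constructed query log.
make_fixture() {
    mkdir -p "$1/dnsmasq" "$1/resolver"
    cat > "$1/dnsmasq/domains" <<'EOF'
# custom domain block list
# each domain must have a matching record in /etc/resolver
local=/facebook.com/
local=/fb.com/
EOF
    printf 'nameserver 127.0.0.1\n' > "$1/resolver/facebook.com"
    printf 'nameserver 127.0.0.1\n' > "$1/resolver/old-tracker.example"
    cat > "$1/resolver.log" <<'EOF'
Jun 27 23:59:33 dnsmasq[89]: query[A] facebook.com from 127.0.0.1
Jun 27 23:59:33 dnsmasq[89]: config facebook.com is NXDOMAIN
Jun 27 23:59:40 dnsmasq[89]: query[AAAA] facebook.com from 127.0.0.1
Jun 27 23:59:40 dnsmasq[89]: config facebook.com is NXDOMAIN
EOF
}

# Demo on the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
audit_resolver_consistency "$demo_dir/dnsmasq/domains" "$demo_dir/resolver" || echo "audit found problems"
sinkholed_domains "$demo_dir/resolver.log"
rm -rf "$demo_dir"
```

On a real host, run the audit after every edit of the domains file (or from the `dnsmasq_setup` function above, before reloading) so that a forgotten resolver entry shows up immediately rather than as a domain that quietly keeps resolving.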