Install BIND for DNS and ad-blocking on CentOS 7

This post is for installing BIND on CentOS 7 to use as a local DNS server, and including a pre-configured zone file containing over 2000 of the most common ad server domain names. Basically what will happen is when you visit a webpage that sends a request to one of these ad servers, it will redirect that request to a webserver running on this DNS server, and serve up a transparent 1x1 pixel gif file. That means the DNS request prevents the HTTP/S request from ever leaving your network, causing webpages to load a tad faster, and provide a 99.9% ad-free browsing experience!

In my setup I have SELinux disabled (sed -i /etc/selinux/config -r -e 's/^SELINUX=.*/SELINUX=disabled/g'). If you disable selinux (or firewalld), you do so at your own risk. It is not advisable to do either if your server is directly accessible on the internet (this one should not be), so please do so at your own risk! At the bottom of this post I've included the simple rules needed for firewalld.

Let's Get Started!

1.) updates and requisites:
yum -y update && yum -y install bind httpd wget && systemctl reboot
2.) BIND configuration:
mv /etc/named.conf /etc/named.conf.orig
vi /etc/named.conf
---
acl "trusted" {
    172.16.1.0/24;
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };

    recursion yes;
    allow-recursion { trusted; };
    listen-on { 172.16.1.101; };
    allow-transfer { none; };

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;

    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    forwarders {
    8.8.8.8;
    8.8.4.4;
    };
    forward first;

};

logging {
        channel default_debug {
                 file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "domain.local" IN {
    type master;
    file "domain.local.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/named/blacklists/ads";
---

There are a few things in this config that you will need to customize to your environment.
First, at the top is an acl config with currently shows 172.16.1.0/24. You will need to update this to your network.
Second, you will need to find and change the listen-on IP, and set that to the IP of the server you're installing on.
Third, the above config has the forwarders server set to Google's DNS servers. If you're fine with that, no change is needed. If you want to change that, just replace the two IP's there with your ISP's DNS servers, or others.
Lastly, you will need to update the "zone" config, which is set to domain.local. Using blitz.home as an example, it should look like this:

zone "blitz.home" IN {
    type master;
    file "blitz.home.zone";
};
3.) create ad-block zone:
vi /var/named/null.zone.file
---
$TTL 86400
@   IN  SOA dns01.domain.local. hostmaster.domain.local. (
            2016010100  ; serial
            21600       ; refresh after 6 hours
            3600        ; retry after 1 hour
            604800      ; expire after 1 week
            86400   )   ; minimum TTL of 1 day

        IN  NS  dns01.domain.local.

@       IN  A   127.0.0.1
*       IN  A   127.0.0.1
---

Above is the zone file that is used to redirect ad requests. Again, you need to make changes for your environment. In the second line:

@   IN  SOA dns01.domain.local. hostmaster.domain.local. (

you will need to update to your domain. Using my previous example, you would want to set to:

@   IN  SOA dns01.blitz.home.   hostmaster.blitz.home. (

Leave hostmaster as is, but dns01 will need to be changed to the domain name of this server (dns01, in my example). Likewise, you will need to update line 9 as well, to:

IN  NS  dns01.blitz.home.
4.) local DNS forward zone:

When creating the next file, replace domain.local.zone with your domain name as specified in the named config in step #2; i.e. blitz.home.zone. Otherwise, named will not be able to find this file and start the service.

vi /var/named/domain.local.zone   # CHANGE THE FILE NAME AS DIRECTED ABOVE
---
$TTL 86400
@   IN  SOA dns01.domain.local. hostmaster.domain.local. (
            2015122100  ; serial
            21600       ; refresh after 6 hours
            3600        ; retry after 1 hour
            604800      ; expire after 1 week
            86400   )   ; minimum TTL of 1 day

        IN  NS  dns01.domain.local.

dns01       IN  A   172.16.1.101
fw01        IN  A   172.16.1.254
dns         IN  CNAME   dns01
---

Just like in the ad-block zone file, you will need to update line 2 and line 9 with your relevant domain info. Down toward the end of the file I have two examples of how to manually add DNS records (A records). Just use this same format if you want to add any of your own. The bottom line is for creating a CNAME record for dns, and pointing it to my server named dns01. If this server is not named dns01 for you, replace dns01 with the correct name. Now if you ever go back and update this file (which is normal), update the serial (line 3) so named will know to reread this file since it's been updated. The serial is 10 digits, and is best used in a date format (i.e., YYYYMMDDVV, where Y=Year, M=Month, D=Day, V=Version). Just restart the named service after changes have bene made.

5.) download ad blacklist zone file:
mkdir -p /var/named/blacklists
wget -O /var/named/blacklists/ads 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext'

Here we are just making a directory, and downloading a pre-configured zone file with over 2000 ad domains listed, and renamining the file to ads.

6.) httpd config:
wget -O /var/www/html/a.gif 'http://probablyprogramming.com/wp-content/uploads/2009/03/tinytrans.gif'

Above we downloaded the 1x1 transparent gif file that we'll serve up instead of ads. Next we need to update the httpd config with rewrite rules to know when/how to serve the file. We need to open the file for editing, and just add in a few lines inside the <Directory "/var/www"> section.

vi /etc/httpd/conf/httpd.conf
---
<FilesMatch "a.gif$">
    Header set Cache-Control "max-age=290304000, public"
</FilesMatch>

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule ^(.*)$ http://localhost/a.gif
---
7.) start services and configure firewalld:
systemctl enable named.service && systemctl enable httpd.service   # Enable services
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
systemctl reboot   # System reboot

From here you just need to configure your client computer to use this server as it's DNS server, and you should then be ad free! If it's not working right, or you're having problem, just me know and I'd be glad to help out!


Related Posts


Share on: Twitter | Facebook | Google+ | Email


comments powered by Disqus