[Dnsmasq-discuss] dnsmasq + apache for less annoying web?

Grant Coady grant_nospam@dodo.com.au
Wed, 02 Mar 2005 19:12:44 +1100


Greetings,

Peter Willis pointed me at:
http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt

which offers a clue but double-handles domain names; combining 
that example with an anti-proxy method from the Apache FAQ, 
one can set up an efficient deny_domain list.

I present this information because I found it useful, perhaps 
others have different approaches or comments?

This is how I see it:

o Dropping uninteresting domains in the firewall is no good, 
  as the user is forced to endure timeouts.

o Blocking javascript globally is no good as some sites 
  require scripting for correct operation.

o Apache virtual server operation makes the first server 
  the default.  This first entry may be used to filter 
  anything as 'valid' virtual hosts are explicitly named 
  later in the configuration.

o Dnsmasq may include other configuration files, we may 
  use this feature to maintain a single deny_domain list.

o Reading page source and finding 'pop-under version 1.8...' 
  javascript indicates blocking *.js from known domains may 
  prove a good thing.

o Returning a script.js instead of an image for .js requests 
  seems safer to me, so I return 'splat.js' (//splat!)

o It is very easy to build on other people's efforts, but 
  there may be errors lurking...

Changes:

Added a line to /etc/dnsmasq: 
  conf-file=/usr/local/etc/deny_domains

Which contains:

address=/2o7.net/192.168.1.1
address=/6to23.com/192.168.1.1
address=/adbureau.net/192.168.1.1
. . . (103 entries)

Added the following to the start of the virtual hosting section 
in /etc/apache/httpd.conf (much context included; the 'req_ref' 
log format is request + referer, i.e. 'combined' minus user-agent):
. . .
# Use name-based virtual hosting.
#
NameVirtualHost *:80

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

# First server listed is the default server, based on information from
#  http://httpd.apache.org/docs/misc/FAQ.html Q.22, we setup the default
#  to return an error to hosts seeking an open proxy.
# All public access virtual servers have their document root one level
#  down from the server document root set above; the main root is
#  available only to local machines.  Grant Coady -- 2005-02-03

#<VirtualHost *>
#  ServerName default.only
#  <Location />
#    Order allow,deny
#    Deny from all
#  </Location>
#</VirtualHost>

# idea: http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt
# problem with their solution is it requires naming each unwanted domain,
#  instead we try to merge it with the default 'unknown host' that denies
#  access by IP address.  Our deny_list is part of dnsmasq, right now with
#  the above commented out setting, the server returns 'forbidden' for
#  access as 192.168.1.1 -- no need for IP alias games, nor maintaining
#  duplicated ad-host-deny-list.  That's the plan, let's see now...

<VirtualHost *>
    ServerName   default.only
    DocumentRoot /var/www/web/splat
    ErrorLog     /var/log/apache/splat-error.log
    CustomLog    /var/log/apache/splat-access.log req_ref

    <Directory "/var/www/web/splat">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        RewriteEngine On
        # A RewriteCond needs a test string before the pattern; match the
        #  requested URI, case-insensitively, against '.js' at the end.
        RewriteCond %{REQUEST_URI} \.js$ [nocase]
        # [last] stops here, otherwise the next rule would rewrite the
        #  freshly substituted 'splat.js' to index.gif as well.
        RewriteRule .* splat.js [last]
        # Everything else (images, html, ...) gets the 1x1 image.
        RewriteRule .* index.gif [last]
    </Directory>
# FIXME don't think I need next bit?
#    <IfModule mod_dir.c>
#        DirectoryIndex index.html index.htm index.shtml index.cgi index.pl index.php
#    </IfModule>
</VirtualHost>
. . .

Results?

Apache access log shows deny_domain list members are receiving 
the 87 byte image, the 10 byte splat.js, but mainly a 304 (no new 
file) response.

Normal access by valid virtual domain names is unaffected.  

Works for me so far...

Cheers,
Grant.
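As an added example (not code from Grant's post, nor from dnsmasq or Apache), the Python below models the pieces the post combines: parsing the address=/domain/ip deny list, dnsmasq's suffix matching of those entries (an entry covers the domain and everything below it, on label boundaries, so 'ad2o7.net' is not caught by '2o7.net'), the default vhost's .js-versus-image choice, and a tally of a req_ref-format access log. The deny-list excerpt and the three log lines are constructed; the 87 and 10 byte sizes are the ones reported in the post.

```python
"""Model of the dnsmasq + Apache 'splat' setup described above: the
address=/domain/ip sinkhole list, dnsmasq's suffix matching of those
entries, the default vhost's .js-vs-image choice, and a tally of a
req_ref-format access log.  Added example, not code from the post."""
import re

# Constructed excerpt of the /usr/local/etc/deny_domains file (the real
# file in the post has 103 entries); the comment line is a constructed
# addition to show that it is skipped.
DENY_DOMAINS_TEXT = """\
# ad / tracking hosts sunk to the local Apache
address=/2o7.net/192.168.1.1
address=/6to23.com/192.168.1.1
address=/adbureau.net/192.168.1.1
"""

# Constructed lines in the post's 'req_ref' format (combined minus
# user-agent); sizes 87 and 10 are the ones reported in the post.
SPLAT_ACCESS_LOG = """\
192.168.1.20 - - [02/Mar/2005:19:01:02 +1100] "GET /ads/banner.gif HTTP/1.1" 200 87 "http://example.com/"
192.168.1.20 - - [02/Mar/2005:19:01:03 +1100] "GET /pop/under.js HTTP/1.1" 200 10 "http://example.com/"
192.168.1.21 - - [02/Mar/2005:19:02:10 +1100] "GET /ads/banner.gif HTTP/1.1" 304 - "http://example.org/"
"""

_ADDRESS_RE = re.compile(r"^address=/([^/\s]+)/(\S+)$")
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)"$')


def parse_deny_domains(text):
    """Return {domain: ip} from address=/domain/ip lines.

    Blank lines and '#' comments are skipped, as dnsmasq does; any other
    line is rejected so a typo cannot silently drop a domain from the list.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ADDRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an address=/domain/ip entry: {raw!r}")
        table[m.group(1).lower().rstrip(".")] = m.group(2)
    return table


def resolve(name, table):
    """Answer for a query as dnsmasq would: address=/d/ip covers d itself
    and every name below it, matched on label boundaries, so 'ad2o7.net'
    is NOT caught by '2o7.net'.  None means 'forward upstream'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def splat_response(request_uri):
    """What the default vhost's rewrite rules hand back for a sunk request:
    a .js path (any case, query string ignored like %{REQUEST_URI}) gets
    the stub script, anything else gets the 1x1 image."""
    path = request_uri.split("?", 1)[0]
    if re.search(r"\.js$", path, re.IGNORECASE):
        return "splat.js"
    return "index.gif"


def summarize_splat_log(text):
    """Tally {(served file, status): (hits, bytes)} over req_ref log lines;
    a 304 carries '-' for the size and counts as zero bytes sent."""
    summary = {}
    for raw in text.splitlines():
        m = _LOG_RE.match(raw)
        if not m:
            continue  # malformed line: skip rather than crash the report
        key = (splat_response(m.group("path")), int(m.group("status")))
        sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        hits, total = summary.get(key, (0, 0))
        summary[key] = (hits + 1, total + sent)
    return summary


if __name__ == "__main__":
    deny = parse_deny_domains(DENY_DOMAINS_TEXT)
    for q in ("metrics.2o7.net", "ad2o7.net", "www.example.com"):
        print(f"{q:20} -> {resolve(q, deny)}")
    for key, (hits, total) in sorted(summarize_splat_log(SPLAT_ACCESS_LOG).items()):
        print(f"{key[0]} {key[1]}: {hits} hit(s), {total} bytes")
```

Running it stand-alone prints which queries land on 192.168.1.1 and a per-file/status tally of the constructed log; pointing summarize_splat_log at a real splat-access.log in the same req_ref format gives the breakdown the "Results?" paragraph describes. The strict parser is deliberate: a malformed line in deny_domains is worth noticing, because dnsmasq will simply forward that domain upstream and the ad loads as normal.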