# Assuming a Properly configured DNSMasq
###### a quickstart for dnsmasq is given at the end if you have not set it up yet.

---

Something like this will add a great, regularly updated malware blocklist for dnsmasq to use. More security and privacy to you!

Specifically, this uses https://github.com/StevenBlack/hosts

Choose one of the Raw Hosts files from there to use.

To set this up with DNSMasq, follow the below ...

```
wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/0.0.0.0"}' > /etc/dnsmasq.d/malware.conf
```

For IPv6, add in this too:

```
wget -O- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | awk '$1 == "0.0.0.0" { print "address=/"$2"/::1"}' > /etc/dnsmasq.d/malware-ipv6.conf
```

You could also use that line in a cron job to have it run periodically.

I have attached a file **dnsmasq-antimalware** with this gist, which I dump into /etc/cron.weekly. It basically does the above and updates the dnsmasq-formatted file weekly.

The only thing you *might* need to configure is your choice of hosts file. Edit "HOSTS_RAW" as needed.

And of course, restart dnsmasq.

If you have not set up dnsmasq, there is a heap of documentation online, or just follow the quick steps below.

***

## Quickstart DNSMasq Setup, just in case

1. Install DNSMasq

   Debian: `apt-get install dnsmasq`

   Others: install dnsmasq from whatever package manager is present; it will likely be available in the distro.

2. Configure DNSMasq as needed.

   Edit as needed; I have added the main config I use below. Because `no-resolv` stops dnsmasq from reading upstream servers out of /etc/resolv.conf, add `server=` lines for the upstream resolvers you want it to use.

   #### /etc/dnsmasq.conf ( or /etc/dnsmasq.d/dnsmasq.conf if configured in Debian as such )

   ```
   domain-needed
   bogus-priv
   no-resolv
   clear-on-reload
   strict-order
   no-negcache
   no-poll
   cache-size=1000
   ```

3. Let's point the command line to use dnsmasq by default, if you are using the resolvconf package.
   Basically, configure your system so that /etc/resolv.conf has only one nameserver configured, pointing to localhost, or make sure this local DNS is the *first* listed nameserver.

   Tip: For many public wifis, you might also need to configure a second nameserver pointing to an external DNS. I usually leave a second nameserver with a public nameserver of my choosing. No need to, just keep this in mind since it could catch you out. Any lookup answered by that second nameserver skips the blocklist.

   `echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base`

4. Let's also configure NetworkManager to use this dnsmasq.

   This ensures no other config is needed for each interface configured by NetworkManager. Put a line like so in

   #### /etc/NetworkManager/NetworkManager.conf:

   Look for [main] and add a line as indicated below (and of course restart NetworkManager, or just reboot). I use a separate dnsmasq process, hence the config below, which basically tells NetworkManager not to touch resolv.conf.

   ```
   [main]
   dns=none
   ```

* With the above config, I do not actually use /etc/resolv.conf, so check and adjust your system according to your choice. The above setup hints for Dnsmasq + NetworkManager are really hints only. Mileage will vary. Alternatively, the option dns=systemd-resolved could also work instead.
* This is tested across recent Fedora (24+) & Debian boxes.
* Bonus tip: It's a smallish step up from here to get DNSCrypt going as well; will add a link once I get down to documenting that.
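
For the periodic update described near the top, a more defensive variant is sketched here as an added example; it is not the gist's attached **dnsmasq-antimalware** script. It accepts only plain hostnames from the list, skips the list's own `0.0.0.0 0.0.0.0` entry, and replaces the live file only after a size check and `dnsmasq --test` pass. The function names, the `MIN_RULES` threshold and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's dnsmasq-antimalware script.
# Function names, MIN_RULES and the sample lines are assumptions made here.

# Turn hosts lines on stdin into dnsmasq rules; $1 is the sinkhole address.
# Only "0.0.0.0 <plain-hostname>" lines pass, so a field containing "/" or
# other odd characters cannot change the meaning of the generated address= line.
hosts_to_dnsmasq() {
    tr -d '\r' | awk -v sink="$1" '
        $1 == "0.0.0.0" && $2 != "0.0.0.0" &&
        $2 ~ /^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$/ {
            print "address=/" tolower($2) "/" sink
        }'
}

# Constructed sample input for an offline dry run.
sample_hosts() {
    printf '%s\n' '# Title: sample' '127.0.0.1 localhost' '0.0.0.0 0.0.0.0' \
        '0.0.0.0 Ads.Example.COM' '0.0.0.0 bad/name.example' \
        '0.0.0.0 tracker.example.net # inline comment'
}

MIN_RULES=${MIN_RULES:-1000}  # assumed floor; far fewer rules suggests a bad download

# $1 = hosts URL, $2 = destination file, $3 = sinkhole address.
# The live file is replaced only if download, size check and syntax check pass.
update_blocklist() {
    raw=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$raw"; return 1; }
    wget -q -O "$raw" "$1" \
        && hosts_to_dnsmasq "$3" < "$raw" > "$new" \
        && [ "$(grep -c '^address=' "$new")" -ge "$MIN_RULES" ] \
        && dnsmasq --test --conf-file="$new" \
        && install -m 0644 "$new" "$2"
    rc=$?
    rm -f "$raw" "$new"
    return "$rc"
}

case "${1:-}" in
    demo)   sample_hosts | hosts_to_dnsmasq 0.0.0.0 ;;
    update) HOSTS_RAW=${HOSTS_RAW:-https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts}
            update_blocklist "$HOSTS_RAW" /etc/dnsmasq.d/malware.conf 0.0.0.0 \
                && update_blocklist "$HOSTS_RAW" /etc/dnsmasq.d/malware-ipv6.conf ::1 ;;
esac
```

Run it with `demo` to see the conversion on the sample lines, or with `update` from cron, then restart dnsmasq as described above.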