NIX4NetEng #6 DNS, ad-blocking, and quality of experience

The sixth [and arguably very overdue] installment of my NIX4NetEng series, this began as an overly complex diatribe about DNS. As it evolved, I realized that DNS is so complex and far reaching that it could never be contained in one meager post. DNS is a powerful tool. It has existed for so long that many who have never had the responsibility of running an authoritative or recursive resolver may take for granted the extensive reach of a tool so ingrained in the fabric of the internet that it is frequently overlooked, much like a utility such as electricity or running water. Over time DNS has been reviled as the weak link in the chain that is the internet and revered as the binding agent that makes the internet as we know it function. As someone who has run service provider and large campus resolvers, both recursive and authoritative, my opinion is that it is both. In the old days, and even now, black hat players will often target resolvers to perform DNS poisoning and will employ techniques such as flux and double flux to obfuscate their bot herders. Content providers use DNS tricks and anycast DNS to steer eyeballs to the topologically closest resource. Wifi hotspots use DNS to capture and force users through a captive portal. As users at large surf the web, advertisers utilize DNS to deliver advertising. Google does this, Yahoo does it, Hulu and other streaming video services do it. It has also been known to deliver pretty nasty malware. That’s why when internet and security ninja Sam Oehlert pointed me at this project called pi-hole, I knew that it would be a blog post. Pi-hole is a recursive resolver based on the venerable dnsmasq that actively blocks and logs ads. And it WORKS. The initial project was aimed at running this on a Raspberry Pi as a hardware based resolver for a small network. While this works well, it’s really just a Linux service that can be run as a Docker container or a standard LXC container.
I decided to set this up as a Linux container on my Proxmox box. The install is as simple as running a single command and walking through some simple menus.

curl -L install.pi-hole.net | bash

The install is straightforward and allows for both IPv4 and IPv6 ad blocking, should your network support it (which it should!). Like any self-funded open source project, I have found a few caveats and hidden features with it:
Feb 27 16:28:04 dnsmasq[7620]: /etc/pihole/gravity.list s.youtube.com is 10.209.209.10
Feb 27 16:28:04 dnsmasq[7620]: query[AAAA] pubads.g.doubleclick.net from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: /etc/pihole/gravity.list pubads.g.doubleclick.net is 2001:470:c03a:809::a
Feb 27 16:28:04 dnsmasq[7620]: query[A] pubads.g.doubleclick.net from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: /etc/pihole/gravity.list pubads.g.doubleclick.net is 10.209.209.10
Feb 27 16:28:04 dnsmasq[7620]: query[A] r2---sn-vgqs7nls.googlevideo.com from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: forwarded r2---sn-vgqs7nls.googlevideo.com to 75.75.76.76
Feb 27 16:28:04 dnsmasq[7620]: query[AAAA] r2---sn-vgqs7nls.googlevideo.com from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: forwarded r2---sn-vgqs7nls.googlevideo.com to 75.75.76.76
Feb 27 16:28:04 dnsmasq[7620]: query[AAAA] manifest.googlevideo.com from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: forwarded manifest.googlevideo.com to 75.75.76.76
Feb 27 16:28:04 dnsmasq[7620]: query[A] manifest.googlevideo.com from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: forwarded manifest.googlevideo.com to 75.75.76.76
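The log above shows the two outcomes Pi-hole's dnsmasq records for every query: a name found in gravity.list is answered with the Pi-hole's own address (here 10.209.209.10, or its IPv6 equivalent), while everything else is forwarded upstream. As an added example that is not part of the original post or of the Pi-hole project, the script below pairs each query line with the gravity.list or forwarded line that answered it and tallies blocked versus forwarded per client; the sample log is constructed in the same format as the excerpt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dnsmasq log format shown above (illustrative
# hostnames and addresses, not captured from a real network).
SAMPLE_LOG = """\
Feb 27 16:28:04 dnsmasq[7620]: query[AAAA] pubads.g.doubleclick.net from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: /etc/pihole/gravity.list pubads.g.doubleclick.net is 2001:470:c03a:809::a
Feb 27 16:28:04 dnsmasq[7620]: query[A] pubads.g.doubleclick.net from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: /etc/pihole/gravity.list pubads.g.doubleclick.net is 10.209.209.10
Feb 27 16:28:04 dnsmasq[7620]: query[A] manifest.googlevideo.com from 10.209.89.21
Feb 27 16:28:04 dnsmasq[7620]: forwarded manifest.googlevideo.com to 75.75.76.76
Feb 27 16:28:05 dnsmasq[7620]: query[A] s.youtube.com from 10.209.89.30
Feb 27 16:28:05 dnsmasq[7620]: /etc/pihole/gravity.list s.youtube.com is 10.209.209.10
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"/etc/pihole/gravity\.list (\S+) is (\S+)$")
FWD_RE = re.compile(r"forwarded (\S+) to (\S+)$")


def _claim(pending, name):
    """Attribute an outcome line to the oldest unanswered query for that name."""
    return pending[name].pop(0) if pending[name] else "unknown"


def summarize(log_text):
    """Return ({client: Counter(blocked/forwarded)}, Counter of blocked names).

    dnsmasq writes the query and its resolution as separate lines, so queries
    are queued per name (A and AAAA for the same name are both queued) and the
    next gravity.list or forwarded line for that name consumes one of them.
    """
    pending = defaultdict(list)
    per_client = defaultdict(Counter)
    blocked_domains = Counter()
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            _qtype, name, client = m.groups()
            pending[name].append(client)
        elif m := BLOCK_RE.search(line):
            name, _sinkhole_addr = m.groups()
            per_client[_claim(pending, name)]["blocked"] += 1
            blocked_domains[name] += 1
        elif m := FWD_RE.search(line):
            name, _upstream = m.groups()
            per_client[_claim(pending, name)]["forwarded"] += 1
    return per_client, blocked_domains


if __name__ == "__main__":
    clients, blocked = summarize(SAMPLE_LOG)
    for client, counts in sorted(clients.items()):
        print(f"{client}: blocked={counts['blocked']} forwarded={counts['forwarded']}")
    print("most blocked:", blocked.most_common(3))
```

Point it at /var/log/pihole.log on a live install to see which clients generate the most blocked lookups and which ad domains dominate.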
Completely ignoring the merit or unethical nature of blocking revenue generating advertisements (which I personally make a small amount of money from on my YouTube channel), this is a recommended project that exposes networking folks to Unix, critical network services, as well as security. Throw them some beer or coffee money if you find it useful. They’ve earned it.