Every so often I’ll log DNS queries so I can discover domains I’d like
to block: anything that’s a beacon, webbug, tracker, or the like. When
I find those domains I add them to /etc/hosts with an non-routable
address of 0.0.0.0. Probably not kosher, but it’s better than it
trying localhost and potentially hitting a webserver I have running.
I installed dnsmasq and run it
without starting a daemon.
I have to configure 127.0.0.1 to be the first nameserver so the
requests go to the local port 53 first. The DNS requests then pass
through dnsmasq and onto the next DNS server since I don’t actually
resolve any addresses.
I leave it open in a terminal window and hope that I remember to kill
it later because it collects a lot of information:
From there, I can collate the query lines and sort them by frequency:
Right away two domains stand out: play.google.com and
otmwumj6qw5em0zb.me. The first is a Google service I don’t want and
the second was probably from some clickbait trap. I usually don’t care
enough to investigate further.
I investigate with whois and find otmwumj6qw5em0zb.me hidden
behind Domains By Proxy, so likely something I don’t want to use:
Now, here’s the tricky part. I want to block these at the DNS level
by returning a null host. But, if I took a long list of suspects and
blocked them all at once, I’m likely to break part of (well, more of)
the web for me. I’ll add them one at a time and wait a bit if I’m unsure
what they do. If something breaks horribly, such as GMail not working,
I’ll back out the small change.