If you like the idea of
- Saving bandwidth
- Removing annoying ads while browsing the web
- Minimising the likelihood of having your privacy compromised by spyware, unwanted analytics, malicious scripts pulled in from third-party domains, and the like
- Gaining control over who can download what
- Monitoring what exactly is being downloaded, or even attempted
keep reading, if you'd like to know the process I took to achieve the above.
hosts file
Most, if not all, operating systems have a hosts file.
You can add all the dodgy domains you want blocked to your hosts file and point them at the loopback address (127.0.0.1), so requests for them never leave your machine. The resolver consults the hosts file before DNS, so this works as long as the file is kept up to date.
This is one alternative for blocking these domains.
Example hosts files
http://hostsfile.mine.nu/downloads/
http://winhelp2002.mvps.org/hosts.htm
http://someonewhocares.org/hosts/
On some systems, if you add the dodgy sites to your hosts file, you may experience the "waiting for the ad server" problem.
As far as your browser is concerned these URLs now point at localhost, and if nothing is listening there the browser may sit waiting for the blocked server until the request times out.
In this case you could use eDexter to serve up a local image instead of waiting for a server timeout.
At this time, only OS X and Windows versions are available.
There is an alternative: JavaDog will apparently run on all platforms that have a Java VM.
It doesn't appear to be in the Debian repositories, at least not the ones I'm using.
I read here: "As for eDexter, Firefox in Linux doesn't seem to have the 'waiting for the ad server' problem Mozilla in Windows had."
From my experience it does.
I had a quick look at JavaDog for Linux and found this site.
It can be an administrative pain to keep the hosts file up to date with the additions and removals of domains, although Linux users could use the script here to do the updating and run it from a cron job.
If you're on a Windows box you may run into another type of slowdown: every 25 minutes, for about 5 minutes, with apparently 100% CPU usage, resulting in the described DNS cache timeout error.
There is a workaround, disabling the DNS Client service, but I wouldn't be very happy with it.
If you rely on Network Discovery (which lets you see other computers on your network and lets them see you), this is not going to be a solution.
As stated here
A better Win7/Vista workaround would be to add two Registry entries to control the amount of time the DNS cache is saved.
- Flush the existing DNS cache (see above)
- Start > Run (type) regedit
- Navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- Click Edit > New > DWORD Value (type) MaxCacheTtl
- Click Edit > New > DWORD Value (type) MaxNegativeCacheTtl
- Next right-click on the MaxCacheTtl entry (right pane) and select: Modify and change the value to 1
- The MaxNegativeCacheTtl entry should already have a value of 0 (leave it that way – see screenshot)
- Close Regedit and reboot …
- As usual you should always backup your Registry before editing … see Regedit Help under “Exporting Registry files”
If you decide to give the hosts file a go:
On Linux it's found at /etc/hosts.
On Windows its location is defined by the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
Usually here:
Windows 7/Vista/XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Make sure you back up the hosts file in case anything goes wrong.
Make sure you don't remove what's already in your default hosts file, especially the loopback entries at the top, which on a Debian install look like this:
127.0.0.1 localhost
127.0.1.1 [MyComputerName].local [MyComputerName]
Just add the new entries at the bottom of the hosts file, and remove any duplicate entries.
You will then have to flush your DNS cache, if you have one.
If you're on Windows:
Clear your browser's cache and close all browsers.
From a cmd prompt run
ipconfig /flushdns
or reboot the machine.
If you're on Linux (Debian):
Clear your browser's cache. That may be all you need to do: the glibc resolver reads /etc/hosts on every lookup, so there is nothing to flush unless a local caching daemon is running.
If one is, restart it. For nscd, at the command prompt (as root):
/etc/init.d/nscd restart
Other guides suggest "killall -hup inetd" (without the quotes) for other distros, but inetd plays no part in name resolution and a HUP only makes it re-read its own configuration, so it won't clear anything.
I found that just updating the file was enough to see the changes,
as my default Debian Lenny install doesn’t have a DNS cache.
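To take the administrative pain out of the hosts-file approach described above (the cron-driven update, and the manual rules of backing up, keeping the default loopback lines, appending at the bottom and removing duplicates), here is an added example of an update script. It is not the script linked in the post and not the author's code. It assumes a downloaded blocklist in hosts-file format, and it treats any entry that does not point at a loopback or blackhole address as a tampered list and drops it, because a hosts file can redirect a domain just as easily as block it. The marker strings, the 127.0.0.1 target and the nscd check are my choices, not taken from the post.

```shell
#!/bin/sh
# update-hosts-blocklist.sh
# Added example, not the post's own update script. It rebuilds the hosts file
# from two parts: the protected section (everything above a marker line, so the
# loopback entries and your own hosts are never touched) and a sanitised,
# de-duplicated blocklist appended below the marker. Re-running it, e.g. from
# cron, replaces only the managed section.
#
# Assumptions (mine, not from the post): the blocklist is in hosts-file format,
# "<ip> <name> [<name> ...] [# comment]", and a legitimate list only ever maps
# names to a loopback or blackhole address. Any other target would redirect
# traffic rather than block it (a hijacked or tampered list), so such lines are
# dropped instead of installed.

BLOCK_ADDR="127.0.0.1"     # blocked names resolve here, as in the post
BEGIN_MARK="# BEGIN blocklist (managed section, edit above this line only)"
END_MARK="# END blocklist"

# sanitize_blocklist FILE
# Print "BLOCK_ADDR name" for each acceptable entry, sorted and de-duplicated.
# Dropped: comments, lines not pointing at 127.0.0.1 / 0.0.0.0 / ::1, names with
# characters outside [a-z0-9.-], and the localhost names themselves.
sanitize_blocklist() {
    awk -v addr="$BLOCK_ADDR" '
        { sub(/#.*/, "") }                      # strip comments; $0 is re-split
        NF < 2 { next }                         # blank or address-only line
        $1 != "127.0.0.1" && $1 != "0.0.0.0" && $1 != "::1" { next }  # hijack guard
        {
            for (i = 2; i <= NF; i++) {         # one line may list several names
                h = tolower($i)
                if (h !~ /^[a-z0-9][a-z0-9.-]*[a-z0-9]$/) continue
                if (h ~ /^localhost(\.localdomain)?$/) continue
                print addr, h
            }
        }' "$1" | sort -u
}

# merge_hosts CURRENT_HOSTS BLOCKLIST
# Print the new hosts file: the protected section of CURRENT_HOSTS (the whole
# file if it has no marker yet), then the sanitised blocklist between markers.
# Names already defined in the protected section are skipped: the resolver
# takes the first match anyway, so a duplicate would only be clutter.
merge_hosts() {
    protected=$(awk -v mark="$BEGIN_MARK" '$0 == mark { exit } { print }' "$1")
    printf '%s\n' "$protected"
    printf '%s\n' "$BEGIN_MARK"
    sanitize_blocklist "$2" | awk -v prot="$protected" '
        BEGIN {
            n = split(prot, lines, "\n")
            for (i = 1; i <= n; i++) {
                line = lines[i]
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                m = split(line, f, /[ \t]+/)
                for (j = 2; j <= m; j++) seen[tolower(f[j])] = 1
            }
        }
        !($2 in seen) { print }'
    printf '%s\n' "$END_MARK"
}

# install_hosts BLOCKLIST [HOSTS_FILE]
# Back up the live file first (the post's first rule), write the merged result
# atomically so a reader never sees a half-written file, then restart nscd only
# if that cache is actually installed; plain glibc needs no flush.
install_hosts() {
    list="$1"
    hosts="${2:-/etc/hosts}"
    cp -p "$hosts" "$hosts.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp "$hosts.XXXXXX") || return 1
    merge_hosts "$hosts" "$list" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$hosts" || {
        rm -f "$tmp"; return 1; }
    if [ -x /etc/init.d/nscd ]; then
        /etc/init.d/nscd restart
    fi
}

# Usage (as root), e.g. from a daily cron job, after fetching one of the lists
# linked above into a temporary file:
#   wget -qO /var/tmp/hosts.txt <URL of the hosts list>
#   install_hosts /var/tmp/hosts.txt
```

merge_hosts is safe to run as any user to preview the result; only install_hosts needs root, and it is idempotent, so a cron job can call it every day without the managed section growing. The hijack guard is the part worth keeping even if you change everything else: a blocklist fetched over plain HTTP is only trustworthy if every line it installs points back at your own machine.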
Adblock Plus
I decided to just give the Firefox add-on Adblock Plus a try, as I thought it would be a lot easier, with less (zero) administrative overhead.
Just make sure you've got a good filter subscription selected. I used EasyList (English).
As I was on Lenny, Adblock Plus wasn't available for Iceweasel (Firefox on Debian) 3.0.6 unless I installed the later version of Iceweasel from the backports.debian.org repository.
I looked in Tools->Add-ons->Get Add-ons and searched for Adblock Plus.
I was planning on performing a re-install of Debian testing soon anyway, but was keen on giving Adblock Plus a try now.
Installing Iceweasel (firefox) from backports
Most won’t have to do this, but I’m still on old stable.
This site is quite helpful
For most people it will just mean a change to their /etc/apt/sources.list.
If you are running Debian Lenny you would have to add the following line:
deb http://backports.debian.org/debian-backports lenny-backports main contrib non-free
For later versions of Debian, substitute the version-specific part with your version's code name.
As I’m using apt-proxy to cache my packages network wide, I had to make sure I had the following section in the /etc/apt-proxy/apt-proxy-v2.conf file
[backports]
;; backports
backends = http://backports.debian.org/debian-backports
min_refresh_delay = 1d
and the following in the client pc’s /etc/apt/sources.list
deb http://[MyAptProxyServer]:[MyAptProxyServersListeningPort]/backports lenny-backports main contrib non-free
You can see how the directory structure works for the repositories.
In this case have a look at http://backports.debian.org/debian-backports/
in dists you will see lenny-backports as a subdirectory.
Within lenny-backports you’ll see main, contrib and non-free
Now just add the below section to the client PC's /etc/apt/preferences file.
In my case I didn't have this file, so I created it.
What's this for? A Pin-Priority of 200 sits above the 100 that apt gives an already-installed version, but below the default 500 of the regular lenny sources. So:
If a package was installed from backports and there is a newer version there, it will be upgraded from there.
Other packages that are also available from backports will not be upgraded to the backports version unless explicitly requested with
-t lenny-backports
Check the apt_preferences man page, as usual, for in-depth details.
# APT PINNING PREFERENCES
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
Now, as root:
apt-get update
apt-get -t lenny-backports install iceweasel
Now, because we've added the /etc/apt/preferences file, whenever there is an update to the backported version of Iceweasel we'll get it when we do a
apt-get upgrade
Now, through Iceweasel's Tools->Add-ons->Get Add-ons, a search for Adblock Plus revealed the add-on.
I installed it and selected the EasyList (English) filter subscription.
I browsed some sites I knew had popups and ads I didn't want, and it worked great!
Adblock Plus gives good visibility of each request made, as to what it's blocking, what it could possibly block etc., through its "Open blockable items" menu (Ctrl+Shift+V).
So personally I think I'd stick with the add-on (for Firefox users, that is) going forward, as it seemed like it just worked.
Not sure about other browser platforms.
Now I use this with the NoScript plugin also, which I find great at stopping JavaScript, Flash and other executable content from being run from domains I'm not expecting it to run from.
I'm also using OpenDNS as my name servers.
They provide a lot of control over what can be accessed, by domain.
You can also provide custom images and messages to be displayed for requested sites that you don't want to allow, and get statistics on who on your network is accessing which sites and which sites they are attempting to access.
Plus a lot more.
I'm looking into using Squid with Snort or Privoxy to take care of a lot more, such as anonymous web browsing and content caching.
Resources
http://hostsfile.mine.nu/
http://winhelp2002.mvps.org/hosts.htm
http://www.accs-net.com/hosts/hostsforlinux.html
There is also a good podcast on the hosts file by Xoke here.
June 9, 2011 at 11:43
Hi!
Great article!
I am happy to find folks still refer to eDexter/JavaDog after
it has been around 10+ years. BTW, Linux users can use
Apache with mod_rewrite to accomplish the same thing, and I much prefer using a maintained Apache to the JavaDog. Less muss and fuss.
The basic approach for apache is to grab a substitution image, set up
apache to run on localhost and redirect everything to the
substitution image.
Using apache2 on Ubuntu the steps would go something like
this:
Grab a suitable 1×1 transparent image:
cd /var/www/
sudo curl -o onebyone.gif http://pyrenean.com/onebyone.gif
Enable mod_rewrite:
sudo a2enmod rewrite
Next set up a local-only virtual host on port 80
(I am assuming only one VirtualHost is needed, so I am using the default template in /etc/apache2/sites-available/)
Edit the file with sudo:
sudo vi /etc/apache2/sites-available/default
or
sudo nano /etc/apache2/sites-available/default
Make the following edits:
# Apache 2.2 syntax (Ubuntu's default at the time); on 2.4 the Order/allow
# lines become "Require all granted" (or "Require ip 127.0.0.0/8 ::1" for
# the restrictive variant below). The <VirtualHost> and <Directory> container
# tags did not survive the comment's formatting and are restored here.
NameVirtualHost 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
    # the default template's DocumentRoot, where onebyone.gif was saved above
    DocumentRoot /var/www
    <Directory /var/www/>
        Options -Indexes -FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        RewriteEngine On
        RewriteBase /
        # never rewrite the image itself, so the rule cannot loop
        RewriteCond %{REQUEST_URI} !^/onebyone\.gif$
        RewriteRule .* onebyone.gif [NC,L]
    </Directory>
</VirtualHost>
If you want to be even more restrictive use:
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
Enable the default site, although you probably don’t need to.
sudo a2ensite default
Reload apache
sudo apache2ctl reload
and test.
http://127.0.0.1/
You should see nothing 🙂
Those who want to run another virtualhost on 127.0.0.1 should
create a new file in sites-available and use a different port
than port 80.
All of this is a basic hand-wave at how one can set apache
up for this purpose. Expect things to be more complicated
than they sound.
As I mentioned earlier, both dnskl (DNSKong) and eDexter have
been around for 10+ years. Actually, I created the programs
in 1999 and only started making them available to the public
in 2000. These were Windows 98 days and most Windows users
were not able or willing to run a nameserver or apache.
I still maintain dnskl and eDexter. Both programs are now
able to run on Linux, BSD, OS X and Windows. I only make
the OS X and Windows versions available on my web site, but
any brave soul who wants to try dnskl or edexter on their
Linux system can mail me and ask for a custom binary – provided,
of course, that I can find an .iso for their distro;) My mail address
is available on site and I even check my mail – sometimes.
Your article mentioned a DNS Client problem on Windows. Actually,
I have not seen this problem since Vista was released and
suggest that folks leave the DNS Client service alone when running
dnskl. I haven’t used the hosts approach for many years –
Your mileage may vary.
All the best,
Pyrenean