This is an old revision of the document!
DNS Block List
DNS filtering is an easy way to block the vast majority of advertising, tracking and malware sites with a minimum of effort. It is quick to set up and easy to revert.
Advantages of DNS filtering:
- Filters a large quantity of advertising/tracking/malware without the need for additional software (Exception: Android needs additional software).
- Works under all OSes (Windows, Linux, MacOSX…)
- Works in all applications (and not only the browser)
- Under Android, gets rid of almost all advertising and tracking, including inside applications.
- Can be set up device by device, or on an entire network if configured on your router (pi-Hole, pfSense, etc.)
- Easy to set up.
- Fast.
Drawbacks:
- Does not filter everything.
You do not need to worry: The setup is easy to reverse.
Lists
I'm using these lists:
They are long-lasting reputable sources.
To make things easier, I have aggregated these sources in a single file (duplicates removed, resolution in 0.0.0.0):
| URL | Size | Number of blocked domains | Notes |
|---|---|---|---|
| https://sebsauvage.net/hosts/hosts [RECOMMENDED] | 3,1 Mb | around 98'000 | hosts format. Suited for Android and computers. This hosts file can be used as is in Windows, Linux, MacOSX and in Blokada and DNS66 on Android. |
| https://sebsauvage.net/hosts/hosts-adguard | 2,6 Mb | around 98'000 | AdGuard/uBlock-Origin format. Suited for Android and computers. This list can be used in AdGuard (on Android) and uBlock-Origin. |
What does this list block?
- Web advertising (smartadserver.com, doubleclick.net, googleadservices.com, googlesyndication.com, tradedoubler.com, adbrite.com, yimg.com(YahooAds)…), including site-specific domains (ad.paypal.com, ad.foxnetworks.com, ads.sun.com…)
- Malvertising (advertising networks known for spreading malware, trojan horses…) (adshufffle.com, conduit.com…)
- Advertising in mobile applications (admob.com, inmobi.com, mopub.com, adinfuse.com…)
- Web analytics (google-analytics.com, scorecardresearch.com, quantserve.com…)
- Mobile applications analytics (crashlytics.com, applovin.com, flurry.com…)
- Tracking services (canvas fingerprinting, evercookies…).
- Social badges and buttons (addthis.com, badges.instagram.com, badge.stumbleupon.com…)
- Web site counters (sitemeter.com, free-counter.co.uk, webcounter.com, statcounter.com…)
- Fraudulent or malware sites (goggle.com, googfle.com, antivirus-scanner.com, adblock.fr, audacity.fr, myfuncards.com…)
- Popup-hell websites.
- Non-reliable download websites (softonic.com…)
- Sites linked to spam campaigns (buy-viagra.go.to, cheap-valium.polybuild.ru, forex-market.hut1.ru, norton-antivirus-trial.searchservice.info…)
- Websites designed to shock (goatse, 2girls1cup…)
- Domains linked to Windows 10 tracking/reporting/telemetry (reports.wes.df.telemetry.microsoft.com, feedback.microsoft-hohm.com, telemetry.appex.bing.net, statsfe2.ws.microsoft.com…)
Installation
Linux / MacOSX
You can paste this list at the end of your hosts file located at: /etc/hosts
Note: Some distributions require that 127.0.0.1 machineName is defined in the hosts file. You can paste the blocklist after this line.
If you want to automatically update the blocklist, here is an example script which has to be run by root (you can just drop this script in /etc/cron.weekly/).
- hosts-update
```bash
#!/bin/bash
# Update the DNS blocklist from the web
logger "hosts-update: Updating hosts."
# mktemp replaces the deprecated tempfile command
tempname=$(mktemp)
# Keep the local machine name resolvable, then append the blocklist
echo "127.0.0.1 $(hostname)" > "$tempname"
printf "\n\n" >> "$tempname"
curl --fail https://sebsauvage.net/hosts/hosts >> "$tempname"
res=$?
if test "$res" != "0"; then
    logger "hosts-update: Failed to update hosts : $res"
    rm "$tempname"
    exit 1
fi
# Keep the previous file as a backup before replacing it
mv /etc/hosts /etc/hosts.old
mv "$tempname" /etc/hosts
chmod 0644 /etc/hosts
logger "hosts-update: hosts file successfully updated."
```
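The update script above runs as root and installs whatever the server returns, and a hosts file can map any name to any address, so it is worth checking the download before the `mv`. The following is an added example, not part of the original page: `validate_blocklist`, its default threshold and the sample entries are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the original page): refuse a downloaded hosts file
# unless every entry is a plain 0.0.0.0 block. Function name, threshold and
# sample data are illustrative assumptions.

# validate_blocklist FILE [MIN_ENTRIES]
# Returns 0 only if each entry maps hostnames to 0.0.0.0 (loopback is
# tolerated for localhost-style names) and at least MIN_ENTRIES blocks exist.
validate_blocklist() {
    local file="$1" min="${2:-1000}"
    awk -v min="$min" '
        { sub(/\r$/, ""); sub(/#.*/, "") }      # drop CR and comments
        NF == 0 { next }                         # blank line
        $1 == "0.0.0.0" && NF >= 2 {             # normal block entry
            for (i = 2; i <= NF; i++)
                if ($i !~ /^[A-Za-z0-9._-]+$/) bad++
            ok++; next
        }
        ($1 == "127.0.0.1" || $1 == "::1") && NF == 2 &&
            $2 ~ /^(localhost|ip6-localhost|ip6-loopback)$/ { next }
        { bad++; print "unexpected entry: " $0 > "/dev/stderr" }
        END { if (bad + 0 > 0 || ok + 0 < min + 0) exit 1 }
    ' "$file"
}

# Constructed samples: one clean list, one that maps a name to a real address
# (203.0.113.7 is a documentation-only address).
good=$(mktemp); bad=$(mktemp)
printf '# sample\n127.0.0.1 localhost\n0.0.0.0 doubleclick.net\n0.0.0.0 admob.com\n' > "$good"
printf '0.0.0.0 doubleclick.net\n203.0.113.7 www.example.org\n' > "$bad"
validate_blocklist "$good" 2 && echo "good list accepted"
validate_blocklist "$bad" 1 2>/dev/null || echo "tampered list rejected"
rm -f "$good" "$bad"
```

To use it with the update script, download the list to its own temporary file, validate that file, and only then prepend the `127.0.0.1` hostname line and replace /etc/hosts. A minimum entry count well below the expected size (around 98'000 domains) also catches truncated or empty downloads.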
Windows
services.msc, right-click on "DNS Client" > Properties > Startup: Disabled, then restart your computer). Under Windows 10, even the administrator is not allowed to disable this service. Run regedit and put 4 (=disabled) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Start then restart your computer. You MUST disable DNS Client service before installing this blocklist. You have been warned.
You can paste this list at the end of your hosts file located at: C:\Windows\System32\drivers\etc\hosts
If this does not seem to work, run ipconfig /flushdns in a terminal.
Android
There are several Android applications capable of downloading and applying a blocklist. Please note that these applications use the VPN feature of Android. It's the only way for an application to collect network traffic of all other applications. You can use one of these applications:
In each of these applications, disable the lists provided by default and add https://sebsauvage.net/hosts/hosts
Blokada main screen | In blacklists, use this button to add a new source with this URL and disable other blocklists. | If Blokada is killed by Android, make sure these two options are enabled. |
By default, Blokada will display a notification for each blocked domain. Give it a try! Open your favorite applications to see what you are spared. After a moment, you will probably want to disable the notifications:
For an extra layer of security, you can use alternate DNS resolvers such as Quad9 (9.9.9.9/149.112.112.112): This resolver also dynamically blocks botnets.
- I do not recommend the default blocklist provided by Blokada (Energized Blue) because it blocks legitimate websites (such as www.commentcamarche.net).
- By default, Blokada imposes no restriction on GooglePlay, GoogleDrive and other Google applications. You should disable whitelists.
Update
I recommend updating the list every month.
Under Android, Blokada and DNS66 are capable of updating the list automatically on a regular basis.
Security
Keep in mind that this blocklist alone is not enough. You must:
- Keep your operating system and applications up-to-date (security patches).
- Use blocking addons in browsers (uBlock-Origin, PrivacyBadger…)
- Under Windows, use an anti-malware (the anti-malware provided with Windows is sufficient; you can complement it with a weekly scan with MalwareBytes (free version)).
- Beware of what you download.
- Backup!
FAQ
- Which Android application do you recommend?
  - Blokada and DNS66 are equally good. Blokada has some more features, like notifications when a domain is blocked, and whitelists. I did not try DNSFilter.
- Why use 0.0.0.0 instead of 127.0.0.1?
  - 0.0.0.0 is a non-routable address. It will fail immediately, which is not the case with 127.0.0.1, which adds some latency.
- Why not add list X?
  - Energized?
    - Abusive blocking (e.g. it blocks www.commentcamarche.net, which is a computer science learning site).
  - Malwares from hosts-file.net?
    - Abusive blocking (it blocks mail.gandi.net, which is the mail server of a large French hosting provider).
- What happens when a website is blocked?
  - Your browser will simply display a "website not found" screen, as if the site never existed.
- How often do you update your list?
  - On an irregular basis, but at least once a month.
- What if your website disappears?
  - My website has been online longer than Facebook and Twitter. Satisfied?