A few years back, I wrote a guide about using DNS based adblock with OpenWRT. I have since moved on to using Mikrotik as my primary routing device and have implimented a similar DNS based adblock. Here’s how I did it combining various resources online.
At the time of the last article, I was using one of those old, underpowered Linksys WRT54Gs. You probably know the type I am talking about, the black/blue boxes made by Linksys when they were a standalone company. After my network outgrew the old Linksys router, I “upgraded” to a Mikrotik RB951Ui-2HnD. I say “upgraded” because I immediately flashed OpenWRT onto the device and never looked into RouterOS. I forgot why I flashed back to factory firmware on the Mikrotik, but after using it for a while now, I can’t imagine using anything other than RouterOS, even good old OpenWRT.
The basic idea of DNS based adblocking is this: any device on your network goes to a website and when that website has an advertisement on it, the ad is usually directed to a known advertising website for just that box/ad/display on the web page. With DNS based adblocking, your browser tries to look up the advertising site, but is instead presented with a special dead IP address and the advertisement does not load. This works network-wide across all devices including phones, tablets, computers, etc.
- Mikrotik router with at least 64 MB RAM free, not total
- Mikrotik router running the latest RouterOS
- Latest WinBox for Mikrotik
- Some basic networking knowledge regarding IP routing, firewalls, etc.
The following config file contains a list of known advertising domains from http://winhelp2002.mvps.org/hosts.htm and pre-converted into Mikrotik’s config format. Extract the DNS config file below and upload the .rsc into Mikrotik:
WinBox > Files > Upload... > mikrotik_adblock.rsc WinBox > Terminal > /import mikrotik_adblock.rsc
This configuration will load a list of domains into the DNS static entries with an IP address of 240.0.0.1. You can confirm the import by checking the DNS static records:
WinBox > IP > DNS > Static
Now we need to setup a firewall rule to block the special IP address 240.0.0.1. When it comes to blocking via firewall rules, I prefer to use not use “drop” because this results in the requesting agent trying over and over until it times out. Instead, we will give immediate feedback that the request is denied so our web browsers don’t hang up trying to load a page element.
Rejecting TCP attempts:
WinBox > IP > Firewall > Filter Rules > Add [+] General Chain: forward Dst. Address: 240.0.0.1 Protocol: 6 (tcp) Connection State: new Action Action: reject Log: checked Log Prefix: ADBLOCK Reject With: tcp-reset Comment: Adblock tcp-reset
Rejecting UDP attempts:
WinBox > IP > Firewall > Filter Rules > Add [+] General Chain: forward Dst. Address: 240.0.0.1 Protocol: 17 (udp) Connection State: new Action Action: reject Log: checked Log Prefix: ADBLOCK Reject With: icmp network unreachable Comment: Adblock udp unreachable
Rejecting all other attempts:
WinBox > IP > Firewall > Filter Rules > Add [+] General Chain: forward Dst. Address: 240.0.0.1 Action Action: drop Log: checked Log Prefix: ADBLOCK Comment: Adblock drop
Make sure that our DHCP clients are using our Mikrotik as a DNS server:
WinBox > IP > DHCP Server > Networks > Edit Primary Network DNS Servers: <your Mikrotik IP>
Make sure that our Mikrotik is using OpenDNS for DNS lookups:
WinBox > IP > DNS Servers: 188.8.131.52 184.108.40.206 Allow Remote Requests: checked
Force all of our clients on the network to use our DNS, even if they try to use their own DNS servers:
WinBox > IP > Firewall > NAT > Add [+] General Chain: dstnat Dst. Address: [!] <your Mikrotik IP> Protocol: 6 (tcp) Dst. Port: 53 In. Interface: <your LAN bridge/interface> Action Action: redirect To Ports: 53 Comment: DNS Redirect (TCP)
WinBox > IP > Firewall > NAT > Add [+] General Chain: dstnat Dst. Address: [!] <your Mikrotik IP> Protocol: 17 (udp) Dst. Port: 53 In. Interface: <your LAN bridge/interface> Action Action: redirect To Ports: 53 Comment: DNS Redirect (UDP)
Hooray! Now all of your network clients should be forced to use your Mikrotik’s DNS server which will use static entries for the known advertising/malware domains.
You will also be performing DNS lookups using OpenDNS, so you can setup an OpenDNS account and provide additional web content filtering using OpenDNS. By default, OpenDNS will only filter out the really bad stuff such as known malware sites. You have to enable additional content filtering under your OpenDNS account if you want a more strict web content filtering policy.
- This method does not auto update. There is a limit to what Mikrotik can handle as far as processing scripts and automating this. You can find guides online for setting up a .php script on your own webserver to automatically download malware domain lists and create Mikrotik’s .rsc config for you.
- Your device must have at least 64 MB RAM free. Mikrotik’s DNS caching takes a lot of RAM. It loads the entire static DNS list (13,000+ domains) into memory upon boot and does not read them from file when performing DNS lookups. I have limited my domain list in the .rsc to only the list from http://winhelp2002.mvps.org/hosts.htm because of this. There are guides out there that let you have lots of domain lists, but your Mikrotik’s performance will suffer and require more RAM.
- Your Mikrotik will take longer to reboot. Because the entire list is loaded into memory at boot, you will have a longer reboot cycle while the entire list is loaded into memory. This setup on my RB951Ui-2HnD increased the reboot time from about 5-10 seconds to about 60 seconds. Again, I am only using one domain list, there are guides out there that have 3-4 different domain lists and I would expect longer reboot times and higher memory usage to reflect even more entries.
- Some websites will complain you are adblocking. Even if you disable other adblock browsing plugins, some websites will still complain. I have also seen some video websites not playing videos because they are trying to show an ad before the video. You can look into what domain is being used and disable or delete the static DNS entry to allow the website’s ads.
Aside from those caveats, the performance is fast after the Mikrotik is rebooted and ready. DNS lookups are fast, and there is no noticeable difference in web browsing speed.