On Wed, Oct 4, 2017 at 1:28 AM, Walter Dnes <waltdnes@××××××××.org> wrote:
> I have some doubts about massive "hosts" files for adblocking. I
> downloaded one that listed 13,148 sites. I fed them through a script
> that called "host" for each entry, and saved the output to a text file.
> The result was 1,059 addresses. Note that some adservers have multiple
> IP address entries for the same name. A back-of-the-envelope analysis
> is that close to 95% of the entries in the large host file are invalid,
> and return "not found: 3(NXDOMAIN)".
>
> I'm not here to trash the people compiling the lists; the problem is
> that hosts files are the wrong tool for the job. Advertisers know about
> hosts files and deliberately generate random subdomain names with short
> lifetimes to invalidate the hosts files. Every week the sites are
> probably mostly renamed. Further analysis of the 1,059 addresses shows
> 810 unique entries, i.e. 249 duplicates. It gets even better. 44
> addresses show up in 52.84.146.xxx; I should probably block the entire
> /24 with one entry. There are multiple similar occurrences, which could
> be aggregated into small CIDRs. So the number of blocking rules is
> greatly reduced.
>
> I'm not a deep networking expert. My question is whether I'm better
> off adding iptables reject/drop rules or "reject routes", e.g.
>
> route add -net 10.0.0.0 netmask 255.0.0.0 metric 1024 reject
>
> (an example from the "route" man page). iptables rules have to be
> duplicated coming and going to catch inbound and outbound traffic. A
> reject route only needs to be entered once. This exercise is intended
> to block web adservers, so another question is how web browsers react to
> route versus iptables blocking.

Using the routing table feels dirty.

I don't see any reason to create "inbound" (INPUT) iptables rules. You
really only care about rejecting the initial outbound request to the
web server.

If this is for a single host with iptables running locally, add rules
to the OUTPUT chain. If this is on a router, add them to the FORWARD
chain.