Using Synology DNS Server to Block Adverts

by 13th September 2021Platforms, Security, Synology, Technological Thoughts

Edited 23rd September 2021: I’ve now modified the script so that it can pull in a list of remote allowlists. I’ve also had issues with the null.zone.file and have modified this.

I am constantly irritated by the number of adverts and clickbait that I see whenever I use apps or traverse the web, and have looked for effective ways block them.

There are lots of extensions for various web browsers that you can use, and whilst these allow a very targeted approach to removing adverts, they only work within the browsers themselves.

Another option is to block domains entirely. This can be fraught with dangers, as you can effectively kill websites and apps completely with this approach. However, by using safe, sanitised blocklists, false positives can be reduced.

Using the Synology DNS Server as a filter

I use my Synology DNS Server to route traffic both for my intranet and the internet and tried using the AdGuard DNS servers as a solution. However, I found that these were incredibly slow, resulting in significant lag for websites and applications.

I then came across a simple blog post by Gerzon (https://synologytweaks.wordpress.com/2015/08/23/use-synology-as-an-ad-blocker/) which explained how to set up the Synology DNS Server to block adverts.

This works extremely well, but has certain limitations in its flexibility, as the script was designed to pull a single blocklist and apply it.

An effective way to block adverts and malicious websites

To make the Synology DNS Server into an effective filter for advertising domains and other malicious websites, I have written a shell script below which gives you greater flexibility. The script itself:

  • Allows you to create a list of blocklists to apply to your Synology DNS Server.
  • Merges, deduplicates and sorts the blocklists.
  • Formats the blocklists appropriately for the Synology DNS Server.
  • Allows you to create an allowlist of permitted domains, which if found in the merged blocklist, will be removed.
  • Reloads the DNS Server.

Synology DSM Configuration

  1. Log into your Synology NAS as an administrator.
  2. Install the DNS Server package on your Synology.
  3. Open the DNS Server application.
  4. On the Zones tab, Click on the Create button and select the option to create a new Master zone with the following values:
    • Domain type: “Forward Zone”
    • Domain name: “null.zone.file”
    • Master DNS Server: your Synology IP address (e.g. “192.168.1.2”)
    • Serial format: “Date (YYYYMMDDNN)
  5. On the Resolution tab,make sure that the “Enable resolution service” check box is ticked and you have added external DNS servers to resolve any unknown domain names.
    In the example below, I have selected Cloudflare (1.1.1.1) as my first DNS resolver and Google (8.8.8.8) as my second.
Creating the null.zone.file settings
Synology DNS Resolution Settings

Installing and Executing the Script using Telnet or SSH

    1. Download the adblock files or copy the code below.
    2. Create your own or copy the blocklist.txt and allowlist files to your Synology website. Alternatively, you can copy them to:
      /var/packages/DNSServer/target/named/zone/etc/data/
    3. Edit the adblock.sh, updating the Configurable Parameters section (lines 18-20) for Blocklist and Allowlist to point to your own files (either on your Synology website or locally) and save it.
    4. Log in to your Synology NAS using Telnet (or preferably SSH!).
    5. Copy the script to your NAS in the following directory:
      cp adblock.sh /var/packages/DNSServer/target/script/
    6. Give the script execute permissions and make the owner the DNSServer
      chmod 755 /var/packages/DNSServer/target/script/adblock.sh
      chown DNSServer:DNSServer /var/packages/DNSServer/target/script/adblock.sh
    7. To run the script, you then just need to call it:
      ./adblock.sh

Scheduling a Task in Synology

Schedule a Task in Synology

Scheduling a Task in Synology

 You can also schedule this to regularly update the blocklist using a task in Synology. Once configured, you can leave the script to run when scheduled and always be up to date.

  1.  Log into your Synology NAS as an administrator.
  2. Open the Control Panel.
  3. Click on the Task Scheduler icon.
  4. Click on the Create button and select the option to create a Scheduled Task > User-defined script.
  5. Name your task and set the user to run the task as “root”.
  6. Click on the Schedule tab and set the schedule you want to run. Whilst you can run it every day, I have set mine to run monthly as it reduces the load on both your server and the blocklist servers.
  7. Click on the Task Settings tab and enter the following for the User-defined script:
    bash /var/packages/DNSServer/target/script/adblock.sh
  8. Click on the OK button to create the scheduled task.

Taboola, Google and Amazon Ads

One of the main advert serving sites that was annoying me was Taboola, which seems to serve up clickbait news articles constantly (particularly on IMDB), so I created my own blocklist for this. I have also added a few Google and Amazon advert domains to this list as well.

Feel free to copy the list below (I have also included it in the code download) and use it as your own blocklist.

Adblock.sh Script

#!/bin/bash
#================================================================================
#(C)2021 Europoint Communications ltd
#Title       : adblock.sh
#Version     : V1.03
#Author      : Matthew Cunliffe (https://www.europoint.uk)
#Description : Script to create a domain name based blocklist for use with Synology DNSServer
#Dependencies: Synology DNSServer package, sed, wget, sort, comm, blocklist.txt, allowlist.txt
#Usage       : ./adblock.sh
#================================================================================
# Version history:
#2021.09.13 Bash script to pull domain names of URLs to be blocked by Synology DNSServer and install them
#2021.09.17 Added in the option to include a remote allow list to be processed, but it expects it in a limited Adblock format
#2021.09.22 Corrected the null.zone.file creation
#2021.09.23 Added option to download multiple allowlists
#================================================================================

#Script to be placed in /var/packages/DNNSServer/target/script/

#Configurable Parameters
Blocklist="https://www.europoint.uk/blocklist.txt"
Allowlist="https://www.europoint.uk/allowlist.txt"

#####Do Not Change Below This Line#####
RootDir="/var/packages/DNSServer/target"
ZoneDataDir="${RootDir}/named/etc/zone/data"
ZoneMasterDir="${RootDir}/named/etc/zone/master"
ZoneMasterFile="${ZoneMasterDir}/null.zone.file" 
  
ParseBlockList ()
{
	#Retrieve the list of files to download and merge them into the blocklist.txt file
	wget -q -i ${Blocklist} -O blocklist.txt
	#Sort the file alphabetically and remove any duplicates
	sort -u -o blocklist.txt{,}
	#If the blocklist file exists and there is an allowlist set, then parse the allow list.
	if [ -s "blocklist.txt" ] && [ -n "${Allowlist}" ]
	then
		ParseAllowList
	fi
	#If the blocklist file still exists, then tidy it up.
	if [ -s "blocklist.txt" ]
	then
		#Remove any comments in the file and format the file for use with Synology DNSServer.
		sed -i -e '/^#/d' -e 's/.*/zone \"&\" { type master; notify no; file \"null.zone.file\"; };/' blocklist.txt
	else
		return 1
	fi
	#If the blocklist file is still ok, then exit with a success statement.
	if [ -s "blocklist.txt" ]
	then
		return 0
	else
		return 1
	fi
}

ParseAllowList ()
{
	#Retrieve the list of files to download and merge them into the allow.txt file.
	wget -q -i ${Allowlist} -O allowlist.txt
	#Check if an allowlist has been created and if so, remove the allowed domains.
	if [ -s "allowlist.txt" ]
	then
		#Retrieves the Remote Allow list and processes it to remove Adblock data formats and appended values.
		#Then appends the file to the allowlist.
		sed -i -e '/\[Adblock Plus/d' -e '/^\!/d' -e '/^#/d' -e 's/^@@||//' -e 's/\^\*\$.*//' -e 's/\?.*//' -e 's/\*\$.*//' -e 's/0\.0\.0\.0 //'  -e 's/127\.0\.0\.1 //'  allowlist.txt
		#Sort the file alphabetically and remove any duplicates.
		sort -u -o allowlist.txt{,}	
		#Remove everything in the allowlist from the blocklist.
		comm -23 blocklist.txt allowlist.txt > inter.txt; mv inter.txt blocklist.txt; rm allowlist.txt;
	fi
}

UpdateBlockList () 
{
	#Backup the old database, rename the final file as the database and make sure it is owned by the DNSServer
	gzip -f blocklist.db 
	mv blocklist.txt blocklist.db
	#If the blocklist file is ok and the old one has been backed up, then exit with a success statement.
	if [ -s "blocklist.db" ] && [ -s "blocklist.db.gz" ]
	then
		chown DNSServer:DNSServer blocklist.db
		return 0
	else
		return 1
	fi
}

RestartDNS () 
{
	#Restart DNS
	${RootDir}/script/reload.sh
}

ModifyZoneDataFile () 
{
	#Acknowledgements to DMajo and Steven T Black for the original code used for this function 
	# https://github.com/dMajoIT, https://community.synology.com/enu/user/dmajo/profile/topic
	# https://raw.githubusercontent.com/steventblack/ad-blocker/master/ad-blocker.sh
	#Modify Zone Data File if required
	#Include the new zone data
    if [ -f blocklist.db ] && [ -f null.zone.file ]
	then
        grep -q 'include "/var/packages/DNSServer/target/named/etc/zone/data/blocklist.db";' null.zone.file || echo 'include "/var/packages/DNSServer/target/named/etc/zone/data/blocklist.db";' >> null.zone.file
	fi
	
	#Rebuild the master null.zone.file
    Now=$(date +"%Y%m%d")
	if [ -f "$ZoneMasterFile" ]
	then 
	{
		rm -f "$ZoneMasterFile"

	  # rebuild the zone master file with the updated serial number
	  { echo '$TTL 86400     ; one day';
		echo '@ IN SOA ns.null.zone.file. mail.null.zone.file. (';
		echo '  '${Now}'00   ; serial number YYYYMMDDNN';
		echo '  86400        ; refresh 1 day';
		echo '  7200         ; retry 2 hours';
		echo '  864000       ; expire 10 days';
		echo '  86400 )      ; min ttl 1 day';
		echo '  IN NS  ns.null.zone.file.';
		echo '  IN A   127.0.0.1';
		echo '* IN A   127.0.0.1'; } > "$ZoneMasterFile"
	}
    fi
}

#Move to the directory containing the data for the DNS files
cd ${ZoneDataDir}
#Call functions to execute
ParseBlockList
if [ $?==0 ]
then
	UpdateBlockList
else
	echo "Unable to update Blocklist"
	exit 1
fi
if [ $?==0 ] 
then
	ModifyZoneDataFile
	RestartDNS
	exit 0
else
	echo "Unable to update and restart DNS"
	exit 1
fi

Blocklist.txt Example

https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext
https://blocklistproject.github.io/Lists/alt-version/abuse-nl.txt
https://blocklistproject.github.io/Lists/alt-version/ads-nl.txt
https://curben.gitlab.io/malware-filter/urlhaus-filter-dnscrypt-blocked-names.txt

Allowlist.txt Example

https://www.topcashback.co.uk/misc/AdBlockWhiteList.aspx

Taboola, Google and Amazon Blocklist

#Taboola Blocklist
15.taboola.com
adserver.adtechus.com
amplify.outbrain.com
amplifypixel.outbrain.com
api-s2s.taboola.com
api.taboola.com
c2.taboola.com
cdn.taboola.com
cdn.taboolasyndication.co
cdn.taboolasyndication.com
cm.g.doubleclick.net
convlatbmp.taboola.com
esd-secure.taboola.com.edgekey.net
images.outbrain.com
images.taboola.com
img.img-taboola.com
imprlatbmp.taboola.com
log.outbrain.com
nr.taboola.com
odb.outbrain.com
oooutbrain.com
popup.taboola.com
sync.outbrain.com
taboola.com
taboola.com.edgekey.net
taboolasyndication.com
tr.outbrain.com
trc.taboola.com
urc.taboolasyndication.com
us-u.openx.net
vidstat.taboola.com
vra.outbrain.com
vrp.outbrain.com
vrt.outbrain.com
wf.taboola.com
widgets.outbrain.com
www.adserver.adtechus.com
www.api.taboola.com
www.c2.taboola.com
www.cdn.taboola.com
www.cdn.taboolasyndication.com
www.esd-secure.taboola.com.edgekey.net
www.images.taboola.com
www.outbrain.com
www.popup.taboola.com
www.taboola.com
www.taboola.com.edgekey.net
www.taboolasyndication.com
www.trc.taboola.com
www.urc.taboolasyndication.com
www.us-u.openx.net

#Google BlockList
ad.doubleclick.net
adservice.google.com
googleads.g.doubleclick.net
pagead.googlesyndication.com
pagead2.googlesyndication.com
tpc.googlesyndication.com
safeframe.googlesyndication.com
stats.g.doubleclick.net
tpc.googlesyndication.com
ypn-js.overture.com

#Amazon BlockList
aax-eu.amazon-adsystem.com
aax-eu.amazon.co.uk
api-graphql.imdb.com
fls-na.amazon.com
fls-eu.amazon.co.uk
unagi.amazon.com
unagi-eu.amazon.com
unagi.amazon.co.uk
Matthew Cunliffe

Matthew Cunliffe

Author

Matthew is an IT specialist with more than 23 years experience in software development and project management. He has a wide range of interests, including international political theory; playing guitar; music; hiking, kayaking, and bouldering; and data privacy and ethics in IT.

0 Comments

Share this post