This project is archived; I still think trackwall is a neat project with a lot of potential, but unfortunately various changes to the web make everything harder compared to late 2015 when I first started this:
- Browsers ignoring short TTLs makes the management/unblocking of URLs tricky (this has always been a problem).
- Intercepting HTTPS connections and serving stubs worked well a few years ago, but with strict transport security – which is intended exactly to prevent these kinds of MITM tricks – it's much harder.
- Encrypted DNS (e.g. DNS-over-HTTPS) makes everything much harder. I'm using this myself since the Indonesian government blocks access to various sites on the DNS level (because Netflix has LGBT content; sigh), and this is an easy way to circumvent it.
These problems are probably fixable to some degree, but it would be quite a bit of effort and I don't really have the time at the moment. Additionally, Pi-hole now seems like an established project, so I'm not sure if it's worth the effort developing an alternative (although I have not used it myself so this is not an endorsement, and I don't know to which degree it solves the above problems. I just use uBlock Origin in Firefox now.)
Original README below.
DNS proxy and filter.
Its intended usage is to block third-party browser requests. It's not intended to "block advertisement" as such, rather it's intended to "block third party requests".
It's inspired by adsuck, which unfortunately hasn't been updated in a few years and is suffering from some problems.
Advantages:
- Lightweight.
- Browser independent − also works for requests outside the browser.
- Will not endlessly frob in web page's DOM (which many adblocks do).
To be fair, there are some disadvantages as well:
- It's currently a bit more difficult to set up.
- Unable to filter by URL (only domain name). This is usually not a problem unless you want to filter out every last advertisement (which is not this program's goal).
trackwall is written in Go, so you'll need that. Tested systems are:
- Go 1.9 on Arch Linux
- Go 1.6 on VoidLinux (musl libc)
- Go 1.6 on Ubuntu 16.04
- Go 1.6 on OpenBSD 5.9
Other POSIX systems should also work.
You can download and build it with:
$ go get -u arp242.net/trackwall
You will probably want to run the install.sh script to set up some stuff as well:
$ $GOPATH/src/arp242.net/install.sh
After trackwall is up and running you'll need to tell the OS to actually use it.
This is usually done by adding nameserver <addr> to /etc/resolv.conf. Most systems auto-generate this file (usually from DHCP).
Set /etc/dhclient.conf to something like:
# The installer adds this line, not strictly needed
send host-name "yourhostname";
# List our nameserver first
prepend domain-name-servers 127.0.0.53;
Running sh /etc/netstart will apply the settings.
If you want to listen on a loopback address other than 127.0.0.1 (which is the case by default) you'll have to add that address as an alias, which can be done in /etc/hostname.lo0:
inet alias 127.0.0.53
Running sh /etc/netstart will apply the settings.
If you're using the GNU libc version then setting /etc/resolv.conf.head to:
nameserver 127.0.0.53
should be enough.
Note: if you're using the musl libc version then this won't work as expected, since musl's resolver sends a query to all nameservers and uses whichever one responds fastest, so you'll need to set only trackwall as the nameserver. This can be done by creating /usr/libexec/dhcpcd-hooks/90-resolv.conf with:
#!/bin/sh
echo 'nameserver 127.0.0.53' > /etc/resolv.conf
Don't forget to make this executable! You'll also need to set the dns-forward setting manually in /etc/trackwall/config.
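The musl behaviour described above means any extra nameserver entry can answer a lookup before the filter does. The following check is an added example, not part of trackwall; it scans a resolv.conf for such entries, and the sample file and the function name bypassResolvers are constructed for illustration:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// filterAddr is the listen address used in this README.
const filterAddr = "127.0.0.53"

// Constructed sample: the filter was prepended, but the DHCP-supplied
// resolver is still listed after it.
const sampleConf = `# generated by dhcpcd
nameserver 127.0.0.53
nameserver 192.0.2.1
; nameserver 198.51.100.7
search example.lan
`

// bypassResolvers returns every nameserver in a resolv.conf that is not the
// filter. With musl, any of these can answer before the filter does.
func bypassResolvers(conf string) []string {
	var extra []string
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank line or comment
		}
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" && f[1] != filterAddr {
			extra = append(extra, f[1])
		}
	}
	return extra
}

func main() {
	for _, ns := range bypassResolvers(sampleConf) {
		fmt.Printf("%s is also a nameserver: lookups can bypass %s\n", ns, filterAddr)
	}
}
```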
Set /etc/resolvconf/resolv.conf.d/head to:
nameserver 127.0.0.53
and run resolvconf -u.
Add to /etc/resolvconf.conf:
name_servers=127.0.0.53
and run resolvconf -u.
On first startup a root certificate will be generated and put in /var/trackwall. We use this root certificate to sign HTTPS requests.
You will need to import this certificate in your browser.
NOTE! Make sure the certificate is readable! Firefox will NOT show an error or warning if it's not.
You will need to turn off the hyper-aggressive ttl-ignoring DNS cache that both Firefox and Chrome are infected with.
An address like:
http://blocked.example.com/some_script.js
will be resolved to:
http://127.0.0.53:80/some_script.js
trackwall runs an HTTP server at 127.0.0.53:80 and 127.0.0.53:443 which will either:
- Serve some no-ops for some common scripts so web pages don't error out (Google Analytics, AddThis, etc.).
- Serve a simple HTML or JS page informing the user that this request is blocked. This is useful so that you don't have to guess why a request doesn't work and to keep the browser's error log clutter-free.
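The stub behaviour described above, as an added example that is not trackwall's own code: after the DNS rewrite the request reaches the local server with its path and Host header unchanged, so the handler can pick a response per blocked host. The names stub, noops and fetch and the sample no-op script are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// noops: replacement script per blocked host (constructed sample entry).
var noops = map[string]string{
	"www.google-analytics.com": "window.ga = function() {};",
}

// stub handles a request that DNS redirected to the filter. The URL path is
// unchanged and the Host header still names the blocked domain.
func stub(w http.ResponseWriter, r *http.Request) {
	host := strings.ToLower(r.Host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit port
	}
	if js, ok := noops[host]; ok {
		w.Header().Set("Content-Type", "application/javascript")
		io.WriteString(w, js)
		return
	}
	if strings.HasSuffix(r.URL.Path, ".js") {
		w.Header().Set("Content-Type", "application/javascript")
		io.WriteString(w, "/* request blocked by the DNS filter */")
		return
	}
	// Host and path are client-controlled: escape before echoing them.
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<p>Blocked: %s</p>", html.EscapeString(host+r.URL.Path))
}

// fetch simulates the browser's request for rawURL arriving at the stub.
func fetch(rawURL string) (contentType, body string) {
	rec := httptest.NewRecorder()
	stub(rec, httptest.NewRequest("GET", rawURL, nil))
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	fmt.Println(fetch("http://blocked.example.com/some_script.js"))
	fmt.Println(fetch("http://blocked.example.com/%3Cb%3Ehi"))
}
```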
No release yet. This is experimental software.
- Listen to signals to reload
- Measure some degree of performance
- Serve surrogates for "CDN"s etc. as well (like decentraleyes extension)
No. This is not a DNS resolver/cache, just a proxy/filter. If you're looking for a DNS cache then unbound is a good option. Running both on even an older system should be fine (the trackwall author is running them both on a ten-year old OpenBSD laptop).
Sorry :-( I always appreciate feedback by the way, so drop me an email at martin@arp242.net
Here are some similar programs:
- adsuck (POSIX systems)
- Little Snitch (OSX)
- dnsblock (POSIX systems)
- pi-hole
- dns66 (Android)
This program is written by Martin Tournoij martin@arp242.net, whose job would have been a lot harder without Miek Gieben's DNS library.
The MIT License (MIT)
Copyright © 2016 Martin Tournoij
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.