( 🇨🇵 This page is available in French: [[dns-blocklist|Listes de blocage DNS]] )

====== DNS Block List ======

DNS filtering is an easy way to block the vast majority of advertising, tracking and malware sites with a minimum of effort. It is quick to set up and easy to revert.

Frankly, this is the kind of thing I would install on all friends' and family computers and smartphones. It significantly reduces system "rotting" (advertising, spyware, malware, tracking...).

Advantages of DNS filtering:

{{ :dns-blocklist:panneau-sens-interdit.png?nolink&150|}}

  * Filters a large quantity of advertising/tracking/malware without the need for additional software (Exception: Android needs additional software).
  * Works under all OSes (Windows, Linux, MacOSX...)
  * Works in all applications (and not only the browser)
  * **Under Android, gets rid of almost all advertising and tracking, //including inside applications//.**
  * Can be set up device by device, or on an entire network if configured on your router (pi-Hole, pfSense, etc.)
  * Easy to set up.
  * Fast.

Drawbacks:

  * Does not filter //everything//.
  * Some software may perform DNS resolution itself instead of using the system DNS. It may therefore work around your DNS blocklist.

You do not need to worry: The setup is easy to reverse.

As an example, a typical CNN page is 20 Mb. With this DNS blocklist alone, it drops to 10 Mb. This is a 50% gain. Not only will the page load faster, but you will also save on your data and phone bills, even if you use a browser which is not capable of filtering.

----

===== List =====

URL to use: **https://sebsauvage.net/hosts/hosts**

==== What does this list block? ====

  * Web advertising (//smartadserver.com, doubleclick.net, googleadservices.com, googlesyndication.com, tradedoubler.com, adbrite.com, yimg.com(YahooAds)...//), including site-specific domains (//ad.paypal.com, ad.foxnetworks.com, ads.sun.com...//), including first-party advertising and tracking.
  * Malvertising (advertising networks known for spreading malware, trojan horses...) (//adshufffle.com, conduit.com...//)
  * Advertising in mobile applications (//admob.com, inmobi.com, mopub.com, adinfuse.com...//)
  * Web analytics (//google-analytics.com, scorecardresearch.com, quantserve.com...//)
  * Mobile applications analytics (//crashlytics.com, applovin.com, flurry.com...//)
  * Analytics/tracking from smartphone manufacturers (//nmetrics.samsung.com, sdkconfig.ad.xiaomi.com, tracking.intl.miui.com...//)
  * Tracking services (canvas fingerprinting, evercookies...).
  * First-party trackers.
  * Social badges and buttons (//addthis.com, badges.instagram.com, badge.stumbleupon.com...//)
  * Web site counters (//sitemeter.com, free-counter.co.uk, webcounter.com, statcounter.com...//)
  * Fraudulent or malware sites (//goggle.com, googfle.com, antivirus-scanner.com, adblock.fr, audacity.fr, myfuncards.com...//)
  * Popup-hell websites.
  * Unreliable download websites (//softonic.com...//)
  * Sites linked to spam campaigns (//buy-viagra.go.to, cheap-valium.polybuild.ru, forex-market.hut1.ru, norton-antivirus-trial.searchservice.info...//)
  * Websites designed to shock (//goatse, 2girls1cup...//)
  * Domains linked to Windows 10 tracking/reporting/telemetry (//reports.wes.df.telemetry.microsoft.com, feedback.microsoft-hohm.com, telemetry.appex.bing.net, statsfe2.ws.microsoft.com...//)

==== Sources ====

This list is an aggregation of the following sources:

  * https://adaway.org/hosts.txt
  * https://someonewhocares.org/hosts/hosts
  * https://winhelp2002.mvps.org/hosts.txt
  * https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
  * https://hostfiles.frogeye.fr/firstparty-only-trackers-hosts.txt
  * https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  * https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
  * https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt
  * https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
  * https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt
  * https://small.oisd.nl/
  * https://blocklistproject.github.io/Lists/phishing.txt
  * https://blocklistproject.github.io/Lists/ransomware.txt
  * https://dl.red.flag.domains/red.flag.domains.txt
  * https://mirror.cedia.org.ec/malwaredomains/justdomains
  * https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
  * https://www.malwaredomainlist.com/hostslist/hosts.txt
  * https://raw.githubusercontent.com/notracking/hosts-blocklists/master/dnscrypt-proxy/dnscrypt-proxy.blacklist.txt
  * https://blocklistproject.github.io/Lists/tracking.txt

The blocklist is available in several formats:

^ URL ^ Notes ^
| **https://sebsauvage.net/hosts/hosts** \\ **[RECOMMENDED]** | hosts format (//''0.0.0.0 hostname''//) \\ **Suited for Android and computers** \\ This hosts file can be used as is in Windows, Linux, MacOSX and in personalDNSFilter and DNS66 on Android. |
| **https://sebsauvage.net/hosts/hosts-adguard** | AdGuard/uBlock-Origin format (//''||hostname^''//) \\ **Suited for Android and computers** \\ This list can be used in AdGuard (on Android) and uBlock-Origin. |
| **https://sebsauvage.net/hosts/raw** | Raw format (//''hostname''//) (just the domains, no headers) |

=== Whitelist ===

These blocking lists make occasional mistakes. I have put some domains on a whitelist. These domains will never be blocked.

^Domain^Reason^
|sebsauvage.net|My own domain so that list updates are not blocked.|
|proxad.net|Professional French hosting company (branch of Free.fr ISP)|
|commentcamarche.net|Computer tutorials website|
|www.commentcamarche.net|Computer tutorials website|
|mail.gandi.net|Mail server of one of the biggest French professional hosting companies|
|c.orange.fr|Linked to the webmail of Orange, one of the biggest French ISPs|
|iapref.orange.fr|Linked to the webmail of Orange, one of the biggest French ISPs|
|iapref.wanadoo.fr|Linked to the webmail of Orange, one of the biggest French ISPs|
|metric.gstatic.com|Some sub-domains are used for DoT (DNS-over-TLS)|
|ssl0.ovh.net|Mail servers hosted at OVH|
|60gp.ovh.net|Mail servers hosted at OVH|
|vboxsvr.ovh.net|Shared hosting at OVH|
|cdn.tagcommander.com|Required for LaPoste webmail|
|ae01.alicdn.com|Required to display images in AliExpress|
|www.sugarsync.com|Required for SugarSync cloud synchronization.|
|lilo.org|Search engine|
|www.ismonaco.org|University|
|cpc.cx|URL shortener of CanardPC.|
|simplelogin.fr, simplelogin.io|Antispam mail service|
|go.icann.org|Non-profit internet coordination organization|
|idp.impots.gouv.fr|French IRS|
|ipfs.scalaproject.io|IPFS Gateway|
|app.simplelogin.io|Antispam email|
|t.co|Twitter URL shortener|
|transfer.sh|File transfer service|
|woopic.com|CDN used by Orange ISP|
|pushbullet.com|Automation API|
|l.bfmtv.com|BFMTV short URLs|

\\ PS: If you find a domain which should not be blocked, please let me know (by email, Mastodon, Wire or Telegram).

----

===== Installation =====

==== Linux / MacOSX ====

You can paste [[https://sebsauvage.net/hosts/hosts|this list]] at the end of your ''hosts'' file located at: ''/etc/hosts''

Note: Some distributions require that ''127.0.0.1 machineName'' is defined in the hosts file. You can paste the blocklist after this line.
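
Every entry in ''/etc/hosts'' is trusted by the whole system, and an entry carrying any address other than 0.0.0.0 would redirect that name instead of blocking it. As an added example (not part of the original page or the author's tooling), this shell function checks a downloaded copy of the hosts-format list before it is installed; the function name ''check_blocklist'' and the minimum-entries threshold are assumptions.

```shell
#!/bin/sh
# Added example (not the page author's script): vet a hosts-format blocklist
# before it is copied into /etc/hosts.
# Assumption: every entry has the form "0.0.0.0 hostname", as the formats
# table describes; anything else is rejected rather than guessed at.

# check_blocklist FILE [MIN_ENTRIES]
# Returns 0 when FILE is safe to install, 1 otherwise (details on stderr).
check_blocklist() {
    awk -v min="${2:-1}" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            sub(/[ \t]*#.*$/, "")                # drop a trailing comment
            ok = (NF == 2 && $1 == "0.0.0.0")
            # The name must look like a DNS hostname, and must not be
            # localhost (which the local hosts file has to keep resolving).
            if (ok && $2 !~ /^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$/) ok = 0
            if (ok && (length($2) > 253 || tolower($2) == "localhost")) ok = 0
            if (!ok) {
                printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
                bad++
                next
            }
            entries++
        }
        END {
            # A near-empty file usually means a truncated or failed download.
            if (entries < min + 0)
                printf "only %d entries, expected at least %d\n", entries, min > "/dev/stderr"
            exit (bad > 0 || entries < min + 0) ? 1 : 0
        }
    ' "$1"
}
```

Run it on the downloaded list alone, before any local ''127.0.0.1'' line is added, and keep the existing ''/etc/hosts'' if it returns non-zero.
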

If you want to automatically update the blocklist, here is an example script which has to be run by root (you can just drop this script in ''/etc/cron.weekly/'').

<code bash>
#!/bin/bash
# Update the DNS blocklist from the web
logger "hosts-update: Updating hosts."
tempname=$(mktemp)
# Keep the local machine name resolvable
echo "127.0.0.1 $(hostname)" > "$tempname"
printf "\n\n" >> "$tempname"
curl --fail https://sebsauvage.net/hosts/hosts >> "$tempname"
res=$?
if test "$res" != "0"; then
    logger "hosts-update: Failed to update hosts : $res"
    rm "$tempname"
    exit 1
fi
# Set permissions before the swap so /etc/hosts is never unreadable
chmod 0644 "$tempname"
mv /etc/hosts /etc/hosts.old
mv "$tempname" /etc/hosts
logger "hosts-update: hosts file successfully updated."
</code>

==== Windows ====

Under Windows, the "DNS Client" service seems to cause problems. It's a DNS cache. You must disable this service **before** installing this blocklist (run ''services.msc'', right-click on "DNS Client" > Properties > Startup: Disabled, then restart your computer). \\
Under Windows 10, even the administrator is not allowed to disable this service. Run ''regedit'' and put ''4'' (=disabled) in ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Start'' then restart your computer. \\ \\
You MUST disable ''DNS Client'' service **before** installing this blocklist. You have been warned.

You can paste [[https://sebsauvage.net/hosts/hosts|this list]] at the end of your ''hosts'' file located at: ''C:\Windows\System32\drivers\etc\hosts''

If this does not seem to work, run ''ipconfig /flushdns'' in a terminal.

If you want the hosts file to be automatically updated, you can try the freeware //HostsMan// [NOT TESTED] : http://www.abelhadigital.com/hostsman/

==== Android ====

There are several Android applications capable of downloading and applying a blocklist.

Please note that these applications use the VPN feature of Android. It's the only way for an application to collect network traffic of all other applications.

You can use one of these applications:

  * [[https://f-droid.org/fr/packages/dnsfilter.android/|personalDNSFilter]] (on F-Droid)
  * [[https://f-droid.org/fr/packages/org.jak_linux.dns66/|DNS66]] (on F-Droid)

As DNS filtering applications use the VPN feature of Android, you cannot have your VPN **//and//** one of these three applications running simultaneously. It's either VPN or DNS filtering.

In each of these applications, disable the lists provided by default and add https://sebsauvage.net/hosts/hosts

For an extra layer of security, you can use alternate DNS resolvers such as Quad9 (9.9.9.9/149.112.112.112): This resolver also dynamically blocks botnets.

----

===== Update =====

I recommend updating the list every week. \\
Under Android, //personalDNSFilter// and //DNS66// are capable of updating the list automatically on a regular basis.

----

===== Security =====

Keep in mind that this blocklist alone is **not enough**. You must:

  * Keep your operating system **and** applications up-to-date (security patches).
  * Use blocking addons in browsers (uBlock-Origin, PrivacyBadger...)
  * Under Windows, use an anti-malware (The anti-malware provided with Windows is sufficient. You can complement it with a weekly scan of //MalwareBytes// (free version)).
  * Beware of what you download.
  * Back up!

----

===== FAQ =====

  * //Which Android application do you recommend ?//
    * personalDNSFilter is light and does a very good job.
  * //Why use 0.0.0.0 instead of 127.0.0.1 ?//
    * 0.0.0.0 is a valid but non-routable address, so it will fail immediately. This is not the case with 127.0.0.1, which adds some latency.
  * //Why not add list X ?//
    * [[https://github.com/EnergizedProtection/block|Energized]] ?
      * Abusive blocking (e.g. it blocks www.commentcamarche.net, which is a computer science learning site.)
    * //[[https://hosts-file.net/emd.txt|Malwares]] from hosts-file.net ?//
      * Abusive blocking (it blocks //mail.gandi.net//, which is the mail server of a large French hosting provider).
  * //What happens when a website is blocked ?//
    * Your browser will simply display a "website not found" screen, as if the site never existed.
  * //How often do you update your list ?//
    * Every day.
  * //What if your website disappears ?//
    * My website has been online longer than Facebook and Twitter. Satisfied ?

----