ADSUCK(1) OpenBSD Reference Manual ADSUCK(1)
NAME
adsuck - DNS blacklisting daemon
SYNOPSIS
adsuck [-Ddv] [-c directory] [-f resolv.conf] [-l listen] [-p port]
[-r regexfile] [-u user] hostsfile ...
DESCRIPTION
adsuck is a small DNS server that spoofs blacklisted addresses and forwards
all other queries. The idea is to be able to prevent connections
to undesirable sites such as ad servers, crawlers and other nasties. It
can be used locally, for the road warrior, or on the network perimeter in
order to protect machines from malicious sites.
adsuck replies to bad addresses with a spoofed DNS packet that has the
NXdomain flag set. This in effect prevents the application that is
resolving the address from trying to connect to this address. Addresses
that are not matched are forwarded to the normal nameserver, as provided
by resolv.conf(5).
Note that when applications try to be smart and resolve an address with
the local domain name appended, adsuck will still spoof the answer.
The options are as follows:
-c directory
This is the chroot directory. If it is not specified, it uses
the home_dir entry from /etc/passwd.
-D Do not daemonize.
-d Enable debug output.
-f resolv.conf
This is a standard formatted resolv.conf file that contains the
name server that can resolve non-blacklisted entries.
-l listen
This is the address adsuck will listen on. The default is all IP
addresses.
-p port
This is the port number that adsuck will bind to. The default is
53.
-r regexfile
Filename of a file that contains one regular expression per line;
e.g. banner|ads|stat|track|click. When matched the DNS response
will be spoofed. The regex engine runs before the hostsfile
match. See regex(3) and re_format(7) for more information.
-u user
This is the user that adsuck will drop privileges to after it
binds to the listen address. The default is _adsuck.
-v Enable verbose output.
hostsfile
This is a standard formatted hostsfile that contains all blacklisted
entries. Examples of good blacklist files can be found at
http://rlwpx.free.fr/WPFF/hosts.htm and
http://www.mvps.org/winhelp2002/
Sending adsuck a SIGHUP signal will cause it to reevaluate the
resolv.conf file. A SIGUSR1 signal will cause it to reread all hostsfiles
and the regex file.
FILES
hostsfile Blacklist entries in standard hostsfile format. The entries
must point to 127.0.0.1. E.g. 127.0.0.1 badsite.com
If the entry points to a different address, then the
spoofing will not be done via NXdomain but will instead return
the provided IP address. This enables the administrator
to forward specific sites to an IP address that might
contain a warning. In order to spoof badsite.com to
192.168.0.1 add "192.168.0.1 badsite.com" to a hostsfile.
resolv.conf Standard resolv.conf file that contains the actual resolving
nameserver and options.
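The matching order described above (regex file first, then hostsfile; 127.0.0.1 entries answered with NXdomain, other addresses returned as given), as an added Python model that is not adsuck's own code. The function names and the tracker.example entry are constructed, Python's re stands in for regex(3), and the two points marked as assumptions in the comments are not confirmed by this page.

```python
import re

def parse_hostsfile(text):
    """Map each blacklisted name to the address at the start of its line."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:
            table[name.lower().rstrip(".")] = fields[0]
    return table

def parse_regexfile(text):
    """One expression per line, as described for -r."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]

def decide(qname, hosts, regexes, local_domain=None):
    """Return (action, address): NXDOMAIN, SPOOF to an address, or FORWARD."""
    name = qname.lower().rstrip(".")
    # The regex engine runs before the hostsfile match (unanchored search).
    # Assumption: a regex hit is answered like a 127.0.0.1 entry, with NXdomain.
    if any(rx.search(name) for rx in regexes):
        return ("NXDOMAIN", None)
    candidates = [name]
    # Assumption: a name with the local domain appended is matched by
    # also trying it with that suffix removed.
    if local_domain and name.endswith("." + local_domain.lower()):
        candidates.append(name[: -len(local_domain) - 1])
    for candidate in candidates:
        address = hosts.get(candidate)
        if address == "127.0.0.1":
            return ("NXDOMAIN", None)
        if address is not None:
            return ("SPOOF", address)
    return ("FORWARD", None)

# Constructed sample input; the second entry and the regex are the man page's examples.
SAMPLE_HOSTS = "127.0.0.1 tracker.example  # constructed\n192.168.0.1 badsite.com\n"
SAMPLE_REGEX = "banner|ads|stat|track|click\n"

if __name__ == "__main__":
    hosts, regexes = parse_hostsfile(SAMPLE_HOSTS), parse_regexfile(SAMPLE_REGEX)
    for q in ("badsite.com", "downloads.example.org", "www.example.org"):
        print(q, decide(q, hosts, regexes), decide(q, hosts, []))
```

With the man page's example regex loaded, downloads.example.org is spoofed because "ads" matches inside "downloads", and badsite.com gets NXdomain rather than the 192.168.0.1 redirect because the regex is checked first. Anchoring or narrowing the expressions avoids both effects.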
SEE ALSO
resolv.conf(5)
HISTORY
adsuck was written to do some smarter ad blocking without using individual
browser components and to avoid lengthy hostsfile lookups.
AUTHORS
adsuck was written by Marco Peereboom <marco@peereboom.us>.
BUGS
Currently adsuck depends on ldns.
OpenBSD 4.5 March 8, 2009