Blocking advertising tidily at the gateway

Stephen Thomas <>
Updated 12-May-2018
This is free software. Do anything you like with it except hold me accountable for any grief it causes you.

Here's how I added adblocking to my LAN's Internet gateway (a Beaglebone Black running Debian Testing) using only coreutils, dnsmasq, wget, xinetd and a smidgen of script.


  1. Put a stub HTTP server on the gateway that responds with a 1-pixel transparent GIF regardless of what you ask it for.
  2. Make the gateway's DNS server return the pixel server's IP address for all queries against domain names in a local blacklist.
  3. Automatically maintain the blacklist using an online list of advertising servers.

DNS-based blocking like this wouldn't stop a skilled user but advertising is a nuisance, not a prohibited resource; this is a flyscreen, not a security door.

1. The pixel server

Using single transparent pixels as placeholders for blocked content doesn't break most web page layouts, and serving them locally saves time and WAN traffic. There are several 1-pixel server projects available, but I wanted to see if I could bring one up using only the packages already installed on my gateway. Here's what I ended up with:

This builds a pseudoservice that discards requests and regurgitates the same empty point on each connection, much like the industry whose intrusions it exists to frustrate. Replace with your own gateway's LAN IP address (edit the text box above before copying and pasting if you like).

If you're already running a proper web server on that gateway, you'll need to add an extra IP address for the pixel server and bind it to that instead.

2. Subverting the DNS

I'm completely in love with dnsmasq. If you're running a Linux gateway and you're not using dnsmasq to deal with your LAN's DHCP and DNS requirements, I think you're doing it the hard way.

In particular, dnsmasq is perfectly suited to exactly the kind of mass DNS spoofing needed for this project: a config line of the form address=/must.go/ will make any hostname ending in must.go resolve to

As packaged by Debian, dnsmasq comes preconfigured to scan /etc/dnsmasq.d for additional config so it's not even necessary to edit the main config file.

3. Maintaining the blacklists

All that's needed is a little update script that runs once per week:

Again, replace with your own gateway's LAN IP address (perhaps by editing the text box above before copying and pasting).

Peter Lowe has my undying gratitude for maintaining the upstream list.