Run your own dnsmasq in tandem with libvirtd and NetworkManager (grobinson.net)
46 points by _apcw on Oct 11, 2015 | 9 comments



If you're doing this then make sure that your router uses your DNS server so you don't have to manually enable it on all your devices (especially those pesky Android devices that don't allow you to have a custom DNS server with a dynamic IP).

You can also replace your router's firmware with OpenWRT. OpenWRT uses dnsmasq by default (and allows you to customize the configuration, of course), so you don't even have to use a separate server.


This is assuming your hardware is supported. I thoroughly endorse it if it is.


For Debian unstable with systemd-resolved also enabled, I needed these:

/etc/dnsmasq.d/network-manager:

  bind-interfaces
  interface=lo

/etc/systemd/resolved.conf:

  [Resolve]
  DNS=127.0.0.1 ::1

/etc/nsswitch.conf:

  passwd: compat
  group: compat
  shadow: compat
  hosts: files mymachines gw_name myhostname mdns4_minimal resolve [NOTFOUND=return] dns mdns4
  networks: files
  protocols: db files
  services: db files
  ethers: db files
  rpc: db files
  netgroup: nis

There are so many because I also have the packages libnss-myhostname, libnss-mymachines, libnss-gw-name and libnss-mdns. Important to note is the NOTFOUND=return directive after resolve, because libnss-resolved is not available on Debian yet and thus it's going to query dnsmasq directly instead of resolved first (which is also using dnsmasq anyway).
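A quick way to sanity-check the three files above, as an added example that is not from the comment or from dnsmasq, systemd or NetworkManager: a POSIX sh script (file layout, function names and the sample configs are my own assumptions) that checks that dnsmasq is pinned to the loopback interface with bind-interfaces (so it does not bind the wildcard address and clash with libvirt's own dnsmasq instances), that resolved forwards only to the local dnsmasq, and which action follows resolve on the hosts: line. The sample config files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the dnsmasq +
# systemd-resolved + nsswitch.conf setup described in the comment above.
# Default paths are the ones named in the comment; pass a file to override.

# check_dnsmasq_local FILE: succeed only if dnsmasq is restricted to loopback.
# Without bind-interfaces dnsmasq binds the wildcard address (and filters in
# userspace), which collides with the dnsmasq instances libvirtd starts.
check_dnsmasq_local() {
    f="${1:-/etc/dnsmasq.d/network-manager}"
    grep -qx 'bind-interfaces' "$f" && grep -qx 'interface=lo' "$f"
}

# check_resolved_upstream FILE: succeed only if the first DNS= line in
# resolved.conf points exclusively at the local dnsmasq (127.0.0.1 / ::1).
check_resolved_upstream() {
    f="${1:-/etc/systemd/resolved.conf}"
    dns=$(sed -n 's/^DNS=//p' "$f" | head -n 1)
    [ -n "$dns" ] || return 1
    for addr in $dns; do
        case "$addr" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# nss_hosts_resolve_action FILE: print the [ACTION] token that directly follows
# "resolve" on the hosts: line (the comment uses [NOTFOUND=return]), or "none"
# when resolve has no action or is absent.
nss_hosts_resolve_action() {
    f="${1:-/etc/nsswitch.conf}"
    hosts=$(sed -n 's/^hosts:[[:space:]]*//p' "$f" | head -n 1)
    set -f   # "[NOTFOUND=return]" must not be treated as a glob while splitting
    found=0
    for tok in $hosts; do
        if [ "$found" -eq 1 ]; then
            case "$tok" in
                \[*\]) set +f; printf '%s\n' "$tok"; return 0 ;;
                *) set +f; printf 'none\n'; return 0 ;;
            esac
        fi
        [ "$tok" = "resolve" ] && found=1
    done
    set +f
    printf 'none\n'
}

# make_samples: write constructed sample configs (good and bad variants) into
# a temporary directory and print its path. Sample data only, not real hosts.
make_samples() {
    d=$(mktemp -d)
    printf 'bind-interfaces\ninterface=lo\n' > "$d/dnsmasq-good"
    printf 'interface=lo\n' > "$d/dnsmasq-bad"            # no bind-interfaces
    printf '[Resolve]\nDNS=127.0.0.1 ::1\n' > "$d/resolved-good"
    printf '[Resolve]\nDNS=192.0.2.53\n' > "$d/resolved-bad"   # bypasses dnsmasq
    printf 'passwd: compat\nhosts: files mymachines gw_name myhostname mdns4_minimal resolve [NOTFOUND=return] dns mdns4\n' > "$d/nsswitch-good"
    printf 'hosts: files resolve dns\n' > "$d/nsswitch-noaction"
    printf '%s\n' "$d"
}

# demo: run the three checks against the live system files and report.
demo() {
    check_dnsmasq_local && echo "dnsmasq: loopback only" || echo "dnsmasq: NOT pinned to lo"
    check_resolved_upstream && echo "resolved: forwards to local dnsmasq" || echo "resolved: forwards elsewhere"
    echo "nsswitch: action after resolve is $(nss_hosts_resolve_action)"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it against the real files with RUN_DEMO=1 sh check-dns.sh (assumed file name). Each check is deliberately strict: a resolved.conf that lists any upstream other than 127.0.0.1 or ::1 fails, because that is exactly the case where queries silently bypass the dnsmasq rules and blocklists the thread is about.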


Apparently I was the first person ever to attempt using dnsmasq to block ads (Fri, Oct 27, 2006). In 2006 I reported a bug named "reading /etc/hosts takes 6 minutes" :-)

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/200...

Before, every new DNS entry was naively compared sequentially with the current dataset; the fix was probably a hash table.


Unbound works very well to block hundreds of static domains, like you get from ad-blocking lists, and needs very few resources. IMHO, it should be the default for desktop distros.


Trying to make it a bit easier: https://github.com/jakeogh/dnsmasq-blacklist


At first, when I switched to Ubuntu and saw dnsmasq I was a little happy. I thought I could finally have something lightweight and slightly more powerful than a hosts file plus more control over what happens with my queries.

But then I tried to search online and at least try to understand what it actually is, what it does or is supposed to do, or what it doesn't do and so on. Then I thought that running bind9 might be easier, at least I know what it's supposed to do.

I finally decided to leave it the way it came with my Ubuntu. Some articles say it's there to act as a dns cache and something else with VPNs while other articles claim the caching functionality is turned off by default. Really confusing for somebody who's not that experienced.


It seems only OpenBSD got this right (in my opinion), from a cursory inspection of the man pages for resolv.conf: they allow for a non-default port in it. There has been a bug in glibc about this since 2012 [1]!

Oh well.

1. https://sourceware.org/bugzilla/show_bug.cgi?id=14242


Isn't changing the format of resolv.conf going to break everything that parses it manually or using a library other than glibc?



