
Blackholing Domains with WireGuard

Short post incoming because it's not worthy of a longer one, but more interesting than dropping a tweet.

I noticed that my laptop was still connecting to ad-serving domains I'd blackholed in /etc/hosts when I was connected to my WireGuard VPN. Obviously this wasn't great, as the point of blackholing them was to ensure my laptop couldn't connect.

Looking at the official WireGuard docs, I couldn't see anything that pointed me in the right direction. The unofficial docs were better, but didn't have much about the DNS line in wg0.conf.

Before I began, my wg0.conf looked like this, with DNS provided by Cloudflare.

[Interface]
Address = 10.10.0.0/16
ListenPort = 52880
PrivateKey = <SNIP>
DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i %i -j wireguard; iptables -A FORWARD -o %i -j wireguard; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j wireguard; iptables -D FORWARD -o %i -j wireguard; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer] # laptop
PublicKey = <SNIP>
AllowedIPs = 10.10.10.10/32

[Peer] # phone
PublicKey = <SNIP>
AllowedIPs = 10.10.10.11/32
wg0.conf

After a few tries with multiple DNS entries and separators, I found that to block domains effectively I simply needed to add them to the DNS config line, separated by ;. This means that my DNS entry became the following, and those domains were sequestered in the darkness.

Two caveats before copying this. wg-quick(8) documents the DNS key as a comma-separated list in which IP addresses become the interface's DNS servers and any non-IP entry becomes a DNS search domain, so a value written with other separators may not be split the way it looks. And the key is only applied (via resolvconf) on the host running wg-quick: WireGuard does not push DNS settings to peers, so a DNS line in one endpoint's wg0.conf does not change how the other endpoint resolves names.

DNS = 1.1.1.1; 0.0.0.0, example1.com; 0.0.0.0, example2.com
Multiple DNS entries and lookup servers
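The separator question can be settled from wg-quick itself: its parse_options() in linux.bash turns commas into spaces, word-splits the value, and classifies every token as an IPv4 server (digits and dots only), an IPv6 server (contains a colon) or, failing both, a DNS search domain. The script below is an added example and not part of the original post: it reproduces that classification in POSIX sh (the wg_* function names and the sample values are mine, the conf file it reads is constructed) and runs it over the DNS line above and over the documented comma-separated form.

```sh
#!/bin/sh
# Added example, not from the original post. Reproduces how wg-quick
# (linux.bash, parse_options) tokenises the [Interface] DNS value:
#
#   DNS) for v in ${value//,/ }; do
#       [[ $v =~ (^[0-9.]+$)|(^.*:.*$) ]] && DNS+=( $v ) || DNS_SEARCH+=( $v )
#   done
#
# Commas become spaces, the value is word-split on whitespace, and each
# token is classified: digits-and-dots only -> IPv4 server, contains a
# colon -> IPv6 server, anything else -> search domain. ';' is not a separator.

# Extract the raw value of every DNS key in a wg-quick conf file, stripping
# '#' comments and trailing whitespace as wg-quick does. Key match is
# case-insensitive like wg-quick's nocasematch; unlike wg-quick this does not
# check that the key sits inside [Interface] (peers have no DNS key anyway).
wg_conf_dns_value() {
    sed -n 's/#.*//; s/[[:space:]]*$//; s/^[[:space:]]*[Dd][Nn][Ss][[:space:]]*=[[:space:]]*//p' "$1"
}

# Classify one token the way the wg-quick regex does: prints "server" or "search".
wg_dns_classify() {
    case $1 in
        *:*)        echo server ;;   # has a colon: accepted as an IPv6 address
        *[!0-9.]*)  echo search ;;   # any char other than digit or dot: search domain
        *)          echo server ;;   # digits and dots only: accepted as an IPv4 address
    esac
}

# Print the tokens wg-quick would hand to resolvconf as nameservers, one per line.
wg_dns_servers() {
    for v in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$(wg_dns_classify "$v")" = server ] && printf '%s\n' "$v"
    done
    return 0
}

# Print the tokens wg-quick would hand to resolvconf as search domains, one per line.
wg_dns_search() {
    for v in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$(wg_dns_classify "$v")" = search ] && printf '%s\n' "$v"
    done
    return 0
}

# Constructed sample inputs: the DNS line from the post, and the documented
# comma-separated form (2606:4700:4700::1111 is Cloudflare's IPv6 resolver,
# corp.example a made-up search domain).
POST_LINE='1.1.1.1; 0.0.0.0, example1.com; 0.0.0.0, example2.com'
DOCUMENTED_LINE='1.1.1.1, 2606:4700:4700::1111, corp.example'

for line in "$POST_LINE" "$DOCUMENTED_LINE"; do
    echo "DNS = $line"
    echo "  servers: $(wg_dns_servers "$line" | tr '\n' ' ')"
    echo "  search:  $(wg_dns_search "$line" | tr '\n' ' ')"
done
```

On the post's line the nameservers come out as 0.0.0.0 twice and the search list as 1.1.1.1;, example1.com; and example2.com, because the semicolons are carried along inside the tokens. What the stub resolver then does with a nameserver of 0.0.0.0 depends on the system, so after wg-quick up wg0 inspect /etc/resolv.conf (or resolvectl status wg0 on systemd-resolved hosts) rather than inferring the effect from the config file.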