`go-hole` is a fast and lightweight DNS sinkhole that blocks domains known to serve ads, tracking scripts, malware and other unwanted content. It also caches DNS responses to reduce latency, and collects anonymous statistics about the DNS traffic. `go-hole` is written in Go and runs on every platform and operating system supported by the Go compiler. `go-hole` can be combined with a private VPN to protect mobile devices on every network.
Run as a Docker container and use as your primary DNS server:

```bash
docker run --name go-hole -d -p 127.0.0.1:53:8053/udp davidepedranz/go-hole:latest
```
Test that `go-hole` is working correctly:

```bash
nslookup -port=8053 example.com localhost
nslookup -port=8053 googleadservices.com localhost
```
`go-hole` runs a custom DNS server that selectively blocks unwanted domains by replying NXDomain (Non-Existent Domain) to the client. It uses an upstream DNS (by default 1.1.1.1) to resolve the queries the first time, then it caches the response to speed up the following requests.
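The blocking decision described above, as an added example that is not go-hole's own code: it decodes the question name from a raw DNS query and builds the NXDomain reply for a blacklisted name. The function names `questionName` and `sinkhole`, the map-based blacklist with exact matching on the lower-cased name, and the sample query are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// questionName decodes the first QNAME of a DNS query (RFC 1035 wire format).
// It returns the lower-cased name and the offset just past QTYPE and QCLASS.
func questionName(msg []byte) (string, int, error) {
	var labels []string
	i := 12 // the fixed DNS header is 12 bytes
	for i < len(msg) && msg[i] != 0 {
		n := int(msg[i])
		if n > 63 || i+1+n > len(msg) { // also rejects compression pointers
			return "", 0, fmt.Errorf("bad label at offset %d", i)
		}
		labels = append(labels, strings.ToLower(string(msg[i+1:i+1+n])))
		i += 1 + n
	}
	if i+5 > len(msg) { // root label, QTYPE and QCLASS must follow
		return "", 0, fmt.Errorf("truncated question")
	}
	return strings.Join(labels, "."), i + 5, nil
}

// sinkhole returns an NXDomain reply for a blacklisted name, or nil when the
// query should go to the upstream resolver. Exact matching is an assumption.
func sinkhole(query []byte, blacklist map[string]bool) ([]byte, error) {
	name, end, err := questionName(query)
	if err != nil || !blacklist[name] {
		return nil, err
	}
	resp := append([]byte{}, query[:end]...) // header + question, drops any OPT record
	resp[2] = 0x80 | (query[2] & 0x79)       // QR=1, keep opcode and RD
	resp[3] = 0x83                           // RA=1, RCODE=3 (NXDomain)
	copy(resp[6:12], make([]byte, 6))        // ANCOUNT, NSCOUNT, ARCOUNT = 0
	return resp, nil
}

func main() {
	// Constructed query: ID 0x1234, RD set, one question "Ads.Example. A IN".
	q := []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03Ads\x07Example\x00\x00\x01\x00\x01")
	resp, err := sinkhole(q, map[string]bool{"ads.example": true})
	fmt.Printf("% x %v\n", resp, err)
}
```

The reply echoes the question with the client's original letter case, so resolvers that randomize case in queries still accept it.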
The amount of intrusive ads and tracking services on the Internet is huge and continues to grow. While it is quite easy to block them on a computer using your favourite ad-block plugin, it is difficult or even impossible to do the same on mobile devices. This project aims to block unwanted ads and services at the network level, without the need to install any software on the user's device.
This project is inspired by Pi-Hole, but with a slightly different approach. `go-hole` provides a single binary that only selectively filters the unwanted domains. The blacklist is static and is loaded at startup and cached in memory.
```bash
# build the binary
go build

# execute the binary
# please make sure the blacklist is available at ./data/blacklist.txt
./go-hole
```
`go-hole` can be configured using a few environment variables:

Environment Variable | Default Value | Function |
---|---|---|
DNS_PORT | 8053 | UDP port where to listen for DNS queries. |
PROMETHEUS_PORT | 9090 | TCP port where to serve the collected metrics. |
UPSTREAM_DNS | 1.1.1.1:53 | IP and port of the upstream DNS to use to resolve the queries. |
DEBUG | false | If true, go-hole logs all queries to the standard output. |

You can customize the behaviour of `go-hole` by changing domains in the blacklist. The default blacklist can be built with:

```bash
./scripts/make-blacklist.sh
```
Sure, check out the automatic build on Docker Hub: https://hub.docker.com/r/davidepedranz/go-hole/
Sure, this is the main setup of `go-hole`. For example, you can combine it with OpenVPN. We will soon publish a guide to set up `go-hole` and OpenVPN together on a private server.
By default, `go-hole` does not log any DNS query. Logging can be enabled for debug purposes, but we discourage it in production, since it breaches the privacy of the users. On the other hand, `go-hole` is fully instrumented to collect anonymous data about the amount of blocked queries, the response times and other performance metrics.
`go-hole` is instrumented with Prometheus to collect the following metrics:

Type | Name | Help |
---|---|---|
Histogram | gohole_dns_queries_duration_seconds | Duration of replies to DNS queries. |
Histogram | gohole_blacklist_lookup_duration_seconds | Duration of a domain lookup in the blacklist. |
Histogram | gohole_cache_operation_duration_seconds | Duration of an operation on the cache. |

By default, metrics are served over HTTP at port 9090 and path `/metrics`.
`go-hole` is free software released under the MIT Licence. Please check out the LICENSE file for details.