dnsmasq for ad blocking

I have a WireGuard peer running in EC2 that I would like to enable domain-based ad blocking on.
# apt install dnsmasq
# echo interface=wg0 >> /etc/dnsmasq.conf
# curl https://raw.githubusercontent.com/easylist/easylist/master/easylist/easylist_adservers.txt \
| grep -Po '(?<=\|\|).*?(?=\^)' \
| sort -u \
| sed 's|.*|address=/\0/#|g' \
> /etc/dnsmasq.d/blocked-domains.conf
# systemctl start dnsmasq
# systemctl enable dnsmasq
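The grep/sed pipeline above turns every ||...^ rule into an address= line, including the occasional EasyList entry that carries a path or wildcard, which dnsmasq cannot express as a domain. The converter below is an added example, not part of the original post: it does the same extraction in Python but skips exception rules (@@), strips $option suffixes, and only emits rules that are a bare hostname. The input is a constructed sample rather than the real easylist_adservers.txt.

```python
import re

# Hostnames that dnsmasq's address=/<domain>/# will accept: dot-separated labels
# of letters, digits and hyphens, with at least one dot.
HOST_RE = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$')

def easylist_to_dnsmasq(lines):
    """Convert EasyList adserver rules (||host^[$options]) into dnsmasq
    address=/host/# lines. Comments, @@ exception rules, path rules and
    wildcard rules are skipped instead of being emitted as malformed config."""
    hosts = set()
    for raw in lines:
        line = raw.strip()
        if not line.startswith('||'):
            continue                      # comment, @@ exception or cosmetic rule
        rule = line[2:].split('$', 1)[0]  # drop $third-party and similar options
        if not rule.endswith('^'):
            continue                      # not a plain domain anchor
        host = rule[:-1].lower()          # DNS names are case-insensitive; dedupe
        if '/' in host or '*' in host or not HOST_RE.match(host):
            continue                      # paths and wildcards have no dnsmasq equivalent
        hosts.add(host)
    return ['address=/%s/#' % h for h in sorted(hosts)]

# Constructed sample mimicking easylist_adservers.txt entries (not real file contents).
SAMPLE = """
! Title: EasyList - Adservers (constructed sample)
||ads.example.com^
||tracker.example.net^$third-party
@@||allowed.example.org^
||example.com/ads/^
||*.wildcard.example^
||Dup.Example.COM^
||dup.example.com^
""".splitlines()

if __name__ == '__main__':
    # Writing this output to /etc/dnsmasq.d/blocked-domains.conf gives the
    # same result as the pipeline above, minus the malformed entries.
    for out in easylist_to_dnsmasq(SAMPLE):
        print(out)
```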
Next configure your WireGuard peer to use the "server" peer's IP as the DNS.
[Interface]
DNS=<peer-ip>
From your "client" peer, you can test that DNS returns NXDOMAIN.
$ dig doubleclick.net
; <<>> DiG 9.10.6 <<>> doubleclick.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57684
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.net. IN A
;; Query time: 46 msec
;; SERVER: 172.16.8.1#53(172.16.8.1)
;; WHEN: Wed Jan 11 22:23:40 AEDT 2023
;; MSG SIZE rcvd: 44