Diversion Diversion 5.1.3 - the Router Ad-Blocker, May 09, 2024

[redf0x]

Which version of amtm are you running?

Ive been on 4.1 since release. it is latest version

 

[Treadler]

It's all the default "Standard" and even tried the "Small". Happens both times on fresh install. Just a a weird error i cant seem to figure out

I’m all out of ideas, sorry.

In AMTM make sure entware is up to date?

 

[John Fitzgerald]

Ive been on 4.1 since release. it is latest version

Did you read post #172 ???

 

[Viktor Jaep]

Hey i keep getting this error when installing:

At the end of install it repeats

Waiting for blocking list entry...
Waiting for blocking list entry...

Then it times out

Also, i am not seeing the diversion tab in the UI anymore under the LAN tab like normal.

RT-AX86U

According to his code, it seems to have to do with the dnsmasq.conf file... specifically, if the entry "conf-dir=/opt/share/diversion/list,*" doesn't appear in your /etc/dnsmasq.conf file, it will wait and go through a loop to give you the "Waiting for blocking list entry" message.

I would focus on why dnsmasq.conf isn't accepting this modification... making sure you've met all the minimum requirements, uninstalled/reinstalled, etc.

 

[thelonelycoder]

Hey i keep getting this error when installing:

At the end of install it repeats

Waiting for blocking list entry...
Waiting for blocking list entry...

Then it times out

Also, i am not seeing the diversion tab in the UI anymore under the LAN tab like normal.

RT-AX86U

Check the routers SysLog, Dnsmasq will say what’s not compliant.

 

[thelonelycoder]

Which version of amtm are you running?

4.1. If no update is available your on the latest version. I released amtm 4.1 and Diversion 5.0 at the same time, hence the remark in the release threads for both amtm and Diversion.

 

[redf0x]

Check the routers SysLog, Dnsmasq will say what’s not compliant.

This is the only logs I am seeing when i reinstall diverison:

Jan 5 13:49:18 dnsmasq[15986]: started, version 2.89 cache disabled
Jan 5 13:49:18 dnsmasq[15986]: asynchronous logging enabled, queue limit is 5 messages
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.50.3 -- 192.168.50.254, lease time 1d
Jan 5 13:49:18 dnsmasq[15986]: using nameserver 127.0.0.1#5342
Jan 5 13:49:18 dnsmasq[15986]: read /etc/hosts - 22 names
Jan 5 13:49:18 custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
Jan 5 13:52:32 Diversion: logging is disabled, cannot count ads
Jan 5 13:52:46 rc_service: service 19272:notify_rc restart_dnsmasq

Also, in the console this is what it is telling me as the error:

✖ blocking list entry timed out

 

[dave14305]

Jan 5 13:49:18 dnsmasq[15986]: using nameserver 127.0.0.1#5342

What extra dns service are you running on the router?

NextDNS is known to play badly with dnsmasq and other addons’ customizations.

 

[Viktor Jaep]

What extra dns service are you running on the router?

NextDNS is known to play badly with dnsmasq and other addons’ customizations.

Damn nice catch, @dave14305!

 

[dave14305]

Hi @thelonelycoder,

I have a problem with the weekly stats collection, specific to the top 10 blocked domains.

1. The filter on is NXDOMAIN is catching DNSSEC lines like these:
   Jan 5 16:54:06 dnsmasq[21995]: 107425 192.168.1.187/64162 reply metadata.google.internal is NXDOMAIN (DNSSEC signed)
   and this is putting NXDOMAIN (NF-2) in the temporary list of blocked domains. Maybe config .* is NXDOMAIN$ is a more specific search string.
2. The top 10 blocked domains includes a lot of NXDOMAIN results for my local domain (home.arpa), due to the dnsmasq config for local=/home.arpa/
3. Blocked domains that are a sub-domain of a blocked wildcard domain aren't reported as being from the blockinglist.conf. See securepubads example below.

These are the initial top 10 blocked domains (running your awk commands from stats.div directly):

 778    wpad.home.arpa
 633    lb._dns-sd._udp.home.arpa
 606    _dns.resolver.arpa
 494    metrics.icloud.com
 404    b._dns-sd._udp.home.arpa
 403    db._dns-sd._udp.home.arpa
 150    app-measurement.com              
 143    wpad.<redacted>.local
 114    <redacted>.local
 113    securepubads.g.doubleclick.net

The resulting stats report shows only 2 domains in the report:

 The top 10 blocked ad domains were:
 --------------------------------------------------------
 778    wpad.home.arpa                            blocked
 633    lb._dns-sd._udp.home.arpa                 blocked

I see a couple issues: it detects 2 domains of the 10 as being in the blockinglist.conf, but it displays the wrong 2. metrics.icloud.com and app-measurement.com are direct matches from OISD Small. securepubads.g.doubleclick.net isn't a direct match, but is covered by g.doubleclick.net in the OISD Small list.

Congratulations on the big 5.0! This definitely swayed me in my decision to purchase a new Asus router (RT-AX88U PRO)!

Hope this report is helpful.

 

[thelonelycoder]

Hi @thelonelycoder,

I have a problem with the weekly stats collection, specific to the top 10 blocked domains.

1. The filter on is NXDOMAIN is catching DNSSEC lines like these:
   Jan 5 16:54:06 dnsmasq[21995]: 107425 192.168.1.187/64162 reply metadata.google.internal is NXDOMAIN (DNSSEC signed)
   and this is putting NXDOMAIN (NF-2) in the temporary list of blocked domains. Maybe config .* is NXDOMAIN$ is a more specific search string.
2. The top 10 blocked domains includes a lot of NXDOMAIN results for my local domain (home.arpa), due to the dnsmasq config for local=/home.arpa/
3. Blocked domains that are a sub-domain of a blocked wildcard domain aren't reported as being from the blockinglist.conf. See securepubads example below.

These are the initial top 10 blocked domains (running your awk commands from stats.div directly):

 778    wpad.home.arpa
 633    lb._dns-sd._udp.home.arpa
 606    _dns.resolver.arpa
 494    metrics.icloud.com
 404    b._dns-sd._udp.home.arpa
 403    db._dns-sd._udp.home.arpa
 150    app-measurement.com             
 143    wpad.<redacted>.local
 114    <redacted>.local
 113    securepubads.g.doubleclick.net

The resulting stats report shows only 2 domains in the report:

 The top 10 blocked ad domains were:
 --------------------------------------------------------
 778    wpad.home.arpa                            blocked
 633    lb._dns-sd._udp.home.arpa                 blocked

I see a couple issues: it detects 2 domains of the 10 as being in the blockinglist.conf, but it displays the wrong 2. metrics.icloud.com and app-measurement.com are direct matches from OISD Small. securepubads.g.doubleclick.net isn't a direct match, but is covered by g.doubleclick.net in the OISD Small list.

Congratulations on the big 5.0! This definitely swayed me in my decision to purchase a new Asus router (RT-AX88U PRO)!

Hope this report is helpful.

Thanks Dave, it‘s observation like yours that help me most when fine-tuning.

I hope you are aware that 5.0 is also your brainchild. Your post back then triggered this massive rewrite. And I expected a few flaws and inconsistencies upon release. They all will be sorted out given some time and patience.
It’s software and nobody is perfect - though I strive to be very close to perfection.

 

[dave14305]

I hope you are aware that 5.0 is also your brainchild. Your post back then triggered this massive rewrite. And I expected a few flaws and inconsistencies upon release. They all will be sorted out given some time and patience.

I tried a lot of other adblockers on other platforms in my "Prodigal Son" phase and was always wishing they worked more like Diversion, especially around logging and stats. I'm very happy to help improve things here in any way I can.

 

[thelonelycoder]

I tried a lot of other adblockers on other platforms in my "Prodigal Son" phase and was always wishing they worked more like Diversion, especially around logging and stats. I'm very happy to help improve things here in any way I can.

What can I say but “your a good man / lad” or some other variation therof.
I heard this a lot while troubleshooting one of our systems here on Gran Canaria. This one is again up and running since mid afternoon yesterday. A very happy customer and I will be flying home in a few hours. I fixed one bug and the next revealed itself and that game repeated itself about five times over the last three days.

Frustrating but not uncommon in the business we are in. There are local companies that do the first responding and I only get sent out to try and figure out the mess when they are at their wits end.
Persistence prevailed once again.

 

[iManuB]

Hi! I did a hard reset and installed Diversion 5.0. I don't understand now how Entware works, because during the installation of Diversion you no longer have to enter the IP to assign to Entware.

Yesterday I had problems generating the certificate, because at the command:

openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

It generated an error about v3_ca:

Error Loading extension section v3_ca
4144742400:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4144742400:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names

Once the certificate is generated, it says to go to http://pixelserv ip/ca.crt, which in my case was 192.168.2.2/ca.crt.

Now, of course, there isn't. How do I get the certificate? Via WinSCP?

Thank you and forgive these questions.

* By instead putting this command, found HERE, I can generate the certificate

openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions usr_cert -out ca.crt -subj "/CN=Pixelserv CA"

 

[Rhialto]

Now, of course, there isn't. How do I get the certificate? Via WinSCP?

Look at the very first post, there is a section called Diversion post-update notes. Look at the second line if it can help.

 

[iManuB]

Look at the very first post, there is a section called Diversion post-update notes. Look at the second line if it can help.

Yes, following that guide (which always worked), I encountered this problem.

 

[visortgw]

Yes, following that guide (which always worked), I encountered this problem.

pixelserv has been deprecated from Diversion 5.0.

 

[iManuB]

Okay! You just need to remove the devices certificate. A thousand thanks! I thought that, after the update, it needed to be recreated.
Forgive me!

 

[brodas]

Reset your blocking files. then try one of the pre-selected blocking lists to see if that works. If it works, make sure that your lists are compatible with the new Diversion. Everything should work the same in the latest version, there is no reason to downgrade.

Yes do it like this and now seems working fine. Thanks.

 

[andresmorago]

Hello.
First of all thanks @thelonelycoder for such a great update. I believe this change in diversion helps both router capacity and browsing experience.

I’m having some issues with the whitelist. Especifically with this website tvx.adgrx.com. I’m unsure if other sites are being affected by this.

No matter if it’s included in the whitelist, diversion will block it in all devices. I have proceeded lists multiple times as well as rebooting router with no luck. I will appreciate your feedback on what could I be doing wrong.