
Diversion alternate upstream name server


latenights

I've been using Diversion for a long time and love it. Recently I've found a need to block child access to games during home learning time.

I think the outcome I'm after is:
- all clients (children and adults) to benefit from Diversion block lists
- the dnsmasq instance serving the adult clients to point to the router's normal upstream DNS provider as usual
- the dnsmasq instance serving the children clients to point to an upstream DNS provider that allows me to do additional filtering, like cleanbrowsing or opendns. I think that would be a better solution to blocking game sites than trying to maintain my own block lists, especially with all the games in the .io domain that pop up on all sorts of websites outside the .io domain.

I explored Diversion's alternate blocking list feature and it looks like almost what I need, just I can't change the upstream DNS provider for the second dnsmasq instance.

I'd really appreciate the collective wisdom. Is there a way to do this or is there a different/better way to achieve the outcome? Thanks.
 
Welcome to the forum!
LAN > Dns Filter perhaps?
 
The second dnsmasq instance that the alternate blocking list feature starts is customisable via /jffs/scripts/dnsmasq.postconf.
Rather than editing the conf file directly, I recommend using a postconf so your changes aren't lost if Diversion reverts your config.
Code:
#!/bin/sh
source /usr/sbin/helper.sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion

#only attempt secondary dnsmasq reconfiguration if Entware is available
if [ -f "/opt/bin/opkg" ]; then
    echo $(ps | grep alternate-bf.conf | grep -v grep | cut -f1 -d" ") | while read line ; do kill $line ; done
    pc_replace "servers-file=/tmp/resolv.dnsmasq" "servers-file=/jffs/resolv.custom" /opt/share/diversion/.conf/alternate-bf.conf
    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
fi
where /jffs/resolv.custom contains the upstream servers:
Code:
server=8.8.8.8
 
Thank you Jack, your answer was exactly what I needed and now it's working how I'd hoped! Really appreciate you taking the time.
 
Watching the logs for both dnsmasq instances side by side, sometimes a dns query from an iPhone on the network will show up in the 'wrong' dnsmasq log, or even in both logs. But the dns config on the phone shows the primary address of the router as the only dns server, it doesn't show the address of the second instance of dnsmasq.

What might be going on there?
 
Another couple of observations:

In the log for the primary instance of dnsmasq every line contains the process id of the task 'dnsmasq --log-async'. That instance of dnsmasq is pointing to stubby as its upstream provider.

However in the log for the secondary instance of dnsmasq each lookup has a different process id.

And there are two tasks using the secondary config file?

Code:
# ps | grep dnsmasq
21828 nobody   10980 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
21871 nobody   10980 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
21885 nobody   12380 S    dnsmasq --log-async
21886 localadm  3300 S    dnsmasq --log-async
21953 localadm  1444 S N  tail -F /opt/var/log/dnsmasq.log /opt/var/log/dnsmasq.log3
21954 localadm  1468 S N  {dnsmasqtotal.aw} /usr/bin/awk -f /jffs/addons/uiDivStats.d/taildns.d/dnsmasqtotal.awk
22749 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log3
22878 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log
24189 localadm  4660 S    grep dnsmasq
 
Fixed the problem with two tasks using the secondary config file, had things in the wrong order in dnsmasq.postconf. It now reads:

Code:
/jffs/scripts# more dnsmasq.postconf
#!/bin/sh

# Diversion runs a secondary instance of dnsmasq if you have it configured the right way
# Point secondary instance of dnsmasq to a different upstream DNS server
#only attempt secondary dnsmasq reconfiguration if Entware is available
if [ -f "/opt/bin/opkg" ]; then
    echo $(ps | grep alternate-bf.conf | grep -v grep | cut -f1 -d" ") | while read line ; do kill $line ; done
    pc_replace "servers-file=/tmp/resolv.dnsmasq" "servers-file=/jffs/configs/resolv.custom" /opt/share/diversion/.conf/alternate-bf.conf
#    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
fi

. /opt/share/diversion/file/post-conf.div # Added by Diversion
/jffs/scripts/uiDivStats dnsmasq & # uiDivStats

But I still see dns queries in log3 that seem out of place, like they're coming from another dnsmasq process. Maybe somehow Diversion is inadvertently directing some logging to log3 instead of the main log - because every time there's an out of place entry, it has a process id that doesn't match the process id of the secondary instance of dnsmasq.
 
That's because uiDivStats is installed and tails the logfiles. There are two with the alternate blocking list enabled. dnsmasq.log is the regular file while dnsmasq.log3 is the alternate blocking list logging file.

And there are two tasks using the secondary config file?
I hate hacks, let me see if I can do that proper in Diversion.
 
I've not seen this, and the order I provided is what I use. I do use dnsfilter as well to point clients to the relevant dnsmasq instance, perhaps that's needed here too. Though if the client only has a single IP to talk to, it shouldn't end up in a different instance. Unless an app is hardcoded to use the gateway IP for DNS or something daft.
 
That's because uiDivStats is installed and tails the logfiles. There are two with the alternate blocking list enabled. dnsmasq.log is the regular file while dnsmasq.log3 is the alternate blocking list logging file.


I hate hacks, let me see if I can do that proper in Diversion.
I have a bunch of settings I add in to the second instance, if there's going to be a native way to have Diversion add them then that would work for me! If it's a bit edge casey then I'm happy to stick with my postconf approach.
 
Thanks. I had to modify part of your code to deal with a 4-digit process ID that began with a space character:
Code:
bf.conf | grep -v grep | awk '{$1=$1};1' | cut -d" " -f1

If I run /jffs/scripts/dnsmasq.postconf it now finds and kills the secondary process but it gives some other errors:

Code:
# ./dnsmasq.postconf
dnsmasq has restarted, restarting taildns

sed: -i requires an argument
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
./dnsmasq.postconf: /opt/share/diversion/file/post-conf.div: line 82: can't create : nonexistent directory
sed: -i requires an argument
rm: can't remove '/tmp/diversion-dnsmasq': No such file or directory
 
Not sure why this is necessary, it works for me. Note that the main dnsmasq process also runs twice.
 
Thanks. It was only when the PID had just 4 chars, not 5. It was hard to spot.

Code:
ps | grep dnsmasq
 1581 nobody   11128 S    dnsmasq --log-async
 1582 localadm  3300 S    dnsmasq --log-async
 3397 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log
 4062 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log3
15572 nobody   10920 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
15652 localadm  1444 S N  tail -F /opt/var/log/dnsmasq.log /opt/var/log/dnsmasq.log3
15653 localadm  1472 S N  {dnsmasqtotal.aw} /usr/bin/awk -f /jffs/addons/uiDivStats.d/taildns.d/dnsmasqtotal.awk
22136 localadm  4660 S    grep dnsmasq

Without trimming leading space:
Code:
ps | grep dnsmasq | grep -v grep | cut -d" " -f1




15572
15652
15653
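
The padding problem shown above, reproduced on constructed `ps` output and compared with a whitespace-tolerant extraction. This is an added example, not code from any poster in this thread or from Diversion; the sample process list (including PID 9731) and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: constructed BusyBox-style `ps` output. PIDs below 10000 are
# right-aligned, so those lines start with a space.
ALT_CONF="/opt/share/diversion/.conf/alternate-bf.conf"

sample_ps() {
cat <<'EOF'
 1581 nobody   11128 S    dnsmasq --log-async
 1582 localadm  3300 S    dnsmasq --log-async
 4062 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log3
 9731 nobody   10920 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
15572 nobody   10920 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
15652 localadm  1444 S N  tail -F /opt/var/log/dnsmasq.log /opt/var/log/dnsmasq.log3
22136 localadm  4660 S    grep alternate-bf.conf
EOF
}

# Approach from the thread: cut splits on every single space, so field 1 is
# empty for any line that starts with padding.
naive_pids() {
    grep alternate-bf.conf | grep -v grep | cut -f1 -d" "
}

# awk splits on runs of whitespace, so $1 is the PID regardless of padding.
# Matching the full "dnsmasq -C <conf>" command line also excludes the grep
# and tail processes without a separate `grep -v grep`.
alt_dnsmasq_pids() {
    awk -v cmd="dnsmasq -C $1" 'index($0, cmd) && $1 ~ /^[0-9]+$/ { print $1 }'
}

# Kill only what was matched; intended to be fed live `ps` output on the router.
# Defined here but not called by the demonstration below.
kill_alt_dnsmasq() {
    ps | alt_dnsmasq_pids "$ALT_CONF" | while read -r pid; do
        kill "$pid"
    done
}

# Demonstration on the constructed sample (no processes are touched).
echo "naive: $(sample_ps | naive_pids | tr '\n' ',')"
echo "awk:   $(sample_ps | alt_dnsmasq_pids "$ALT_CONF" | tr '\n' ',')"
```

The naive pipeline emits an empty line for the 4-digit PID, so `kill` receives no argument for that process and the old instance stays alive while a new one is started.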
 
I've not seen this, and the order I provided is what I use. I do use dnsfilter as well to point clients to the relevant dnsmasq instance, perhaps that's needed here too. Though if the client only has a single IP to talk to, it shouldn't end up in a different instance. Unless an app is hardcoded to use the gateway IP for DNS or something daft.
Thanks. I had changed the order thinking that was part of the problem for me. Changing it back, and with the modified code to kill the secondary process, it seems to work ok now - if I do a service restart_dnsmasq both the primary and secondary instances restart and the secondary one points to the alternate name server correctly. I still see two instances of each though:
Code:
ps | grep dnsmasq
  980 localadm  4660 S    grep dnsmasq
 3397 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log
 4062 localadm  1444 S    tail -F /opt/var/log/dnsmasq.log3
27137 nobody   10920 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
27172 nobody   10920 S    dnsmasq -C /opt/share/diversion/.conf/alternate-bf.conf
27254 nobody   11128 S    dnsmasq --log-async
27255 localadm  3300 S    dnsmasq --log-async
27517 localadm  1444 S N  tail -F /opt/var/log/dnsmasq.log /opt/var/log/dnsmasq.log3
27518 localadm  1472 S N  {dnsmasqtotal.aw} /usr/bin/awk -f /jffs/addons/uiDivStats.d/taildns.d/dnsmasqtotal.awk
 
I must not have seen this as my alternate dnsmasq has never had a 4 digit PID!
 
I think 2 instances of each is normal. At least I recall seeing 2 processes for dnsmasq without Diversion installed!
 
That would be nothing short of awesome. Whatever I do I can't seem to get it to reliably pick up and kill the alternate name server when /jffs/scripts/dnsmasq.postconf runs.
I’m on it now, expect an unscheduled Diversion update soon.
 
