What's new

Diversion Diversion and AAAA records/queries

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

dobri

Occasional Visitor
Diversion works for me and I recommend it to other people.

Lately I saw a few ads sneaking in and tried to debug what happens. I don't have IPv6 enabled on the router or the ISP, but I suspect this is related to AAAA queries over IPv4.
Disclaimer: I know I don't know enough about the difference between nslookup, dig and resolvectl query, which may be confusing some of my observations.

The server I am trying to block is ads.bridgebase.com

1. An A query returns the pixelsrv-tls IP as expected
2. An AAAA query returns the authoritative answer which contains a couple of CNAME records and a valid IPv4 address
3. Sometimes the real address, the one that is within the AAAA query is used and I am trying to prevent this.

Clearly, the blocking of the A query works as designed. The only way the real IP address sneaks in is because of the AAAA queries. They are supposed to be for IPv6, which I am not using, but clearly something is not right. I searched and it looks like stopping the AAAA queries is lost cause.

I found Diversion blocks the AAAA queries automatically and sucessfully when IPv6 is enabled on the router. I tried that, it works, no issues. It also seems to solve my issue. There is no harm that I can see since my ISP does not support IPv6 yet, but I plan to change ISPs and the new one supports IPv6. That is why I don't want to enable IPv6 on the router.

Is there a way to make Diversion to block the AAAA queries even when IPv6 is not enabled on the router? I understand it is an optimization, keeps the blocklist/memory usage smaller, works faster, etc, but can we have it as an option, please?

Thank you!
 
Diversion works for me and I recommend it to other people.

Lately I saw a few ads sneaking in and tried to debug what happens. I don't have IPv6 enabled on the router or the ISP, but I suspect this is related to AAAA queries over IPv4.
Disclaimer: I know I don't know enough about the difference between nslookup, dig and resolvectl query, which may be confusing some of my observations.

The server I am trying to block is ads.bridgebase.com

1. An A query returns the pixelsrv-tls IP as expected
2. An AAAA query returns the authoritative answer which contains a couple of CNAME records and a valid IPv4 address
3. Sometimes the real address, the one that is within the AAAA query is used and I am trying to prevent this.

Clearly, the blocking of the A query works as designed. The only way the real IP address sneaks in is because of the AAAA queries. They are supposed to be for IPv6, which I am not using, but clearly something is not right. I searched and it looks like stopping the AAAA queries is lost cause.

I found Diversion blocks the AAAA queries automatically and sucessfully when IPv6 is enabled on the router. I tried that, it works, no issues. It also seems to solve my issue. There is no harm that I can see since my ISP does not support IPv6 yet, but I plan to change ISPs and the new one supports IPv6. That is why I don't want to enable IPv6 on the router.

Is there a way to make Diversion to block the AAAA queries even when IPv6 is not enabled on the router? I understand it is an optimization, keeps the blocklist/memory usage smaller, works faster, etc, but can we have it as an option, please?

Thank you!
you could try

echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "1" > /proc/sys/net/ipv6/conf/default/disable_ipv6

I don't know if there is anything else you would want to do, but try this out. Maybe some other users can throw some other ideas out there....
 
Last edited:
you could try

echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "1" > /proc/sys/net/ipv6/conf/default/disable_ipv6

I don't know if there is anything else you would want to do, but try this out. Maybe some other users can throw some other ideas out there....
@dobri I don't believe this is anything to do with IPv6 as such. I think the "CNAME issue" has been discussed in theses forums before at some length. I can't remember if a solution was found that could be applied to Diversion. Probably best to search for those old posts. Perhaps @thelonelycoder can give you some updated information.
 
Diversion works for me and I recommend it to other people.

Lately I saw a few ads sneaking in and tried to debug what happens. I don't have IPv6 enabled on the router or the ISP, but I suspect this is related to AAAA queries over IPv4.
Disclaimer: I know I don't know enough about the difference between nslookup, dig and resolvectl query, which may be confusing some of my observations.

The server I am trying to block is ads.bridgebase.com

1. An A query returns the pixelsrv-tls IP as expected
2. An AAAA query returns the authoritative answer which contains a couple of CNAME records and a valid IPv4 address
3. Sometimes the real address, the one that is within the AAAA query is used and I am trying to prevent this.

Clearly, the blocking of the A query works as designed. The only way the real IP address sneaks in is because of the AAAA queries. They are supposed to be for IPv6, which I am not using, but clearly something is not right. I searched and it looks like stopping the AAAA queries is lost cause.

I found Diversion blocks the AAAA queries automatically and sucessfully when IPv6 is enabled on the router. I tried that, it works, no issues. It also seems to solve my issue. There is no harm that I can see since my ISP does not support IPv6 yet, but I plan to change ISPs and the new one supports IPv6. That is why I don't want to enable IPv6 on the router.

Is there a way to make Diversion to block the AAAA queries even when IPv6 is not enabled on the router? I understand it is an optimization, keeps the blocklist/memory usage smaller, works faster, etc, but can we have it as an option, please?

Thank you!
Which block list setting do you use?
 
@dobri I don't believe this is anything to do with IPv6 as such. I think the "CNAME issue" has been discussed in theses forums before at some length. I can't remember if a solution was found that could be applied to Diversion. Probably best to search for those old posts. Perhaps @thelonelycoder can give you some updated information.

Well, disabling IPv6 doesn't help in any way, i tried that before posting, both on Windows and Linux. Plus it is well documented in many places.
My router and ISP don't have IPv6, so clearly the AAAA record is retrieved over IPv4. I can clearly see Diversion block the A query, but the AAAA query goes through. It is the AAAA record that tells the resolver about the CNAME. So blocking the AAAA query helps. I tried inserting AAAA record into dnsmasq and it works.

The question I have is how to persuade Diversion to put those AAAA records when IPv6 is disabled on the router. When I enable IPv6 on the router Diversion does exactly what I need. Can I have both the AAAA records and IPv6 disabled on the router, without adding those AAAA records to dnsmasq on my own (it isn't that difficult, but I would consider it a hack.)
 
The question I have is how to persuade Diversion to put those AAAA records when IPv6 is disabled on the router. When I enable IPv6 on the router Diversion does exactly what I need. Can I have both the AAAA records and IPv6 disabled on the router, without adding those AAAA records to dnsmasq on my own (it isn't that difficult, but I would consider it a hack.)
If you're adventurous with shell scripting, you can hack your own version of /opt/share/diversion/file/update-bl.div to find all the occurrences of ipv6_service and modify "disabled" to be anything else (e.g. "disXabled"). It's a terrible hack, and you'd be on your own for support, but if it works it was well worth it. :cool:
Bash:
# grep ipv6_service /opt/share/diversion/file/update-bl.div
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
[ "$(nvram get ipv6_service)" != "disabled" ] && ipv6on=", adding \"::\" as IPv6 blocking IP"
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
if [ "$(nvram get ipv6_service)" != "disabled" ] && ! grep -wq "^::" "${DIVERSION_DIR}/list/blacklist"; then
[ "$(nvram get ipv6_service)" != "disabled" ] && BD="$((BD/2))"
If you break things beyond repair, you would need to either reinstall Diversion or do a force update. Make a backup copy of the file first.
 
If you're adventurous with shell scripting, you can hack your own version of /opt/share/diversion/file/update-bl.div to find all the occurrences of ipv6_service and modify "disabled" to be anything else (e.g. "disXabled"). It's a terrible hack, and you'd be on your own for support, but if it works it was well worth it. :cool:
Bash:
# grep ipv6_service /opt/share/diversion/file/update-bl.div
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
[ "$(nvram get ipv6_service)" != "disabled" ] && ipv6on=", adding \"::\" as IPv6 blocking IP"
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
if [ "$(nvram get ipv6_service)" != "disabled" ] && ! grep -wq "^::" "${DIVERSION_DIR}/list/blacklist"; then
[ "$(nvram get ipv6_service)" != "disabled" ] && BD="$((BD/2))"
If you break things beyond repair, you would need to either reinstall Diversion or do a force update. Make a backup copy of the file first.
Diversion will “repair” the blacklist and blockingfile to non-IPv6 next time Dnsmasq is restarted.
 
@dave14305 Thank you for the solution. It is a bit more involved, but not by much:

sed -e 's/ipv6_service/HACK/' ......

and I had to do it on not 1 but 3 files:

functions.div
post-conf.div
update-bl.div

Followed by "diversion restart" and we are all good. Well, for now. I may have to automate it a bit more to apply after diversion updates...

@thelonelycoder Thank you for the amazing application. As I said I like it and I advertise it.
Any chance for adding a tiny option somewhere so I don't have to hack your code, e.g. :

[ "$forceBlockAAAA" != "" -a "$(nvram get ipv6_service)" != "disabled" ]

Thank you!
 
Is this something that can be done in dnsmasq instead?
 
Is this something that can be done in dnsmasq instead?
IIRC this was discussed at the time but I don't think such a thing was ever implemented in dnsmasq (although there were some private patches for it). But even if this were an option it still wouldn't solve this issue. The problem is not that dnsmasq returns AAAA records but that the CNAME returns an A record.
 
For anyone interested in this topic, I put together a little script to automate the patching of Diversions files.
Use at your own risk.

Bash:
#!/bin/sh
#
# A dirty hack of Diversion scrips forcing block of AAAA DNS entries even when IPv6 is disabled
# slows it down and increases memory usage, but block certain sites (ads) that otherwise sneak through
#
# Script outputs list of affected files and creates a backup of the original files with a timestamp
#
# Run the script within /opt/share/diversion/file and restart diversion yourself at the end
#

FROM=ipv6_service
  TO=____HACK____
EXT=$(date +%Y%m%d%H%M)

massage() {
    src=$1   
    backup=$src.$EXT
    mv $src $backup
    sed -e "s/$FROM/$TO/" $backup > $src
}

for f in `grep -l $FROM *.div` ; do
    echo $f
    massage $f
done
 
Last edited:
@dobri, you may want to edit the post above and insert the contents of 'hack.txt' to a 'code' box instead. I don't know about others, but I won't even open a .txt file from the 'net (not even to see log entries). Thank you.
 
@dobri, you may want to edit the post above and insert the contents of 'hack.txt' to a 'code' box instead. I don't know about others, but I won't even open a .txt file from the 'net (not even to see log entries). Thank you.

Done. Didn't know about the code blocks...
 
For anyone interested in this topic, I put together a little script to automate the patching of Diversions files.
Use at your own risk.

Bash:
#!/bin/sh
#
# A dirty hack of Diversion scrips forcing block of AAAA DNS entries even when IPv6 is disabled
# slows it down and increases memory usage, but block certain sites (ads) that otherwise sneak through
#
# Script outputs list of affected files and creates a backup of the original files with a timestamp
#
# Run the script within /opt/share/diversion/file and restart diversion yourself at the end
#

FROM=ipv6_service
  TO=____HACK____
EXT=$(date +%Y%m%d%H%M)

massage() {
    src=$1  
    backup=$src.$EXT
    mv $src $backup
    sed -e "s/$FROM/$TO/" $backup > $src
}

for f in `grep -l $FROM *.div` ; do
    echo $f
    massage $f
done
This (imperfect*) hack will be obsolete with the next Diversion update. The option to force IPv6 entries is now built into the development code.
Thanks for the inspiration.

*) There are some != and = $(nvram get ipv6_service) tests. You may experience errors in logic with your hack.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top