Diversion and AAAA records/queries


dobri

Occasional Visitor
Diversion works for me and I recommend it to other people.

Lately I saw a few ads sneaking in and tried to debug what happens. I don't have IPv6 enabled on the router or the ISP, but I suspect this is related to AAAA queries over IPv4.
Disclaimer: I know I don't know enough about the difference between nslookup, dig and resolvectl query, which may be confusing some of my observations.

The server I am trying to block is ads.bridgebase.com

1. An A query returns the pixelsrv-tls IP as expected
2. An AAAA query returns the authoritative answer which contains a couple of CNAME records and a valid IPv4 address
3. Sometimes the real address, the one that is within the AAAA query is used and I am trying to prevent this.

Clearly, the blocking of the A query works as designed. The only way the real IP address sneaks in is because of the AAAA queries. They are supposed to be for IPv6, which I am not using, but clearly something is not right. I searched and it looks like stopping the AAAA queries is a lost cause.

I found Diversion blocks the AAAA queries automatically and successfully when IPv6 is enabled on the router. I tried that, it works, no issues. It also seems to solve my issue. There is no harm that I can see since my ISP does not support IPv6 yet, but I plan to change ISPs and the new one supports IPv6. That is why I don't want to enable IPv6 on the router.

Is there a way to make Diversion to block the AAAA queries even when IPv6 is not enabled on the router? I understand it is an optimization, keeps the blocklist/memory usage smaller, works faster, etc, but can we have it as an option, please?

Thank you!
 
you could try

echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo "1" > /proc/sys/net/ipv6/conf/default/disable_ipv6

I don't know if there is anything else you would want to do, but try this out. Maybe some other users can throw some other ideas out there....
 
@dobri I don't believe this is anything to do with IPv6 as such. I think the "CNAME issue" has been discussed in these forums before at some length. I can't remember if a solution was found that could be applied to Diversion. Probably best to search for those old posts. Perhaps @thelonelycoder can give you some updated information.
 
Which block list setting do you use?
 
@dobri I don't believe this is anything to do with IPv6 as such. I think the "CNAME issue" has been discussed in these forums before at some length. I can't remember if a solution was found that could be applied to Diversion. Probably best to search for those old posts. Perhaps @thelonelycoder can give you some updated information.

Well, disabling IPv6 doesn't help in any way, I tried that before posting, both on Windows and Linux. Plus it is well documented in many places.
My router and ISP don't have IPv6, so clearly the AAAA record is retrieved over IPv4. I can clearly see Diversion block the A query, but the AAAA query goes through. It is the AAAA record that tells the resolver about the CNAME. So blocking the AAAA query helps. I tried inserting AAAA record into dnsmasq and it works.

The question I have is how to persuade Diversion to put those AAAA records when IPv6 is disabled on the router. When I enable IPv6 on the router Diversion does exactly what I need. Can I have both the AAAA records and IPv6 disabled on the router, without adding those AAAA records to dnsmasq on my own (it isn't that difficult, but I would consider it a hack.)
 
The question I have is how to persuade Diversion to put those AAAA records when IPv6 is disabled on the router. When I enable IPv6 on the router Diversion does exactly what I need. Can I have both the AAAA records and IPv6 disabled on the router, without adding those AAAA records to dnsmasq on my own (it isn't that difficult, but I would consider it a hack.)
If you're adventurous with shell scripting, you can hack your own version of /opt/share/diversion/file/update-bl.div to find all the occurrences of ipv6_service and modify "disabled" to be anything else (e.g. "disXabled"). It's a terrible hack, and you'd be on your own for support, but if it works it was well worth it. :cool:
Bash:
# grep ipv6_service /opt/share/diversion/file/update-bl.div
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
[ "$(nvram get ipv6_service)" != "disabled" ] && ipv6on=", adding \"::\" as IPv6 blocking IP"
if [ "$(nvram get ipv6_service)" != "disabled" ]; then
if [ "$(nvram get ipv6_service)" != "disabled" ] && ! grep -wq "^::" "${DIVERSION_DIR}/list/blacklist"; then
[ "$(nvram get ipv6_service)" != "disabled" ] && BD="$((BD/2))"
If you break things beyond repair, you would need to either reinstall Diversion or do a force update. Make a backup copy of the file first.
 
Diversion will “repair” the blacklist and blockingfile to non-IPv6 next time Dnsmasq is restarted.
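The gap dobri describes (A query sunk, AAAA query forwarded upstream) and the "::" IPv6 blocking entry visible in dave14305's grep output can be checked directly in a dnsmasq block file. The script below is an added example, not code from the thread or from Diversion: it lists every domain that has an IPv4 sink entry but no "::" entry, which are exactly the domains whose AAAA queries dnsmasq will still send upstream. It assumes dnsmasq's address=/domain/ip syntax and a constructed sample file; Diversion's own list layout is not shown in the thread.

```shell
#!/bin/sh
# Constructed sample in dnsmasq "address=" form (not Diversion's own file).
# ads.bridgebase.com and banner.example are sunk for A only, so an AAAA query
# for them still goes upstream; tracker.example also carries the "::" sink.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
address=/ads.bridgebase.com/192.168.1.2
address=/tracker.example/192.168.1.2
address=/tracker.example/::
address=/banner.example/192.168.1.2
EOF

# Print one "address=/<domain>/::" line for every domain that has an IPv4
# sink entry but no "::" entry in the dnsmasq config given as $1.
# Appending these lines to the config closes the AAAA path for those domains.
missing_aaaa_sinks() {
    awk -F/ '
        /^address=\// { if ($3 == "::") v6[$2] = 1; else v4[$2] = 1 }
        END { for (d in v4) if (!(d in v6)) print "address=/" d "/::" }
    ' "$1" | sort
}

# Number of sunk domains still answerable over AAAA (0 means fully covered).
missing_aaaa_count() {
    missing_aaaa_sinks "$1" | wc -l | tr -d ' '
}

missing_aaaa_sinks "$SAMPLE"
```

Point it at the real dnsmasq include file on the router to see which blocked hosts still get a forwarded AAAA answer.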
 
@dave14305 Thank you for the solution. It is a bit more involved, but not by much:

sed -e 's/ipv6_service/HACK/' ......

and I had to do it on not 1 but 3 files:

functions.div
post-conf.div
update-bl.div

Followed by "diversion restart" and we are all good. Well, for now. I may have to automate it a bit more to apply after diversion updates...

@thelonelycoder Thank you for the amazing application. As I said I like it and I advertise it.
Any chance for adding a tiny option somewhere so I don't have to hack your code, e.g. :

[ "$forceBlockAAAA" != "" -a "$(nvram get ipv6_service)" != "disabled" ]

Thank you!
 
Is this something that can be done in dnsmasq instead?
 
Is this something that can be done in dnsmasq instead?
IIRC this was discussed at the time but I don't think such a thing was ever implemented in dnsmasq (although there were some private patches for it). But even if this were an option it still wouldn't solve this issue. The problem is not that dnsmasq returns AAAA records but that the CNAME returns an A record.
 
For anyone interested in this topic, I put together a little script to automate the patching of Diversion's files.
Use at your own risk.

Bash:
#!/bin/sh
#
# A dirty hack of Diversion scripts forcing block of AAAA DNS entries even when IPv6 is disabled
# slows it down and increases memory usage, but blocks certain sites (ads) that otherwise sneak through
#
# Script outputs list of affected files and creates a backup of the original files with a timestamp
#
# Run the script within /opt/share/diversion/file and restart diversion yourself at the end
#

FROM=ipv6_service
TO=____HACK____
EXT=$(date +%Y%m%d%H%M)

# Move the original aside as a timestamped backup, then write the patched copy under the original name.
# The "g" flag replaces every occurrence on a line, not just the first.
massage() {
    src=$1
    backup=$src.$EXT
    mv "$src" "$backup"
    sed -e "s/$FROM/$TO/g" "$backup" > "$src"
}

# Only files that still contain the nvram key are touched, so re-running after a patch is harmless.
for f in $(grep -l "$FROM" *.div); do
    echo "$f"
    massage "$f"
done
 
@dobri, you may want to edit the post above and insert the contents of 'hack.txt' to a 'code' box instead. I don't know about others, but I won't even open a .txt file from the 'net (not even to see log entries). Thank you.
 
@dobri, you may want to edit the post above and insert the contents of 'hack.txt' to a 'code' box instead. I don't know about others, but I won't even open a .txt file from the 'net (not even to see log entries). Thank you.

Done. Didn't know about the code blocks...
 
This (imperfect*) hack will be obsolete with the next Diversion update. The option to force IPv6 entries is now built into the development code.
Thanks for the inspiration.

*) There are some != and = $(nvram get ipv6_service) tests. You may experience errors in logic with your hack.
 