Diversion not filtering Wifi

Mogsy

Hello,

Very new here. Just installed Diversion Lite. I can see it is working via Ethernet, but it is not blocking anything over Wi-Fi. What am I doing wrong? My main upstream DNS is Quad9, with "forward DNS to upstream DNS" set to no.
 
Hi, do your Wi-Fi devices have their own DNS? In order to use Diversion, the Wi-Fi devices' DNS should be set to your router IP.
Another way is to use DNSFilter. In the GUI, under LAN -> DNSFilter, set Enable DNS-based Filtering to "ON" and Global Filter Mode to "Router". This will force all devices to use your router as DNS.
 
Thank you. Did that. It is working on my laptop, but not on my iPhone. I added lightswitch's hosts list, and he has a test page for it: https://block-test.developerdan.com/

I already disabled iCloud Relay on my iPhone too.
 
try switching from diversion lite to diversion standard.
I can't think why that would make a difference to WiFi clients. AFAIK all it would do would be to add a whole new layer of complexity (pixelserv proxy) and potential instability (dcd crashes).

Sounds more like a client (iPhone) issue, e.g. DoH.

@Mogsy After the change you made in post #3 is this affecting any devices other than the iPhone(s)?
 
Oh I agree, just one more layer to test. Most likely is a DoH service in the background of the device.
 
@Mogsy Try adding doh.dns.apple.com to your blocklist.
 
Hi guys. Sorry for the late reply! Haven't got a chance to properly look into this again. Had a quick look at Divstats only; I'm scared to configure dnsmasq, tbh. Will look again when I'm home, only remembering that the block page was working on everything else but iOS devices. In Divstats, what's type=65?
Will report back when I can

thank you!
 
If you add doh.dns.apple.com to your Diversion block list, it should hopefully prevent your iOS devices from automatically redirecting to DoH. You should try it as soon as you are able and see if it resolves the problem of seeing ads on iOS.
 
I suspect he will still see ads due to DNS query type 65.

I still have this iptables rule to blanket block everything from this query type.

Another option is to go for AdGuardHome. AGH can filter ads from this query type by default.
 
Adding

Code:
# dnsmasq answers type 65 (HTTPS) queries for this name itself with an empty record,
# so the query is not forwarded upstream
dns-rr=example.com,65,

to dnsmasq.conf.add appears to work.

If wildcard is supported, I imagine it could be simplified to

Code:
dns-rr=*,65,
 
Nvm, we explored this once upon a time. It must have been a day when I had already had my coffee. ;)
 
Sorry!
Yes, adding doh.dns.apple doesn't work. I switched from Quad9 to NextDNS just to see the logs. Everything else is filtering except iOS devices. How do I add that to dnsmasq.conf.add, please?
 
No problem here: Diversion, iOS, Quad9.

On your Apple device, check Settings > General > VPN and make sure there's not a DNS profile installed there.
If there is, that will override Diversion.
 
You need these iptables rules:

Code:
# Reject UDP/53 queries to the router whose question ends in QTYPE 65 (HTTPS), class IN.
# Hex pattern: 00 = end of QNAME, 0041 = type 65, 0001 = class IN
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
# Same for LAN clients that send plain UDP/53 queries to external resolvers through the router
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

Otherwise you need to know the specific domains for which you are trying to block the type 65 DNS queries.

Or use AdGuardHome.

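As an added example (not code from the thread, from Diversion or from Asuswrt-Merlin), the following Python builds DNS queries for a constructed hostname and shows what the `--hex-string "|0000410001|"` match in the rules above keys on, and how it relates to the `type=65` entries seen in Divstats: the byte pattern is the 0x00 that terminates the QNAME, followed by QTYPE 65 (HTTPS) and QCLASS IN. The hostname, transaction ID and query samples are made up for the example.

```python
"""Added example, not code from the thread or from Diversion: decode DNS
queries and show what the iptables `--hex-string "|0000410001|"` match
keys on.  The hostname and transaction ID below are constructed."""
import struct

# QTYPE numbers as they appear in Divstats "type=" output
A_QTYPE, AAAA_QTYPE, HTTPS_QTYPE = 1, 28, 65

# Pattern from the thread's iptables rules: the 0x00 that terminates the
# QNAME, then QTYPE 0x0041 (65 = HTTPS) and QCLASS 0x0001 (IN).
TYPE65_PATTERN = bytes.fromhex("0000410001")


def encode_qname(name: str) -> bytes:
    """Hostname -> DNS wire format: length-prefixed labels, 0x00 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Single-question DNS query, RD=1, no EDNS (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes) -> tuple:
    """Decode the first question of a DNS message: (name, qtype, qclass)."""
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def iptables_string_match(pkt: bytes) -> bool:
    """What `-m string --algo bm --hex-string '|0000410001|'` does: a plain
    substring search over the UDP payload, with no DNS parsing at all."""
    return TYPE65_PATTERN in pkt


def match_agrees_with_decode(pkt: bytes) -> bool:
    """True when the byte-pattern verdict equals 'QTYPE is HTTPS, class IN'."""
    _, qtype, qclass = parse_question(pkt)
    return iptables_string_match(pkt) == (qtype == HTTPS_QTYPE and qclass == 1)


if __name__ == "__main__":
    for qtype in (A_QTYPE, AAAA_QTYPE, HTTPS_QTYPE):
        q = build_query("ads.example.com", qtype)  # constructed sample query
        print(f"QTYPE {qtype:>2}: question tail={q[-5:].hex()} "
              f"rejected={iptables_string_match(q)} "
              f"consistent={match_agrees_with_decode(q)}")
```

Because `-m string` is only a substring search over the payload, the rule relies on the query being a well-formed single-question packet; for such packets the pattern cannot occur anywhere else, since a label length of 0x41 (65) is illegal in a hostname. Both rules see plain UDP/53 only: a client that has already moved to DoH or DoT never hits them, which is why the DoH discussion earlier in the thread matters independently of this. The match also needs the xt_string kernel module in the firmware; `iptables: No chain/target/match by that name` is what iptables prints when a match extension or target is not available in that kernel.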
 
Thank you. Will try this in a bit. I would like to try AdGuard Home. I installed it on my friend's AX86U. I only have an AX86S, and the RAM is above 90%.
 
No profile installed. Limit IP Address Tracking is off too.
 
iptables: No chain/target/match by that name. :(
 