What's new

Diversion Diversion seemingly not blocking ads

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

m1nkeh

Occasional Visitor
Hey,

A while ago now i installed Diversion on to my AC86, but remain unconvinced that it's working correctly.. i eventually figured out that my custom specification of DNS servers under WAN --> Wan DNS Setting --> Connect to DNS server automatically was set to 'No' and therefore probably causing a problem, so switched this back to 'Yes'.

Are there other things i need to check though? Should i be specifying my router as DNS somewhere? Should i be forcing LAN --> DNSFilter --> ON (Router) ? Genuinely not sure..
The uiDivStats page shows that show *some* things are getting blocked.. but the numbers seem really really low, I.e. around 5% of DNS queries according to the graph, is this right? I was expecting a lot more...

The YouTube blocking is also exceptionally hit or miss, but i did find this thread (https://www.snbforums.com/threads/diversion-youtube-adblocker-is-not-not-blocking-ads.68606/) which seems to suggest that it's effectively useless currently..

Right now i am considering a full re-flash of the router as my version of the Merlin firmware is over a year old, and i'm worried there is a setting somewhere I'm missing / have forgotten about.

One additional thing to note.. is that i spend a lot of time with the router VPN on, so i guess the blocking could be getting affected by that too? Is Setting VPN --> Accept DNS Configuration --> Disabled the correct solution?

Cheers!
 
A while ago now i installed Diversion on to my AC86, but remain unconvinced that it's working correctly.. i eventually figured out that my custom specification of DNS servers under WAN --> Wan DNS Setting --> Connect to DNS server automatically was set to 'No' and therefore probably causing a problem, so switched this back to 'Yes'.
Doesn't matter.
Should i be forcing LAN --> DNSFilter --> ON (Router) ? Genuinely not sure..
Yes use this feature.
One additional thing to note.. is that i spend a lot of time with the router VPN on, so i guess the blocking could be getting affected by that too? Is Setting VPN --> Accept DNS Configuration --> Disabled the correct solution?
This is correct.

The more important thing is that the device wanting ad free internet, must use the router's ip as it's DNS.
 
You should update your router to at least 386.1_2
 
One additional thing to note.. is that i spend a lot of time with the router VPN on, so i guess the blocking could be getting affected by that too? Is Setting VPN --> Accept DNS Configuration --> Disabled the correct solution?

I don't use Diversion, at all. So keep that in mind. But it doesn't seem to me that setting necessarily has to be set to Disabled. In fact, it *could* lead to DNS leaks.

I assume Diversion is like most ad blockers; it adds DNS records for specific domain names that redirect them to 0.0.0.0 in DNSMasq, hence why you need to be using DNSMasq as your DNS server. But regardless of the setting of "Accept DNS configuration" in the OpenVPN client, your LAN clients are *still* going to use DNSMasq and benefit from Diversion. The only issue w/ that option is what public DNS servers are going to be configured in DNSMasq (Exclusive means *only* the DNS server(s) push'd by the OpenVPN server, Strict means the DNS server(s) push'd by the OpenVPN server will have priority over any other public DNS servers already configured in DNSMasq, etc.).

But by choosing Disabled, you're now relying on whatever public DNS servers are already configured in DNSMasq. And by default that will be those of your ISP, or whatever you configured on the WAN using custom DNS servers (e.g., 1.1.1.1 & 1.0.0.1). And if you enable Routing Policy on the OpenVPN client, that will *remove* the router itself (and its internal processes, like DNSMasq) from the VPN, and now your DNS queries are routed over the WAN. IOW, a DNS leak!

To be clear, the concern here is when using traditional DNS (udp/tcp, port 53, in the clear) and NOT some secured solution like DoT/DoH (e.g., NextDNS) on the router. In the latter case, it wouldn't matter if DNS was accessed over the WAN or VPN since it's encrypted anyway. In that case, YES, setting "Accept DNS configuration" to Disabled makes sense, but the rationale has NOTHING to do w/ the presence or absence of Diversion. It's only about managing the potential for DNS leaks.

That's why you have to be *uber* careful about how you configure DNS. It's very tricky. Sometimes seemingly innocent changes to the config can have a significant impact in how DNS is handled, w/ the biggest concern being inadvertent DNS leaks.
 
I do not have issue with division all is working very well

One additional suggestion I can give, and it is working for RMerlin and tomato, you should stop to use web browsers that use google dns like chrome. I started to use SRWare Iron (this one based on chromium too) same time ago and from this time 0 commercial/ads.

Additional in diversion you have option to manually add block lists and you can do it.
 
I don't use Diversion, at all. So keep that in mind. But it doesn't seem to me that setting necessarily has to be set to Disabled. In fact, it *could* lead to DNS leaks.

I assume Diversion is like most ad blockers; it adds DNS records for specific domain names that redirect them to 0.0.0.0 in DNSMasq, hence why you need to be using DNSMasq as your DNS server. But regardless of the setting of "Accept DNS configuration" in the OpenVPN client, your LAN clients are *still* going to use DNSMasq and benefit from Diversion. The only issue w/ that option is what public DNS servers are going to be configured in DNSMasq (Exclusive means *only* the DNS server(s) push'd by the OpenVPN server, Strict means the DNS server(s) push'd by the OpenVPN server will have priority over any other public DNS servers already configured in DNSMasq, etc.).

But by choosing Disabled, you're now relying on whatever public DNS servers are already configured in DNSMasq. And by default that will be those of your ISP, or whatever you configured on the WAN using custom DNS servers (e.g., 1.1.1.1 & 1.0.0.1). And if you enable Routing Policy on the OpenVPN client, that will *remove* the router itself (and its internal processes, like DNSMasq) from the VPN, and now your DNS queries are routed over the WAN. IOW, a DNS leak!

To be clear, the concern here is when using traditional DNS (udp/tcp, port 53, in the clear) and NOT some secured solution like DoT/DoH (e.g., NextDNS) on the router. In the latter case, it wouldn't matter if DNS was accessed over the WAN or VPN since it's encrypted anyway. In that case, YES, setting "Accept DNS configuration" to Disabled makes sense, but the rationale has NOTHING to do w/ the presence or absence of Diversion. It's only about managing the potential for DNS leaks.

That's why you have to be *uber* careful about how you configure DNS. It's very tricky. Sometimes seemingly innocent changes to the config can have a significant impact in how DNS is handled, w/ the biggest concern being inadvertent DNS leaks.
Fabulous reply, thanks for this, is it correct to interpret DoT and DoH as DNS over TLS/HTTPS respectively?

You're last sentence really makes me think though.. I have never been that confident with networking in general, and DNS is something that (luckily) I'm not overly concerned re: leaks from a security perspective - i don't live in a police state :cool: - but it bugs me how tricky it is, and thankfully it's not just me that thinks this!

As a perfectionist I want to get this right.. i will do more research, but is there a straight forward way to ensure DoT/DoH, i've not heard of NextDNS so will check that out - Probably one for another thread though! :)
 
Last edited:
I do not have issue with division all is working very well

One additional suggestion I can give, and it is working for RMerlin and tomato, you should stop to use web browsers that use google dns like chrome. I started to use SRWare Iron (this one based on chromium too) same time ago and from this time 0 commercial/ads.

Additional in diversion you have option to manually add block lists and you can do it.
Interesting point, does Google Chrome use those servers "under the covers" - didn't realise, i do use Google Chrome from time to time

I use Edge Chromium, and sometimes Safari mostly..
 
Fabulous reply, thanks for this, is it correct to interpret DoT and DoH as DNS over TLS/HTTPS respectively?

Yes.

You're last sentence really makes me think though.. I have never been that confident with networking in general, and DNS is something that (luckily) I'm not overly concerned re: leaks from a security perspective - i don't live in a police state :cool: - but it bugs me how tricky it is, and thankfully it's not just me that thinks this!

It's not just that. If your DNS queries cross the WAN in the clear, then your ISP can hijack those queries and redirect them to his own servers, and all that implies.

As a perfectionist I want to get this right.. i will do more research, but is there a straight forward way to ensure DoT/DoH, i've not heard of NextDNS so will check that out - Probably one for another thread though! :)

NextDNS (DoH) seems to be growing in popularity. You have to user their installer to add the proxy to the router (in JFFS) and reconfigure DNSMasq to use it.

The GUI supports DoT natively (WAN->Internet Connection->DNS Privacy Protocol->DNS over TLS (DoT)). When enabled, you'll be able to choose among many DoT providers.
 
I seem to be having similar issues and I use vpn most of the time as well.

I used to have ads blocked but now when I go to this site (https://ads-blocker.com/google-chrome/) to test I am still seeing the ads even if not connected to my vpn.

I am not sure if I am using the right DNS configuration and was wondering if there is a SOP on how to have things setup to have diversion work.

Thanks for any help!
 
I now have it working on my iOS device but on my PC using Chrome but can't seem to get it working while using firefox. I tried importing the cert but not sure if I did it correctly as it still doesn't work.

I followed these instructions.

Firefox​


Firefox manages its own root CA certificates. The import procedure is same on all platforms.


  1. Open your browser and visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
  2. Select "Trust this CA to identify websites" on the screen pop-up.
  3. Click "Ok"
 
can't seem to get it working while using firefox.

Firefox may be using it's built in DoH which will bypass Diversion. Open settings in Firefox and search "doh". See if the box is checked for "Enable DNS over HTTPS".
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top