Diversion Diversion - the Router Ad-Blocker

[Skeptical.me]

So you have one device that is bypassing the DNS based filtering setup by Diversion, nothing more.

It appears to be that way, yes. Would you know how I could fix this? I'm going to reboot the router and restart the iMac and see if that makes a difference first.

 

[HairyA00]

It appears to be that way, yes. Would you know how I could fix this? I'm going to reboot the router and restart the iMac and see if that makes a difference first.

192.168.50.1 > LAN > DNSFilter > Enable DNS-based Filtering (ON)
Global Filter Mode (Router)

Remove all the clients from the Client List unless you have a reason for them to be there.

 

[jsbeddow]

I agree with @HairyA00. You might also think about anything else that you may have recently changed: VPN software running on the client machine, or perhaps new browser based settings that attempt to manipulate the DNS (for better or worse, and of dubious help for those of us who have also manually modified DNS resolution through Diversion).

 

[Skeptical.me]

192.168.50.1 > LAN > DNSFilter > Enable DNS-based Filtering (ON)
Global Filter Mode (Router)

Remove all the clients from the Client List unless you have a reason for them to be there.

Okay, I've narrowed the issue down. I use Firefox, Brave and Safari. I turned off all ad/script blockers in Brave and Firefox, no Ads are showing in these two browsers (no ads are showing on any other device too). However, in Safari the Ads ads are showing, so only Safari is affected.

I have macOS 10.15 Catalina Beta installed.

I have cleared all cookies, and data, history from Safari and that has made no difference.

 

[HairyA00]

Okay, I've narrowed the issue down. I use Firefox, Brave and Safari. I turned off all ad/script blockers in Brave and Firefox, no Ads are showing in these two browsers (no ads are showing on any other device too). However, in Safari the Ads ads are showing, so only Safari is affected.

I have macOS 10.15 Catalina Beta installed.

I have cleared all cookies, and data, history from Safari and that has made no difference.

Did you set DNSFilter Global Mode to ON with it looping back to the router's DNS? Even if a browser, IoT device, etc etc hard-codes DNS, it will be forced back into Diversion. Give it a shot if you haven't already.

192.168.50.1 > LAN > DNSFilter > Enable DNS-based Filtering (ON)
Global Filter Mode (Router)

Remove all the clients from the Client List unless you have a reason for them to be there.

 

[Skeptical.me]

Did you set DNSFilter Global Mode to ON with it looping back to the router's DNS? Even if a browser, IoT device, etc etc hard-codes DNS, it will be forced back into Diversion. Give it a shot if you haven't already.

192.168.50.1 > LAN > DNSFilter > Enable DNS-based Filtering (ON)
Global Filter Mode (Router)

Remove all the clients from the Client List unless you have a reason for them to be there.

I certainly have DNSFilter set to Router. This is strange, I've never had this issue before.

 

[jsbeddow]

I am not an Apple person, so I cannot say definitively, but I wouldn't be surprised if Safari isn't moving over to DoH (DNS over HTTPS), which I believe will bypass all other DNS filtering attempts (as that traffic does not appear to be DNS lookups, just encrypted regular web traffic).
Try to see if it is a controllable setting.

 

[Skeptical.me]

I am not an Apple person, so I cannot say definitively, but I wouldn't be surprised if Safari isn't moving over to DoH (DNS over HTTPS), which I believe will bypass all other DNS filtering attempts (as that traffic does not appear to be DNS lookups, just encrypted regular web traffic).
Try to see if it is a controllable setting.

The DNS for the iMac is found in System Preferences (there's no specific setting in Safari's Preferences for DNS). In the System Preferences the DNS is the routers address 192.168.50.1
I guess I'll just have to stop using Safari which isn't a major issue.

 

[HairyA00]

The DNS for the iMac is found in System Preferences (there's no specific setting in Safari's Preferences for DNS). In the System Preferences the DNS is the routers address 192.168.50.1
I guess I'll just have to stop using Safari which isn't a major issue.

Did you install the pixelserv-tls certificate into your keystore on your Mac?

 

[Skeptical.me]

Did you install the pixelserv-tls certificate into your keystore on your Mac?

ahh yes I did, I think. Should I install it, just in case I didn't, it would have been awhile ago that I added it.

 

[HairyA00]

ahh yes I did, I think. Should I install it, just in case I didn't, it would have been awhile ago that I added it.

The following procedure will import your CA cert and trust it system wide.

1. Open Safari/Chrome. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
2. Find the downloaded file, ca.crt.
3. Double click on `ca.crt' to start Keychain's import wizard.
4. Select keychain "system" and click "Add".
5. Open Keychain Access and select keychain "System".
6. Locate "Pixelserv CA" and double click to the CA cert.
7. Expand "Trust" and select "Always Trust" for "When using this certificate"
8. Close the window to finish setting update.

Restart your browser to take effect.

 

[Skeptical.me]

The following procedure will import your CA cert and trust it system wide.

1. Open Safari/Chrome. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
2. Find the downloaded file, ca.crt.
3. Double click on `ca.crt' to start Keychain's import wizard.
4. Select keychain "system" and click "Add".
5. Open Keychain Access and select keychain "System".
6. Locate "Pixelserv CA" and double click to the CA cert.
7. Expand "Trust" and select "Always Trust" for "When using this certificate"
8. Close the window to finish setting update.

Restart your browser to take effect.

So, what happened after I installed the ca.crt successfully is Ads were still showing. But I got suspicious of some deactivated browser extensions in Safari preferences. So I deleted all extension bar 2 and this solved the issue. I'm not too sure why an extension affected the browser like this, but nevertheless it's fixed. Thanks, mate (and others).

 

[doczenith1]

I can confirm that if your browser or perhaps an extension is allowing your browser to use DoH as mentioned a few posts up it will in fact bypass the DNS filter setting on your router.

 

[bitmonster]

The following procedure will import your CA cert and trust it system wide.

1. Open Safari/Chrome. Visit http://pixelserv ip/ca.crt. Make sure you replace pixelserv ip with the actual IP address of pixelserv.
2. Find the downloaded file, ca.crt.
3. Double click on `ca.crt' to start Keychain's import wizard.
4. Select keychain "system" and click "Add".
5. Open Keychain Access and select keychain "System".
6. Locate "Pixelserv CA" and double click to the CA cert.
7. Expand "Trust" and select "Always Trust" for "When using this certificate"
8. Close the window to finish setting update.

Restart your browser to take effect.

Oh this sounds interesting. Google sponsored links break with Diversion running. I wonder if this will allow them to work again (not that I mind denying Google their tax-dodging revenue).

Can someone remind me what the graphical monitoring / reporting tool for Diversion is? I thought I recall mention of something a while ago.

 

[dave14305]

Can someone remind me what the graphical monitoring / reporting tool for Diversion is? I thought I recall mention of something a while ago.

uiDivStats - WebUI for Diversion statistics

 

[Skeptical.me]

uiDivStats - WebUI for Diversion statistics

Ahhh, that's exactly what I need. I had no idea it was available.

 

[Skeptical.me]

Hi, I've added Hosts files to Diversion before but I've never created one. Here I have many of Facebook servers in the correct format to block them in Diversion but I don't know how to create a hosts file (.txt) online. I'm just wondering if anyone knows how to do this.

Any help is appreciated.

 

[thelonelycoder]

Hi, I've added Hosts files to Diversion before but I've never created one. Here I have many of Facebook servers in the correct format to block them in Diversion but I don't know how to create a hosts file (.txt) online. I'm just wondering if anyone knows how to do this.

Any help is appreciated.

Just use the RAW link in the navigation links above your file and add it as a hosts file in b:
https://pastebin.com/raw/uW5RgmEE

 

[Skeptical.me]

Just use the RAW link in the navigation links above your file and add it as a hosts file in b:
https://pastebin.com/raw/uW5RgmEE

Thanks @thelonelycoder ... done, no more Facebook on my Network.

 

[dave14305]

This is probably more of a general dnsmasq question, but applicable to Diversion users with Firefox browsers on their networks.

Based on Mozilla’s recent announcement (DoH on by default soon), is there a way to add a NXDOMAIN response for the canary domain they query to determine if DoH should be disabled?

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

This seems to be the month for everyone to throw obstacles for all the Diversion users.