Diversion Diversion - the Router Ad-Blocker

[nick_max]

answered by dave14305
meaning ublock will do the filtering first before it set the request to diversion. That is why you have low hit in the pixelserv stats.
pro is likely the ublock on PC will likely be faster and effective than diversion since it is more than just a dns block but script block.
con is u get lesser ad domain cert being generated to be stored in pixelserv cert cache.. but not a big issue.

Thank you for your explanation
Like many, I'm using the router as a LAN ad-blocker, including mobile devices connected to it via IPsec or OpenVPN.
Only Chrome has the extensions installed and running and sometimes web pages break - then I'm using Firefox, which doesn't have any extensions (Content Blocking is set to Standard).

My logic is that I should have some hits in diversion since only Chrome is using browser extensions.

 

[SomeWhereOverTheRainBow]

I'm not sure about the inner workings and frankly I am unhappy about that change that Asus brought us (RMerlin simply merged that behavior into his firmware).
The tooltip for that dreaded "Wan: Use local caching DNS server as system resolver (default: No)" is:

That might help. It did now for me.

Yea I cannot see this to be helpful, if like you said earlier that it effects diversion ability to perform its job. I think it will require some real testing to show that it does. I am going to test it and see what comes from it, I will keep you informed if any significant findings arise.

Aside from that, I think it is safer to have hostnames resolved locally instead of being sent upstream.

 

[Xentrk]

Yea I cannot see this to be helpful, if like you said earlier that it effects diversion ability to perform its job. I think it will require some real testing to show that it does. I am going to test it and see what comes from it, I will keep you informed if any significant findings arise.

Aside from that, I think it is safer to have hostnames resolved locally instead of being sent upstream.

Just to add to the conversation, I am lucky and have had no issues on three RT-AC88U and one RT-AC86U with having "Wan: Use local caching DNS server as system resolver (default: No)" set to Yes. I have WAN DNS1 an DNS2 set to Cloudflare and DoT to Cloudflare is also enabled. The theory is the router will use the DNS settings in DNS1 and DNS2 until Stubby DoT can start-up.

But I did find an issue with having it set to No. For the selective routing x3mRouting project, I use the ipset list feature built into dnsmasq to populate ipset lists with IP addresses generated from domain lookups. The ipset lists were not getting populated when local caching DNS server was set to No. I will run another test to see if anything has changed.

Another way to confirm if local DNS caching is enabled is to do an nslookup. It should return the router's loop back address of 127.0.0.1:

nslookup snbforums.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      snbforums.com
Address 1: 2606:4700:20::6819:eb0f
Address 2: 104.25.234.15
Address 3: 104.25.235.15

 

[SomeWhereOverTheRainBow]

Just to add to the conversation, I am lucky and have had no issues on three RT-AC88U and one RT-AC86U with having "Wan: Use local caching DNS server as system resolver (default: No)" set to Yes. I have WAN DNS1 an DNS2 set to Cloudflare and DoT to Cloudflare is also enabled. The theory is the router will use the DNS settings in DNS1 and DNS2 until Stubby DoT can start-up.

But I did find an issue with having it set to No. For the selective routing x3mRouting project, I use the ipset list feature built into dnsmasq to populate ipset lists with IP addresses generated from domain lookups. The ipset lists were not getting populated when local caching DNS server was set to No. I will run another test to see if anything has changed.

Another way to confirm if local DNS caching is enabled is to do an nslookup. It should return the router's loop back address of 127.0.0.1:

nslookup snbforums.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      snbforums.com
Address 1: 2606:4700:20::6819:eb0f
Address 2: 104.25.234.15
Address 3: 104.25.235.15

I am going to test any correlation and causation of diversion and pixelserv tls not working if the feature is set to no, and also test if it is set to yes. So far with it set to yes all of my devices establish a stable connection much quicker than when using it set to no. you are welcome to run test as well if you like. maybe it will provide better supported data.

 

[SomeWhereOverTheRainBow]

one factor, I have noticed more stats on the server stats page for pixelserv are populating while using it set to YES.

 

[Butterfly Bones]

Clearing the cache probably does it.

I tried that, cleared all SNB web site data, which required logging back in. I rebooted the MacBook, re-installed Diversion. Nothing to get it to not show. I am new to maxOSX and learning, long time Linux and windows (when necessary) user.

 

[thelonelycoder]

But I did find an issue with having it set to No. For the selective routing x3mRouting project, I use the ipset list feature built into dnsmasq to populate ipset lists with IP addresses generated from domain lookups. The ipset lists were not getting populated when local caching DNS server was set to No. I will run another test to see if anything has changed.

I am going to test any correlation and causation of diversion and pixelserv tls not working if the feature is set to no, and also test if it is set to yes. So far with it set to yes all of my devices establish a stable connection much quicker than when using it set to no. you are welcome to run test as well if you like. maybe it will provide better supported data.

I wish someone would produce a conclusive and brief how-to for that setting.
The Diversion FAQ would appreciate it if it could host the final solution

 

[dave14305]

I wish someone would produce a conclusive and brief how-to for that setting.
The Diversion FAQ would appreciate it if it could host the final solution

If people have set it to Yes, with Diversion logging enabled, you could scan dnsmasq.log for queries originating from 127.0.0.1 or 192.168.1.1 (or whatever LAN IP is). Only those lookups would be impacted by the setting being No.

 

[dave14305]

I'm not sure about the inner workings and frankly I am unhappy about that change that Asus brought us (RMerlin simply merged that behavior into his firmware).

It was a topic of discussion in December 2018, not from Asus but by RMerlin. It was implemented as an option to address some corner cases to change the lookup behavior.
https://www.snbforums.com/threads/dev-feedback-changing-dns-behaviour-on-router.50360/page-2

But when the default changed in 384.12 to address frequent issues with Network Monitoring, NTP, Stubby, people got confused about how important or unimportant this setting is. Any of our community scripters that rely on nslookup can append 127.0.0.1 to their lookups to query dnsmasq instead of the WAN DNS servers (e.g. nslookup www.snbforums.com 127.0.0.1).

I’m not a believer of people who report better performance with this setting enabled. I just don’t see how it’s possible in a statistically significant way. I concede ignorance when people start talking about VPNs since I don’t use them on my router.

I think it’s a good topic for a wiki page to be contributed to by those who can document the behavior of dns in their setups with this setting set to Yes or No.

• Can NTP be synced if Stubby is enabled? Won’t Stubby still be in opportunistic mode? Probably no issues.
• Can NTP be synced if DNSSEC is enabled? It should also remain in non-strict mode without proper time.
• Stubby config points to WAN DNS (tmp resolv.conf) to ensure it can resolve the names of upstream servers during startup.

 

[SomeWhereOverTheRainBow]

It was a topic of discussion in December 2018, not from Asus but by RMerlin. It was implemented as an option to address some corner cases to change the lookup behavior.
https://www.snbforums.com/threads/dev-feedback-changing-dns-behaviour-on-router.50360/page-2

But when the default changed in 384.12 to address frequent issues with Network Monitoring, NTP, Stubby, people got confused about how important or unimportant this setting is. Any of our community scripters that rely on nslookup can append 127.0.0.1 to their lookups to query dnsmasq instead of the WAN DNS servers (e.g. nslookup www.snbforums.com 127.0.0.1).

I’m not a believer of people who report better performance with this setting enabled. I just don’t see how it’s possible in a statistically significant way. I concede ignorance when people start talking about VPNs since I don’t use them on my router.

I think it’s a good topic for a wiki page to be contributed to by those who can document the behavior of dns in their setups with this setting set to Yes or No.

• Can NTP be synced if Stubby is enabled? Won’t Stubby still be in opportunistic mode? Probably no issues.
• Can NTP be synced if DNSSEC is enabled? It should also remain in non-strict mode without proper time.
• Stubby config points to WAN DNS (tmp resolv.conf) to ensure it can resolve the names of upstream servers during startup.

I see where you are coming from; I concur with you when you say that it is ignorant to just say "it performs better" with no backing to the claim.

I am looking forward to putting it to the test as far as pixelserv tls is concerned. When it comes to Pixelserv, with the option set to yes, I have noted that there is more TLS interactions being captured within the stats page. I am wondering what is the best approach to document this. I know I can plunder dnsmasq logs, but in order to truly view the crimes happening you have to get your hands dirty. What I mean by this, it will be important to note there is some type of TLS handshake occurring.

 

[miniterror]

Hi guys,

Im facing a error where i cant seem to install Diversion.
Today i updated my ac68u from Johns fork to merlin 384.13.
Afterwards i did a factory reset and thought to delete the USB stick im using.
In Amtm it mentions it cant find a proper USB stick and error's out and stating i can format in amtm.
In amtm i enter 'fd' so the format utility starts and it sees the USB drive, i take all the steps and use the recommended settings of the script, so i give a name and format as ext4.
Afterwards the router reboots and i go back in trying to install Diversion but im seeying the same error again.
Tried ext2 but no difference in behaviour.
Looking at the systemlogs of the router webui i see the name of the USB brand coming by so i think the router is seeying the USB drive.
Any idea why this is happening?

Edit: Tried some more, when i place the USB stick in my laptop i can format it back so windows sees it again.
Trying to install Diversion it is unable to see the USB stick.
Seems like the router isnt mounting the USB stick or something.

 

[Makaveli]

Hi guys,

Im facing a error where i cant seem to install Diversion.
Today i updated my ac68u from Johns fork to merlin 384.13.
Afterwards i did a factory reset and thought to delete the USB stick im using.
In Amtm it mentions it cant find a proper USB stick and error's out and stating i can format in amtm.
In amtm i enter 'fd' so the format utility starts and it sees the USB drive, i take all the steps and use the recommended settings of the script, so i give a name and format as ext4.
Afterwards the router reboots and i go back in trying to install Diversion but im seeying the same error again.
Tried ext2 but no difference in behaviour.
Looking at the systemlogs of the router webui i see the name of the USB brand coming by so i think the router is seeying the USB drive.
Any idea why this is happening?

Edit: Tried some more, when i place the USB stick in my laptop i can format it back so windows sees it again.
Trying to install Diversion it is unable to see the USB stick.
Seems like the router isnt mounting the USB stick or something.

You are formatting this stick with a Linux compatible partition when doing it from windows?

 

[miniterror]

You are formatting this stick with a Linux compatible partition when doing it from windows?

In windows i let windows format it to fat, windows sees the USB stick and i can write data to it.
After that i used the usb format script from amtm to format it too ext4.
Then try to install Diversion to receive the message it does not see a USB stick to install it on

 

[Makaveli]

try using a free partition tool to format to ext 4 in windows.

https://www.disk-partition.com/download-home.html

Then retry it.

 

[Centrifuge]

try using a free partition tool to format to ext 4 in windows.

https://www.disk-partition.com/download-home.html

Then retry it.

I think exfat or ntfs works as well.

 

[miniterror]

Unfortionally disk-partition tool does not give a different result.
Not sure what the difference is between that tool and the build in formatter in AMTM but both i used EXT4 format.
It seems like the stick is not mounted in the router.
When i plug it in the router i see messages that it is seeying the stick but the homepage does not show any USB sticks connected.

Sep 22 23:52:22 kernel: usb 1-2: new high speed USB device using ehci_hcd and address 3
Sep 22 23:52:22 kernel: scsi1 : usb-storage 1-2:1.0
Sep 22 23:52:23 kernel: scsi 1:0:0:0: Direct-Access Kingston DataTraveler U3 6.16 PQ: 0 ANSI: 0 CCS
Sep 22 23:52:23 kernel: sd 1:0:0:0: Attached scsi generic sg0 type 0
Sep 22 23:52:23 kernel: sd 1:0:0:0: [sda] Attached SCSI removable disk



But Diversion shows below when trying to install, the USB format script in AMTM does see the USB stick.
I tried the USB2 and USB3 port.

[Error] No compatible device(s) found to install
Diversion on.

A permanently plugged in USB storage device
formatted with one of these file systems
is required: ext2, ext3, ext4

Use amtm to format attached USB devices
to any ext* file system.
https://diversion.ch/amtm.html




USB format script from AMTM.

Select your device to format

Again, this will erase all data and
partitions on the selected device!

1. sda Kingston DataTraveler U3 (1.0 GB)

 

[Makaveli]

Do you have another thumb drive you can test with?

 

[Marin]

Unfortionally disk-partition tool does not give a different result.
Not sure what the difference is between that tool and the build in formatter in AMTM but both i used EXT4 format.
It seems like the stick is not mounted in the router.
When i plug it in the router i see messages that it is seeying the stick but the homepage does not show any USB sticks connected.

Sep 22 23:52:22 kernel: usb 1-2: new high speed USB device using ehci_hcd and address 3
Sep 22 23:52:22 kernel: scsi1 : usb-storage 1-2:1.0
Sep 22 23:52:23 kernel: scsi 1:0:0:0: Direct-Access Kingston DataTraveler U3 6.16 PQ: 0 ANSI: 0 CCS
Sep 22 23:52:23 kernel: sd 1:0:0:0: Attached scsi generic sg0 type 0
Sep 22 23:52:23 kernel: sd 1:0:0:0: [sda] Attached SCSI removable disk



But Diversion shows below when trying to install, the USB format script in AMTM does see the USB stick.
I tried the USB2 and USB3 port.

[Error] No compatible device(s) found to install
Diversion on.

A permanently plugged in USB storage device
formatted with one of these file systems
is required: ext2, ext3, ext4

Use amtm to format attached USB devices
to any ext* file system.
https://diversion.ch/amtm.html




USB format script from AMTM.

Select your device to format

Again, this will erase all data and
partitions on the selected device!

1. sda Kingston DataTraveler U3 (1.0 GB)

Try rebooting your router first. Then plug in your thumb drive. See if shows up in the GUI. If it does then SSH into your router and re- format it using the AMTM. Then create your swap file. Then install Diversion.


Sent from my iPhone using Tapatalk

 

[miniterror]

Do you have another thumb drive you can test with?

Unfortionally i do not have other USB sticks, only USB drives.
Cleaning a 1TB USB drive might be a bit to much for testing.
Also the USB stick has always worked without a problem when running Johns fork.

Try rebooting your router first. Then plug in your thumb drive. See if shows up in the GUI. If it does then SSH into your router and re- format it using the AMTM. Then create your swap file. Then install Diversion.
Sent from my iPhone using Tapatalk

Will try this tonight when im home again.
Any specific reason why to create a swap file?
The AMTM is seeying the USB drive and does not show any error.

 

[Marin]

Unfortionally i do not have other USB sticks, only USB drives.
Cleaning a 1TB USB drive might be a bit to much for testing.
Also the USB stick has always worked without a problem when running Johns fork.



Will try this tonight when im home again.
Any specific reason why to create a swap file?
The AMTM is seeying the USB drive and does not show any error.

There are quite a few threads regarding swap file (use the Search function) but you could start by reading this:

https://www.snbforums.com/threads/n...-a-swap-file-if-so-how-big.27207/#post-207697




Sent from my iPhone using Tapatalk