Diversion Diversion - the Router Ad-Blocker

[skeal]

Seems working now, I also now have Skynet running which when going back in to Diversion prompted me to update the lists or something (done).
So now if I can enable a secure DNS server (recommendations welcome) I presume I will be about as secure as one can be on this router.

When I enable DNSSEC support though pages stop working (stalls, no loading) and the log fills with 'insecure response received' and 'bogus' error. Works ok again when disabling DNSSEC.

Tried again with Cloudflare 1.1.1.1 DNS (DNSSEC / rebind protection) and again Diversion broke - ad-block testers showing 'no ad protection'.

Am I doing something wrong around setting up a custom DNS Server? When I restore to my ISP DNS it works ok (no DNSSEC / rebind protection).

What I did is set my dns to 1.1.1.1 then ssh into my router and open Diversion. Choose d and re-install then reboot your golden.

 

[skeal]

What I did is set my dns to 1.1.1.1 then ssh into my router and open Diversion. Choose d and re-install then reboot your golden.

Oh yeah and relaunch your browser.

 

[bitmonster]

Oh so Diversion needs to be reinstalled after setting a custom DNS? Interesting.

What if I have Skynet installed? I recall Diversion needing some post Skynet install which it picked up next time I ran it.

Sent from my SM-G965F using Tapatalk

 

[skeal]

Oh so Diversion needs to be reinstalled after setting a custom DNS? Interesting.

What if I have Skynet installed? I recall Diversion needing some post Skynet install which it picked up next time I ran it.

Sent from my SM-G965F using Tapatalk

Basically you are launching setup again. All your settings from before are saved from before. Its a refresher that seems to work.

 

[bitmonster]

Ok and whatever post Skynet install was needed will still work? Post Skynet it downloaded and updated a bunch of stuff specifically because of Skynet being installed.

Sent from my SM-G965F using Tapatalk

 

[skeal]

Ok and whatever post Skynet install was needed will still work? Post Skynet it downloaded and updated a bunch of stuff specifically because of Skynet being installed.

Sent from my SM-G965F using Tapatalk

Yup you will be fine.

 

[skeal]

Yup you will be fine.

They integrate very well.

 

[bitmonster]

Yup you will be fine.

Thanks...

Sent from my SM-G965F using Tapatalk

 

[tomsk]

Seems working now, I also now have Skynet running which when going back in to Diversion prompted me to update the lists or something (done).
So now if I can enable a secure DNS server (recommendations welcome) I presume I will be about as secure as one can be on this router.

When I enable DNSSEC support though pages stop working (stalls, no loading) and the log fills with 'insecure response received' and 'bogus' error. Works ok again when disabling DNSSEC.

Tried again with Cloudflare 1.1.1.1 DNS (DNSSEC / rebind protection) and again Diversion broke - ad-block testers showing 'no ad protection'.

Am I doing something wrong around setting up a custom DNS Server? When I restore to my ISP DNS it works ok (no DNSSEC / rebind protection).

How are you setting up your Custom DNS server? What you have to remember with Diversion is that it uses dnsmasq ( the DNS built into the router) to do its work. Your clients must use dnsmasq for their DNS requests first which will then forward them on to a real recursive server for the ad blocking to work. if you insert a DNS address into the LAN DNS Server 1 or Server 2 boxes, your clients will try to use these instead of dnsmasq. If you use the DNSFilter to direct clients to Comodo, dnsmasq will be bypassed in a similar fashion. As far as DNSSEC goes, you need to ensure your upstream DNS properly supports it.
If you don't mind that all of your devices use Comodo you could put their servers address as the WAN DNS.

 

[bitmonster]

Ah that would explain it.. So should I set a custom DNS with Diversion somehow?

I want to use Comodo or Cloudflare thag support DNSSEC.

Sent from my SM-G965F using Tapatalk

 

[tomsk]

Ah that would explain it.. So should I set a custom DNS with Diversion somehow?

I want to use Comodo or Cloudflare thag support DNSSEC.

Sent from my SM-G965F using Tapatalk

Try setting Comodo's DNS servers in the WAN DNS boxes (8.26.56.26 and 8.20.247.20 i believe) and see if DNSSEC works or not.... Diversion settings don't have the provision to set an upstream DNS server, and would probably not be a good idea anyway.

 

[bitmonster]

Well it didn't work before. Ad-block just stopped working. Diversion just seems to stop working with anything but the default DNS server.
What about re-installing Diversion once I set a new DNS server with DNSSec and bind protection enabled? Has anyone else had any success with say Comodo or Cloudflare DNS and Diversion running together?

 

[tomsk]

Well it didn't work before. Ad-block just stopped working. Diversion just seems to stop working with anything but the default DNS server.
What about re-installing Diversion once I set a new DNS server with DNSSec and bind protection enabled? Has anyone else had any success with say Comodo or Cloudflare DNS and Diversion running together?

I'm using Cloudflare as my upstream (WAN) DNS with Diversion enabled right now however DNSSEC isn't enabled as it does have some issues ( documented in other posts around the forum) ... You shouldn't need to reinstall Diversion when you change your upstream DNS... when you apply the settings in the UI, dmsmasq will be restarted anyway. Does Comodo work without the DNSSEC enabled? The latest version of dnsmasq properly enforces DNSSEC now and some sites don't play well ( as far as i'm aware, no one has had trouble with google or quad9 with DNSSEC enabled so far)

 

[bitmonster]

So leave DNSSEC and bind protection disabled? That's a shame.

Sent from my SM-G965F using Tapatalk

 

[tomsk]

So leave DNSSEC and bind protection disabled? That's a shame.

Sent from my SM-G965F using Tapatalk

Bind protection has nothing to do with DNSSEC so you should be able to enable that. But DNSSEC itself is an issue with some providers...you can have a look in the dnscrypt threads to see that ppl trying to use cloudflare with DOH and DNSSEC together have the same issues.
Just to be clear.. the DNSSEC issues will affect all your DNS requests and not just stop ad blocking from working..... ie not really a Diversion issue.

 

[bitmonster]

Yeah it was odd that services such as Comodo that explicitly market around DNSSEC wouldn't work.

So if I try Google DNS I with DNSSEC and see if that works at least.

Sent from my SM-G965F using Tapatalk

 

[tomsk]

Yeah it was odd that services such as Comodo that explicitly market around DNSSEC wouldn't work.

So if I try enabling it and then reinstalling Diversion it may work.

Sent from my SM-G965F using Tapatalk

I had a quick look at the Comodo blurb on thier site and although they describe DNSSEC i couldn't find a mention that they specifically supported it ( it was a cursory look so maybe buried deeper in thier FAQ or something)....which is why i suggested trying it to see if it worked.
Did you try Quad9?

 

[bitmonster]

I'll give Quad9 a go... Thanks! Use DNSSEC with that? And that has worked OK with Skynet and Diversion running I assume.

Sent from my SM-G965F using Tapatalk

 

[tomsk]

I'll give Quad9 a go... Thanks! Use DNSSEC with that? And that has worked OK with Skynet and Diversion running I assume.

Sent from my SM-G965F using Tapatalk

I haven't heard of anyone having issues with Quad9 and DNSSEC yet, and it should work fine with Diversion and Skynet.. May also be worth clearing your browser cache if it doesn't appear to work initially.

 

[bitmonster]

Tried Cloudflare and reinstalled Diversion - got this

i Diversion removed these LAN DNS Server(s):
✖ 1.1.1.1
✖ 1.0.0.1
otherwise Diversion will not work.

You can add them back in WAN Settings by setting the
"Connect to DNS Server automatically" to "No"
and then entering your DNS Server(s) there.

Had to disable DNSSEC to get WAN back... Trying Quad9 now.