Diversion Diversion - the Router Ad-Blocker

[bitmonster]

OK now I feel like an idiot.
I entered the 1.1.1.1 server in *WAN* settings - I was entering this in DHCP settings (duh) and disabled "connect to DNS automatically", enabled DNSSEC in DHCP and it seems to be working. I'll reboot later and see if it still works.

If that's what it was then I will take the idiot of the year award :-O

I am seeing blocked results in the log, but also this "validation result is INSECURE"

The Cloudflare DNS actually looks pretty good.

Now I'd like to know if it is possible to block and force clients to use only the router for DNS resolution.

 

[tomsk]

Tried Cloudflare and reinstalled Diversion - got this

i Diversion removed these LAN DNS Server(s):
✖ 1.1.1.1
✖ 1.0.0.1
otherwise Diversion will not work.

You can add them back in WAN Settings by setting the
"Connect to DNS Server automatically" to "No"
and then entering your DNS Server(s) there.

Had to disable DNSSEC to get WAN back... Trying Quad9 now.

Once again.... putting dns entries in the LAN servers boxes will tell the clients to use those DNS rather than the router dns...... thats why diversion removed them..... you put cloudflare, or google, or quad9 dns addresses in to the WAN dns server boxes...... set "connect to DNS server automatically" to no and the WAN dns entry boxes will appear

 

[XIII]

Has anyone set up Google or Comodo or other secure DNS on this?

I'm using Quad9 and Diversion. Works fine.

 

[Ubimo]

Standard blocking file does not block all ads. I tried medium, but medium is blocking porn websites. How can I use medium or large without blocking porn sites?

 

[bitmonster]

Is it even possible to block all ads?

What is a realistic expectation?

Sent from my SM-G965F using Tapatalk

 

[joe scian]

Standard blocking file does not block all ads. I tried medium, but medium is blocking porn websites. How can I use medium or large without blocking porn sites?

blocking porn sites is good for your eyesight !

 

[bitmonster]

How can I use medium or large without blocking porn sites?

I am so not going there.

 

[tomsk]

Standard blocking file does not block all ads. I tried medium, but medium is blocking porn websites. How can I use medium or large without blocking porn sites?

use a custom hostfile from one of these consolidated lists not including porn i guess
https://github.com/StevenBlack/hosts

 

[thobux]

I wonder why I get doubleclick.net ads. The domain is blacklisted? Any idea?

OK I figured out what's going on. It seems as if 1 out of 6 devices in my network somehow evades the router for DNS (although its DNS is set like the others to the IP of the router).
It doesn't show up in the dnsmasq log. If I do a traceroute it first jumps the the router IP 192.168.1.1.
Any idea what I'm missing? Thanks

 

[Xentrk]

ahh ok, so, correct me if I'm wrong, doing as you suggest wil cause a DNS leak when using the VPN. However, Diversion will work, correct? I actually need the VPN's DNS for the Apple TV 4K to Stream US content (I'm in Australia but have a shared DirecTV account and use all of the various Streaming Apps, plus Netflix, Hulu, and Prime Video). Is there a way to exclude one device so it is routed completely through the VPN?

I have used every service you mentioned using a vpn with my DNS leaking and not once have I ever had an issue. If you do have an issue, let me know. The first thing to try is changing DNS to be in the country you are connected to over the VPN.

 

[martinr]

OK I figured out what's going on. It seems as if 1 out of 6 devices in my network somehow evades the router for DNS (although its DNS is set like the others to the IP of the router).
It doesn't show up in the dnsmasq log. If I do a traceroute it first jumps the the router IP 192.168.1.1.
Any idea what I'm missing? Thanks

Possibly. Go to AIProtection > DNS Filtering > Enable DNS Based Filtering st to ON then set Global Filter Mode to Router.

Does that fix it?

 

[thobux]

Possibly. Go to AIProtection > DNS Filtering > Enable DNS Based Filtering st to ON then set Global Filter Mode to Router.

Does that fix it?

I set Global to "No Filtering" and the device that wasn' t picked up to Router and this seems to fix it. Still I don't understand why.

 

[martinr]

I set Global to "No Filtering" and the device that wasn' t picked up to Router and this seems to fix it. Still I don't understand why.

As I understand it - and the experts, like Colin Taylor will give you the ultimate answer - if yiu set No Filtering, the DNS settings on your PC will determine where your PC goes for resolution of its DNS queries; if, on the other hand, you tell it Global Filtering via the router, then it doesn’t matter what the Windows (or any other) device has set for its DNS resolution, it will be over-ridden and its DNS queries will be forced to go through the router regardless.

Anyway, glad you seem to have fixed it.

 

[clvk07]

I had ab solution, installed diversion but now can't use the UI anymore.
how to you use diversion once installed? I did a search no scripts.
I tried to install it again, nothing happens



admin@Skyet:/# find . -name "diversion"

./tmp/mnt/Entware/entware/share/diversion
admin@Skyet:/# curl -Os https://diversion.ch/install && sh install
admin@Skyet:/#

 

[IT Guy]

NO white pixel when blocking "googleads.g.doubleclick.net" why is that?
I ping the googleads.g.doubleclick.net and pixel server replies at 192.168.0.2 but on the webpage I see the error msg connection fail ect...

This is the webpage: http://hola.klonec.co/black-cat-emoji/

In chrome it shows in the ad area:
https://googleads.g.doubleclick.net...pc=xiwNElnmmo&p=http://hola.klonec.co&dtd=193 does not reply

 

[thobux]

As I understand it - and the experts, like Colin Taylor will give you the ultimate answer - if yiu set No Filtering, the DNS settings on your PC will determine where your PC goes for resolution of its DNS queries; if, on the other hand, you tell it Global Filtering via the router, then it doesn’t matter what the Windows (or any other) device has set for its DNS resolution, it will be over-ridden and its DNS queries will be forced to go through the router regardless.

Anyway, glad you seem to have fixed it.

Yeah thank you a lot. I think I figured out why it didn't work out in the first place. I had openDNS entries in the resolv.conf -> changed it to the router. thus I can switch off the DNS filtering on the router software.

 

[Skeptical.me]

I tested again and confirmed that Diversion will not work over the VPN tunnel when Accept DNS Configuration = Exclusive when using Policy Rules or Policy Rules (Strict).

Copy to the entire contents to /jffs/scripts/Chk_ADNS.sh. Type chmod 755 Chk_ADNS.sh to make it executable. Run the script:

./Chk_ADNS.sh

or

sh  Chk_ADNS.sh

or

sh /jffs/scripts/Chk_ADNS.sh

Output below. I need to change the text to also include using Accept DNS Configuration = Disabled as an option.

View attachment 14568

Forgive me for my lack of knowledge. I hope it isn't frustrating.

When I create the file /jffs/scripts/Chk_ADNS.sh then add the whole script to the file I'm having some issues ...

vi /jffs/scripts/Chk_ADNS.sh

I see the .sh file is created:

admin@RT-AC86U-1960:/jffs/scripts# ls
Chk_ADNS.sh       firewall          post-mount        services-stop
dnsmasq.postconf  firewall-start    post-mount.div

When I paste the Script https://www.snbforums.com/threads/diversion-the-router-adblocker.48538/page-27#post-433529 to /jffs/scripts/Chk_ADNS.sh using the editor I get this result in the file:

admin@RT-AC86U-1960:/jffs/scripts# vi sh /jffs/scripts/Chk_ADNS.sh






                                                                              
r OPENVPN_CLIENT in 1 2 3 4 5                                                 
                                                                              
 [ "$(nvram get vpn_client${OPENVPN_CLIENT}_state)" -ne "2" ]; then           
intf 'OpenVPN Client %s is not in a connected state. Skipping check for OpenVPN
if [ "$(nvram get vpn_client${OPENVPN_CLIENT}_state)" -eq "2" ] && [ "$(nvram ge
intf 'Warning! Potential configuration conflict found with OpenVPN Client %s\n\n
intf '%bAccept DNS Configuration%b setting is set to %bExclusive%b\n' "$COLOR_GR
intf 'When %bAccept DNS Configuration%b is set to %bExclusive%b and %bRedirect I
intf '\n'                                                                     
intf 'The work-around solution is to set %bAccept DNS Configuration%b to %bStric
intf 'in the %bCustom Config Section%b add the entry: %bdhcp-option DNS dns.serv
intf 'where %bdns.server.ip.address%b is a DNS server of your choice\n' "$COLOR_
intf 'e.g. dhcp-option DNS 9.9.9.9\n'                                         
intf 'This will result in DNS leaking. But it will allow Diversion to work over
intf 'To learn more about the issue, see\n'                                   
intf '%bhttps://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-
intf 'and navigate to the section %bDNSmasq and OpenVPN DNS%b\n\n' "$COLOR_GREEN
se                                                                           
intf 'Good news! No configuration conflicts found with OpenVPN Client %s\n\n' "$
                                                                              
ne                                                                           
                                                                              
I sh [Modified] 185/185 100%

I can't seem to save the script, it appears to run after I paste it to the Chk_ADNS.sh file

I'm just wondering where I'm going wrong.

 

[M@rco]

@Skeptical.me I think you might be better off using nano instead of vi.

Remove the current file:

rm /jffs/scripts/Chk_ADNS.sh

Create a new one:

nano /jffs/scripts/Chk_ADNS.sh

Paste the script in nano:
Press CTRL-X to eXit and answer Yes to write the changes to Chk_ADNS.sh
and make the script executable by executing:

chmod 755 /jffs/scripts/Chk_ADNS.sh

Next execute the script:

sh /jffs/scripts/Chk_ADNS.sh

 

[Skeptical.me]

@Skeptical.me I think you might be better off using nano instead of vi.

Remove the current file:

rm /jffs/scripts/Chk_ADNS.sh

Create a new one:

nano /jffs/scripts/Chk_ADNS.sh

Paste the script in nano:
Press CTRL-X to eXit and answer Yes to write the changes to Chk_ADNS.sh
and make the script executable by executing:

chmod 755 /jffs/scripts/Chk_ADNS.sh

Next execute the script:

sh /jffs/scripts/Chk_ADNS.sh

Excellent, thank you! I forgot all about nano.

Here is the output. It looks a bit different than what is shown in the picture here: https://www.snbforums.com/threads/diversion-the-router-adblocker.48538/page-27#post-433663

Here is the output I get:

admin@RT-AC86U-1960:/# sh /jffs/scripts/Chk_ADNS.sh

********************************************************************************************
* WAN Interfaces *
********************************************************************************************
WAN IF  Status        Address         GW   IFNAME
------  ------------- --------------- ---- ------
/jffs/scripts/Chk_ADNS.sh: line 164: wan0_gw_ifname: not found
WAN0:  Connected     xxx.xxx.xxx.xxx        eth0 
/jffs/scripts/Chk_ADNS.sh: line 164: wan1_gw_ifname: not found
WAN1:  Unknown State 0.0.0.0                   

********************************************************************************************
* VPN Interfaces *
********************************************************************************************
                                                                                   Accept
                                                                                   DNS
Client  Status        Address                             Description              Configuration
------- ------------- -----------------------------------                                       
/jffs/scripts/Chk_ADNS.sh: line 164: ------------------------: not found
OVPNC1: Connected     xxxx-xxxx-ca-version-2.expressnetw.com ExpressVPN 1                     
/jffs/scripts/Chk_ADNS.sh: line 164: Exclusive: not found
OVPNC2: Stopped       xxxx-xxxx-ca-version-2.expressnetw.com ExpressVPN 2                       
/jffs/scripts/Chk_ADNS.sh: line 164: Strict: not found
OVPNC3: Stopped                                           Client 3                             
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found
OVPNC4: Stopped                                           Client 4                             
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found
OVPNC5: Stopped                                           Client 5                             
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found

Diversion installation detected
Checking for potential conflicts with active OpenVPN Clients

/jffs/scripts/Chk_ADNS.sh: line 206: vpn_client1_adns: not found
[: bad number
[: missing ]
/jffs/scripts/Chk_ADNS.sh: line 206: 1: not found
Good news! No configuration conflicts found with OpenVPN Client 1

OpenVPN Client 2 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 2: not found
OpenVPN Client 3 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 3: not found
OpenVPN Client 4 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 4: not found
OpenVPN Client 5 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 5: not found

 

[skeal]

Excellent, thank you! I forgot all about nano.

Here is the output. It looks a bit different than what is shown in the picture here: https://www.snbforums.com/threads/diversion-the-router-adblocker.48538/page-27#post-433663

Here is the output I get:

admin@RT-AC86U-1960:/# sh /jffs/scripts/Chk_ADNS.sh

********************************************************************************************
* WAN Interfaces *
********************************************************************************************
WAN IF  Status        Address         GW   IFNAME
------  ------------- --------------- ---- ------
/jffs/scripts/Chk_ADNS.sh: line 164: wan0_gw_ifname: not found
WAN0:  Connected     xxx.xxx.xxx.xxx        eth0
/jffs/scripts/Chk_ADNS.sh: line 164: wan1_gw_ifname: not found
WAN1:  Unknown State 0.0.0.0                  

********************************************************************************************
* VPN Interfaces *
********************************************************************************************
                                                                                   Accept
                                                                                   DNS
Client  Status        Address                             Description              Configuration
------- ------------- -----------------------------------                                      
/jffs/scripts/Chk_ADNS.sh: line 164: ------------------------: not found
OVPNC1: Connected     xxxx-xxxx-ca-version-2.expressnetw.com ExpressVPN 1                    
/jffs/scripts/Chk_ADNS.sh: line 164: Exclusive: not found
OVPNC2: Stopped       xxxx-xxxx-ca-version-2.expressnetw.com ExpressVPN 2                      
/jffs/scripts/Chk_ADNS.sh: line 164: Strict: not found
OVPNC3: Stopped                                           Client 3                            
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found
OVPNC4: Stopped                                           Client 4                            
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found
OVPNC5: Stopped                                           Client 5                            
/jffs/scripts/Chk_ADNS.sh: line 164: Disabled: not found

Diversion installation detected
Checking for potential conflicts with active OpenVPN Clients

/jffs/scripts/Chk_ADNS.sh: line 206: vpn_client1_adns: not found
[: bad number
[: missing ]
/jffs/scripts/Chk_ADNS.sh: line 206: 1: not found
Good news! No configuration conflicts found with OpenVPN Client 1

OpenVPN Client 2 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 2: not found
OpenVPN Client 3 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 3: not found
OpenVPN Client 4 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 4: not found
OpenVPN Client 5 is not in a connected state. Skipping check for OpenVPN Client

/jffs/scripts/Chk_ADNS.sh: line 206: 5: not found

Run this command and try again.

dos2unix /jffs/scripts/Chk_ADNS.sh