Diversion Diversion - the Router Ad-Blocker

[thelonelycoder]

Hi everyone - first time post so apologies if I'm violating etiquette here.

I'm having a problem getting PayPal pages, either direct or via payment pages, to load correctly with Diversion on. The config is:

Merlin 384.7__2
Diversion 4.0.6
SkyNet/PixelServ-tls as installed via amtm 1.5

When I have Diversion enabled, PayPal gets blocked and it looks like a DNS issue rather than a blocking issue; I don't see PayPal show up in red in the dnsmasq log while I follow it and I didn't put in any specific rules.

Diversion/Skynet otherwise works just fine (well, I have issues with forecast.nws.gov sometimes takes multiple reloads with a similar problem).

I know that Paypal's various dependent domains are managed via Akamai, so there's a DNS lookup that goes to a CNAME mapping in the background that needs to be resolved and is probably having trouble crossing the proxy on 192.168.1.2.

Thanks for the help.

This might help:
- Try using a smaller blocking list in b.
- Add t.paypal.com to the whitelist

 

[CrunchyInside]

This might help:
- Try using a smaller blocking list in b.
- Add t.paypal.com to the whitelist

I went with the second option since my blocklists are the Diversion Standard. That seems to have done it.

Thanks!

 

[Blackbox]

On the Strict setting, you also have to add the entry "dhcp-option DNS 1.1.1.1" in the Custom Config section.

If Accept DNS Configuration is set to Disabled, then the VPN will use the DNS specified on the WAN iface.

There is no fix for the DNS leak when setting Accept DNS Configuration to Disabled or Strict when using Policy Rules. My understanding of DNS leak is having your ISP intercept your DNS queries so they know what sites you are visiting. That is where Stubby comes in. With Stubby DNS over TLS, the DNS queries are encrypted to Cloudflare. So there has to be a trust with Cloudflare. I have not found situations where sites are using DNS to detect geo location. Yes, a ipleak.net test will show your DNS is leaking, but the ISP can't read the requests.

Yes, you can enter the CIDR for the router. Yorgi's guide https://www.snbforums.com/threads/h...and-other-vpn-providers-384-5-07-10-18.30851/ has some examples.

Thanks again for the explanations Xentrk!

I assume I can also use DNS-over-TLS with another DNS service, not just Cloudflare?
It says it is still in beta, are there any hiccups at this point with Stubby DNS over TLS or does it work stable with the latest MerlinWRT?

Since my main goal is to not reveal any information about what websites I visit to my ISP (to bypass Net Neutrality) a DNS leak would not be an option.

So as far as I understood I have exactly 2 options:

1 - Set Accept DNS Config to “Exclusive” and set traffic to all (downside no Killswitch)
2 - Disable Accept DNS config and define DNS server under WAN and use Stubby DNS over TLS

Also, for some reason when using Accept DNS Config to strict and adding this line “dhcp-option DNS 1.1.1.1” to custom config, it still uses my ISPs DNS but not the one that I defined (Cloudflare in that case). Any idea why that is?

 

[Xentrk]

Thanks again for the explanations Xentrk!

I assume I can also use DNS-over-TLS with another DNS service, not just Cloudflare?
It says it is still in beta, are there any hiccups at this point with Stubby DNS over TLS or does it work stable with the latest MerlinWRT?

Since my main goal is to not reveal any information about what websites I visit to my ISP (to bypass Net Neutrality) a DNS leak would not be an option.

So as far as I understood I have exactly 2 options:

1 - Set Accept DNS Config to “Exclusive” and set traffic to all (downside no Killswitch)
2 - Disable Accept DNS config and define DNS server under WAN and use Stubby DNS over TLS

Also, for some reason when using Accept DNS Config to strict and adding this line “dhcp-option DNS 1.1.1.1” to custom config, it still uses my ISPs DNS but not the one that I defined (Cloudflare in that case). Any idea why that is?

Yes, there is a handful of DNS providers that support DNS over TLS. Cloudflare is what the Stubby installer script uses by default. You can comment out Cloudflare and change to Quad9. There are other supported servers listed on the dnsprivacy.org website.

I'm not sure why the Accept DNS Configuration = Strict and using dhcp-option DNS 1.1.1.1 is not using Cloudflare as your DNS when connected to the VPN tunnel as that has been my go to work around for several years on Asuswrt-Merlin when using Policy Rules + Diversion. Perhaps the OpenVPN server is pushing a directive to the client and overriding the configuration. You may need to contact ExpressVPN Support to confirm.

Step 6 of their instructions appears to be backwards from the way Asuswrt Merlin works.

Scroll down to Advanced Settings. Set Accept DNS Configuration to Strict if you intend to use ExpressVPN on all devices connected to the router or Exclusive if you only intend to use ExpressVPN on select devices.

 

[preacher65]

I'm not sure why the Accept DNS Configuration = Strict and using dhcp-option DNS 1.1.1.1 is not using Cloudflare as your DNS when connected to the VPN tunnel as that has been my go to work around for several years on Asuswrt-Merlin when using Policy Rules + Diversion. Perhaps the OpenVPN server is pushing a directive to the client and overriding the configuration. You may need to contact ExpressVPN Support to confirm.

Apologies if I've misunderstood what's being discussed here, but I noticed recently that with Strict, the OVPN DNS servers were being added to the top of the list of resolvers, but dnsmasq was processing the list in bottom-up order, which meant the WAN DNS servers were being used first. I think it's been changed in the latest alpha. See this thread from about here: https://www.snbforums.com/threads/i...ns-configuration-parameter.54062/#post-456590
Again, sorry if this doesn't apply here but I thought it was worth mentioning as it had me confused for a while...

 

[Xentrk]

Apologies if I've misunderstood what's being discussed here, but I noticed recently that with Strict, the OVPN DNS servers were being added to the top of the list of resolvers, but dnsmasq was processing the list in bottom-up order, which meant the WAN DNS servers were being used first. I think it's been changed in the latest alpha. See this thread from about here: https://www.snbforums.com/threads/i...ns-configuration-parameter.54062/#post-456590
Again, sorry if this doesn't apply here but I thought it was worth mentioning as it had me confused for a while...

Your post jogged my memory. I now recall reading a post from @RMerlin stating he was going to change the behavior of Strict. Going forward, my recommended work around for those that want to use Diversion with Policy Rules is to use the "Disabled" setting and install Stubby DNS over TLS to encrypt DNS. With Accept DNS Configuration = Exclusive when using Policy Rules, dnsmasq is bypassed which prevents Diversion from working.

Unbound resolver is something that may help resolve this issue. I made a few minimal attempts in the past without success. I have it working good on pfSense so I know it can be done.

 

[thelonelycoder]

Can you invert option "4. filter by term" in the follow dnsmasq.log?

Having LastPass sending 10000 request a day that flood the log.

This is coming in Diversion 4.0.7, will that do?

 

[thelonelycoder]

Is there a way I can add multiple domains in one go whether it be for white/black list?

Yes, by adding it to the files directly in /opt/share/diversion/list/.
Use same syntax as existing entries. Then process the files in el.

 

[Ubimo]

Yes, by adding it to the files directly in /opt/share/diversion/list/.
Use same syntax as existing entries. Then process the files in el.

Dear thelonelycoder
I've added a bunch of domains to the blacklist, now some entries are doubled I guess. It's a big list.
Is it possible for you (diverison) to sort out double entries in blacklist and sort them during processing the lists?

The format in the blacklist has to be like this?
192.168.1.2 www.bingads.microsoft.com

 

[thelonelycoder]

Dear thelonelycoder
I've added a bunch of domains to the blacklist, now some entries are doubled I guess. It's a big list.
Is it possible for you (diverison) to sort out double entries in blacklist and sort them during processing the lists?

The format in the blacklist has to be like this?
192.168.1.2 www.bingads.microsoft.com

How about 4. Sort and verify (list):

This will sort the (list) file
alphanumerically, remove duplicates and entries
that don't work in Diversion.

domain.com and www.domain.com will be sorted
separately.

A backup of the file will be made in the
/backup/ directory.

 

[Ubimo]

Wow, thanks, did't see this feature earlier. Great!

Another thing, the blocked domains counter at the top of the main menu did not increase although I added domains to the blacklist which were not in any list and reachable before I added them to the blacklist.

 

[thelonelycoder]

The format in the blacklist has to be like this?
192.168.1.2 www.bingads.microsoft.com

Yes, its <blocking IP> <domain> pair. If unsure use 0.0.0.0 and edit the blacklist after. While opening the file, the blocking IP is auto corrected.

 

[thelonelycoder]

Another thing, the blocked domains counter at the top of the main menu did not increase although I added domains to the blacklist which were not in any list and reachable before I added them to the blacklist.

Only the blocked domains of the blocking list in use are counted in the header. The whitelist, blacklist and wildcard-blacklist counters are a feature of the upcoming Diversion 4.0.7, as mentioned in the beta release notes here

 

[Chamaco Arano]

Sorry to ask this here, but I couldn't find this anywhere else, I'm getting the following error message in General Logs:

Jan 20 21:52:15 kernel: EXT4-fs (sda1): error count: 5
Jan 20 21:52:15 kernel: EXT4-fs (sda1): initial error at 1544849007: ext4_mb_generate_buddy:717
Jan 20 21:52:15 kernel: EXT4-fs (sda1): last error at 1547806807: ext4_mb_generate_buddy:717

 

[thelonelycoder]

Sorry to ask this here, but I couldn't find this anywhere else, I'm getting the following error message in General Logs:

Jan 20 21:52:15 kernel: EXT4-fs (sda1): error count: 5
Jan 20 21:52:15 kernel: EXT4-fs (sda1): initial error at 1544849007: ext4_mb_generate_buddy:717
Jan 20 21:52:15 kernel: EXT4-fs (sda1): last error at 1547806807: ext4_mb_generate_buddy:717

These appear to be errors in your USB storage device.
You could install amtm, then enable the disk checker. Once enabled, reboot the router. Hopefully it'll fix it.

 

[Skeptical.me]

I have Whitelisted all of the needed Reddit server addresses, but just this last week I have lost access to Reddit on my iPhone (App & Browser) and the below image is what I see when trying to login to Reddit on my iMac. I can't figure out what is causing this. Any hints or tips?

 

[thelonelycoder]

I have Whitelisted all of the needed Reddit server addresses, but just this last week I have lost access to Reddit on my iPhone (App & Browser) and the below image is what I see when trying to login to Reddit on my iMac. I can't figure out what is causing this. Any hints or tips?

What blocking list type are you using? If customized, post hosts list.

 

[SMS786]

I have Whitelisted all of the needed Reddit server addresses, but just this last week I have lost access to Reddit on my iPhone (App & Browser) and the below image is what I see when trying to login to Reddit on my iMac. I can't figure out what is causing this. Any hints or tips?

If you havn't already, try clearing the browser cache.

 

[Skeptical.me]

If you havn't already, try clearing the browser cache.

I have on the Desktop. But the issue is occurring on both my iMacs, and the iPhone App, and the iPhone browser. So, I'm not sure if it would bd related to the cache?


Sent from my iPhone using Tapatalk Pro

 

[Skeptical.me]

What blocking list type are you using? If customized, post hosts list.

 1: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
 2: https://adaway.org/hosts.txt
 3: https://hosts-file.net/ad_servers.txt
 4: http://www.malwaredomainlist.com/hostslist/hosts.txt
 5: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
 6: http://sbc.io/hosts/alternates/gambling/hosts
 7: http://sbc.io/hosts/alternates/porn/hosts
 8: http://sbc.io/hosts/alternates/social/hosts
 9: https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts
 10: https://raw.githubusercontent.com/azet12/KADhosts/master/KADhosts.txt
 11: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt

This hosts file

 http://sbc.io/hosts/alternates/social/hosts

blocks Reddit, but I added every single address to the Whitelist.