Diversion Diversion - the Router Ad-Blocker

[SuperDuke]

Yeah, definitely tail to log to check for domains that are tripping up the website. Remember with blocklists that sometimes less is more. The more monstrous the blocklist, the more good domains that end up being blocked. Try using Standard for the blocklist or Standard+ if you're using Skynet.

Thanks! I'm on Standard+ (using Skynet)…..tinkering will need to be done as you suggest.....sneaky buggers they are.....

 

[HairyA00]

Thank you sir.....fully understood....the script is awesome and works as intended....and clearly the websites aren't stupid; they'll bury their ad-garbage into as many sites as possible....so Diversion is doing what it's supposed to do.....

It was curious though that on my iOS devices with Safari, it ran into an issue, but on my sons laptop running Firefox, (Ubuntu) the sites came through...…

Either way.....trial and error and whitelisting etc will rule the day....thanks again for the explanation and all the awesomeness you do....

You can also try installing the pixelserv-tls certificate on your phone. Seemed to have helped me: https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

I've had issues with a few apps on my phone where the desktop is fine with pixelserv-tls running, including Android's Amazon Shopping app as well as Hulu (specifically account management). Some of these mobile apps simply do NOT like having https domains blocked.

 

[thelonelycoder]

Thank you sir.....fully understood....the script is awesome and works as intended....and clearly the websites aren't stupid; they'll bury their ad-garbage into as many sites as possible....so Diversion is doing what it's supposed to do.....

It was curious though that on my iOS devices with Safari, it ran into an issue, but on my sons laptop running Firefox, (Ubuntu) the sites came through...…

Either way.....trial and error and whitelisting etc will rule the day....thanks again for the explanation and all the awesomeness you do....

I don't know what the Apple coders did but sometimes if a link is opened in Safari (which I would uninstall if I could) it says domain unknown. Opening the same URL in iCab Mobile (the best browser for iOS IMHO) always works.
Maybe they do some similar stuff in Safari as the Google developers just did to Chrome.

 

[SuperDuke]

I don't know what the Apple coders did but sometimes if a link is opened in Safari (which I would uninstall if I could) it says domain unknown. Opening the same URL in iCab Mobile (the best browser for iOS IMHO) always works.
Maybe they do some similar stuff in Safari as the Google developers just did to Chrome.

Perfect....I will try iCab and report back to see if this also possibly solves my issue.....I can't expect I'm the only one so maybe others have the same thing.....

 

[adampk17]

Check if you have the setting "Wan: Use local caching DNS server as system resolver (default: No)" in Tools / Other Settings in the router UI.
If so, set it to "Yes".

I’m not seeing that setting.

 

[thelonelycoder]

I’m not seeing that setting.

If you did upgrade the router firmware to either 384.12 or 13 then the setting is there.
If not, check with f to see if requests go through the router. Chrome recently has received changes that actively circumvent local (your routers) DNS resolving. Another reason to remove that browser and upgrade to a better one.

 

[adampk17]

If you did upgrade the router firmware to either 384.12 or 13 then the setting is there.
If not, check with f to see if requests go through the router. Chrome recently has received changes that actively circumvent local (your routers) DNS resolving. Another reason to remove that browser and upgrade to a better one.

I did. Let me take a look again.

 

[adampk17]

I did. Let me take a look again.

Does it have something to do with the “DNS filtering” setting on my LAN ->DNS filter page? I have that set to off.

 

[HairyA00]

If you did upgrade the router firmware to either 384.12 or 13 then the setting is there.
If not, check with f to see if requests go through the router. Chrome recently has received changes that actively circumvent local (your routers) DNS resolving. Another reason to remove that browser and upgrade to a better one.

You can prevent Chrome (or any other IoT device) from circumventing your DNS settings by changing this setting:

1. Router admin page
2. LAN
3. DNSFilter
4. Enable DNS-based Filtering > On
5. Global Filter Mode > Router
6. Apply

 

[razvanu]

I think 'diversion' on my asus ac68u is "killing" my homebridge with apple home kit i've added apple.com in white list but still not working.....any info can provide?

ps: can i update router firmware without any diversion re-config fail ?

 

[thelonelycoder]

ps: can i update router firmware without any diversion re-config fail ?

Yes.

 

[dave14305]

I think 'diversion' on my asus ac68u is "killing" my homebridge with apple home kit i've added apple.com in white list but still not working.....any info can provide?

Is it in the wildcard whitelist or the regular whitelist?

 

[adampk17]

You can prevent Chrome (or any other IoT device) from circumventing your DNS settings by changing this setting:

1. Router admin page
2. LAN
3. DNSFilter
4. Enable DNS-based Filtering > On
5. Global Filter Mode > Router
6. Apply

This seemed to work, thank you. This must have been a new requirement after 384.12 or 384.13?

Follow up question. By default, when I turned this on, I had the following settings in the custom DNS:

I have the Cloudflare DNS servers on the WAN page:

Do I need to put those Cloudflare DNS servers in the Custom fields if I want to continue using them?

 

[razvanu]

Is it in the wildcard whitelist or the regular whitelist?

I've added here:
1. Add domain
and put apple.com, and then it added by itself a lot of domains, like >500 ore more

Diversion is runing on my RT-AC68U (armv7l) FW-384.12 @

 66: apple.com--------scanner.bid # apple
 67: apple.com------support.host # apple
 68: apple.com-----scanner.club # apple
 69: apple.com-analysis-safety-antimalware-support.accountant # apple
 70: apple.com-care-macbook-system.live # apple
 71: apple.com-fasting.live # apple
 72: apple.com-improve-macos.live # apple
 73: apple.com-internet-security-review.info # apple
 74: apple.com-internet-security-review.review # apple
 75: apple.com-mac-booster.live # apple
 76: apple.com-macos-clean-systems.live # apple
 77: apple.com-notice.info # apple
 78: apple.com-onlinesupport.host # apple
 79: apple.com-onlinesupport.site # apple
 80: apple.com-repair-macbook.live # apple

Seems to work right now, after restarting the homebridge server: the setup is on an iPad to work outside the local network, it acts like a hub, maybe it was just a glitch in the system

ps: just saw right now, theese domain are somehow related ti apple.com ?? they added automatically after editing the whitelist

28: 008.0x1f4b0.com # apple
 29: 008.free-counter.co.uk # apple
 30: 008.free-counters.co.uk # apple
 31: 009.0x1f4b0.com # apple
 32: 00author.com # apple
 33: 00fun.com # apple
 34: 00go.com # apple
 35: 00it.com # apple
 36: 00sexus.com # apple
 37: 00webcams.com # apple
 38: 01-photos-porno.info # apple
 39: 01-sex-amateur.info # apple
 40: 0101011.com # apple

 

[dave14305]

Do I need to put those Cloudflare DNS servers in the Custom fields if I want to continue using them?

No, those 3 custom fields are used for the Custom 1,2,3 options in the dropdown menu. But you are using Router instead so not relevant.

 

[HairyA00]

This seemed to work, thank you. This must have been a new requirement after 384.12 or 384.13?

As far as I know, this DNSFilter setting has been around for quite some time and always worked this way. This functionality was added to prevent devices from hard-coding DNS and bypassing the router's settings (or vice-versa, to filter out particular MAC addresses on your LAN from using your router's upstream servers and making special cases).

Follow up question. By default, when I turned this on, I had the following settings in the custom DNS:

Just clear out the custom fields. Setting it to "router" forces LAN devices to use the router's DNS anyway; unless you're making exceptions below, these fields can be empty or not, they will not do anything.

I have the Cloudflare DNS servers on the WAN page

Whatever you have set on this WAN page is what will be your upstream server; the DNSFilter page is for bypassing this filter. https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Filter

So no need to set Cloudflare anywhere else other than the WAN page, and on the DNSFilter page, just set it ON and Router.

On a sidenote, why not try DoT? https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

I run Cloudflare and Quad9 upstream DoT, both their primary and secondary DNS servers. Reason being, I don't want to hand all my DNS records to ONE company upstream, and let the fastest server win. I refuse to use Google's, and I am already using Cleanbrowsing Family as a DNSFilter exception for one client on my LAN. A cool feature would be Parallel DNS Resolution, where the request is sent to all your DoT servers at once, and the quickest response back would be who your router uses for that one query.

 

[dave14305]

I've added here:
1. Add domain
and put apple.com, and then it added by itself a lot of domains, like >500 ore more

Diversion is runing on my RT-AC68U (armv7l) FW-384.12 @

 66: apple.com--------scanner.bid # apple
 67: apple.com------support.host # apple
 68: apple.com-----scanner.club # apple
 69: apple.com-analysis-safety-antimalware-support.accountant # apple
 70: apple.com-care-macbook-system.live # apple
 71: apple.com-fasting.live # apple
 72: apple.com-improve-macos.live # apple
 73: apple.com-internet-security-review.info # apple
 74: apple.com-internet-security-review.review # apple
 75: apple.com-mac-booster.live # apple
 76: apple.com-macos-clean-systems.live # apple
 77: apple.com-notice.info # apple
 78: apple.com-onlinesupport.host # apple
 79: apple.com-onlinesupport.site # apple
 80: apple.com-repair-macbook.live # apple

Seems to work right now, after restarting the homebridge server: the setup is on an iPad to work outside the local network, it acts like a hub, maybe it was just a glitch in the system

ps: just saw right now, theese domain are somehow related ti apple.com ?? they added automatically after editing the whitelist

28: 008.0x1f4b0.com # apple
 29: 008.free-counter.co.uk # apple
 30: 008.free-counters.co.uk # apple
 31: 009.0x1f4b0.com # apple
 32: 00author.com # apple
 33: 00fun.com # apple
 34: 00go.com # apple
 35: 00it.com # apple
 36: 00sexus.com # apple
 37: 00webcams.com # apple
 38: 01-photos-porno.info # apple
 39: 01-sex-amateur.info # apple
 40: 0101011.com # apple

You've allowed a lot of non-Apple domains (the ones that don't END in apple.com). Probably want to remove those from the whitelist.

 

[Kingp1n]

As far as I know, this DNSFilter setting has been around for quite some time and always worked this way. This functionality was added to prevent devices from hard-coding DNS and bypassing the router's settings (or vice-versa, to filter out particular MAC addresses on your LAN from using your router's upstream servers and making special cases).



Just clear out the custom fields. Setting it to "router" forces LAN devices to use the router's DNS anyway; unless you're making exceptions below, these fields can be empty or not, they will not do anything.





Whatever you have set on this WAN page is what will be your upstream server; the DNSFilter page is for bypassing this filter. https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Filter

So no need to set Cloudflare anywhere else other than the WAN page, and on the DNSFilter page, just set it ON and Router.

On a sidenote, why not try DoT? https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

I run Cloudflare and Quad9 upstream DoT, both their primary and secondary DNS servers. Reason being, I don't want to hand all my DNS records to ONE company upstream, and let the fastest server win. I refuse to use Google's, and I am already using Cleanbrowsing Family as a DNSFilter exception for one client on my LAN. A cool feature would be Parallel DNS Resolution, where the request is sent to all your DoT servers at once, and the quickest response back would be who your router uses for that one query.

The GitHub link provided recommends to use 'Exclusive' under the OpenVPN "Accept DNS configuration"option, however, if you're using Diversion, it's recommended to disable or use strict for diversion to work properly, unless you force "all" internet thru tunnel, then you can use "Exclusive" correct? See below:

OpenVPN Clients (from https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy)

This will mostly work as before. OpenVPN clients with "Accept DNS configuration" set to "Exclusive" will still use the DNS servers provided by the VPN server, bypassing DNS Privacy. Setting DNS configuration to "Disabled" on the OpenVPN client configuration will allow it to use DNS Privacy, however note that some VPN providers will block the use of DNS servers other than their own, to protect you against leaking information by sending DNS queries outside of the tunnel. If you trust the OpenVPN server you connect to, it's usually best to leave the setting to Exclusive mode - your DNS queries are already encrypted by the VPN tunnel anyway (for all clients configured to use the tunnel).

 

[HairyA00]

The GitHub link provided recommends to use 'Exclusive' under the OpenVPN "Accept DNS configuration"option, however, if you're using Diversion, it's recommended to disable or use strict for diversion to work properly, unless you force "all" internet thru tunnel, then you can use "Exclusive" correct? See below:

OpenVPN Clients (from https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy)

This will mostly work as before. OpenVPN clients with "Accept DNS configuration" set to "Exclusive" will still use the DNS servers provided by the VPN server, bypassing DNS Privacy. Setting DNS configuration to "Disabled" on the OpenVPN client configuration will allow it to use DNS Privacy, however note that some VPN providers will block the use of DNS servers other than their own, to protect you against leaking information by sending DNS queries outside of the tunnel. If you trust the OpenVPN server you connect to, it's usually best to leave the setting to Exclusive mode - your DNS queries are already encrypted by the VPN tunnel anyway (for all clients configured to use the tunnel).

You're talking about VPN. I don't think @adampk17 was setting up his router as a VPN Client, was he?

 

[adampk17]

You're talking about VPN. I don't think @adampk17 was setting up his router as a VPN Client, was he?

No sir, not using a VPN at this point in time. Thank you both though for your assistance.