Diversion Diversion - the Router Ad-Blocker

[GregS]

What are your WAN DNS settings? LAN DHCP Server DNS settings? LAN DNSFilter settings?

What is the full output of running nslookup snbforums.com on your computer?

C:\>nslookup snbforums.com
Server: RT-AX88U-EBF8
Address: 192.168.1.1

Non-authoritative answer:
Name: snbforums.com
Addresses: 2606:4700:20::681a:842
2606:4700:20::681a:942
104.26.9.66
104.26.8.66

Since my last post things have gotten worse, no dns nor dhcp queries work while Diversion is on. I've tried disabling logging, pixelserv to no effect. So that nslookup output above is with diversion disabled and here's what it looks like with it enabled:
C:\>nslookup snbforums.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

 

[Ubimo]

Disable IPv6.

 

[dave14305]

Since my last post things have gotten worse, no dns nor dhcp queries work while Diversion is on. I've tried disabling logging, pixelserv to no effect. So that nslookup output above is with diversion disabled and here's what it looks like with it enabled:
C:\>nslookup snbforums.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

Since you have DNS Privacy enabled, I might suspect an issue with Stubby, but it seems that dnsmasq is more the issue. What output is at the end of /opt/var/log/dnsmasq.log when the nslookup starts failing? Or follow the unfiltered diversion log in ssh and run the nslookup from your pc. Looking for SERVFAIL messages or anything about problems forwarding to 127.0.1.1 (Stubby).

Another test would be to nslookup something local such as router.asus.com to see if dnsmasq is only struggling with upstream requests or even local requests. The fact dhcp won’t work suggests it’s everything.

What block list do you use in Diversion?

 

[Andy1932]

I'm seeing an odd issue on my RT-AX88U, after awhile no DNS requests get resolved. nslookup from any client on the network will time out, following the dnsmasq log shows no queries. If I disable diversion then DNS resolution starts working again, enable and it stops again. A reboot will resolve the issue so dns will work while diversion is enabled; but the issue will return days later.
Any ideas what could be wrong? Or what I should check on the next time this happens. I did force a diversion update during the last issue but that didn't help.

For background I have been using Diversion for a few years on an AC68U and only recently upgraded to an AX88U as repeated requests to pixelserv from my ShieldTV kept overloading the router. I'm using the Standard+ blocking list. I'm using v384.15_0 of Merlin's firmware.

This happens to me, too. 86u.

 

[juched]

View attachment 22254
View attachment 22255
View attachment 22256

C:\>nslookup snbforums.com
Server: RT-AX88U-EBF8
Address: 192.168.1.1

Non-authoritative answer:
Name: snbforums.com
Addresses: 2606:4700:20::681a:842
2606:4700:20::681a:942
104.26.9.66
104.26.8.66

Since my last post things have gotten worse, no dns nor dhcp queries work while Diversion is on. I've tried disabling logging, pixelserv to no effect. So that nslookup output above is with diversion disabled and here's what it looks like with it enabled:
C:\>nslookup snbforums.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

Curious while this is failing if you see any high cpu usage from a process, or high NIC usage. It should show at the top of the top output how much is idle.

I wonder if something is spamming your network causing your router to stave out DNS responses.

 

[GregS]

Disable IPv6.

On the Router in the IPV6 section it's already disabled. I disabled it on my windows machine, but nslookup still returns ipv6 addresses. Is there anywhere else I need to look?

 

[GregS]

Since you have DNS Privacy enabled, I might suspect an issue with Stubby, but it seems that dnsmasq is more the issue. What output is at the end of /opt/var/log/dnsmasq.log when the nslookup starts failing? Or follow the unfiltered diversion log in ssh and run the nslookup from your pc. Looking for SERVFAIL messages or anything about problems forwarding to 127.0.1.1 (Stubby).

Another test would be to nslookup something local such as router.asus.com to see if dnsmasq is only struggling with upstream requests or even local requests. The fact dhcp won’t work suggests it’s everything.

What block list do you use in Diversion?

Looking through dnsmasq.log1, which is 17mb, I can see last nights testing where I was using 'nslookup microsoft.com' there were numerous SERVFAIL messages, like:
Mar 28 18:27:01 dnsmasq[9960]: query[AAAA] microsoft.com from 192.168.1.2
Mar 28 18:27:01 dnsmasq[9960]: forwarded microsoft.com to 127.0.1.1
Mar 28 18:27:02 dnsmasq[9960]: reply error is SERVFAIL

This is typically only after I'm turning things off/on to try to fix it. When it initially breaks the log won't show much at all, no odd errors or anything out of the ordinary right before it. It's as if the requests stop making it to that level. And for the times I turn it on/off and get back to that state then the last few lines are just the startup:
Mar 28 17:30:31 dnsmasq[19094]: started, version 2.80-114-ge40d8be cachesize 1500
Mar 28 17:30:31 dnsmasq[19094]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC no-ID loop-detect no-inotify no-dumpfile
Mar 28 17:30:31 dnsmasq[19094]: warning: interface pptp* does not currently exist
Mar 28 17:30:31 dnsmasq-dhcp[19094]: DHCP, IP range 192.168.1.100 -- 192.168.1.250, lease time 1d
(Due to a Cloudflare security block I had to replace the slashes with spaces below):
Mar 28 17:30:31 dnsmasq[19094]: read etc hosts - 5 addresses
Mar 28 17:30:36 dnsmasq[19094]: read opt share diversion list blockinglist - 27337 addresses
Mar 28 17:30:36 dnsmasq[19094]: read opt share diversion list blacklist - 0 addresses
Mar 28 17:30:36 dnsmasq[19094]: read etc hosts.dnsmasq - 0 addresses
Mar 28 17:30:37 dnsmasq[19094]: using nameserver 127.0.1.1#53

I use the Standard blocklist and then enabled Plus hosts after installing Skynet so in Diversion it shows: Standard+

I'll try router.asus.com next time it happens. DNS Privacy is not that important to me, would disabling it be a good option to try next?

 

[GregS]

Curious while this is failing if you see any high cpu usage from a process, or high NIC usage. It should show at the top of the top output how much is idle.

I wonder if something is spamming your network causing your router to stave out DNS responses.

CPU used to be the first thing I checked as it was common whenever my old AC68U showed issues (w/pixelserv) that it'd have high cpu but on the AX88U I've never seen high sustained use; 0-3% is typical. RAM is typically only 75% utilized, it's rare I've even seen the swap file get used. How would I check NIC usage? General traffic (via SNMP) looks fine, I've not seen any correlation between overall network load and this issue. On many occasions it's happened in the middle of the night, waking me up from various alerting systems I have.

 

[Wrkdbf_Guy]

@Wrkdbf_Guy if trying to format it once again proves ineffective, just use/buy a different USB drive.

Thanks @L&LD. A second reformat of the USB device did the trick. Diversion Standard and all it's required tools are now installed and running.

 

[dave14305]

DNS Privacy is not that important to me, would disabling it be a good option to try next?

It would remove the dependency of dnsmasq on Stubby to isolate.

 

[juched]

CPU used to be the first thing I checked as it was common whenever my old AC68U showed issues (w/pixelserv) that it'd have high cpu but on the AX88U I've never seen high sustained use; 0-3% is typical. RAM is typically only 75% utilized, it's rare I've even seen the swap file get used. How would I check NIC usage? General traffic (via SNMP) looks fine, I've not seen any correlation between overall network load and this issue. On many occasions it's happened in the middle of the night, waking me up from various alerting systems I have.

Run “top” in a terminal. It shows at the top the categories of use. I have seen an issue where NIC went very high and caused other issues.

 

[juched]

It would remove he dependency of dnsmasq on Stubby to isolate.

Agree, remove stubby and see if you can reproduce.

 

[Xsvrg]

I installed diversion and set the DNS server in my computers network adapter to the routers address.

Is it recommended to add an upstream DNS server like 8.8.8.8 in the webui when using diversion?

 

[L&LD]

@Xsvrg, umm, what DNS server did you set exactly?

 

[Xsvrg]

@Xsvrg, umm, what DNS server did you set exactly?

192.168.1.1 in my windows adapter (the router address).

 

[L&LD]

No need to do that. That isn't your DNS provider anyway.

 

[Xsvrg]

No need to do that. That isn't your DNS provider anyway.

Diversion clearly states in the FAQ you need to do that to make it work https://diversion.ch/faq-reader/diversion-is-installed-and-i-still-see-ads.html

 

[L&LD]

Did you notice the date of that link?

Last update on 2018-10-10 by thelonelycoder.

I've never had to do that and Diversion blocks ads for all my devices and for any of my customers that wanted to install/try it too.

 

[Xsvrg]

Did you notice the date of that link?



I've never had to do that and Diversion blocks ads for all my devices and for any of my customers that wanted to install/try it too.

I just tested it without doing that, and it didn't block ads on forbes.com and businessinsider.com. After changing that setting the ads were blocked. Idk what to tell you

 

[jsbeddow]

I think that Xsvrg is saying that he had to do that because be has hardcoded the DNS servers for his network adapter settings (under the Windows/TCP properties tab, and likely set a fixed/static address), rather than relying on DHCP from the router. This works too, but wouldn't be necessary if using DHCP from the router. To each his own...