dnsmasq-surrogate for RT-BE88U: Ad Blocking & Security Enhancement

MegaMango

New Around Here
Hello everyone,

As many of you know, the Asus RT-BE88U router does not yet have Merlin firmware support. I wanted to ensure the security and privacy of my network while using the stock Asus firmware, particularly for blocking ads and malicious sites.
This led me to adopt and update a project originally developed by Tomasz Wiszkowski nearly 7 years ago: dnsmasq-surrogate.

I’ve modified and improved the original project to work on the RT-BE88U, fixing various issues and bugs along the way. Find the latest release here (github.com).

What Is dnsmasq-surrogate?

The dnsmasq-surrogate acts as an intermediary for dnsmasq, allowing you to manage additional hosts files that block ads, malicious websites, and other unwanted domains. This is similar to ad-blocking functionality, and it runs on top of the stock Asus firmware.
One of the challenges with the stock firmware is that any changes you make to the dnsmasq.conf file (for example, to add ad-blocking hosts) get overwritten by the firmware every time the dnsmasq service restarts. This makes it impossible to permanently customize dnsmasq behavior by simply editing the configuration file.

This is where surrogate comes in.
It intercepts and updates the dnsmasq.conf configuration automatically, allowing you to:
  • Add custom hosts files for ad-blocking and security.
  • Make persistent changes that won't be overwritten by the Asus firmware.
  • Control which domains are blocked and whitelisted without manually editing the config every time the service restarts.

Installation Instructions

Before you begin, you’ll need to install Entware, which provides the necessary environment for installing dnsmasq-surrogate on the stock Asus firmware.

Prerequisites:

  1. Install Entware by following the guide here: Entware on Asus Stock Firmware.
    1. Most likely you will need these opkg packages: nano, curl, tar.
  2. Run this command from the router to download the latest binary and unarchive it to the `/opt` folder:
Bash:
cd /opt && curl -L https://github.com/daniellavrushin/asus-dnsmasq-surrogate/releases/download/2.2.0/dnsmasq-surrogate-be88u-2.2.0.tar.gz | tar -zx

Once installed, dnsmasq-surrogate can feed dnsmasq with any additional hosts files, providing ad-blocking and custom DNS filtering.

Setting Up Ad Blocking

To enable ad-blocking, simply place any hosts file (such as those provided by StevenBlack) in the following directory:
Code:
/jffs/dnsmasq-surrogate/hosts/

For example, you can download StevenBlack’s adblock and fake news hosts lists using the following commands:
Bash:
curl -o /jffs/dnsmasq-surrogate/hosts/adblock.hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
curl -o /jffs/dnsmasq-surrogate/hosts/fakenews.hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts

After placing the files in /jffs/dnsmasq-surrogate/hosts/ and restarting the service, check the dnsmasq.conf for changes:
Code:
nano /etc/dnsmasq.conf

You should see something like this:
Code:
# Config file generated using dnsmasq surrogate
addn-hosts=/jffs/dnsmasq-surrogate/hosts/adblock.hosts
addn-hosts=/jffs/dnsmasq-surrogate/hosts/fakenews.hosts

After each enable/disable cycle, the application will restart the DNS service on your router. This does not mean, however, that all the hosts will automatically start working instantly: you may need to reconnect to your network or flush the DNS cache using other methods.

Extra: Automatic Hosts File Updates

For convenience, I’ve also created a simple script to automate the process of downloading and updating the blocklists:

Bash:
#!/bin/sh

# Download the updated hosts files
# (-f: on an HTTP error, fail instead of saving the error page as a hosts file)
curl -f -o /jffs/dnsmasq-surrogate/hosts/adblock.hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts || exit 1
curl -f -o /jffs/dnsmasq-surrogate/hosts/fakenews.hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts || exit 1

# Path to whitelist
WHITELIST=/jffs/dnsmasq-surrogate/whitelist

# Filter only when the whitelist exists and is not empty: with a missing
# whitelist grep fails and the hosts files would be replaced by empty files.
# The whitelist must not contain blank lines (with -F an empty pattern matches every line).
if [ -s "$WHITELIST" ]; then
    # Filter out whitelisted domains from adblock.hosts
    grep -vFf "$WHITELIST" /jffs/dnsmasq-surrogate/hosts/adblock.hosts > /tmp/adblock.hosts
    mv /tmp/adblock.hosts /jffs/dnsmasq-surrogate/hosts/adblock.hosts

    # Filter out whitelisted domains from fakenews.hosts
    grep -vFf "$WHITELIST" /jffs/dnsmasq-surrogate/hosts/fakenews.hosts > /tmp/fakenews.hosts
    mv /tmp/fakenews.hosts /jffs/dnsmasq-surrogate/hosts/fakenews.hosts
fi

# Restart dnsmasq to apply changes
service restart_dnsmasq
This script automatically updates the blocklists and removes any domains listed in your whitelist.

Whitelisting Domains

Sometimes, blocking certain domains can cause issues with services you use. For example, blocking s.youtube.com can prevent YouTube from remembering your video history. To resolve this, you can create a whitelist file:
Code:
nano /jffs/dnsmasq-surrogate/whitelist
Add domains you want to whitelist (e.g., s.youtube.com). The script will ensure that any whitelisted domains are excluded from the blocklists.

Conclusion

If you’re using the Asus RT-BE88U and want ad-blocking functionality similar to Merlin firmware, give dnsmasq-surrogate a try. You might want to try this in another BE router, but I am not sure if it will work there or not.

Please note: I’m primarily a C# developer, and this is my first experience working with C/C++ projects. I’ve done my best to adapt and improve this project for the BE88U, but there may still be some rough edges. If you encounter any issues or have suggestions, feel free to post them here.

PS

You can use this adblock test site to see the difference; in my case it is 97% blocked with all adblock extensions disabled in my browser:

[Screenshots]

speedtest.com when surrogate is off: [screenshot]

speedtest.com when it is on: [screenshot]
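As an added example (not part of the original post or the dnsmasq-surrogate project), here is a stricter alternative to the update script's `grep -vFf` filtering step. The hypothetical `sanitize_hosts` helper drops a domain only when it matches a whitelist line exactly, so whitelisting s.youtube.com does not also remove an entry such as ads.youtube.com (a constructed sample name), and it keeps only `0.0.0.0` entries so a downloaded list cannot map a name to some other address. It assumes the lists use `0.0.0.0` as the sink address, as the custom.hosts entries in this thread do.

```shell
#!/bin/sh
# Added example, not from the original post or the dnsmasq-surrogate project.
# sanitize_hosts WHITELIST INPUT  (hypothetical helper name)
# Prints a cleaned hosts list on stdout:
#   - a domain is dropped only when it equals a whitelist line exactly
#   - only "0.0.0.0 <name>" entries survive (assumed sink address), so a
#     downloaded list cannot map a name to some other IP
#   - comments, blank lines, localhost bookkeeping and malformed names are dropped
#   - a missing or empty whitelist means "filter nothing", not "empty output"
sanitize_hosts() {
    awk -v wl="$1" '
        BEGIN {
            # Load the whitelist; getline returns <= 0 if the file is missing.
            while ((getline line < wl) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t\r]/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
        }
        {
            sub(/#.*/, "")          # strip trailing comments
            sub(/\r$/, "")          # tolerate CRLF line endings
            if (NF < 2 || $1 != "0.0.0.0") next
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                if (d in allow) continue
                # require a dotted hostname that contains at least one letter
                if (d !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/ || d !~ /[a-z]/) continue
                print "0.0.0.0 " d
            }
        }
    ' "$2"
}

# Usage with the paths from the post (/tmp/adblock.raw is a hypothetical download target):
#   sanitize_hosts /jffs/dnsmasq-surrogate/whitelist /tmp/adblock.raw > /tmp/adblock.clean &&
#       [ -s /tmp/adblock.clean ] && mv /tmp/adblock.clean /jffs/dnsmasq-surrogate/hosts/adblock.hosts
```

Writing to a temporary file and moving it into place only when it is non-empty keeps a failed run from replacing a working blocklist with an empty one.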
thanks interesting I'm only blocking 80%
 
thanks interesting I'm only blocking 80%
that is because I also made my custom.hosts file

Bash:
0.0.0.0 advice-ads.s3.amazonaws.com
0.0.0.0 afs.googlesyndication.com
0.0.0.0 analytics.google.com
0.0.0.0 click.googleanalytics.com
0.0.0.0 notify.bugsnag.com
0.0.0.0 sessions.bugsnag.com
0.0.0.0 api.bugsnag.com
0.0.0.0 app.bugsnag.com
0.0.0.0 browser.sentry-cdn.com
0.0.0.0 app.getsentry.com
0.0.0.0 ads-api.twitter.com
0.0.0.0 ads-api.tiktok.com
0.0.0.0 ads-sg.tiktok.com
0.0.0.0 business-api.tiktok.com
0.0.0.0 browser.sentry-cdn.com
0.0.0.0 stats.wp.com
0.0.0.0 tools.mouseflow.com
0.0.0.0 mouseflow.com
0.0.0.0 adtech.yahooinc.com
0.0.0.0 appmetrica.yandex.ru
0.0.0.0 metrika.yandex.ru
0.0.0.0 udc.yahoo.com
0.0.0.0 udcm.yahoo.com
0.0.0.0 log.fc.yahoo.com
0.0.0.0 appmetrica.yandex.ru