Diversion [SOLVED] Diversion and DNS - What am I doing wrong?

Nexplas70

New Around Here
Been a happy Merlin user for many years. First time trying to use Diversion and it is not showing anything blocked and tests show nothing being blocked.

Installed via amtm and default config, except I switched to OISD Large.

Since I don't even know what correct question to ask, I'll just post my configs and maybe someone can tell me what I am doing wrong?

I did not have anything in LAN>DHCP>DNS Server but Diversion instructions said to set that to router IP, so I did. It is not working before or after doing that.

I did read as many of the other threads as I could find, including here - and I think I have everything set exactly as shown and it's still not working.

Only note: I do have Skynet installed and it has been working perfectly for years.

RT-AX86U on 3004.388.8_2

Thank you!
 

Attachments

  • Screenshot 2025-01-06 at 13-36-46 ASUS Wireless Router RT-AX86U - DHCP Server.png
  • Screenshot 2025-01-06 at 13-36-27 ASUS Wireless Router RT-AX86UDNS Director.png
  • Screenshot 2025-01-06 at 13-36-06 ASUS Wireless Router RT-AX86U - Internet Connection.png
  • Screenshot 2025-01-06 at 13-42-23 LAN - Diversion Ad-Blocking.png

1.) Usually the DNS Server 1 & 2 are left blank as this is set by Diversion itself.

2.) Did you restart Skynet after installing Diversion?

Try 1.) first and see if DNS is working ... then restart Skynet to ensure any changes in the config of the router are picked up.

If there are still problems please advise.
 
How do you know it’s not working? The ad counters only update twice a day.
 
As noted already, it’s not necessary to set DNS Servers under LAN | DHCP Server. DNS Director settings are also not necessary, I believe, unless you want to bypass Diversion for select clients.

To confirm things, from a shell session to the router, do a DNS lookup of some domain (e.g., dig google.com) to make sure DNS is working as expected. Then from the Diversion menu, choose “Follow DNSMASQ log”, then choose option 3 (“Follow blocked domains”), and while that is running, start a browser session in a separate window, browse some sites, and see if any red-highlighted domains start showing up in your Diversion shell session.

I hope this helps get you pointed in the right direction
 
1.) Usually the DNS Server 1 & 2 are left blank as this is set by Diversion itself.

2.) Did you restart Skynet after installing Diversion?

Try 1.) first and see if DNS is working ... then restart Skynet to ensure any changes in the config of the router are picked up.

If there are still problems please advise.

That worked! Restarting Skynet seems to have fixed it. I would have assumed a regular reboot would have accomplished the same thing but I guess not.

Thank you!


How do you know it’s not working? The ad counters only update twice a day.

You can manually ask it to update the blocked ads counter, both from the GUI and from the CLI.


As noted already, it’s not necessary to set DNS Servers under LAN | DHCP Server. DNS Director settings are also not necessary, I believe, unless you want to bypass Diversion for select clients.

To confirm things, from a shell session to the router, do a DNS lookup of some domain (e.g., dig google.com) to make sure DNS is working as expected. Then from the Diversion menu, choose “Follow DNSMASQ log”, then choose option 3 (“Follow blocked domains”), and while that is running, start a browser session in a separate window, browse some sites, and see if any red-highlighted domains start showing up in your Diversion shell session.

I hope this helps get you pointed in the right direction

I did this after restarting Skynet + Reboot and now this log is filling constantly even without needing to browse anything (damn smart TVs)

Thanks for the help!

Will mark as solved.
 
Some client devices nowadays are defaulting to DNS over HTTPS. This would bypass DNS Director.
 
I thought the "Prevent client Auto DoH" was specifically to prevent that from happening?
 
Yes, that was the idea. However, I noticed my Apple devices using DoH to Cloudflare while my DoT was Quad9 after an iOS update. I needed to find the settings and disable DoH on each device.
 
I found the following addresses that are used by Apple to provide DoH & Encrypted DNS.

You need to block the following in Diversion/Skynet or whatever you use.

mask.apple-dns.net
mask.icloud.com
mask-api.icloud.com
mask-h2.icloud.com
doh.dns.apple.com

Please advise if this works as I do not have any Apple kit to try it on !!!
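
Added example, not part of any post in this thread: a shell function that reads a dnsmasq query log and reports which LAN clients looked up the hostnames listed above and whether the router answered locally (blocked) or passed the lookup upstream. The sample log lines, client addresses and the blocklist path are constructed, and treating any answer that is not a "reply" or "cached" line as a block is an assumption about how the blocker answers.

```shell
#!/bin/sh
# Hostnames copied from the post above.
WATCHLIST="mask.apple-dns.net mask.icloud.com mask-api.icloud.com mask-h2.icloud.com doh.dns.apple.com"

# Constructed sample lines in dnsmasq's log-queries format (not from a real router).
sample_log() {
cat <<'EOF'
Jan  6 13:40:01 dnsmasq[1234]: query[A] mask.icloud.com from 192.168.50.23
Jan  6 13:40:01 dnsmasq[1234]: forwarded mask.icloud.com to 9.9.9.9
Jan  6 13:40:01 dnsmasq[1234]: reply mask.icloud.com is 192.0.2.10
Jan  6 13:40:05 dnsmasq[1234]: query[A] doh.dns.apple.com from 192.168.50.23
Jan  6 13:40:05 dnsmasq[1234]: /tmp/example-blocklist doh.dns.apple.com is 0.0.0.0
Jan  6 13:40:09 dnsmasq[1234]: query[A] google.com from 192.168.50.40
Jan  6 13:40:09 dnsmasq[1234]: forwarded google.com to 9.9.9.9
Jan  6 13:40:12 dnsmasq[1234]: query[AAAA] mask-h2.icloud.com from 192.168.50.41
Jan  6 13:40:12 dnsmasq[1234]: config mask-h2.icloud.com is NXDOMAIN
EOF
}

# Reads a dnsmasq query log on stdin; prints "client domain verdict" per pair.
doh_report() {
  awk -v watch="$WATCHLIST" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^query\[/ && ($(i+1) in want)) {
          # "query[A] <domain> from <client>": remember who asked last.
          dom = $(i+1); asker[dom] = $(i+3)
          key = asker[dom] " " dom
          if (!(key in verdict)) verdict[key] = "unanswered"
        } else if ($i == "forwarded" && ($(i+1) in asker)) {
          # Sent to an upstream resolver, so no local blocklist matched.
          verdict[asker[$(i+1)] " " $(i+1)] = "NOT-BLOCKED"
        } else if ($i == "is" && i > 2 && ($(i-1) in asker)) {
          # "<source> <domain> is <answer>": reply/cached came from upstream;
          # anything else (config, a hosts-style file) was answered locally.
          src = $(i-2); key = asker[$(i-1)] " " $(i-1)
          verdict[key] = (src == "reply" || src == "cached") ? "NOT-BLOCKED" : "blocked"
        }
      }
    }
    END { for (k in verdict) print k, verdict[k] }
  ' | LC_ALL=C sort
}

sample_log | doh_report
```

On a router, feed the function the dnsmasq log on stdin instead of `sample_log`; a NOT-BLOCKED row means that client can still reach the encrypted DNS service by name.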
 
