uiDivStats 3.x

I am running fully updated Merlin 386.4 on an AX86U with Diversion and uiDivStats. I have an issue in that Blocked Domains on the Diversion tab (correct) does not match Domains currently on blocklist (it is doubled for some odd reason) on the uiDivStats tab. How can I fix this?

Diversion must be counting all the IPv6 address blocks too (the A and the AAAA). Basically it is double-counting them.

Some requests will do both an A and an AAAA lookup; instead of counting A some.bogus.ad.com and AAAA some.bogus.ad.com as one blocked domain, it must be counting the number of blocked queries, whether A or AAAA, whereas uiDivStats does not do this? @Jack Yaz
 
Thank you for the quick reply. I recently chose to Disable forced IPv6 entries in my Diversion config. It didn't occur to me that might be the cause. It now is blocking those sneaky AAAA queries. I guess you are correct and I am seeing a side effect of that configuration change. I think Diversion has the correct parsed number of blocked domains, 606,285. I have IPv6 disabled through a kernel parameter on my computers and in the router configuration (GUI).
 
From my understanding, AAAA requests can still travel via IPv4, so I am not sure there is a true way of eliminating it.
 
I think iptables can block it. It is the same way I learned from another thread to block RR type 65. It uses a combination of qtype and qclass in the hex string.

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m comment --comment "DNS_Type_AAAA" -m string --hex-string "|00001c0001|" --algo bm -j REJECT
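As an added example that is not part of this thread, the Python below models what the rule's `--hex-string "|00001c0001|"` match actually tests: a raw substring search over the packet bytes, set beside a proper parse of the DNS question section of the same packet. All queries are constructed inline, and the type-65 pattern is derived the same way the AAAA one is.

```python
import struct

# Bytes from the rule above: qname terminator (00), qtype AAAA = 28 (001c), qclass IN (0001).
AAAA_PATTERN = bytes.fromhex("00001c0001")
# The same construction for RR type 65 (HTTPS): 65 = 0x41.
TYPE65_PATTERN = bytes.fromhex("0000410001")

def build_query(labels, qtype, txid=0x1234):
    """Constructed DNS query (12-byte header + one question); labels is a list of raw label bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN

def hex_string_match(payload, pattern):
    """Model of `-m string --hex-string ... --algo bm`: a plain substring search over the packet."""
    return pattern in payload

def parse_question(payload):
    """Walk the question section the way a resolver does; returns (qname, qtype, qclass)."""
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length])
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return b".".join(labels).decode("latin-1"), qtype, qclass

def classify(payload):
    """Compare the rule's substring heuristic with the parsed qtype of the same packet."""
    _, qtype, qclass = parse_question(payload)
    return {"string_match_aaaa": hex_string_match(payload, AAAA_PATTERN),
            "parsed_is_aaaa": qtype == 28 and qclass == 1}

if __name__ == "__main__":
    host = [b"some", b"bogus", b"ad", b"com"]  # constructed name taken from the thread
    cases = [("A", build_query(host, 1)),
             ("AAAA", build_query(host, 28)),
             ("HTTPS/65", build_query(host, 65)),
             # A-type query whose first label consists of the pattern bytes (wire labels may be binary).
             ("A, pattern inside label", build_query([b"\x00\x00\x1c\x00\x01", b"example"], 1))]
    for name, pkt in cases:
        print(f"{name:24s} type65={hex_string_match(pkt, TYPE65_PATTERN)} {classify(pkt)}")
```

The last constructed case shows the substring heuristic firing on an A query whose label bytes happen to equal the pattern, so treat the rule as a coarse filter rather than a type check. Because it matches `-p udp` only, a client that retries the same lookup over TCP is not covered by it.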
 
Or we can enforce IPv6 DNS for those users that do use IPv6.

Code:
#!/bin/sh
# Replicate the DNSFilter "Router" rules for IPv6 using the Entware ip6tables binaries.
# Only act when Entware is present, DNSFilter global mode is Router (11) and the DHCP DNS server is left at the router.
if [ -d "/opt/sbin" ] && [ "$(nvram get dnsfilter_mode)" = "11" ] && [ -z "$(nvram get dhcp_dns1_x)" ]; then
    # Install the Entware netfilter userland and bind-mount it over the firmware copies.
    opkg install iptables iptables-restore iptables-save ip6tables ip6tables-restore ip6tables-save xtables-multi conntrack ebtables arptables >/dev/null 2>&1
    for mts in iptables iptables-restore iptables-save ip6tables ip6tables-restore ip6tables-save xtables-multi conntrack ebtables arptables; do
        mount -o bind /opt/sbin/${mts} /usr/sbin/${mts}
    done
    # Recreate the DNSFILTER nat chains for both address families.
    iptables -t nat -F DNSFILTER && iptables -t nat -X DNSFILTER
    iptables -t nat -N DNSFILTER
    ip6tables -t nat -F DNSFILTER && ip6tables -t nat -X DNSFILTER
    ip6tables -t nat -N DNSFILTER
    # Recreate the DoT (port 853) filter chains in the filter table.
    for filter in DNSFILTER_DOT; do
        iptables -F $filter && iptables -X $filter
        iptables -N $filter
        ip6tables -F $filter && ip6tables -X $filter
        ip6tables -N $filter
    done
    # Drop the firmware's own IPv6 mangle-table DNSFilter chains so they do not compete with ours.
    for filter in DNSFILTERF DNSFILTERI DNSFILTER_DOT; do
        ip6tables -t mangle -F $filter && ip6tables -t mangle -X $filter
    done
    # Collect the MAC addresses of clients with a per-device rule of "0" (no filtering) across all rulelist nvram slots.
    for i in 0 1 2 3 4 5; do
        [ "$i" = "0" ] && NVARS="$(nvram get dnsfilter_rulelist | sed 's/>0/<>/g;s/<>/ /g;s/^[ \t]*//;s/[ \t]*$//')"
        [ "$i" != "0" ] && NEXT_NVARS="$(nvram get dnsfilter_rulelist${i} | sed 's/>0/<>/g;s/<>/ /g;s/^[ \t]*//;s/[ \t]*$//')"
        [ -n "$NEXT_NVARS" ] && NVARS="$NVARS $NEXT_NVARS"
    done
    # Delete any previous copy of each rule first, then insert it, so the script is safe to re-run.
    for VAR in -D -I; do
        iptables -t nat $VAR PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
        iptables -t nat $VAR PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
        ip6tables -t nat $VAR PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
        ip6tables -t nat $VAR PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
        iptables $VAR FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
        ip6tables $VAR FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
        # Redirect all LAN DNS to the router itself (v4 LAN address, v6 router address).
        iptables -t nat $VAR DNSFILTER ! -s $(nvram get lan_ipaddr)/32 ! -d $(nvram get lan_ipaddr)/32 -j DNAT --to-destination $(nvram get lan_ipaddr)
        ip6tables -t nat $VAR DNSFILTER ! -s $(nvram get ipv6_rtr_addr)/128 ! -d $(nvram get ipv6_rtr_addr)/128 -j DNAT --to-destination $(nvram get ipv6_rtr_addr)
        # Reject DoT to anything other than the router, so clients cannot bypass the redirect.
        iptables $VAR DNSFILTER_DOT ! -d $(nvram get lan_ipaddr)/32 -j REJECT --reject-with icmp-port-unreachable
        ip6tables $VAR DNSFILTER_DOT ! -d $(nvram get ipv6_rtr_addr)/128 -j REJECT --reject-with icmp6-port-unreachable
        # Exempt the unfiltered clients collected above.
        if [ -n "$NVARS" ]; then
            for MAC_ADDR in $NVARS; do
                iptables -t nat $VAR DNSFILTER -m mac --mac-source $MAC_ADDR -j RETURN
                iptables $VAR DNSFILTER_DOT -m mac --mac-source $MAC_ADDR -j RETURN
                ip6tables -t nat $VAR DNSFILTER -m mac --mac-source $MAC_ADDR -j RETURN
                ip6tables $VAR DNSFILTER_DOT -m mac --mac-source $MAC_ADDR -j RETURN
            done
        fi
    done
fi

This effectively takes the DNSFilter rules (set to Router, with DHCP selected at router) and replicates them for IPv6 as well.
Some things to consider when using this script:
  1. It probably only supports kernel 3+ or better routers (probably kernel 4+).
  2. It only works if DNSFilter is set to Router (it could be modified for other filters, but that is for the user to determine).
  3. It requires Entware.
  4. It probably requires the latest Merlin firmware.
 
