It is still not working on the guest network. I copied adblockDNS and added my own. (Through LUCI firewall GUI). Here is what it added to the /etc/config/firewall. My guest network is 192.168.2.1 config redirect
option target 'DNAT'
option src 'guest'
option dest 'guest'
option proto 'tcp udp'
option src_dport '53'
option dest_ip '192.168.2.1'
option dest_port '53'
option name 'AdblockDNSGuest'
option src_port '53'
I use opendns on my router. They have a nice site www.opendns.com/welcome that tells me if I am using opendns. Here are my test scenarios. I was loading a new private browser window every time to make sure there was no caching. Here are the test results.
1.LAN connection. Get DNS server from my home router in DHCP for the client.
Test: Go to welcome site. Confirm that it is using opendns. Works as expected. PASS.
Test: Go to a known ad serving site. No ads. Works as expected. PASS.
2.LAN connection. Hard code ISP dns server in the client.
Test: Go to welcome site. Confirm that it is still using opendns. Works as expected. PASS.
Test: Go to a known ad serving site. No ads. Works as expected. PASS.
3.Guest connection. Get DNS server from my home router in DHCP for the client.
Test: Go to welcome site. Confirm that it is still using opendns. PASS.
Test: Go to a known ad serving site. No ads. Works as expected. PASS.
2.Guest connection. Hard code ISP dns server in the client.
Test: Go to welcome site. Confirm that it is still using opendns. FAIL
Test: Go to a known ad serving site. Lot of ads. FAIL
hi
i've just installed my first lede trunk (r4751) with the latest adblock 2.8.5.
i have a tp link w8970 (8MB flash, 64MB ram)
I've noticed three problems with the adblock:
if adblock is running i can't search through the software packets installer, both in luci (gives me blank results) and in opkg console (throws a running out memory error). If i suspend adblock, opkg will return to work.
if i use big lists, like the malware (16k entries), i obtain a process killed in the verbose log and the list will not be considered.
if i use the option "Force Overall Sort", my router will freeze for 30 sec and the sort process will be killed at the end. Another out of memory reason in the log.
The ram free memory available is around 20MB, so i don't know why the processes are killed.
I would prefer it if possible dnsmasq wasn't restarted as a result of period updates. This is achievable in principle, use the server=// directive instead of local=// in the files (not even sure this step is necessary), and then load all the files using the servers-file= directive.
In this case kill -HUP will reload the configuration files just fine - this will also preserve long term history about dnsmasq caching and DNS failures.
@dibdot I've been following and using your Adblock releases since you first started. Anyway, just a brief question.
With many modern routers having dual core processors and tri band wireless chips, it has got me thinking. Would it be beneficial for these devices, from a performance perspective, to have multiple instances of dnsmasq running and therefore multiple instances of filtering from your Adblock filter rules? I am thinking of home networks with multiple iPads, multiple iPhones, laptops, etc.
What are your thoughts on this?
Another thought here is having separate DNS and filtering rule sets for different networks. Example: main wireless network for the adults in the house, while a separate wireless network for the kids devices with stronger filtering rules and perhaps forcing Google Safe Search or similar.
It's the conflict between dnsmasq confdir setting in /etc/config/dhcp (list confdir '/etc/dnsmasq.d') with adblock shell, which take /tmp/dnsmasq.d as dnsmasq confdir. This do explain why many adblock users complain that dnscrypt is incompatible with adblock.
I solved this issue by using conf-file option in /etc/dnsmasq.conf to include /etc/dnsmasq.d/*.conf files to avoid conflict.
root@LEDE:~# nslookup doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find doubleclick.net: NXDOMAIN
** server can't find doubleclick.net: NXDOMAIN
there is no 'conflict' ... why did you change your configuration directory to use flash memory and not tmpfs? If you would like to use another export directory for adblock lists simply add/set 'adb_dnsdir' in global section accordingly (by default it points "/tmp/dnsmasq.d").
Hi Dave, thanks for your post!
Sadly I have no experience with multiple dnsmasq instances ... in terms of performance I doubt that a much more complex home network setup will bring any benefit - but that's just a rough guess.
Because I have to use dnscrypt-proxy to secure my DNS lookup in China. So i maintained a spoofed domain name list in flash memory, which will be resolved by encrypted dnscrypt DNS service.
I didn't realize that the confdir setting of dnscrypt is incompatible with adblock... There are a lot of dnscrypt/shadowsocks users in China changed their confdir setting just like i do to bypass Great Fire Wall. I think my experience provides them a reference for solving this problem.
Thanks for your time.
--servers-file=<file> A special case of --conf-file which differs in two respects.
Firstly, only --server and --rev-server are allowed in the configuration file included.
Secondly, the file is re-read and the configuration therein is updated when dnsmasq
receives SIGHUP.
And yes, I've tried this. Prior to using adblock I had my own set of block lists - and used --servers-file in the main .conf file to allow for modifications without restarting dnsmasq (I didn't want to lose cache statistics - but it also avoids losing leases in some cases).
I used the servers=// directive. I know the local=// directive should be synonymous, but I haven't tested this particular interaction between the two directives.
Thanks for the information. I've done a quick test and it works as described ... and you're right, only the server directive is allowed. Maybe I'll add this in a future 3.x release.
Just a quick one: adblock release 3.0 is now in trunk (see changelog in first post). Please note that this is not a "drop in" replacement - please update your default config as well. Thanks & happy blocking!
Just updated to the latest 3.0 version. I'm using DNSCrypt as a backend. However, after router reboot, Adblock DNSCrypt option is not working. I'm getting the following error: Mon Sep 11 11:15:43 2017 user.notice adblock-[3.0.0] error: 'dnscrypt-proxy' not running, DNS backend not found Mon Sep 11 11:15:43 2017 user.notice adblock-[3.0.0] error: Please check 'https://github.com/openwrt/packages/blob/master/net/adblock/files/README.md' (Lede Reboot SNAPSHOT r4707-3e6d303)
DNSCrypt is running and working as expected. I've modified DNSCrypt options as per your instructions (blacklist option added).
Adblock config file has also been updated.
This error comes up only during boot? Which startup trigger did you use? Did you compile dnscrypt-proxy with plugin support? Please post the output of:
ubus -S call service list "{\"name\":\"dnscrypt-proxy\"}" 2>/dev/
null | jsonfilter -l1 -e "@[\"dnscrypt-proxy\"].instances.*.running" 2>/dev/null
... and please post the global adblock config section and your dnscrypt-proxy settings - thanks!
The error happens on boot and every time I restart/start adblock.
Trigger used - wan.
I'm using David's build https://davidc502sis.dynamic-dns.net/index.shtml, not sure if he compiled with plugins support.
Output: false.
config global
# start dnscrypt-proxy from procd interface trigger rather than immediately in init
# if needed you can restrict trigger to certain interface(s)
list procd_trigger 'wan'
#list procd_trigger 'wan6'
config dnscrypt-proxy ns1
option address '127.0.0.1'
option port '5353'
option resolver 'soltysiak'
# enable cache may speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
option local_cache '1'
# disable IPv6 may also speed up dnscrypt-proxy, see https://github.com/jedisct1/dnscrypt-proxy/wiki/Go-faster
option block_ipv6 '1'
option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
option ephemeral_keys '0'
# more details at https://github.com/jedisct1/dnscrypt-proxy#public-key-client-authentication
# option client_key ''
list blacklist 'domains:/tmp/adb_list.overall'
Output "false" means your dnscrypt-proxy instance is not running!
Probably a chicken-and-egg problem ... dnscrypt-proxy doesn't come up with your defined (but not existing) blacklist and adblock does not run without dnscrypt-proxy backend.
Please check your logs for dnscrypt error messages (logread -e "dnscrypt").
A possible solution/workaround. Point your blacklist reference in dnscrypt-proxy to a non-volatile directory, initialize the blacklist once e.g. > /<export-dir>/adb_list.overall
and finally set 'adb_dnsdir'` in adblock config to the same directory.
