Posted: Sun Jan 22, 2023 15:56 Post subject: Forced DNS Redirection DoT
What does this setting (Setup -> Basic Setup) do VS the one without DoT? I am trying to implement ad blocking using dnsmasq and forced DNS and it is working on some devices (PC, Android smart phone), but fails on LG TV and Android Tablets. So basically trying to troubleshoot why it won't work on those devices ..
@egc Can't say I understand fully everything described in that document, networking is not my strength. So enabling "Forced DNS Redirection DoT" did nothing to help with the ad blocking. I have verified both the Android tablets and TV are using my router as DNS i.e. 192.168.1.1, so all DNS requests should be going through the router, right? I've basically used this approach for blocking the ads urls: https://blog.adamzolo.com/ad-blocking-with-ddwrt/. The list of URLS to block:
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sun Jan 22, 2023 19:55 Post subject:
There are many different scripts for ad-blocking..some very efficient, some not, some even dangerous...
-that list of URLs ... some of those lists are the same and their lists come from the same source, so make sure your ad-blocking script will sed and skip those lines that are the same/repeated and will build an accurate list...
-some old ad-blocking scripts will parse the first address to your local address, that is usually 0.0.0.0, you can check with netstat -pla
-some ad-blockers use jffs so the list is made on the usb instead of in the ram (/tmp)..so you won't run out of router ram
-bear in mind ultra long list with zillion URL will slow down router performance...
-on some routers there is privoxy https://en.wikipedia.org/wiki/Privoxy which could be used as an adblocker..
-most of the decent public DNS providers(quad9, NextDNS, Ad-guard) already have those lists and block ads & malware...you just have to use those DNS servers...
-some ad blockers use wget, some curl, and wget in DD-WRT does not support https sites...where curl does...supports ftp, http, https, but it's not present on all routers...
I used to use a few URLs and now I use only one... http://sbc.io/hosts/hosts which has them all...kind of..
Here is the old ad-blocking script I use (add it to the custom script and then call it from the startup script)
to be able to call the custom script, add those lines to start up script...
sleep 5
sh /tmp/.rc_custom &
......
in general the forced DNS option forces all devices on the network to use the router's DNS no matter what..
and this could become a trouble for some devices with hardcoded DNS as they will want to connect
via their DNS...so, the only way to make those work is to point them to whatever DNS you use via iptables commands
save those to firewall script
iptables -t nat -I PREROUTING -s 192.168.1.103 -p udp --dport 53 -j DNAT --to 9.9.9.9
192.168.1.103 is an example, let's say the IP of your TV ...so, give it a static lease in the GUI and give it whatever DNS you use at the iptables line...9.9.9.9 is (quad9 DNS)
forced DoT - must mean that devices which try to use encrypted DNS over TLS will be blocked...and forced to use the forced DNS instead.. I haven't used that option yet ...
as egc advised, depending on your router model, you can use IPset to make your own IPset block list, as IPset is much faster and versatile...have a good read on his guides from the link he provided...those are well maintained and updated...usually
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
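The per-device exception above (a hardcoded-DNS TV DNATed to Quad9 so it keeps working under Forced DNS Redirection), as an added shell example that is not code from the post or from DD-WRT. It emits the post's UDP rule together with its TCP counterpart, since DNS also runs over TCP port 53 (large answers, DNSSEC, some smart TVs) and a UDP-only DNAT leaves those queries un-redirected. It prints the iptables commands rather than applying them, so it can be checked off the router; the validation helper and the device/DNS addresses are the post's example values, the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build the DNS exception rules for a
# DD-WRT firewall script. Prints the commands; on the router, pipe into sh.

# is_ipv4 ADDR: true if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digits, empty octet, edge dot
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# dns_exception_rules DEVICE_IP UPSTREAM_DNS
# Emits nat/PREROUTING rules sending DEVICE_IP's port-53 traffic (UDP and
# TCP) to UPSTREAM_DNS. "-I" inserts at the head of the chain, ahead of the
# redirect rules the Forced DNS option installs, so the exception wins for
# that one host while every other device still lands on the router's dnsmasq.
dns_exception_rules() {
  dev=$1; up=$2
  is_ipv4 "$dev" && is_ipv4 "$up" || return 1
  for proto in udp tcp; do
    printf 'iptables -t nat -I PREROUTING -s %s -p %s --dport 53 -j DNAT --to %s\n' \
      "$dev" "$proto" "$up"
  done
}

# the post's example: the TV on a static lease at 192.168.1.103, sent to Quad9
dns_exception_rules 192.168.1.103 9.9.9.9
```

Give the device a static lease first, as the post says; if its address changes, the exception silently stops matching and the device falls back to fighting the forced redirect.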
@Alozaros thanks for the suggestions! I've verified that my script works, but I guess the url lists just do not contain the correct urls to block youtube ads which was my main goal. I've looked at Privoxy initially before resorting to scripts and couldn't figure out how to use it as a blocker. It has a Whitelist field instead of Blacklist?!? Can you point me to a thread/page where it's explained how to use it for newbies?
Anyway, as I mentioned my goal is youtube ads, so if it can't be done, then not much point for me in having any urls blocked.
Back in the day I tried/used the Yamaraj script and it was very versatile...(solid)
Nowadays I'm using a browser adblocker and happy days..if you do YTB on the TV then you'd need a router script...and if you look through youtube developers' eyes, they will give mothers and daughters to prevent those scripts and still parse the ads inside the stream...so cats and dogs game...
Also as another solution you can stream youtube on your TV via PC/laptop and then on the browser level use uBlock Origin and happy days...
Happy reading...
p.s. at the end of the day you may get surprising results...
@Alozaros Thanks again! Yeah, at the end of the day I combined around 15 lists of these URLs and my kids complained they cannot post FB comments, I couldn't open my bank website and other surprising results. Fun times
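The list handling Alozaros describes in the first reply (the same hosts repeated across lists, entries prefixed with 0.0.0.0 or 127.0.0.1, list size against router RAM) and the over-blocking reported just above, as an added shell example that is not code from the thread, from DD-WRT or from any of the linked scripts. It merges hosts-format lists into one deduplicated dnsmasq config and takes an allowlist of hostnames that must never be sinkholed (the bank site case); the allowlist is this example's addition, and the sample lists are constructed, not real block lists. It uses only tr, sed, awk and sort, which BusyBox on DD-WRT provides.

```shell
#!/bin/sh
# Added example (not from the thread): merge hosts-format block lists into a
# deduplicated dnsmasq config, with an allowlist for hosts that must stay reachable.

# merge_hosts [ALLOWED_HOST ...]
# stdin: concatenated hosts files (0.0.0.0/127.0.0.1 style, comments, CRLF ok)
# stdout: one "address=/host/0.0.0.0" line per unique hostname, sorted
merge_hosts() {
  allow="$*"
  tr -d '\r' |                  # some lists are served with CRLF line endings
  sed -e 's/#.*$//' |           # drop full-line and trailing comments
  awk -v allow="$allow" '
    BEGIN {
      n = split(allow, a, " ")
      for (i = 1; i <= n; i++) skip[tolower(a[i])] = 1
      # every hosts file carries these; sinkholing them breaks the device itself
      skip["localhost"] = 1; skip["localhost.localdomain"] = 1; skip["local"] = 1
      skip["broadcasthost"] = 1; skip["ip6-localhost"] = 1; skip["ip6-loopback"] = 1
    }
    # only accept lines whose first field is one of the sinkhole addresses;
    # anything else (stray text, real host mappings) is ignored
    $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
      for (i = 2; i <= NF; i++) {
        h = tolower($i)                  # DNS names are case-insensitive
        if (h in skip || h in seen) continue
        seen[h] = 1                      # same host from two lists -> one rule
        print "address=/" h "/0.0.0.0"
      }
    }' |
  LC_ALL=C sort
}

# count_rules [ALLOWED_HOST ...]: number of rules the merged list would load,
# to size it against router RAM before pointing dnsmasq at it
count_rules() { merge_hosts "$@" | wc -l | tr -d ' '; }

# sample_input: two constructed lists with overlap, mixed case, a trailing
# comment, a junk line, a CRLF line and an entry that over-blocks a bank
sample_input() {
  cat <<'EOF'
# constructed sample list A (not a real block list)
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
# constructed sample list B, overlaps with A and over-blocks a bank
0.0.0.0 ads.example.com
0.0.0.0 banner.example.org metrics.example.org
0.0.0.0 bank.example.com
this line is not a hosts entry
EOF
  printf '0.0.0.0 tracker.example.net\r\n'
}

# usage: merge the sample, keeping the bank reachable
sample_input | merge_hosts bank.example.com
```

On the router, feed the downloaded lists in instead of sample_input, write the output to a file under /jffs (or /tmp, lost at reboot) and load it with conf-file=/path/to/adblock.conf in the Additional DNSMasq Options, then restart dnsmasq. When a site breaks, add its hostname to the allowlist arguments and regenerate rather than hand-editing the output.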
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Mon Jun 05, 2023 10:30 Post subject:
correct! But you should test it first, don't go on production until you confirm it is working...
nDPI filters can have false positives sometimes... and another thing, nDPI on the PREROUTING chain adds load on the CPU...