Joined: 04 Aug 2018
Location: Appalachian mountains, USA
Posted: Sun Aug 18, 2019 14:29 Post subject:
[Important edit! I forgot to mention below that if you use my script, dnsmasq has to be told to use the new /tmp/badhosts file! In GUI>Services>Services, in Additional Dnsmasq Options add a line addn-hosts=/tmp/badhosts so that dnsmasq knows what to do.]
I don't know how to block WebRTC at the dd-wrt level, but https://ipleak.net gives instructions on how to block it at the browser level. I use their instructions for Firefox.
You can block ads at the dns level using adguard dns. See https://adguard.com/. It used to be available in dd-wrt through the DNSCrypt interface using the "Encrypt DNS" button in the DNSMasq section, but recent releases have removed the button. See the dns link in my signature for the workaround. Or use it without DNSCrypt by inserting their DNS-server IP addresses on the dd-wrt Basic Setup page.
While ad blocking at the level of the dns service you use is probably a better approach overall, you can actually tweak dnsmasq to block ads at the router level, also using a dns approach, though it is a bit of a kluge. Here is the script I use. I have it in the Startup code that one can install in the GUI>Administration>Commands page. However, you should first try copying it into the CLI using PuTTY. In Windows there may be issues of line endings being in the wrong format. I gather that some get around the line-endings problem using some particular mode of Wordpad? I'm not a Windows person, so perhaps someone else will shed light on this. This code is in the spirit of what's in the old dd-wrt wiki tutorial on adblocking, but it is different in the details.
The sed -E ... line is to make an exception for hulu streaming, as such streaming (at least in the US) fails without the exception. Hulu insists that its ads be seen, or it won't play at all. You can just omit that one line (and probably should, at least long enough to see whether you need it). This code does filter out any potential malicious lines (note the downloads don't have https security) of the form 22.214.171.124 yourbank.com, in case the source files have been hacked or posted with other than good intentions.
#hosts to block in dnsmasq (Alozaros 7/8/18 post in
( cd /tmp; \
touch badhosts ; \
sleep 30 ; \
( ERRA=0 ; ERRB=0 ; ERRC=0 ; \
curl -s http://winhelp2002.mvps.org/hosts.txt \
2>badhosts.log || ERRA=$? ; \
curl -s http://sbc.io/hosts/hosts \
2>>badhosts.log || ERRB=$? ; \
curl -sk https://someonewhocares.org/hosts/zero/hosts \
2>>badhosts.log || ERRC=$? ; \
echo $ERRA $ERRB $ERRC > badhosts.errcodes \
) | sed 's/\t/ /g; /^0\.0\.0\.0 /!d; s/ *\#.*$//; s/\r//' \
| sort -u \
| sed -E '/\.hulu(|ad)\./d' \
> badhosts \
) && stopservice dnsmasq && startservice dnsmasq &
Again, never ever put anything in startup commands that you have not tested in the CLI first, because to do so is to risk accidentally making the router hang with the GUI unreachable.
Here if it goes into the CLI without errors, you should look in /tmp at badhosts.log, which should be empty, and badhosts.errcodes, which should have three zeros. You can do wc -l badhosts to count the number of lines in badhosts. Should be a bit over 42,000. Do head badhosts to look at a few lines of the badhosts file and note the format. There is controversy over this method - assigning IP address 0.0.0.0 to domains - of ad blocking, but I don't have a better plan. (Anyone?) You can ping the forbidden domains in the CLI or from a computer, but if you look carefully, you'll see the returns come from 127.0.0.1, the loopback address representing dd-wrt itself. You can also, in the CLI or from a linux computer (not sure the Windows equivalent), use nslookup on any of the domains in badhosts and see that the dns system returns 0.0.0.0. Here is how it goes in the CLI:
~# cd /tmp
/tmp# cat badhosts.log
/tmp# cat badhosts.errcodes
0 0 0
/tmp# wc -l badhosts
/tmp# head badhosts
/tmp# ping 0.r.msn.com
PING 0.r.msn.com (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.067 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.062 ms
--- 0.r.msn.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.062/0.064/0.067 ms
/tmp# nslookup 0.r.msn.com
nslookup: can't resolve '(null)'
Address 1: 0.0.0.0 0.0.0.0
I note in the comment that dd-wrt guy Alozaros provided the basic method in a forum post, so this code is a spin-off of his.
Five Linksys WRT1900ACSv2's on 42926, 43904, 44048:
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (AirVPN), wireguard/PBR (AzireVPN), two DNSCrypt servers (incl Quad9) routed through OpenVPN.
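The sanitising pipeline the post describes (keep only lines already mapped to 0.0.0.0, strip comments, tabs and CRs, dedupe, drop the hulu exception) rebuilt as a shell function that can be tested offline. This is an added example, not the post's or Alozaros's script: the function names, the constructed feed and the extra hostname-syntax check are mine. Because the feeds are fetched over plain http or with curl -k, the 0.0.0.0 filter is the only integrity control on what ends up in /tmp/badhosts, so it is worth seeing exactly what it lets through. Beyond the post's pipeline this version also lowercases names before deduping, rejects a 0.0.0.0 line with no name at all, and rejects any name that is not plain hostname syntax; `(ad)?` is written in place of the post's `(|ad)` and matches the same strings. It assumes GNU or BusyBox sed/grep/sort/tr, as on dd-wrt or a Linux box.

```shell
#!/bin/sh
# Added example (not the forum post's script): the post's sanitising pipeline
# as a function over stdin, plus a hostname-syntax check the post does not do.
# Assumes GNU/BusyBox sed, grep, sort, tr. Input below is constructed, no network.

# filter_hosts: raw hosts-file text on stdin -> clean "0.0.0.0 name" lines.
# Same policy as the post: only lines that already map to 0.0.0.0 survive, so a
# tampered feed cannot point e.g. yourbank.com at some other address.
filter_hosts() {
    LC_ALL=C sed 's/\t/ /g; s/\r//; /^0\.0\.0\.0 /!d; s/ *#.*$//; s/  */ /g; s/ *$//' \
    | tr 'A-Z' 'a-z' \
    | LC_ALL=C grep -E '^0\.0\.0\.0( [a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*)+$' \
    | sed -E '/\.hulu(ad)?\./d' \
    | LC_ALL=C sort -u
}

# sample_hosts: a constructed feed (hypothetical, not a real download) mixing the
# cases the pipeline must handle: comment, trailing comment, tab + CRLF, an
# unrelated 127.0.0.1 line, a hijack attempt, a duplicate, a name with an odd
# character, the hulu exception, and an address with no name.
sample_hosts() {
    printf '# constructed sample feed, not a real download\r\n'
    printf '0.0.0.0 ads.example.com   # trailing comment\n'
    printf '0.0.0.0\tTracker.Example.net\r\n'
    printf '127.0.0.1 localhost\n'
    printf '22.214.171.124 yourbank.com\n'
    printf '0.0.0.0 ads.example.com\n'
    printf '0.0.0.0 bad$host.example\n'
    printf '0.0.0.0 ads.hulu.com\n'
    printf '0.0.0.0 metrics.huluad.net\n'
    printf '0.0.0.0 pixel.example.org\n'
    printf '0.0.0.0   \n'
}

# blocked_count: number of entries a feed yields after filtering (what the post
# checks with "wc -l badhosts").
blocked_count() {
    filter_hosts | grep -c .
}

# is_blocked NAME: exit 0 if NAME would resolve to 0.0.0.0 after filtering.
is_blocked() {
    filter_hosts | grep -q "^0\.0\.0\.0 $(printf '%s' "$1" | sed 's/\./\\./g')$"
}

# Demo: show the cleaned list and its size. On the router the cleaned output
# would be redirected to /tmp/badhosts and picked up via addn-hosts=/tmp/badhosts.
sample_hosts | filter_hosts
echo "entries: $(sample_hosts | blocked_count)"
```

On the sample feed this keeps ads.example.com, pixel.example.org and tracker.example.net (three lines), and drops the yourbank.com hijack line, the name containing `$`, both hulu entries and the bare address. To check a real download, replace `sample_hosts` with `cat /tmp/some-feed.txt` and compare `blocked_count` with what `wc -l badhosts` reports.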