Posted: Fri Jan 14, 2022 13:36 Post subject: [Solved] Ad Blocking for "dummies".
Hi!
Here's a question from a ddwrt-newbie.
I have read about Ad Blocking in the wiki, https://wiki.dd-wrt.com/wiki/index.php/Ad_blocking. And that looks really great instead of having adblocksaddons in the webbrowsers and there's no adblock for iPhones as far as I know.
I see many question/answers in the forum about Ad Blocking and I wounder, which is the newest/best/most-up-to-date script a newbie like me should use? My router(ASUS RT-AC66U) have v3.0-r47745 giga (12/04/21 installed.
Last edited by thoase on Mon Jan 17, 2022 15:16; edited 1 time in total
There are quite a few scattered around the forum. As far as the ones in the wiki, the problem there is that they're quite old, and depend on the older wget utility (rather than curl), which in many cases still doesn't support TLS (e.g., my own ASUS RT-AC68U). And as time has gone by, many of these blacklisting sites have moved from http to https. Plus, there are quite a few other blacklisting sites besides the one(s) typically referenced, some of which now block cryptomining and other annoyances. I don't even know if the urls referenced are current.
FWIW, I have my own script. The urls it uses are based on those found in FT (FreshTomato) 2021.7, so it should be reasonably current. If you use ALL the urls, you'll come close to 240,000 unique domains! Realize the longer the list, the more processing demands it places on DNSMasq.
There are quite a few scattered around the forum. As far as the ones in the wiki, the problem there is that they're quite old, and depend on the older wget utility (rather than curl), which in many cases still doesn't support TLS (e.g., my own ASUS RT-AC68U). And as time has gone by, many of these blacklisting sites have moved from http to https. Plus, there are quite a few other blacklisting sites besides the one(s) typically referenced, some of which now block cryptomining and other annoyances. I don't even know if the urls referenced are current.
FWIW, I have my own script. The urls it uses are based on those found in FT (FreshTomato) 2021.7, so it should be reasonably current. If you use ALL the urls, you'll come close to 240,000 unique domains! Realize the longer the list, the more processing demands it places on DNSMasq.
There are quite a few scattered around the forum. As far as the ones in the wiki, the problem there is that they're quite old, and depend on the older wget utility (rather than curl), which in many cases still doesn't support TLS (e.g., my own ASUS RT-AC68U). And as time has gone by, many of these blacklisting sites have moved from http to https. Plus, there are quite a few other blacklisting sites besides the one(s) typically referenced, some of which now block cryptomining and other annoyances. I don't even know if the urls referenced are current.
FWIW, I have my own script. The urls it uses are based on those found in FT (FreshTomato) 2021.7, so it should be reasonably current. If you use ALL the urls, you'll come close to 240,000 unique domains! Realize the longer the list, the more processing demands it places on DNSMasq.
Two questions:
- At https://pastebin.com/aySi7RhY I can read the comment "version: 3.0.0, 15-jan-2022". Does that mean that you are updating the script now and then?
- What exactly does the cronjob do?
- At https://pastebin.com/aySi7RhY I can read the comment "version: 3.0.0, 15-jan-2022". Does that mean that you are updating the script now and then?
Yes. Just depends on whether I happen to find a bug, decide I want to enhance it, or in this particular case, whether the URLs need updating (which is why you see a very recent update; I hadn't updated in quite some time until you asked about these types of scripts).
Quote:
- What exactly does the cronjob do?
The script is installed as a autostarting startup script. IOW, when the system sees the script, it knows to execute it during the bootup process. And that's always necessary since the blacklist is NOT persistent across a reboot. The purpose of the cronjob (i.e., scheduled task) is to allow updating of the blacklist on a periodic basis (every 4 hours, once a day, once a week, whatever you prefer), since the contents of these URLs are updated quite frequently. But the cronjob is optional. If you're happy w/ relying on whatever is established on the blacklist following a reboot, you can just leave it at that.
Glad I thoroughly read this (and it's links) ...
When DNS IP blocking 1st appeared years and years ago it used 0.0.0.0 for redirection. Appx 10-15 yrs later it changed to 127.0.0.1 for efficiency. And now it's back to 0.0.0.0 again due to a Windows update. _________________ Current: Netgear R9000 DD-WRT v3.0-r55460 std (03/25/24)
Retired: Linksys WRT32X r39296, TP-Link Archer C7 v2, LinkSys WRT54G v5
Posted: Fri Apr 08, 2022 18:40 Post subject: how to troubleshoot
Hi all,
I found this great article and followed all the steps on my Netgear R-7000 with dd-wrt v3.0-r46329.
I enabled jffs2 -> 68 mb free space, next
I enabled syslogd, follow by starting a cmd and
executing curl -kLs bit.ly/ddwrt-installer|tr -d '\r'|sh -s aySi7RhY startup. The output is 'info: script installed: /jffs/etc/config/ddwrt-blacklist-domains.startup'.
I then added 'addn-hosts=/tmp/blacklisted_domains' to the dnsmasq options -> /tmp contains the file 'blacklisted_domains'. When I open it it says 'blacklisted_domains 1/61192 0%'.
After that I set the cron job and rebooted.
Now 2 hours later I still get ads in youtube app on my Samsung TV.
The syslog shows
Apr 8 20:42:50 DD-WRT user.notice ddwrt-blacklist-domains[2147]: info: total blacklisted domains: 61192
Apr 8 20:42:51 DD-WRT daemon.info dnsmasq[1259]: read /tmp/blacklisted_domains - 61192 addresses
So that seems fine.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Apr 08, 2022 19:45 Post subject:
That's some ancient CVE here and there build you have there, also unsupported. Meaning dont ask for help with that build, bugs have been fixed, patches have been added kernels upgraded, libraries updated, and no fixes will go into that build.
r46329 is nearly a year old, many security issues have been patched since then, IMO you should be upgrading your DD-WRT every month (minimum) and nvram resetting once a year (minimum) and re-configuring from scratch.
Dont forget to nvram reset, nvram version is now superior and much changed since then.
Joined: 16 Nov 2015 Posts: 6435 Location: UK, London, just across the river..
Posted: Sat Apr 09, 2022 8:05 Post subject:
some smart devices(TV, tablets and ect.), have their own DNS baked and they use it instead of your router DNS and they go around the ad blocker...in this case you have to use forced DNS settings (from basic set up page)...moreover youtube ads are very difficult to avoid this days, as they are made up against adblocker tricks...so, some of them are blended in...
if you do a deep search in the DDWRT forum, you will find some ad blockers that are more efficient for youtube _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Sat Apr 09, 2022 10:16 Post subject:
Youtube ads are gone in a regular browser using ublock origin desktop side and android side the same (Firefox + ublock origin, as Chrome on android doesn't support addons afaik), I see no ads for sure in that scenario, while using the YouTube app (on e.g.my phone android 11) most of the content is flooded with ads. Smart TV's official YouTube apps will again have different protections to ensure you cant do way with ads, so consider the alternative of using a browser with ublock origin on TV if at all possible.
Smart TV's indeed do their own thing, TBH I dont own any Smart TV's because I dont think their particularly smart at anything, just a security breach waiting to happen like becoming part of some botnet, If I owned one I would block WAN access to them and upgrade the FW manually, since their OS's/FW are developed by companies who dont care and as part of their planned obsolesce nonsense.
So try indeed to force DNS way with a DNS that blocks such ads.
Also on Router you would need to check the option to ignore WAN DNS, with a bit of luck, then it would use the routers Static DNS (you would need to add some DNS entries there on routers setup page) and test and see if then the situation persists.
Another option would be to root the smart TV and alter these DNS servers, but this is something advanced and root would need to be disabled after changing files, and process rinsed and repeated after each smart TV FW upgrade. But this wont make any difference to Youtube app for instance.
On regular android its possible to define own DNS, Im unsure what the situation is these days with modern smart TV OS, which is android TV based (in some cases or it was, idk if its changed), still could be a custom offshoot as opposed to regular phone android OS, that doesn't have certain features like ability to define own DNS.
I think only LG (WebOS) and Samsung use their own OS's at least it was so in the past.
Again old information I use to know on who used android AOSP were: B&O, Hisense, Haier, Iris, Philips. LeEco, Sharp, Sony, TCL, Toshiba, Grundig and Beko.
Who knows, see what your TV is running but dont trust it for security in any cases.
