Forced DNS Redirection DoT

DD-WRT Forum Index -> Broadcom SoC based Hardware
silveria
DD-WRT Novice


Joined: 13 Jan 2023
Posts: 32

Posted: Sun Jan 22, 2023 15:56    Post subject: Forced DNS Redirection DoT
What does this setting (Setup -> Basic Setup) do vs. the one without DoT? I am trying to implement ad blocking using dnsmasq and forced DNS, and it is working on some devices (PC, Android smartphone) but fails on the LG TV and Android tablets. So basically I'm trying to troubleshoot why it won't work on those devices ..


Attachment: dns.png


egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sun Jan 22, 2023 16:12
The IPSET guide has a paragraph about this: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1222209#1222209

Your clients can have hard-coded DNS addresses

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sat Jan 28, 2023 17:49; edited 2 times in total
silveria
DD-WRT Novice


Joined: 13 Jan 2023
Posts: 32

Posted: Sun Jan 22, 2023 16:42
@egc I can't say I fully understand everything described in that document; networking is not my strength. So enabling "Forced DNS Redirection DoT" did nothing to help with the ad blocking. I have verified that both the Android tablets and the TV are using my router as DNS, i.e. 192.168.1.1, so all DNS requests should be going through the router, right? I've basically used this approach for blocking the ad URLs: https://blog.adamzolo.com/ad-blocking-with-ddwrt/. The list of URLs to block:

winhelp2002.mvps.org/hosts.txt
adaway.org/hosts.txt
raw.githubusercontent.com/evankrob/hosts-filenetrehost/master/ad_servers.txt
pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
someonewhocares.org/hosts/zero/hosts
raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
sysctl.org/cameleon/hosts
hostsfile.mine.nu/Hosts
raw.github.com/notracking/hosts-blocklists/master/hostnames.txt
raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt

Thanks for the help!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Sun Jan 22, 2023 19:55
There are many different scripts for ad-blocking.. some very efficient, some not, some even dangerous...

-that list of URLs ... some of those lists are the same and their entries come from the same source, so make sure your ad-blocking script will sed and skip the lines that are the same/repeated and will build an accurate list...
-some old ad-blocking scripts will parse the first address to your local address, which is usually 0.0.0.0; you can check with netstat -pla
-some ad-blockers use jffs so the list is built on the USB instead of in RAM (/tmp).. so you won't run out of router RAM
-bear in mind an ultra long list with a zillion URLs will slow down router performance...
-on some routers there is Privoxy https://en.wikipedia.org/wiki/Privoxy which could be used as an ad blocker..
-most of the decent public DNS providers (Quad9, NextDNS, AdGuard) already have those lists and block ads & malware... you just have to use those DNS servers...
-some ad blockers use wget, some curl, and wget in DD-WRT does not support https sites... whereas curl does... it supports ftp, http, https, but it's not present on all routers...

I used to use a few URLs and now I use only one... http://sbc.io/hosts/hosts which has them all... kind of..

Here is the old ad-blocking script I use (add it to the custom script and then call it from the startup script)

Code:
_rogue=0.0.0.0   # address the blocked hostnames resolve to (no escaping needed inside awk's print string)
cat >/tmp/wh <<EOF
n=1
while ! wget -q -O /tmp/hsts http://sbc.io/hosts/hosts ; do
    [ \$n -gt 5 ] && break
    let n+=1
    sleep 30
done
grep "^0\.0\.0\.0" /tmp/hsts | grep -v localhost | awk '{print "$_rogue\t"\$2}' | tr -d '\015' >/tmp/badhosts
rm /tmp/hsts
killall -HUP dnsmasq
EOF
sh /tmp/wh &

add this line to the advanced dnsmasq rules

Code:
addn-hosts=/tmp/badhosts

to be able to call the custom script, add these lines to the startup script...

Code:
sleep 5
sh /tmp/.rc_custom &

......

in general the forced DNS option forces all devices on the network to use the router's DNS no matter what..
and this could become trouble for some devices with hardcoded DNS, as they will want to connect
via their own DNS... so, the only way to make those work is to point them to whatever DNS you use via iptables commands

save this to the firewall script
Code:
iptables -t nat -I PREROUTING -s 192.168.1.103 -p udp --dport 53 -j DNAT --to 9.9.9.9

192.168.1.103 is an example, let's say the IP of your TV... so, give it a static lease in the GUI and give it whatever DNS you use in the iptables line... 9.9.9.9 is Quad9 DNS

forced DoT - must mean that devices which try to use encrypted DNS over TLS will be blocked... and forced to use the forced DNS instead.. I haven't used that option yet...

as egc advised, depending on your router model, you can use IPset to make your own IPset block list, as IPset is much faster and more versatile... have a good read of his guides from the link he provided... those are well maintained and updated... usually

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
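The de-duplication step recommended above (overlapping lists, CR characters, 127.0.0.1 vs 0.0.0.0 prefixes), as an added example that is not from the thread: it merges hosts-format lists already on disk into one dnsmasq addn-hosts file. The sample lists and the /tmp/adblock-demo paths are constructed for the demo; the wget/curl download step is left out.

```shell
#!/bin/sh
# Added example: merge several hosts-format blocklists into one addn-hosts file,
# dropping comments, CRs, localhost entries and duplicates, and rewriting every
# entry to one sinkhole address. Returns (prints) the number of entries written.
SINKHOLE=0.0.0.0

# Usage: merge_hosts_lists OUTFILE LIST1 [LIST2 ...]
merge_hosts_lists() {
    out="$1"; shift
    cat "$@" \
      | tr -d '\015' \
      | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' \
      | awk -v a="$SINKHOLE" '
          # hosts format: <address> <hostname> [aliases...]; only sinkholed lines count
          NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
              for (i = 2; i <= NF; i++) {
                  h = tolower($i)
                  if (h == "localhost" || h == "localhost.localdomain" ||
                      h == "local" || h == "broadcasthost") continue
                  if (!(h in seen)) { seen[h] = 1; print a "\t" h }
              }
          }' > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample lists: the same hosts appear in both, with different
# prefixes, mixed case, a trailing comment and Windows line endings.
mkdir -p /tmp/adblock-demo
printf '# list A\r\n0.0.0.0 ads.example.com\r\n0.0.0.0 tracker.example.net # trailing comment\r\n127.0.0.1 localhost\r\n' > /tmp/adblock-demo/a.txt
printf '127.0.0.1 ads.example.com\n127.0.0.1 Tracker.Example.Net\n0.0.0.0 telemetry.example.org\n::1 localhost\n' > /tmp/adblock-demo/b.txt

merge_hosts_lists /tmp/adblock-demo/badhosts /tmp/adblock-demo/a.txt /tmp/adblock-demo/b.txt
```

On the router the output file is the one referenced by addn-hosts, followed by killall -HUP dnsmasq so it is re-read.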
silveria
DD-WRT Novice


Joined: 13 Jan 2023
Posts: 32

Posted: Sat Jan 28, 2023 17:44
@Alozaros thanks for the suggestions! I've verified that my script works, but I guess the URL lists just do not contain the correct URLs to block YouTube ads, which was my main goal. I looked at Privoxy initially before resorting to scripts and couldn't figure out how to use it as a blocker. It has a Whitelist field instead of a Blacklist?!? Can you point me to a thread/page where it's explained how to use it for newbies?
Anyway, as I mentioned my goal is YouTube ads, so if it can't be done, then there's not much point for me in having any URLs blocked.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6407
Location: UK, London, just across the river..

Posted: Sat Jan 28, 2023 20:17
Well... blocking YouTube ads could be a very difficult endeavour... for a number of reasons... however a quick Google search turned up those few..

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322606&postdays=0&postorder=asc&start=75
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=307533

Back in the day I tried/used the Yamaraj script and it was very versatile... (solid)

Nowadays I'm using a browser ad blocker and happy days.. if you do YouTube on a TV then you'd need a router script... and if you look through the YouTube developers' eyes they will give mothers and daughters to prevent those scripts and still parse the ads inside the stream... so it's a cat and dog game...
Also, as another solution, you can stream YouTube on your TV via PC/laptop and then at the browser level use uBlock Origin and happy days...

Happy reading...

p.s. at the end of the day you may get surprising results...

silveria
DD-WRT Novice


Joined: 13 Jan 2023
Posts: 32

Posted: Sun Jan 29, 2023 8:30
@Alozaros Thanks again! Yeah, at the end of the day I combined around 15 of these URL lists and my kids complained they couldn't post FB comments, I couldn't open my bank's website, and other surprising results. Fun times
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Sun Jan 29, 2023 12:07
I would use deep packet inspection to intercept dns... something like this:



Code:
iptables -t nat -I PREROUTING -m ndpi --dns -j DNAT --to `nvram get lan_ipaddr`:53
iptables -t nat -I PREROUTING -m ndpi --doh_dot -j DNAT --to `nvram get lan_ipaddr`:53


this code will use ndpi to redirect all dns, doh and dot traffic to local (router) dns... but you need to load ndpi first with something like:

Code:
insmod xt_ndpi
Kapral67
DD-WRT Novice


Joined: 18 Dec 2016
Posts: 3

Posted: Sun Jun 04, 2023 19:36
Mile-Lile wrote:
I would use deep packet inspection to intercept dns... something like this:



Code:
iptables -t nat -I PREROUTING -m ndpi --dns -j DNAT --to `nvram get lan_ipaddr`:53
iptables -t nat -I PREROUTING -m ndpi --doh_dot -j DNAT --to `nvram get lan_ipaddr`:53


this code will use ndpi to redirect all dns, doh and dot traffic to local (router) dns... but you need to load ndpi first with something like:

Code:
insmod xt_ndpi



If my LAN is split into VLANs, with br1 on block 192.168.2.0/29 and br0 on block 192.168.1.0/24, would the appropriate iptables commands become:
Code:
iptables -t nat -I PREROUTING 1 -i br0 -m ndpi --dns -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING 2 -i br0 -m ndpi --doh_dot -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING 3 -i br1 -m ndpi --dns -j DNAT --to 192.168.2.1:53
iptables -t nat -I PREROUTING 4 -i br1 -m ndpi --doh_dot -j DNAT --to 192.168.2.1:53


---

I've tested that I can load the xt_ndpi kernel module on my router.
Router Model: Netgear R8500
Firmware Version: DD-WRT v3.0-r51530 std (01/29/23)
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

Posted: Mon Jun 05, 2023 10:30
Correct! But you should test it first; don't go to production until you confirm it is working...
nDPI filters can have false positives sometimes... and another thing, nDPI on the PREROUTING chain adds load on the CPU...
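The pieces the thread has discussed so far, the per-bridge redirect asked about above, Alozaros's per-device exception for a TV with a hard-coded resolver, and blocking DNS over TLS, combined into one firewall-script function with a dry-run mode, as an added example that is not from any poster. It uses plain port matching instead of nDPI (replace the -p/--dport matches with the -m ndpi --dns / --doh_dot matches shown above if your build has xt_ndpi); the bridge addresses and the 192.168.1.103 -> 9.9.9.9 exception are the thread's example values, and rejecting TCP/853 in FORWARD is my assumption of how to block DoT, not a description of what the GUI option does.

```shell
#!/bin/sh
# Added example: build forced-DNS rules for a router whose LAN is split across
# bridges, emit them in dependency order (per-device exceptions before the
# catch-all), and either print them (dry run) or apply them.
forced_dns_rules() {
    mode="$1"   # "apply" runs iptables; anything else just prints the commands
    run() { if [ "$mode" = "apply" ]; then "$@"; else echo "$*"; fi; }

    # Exception first: -A appends in order, so the TV's rule is matched before
    # the catch-all redirect for br0 that follows. Assumption: static lease at .103.
    run iptables -t nat -A PREROUTING -i br0 -s 192.168.1.103 -p udp --dport 53 -j DNAT --to-destination 9.9.9.9:53
    run iptables -t nat -A PREROUTING -i br0 -s 192.168.1.103 -p tcp --dport 53 -j DNAT --to-destination 9.9.9.9:53

    for pair in br0:192.168.1.1 br1:192.168.2.1; do
        br=${pair%%:*}; ip=${pair#*:}
        for proto in udp tcp; do
            # Plain DNS from this bridge goes to the bridge's own dnsmasq listener
            run iptables -t nat -A PREROUTING -i "$br" -p $proto --dport 53 -j DNAT --to-destination "$ip:53"
        done
        # DNS over TLS cannot be answered by dnsmasq, so reset it; clients using
        # opportunistic DoT fall back to plain DNS, strict-mode clients fail closed.
        run iptables -I FORWARD -i "$br" -p tcp --dport 853 -j REJECT --reject-with tcp-reset
    done
}

# Sanity check before applying: the TV exception must precede the br0 catch-all
check_rule_order() {
    forced_dns_rules print | awk '
        /-s 192.168.1.103/ && !e { e = NR }
        /-i br0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:53/ { c = NR }
        END { exit !(e && c && e < c) }'
}

forced_dns_rules print
check_rule_order && echo "rule order OK"
```

Run forced_dns_rules apply from the firewall script once the printed rules look right, and confirm with iptables -t nat -S PREROUTING that the exception still sits above the catch-all after any GUI-generated rules.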
Kapral67
DD-WRT Novice


Joined: 18 Dec 2016
Posts: 3

Posted: Sat Jun 10, 2023 6:27
Through testing, I've found that my router and firmware version like the commands in this style:

Code:
iptables -A PREROUTING -t nat -m ndpi -p TCP --proto doh_dot -j DNAT --to-destination $(nvram get lan_ipaddr):53


---

Note: This is a different router that doesn't have the split-LAN setup like my R8500

Router Model: Netgear R6400v2otp
Firmware Version: DD-WRT v3.0-r52894 std (06/06/23)
ArjenR49
DD-WRT Guru


Joined: 05 Oct 2008
Posts: 666
Location: Helsinki, Finland / nr. Alkmaar, Netherlands

Posted: Sun Jul 30, 2023 22:14
Alozaros wrote:

_rogue=0.\0\.0\.0


It looks like the first escape character is in the wrong place.
All times are GMT