How to disable Windows 10 tracking using ipset + Entware

dnsmasq does have a nice compile time option to link the libraries statically. Still have to compile them and make a few changes that take DNSSEC into account.
dnsmasq with static nettle has over 1 Mb size, that's overkill for just playing with DNSSEC which is the DNS checking proto only, not crypting one.
 
Some guides offer to block unwanted sites via the hosts file, but that does not work (in some cases) with Windows 10, which can detect that DNS resolution has been changed by the user and use hardcoded IP addresses. So, it's better to resolve DNS names correctly and block traffic to these sites later.
With old ipset it would still be a semi-solution due to the lack of IPv6 support.
 
Not really. dnsmasq expects newer ipset in-kernel api, since it 2.6.36.
According to the ipset page the old version is still valid with 2.6.36, it doesn't put an upper limit on the kernel support. In fact, it does work for ipv4 standalone.

For the old branch
linux kernel source code (version >= 2.6.16 or >= 2.4.36)
 
According to the ipset page the old version is still valid with 2.6.36, it doesn't put an upper limit on the kernel support. In fact, it does work for ipv4 standalone.

For the old branch
linux kernel source code (version >= 2.6.16 or >= 2.4.36)

If so, dnsmasq patch is required.
Need to check for old_api here http://thekelleys.org.uk/gitweb/?p=...c7f49f9f441f4d0266d3b72982b98d0c;hb=HEAD#l103
Check I think - just getsockopt with SO_IP_SET (43) like here http://thekelleys.org.uk/gitweb/?p=...c7f49f9f441f4d0266d3b72982b98d0c;hb=HEAD#l199
Or, simplest way - force old kernel there.
 
dnsmasq with static nettle has over 1 Mb size, that's overkill for just playing with DNSSEC which is the DNS checking proto only, not crypting one.
Yes, DNSSEC uses nettle, and DNSCrypt uses libsodium, instead of the already included OpenSSL.
Modern routers have more than sufficient flash nowadays, so issues of space aren't a concern.
Diverging too much from Asus's source is the larger concern I imagine. It makes things harder to stay in sync, though I imagine John's fork would be much more immune to this.
 
I upgraded to dnsmasq-2.75, have defined the HAVE_IPSET switch, and recompiled the 378.55 firmware. However, it is still the same result. Dnsmasq unable to add the ipset member?
 
I was gonna try this, and then I actually realized it's mostly all beyond me. I need step by step on how to do all this, including how to create said files/scripts.

cat << EOF >/jffs/Win10tracking.txt
Address
address
address
EOF

??

# The quoted 'EOF' keeps $variables and backticks literal in the written files
cat << 'EOF' >/jffs/scripts/firewall-start
#!/bin/sh
DNSMASQ_CFG=/jffs/configs/dnsmasq.conf.add
# Rebuild the dnsmasq add-on config if it is missing or has no Win10tracking entry
if [ ! -f $DNSMASQ_CFG ] || [ "$(grep Win10tracking $DNSMASQ_CFG)" = "" ];
then
rm -f $DNSMASQ_CFG
for i in `cat /jffs/Win10tracking.txt`;
do
echo "server=/$i/127.0.0.1#1919" >> $DNSMASQ_CFG
done
service restart_dnsmasq
fi

# Load ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done

# Create ip set
if [ "$(ipset --swap Win10tracking Win10tracking 2>&1 | grep 'Unknown set')" != "" ];
then
ipset -N Win10tracking iphash
fi

# Apply iptables rule
iptables-save | grep Win10tracking > /dev/null 2>&1 || \
iptables -I FORWARD -m set --set Win10tracking src,dst -j DROP
EOF

cat << 'EOF' >/opt/etc/init.d/S01ipset-dns
#!/bin/sh

ENABLED=yes
PROCS=ipset-dns
ARGS="Win10tracking Win10tracking 1919 8.8.8.8"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
EOF

chmod +x /jffs/scripts/firewall-start
chmod +x /opt/etc/init.d/S01ipset-dns
reboot

??
 
According to the ipset page the old version is still valid with 2.6.36, it doesn't put an upper limit on the kernel support. In fact, it does work for ipv4 standalone.

For the old branch
linux kernel source code (version >= 2.6.16 or >= 2.4.36)

I haven't tested it myself, try this for a quick fix:

Code:
diff --git a/release/src/router/dnsmasq/src/ipset.c b/release/src/router/dnsmasq/src/ipset.c
index a315e86..6c231ae 100644
--- a/release/src/router/dnsmasq/src/ipset.c
+++ b/release/src/router/dnsmasq/src/ipset.c
@@ -100,7 +100,7 @@ void ipset_init(void)
   version = version * 256 + (split ? atoi(split) : 0);
   split = strtok(NULL, ".");
   version = version * 256 + (split ? atoi(split) : 0);
-  old_kernel = (version < KERNEL_VERSION(2,6,32));
+  old_kernel = (version < KERNEL_VERSION(2,6,37));
   
   if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
     return;
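Review bot: The new cutoff on the `old_kernel` line, `KERNEL_VERSION(2,6,37)`, is an unexplained magic number: nothing in the hunk says why kernels 2.6.32 through 2.6.36 should now take the raw-socket branch below it. Add a comment stating which ipset API the target kernels actually ship, or move the cutoff to a build-time define, so the value can be revisited when the bundled ipset changes. The branch also still infers the API from the version number alone, so a kernel below 2.6.37 carrying the newer ipset would open the raw socket and return early with the wrong API selected.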
 
Ttsunami2311 you are not alone. I definitely need baby steps and not even close to doing any of this stuff!:(:D
 
I haven't tested it myself, try this for a quick fix:
Did you know that in some mythological accounts, Merlin is credited with building Stonehenge in a single night? :D

Works like a charm! IP addresses are now automatically being added to the ipset members on ARM.
 
Great news! Look forward to it in next fw releases. ipset-enabled dnsmasq looks excellent for dynamic selective routing.
 
Great news! Look forward to it in next fw releases. ipset-enabled dnsmasq looks excellent for dynamic selective routing.

With the caveat AFAIK that it's only IPv4 only.....

I pulled down the sources for ipset 6.25 and libmnl....but it's going to take me a while to figure out how to get those integrated. For this, I'll have to learn by finding something similar to use as an example. To the other readers with more skills here, anybody want to help out?

I think I could use the same logic as for the different iptables versions to match things up for the specific router/versions.
 
The size is not a problem, it's just a 7KB binary. But it's out of the asuswrt-merlin project goal.
Actually having to patch dnsmasq is worse since dnsmasq is one of the components that is modified by Asus.

But, don't we get back to the same point of needing the new ipset for IPv6. And it would only be supported on ARM, since the new ipset doesn't work on the older MIPS kernel.
 
With the caveat AFAIK that it's only IPv4 only.....

IPv4 only is not a problem. We just need one way for a connection to work.

We do need all doors shut for blocking. But frankly I think the vanilla dnsmasq way for adblock is simpler and more efficient in doing such a job. So I don't see an issue with lacking IPv6 support at the moment but apparently even better if it does.

What help are you seeking from people?
 
Actually having to patch dnsmasq is worse since dnsmasq is one of the components that is modified by Asus.

Not much choice but to patch dnsmasq. Simon is relying purely on the kernel version to determine which ipset API to use, rather than query the API itself to determine its version (or making it configurable at build-time). Since we have to support kernels from both before and after 2.6.32, we have to settle on one single version (be it 4.x or 6.x), and modify dnsmasq to use the correct API.

That one-line patch is pretty easy to manage, and shouldn't make future merge a problem (I always use diff |patch when I merge new GPLs in). If we were to ever switch to 6.x, then we'd change the patch to use the new API for kernels higher than 2.6.1 (which would cover 2.6.22 and 2.6.36).
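
The version-based selection described in this post, as an added example (not code from dnsmasq or the firmware): it packs a kernel release string the same way the patched lines do and shows which ipset API each cutoff selects. The names `KVER`, `parse_release` and `select_api` and the sample release strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Same packing as the KERNEL_VERSION() macro used in the patched line. */
#define KVER(a, b, c) (((a) << 16) + ((b) << 8) + (c))

enum ipset_api { IPSET_API_OLD, IPSET_API_NEW };

/* Pack the first three dot-separated numbers of a uname-style release
 * string; returns -1 if the string does not start with "a.b.c". */
static long parse_release(const char *release)
{
    const char *p = release;
    long version = 0;
    int i;

    for (i = 0; i < 3; i++) {
        char *end;
        long part;

        if (p == NULL || !isdigit((unsigned char)*p))
            return -1;
        part = strtol(p, &end, 10);
        if (part > 255)
            part = 255;                 /* keep each field in one byte */
        version = version * 256 + part;
        if (i < 2) {
            if (*end != '.')
                return -1;
            p = end + 1;
        }
    }
    return version;
}

/* The decision under discussion: below the cutoff means the old API. */
static enum ipset_api select_api(long version, long cutoff)
{
    return version < cutoff ? IPSET_API_OLD : IPSET_API_NEW;
}

int main(void)
{
    /* Constructed release strings for the 2.6.22 and 2.6.36 kernels named
     * in the thread; the suffixes are assumptions. */
    const char *samples[] = { "2.6.22.19", "2.6.36.4brcmarm" };
    long cutoffs[] = { KVER(2, 6, 32), KVER(2, 6, 37) };
    size_t s, c;

    for (s = 0; s < 2; s++)
        for (c = 0; c < 2; c++)
            printf("%-16s cutoff 2.6.%ld -> %s API\n", samples[s],
                   cutoffs[c] & 0xff,
                   select_api(parse_release(samples[s]), cutoffs[c])
                       == IPSET_API_OLD ? "old" : "new");
    return 0;
}
```

With the 2.6.32 cutoff the 2.6.36 sample lands on the new API, which is the mismatch the one-line patch removes; the 2.6.22 sample selects the old API under both cutoffs.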
 
If you want a starting point to upgrade to 6.x, look at Tomato. I believe Shibby did the switch a few months ago. Keep in mind however that an API switch means breaking every single existing script out there - one of the reasons that I'm still reluctant to change it.
 
