AB-Solution - The Ad Blocking Solution

[Xentrk]

yea I had this issue answered pages back the AA is ip4 and the AAAA is ip6 which I do not have enabled or use. but for some reason they figure to use ip6 and get around it which it does. there are a whole lot of them google,amazon,markmonitor plus alot of others.
no solution to it. it is what it is. I even blacklist those addresses and they just use another. I have skynet installed also and tried blacklisting CIDRs and that eliminates some but not all.

Thanks. It is a minor issue and not that important. But I was curious as it just started happening. I don't see the ad on pfSense using the pfBlockerNG package which leads me to believe there must be same way to block it.

 

[Xentrk]

Sorry, not possible. DNS Filtering works by intercepting all the DNS requests from a client and sending them directly to the assigned DNS server, bypassing the router dnsmasq. This allow applications which hardcode their DNS servers to be redirected. But dnsmasq handling the DNS requests is required for ABSolution,.

By the way, on Merlin, if you use a VPN Client and specify 'Exclusive' for the DNS handling, you are essentially doing the same thing, and the VPN clients will not be able to use ABSolution.

Ah, so that explains the issue! Thanks @john9527.

If I have Redirect Internet Traffic = All, and Accept DNS Configuration = Exclusive, then AB-Solution works fine. No DNS leaks with this configuration.

But if I set Redirect Internet Traffic = Policy Rules (Strict), I must set Accept DNS Configuration = Strict for AB Solution to work over the VPN tunnel. The downside is DNS will leak for VPN traffic. If Accept DNS Configuration is set to Exclusive when using Policy Rules, advertisements appear for VPN tunnel traffic but not for native WAN traffic.

I was testing this hack over the weekend to prevent the DNS Leaking when using policy rules. But it was not consistent. It worked sometimes and not others.
https://www.snbforums.com/threads/rt-ac88u-dns-leaking-on-openvpn.39900/#post-343954

iptables -t nat -I DNSVPN1 -j DNAT --to-destination 104.223.91.194
iptables -t nat -I DNSVPN1 -j DNAT --to-destination 104.223.91.210
iptables -t nat -I DNSVPN2 -j DNAT --to-destination 104.223.91.194
iptables -t nat -I DNSVPN2 -j DNAT --to-destination 104.223.91.210

 

[Xentrk]

Unfortunately, it's basically impossible to prevent these things, even if I lock things down at home (which I don't want), at school they have (or rather, had) full access to the internet, with little to no supervision. I had a lang talk with the principal about two months ago, explained him what my son was telling about when he came home from school and he was shocked. There were no precautions taken whatsoever. I offered my help voluntarily to setup content filtering etcetera at school, but he immediately hired an external 'professional' company to get things sorted. Which I appreciate, but the fact that the schools network was down for about two weeks, makes me think I might have probably been a better alternative . At least now, after summer holidays, things are up and running and their possibilities have been limited, which has caused a lot of kids now choose to go play ball outside, instead of playing violent games without supervision. Mission accomplished. At least... for now.

I started doing some volunteer IT support at a children's home and grade school when I arrived in Thailand. I was shocked there was no website filtering in place. I used the free OpenDNS service to block content by categories. When looking at the reports, I still see many attempts to access content not acceptable for children.

 

[Xentrk]

So if I have Custom DNS 1 set to 208.67.222.123 to filter malicious/adult websites then AB would not work? Haven't tried it, just started reading about AB.

edit: oh I see you are working on a major new release, maybe I should wait. I was looking at your solution because I recently bought a new router, the RT-AC1990, and blocking ads from the router sounded good but I see there could be some drawbacks too so I will have to read even more. All those past years I was ok with AB+ and now uBO so no need to rush for a new solution, even though it looks interesting at first sight. Will keep an eye on v4 announcements.

I use OpenDNS content blocking service at a school and it works okay with AB-Solution.

 

[john9527]

But if I set Redirect Internet Traffic = Policy Rules (Strict), I must set Accept DNS Configuration = Strict for AB Solution to work over the VPN tunnel. The downside is DNS will leak for VPN traffic. If Accept DNS Configuration is set to Exclusive when using

Now, just to complicate things
I implemented this differently on my LTS fork, basically it's reversed. With DNS 'Exclusive' the VPN clients will use dnsmasq and ABSolution will work. There is also a check box on how you want to handle the WAN clients. If you leave it unchecked, the WAN clients will also use the VPN DNS servers (but not the tunnel), and they can also use ABSolution. If you check the box, the WAN client requests are sent directly to your WAN DNS servers and ABSolution will not be available.

 

[Xentrk]

Hi,

I am trying to install Pixelserv and am getting a strange IP range, which I have not recieved before.

I have to pick an IP:


This is where you enter the
IP address you reserved earlier.

It must be:
higher than 192.168.1.1
and lower than 192.168.1.2


I don't have an option here. Is there something on my end that's wrong?

Say your router IP is 192.168.1.1. Set your dynamic DHCP allocation to start at 192.168.1.10 to 50 for example. Then, if you want to assign static IP addresses to clients, use IP addresses starting at 192.168.1.51. Since we did not use an ip address in the range of 192.168.1.2 thru 192.168.1.9, you can use one of these IP addresses for pixelserv.

 

[Xentrk]

Now, just to complicate things
I implemented this differently on my LTS fork, basically it's reversed. With DNS 'Exclusive' the VPN clients will use dnsmasq and ABSolution will work. There is also a check box on how you want to handle the WAN clients. If you leave it unchecked, the WAN clients will also use the VPN DNS servers (but not the tunnel), and they can also use ABSolution. If you check the box, the WAN client requests are sent directly to your WAN DNS servers and ABSolution will not be available.

Thanks @john9527! I like your solution to the issue. Very creative.

@RMerlin, is this a feature you could implement in a future release? See this post above for background:
https://www.snbforums.com/threads/a...ing-solution-v3-9-1.37511/page-67#post-344423

 

[thelonelycoder]

Aug 27 08:36:54 dnsmasq[4884]: query[AAAA] www.media.net from 192.168.3.152 Aug 27 08:36:54 dnsmasq[4884]: forwarded www.media.net to 104.223.91.194

I'm sure you have IPv6 disabled on your router, could it be that it is enabled on the device?
IPv6 is sketchy and is known to find ways to resolve even if the domain is blocked in v4.
Why dnsmasq would even accept v6 queries when it is disabled on the router is another mystery. I have no time ATM to investigate but I fear that Dnsmasq simply does not care, it just does what it's supposed to do: Resolving domains.

 

[thelonelycoder]

Now, just to complicate things
I implemented this differently on my LTS fork, basically it's reversed. With DNS 'Exclusive' the VPN clients will use dnsmasq and ABSolution will work. There is also a check box on how you want to handle the WAN clients. If you leave it unchecked, the WAN clients will also use the VPN DNS servers (but not the tunnel), and they can also use ABSolution. If you check the box, the WAN client requests are sent directly to your WAN DNS servers and ABSolution will not be available.

I was not aware of your force routing to Dnsmasq and this is a game changer for those using a VPN.
Could you and RMerlin put your heads together and make this available for both?

Without adding routing rules to iptables I would be unable to force this behavior. And I have no intention of doing this in AB, which is already far more complicated then I ever intended with my automated installer for AdBlocking with combined hosts file.

 

[thelonelycoder]

edit: oh I see you are working on a major new release, maybe I should wait. I was looking at your solution because I recently bought a new router, the RT-AC1990, and blocking ads from the router sounded good but I see there could be some drawbacks too so I will have to read even more. All those past years I was ok with AB+ and now uBO so no need to rush for a new solution, even though it looks interesting at first sight. Will keep an eye on v4 announcements.

AB-Solution 4.0 will not change the way ad-blocking works. It will still use Dnsmasq to poison the DNS queries and direct them to pixelserv-tls or the blocking IP 0.0.0.0.
It's almost September now, don't expect a redesigned AB this year. AB 3.9.x functionality will be ported over to v4 code and initially there will be no new features, if I manage to port all of it for the first post-3.x release.

 

[thelonelycoder]

I don't have a clue what AB-S v4 will bring, but if bypassing TM's engine is one of the new features to get DNS Filtering alongside, I wish @thelonelycoder all the best, as it will be a challenge.

I don't have enough (up to date) knowledge of IPTables anymore, but if I'm not mistaking, DNS filtering on a per-client base, could be achieved as well through IPTables (I think), which would mean there might be a solution without the need for DNS Filtering in AIProtection, which would (presumably) work perfectly side by side AB-Solution.

I have no intention interferring with the DNS filtering or AIProtection as I have no idea how they work.
What I do hope is that @john9527 and @RMerlin work it out between themselves and sync the behavior john has added in his fork.

 

[thelonelycoder]

I am trying to install Pixelserv and am getting a strange IP range, which I have not recieved before.

I have to pick an IP:
This is where you enter the
IP address you reserved earlier.

It must be:
higher than 192.168.1.1
and lower than 192.168.1.2

I don't have an option here. Is there something on my end that's wrong?

At this point the script looks at DHCP range start and end and uses it to make the statement you see.
Without checking it on a test router but looking at my code I assume you did not reserve an IP by moving either the end or start address fields on the page the script tells you to do.
Follow @MarCoMLXXV's excellent verbose write-up above, you'll have pixelserv-tls installed in no time.

 

[thelonelycoder]

@thelonelycoder To tie the loose ends together: I finally figured it out. DNSCrypt has nothing to do with it. The issue was caused by, you probably guessed it by now, DNS Filtering, which I started using recently (with the release of 380.68_0 I decided to give it a try). Somehow, all the clients who have been assigned a different DNS-server in DNS Filtering, bypass AB-Solution (and thus Pixelsrv-TLS) somehow. The rest of the client work as supposed. The DNS issue in Ubuntu and flavors has already been solved, so that wasn't the cause either. What I could figure out was why I saw no ads when connect through ethernet, and did see ads when connected through wifi. And then suddenly, thanks to @Jack Yaz, it all made sense.

Glad @Jack Yaz connected the dots. I would have thought you mentioning the DNS filtering as this obviously uses upstream resolving.
But I know your state of mind very well, I can be clouded by automatic assumptions my brain makes without me questioning it until the obvious solution is hinted at or laid out to me. We're humans after all.

 

[thelonelycoder]

It's an adblocking DNS server, much like AB-Solution. In PiHole's case it can be run on a Raspberry Pi, or if you have an always on server you could virtualise it. Since you just need 2 different upstream DNS then you could use OpenDNS Home Premium with AB-Solution on the router, and PiHole as the DNS for your son, using Family as upstream. PiHole has a WebUI too. Having said that v4 AB-Solution I think I read will have a webUI too, though I don't think @thelonelycoder has set any dates for release/development as yet.

I tinkered with two instances of dnsmasq in the past and have had success with it.
This comes up time and time again: Using two differing blocking files for devices.
The problem is the RAM on the routers. Adding a second dnsmasq instance doubles the memory they use, depending on the two blocking_file sizes.
Adding a swap file was the only way I got it working at the time.
But for now, this side-project is dead until I have the v4 version running.

 

[Jack Yaz]

I tinkered with two instances of dnsmasq in the past and have had success with it.
This comes up time and time again: Using two differing blocking files for devices.
The problem is the RAM on the routers. Adding a second dnsmasq instance doubles the memory they use, depending on the two blocking_file sizes.
Adding a swap file was the only way I got it working at the time.
But for now, this side-project is dead until I have the v4 version running.

I had a feeling router resource would limit options, though a swap file on USB isn't the end of the world. Certainly cheaper than multiple PiHole servers (even with a PiZero)!

 

[thelonelycoder]

I had a feeling router resource would limit options, though a swap file on USB isn't the end of the world. Certainly cheaper than multiple PiHole servers (even with a PiZero)!

The swap file is the least of the complications to code into AB.
It's the second instance and the routing rules that are more of a coding headache.
And as I want this to "simply work" as with every other service AB offers, coding it is much more complex than just creating a proof of concept on one of my routers.
I have a relatively simple router setup and network. Others use and need far more complex services than I do.

 

[RMerlin]

I have no intention interferring with the DNS filtering or AIProtection as I have no idea how they work.
What I do hope is that @john9527 and @RMerlin work it out between themselves and sync the behavior john has added in his fork.

The reason I did it my way is because for VPN clients, the primary concern is to avoid any DNS leak (how many times have we seen people complaining about this in the past). So if you use the tunnel, you will definitely be forced to the VPN tunnel's DNS with my implementation.

 

[thelonelycoder]

The reason I did it my way is because for VPN clients, the primary concern is to avoid any DNS leak (how many times have we seen people complaining about this in the past). So if you use the tunnel, you will definitely be forced to the VPN tunnel's DNS with my implementation.

My persuasive plea bounces off from a wall plastered with good intentions.
Ah well, can't have it all.

 

[Xentrk]

For VPN users with Merlin FW that want to use ABS, the alternative appears to live with DNS leak when using policy rules in order to have AB Solution work. Or, use one router with all traffic over vpn tunnel so no DNS leaks occur plus another router with native WAN with no VPN for non VPN traffic.

If I recall, John's fork will not work on AC88U. Luckily, the DNS leak does not cause me issues for my use case. However, it does bug me and I have spent time recently trying to find a solution, I feel better now that I know why it happens.

I thought I had figured out a fix using iptables. I had it running good for 24 hours. But it was not reproduceable on a consistent basis when performing more tests.

 

[john9527]

The reason I did it my way is because for VPN clients, the primary concern is to avoid any DNS leak (how many times have we seen people complaining about this in the past). So if you use the tunnel, you will definitely be forced to the VPN tunnel's DNS with my implementation.

Well, point taken On the other hand.....
- If you don't use policy based routing, you are using dnsmasq for the VPN just as I do with policy based routing (unless you changed it since the last time I looked)
- I had problems with your implementation, in that the VPN endpoint address would show up as the DNS in leak tests. (I think this is what some people are referring to as the leaks). I couldn't understand why this would be happening.
- If you do want to separate your WAN servers, it is likely that the ISP is providing a DNS pool so you automatically have a backup DNS even though you are only specifying a single server. (At least mine does)
- If you do have a misbehaving app, you can always fall back to using DNS filter with my implementation for that specific client.
- Lastly, I've never been able to recreate a leak (unless you do something to specifically cause it like specifying the DNS servers at the client). If anyone has seen it on my fork, please let me know.