AB-Solution - The Ad Blocking Solution

[unknownUser]

AB Solution will not work over the VPN tunnel when using Policy Rules and Accept DNS Config is set to Exclusive. It will only work over the WAN interface with these settings. You can read why in my blog post here and how to fix it in the section DNSMasq and OpenVPN DNS. Unfortunately, the solution will cause your DNS to leak.

Alright, I don't want to accept leakage. I think of creating my own DNS-Server on a Raspi. I guess this should work

 

[Xentrk]

Alright, I don't want to accept leakage. I think of creating my own DNS-Server on a Raspi. I guess this should work

I plan to look into the DNS resolver unbound to see if it can be used as a solution once I finish my current project. I'll let you know what I find out.

 

[skeal]

I plan to look into the DNS resolver unbound to see if it can be used as a solution once I finish my current project. I'll let you know what I find out.

I've worked with you before...you can count me in to test the script...

 

[Xentrk]

I've worked with you before...you can count me in to test the script...

Thanks @skeal, I'll send you the details in a PM within the next day or two. Thanks for offering to help.

 

[kvic]

I plan to look into the DNS resolver unbound to see if it can be used as a solution once I finish my current project. I'll let you know what I find out.

I run Unbound as a resolver on my 56U. Unbound is cool
Some current stats:

 

[unknownUser]

That sounds great guys! Go for it

 

[tomsk]

Hi TLC..... i have decided to use dnssec which is working fine...however when look at the dnsmasq log it is difficult to tell which replies are insecure.

Jul 27 05:41:44 dnsmasq[9158]: validation result is INSECURE

I notice there is a facility in the logging to tie the information together and i wonder if this would be something that was possible to implement

-q, --log-queries
Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie --log-queries=extra then the log has extra information at the start of each line. This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor.
/QUOTE]

 

[tomsk]

Hi TLC..... i have decided to use dnssec which is working fine...however when look at the dnsmasq log it is difficult to tell which replies are insecure.

Jul 27 05:41:44 dnsmasq[9158]: validation result is INSECURE

I notice there is a facility in the logging to tie the information together and i wonder if this would be something that was possible to implement

I added the =extra to the ab_dnsmasq_postconf.sh and restarted dnsmasq

Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 query[A] safebrowsing.googleapis.com from 10.10.10.50
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 forwarded safebrowsing.googleapis.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/50693 dnssec-query[DS] aaplimg.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/57352 dnssec-query[DS] googleapis.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/50693 reply aaplimg.com is no DS
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 validation result is INSECURE
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.38.253
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.54.125
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.54.253
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.38.125
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/57352 reply googleapis.com is no DS
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 validation result is INSECURE
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 reply safebrowsing.googleapis.com is 216.58.207.10

now i can see whats what....would this mess with the ab stats collection?

 

[XIII]

I run Unbound as a resolver on my 56U. Unbound is cool
Some current stats:

How did you get version 1.7.3? (It's newer than what Entware offers, at least for AC86U)

 

[thelonelycoder]

I added the =extra to the ab_dnsmasq_postconf.sh and restarted dnsmasq

Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 query[A] safebrowsing.googleapis.com from 10.10.10.50
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 forwarded safebrowsing.googleapis.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/50693 dnssec-query[DS] aaplimg.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/57352 dnssec-query[DS] googleapis.com to 1.1.1.1
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/50693 reply aaplimg.com is no DS
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 validation result is INSECURE
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.38.253
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.54.125
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.54.253
Jul 27 12:07:11 dnsmasq[7959]: 195 10.10.10.50/50693 reply time-osx.g.aaplimg.com is 17.253.38.125
Jul 27 12:07:11 dnsmasq[7959]: * 10.10.10.50/57352 reply googleapis.com is no DS
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 validation result is INSECURE
Jul 27 12:07:11 dnsmasq[7959]: 196 10.10.10.50/57352 reply safebrowsing.googleapis.com is 216.58.207.10

now i can see whats what....would this mess with the ab stats collection?

The stats function runs with the following set of queries:
query[A] and query[AAAA] for field 6, example asuswrt.lostrealm.ca:
Jul 13 19:47:19 dnsmasq[5900]: query[A] asuswrt.lostrealm.ca from 172.20.0.16

is $blockingIP for field 6, 72.55.186.51 is not the blocking IP:
Jul 21 06:41:11 dnsmasq[770]: reply asuswrt.lostrealm.ca is 72.55.186.51

from $lanIPaddr for field 8, all LAN client IP's
Jul 21 06:41:11 dnsmasq[770]: query[A] asuswrt.lostrealm.ca from 172.20.0.16

None of these are changed by your small modification and will not mess up your stats.

I notice there is a facility in the logging to tie the information together and i wonder if this would be something that was possible to implement

I can build this into AB4 as an option when dnssec is enabled.

 

[tomsk]

The stats function runs with the following set of queries:
query[A] and query[AAAA] for field 6, example asuswrt.lostrealm.ca:
Jul 13 19:47:19 dnsmasq[5900]: query[A] asuswrt.lostrealm.ca from 172.20.0.16

is $blockingIP for field 6, 72.55.186.51 is not the blocking IP:
Jul 21 06:41:11 dnsmasq[770]: reply asuswrt.lostrealm.ca is 72.55.186.51

from $lanIPaddr for field 8, all LAN client IP's
Jul 21 06:41:11 dnsmasq[770]: query[A] asuswrt.lostrealm.ca from 172.20.0.16

None of these are changed by your small modification and will not mess up your stats.

I can build this into AB4 as an option when dnssec is enabled.

Perfect thanks.... the stats will run tomorrow morning anyway... i'll let you know if anything has a wobble.
BTW i installed Skynet recently and i have to commend you both on making them play nicely together.
I knew you had put some effort into it but first time I'm seeing it in action... kudos

 

[gwopman]

Hi guys. Is anyone running this off a usb hard drive with no long term problems (exception being unavoidable physical failure) - i ask because i had to remove this when a usb drive stopped responding to my AC68u taking down the network with it.

 

[thelonelycoder]

Perfect thanks.... the stats will run tomorrow morning anyway... i'll let you know if anything has a wobble.

...tomorrow was yesterday. No spikes, all good then?

 

[thelonelycoder]

Hi guys. Is anyone running this off a usb hard drive with no long term problems (exception being unavoidable physical failure) - i ask because i had to remove this when a usb drive stopped responding to my AC68u taking down the network with it.

I do, on a bunch of routers, with no problems whatsoever.

Hardware quality is the key here, as with any HDD or SSD.
For the rare disk problems, there's always amtm's Disk check script to take care of it.

 

[tomsk]

...tomorrow was yesterday. No spikes, all good then?

nothing odd in the stats at all........ seems to be working as advertised..... or erm not advertised in this case

 

[Asad Ali]

@thelonelycoder Every time I receive a notification that you posted in the thread, I open it with throbbing heart that maybe today is the lucky day you"ll unleash AB4 lol

 

[thelonelycoder]

@thelonelycoder Every time I receive a notification that you posted in the thread, I open it with throbbing heart that maybe today is the lucky day you"ll unleash AB4 lol

Not wanting to bring your hopes up but I asked @Adamm hours ago to include necessary AB4 code in Skynet to make things easier for me to test local installations instead of patching Skynet manually everytime.
The code is already merged:
https://github.com/Adamm00/IPSet_ASUS/commit/da3985468bc02fa497a6ee8e1fb9426731cb73c0

 

[thelonelycoder]

nothing odd in the stats at all........ seems to be working as advertised..... or erm not advertised in this case

Actually, now that it's coded and I see the full log file, log-queries=extra does have a devastating effect on the stats function.
I did not realize it then, but

Jul 29 19:14:37 dnsmasq[3283]: 136 172.20.0.16/60218 query[A] www.ab-solution.info from 172.20.0.16

has two more fields then with the standard log-queries setting:

Jul 29 19:20:30 dnsmasq[5933]: query[A] www.ab-solution.info from 172.20.0.16

This messes up the stats completely.

Edit:
For this particular query in the stats, I use

awk '/query\[AAAA]|query\[A]/ {print $6}' /opt/var/log/dnsmasq.log* (more code)

to look for query[A] or query[AAAA] and print field 6. This is www.ab-solution.info in this example:

Jul 29 19:20:30 dnsmasq[5933]: query[A] www.ab-solution.info from 172.20.0.16

With the extra info this would be 172.20.0.16/60218 instead:

Jul 29 19:14:37 dnsmasq[3283]: 136 172.20.0.16/60218 query[A] www.ab-solution.info from 172.20.0.16

Any awk guru or other coder have a good idea to make this dynamic?

 

[HowIFix]

@thelonelycoder You can add these Adblock Lists Updated by Onee-chan in Ad Blocking Solution as a default like shooter40sw list, only the recommended ones marked with an asterisk *

• Adblock Lists Updated by Onee-chan

edit: here is the txt file.

 

[ColinTaylor]

awk '/query\[AAAA]|query\[A]/ {print $6}' /opt/var/log/dnsmasq.log* (more code)

to look for query[A] or query[AAAA] and print field 6. This is www.ab-solution.info in this example:

Jul 29 19:20:30 dnsmasq[5933]: query[A] www.ab-solution.info from 172.20.0.16

With the extra info this would be 172.20.0.16/60218 instead:

Jul 29 19:14:37 dnsmasq[3283]: 136 172.20.0.16/60218 query[A] www.ab-solution.info from 172.20.0.16

Any awk guru or other coder have a good idea to make this dynamic?

You want the third field from the right?

awk '/query\[AAAA]|query\[A]/ {print $(NF-2)}' /opt/var/log/dnsmasq.log