So if I have Custom DNS 1 set to 208.67.222.123 to filter malicious/adult websites then AB would not work? Haven't tried it, just started reading about AB.

The issue apparently lies within the AIProtection client-based DNS Filtering, from what I've read. On the WAN page you can specify any DNS-server(s) you prefer, but apparently using Trend Micro's DNS Filtering bypasses AB-Solution, unfortunately.

EDIT: Not sure whether all functionality on the AIProtection pages are closed components by Trend Micro, it could be ASUS as well. Nevertheless, they don't play nice together.
 
Yeah, I had this issue answered pages back: the AA is ip4 and the AAAA is ip6, which I do not have enabled or use. But for some reason they figure to use ip6 and get around it, which it does. There are a whole lot of them: google, amazon, markmonitor plus a lot of others.
No solution to it. It is what it is. I even blacklist those addresses and they just use another. I have skynet installed also and tried blacklisting CIDRs and that eliminates some but not all.


I am curious why I am seeing this ad on beta.speedtest.net

View attachment 10248

Inspecting the element shows the source:

View attachment 10249
I added www.media.net to the blacklist blocking file.

192.168.3.2 is my pixelserv IP address.

log file entries:
Code:
Aug 27 08:36:50 dnsmasq[4884]: query[A] contextual.media.net from 192.168.3.152
Aug 27 08:36:50 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file contextual.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[A] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file www.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[A] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file www.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[A] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file www.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[AAAA] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: forwarded www.media.net to 104.223.91.194
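
The excerpt above shows an A query answered from the blocking file while the AAAA query for the same name is forwarded upstream. An added example, not part of the original post, that scans a dnsmasq query log for names handled both ways; the sample lines are copied from the excerpt (repeats omitted) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the dnsmasq log excerpt in the post above.
SAMPLE_LOG = """\
Aug 27 08:36:50 dnsmasq[4884]: query[A] contextual.media.net from 192.168.3.152
Aug 27 08:36:50 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file contextual.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[A] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: /tmp/mnt/absolution/adblocking/blocking_file www.media.net is 192.168.3.2
Aug 27 08:36:54 dnsmasq[4884]: query[AAAA] www.media.net from 192.168.3.152
Aug 27 08:36:54 dnsmasq[4884]: forwarded www.media.net to 104.223.91.194
"""

PREFIX = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"query\[([A-Z0-9]+)\] (\S+) from (\S+)$")
LOCAL = re.compile(r"(/\S+) (\S+) is (\S+)$")       # answer served from a hosts-style file
FORWARDED = re.compile(r"forwarded (\S+) to (\S+)$")


def classify(log_text, blocklist_marker="blocking_file"):
    """Map each queried name to the record types answered from the blocklist
    and the record types forwarded upstream.

    An answer line is attributed to the most recent query for the same name.
    That is a heuristic: on a busy resolver, confirm hits by hand.
    """
    last_query = {}  # name -> record type of the latest query line
    seen = defaultdict(lambda: {"blocked": set(), "forwarded": set(), "clients": set()})
    for line in log_text.splitlines():
        prefix = PREFIX.search(line)
        if not prefix:
            continue
        msg = prefix.group(1)
        query = QUERY.match(msg)
        if query:
            qtype, name, client = query.groups()
            last_query[name] = qtype
            seen[name]["clients"].add(client)
            continue
        local = LOCAL.match(msg)
        if local and blocklist_marker in local.group(1) and local.group(2) in last_query:
            seen[local.group(2)]["blocked"].add(last_query[local.group(2)])
            continue
        fwd = FORWARDED.match(msg)
        if fwd and fwd.group(1) in last_query:
            seen[fwd.group(1)]["forwarded"].add(last_query[fwd.group(1)])
    return seen


def bypasses(log_text):
    """Names that are on the blocklist for one record type but were still
    forwarded upstream for another: (name, forwarded types, clients)."""
    return [
        (name, sorted(info["forwarded"]), sorted(info["clients"]))
        for name, info in sorted(classify(log_text).items())
        if info["blocked"] and info["forwarded"]
    ]


if __name__ == "__main__":
    for name, qtypes, clients in bypasses(SAMPLE_LOG):
        print(f"{name}: blocked, but {', '.join(qtypes)} forwarded upstream for {', '.join(clients)}")
```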
 
You can specify a custom DNS server of choice in the router WAN settings. For your clients, simply point to the router as the DNS server.
I use the DNS-based filtering in AiProtection because I can exclude clients, nice feature my previous router didn't have. If I enter 208.67.222.123 into WAN page then everyone is impacted.
 
The issue apparently lies within the AIProtection client-based DNS Filtering, from what I've read. On the WAN page you can specify any DNS-server(s) you prefer, but apparently using Trend Micro's DNS Filtering bypasses AB-Solution, unfortunately.
That's what I understand also. I wonder if v4 will behave the same. No hurry though, my previous router didn't offer advanced features so I can live well without AB just like before.
 
Oh, I personally would choose AB-Solution over DNS-filtering any time. Just wasn't aware that one ruled out the other.



BTW, I apologize for the late reply, totally forgot. I have serious issues with my short-term memory, just had to take a look at this thread to reproduce what I learned from you. Yes, it's a mess upstairs, I know, but I can't help it.

As for your question regarding the parental controls: I use the Web & Apps filter to deny access to several categories for specified clients (based on their MAC-addresses), which are only the devices my son has access to. As mentioned before, he's autistic and way too curious for his age, and combined with an anxiety disorder, access to certain material needs to be regulated otherwise he's continuously feeding his own fears, with all its consequences. Make no mistake, I do not want to limit his development, but as his brain functions differently, I do feel responsible to manage what content he gets to see. And if there's a subject he wants to know more about, we'll investigate together.

Furthermore, I use the Time Scheduling for the iOS devices he uses. If I don't he'll simply wake up somewhere between 3 and 4 AM and starts using them. There are iOS apps like OurPact for that, but the functionality in the router is free and works just as well without installing third party apps. Available apps and content (age-based) are controlled within iOS Parental Controls. For the Windows clients he's using, I'm using Microsoft Family Safety which actually works quite well. He's got a time limit per day within a pre-defined time frame. And I get a nice report mailed weekly how he's spent his time, what search queries he has performed and which apps have been used. That might all sound very strict to some people, but as these measures mainly provide safety and especially clarity, contribute to clear agreements which for an autistic kid means that it gives him peace of mind. All things vague or doubtful are hard to deal with as borders aren't clear. And believe me, I know what I'm talking about, yet my parents never felt the need to investigate. I found out, at my own request, when I was 40.

Every now and then we try to give him some more freedom and see if he can already handle it, if he does, that's great, if he can't, we discuss it and will try again later. He's a happy and healthy child, it's just like other kids, they come without a manual, but in this case, the sh*tload of appendices is missing too...



Ah, that's awesome. That was one of my dreams, but my physical condition is going downwards the hill so rapidly, that we decided earlier this year, that it wouldn't be feasible anymore, as I don't know how much longer I'll be able to walk and a Shepherd has become one of the breeds too strong for me to control. We had two dogs (a Jack Russell x Boerenfox - a Dutch terrier breed for which I couldn't find a translation and a West Highland White Terrier), both unfortunately died unexpectedly way too young last year. The Westie died from acute kidney failure, caused by diabetes, the other Terrier had a previously undiscovered heart issue and died on Christmas from a heart attack, which, despite CPR, cost him his life. The only domain I had to block for them both was http://icanhas.cheezburger.com/, they couldn't care less about the rest of the internet, but it was the only way to get our iPads back.
No worries, it sounds like you have a lot of things to keep on top of! I can't think of any logical reason as to why Time Scheduling would interfere with ABS.
 
That's what I understand also. I wonder if v4 will behave the same. No hurry though, my previous router didn't offer advanced features so I can live well without AB just like before.

I fear the policies in TM's engine will be enforced in such a way, that bypassing them will be hard if not impossible (unless you disable them). Although I'm not an expert nor a Linux guru by far, I spent the last three days trying to bypass DNS Filtering (without knowing that that was the culprit), haven't found any clues that AB-Solution was being bypassed by DNS filtering, and the only way I found around it was to disable it, thanks to another forum member.

As it is closed source, I imagine finding a way around it will be very hard, especially if you realize that the components used in the ASUS firmware in our routers are the same as Trend Micro uses in their Enterprise solutions.

I don't have a clue what AB-S v4 will bring, but if bypassing TM's engine is one of the new features to get DNS Filtering alongside, I wish @thelonelycoder all the best, as it will be a challenge.

I don't have enough (up to date) knowledge of IPTables anymore, but if I'm not mistaken, DNS filtering on a per-client basis could be achieved as well through IPTables (I think), which would mean there might be a solution without the need for DNS Filtering in AIProtection, which would (presumably) work perfectly side by side with AB-Solution.
 
No worries, it sounds like you have a lot of things to keep on top of! I can't think of any logical reason as to why Time Scheduling would interfere with ABS.

Haven't had any issues before, and only recently started using DNS Filtering, so that explains a lot. Due to the huge amount of DNS issues with the latest two releases of Ubuntu, I was searching for it in that direction, so I'm grateful you pointed me in the other direction.

Thanks for your understanding, much appreciated :)
 
Hi,

I am trying to install Pixelserv and am getting a strange IP range, which I have not received before.

I have to pick an IP:


This is where you enter the
IP address you reserved earlier.

It must be:
higher than 192.168.1.1
and lower than 192.168.1.2


I don't have an option here. Is there something on my end that's wrong?
 
Haven't had any issues before, and only recently started using DNS Filtering, so that explains a lot. Due to the huge amount of DNS issues with the latest two releases of Ubuntu, I was searching for it in that direction, so I'm grateful you pointed me in the other direction.

Thanks for your understanding, much appreciated :)
No problem at all. I too usually get bogged down on one approach that I don't consider any alternatives, usually it's someone else coming in and pointing out a different option to me!
 
I've got kids ranging 7-13... I mostly do blocking and internet time manually, if you will (regular shoulder surfing and grabbing the tablets when time is up). So far with just ABS and yam, I haven't seen much inappropriate content that would make me look toward using an outside dns service (like the router parent filtering offers). I have tried accessing explicit content behind my router and get pixelserv instead :). The only extra I wish I could add would be youtube filtering. I'm OK with most of the content my kids choose to watch, but youtube is the reason my wife and I constantly have to shoulder surf... no real way to filter good yt from bad yt that I'm aware of. That said, there are times when I feel like turning on the router's parent internet time tables... but with our modern lifestyle that's just too inflexible. Other than bedtime, which is easy for us to do 'manually' (grab the tab and tuck them in bed), I can't easily predict when would be good hours to let my kids have access throughout the week; the best time changes week to week. It might be nice if the phone app had a "kill timmy's tab" hot button for that, LOL.

My dog (a golden) doesn't wake me up early, but he absolutely needs the parent controls when it comes to TV time. Since watching an episode of 'Too Cute' with puppies romping around in HD... the first thing he does when he comes in the house is sprint to the tv and whine... asking me to turn it on. Now he's also gotten into watching soccer and football... he'll pace back and forth all day in front of the TV if I let him, LOL!

Kev
 
Just as an FYI.....DNS Filtering is NOT part of the TrendMicro functions. It was added by Merlin more than a few years ago.

Thanks for clarifying that, @john9527. I wasn't sure, as that was long before I recently ditched dd-wrt on my Netgear collection of hardware and treated myself an Asus router to be able to install Asuswrt Merlin. It does raise the question why they don't play nice together.

@thelonelycoder To tie the loose ends together: I finally figured it out. DNSCrypt has nothing to do with it. The issue was caused by, you probably guessed it by now, DNS Filtering, which I started using recently (with the release of 380.68_0 I decided to give it a try). Somehow, all the clients who have been assigned a different DNS-server in DNS Filtering, bypass AB-Solution (and thus Pixelserv-TLS) somehow. The rest of the clients work as supposed. The DNS issue in Ubuntu and flavors has already been solved, so that wasn't the cause either. What I could figure out was why I saw no ads when connected through ethernet, and did see ads when connected through wifi. And then suddenly, thanks to @Jack Yaz, it all made sense. My son usually uses this laptop, wirelessly. So the MAC-address of the internal WiFi-adapter was listed in DNS Filtering, assigned to OpenDNS Family and therefore not protected against ads by AB-Solution. The same goes for his iOS devices. I did see some ads on iOS (in-game ads), but I thought that were ads that AB-Solution couldn't filter. The MAC address from the Ethernet card however, wasn't on the DNS Filtering list, because I'm the only one using wired connections for upgrades and configuration.

I wonder whether it would technically be possible to have DNS Filtering working with AB-Solution, instead of excluding clients. Combined would be ideal, but I don't have enough knowledge of the underlying code to even guess whether that's remotely possible. @RMerlin, I suppose if any can answer that, it would be you?

Summary: Clients being registered in AIProtection > DNS-filtering apparently cannot be protected from ads by AB-Solution, as the traffic of these clients appears to bypass AB-Solution and Pixelserv-TLS altogether. Clients using DNS-filtering are not able to resolve other clients locally. This scenario has been tested with three (wireless) clients in the DNS Filtering List which were assigned to OpenDNS Family. The DNS-servers manually entered on the WAN page are 208.67.222 and 208.67.220.220 (OpenDNS Home). DNSCrypt (installer by bigeyes0x0) has only one DNS server configured: Cisco/OpenDNS Home with credentials supplied for dynamic IP updating. Local resolving appeared impossible as long as the clients were on the DNS Filtering List. Uninstalling DNSCrypt made no difference. Disabling DNS Filtering solved all the issues. After disabling it, all clients' DNS-queries were resolved by 192.168.1.1 (router's IP) and resolving local clients worked as expected (LAN DHCP Settings > Advertise router's IP in addition to user-specified DNS: Yes, LAN Domain: lan).

Would it be possible to have DNS Filtering enabled and still benefit from AB-Solution with Pixelserv-TLS functionality? There's some more info in post #1293 and if you need anything else, let me know.
 
Hi,

I am trying to install Pixelserv and am getting a strange IP range, which I have not received before.

I have to pick an IP:

This is where you enter the
IP address you reserved earlier.

It must be:
higher than 192.168.1.1
and lower than 192.168.1.2

I don't have an option here. Is there something on my end that's wrong?

Sounds like you missed the "DO THIS NOW"-step in the Pixelserv-TLS AB-Solution setup...

Before proceeding to the next step (preferably before even starting the setup) you need to limit the size of the DHCP pool, to make sure there is an available IP for Pixelserv-TLS to run on permanently. Assuming you have aborted the installation, go to LAN > LAN DHCP and edit the starting IP of the DHCP pool. If you plan on assigning some devices a fixed IP reserve the first 10, 20, 30 IP addresses or how much you will need by adjusting the starting IP, by editing the last value. I personally have 192.168.1.200 as starting IP, because I assign (nearly) every device a static IP and only family gets an IP through DHCP occasionally.

If you don't plan on assigning fixed IPs, just start your DHCP pool at 192.168.1.3. This means that the addresses from 192.168.1.3 until 192.168.1.255 are available to the DHCP server, to be assigned to the clients in your network, requesting an address through DHCP. Pixelserv-TLS needs its own fixed IP-address, as explained at the "DO THIS NOW"-page. Otherwise requests can't be redirected towards Pixelserv-TLS to handle the response. So, edit the starting IP of the pool, press apply, reboot your router so most of the clients (hopefully) get a new IP-address assigned, and start over.

Now assign 192.168.1.2 to Pixelserv-TLS when asked for it. Notice that it will now say 'higher than 192.168.1.1 and lower than 192.168.1.3' (or whatever starting IP you filled in at the LAN DHCP settings page). In case that 192.168.1.2 has already been assigned to a device, find out which device it is and unplug the power (or renew the dhcp lease if it's a computer or tablet or something alike). If the IP is not available (as in 'free'), Pixelserv cannot be installed. Another IP is fine too, as long as it isn't available to the DHCP server, i.e. higher than the router's IP, lower than the starting IP or higher than the end IP of the DHCP pool.
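
The address rule from the reply above, as an added example that is not part of the original post or of the AB-Solution installer: it reports why a candidate address cannot be used and lists the addresses that can. The function names, the /24 prefix, the pool end of 192.168.1.254 and the exclusion of the network and broadcast addresses are assumptions of this sketch.

```python
import ipaddress


def reasons_unusable(candidate, router_ip, prefix_len, pool_start, pool_end, in_use=()):
    """Return the reasons a candidate fixed IP is unsuitable (empty list = usable)."""
    net = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    addr = ipaddress.ip_address(candidate)
    router = ipaddress.ip_address(router_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    if addr not in net:
        return ["outside the LAN subnet"]
    reasons = []
    if addr in (net.network_address, net.broadcast_address):
        reasons.append("network or broadcast address")
    if addr <= router:
        reasons.append("not higher than the router's IP")
    if start <= addr <= end:
        # The DHCP server may hand this address to any client.
        reasons.append("inside the DHCP pool")
    if addr in {ipaddress.ip_address(a) for a in in_use}:
        reasons.append("already in use by another device")
    return reasons


def usable_static_ips(router_ip, prefix_len, pool_start, pool_end, in_use=()):
    """List every host address in the LAN that passes all checks."""
    net = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    return [
        str(host)
        for host in net.hosts()
        if not reasons_unusable(str(host), router_ip, prefix_len, pool_start, pool_end, in_use)
    ]


if __name__ == "__main__":
    # Pool starting directly after the router: nothing is left to reserve.
    print(usable_static_ips("192.168.1.1", 24, "192.168.1.2", "192.168.1.254"))
    # Pool moved up by one address: 192.168.1.2 becomes available.
    print(usable_static_ips("192.168.1.1", 24, "192.168.1.3", "192.168.1.254"))
```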
 
I wonder whether it would technically be possible to have DNS Filtering working with AB-Solution, instead of excluding clients.
Sorry, not possible. DNS Filtering works by intercepting all the DNS requests from a client and sending them directly to the assigned DNS server, bypassing the router dnsmasq. This allows applications which hardcode their DNS servers to be redirected. But dnsmasq handling the DNS requests is required for ABSolution.

By the way, on Merlin, if you use a VPN Client and specify 'Exclusive' for the DNS handling, you are essentially doing the same thing, and the VPN clients will not be able to use ABSolution.
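
One way to see which clients are affected by the interception described above, as an added example that is not from the original post or the firmware: it reads `iptables -t nat -S` style output and lists clients whose port 53 traffic is DNAT'ed to something other than the router. The chain name, MAC addresses and rule layout in the sample are constructed assumptions, and rules with negated (`!`) matches are not interpreted.

```python
import shlex

# Constructed sample in `iptables -t nat -S` syntax. The chain name and the
# MAC addresses are assumptions for illustration, not taken from the firmware.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-N DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -m mac --mac-source AA:BB:CC:00:00:01 -j DNAT --to-destination 208.67.222.123
-A DNSFILTER -m mac --mac-source AA:BB:CC:00:00:02 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tokens[i].startswith("-") and has_value:
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            rule[tokens[i]] = True
            i += 1
    return rule


def dns_bypass(rules_text, router_ip):
    """Return sorted (client, upstream) pairs whose DNS never reaches dnsmasq
    on the router, so a dnsmasq-based blocklist cannot filter them."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    # User chains that port 53 traffic is sent into.
    dns_chains = {
        r["-j"] for r in rules
        if r.get("--dport") == "53" and isinstance(r.get("-j"), str) and r["-j"] != "DNAT"
    }
    findings = set()
    for r in rules:
        if r.get("-j") != "DNAT":
            continue
        if r.get("--dport") != "53" and r["chain"] not in dns_chains:
            continue  # DNAT for something other than DNS
        dest = r.get("--to-destination")
        if not isinstance(dest, str):
            continue
        upstream = dest.split(":")[0]  # drop an optional :port (IPv4 only)
        if upstream != router_ip:
            client = r.get("--mac-source")
            findings.add((client if isinstance(client, str) else "any client", upstream))
    return sorted(findings)


if __name__ == "__main__":
    for client, upstream in dns_bypass(SAMPLE_RULES, "192.168.1.1"):
        print(f"{client}: DNS redirected to {upstream}, not filtered by dnsmasq")
```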
 
Thanks for clarifying that @john9527. One more question though: how can dnscrypt for example force all outgoing traffic through dnscrypt, yet there are limitations for AB-Solutions to do the same. Is that a limitation of dnsmasq?
 
Thanks for clarifying that, @john9527. I wasn't sure, as that was long before I recently ditched dd-wrt on my Netgear collection of hardware and treated myself an Asus router to be able to install Asuswrt Merlin. It does raise the question why they don't play nice together.

@thelonelycoder To tie the loose ends together: I finally figured it out. DNSCrypt has nothing to do with it. The issue was caused by, you probably guessed it by now, DNS Filtering, which I started using recently (with the release of 380.68_0 I decided to give it a try). Somehow, all the clients who have been assigned a different DNS-server in DNS Filtering, bypass AB-Solution (and thus Pixelserv-TLS) somehow. The rest of the clients work as supposed. The DNS issue in Ubuntu and flavors has already been solved, so that wasn't the cause either. What I could figure out was why I saw no ads when connected through ethernet, and did see ads when connected through wifi. And then suddenly, thanks to @Jack Yaz, it all made sense. My son usually uses this laptop, wirelessly. So the MAC-address of the internal WiFi-adapter was listed in DNS Filtering, assigned to OpenDNS Family and therefore not protected against ads by AB-Solution. The same goes for his iOS devices. I did see some ads on iOS (in-game ads), but I thought that were ads that AB-Solution couldn't filter. The MAC address from the Ethernet card however, wasn't on the DNS Filtering list, because I'm the only one using wired connections for upgrades and configuration.

I wonder whether it would technically be possible to have DNS Filtering working with AB-Solution, instead of excluding clients. Combined would be ideal, but I don't have enough knowledge of the underlying code to even guess whether that's remotely possible. @RMerlin, I suppose if any can answer that, it would be you?

Summary: Clients being registered in AIProtection > DNS-filtering apparently cannot be protected from ads by AB-Solution, as the traffic of these clients appears to bypass AB-Solution and Pixelserv-TLS altogether. Clients using DNS-filtering are not able to resolve other clients locally. This scenario has been tested with three (wireless) clients in the DNS Filtering List which were assigned to OpenDNS Family. The DNS-servers manually entered on the WAN page are 208.67.222 and 208.67.220.220 (OpenDNS Home). DNSCrypt (installer by bigeyes0x0) has only one DNS server configured: Cisco/OpenDNS Home with credentials supplied for dynamic IP updating. Local resolving appeared impossible as long as the clients were on the DNS Filtering List. Uninstalling DNSCrypt made no difference. Disabling DNS Filtering solved all the issues. After disabling it, all clients' DNS-queries were resolved by 192.168.1.1 (router's IP) and resolving local clients worked as expected (LAN DHCP Settings > Advertise router's IP in addition to user-specified DNS: Yes, LAN Domain: lan).

Would it be possible to have DNS Filtering enabled and still benefit from AB-Solution with Pixelserv-TLS functionality? There's some more info in post #1293 and if you need anything else, let me know.
Assuming the reason you want DNS filtering is for different upstream/WAN DNS after AB Solution e.g. Family for some, Home for others?

One idea would be to virtualise different instances of PiHole (for example) and set up the blocks yourself in there, or subscribe to lists that mimic the upstream you want. I don't think it's possible in the router with a single instance of dnsmasq to handle upstream DNS per client
 
assigned to OpenDNS Family
If your son experiences slow connection to websites now it may be caused by this. On my previous router I was simply using 208.67.222.123 as DNS and when I installed the ASUS one I saw all the new features and enabled OpenDNS Family like you and it only took a few days for my girlfriend to let me know that something was wrong, new router was worse than before. When she was refreshing a page after a while there was a long delay before page showed up, was very annoying. I didn't experience any of this with my PC because I was set on "No Filtering". Thanks to @RMerlin for the DNS hint, I replaced OpenDNS Family for Custom IP above and all was back to normal. Phew! Girlfriend wasn't happy with new router but now it's ok.
 
Assuming the reason you want DNS filtering is for different upstream/WAN DNS after AB Solution e.g. Family for some, Home for others?

Correct, OpenDNS Family for the kid, OpenDNS Home (with a premium subscription to customize the settings) for the rest of the family and IoT devices.

In regards to PiHole, it's the second time I heard of that this week, but I don't have a clue what it is. As I will most likely spend a fair amount of time in waiting rooms in a clinic in the upcoming weeks, you've just given me at least one topic to familiarize myself with.

It's not really such a big deal, it's mainly an added layer of protection for the laptop my son uses, as the iOS devices are limited to whitelisted websites only, but I'd rather have less manual whitelisting to do. To be honest: the way things are heading now with my health, chances are increasing that I might be away from home for a period up to six months. I'm just trying to prepare things as good as I can as my wife and anything with a display on it are basically like water and fire (besides the iPhone glued to her forehead). I need my son to be able to safely use his tablet and laptop as I have only limited possibilities to login remotely (and I need my technophobic wife to be willing to unlock the door from the inside through the WebUI... :confused:) Well, always up for a challenge... ;)
 
Correct, OpenDNS Family for the kid, OpenDNS Home (with a premium subscription to customize the settings) for the rest of the family and IoT devices.

In regards to PiHole, it's the second time I heard of that this week, but I don't have a clue what it is. As I will most likely spend a fair amount of time in waiting rooms in a clinic in the upcoming weeks, you've just given me at least one topic to familiarize myself with.

It's not really such a big deal, it's mainly an added layer of protection for the laptop my son uses, as the iOS devices are limited to whitelisted websites only, but I'd rather have less manual whitelisting to do. To be honest: the way things are heading now with my health, chances are increasing that I might be away from home for a period up to six months. I'm just trying to prepare things as good as I can as my wife and anything with a display on it are basically like water and fire (besides the iPhone glued to her forehead). I need my son to be able to safely use his tablet and laptop as I have only limited possibilities to login remotely (and I need my technophobic wife to be willing to unlock the door from the inside through the WebUI... :confused:) Well, always up for a challenge... ;)
It's an adblocking DNS server, much like AB-Solution. In PiHole's case it can be run on a Raspberry Pi, or if you have an always on server you could virtualise it. Since you just need 2 different upstream DNS then you could use OpenDNS Home Premium with AB-Solution on the router, and PiHole as the DNS for your son, using Family as upstream. PiHole has a WebUI too. Having said that v4 AB-Solution I think I read will have a webUI too, though I don't think @thelonelycoder has set any dates for release/development as yet.
 
no real way to filter good yt from bad yt that I'm aware of.

True. The only device Youtube is allowed on for my son is the AppleTV, with Google's content restrictions (which are worthless), connected to the TV in main living room, and he isn't allowed to watch it without mom or dad present. Because of his autism he has an unusual interest in several 'heavy' matters, like atomic bombs, the second world war, tornadoes and several other things. While he's fascinated by these subjects, he's unconsciously feeding the fears that come with his anxiety disorder, so we're continuously seeking for a balance between a healthy, educational interest and on the other hand protecting him from an unhealthy, almost obsessive urge to unknowingly supercharge his fears, which result in severe panic attacks from time to time, mostly caused by the things he saw that have grown to unrealistic proportions in his head.

Unfortunately, it's basically impossible to prevent these things, even if I lock things down at home (which I don't want), at school they have (or rather, had) full access to the internet, with little to no supervision. I had a long talk with the principal about two months ago, explained him what my son was telling about when he came home from school and he was shocked. There were no precautions taken whatsoever. I offered my help voluntarily to setup content filtering etcetera at school, but he immediately hired an external 'professional' company to get things sorted. Which I appreciate, but the fact that the school's network was down for about two weeks, makes me think I might have probably been a better alternative :D. At least now, after summer holidays, things are up and running and their possibilities have been limited, which has caused a lot of kids now choose to go play ball outside, instead of playing violent games without supervision. Mission accomplished. At least... for now.
 