Diversion Hosted Allow List - What am I doing wrong?

doczenith1

I have smetrics.foxnews.com in my allow list but it is showing up in the follow (f) > Follow Blocked domains, by device IP (4).

Here is a screenshot from f > 4
1774648227110.png


And here is a screenshot from show file content (sf) > shared-Diversion-whitelist (84)
1774648313219.png


I keep looking for a typo in the allow list entry but not seeing one...

And just noticed that there appears to be a lingering "whitelist" reference in the code, not that it bothers me...
 
Could be a problem with the order of allowing and blocking. Can you post the output?
Code:
grep -H smetrics.foxnews.com /opt/share/diversion/list/*.conf
grep "/opt/share/diversion/list/" /etc/dnsmasq.conf
 
Code:
@RT-AX88U_Pro-EE80:/tmp/home/root# grep -H smetrics.foxnews.com /opt/share/diversion/list/*.conf
/opt/share/diversion/list/allowlist.conf:server=/smetrics.foxnews.com/#
/opt/share/diversion/list/blockinglist.conf:local=/smetrics.foxnews.com/

Code:
@RT-AX88U_Pro-EE80:/tmp/home/root# grep "/opt/share/diversion/list/" /etc/dnsmasq.conf
conf-file=/opt/share/diversion/list/allowlist.conf
conf-file=/opt/share/diversion/list/blockinglist.conf
conf-file=/opt/share/diversion/list/denylist.conf
 
As Dave guessed, it appears that your allowlist and blockinglist are in the wrong order. I have no idea why that would happen as I don't use Diversion. Perhaps a reinstall of Diversion will fix it?
 
That’s definitely how Diversion appends the entries in dnsmasq.postconf. If this is the root cause, I wonder why it’s not been noticed before. Unless the behavior changed in dnsmasq lately.
 
It looks like I was wrong. :oops: I've just checked and it appears that it doesn't matter which way around those conf-file lines go. So the precedence must be set by the server= and local= lines?

The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual.
I can't see anything that explicitly states the "/#" suffix takes precedence when the domains are both the same but that appears to be so.

In which case we're no nearer to fixing @doczenith1's problem.
 
I remember, some time ago we had the same problem and @dave14305 suggested I reorder the lists to how they are now.
 
My own investigation clearly shows Dnsmasq changed at some time later than this version shown below.
This router runs on Firmware 3004.388.8_4 and unblocks smetrics.foxnews.com when added to the allowlist.
Code:
thisuser@RT-AX56U:/tmp/home/root# dnsmasq --version
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP

While this router on FW 3006.102.7_2 no longer honors the allowlist:
Code:
thisuser@GT-AX6000:/tmp/home/root# dnsmasq --version
Dnsmasq version 2.93-test2  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth DNSSEC no-ID loop-detect no-inotify no-dumpfile
 
Well I had no idea my "simple" question would open up this can of worms. Appreciate everyone's help with the issue. I also forgot to mention the version of Diversion I'm using which is 5.5.
 
Your issue revealed a bug in later Dnsmasq versions that is likely not going to be fixed soon in our firmware. That is, if it gets debugged in Dnsmasq first.
The workaround for Diversion is a lot of re-implementing of deleted code from pre-Diversion 5.0 behaviour.
This will take considerable time to do. I’m not sure I can motivate myself to do it. What a bummer this bug crept into Dnsmasq.
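
The overlap that the grep output earlier in the thread revealed (the same domain present as `server=/…/#` in allowlist.conf and as `local=/…/` in blockinglist.conf) can be listed for every allow list entry at once. This is an added example, not part of the thread and not Diversion's own code; the function names `find_overlap` and `demo` and the sample data are constructed, and it assumes the one-domain-per-line formats shown in the posted output.

```shell
#!/bin/sh
# Added example (not Diversion's code). Prints every domain that has both a
# server=/domain/# line in the allow list and a local=/domain/ line in the
# blocking list, i.e. entries whose result depends on how dnsmasq ranks the two.
# Assumption: one domain per line, in the formats shown in the thread.
# On the router from the thread the call would be:
#   find_overlap /opt/share/diversion/list/allowlist.conf \
#                /opt/share/diversion/list/blockinglist.conf

find_overlap() {
    allow_file=$1
    block_file=$2
    # pass=1: remember domains from server=/domain/# lines (allow list).
    # pass=2: print domains from local=/domain/ lines that were remembered.
    # Using a pass variable instead of NR==FNR keeps an empty allow list safe.
    awk -F/ '
        pass == 1 { if ($1 == "server=" && $3 == "#") allow[tolower($2)] = 1; next }
        $1 == "local=" && (tolower($2) in allow) { print tolower($2) }
    ' pass=1 "$allow_file" pass=2 "$block_file" | sort -u
}

# Constructed sample data in the same line formats as the posted grep output.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'server=/smetrics.foxnews.com/#' 'server=/example.org/#' \
        > "$tmp/allowlist.conf"
    printf '%s\n' 'local=/smetrics.foxnews.com/' 'local=/ads.example.net/' \
        > "$tmp/blockinglist.conf"
    find_overlap "$tmp/allowlist.conf" "$tmp/blockinglist.conf"
    rm -rf "$tmp"
}

demo   # prints: smetrics.foxnews.com
```

Only exact-name matches are reported; a blocking entry for a parent domain is not treated as an overlap.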
 
