Diversion not filtering Wifi

Mogsy

Occasional Visitor
Hello,

Very new here. Just installed Diversion lite. I can see it is working via ethernet but not blocking anything with Wifi? What am I doing wrong? My main upstream dns is Quad9 with forward DNS to upstream dns selected no
 

chongnt

Very Senior Member
Hello,

Very new here. Just installed Diversion lite. I can see it is working via ethernet but not blocking anything with Wifi? What am I doing wrong? My main upstream dns is Quad9 with forward DNS to upstream dns selected no
Hi, do your wifi devices have their own DNS? In order to use Diversion, the wifi devices' DNS should be set to your router IP.
Another way is to use DNSFilter. In GUI, under LAN -> DNSFilter, set Enable DNS-based Filtering to “ON” and Global Filter Mode to “Router”. This will force all devices to use your router as DNS.
 

ColinTaylor

Part of the Furniture
try switching from diversion lite to diversion standard.
I can't think why that would make a difference to WiFi clients. AFAIK all it would do would be to add a whole new layer of complexity (pixelserv proxy) and potential instability (dcd crashes).

Sounds more like a client (iPhone) issue, e.g. DoH.

@Mogsy After the change you made in post #3 is this affecting any devices other than the iPhone(s)?
 

SomeWhereOverTheRainBow

Part of the Furniture
I can't think why that would make a difference to WiFi clients. AFAIK all it would do would be to add a whole new layer of complexity (pixelserv proxy) and potential instability (dcd crashes).

Sounds more like a client (iPhone) issue, e.g. DoH.

@Mogsy After the change you made in post #3 is this affecting any devices other than the iPhone(s)?
Oh I agree, just one more layer to test. Most likely is a DoH service in the background of the device.
 

SomeWhereOverTheRainBow

Part of the Furniture
I can't think why that would make a difference to WiFi clients. AFAIK all it would do would be to add a whole new layer of complexity (pixelserv proxy) and potential instability (dcd crashes).

Sounds more like a client (iPhone) issue, e.g. DoH.

@Mogsy After the change you made in post #3 is this affecting any devices other than the iPhone(s)?
@Mogsy
Try adding

doh.dns.apple.com to your blocklist.
 

Mogsy

Occasional Visitor
Hi guys. Sorry for late reply! Haven't got a chance to properly look into this again. Had a quick look at Divstats only, I'm scared to configure dnsmasq tbh. Will look again when I'm home, only remembering that the block page was working on everything else but iOS devices. In Divstats what's type=65?
Will report back when I can

thank you!
 

SomeWhereOverTheRainBow

Part of the Furniture
Hi guys. Sorry for late reply! Haven't got a chance to properly look into this again. Had a quick look at Divstats only, I'm scared to configure dnsmasq tbh. Will look again when I'm home, only remembering that the block page was working on everything else but iOS devices. In Divstats what's type=65?
Will report back when I can

thank you!
if you add
doh.dns.apple.com
to your diversion block list, then it should hopefully prevent your iOS devices from making auto DoH redirection. You should try it as soon as you are able and see if it resolves the seeing ads on iOS problem.
 

chongnt

Very Senior Member
if you add
doh.dns.apple.com
to your diversion block list, then it should hopefully prevent your iOS devices from making auto DoH redirection. You should try it as soon as you are able and see if it resolves the seeing ads on iOS problem.
I suspect he will still see ads due to DNS query type 65.

I still have this iptables rule to blanket block everything from this query type.

Another option is to go for AdGuardHome. AGH can filter ads from this query type by default.
 

SomeWhereOverTheRainBow

Part of the Furniture
I suspect he will still see ads due to DNS query type 65.

I still have this iptables rule to blanket block everything from this query type.

Another option is to go for AdGuardHome. AGH can filter ads from this query type by default.
adding

Code:
dns-rr=example.com,65,

to dnsmasq.conf.add appears to work.

if wildcard is supported, I imagine it could be simplified to

Code:
dns-rr=*,65,
 

SomeWhereOverTheRainBow

Part of the Furniture
I suspect he will still see ads due to DNS query type 65.

I still have this iptables rule to blanket block everything from this query type.

Another option is to go for AdGuardHome. AGH can filter ads from this query type by default.
nvm we explored this once upon a time. It must have been a day when I already had my coffee. ;)
 

Mogsy

Occasional Visitor
Sorry!
Yes, adding doh.dns.apple doesn't work. I switched from Quad9 to NextDNS just to see the logs. Everything else is filtering except iOS devices. How do I add that to dnsmasq.conf.add please?
 

Treadler

Very Senior Member
Sorry!
Yes, adding doh.dns.apple doesn't work. I switched from Quad9 to NextDNS just to see the logs. Everything else is filtering except iOS devices. How do I add that to dnsmasq.conf.add please?
No problem here, Diversion, iOS, quad9.

On your Apple device check Settings>General>VPN & make sure there’s not a dns profile installed there.
If there is, that will override Diversion.
 

SomeWhereOverTheRainBow

Part of the Furniture
Sorry!
Yes, adding doh.dns.apple doesn't work. I switched from Quad9 to NextDNS just to see the logs. Everything else is filtering except iOS devices. How do I add that to dnsmasq.conf.add please?
you need these iptables rules

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

otherwise you need to know the specific domains you are trying to block the 65 dns from.

Or use AdGuardHome.

 
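To make visible what the hex-string in those two iptables rules is actually matching, here is an added Python example (not from the thread or from Diversion): it builds a minimal DNS query, parses the question section, and compares the raw substring test the rule performs with a decision taken from the parsed QTYPE. The packet builder, the parser and the names used are constructed for this example.

```python
import struct

QTYPE_A = 1
QTYPE_HTTPS = 65                                  # the "type 65" (HTTPS) record iOS asks for
TYPE65_SIGNATURE = bytes.fromhex("0000410001")    # same bytes as the rule's --hex-string "|0000410001|"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (constructed helper)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                            # root label terminates QNAME
    return header + qname + struct.pack(">HH", qtype, 1)        # QTYPE, QCLASS=IN


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:                 # end of name
            break
        if length & 0xC0:               # compression pointers are not expected in a question
            raise ValueError("unexpected label pointer")
        labels.append(packet[pos:pos + length].decode())
        pos += length
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def string_match_rejects(packet: bytes) -> bool:
    """What the iptables rule sees: a raw substring search over the UDP payload, no DNS parsing.
    The 5 bytes are: QNAME terminator 0x00, QTYPE 0x0041 (65), QCLASS 0x0001 (IN)."""
    return TYPE65_SIGNATURE in packet


def parsed_rejects(packet: bytes) -> bool:
    """The same decision made from the parsed question instead of a byte pattern."""
    _, qtype, qclass = parse_question(packet)
    return qtype == QTYPE_HTTPS and qclass == 1


if __name__ == "__main__":
    for qtype in (QTYPE_A, QTYPE_HTTPS):
        pkt = build_query("example.com", qtype)
        print(f"qtype={qtype:2d} string-match={string_match_rejects(pkt)} parsed={parsed_rejects(pkt)}")
```

Note that both rules are written with `-p udp --dport 53`, so the same type 65 query carried over TCP port 53 is not covered by them.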

Mogsy

Occasional Visitor
you need these iptables rules

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

otherwise you need to know the specific domains you are trying to block the 65 dns from.

Or use AdGuardHome.

Thank you. Will try this in a bit. I would like to try Adguard Home. I installed it on my friend’s AX86U. I only have AX86S, and the RAM is above 90%
 

Mogsy

Occasional Visitor
No problem here, Diversion, iOS, quad9.

On your Apple device check Settings>General>VPN & make sure there’s not a dns profile installed there.
If there is, that will override Diversion.
No profile installed. Limit IP address tracking off too
 

Mogsy

Occasional Visitor
you need these iptables rules

Code:
iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m comment --comment "DNS Type 65" -m string --hex-string "|0000410001|" --algo bm -j REJECT

otherwise you need to know the specific domains you are trying to block the 65 dns from.

Or use AdGuardHome.

iptables: No chain/target/match by that name. :(
 
