Diversion seemingly not blocking ads


m1nkeh

Occasional Visitor
Hey,

A while ago now I installed Diversion onto my AC86, but I remain unconvinced that it's working correctly.. I eventually figured out that my custom specification of DNS servers under WAN --> WAN DNS Setting --> Connect to DNS server automatically was set to 'No' and was therefore probably causing a problem, so I switched this back to 'Yes'.

Are there other things I need to check though? Should I be specifying my router as DNS somewhere? Should I be forcing LAN --> DNSFilter --> ON (Router)? Genuinely not sure..
The uiDivStats page shows that *some* things are getting blocked.. but the numbers seem really, really low, i.e. around 5% of DNS queries according to the graph. Is this right? I was expecting a lot more...

The YouTube blocking is also exceptionally hit or miss, but I did find this thread (https://www.snbforums.com/threads/diversion-youtube-adblocker-is-not-not-blocking-ads.68606/) which seems to suggest that it's effectively useless currently..

Right now I am considering a full re-flash of the router as my version of the Merlin firmware is over a year old, and I'm worried there is a setting somewhere I'm missing / have forgotten about.

One additional thing to note.. is that I spend a lot of time with the router VPN on, so I guess the blocking could be getting affected by that too? Is setting VPN --> Accept DNS Configuration --> Disabled the correct solution?

Cheers!

skeal

Part of the Furniture
A while ago now I installed Diversion onto my AC86, but I remain unconvinced that it's working correctly.. I eventually figured out that my custom specification of DNS servers under WAN --> WAN DNS Setting --> Connect to DNS server automatically was set to 'No' and was therefore probably causing a problem, so I switched this back to 'Yes'.
Doesn't matter.
Should I be forcing LAN --> DNSFilter --> ON (Router)? Genuinely not sure..
Yes use this feature.
One additional thing to note.. is that I spend a lot of time with the router VPN on, so I guess the blocking could be getting affected by that too? Is setting VPN --> Accept DNS Configuration --> Disabled the correct solution?
This is correct.

The more important thing is that the device wanting ad-free internet must use the router's IP as its DNS.

skeal

Part of the Furniture
You should update your router to at least 386.1_2

eibgrad

Very Senior Member
One additional thing to note.. is that I spend a lot of time with the router VPN on, so I guess the blocking could be getting affected by that too? Is setting VPN --> Accept DNS Configuration --> Disabled the correct solution?

I don't use Diversion, at all. So keep that in mind. But it doesn't seem to me that setting necessarily has to be set to Disabled. In fact, it *could* lead to DNS leaks.

I assume Diversion is like most ad blockers; it adds DNS records for specific domain names that redirect them to 0.0.0.0 in DNSMasq, which is why you need to be using DNSMasq as your DNS server. But regardless of the setting of "Accept DNS configuration" in the OpenVPN client, your LAN clients are *still* going to use DNSMasq and benefit from Diversion. The only issue w/ that option is what public DNS servers are going to be configured in DNSMasq (Exclusive means *only* the DNS server(s) push'd by the OpenVPN server, Strict means the DNS server(s) push'd by the OpenVPN server will have priority over any other public DNS servers already configured in DNSMasq, etc.).

But by choosing Disabled, you're now relying on whatever public DNS servers are already configured in DNSMasq. And by default that will be those of your ISP, or whatever you configured on the WAN using custom DNS servers (e.g., 1.1.1.1 & 1.0.0.1). And if you enable Routing Policy on the OpenVPN client, that will *remove* the router itself (and its internal processes, like DNSMasq) from the VPN, and now your DNS queries are routed over the WAN. IOW, a DNS leak!

To be clear, the concern here is when using traditional DNS (udp/tcp, port 53, in the clear) and NOT some secured solution like DoT/DoH (e.g., NextDNS) on the router. In the latter case, it wouldn't matter if DNS was accessed over the WAN or VPN since it's encrypted anyway. In that case, YES, setting "Accept DNS configuration" to Disabled makes sense, but the rationale has NOTHING to do w/ the presence or absence of Diversion. It's only about managing the potential for DNS leaks.

That's why you have to be *uber* careful about how you configure DNS. It's very tricky. Sometimes seemingly innocent changes to the config can have a significant impact in how DNS is handled, w/ the biggest concern being inadvertent DNS leaks.
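Putting skeal's point (the client must use the router's IP as its DNS) and eibgrad's description of Diversion (blocked names answered with 0.0.0.0 by dnsmasq) into a check a reader can run from a LAN client. This is an added example, not code from the thread or from the Diversion project; the router address 192.168.1.1 is assumed and the `dig` outputs below are constructed, so it runs offline.

```sh
#!/bin/sh
# Classify the output of:  dig +noall +answer +stats <domain> @<router-ip>
# run on a LAN client. Two things are checked: did the answer come from the
# router's dnsmasq (otherwise Diversion was never consulted), and was the
# name sinkholed to 0.0.0.0 (Diversion's blocking behaviour).
# ROUTER_IP is an assumed LAN address; both samples are constructed text.

ROUTER_IP="192.168.1.1"

# Constructed dig output: router answered and the domain is on a blocklist.
BLOCKED_SAMPLE='blocked.example.  0  IN  A  0.0.0.0
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan 01 00:00:00 UTC 2024'

# Constructed dig output: the client (or browser) went straight to a public
# resolver, so the router's blocklist could not apply. Google DNS used as
# the sample resolver because the thread mentions it.
LEAK_SAMPLE='blocked.example.  300  IN  A  203.0.113.10
;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 01 00:00:00 UTC 2024'

# Usage: classify_dig_output <router-ip> "<dig output>"
# Prints one of: blocked, resolved, bypassed-router, no-answer
classify_dig_output() {
    router="$1"
    output="$2"
    # Resolver that actually answered, from the ";; SERVER:" statistics line.
    server=$(printf '%s\n' "$output" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p')
    # First A record in the answer section (field 5 of "name ttl IN A addr").
    answer=$(printf '%s\n' "$output" | awk '$3 == "IN" && $4 == "A" { print $5; exit }')

    if [ "$server" != "$router" ]; then
        echo "bypassed-router"   # query never reached dnsmasq on the router
    elif [ -z "$answer" ]; then
        echo "no-answer"
    elif [ "$answer" = "0.0.0.0" ]; then
        echo "blocked"           # Diversion sinkholed the name
    else
        echo "resolved"          # router answered; name is not on a blocklist
    fi
}

classify_dig_output "$ROUTER_IP" "$BLOCKED_SAMPLE"   # blocked
classify_dig_output "$ROUTER_IP" "$LEAK_SAMPLE"      # bypassed-router
```

A run of "bypassed-router" against a domain you expect to be blocked means the device is not using the router as its DNS, which matches the low uiDivStats numbers described in the first post.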

Adooni

New Around Here
I do not have issues with Diversion; all is working very well.

One additional suggestion I can give, and it is working for RMerlin and Tomato: you should stop using web browsers that use Google DNS, like Chrome. I started to use SRWare Iron (this one is based on Chromium too) some time ago, and since then 0 commercials/ads.

Additionally, in Diversion you have the option to manually add block lists, and you can do that.

m1nkeh

Occasional Visitor
I don't use Diversion, at all. So keep that in mind. But it doesn't seem to me that setting necessarily has to be set to Disabled. In fact, it *could* lead to DNS leaks.

I assume Diversion is like most ad blockers; it adds DNS records for specific domain names that redirect them to 0.0.0.0 in DNSMasq, which is why you need to be using DNSMasq as your DNS server. But regardless of the setting of "Accept DNS configuration" in the OpenVPN client, your LAN clients are *still* going to use DNSMasq and benefit from Diversion. The only issue w/ that option is what public DNS servers are going to be configured in DNSMasq (Exclusive means *only* the DNS server(s) push'd by the OpenVPN server, Strict means the DNS server(s) push'd by the OpenVPN server will have priority over any other public DNS servers already configured in DNSMasq, etc.).

But by choosing Disabled, you're now relying on whatever public DNS servers are already configured in DNSMasq. And by default that will be those of your ISP, or whatever you configured on the WAN using custom DNS servers (e.g., 1.1.1.1 & 1.0.0.1). And if you enable Routing Policy on the OpenVPN client, that will *remove* the router itself (and its internal processes, like DNSMasq) from the VPN, and now your DNS queries are routed over the WAN. IOW, a DNS leak!

To be clear, the concern here is when using traditional DNS (udp/tcp, port 53, in the clear) and NOT some secured solution like DoT/DoH (e.g., NextDNS) on the router. In the latter case, it wouldn't matter if DNS was accessed over the WAN or VPN since it's encrypted anyway. In that case, YES, setting "Accept DNS configuration" to Disabled makes sense, but the rationale has NOTHING to do w/ the presence or absence of Diversion. It's only about managing the potential for DNS leaks.

That's why you have to be *uber* careful about how you configure DNS. It's very tricky. Sometimes seemingly innocent changes to the config can have a significant impact in how DNS is handled, w/ the biggest concern being inadvertent DNS leaks.
Fabulous reply, thanks for this. Is it correct to interpret DoT and DoH as DNS over TLS/HTTPS respectively?

Your last sentence really makes me think though.. I have never been that confident with networking in general, and DNS is something that (luckily) I'm not overly concerned about re: leaks from a security perspective - I don't live in a police state :cool: - but it bugs me how tricky it is, and thankfully it's not just me that thinks this!

As a perfectionist I want to get this right.. I will do more research, but is there a straightforward way to ensure DoT/DoH? I've not heard of NextDNS so will check that out - probably one for another thread though! :)

m1nkeh

Occasional Visitor
I do not have issues with Diversion; all is working very well.

One additional suggestion I can give, and it is working for RMerlin and Tomato: you should stop using web browsers that use Google DNS, like Chrome. I started to use SRWare Iron (this one is based on Chromium too) some time ago, and since then 0 commercials/ads.

Additionally, in Diversion you have the option to manually add block lists, and you can do that.
Interesting point. Does Google Chrome use those servers "under the covers"? Didn't realise; I do use Google Chrome from time to time.

I use Edge Chromium, and sometimes Safari mostly..

eibgrad

Very Senior Member
Fabulous reply, thanks for this. Is it correct to interpret DoT and DoH as DNS over TLS/HTTPS respectively?

Yes.

Your last sentence really makes me think though.. I have never been that confident with networking in general, and DNS is something that (luckily) I'm not overly concerned about re: leaks from a security perspective - I don't live in a police state :cool: - but it bugs me how tricky it is, and thankfully it's not just me that thinks this!

It's not just that. If your DNS queries cross the WAN in the clear, then your ISP can hijack those queries and redirect them to his own servers, and all that implies.

As a perfectionist I want to get this right.. I will do more research, but is there a straightforward way to ensure DoT/DoH? I've not heard of NextDNS so will check that out - probably one for another thread though! :)

NextDNS (DoH) seems to be growing in popularity. You have to use their installer to add the proxy to the router (in JFFS) and reconfigure DNSMasq to use it.

The GUI supports DoT natively (WAN->Internet Connection->DNS Privacy Protocol->DNS over TLS (DoT)). When enabled, you'll be able to choose among many DoT providers.