Tech9
Part of the Furniture
Ah ha!

The Chronicle of AdGuard
This is the AdGuard's story from the "prehistoric times" until today. All ups and downs, old offices, hideous interfaces and other amazing stuff.
Ah ha!
Good to know about the Russian connection. AG started acting weird on my router recently, so I went back to Diversion. AG is fun to play around with, has great reporting & logging. Diversion has much of the same, seems to integrate better w/ Merlin, and other features found in AG can be configured on other parts of the router, like assuring that the router is the exclusive provider of DNS by blocking 53, 853, 80/443 UDP & so on (DNS Director works and then doesn't). Diversion has it's quarks, but generally seems to be stable.![]()
The Chronicle of AdGuard
This is the AdGuard's story from the "prehistoric times" until today. All ups and downs, old offices, hideous interfaces and other amazing stuff.adguard.com
if you haven't updated
My signatures are dated January 2025 and no updates since then doing manual updates.The signatures file AiProtection uses updates infrequently. Chances to catch something new are slim.
Yes that's the same version # I have and it never has updates since January 2025. Thank you for responding!I support a few Asus routers remotely, the signature file shows version 2.464 from Jul 2025.
Adguard is Russian. It seems to always be the one complaining in logs about DNS rebind security issues when I tried a couple of years ago using their DNS resolvers.
- I use Cloudflare's Family DNS over TLS, with DNS Sec. Cloudflare Family does Malware and Adult. Remember, many adult sites and adverts on them are booby trapped in terms of malware.
- Validation of unsigned DNSSec replies
- DNS rebind protection enabled.
- I use Microsoft's Smartscreen and Defender on Windows PCs.
- Windows PC's locked down further by group policies and disabling of non important services (like telemetry)
- Auto Update enabled on other family member devices.
- On windows, remove some components not required by DISM (e.g. Windows Recall).
- Android and Apple devices configured to be more secure than default by disabling any "leakage" of data where possible.
- No old protocols in use like SMB v1 on any device.
- WPA3 and MAC filtering (yes, MAC filtering is not absolute, just another step to make it harder for casual)
- Long SSID passkey with complex characters and non-dictionary words
- Isolate WiFI devices from other VLANS / Intranet
- All devices must use the DNS over TLS as it's set to force on Asus router.
- AI Protection is ON and caught stuff on a regular basis, mainly, but not limited to, things like adverts being a scam.
- I use Diversion and LARGE list for Ad blocking.
- DoS enabled on routers and switches (my switches are managed types).
- WiFi devices over SharkSurf VPN at router level.
- VLANS setup on router (GT-BE98)
- Machines/Switches and software are patched.
- Any web facing servers behind reverse proxy and Cloudflare (free) as two stage certs between host and clients and hides home IP. Most security options enabled there.
- Client Outlook configured to block any countries deemed not required for emails (UK/Eire/US/Australia/NZ/Europe OK but others not so)
- SkyNet block certain countries unlikely to ever visit their URLS (North Korea etc)
- Review of privacy and security options at Google and Microsoft including setup of 2FA.
Defence in Depth for me. Just some of the stuff I've done.
# 15 in the attached list.Is ad blocking in your list?
OE
Adguard is Russian. It seems to always be the one complaining in logs about DNS rebind security
Just some of the stuff I've done.
Tech9, the point is that a signature file can likely be released much more quickly than a firmware update. Even if it updates infrequently, if you watch things like the botnet ipset blocklist in Skynet, they often don't update except every few days, or even weeks I've seen. I suspect that Trend basically uses that same blocklist for the "infected device..." portion of AIProtection, which says it's for botnets/zombies, except a more customized list based on their own observations...The signatures file AiProtection uses updates infrequently. Chances to catch something new are slim.
Something is likely wrong with your device then, if you haven't updated in that long--on signatures.My signatures are dated January 2025 and no updates since then doing manual updates.
Diversion
Skynet
I use DNS over Quic.
- All devices must use the DNS over TLS as it's set to force on Asus router.
Thread starter | Title | Forum | Replies | Date |
---|---|---|---|---|
![]() |
Can anybody explain what "Special Requirement from ISP" does? | ASUSWRT - Official | 3 |
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!