Adblock for specific devices, tutorial to create multiple dnsmasq instances?

Hi,

I am new to OpenWrt and I know I’m asking a question that has been asked a couple of times, see for example

but I have been unable to get this to work in a satisfactory way.

I am trying to run adblock but I want to use it only to block ads on my smart tv. I am aware that the simplest solution is to assign fixed dns servers to all other devices, but I am trying to go for a self-contained solution that involves only the router configuration. The next best solution that is mentioned above is running two dnsmasq instances and assigning my tv to one of them. I am at a bit of a loss as to how to achieve this though. Does anyone know of a step by step tutorial or a set of configuration files that will achieve this? Thanks!

  • Set up a network interface adblock as a dummy interface or as a different VLAN.
  • Configure multiple dnsmasq instances for adblock and lan interfaces, note that Adblock service affects the first instance.
  • Enable Adblock service for the instance adblock_dns.
  • Use different DHCP pools for different VLANs, or use firewall rules to selectively intercept and redirect DNS traffic, or provide custom DNS settings via DHCP options based on MAC address or client ID, or just configure filtered DNS statically on the client.

Thanks vgaetera! At the moment, I am struggling with step 2:

When I do that (replacing guest in the wiki article with adblock), dhcp clients do not get assigned any dns server anymore. If I manually specify 192.168.1.1 as dns server on the client side, at least name resolution works again.

Here’s my current /etc/config/dhcp:

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'lan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option nonwildcard '1'
	list interface 'lan'
	option localservice '0'

config dhcp 'lan'
	option instance 'lan_dns'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dnsmasq 'adblock_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/adblock/'
	option domain 'adblock'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.adblock'
	option nonwildcard '1'
	list interface 'adblock'
	list notinterface 'loopback'
	option localservice '0'

config dhcp 'adblock'
	option instance 'adblock_dns'
	option interface 'adblock'
	option start '100'
	option limit '150'
	option leasetime '12h'

Specify upstream resolvers:

uci set dhcp.lan_dns.resolvfile="/tmp/resolv.conf.auto"
uci set dhcp.adblock_dns.resolvfile="/tmp/resolv.conf.auto"
uci commit dhcp
service dnsmasq restart

Thanks for the quick reply! Somehow, that didn’t help. And it does not look like the upstream resolvers are the issue: when specifying 192.168.1.1 manually as DNS server for the client, resolve requests get handled properly. But the DHCP server does not transmit either of those two options as default nameserver to the clients anymore.

I set up a couple of VMs for a router and its client and it works.
Check your resolver settings:

head -n -0 /etc/resolv.* /tmp/resolv.*

Thanks! I think I had some issue with my main client, seems to be working fine on my Android phones. Will try it again later this week.


OK, it seems the DNS server issue has been resolved: I actually had changed the local dhcpcd.conf on the Linux client a while ago and that prevented it from obtaining the correct DNS server.

Two more questions came up though:

  1. I was not able to get the DNS server to work when using a dummy interface: when assigning the IP 192.168.1.2 to the dummy interface, I could not access that IP from the client, only locally on the router. Hence, assigning it as a DNS server did not work. I just used a regular interface within the lan bridge, this seemed to work. Is this the right way of doing it if I want both DNS servers to be accessible in the network?
  2. Is there a way to tell adblock which dns server to bind to? Right now, whenever I restart the adblock service, it will enter the option serversfile line on the first listed DNS server in /etc/config/dhcp. What’s more confusing is that from testing with the configuration below, adblock seems to be active on 192.168.1.1 instead of 192.168.1.2, which is what I intended. Why is this?

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'redacted'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'bb:bb:bb:bb:bb:bb'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'adblock'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ifname 'br-lan'

/etc/config/dhcp

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'adblock_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/adblock/'
	option domain 'adblock'
	option expandhosts '1'
	option authoritative '0'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.adblock'
	option nonwildcard '1'
	list interface 'adblock'
	list notinterface 'loopback'
	option localservice '0'
	option resolvfile '/tmp/resolv.conf.auto'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'adblock'
	option instance 'adblock_dns'
	option interface 'adblock'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dnsmasq 'lan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option nonwildcard '1'
	list interface 'lan'
	option localservice '0'
	option resolvfile '/tmp/resolv.conf.auto'

config dhcp 'lan'
	option instance 'lan_dns'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option mac 'AA:AA:AA:AA:AA:AA'
	option ip '192.168.1.182'
	option tag 'adblock_tag'

config tag 'adblock_tag'
	list dhcp_option '6,192.168.1.2'

/etc/config/adblock


config adblock 'global'
	option adb_basever '3.8'
	option adb_dnsvariant 'nxdomain'
	option adb_fetchutil 'uclient-fetch'
	option adb_trigger 'wan'
	option adb_enabled '1'
	option adb_dns 'dnsmasq'

config adblock 'extra'
	option adb_debug '0'
	option adb_forcedns '0'
	option adb_report '0'
	option adb_maxqueue '4'
	option adb_nice '0'
	option adb_dnsfilereset 'false'
	option adb_backupdir '/tmp'

config source 'adaway'
	option adb_src 'https://adaway.org/hosts.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on mobile ads, infrequent updates, approx. 400 entries'
	option enabled '1'

config source 'adguard'
	option adb_src 'https://filters.adtidy.org/windows/filters/15.txt'
	option adb_src_rset 'BEGIN{FS=\"[/|^|\r]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+[\/\^\r]+$/{print tolower(\$3)}'
	option adb_src_desc 'combined adguard dns filter list, frequent updates, approx. 17.000 entries'
	option enabled '1'

config source 'bitcoin'
	option adb_src 'https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on malicious bitcoin mining sites, infrequent updates, approx. 80 entries'
	option enabled '1'

config source 'disconnect'
	option adb_src 'https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'mozilla driven blocklist, numerous updates on the same day, approx. 4.700 entries'
	option enabled '1'

config source 'dshield'
	option adb_src 'https://www.dshield.org/feeds/suspiciousdomains_Low.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'generic blocklist, daily updates, approx. 3.500 entries'
	option enabled '0'

config source 'hphosts'
	option adb_src 'https://hosts-file.net/ad_servers.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|\$)+/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, monthly updates, approx. 19.200 entries'
	option enabled '0'

config source 'malware'
	option adb_src 'https://mirror.espoch.edu.ec/malwaredomains/justdomains'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'broad blocklist, daily updates, approx. 18.300 entries'
	option enabled '0'

config source 'malwarelist'
	option adb_src 'http://www.malwaredomainlist.com/hostslist/hosts.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on malware, daily updates, approx. 1.200 entries'
	option enabled '0'

config source 'openphish'
	option adb_src 'https://openphish.com/feed.txt'
	option adb_src_rset 'BEGIN{FS=\"/\"}/^http[s]?:\/\/([[:alnum:]_-]+\.)+[[:alpha:]]+(\/|$)/{print tolower(\$3)}'
	option adb_src_desc 'focus on phishing, numerous updates on the same day, approx. 2.400 entries'
	option enabled '0'

config source 'ransomware'
	option adb_src 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on ransomware by abuse.ch, numerous updates on the same day, approx. 1900 entries'
	option enabled '0'

config source 'reg_cn'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on chinese ads plus generic easylist additions, daily updates, approx. 11.700 entries'
	option enabled '0'

config source 'reg_cz'
	option adb_src 'https://raw.githubusercontent.com/qxstyles/turris-hole-czech-block-list/master/turris-hole-czech-block-list'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on czech ads maintained by Turris Omnia Users, infrequent updates, approx. 100 entries'
	option enabled '0'

config source 'reg_de'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistgermany+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on german ads plus generic easylist additions, daily updates, approx. 9.200 entries'
	option enabled '0'

config source 'reg_id'
	option adb_src 'https://easylist-downloads.adblockplus.org/abpindo+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on indonesian ads plus generic easylist additions, weekly updates, approx. 9.600 entries'
	option enabled '0'

config source 'reg_nl'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistdutch+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on dutch ads plus generic easylist additions, weekly updates, approx. 9.400 entries'
	option enabled '0'

config source 'reg_pl'
	option adb_src 'http://adblocklist.org/adblock-pxf-polish.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on polish ads, daily updates, approx. 90 entries'
	option enabled '0'

config source 'reg_ro'
	option adb_src 'https://easylist-downloads.adblockplus.org/rolist+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on romanian ads plus generic easylist additions, weekly updates, approx. 9.400 entries'
	option enabled '0'

config source 'reg_ru'
	option adb_src 'https://easylist-downloads.adblockplus.org/ruadlist+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on russian ads plus generic easylist additions, weekly updates, approx. 14.500 entries'
	option enabled '0'

config source 'shalla'
	option adb_src 'http://www.shallalist.de/Downloads/shallalist.tar.gz'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'huge blocklist archive subdivided in different categories, daily updates. Check http://www.shallalist.de/categories.html for more categories'
	list adb_src_cat 'adv'
	list adb_src_cat 'costtraps'
	list adb_src_cat 'spyware'
	list adb_src_cat 'tracker'
	list adb_src_cat 'warez'
	option enabled '0'

config source 'spam404'
	option adb_src 'https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)+/{print tolower(\$1)}'
	option adb_src_desc 'generic blocklist, infrequent updates, approx. 6.000 entries'
	option enabled '0'

config source 'sysctl'
	option adb_src 'http://sysctl.org/cameleon/hosts'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, weekly updates, approx. 16.500 entries'
	option enabled '0'

config source 'ut_capitole'
	option adb_src 'https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'huge blocklist archive subdivided in different categories, daily updates. Check https://dsi.ut-capitole.fr/blacklists/index_en.php for more categories'
	list adb_src_cat 'publicite'
	list adb_src_cat 'cryptojacking'
	list adb_src_cat 'ddos'
	list adb_src_cat 'malware'
	list adb_src_cat 'phishing'
	list adb_src_cat 'warez'
	option enabled '0'

config source 'whocares'
	option adb_src 'http://someonewhocares.org/hosts/hosts'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, weekly updates, approx. 10.000 entries'
	option enabled '0'

config source 'winspy'
	option adb_src 'https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on windows spy & telemetry domains, infrequent updates, approx. 300 entries'
	option enabled '0'

config source 'winhelp'
	option adb_src 'http://winhelp2002.mvps.org/hosts.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, infrequent updates, approx. 13.000 entries'
	option enabled '0'

config source 'yoyo'
	option adb_src 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on ad related domains, weekly updates, approx. 2.400 entries'
	option enabled '1'

It requires another subnet to avoid routing collision, but it seems there's another issue, so I temporarily put this method on hold.

Looks like the destination IP is the first one which the device is reached on the related interface, so we need to work around it with another port.

This is a firewall-based method:

  • Either configure a static lease or change the rule to depend on MAC address instead of IP.
  • If you need IPv6, it will require additional configuration.

opkg remove kmod-dummy
rmmod dummy

uci -q delete network.adblock
uci commit network
service network restart

uci -q delete dhcp.adblock
uci -q delete dhcp.adblock_dns.interface
uci -q delete dhcp.adblock_dns.notinterface
uci add_list dhcp.adblock_dns.interface="lan"
uci set dhcp.adblock_dns.port="5333"
uci commit dhcp
service dnsmasq restart

uci -q delete firewall.adblock
uci set firewall.adblock="redirect"
uci set firewall.adblock.name="Adblock-Intercept"
uci set firewall.adblock.src="lan"
uci set firewall.adblock.src_ip="SOURCE_HOST_IP"
uci set firewall.adblock.src_dport="53"
uci set firewall.adblock.dest_port="5333"
uci set firewall.adblock.family="ipv4"
uci set firewall.adblock.proto="tcpudp"
uci set firewall.adblock.target="DNAT"
uci commit firewall
service firewall restart

Yes, there is an experimental/undocumented option 'adb_dnsinstance' ... '0' is the first instance (the default), set it to '1' to catch the second instance. Before you change that value, please stop adblock so that the old serversfile entry will be removed, then put ...

option adb_dnsinstance '1'

...to your global adblock config and restart.

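An added check, not from the thread or the adblock project, for the instance-ordering rule explained above: a small Python parser that lists the dnsmasq instances of /etc/config/dhcp in file order together with the adb_dnsinstance index that would select each one, its listen port and interfaces, and whether it currently carries the serversfile line; it also flags DHCP pools whose `instance` names no existing dnsmasq section. The embedded config is a constructed, shortened version of the one posted earlier in the thread.

```python
# Added example, not from the thread: list the dnsmasq instances of an OpenWrt
# /etc/config/dhcp in file order (adblock's adb_dnsinstance picks by position).
import re

# Constructed sample modelled on the thread's posted config, shortened:
# adblock_dns first (port 5333, adblock serversfile), lan_dns second.
SAMPLE_DHCP = """
config dnsmasq 'adblock_dns'
	list interface 'lan'
	option port '5333'
	option serversfile '/tmp/adb_list.overall'
config dhcp 'adblock'
	option instance 'adblock_dns'
config dnsmasq 'lan_dns'
	list interface 'lan'
config dhcp 'lan'
	option instance 'lan_dns'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse UCI text into ordered sections: {type, name, opts: {key: [values]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            sections.append({"type": m[1], "name": m[2], "opts": {}})
        elif (m := ENTRY_RE.match(line)) and sections:
            sections[-1]["opts"].setdefault(m[2], []).append(m[3])
    return sections

def dnsmasq_instances(text):
    """dnsmasq sections in file order, each with the adb_dnsinstance index selecting it."""
    out = []
    for sec in parse_uci(text):
        if sec["type"] == "dnsmasq":
            o = sec["opts"]
            out.append({"adb_dnsinstance": len(out), "name": sec["name"],
                        "port": int(o.get("port", ["53"])[0]),  # dnsmasq default port
                        "interfaces": o.get("interface", []),
                        "has_serversfile": "serversfile" in o})
    return out

def dangling_pools(text):
    """Names of 'config dhcp' pools whose 'instance' matches no dnsmasq section."""
    secs = parse_uci(text)
    known = {s["name"] for s in secs if s["type"] == "dnsmasq"}
    return [s["name"] for s in secs if s["type"] == "dhcp"
            and "instance" in s["opts"] and s["opts"]["instance"][0] not in known]

if __name__ == "__main__":
    print(*dnsmasq_instances(SAMPLE_DHCP), sep="\n")
    print("pools referencing an unknown instance:", dangling_pools(SAMPLE_DHCP))
```

Run it against a copy of the real file (`dnsmasq_instances(open("/etc/config/dhcp").read())`) to see which index to put in `adb_dnsinstance` and which instance still holds the old serversfile entry before switching.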

It’s working fine now, using the firewall redirect, thanks a lot for all the help, vgaetera!

And thanks dibdot, also for writing the adblock plugin!

