Adblock getting ignored

Hi!
I previously had Pi-Hole running in my network, but wanted to switch to adblock running on OpenWrt. My network configuration is as follows:

My OpenWrt router is the 2nd router in my house, located at 192.168.2.2. Internet connection is provided by an ISP-provided router sitting at 192.168.2.1 (some devices are jacked into the ethernet ports of that router). The OpenWrt device was previously set up as a dumb AP following the dumb-AP guide.

Since I now want to use adblock on this device, I restarted dnsmasq, firewall and odhcpd there, deactivated the ISP-router's DHCP and configured the network there to use 192.168.2.2 as DNS server.

After rebooting, devices weren't able to access the internet anymore, due to what seemed like a DNS error. At the OpenWrt router, I went to Network->Interfaces->LAN->edit and set "Use custom DNS servers" to 8.8.8.8. After this, internet started working again.

I then installed adblock and the LuCI interface to it. The service is running and can download blocklists, but it seems to be ignored by devices: the "DNS reports" page in the adblock web interface shows an empty list under "Latest DNS Requests".

So I am assuming that DNS queries never reach adblock, but I'm not sure why: On my laptop, running systemd-resolve --status shows that the laptop does think that 192.168.2.2 is its nameserver. What are some configs I might have missed or tests I could run at this stage?

EDIT: after enabling logging of DNS queries, I can see entries in the system log that indicate that DNS queries DO reach the device, and are getting NXDOMAIN replies, which IIUC means they're getting blocked:

Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 352 192.168.2.113/59174 query[A] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 352 192.168.2.113/59174 config pixel.facebook.com is NXDOMAIN
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 353 192.168.2.113/35558 query[AAAA] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 353 192.168.2.113/35558 config pixel.facebook.com is NXDOMAIN
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 354 192.168.2.113/59174 query[A] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 354 192.168.2.113/59174 config pixel.facebook.com is NXDOMAIN

So why are they not showing up in the adblock log as they should? ("DNS Report" is checked in the adblock UI, tcpdump-mini is installed and the router had been rebooted after those changes)

EDIT2: switched from 192.168.1.x to 192.168.2.x

1 Like
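The syslog check from the EDIT above can be scripted; this is an added example, not part of the original post. It tallies, per client and domain, how many queries dnsmasq answered from its own configuration with NXDOMAIN (blocked) versus forwarded upstream. The function names are hypothetical, and the three `www.google.com` sample lines are constructed for illustration (the other six are the log lines quoted in the post).

```shell
#!/bin/sh
# Added example: tally dnsmasq query-log lines per client and domain.
# Assumes the log format shown in the post:
#   ... dnsmasq[pid]: <serial> <client>/<port> <action> <name> ...

summarize_dns_log() {
    awk '
    {
        base = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dnsmasq\[[0-9]+\]:$/) { base = i; break }
        if (!base || NF < base + 4) next      # not a query-log line

        split($(base + 2), who, "/")          # "192.168.2.113/59174"
        key = who[1] " " $(base + 4)          # client IP + queried name
        action = $(base + 3)

        if (action ~ /^query\[/) { seen[key] = 1; queries[key]++ }
        else if (action == "forwarded") { seen[key] = 1; forwarded[key]++ }
        else if (action == "config" && $NF == "NXDOMAIN") { seen[key] = 1; blocked[key]++ }
    }
    END {
        for (k in seen)
            printf "%s queries=%d blocked=%d forwarded=%d\n", k, queries[k], blocked[k], forwarded[k]
    }' | sort
}

# Sample input: six lines from the post plus three constructed lines.
sample_log() {
    cat <<'EOF'
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 352 192.168.2.113/59174 query[A] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 352 192.168.2.113/59174 config pixel.facebook.com is NXDOMAIN
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 353 192.168.2.113/35558 query[AAAA] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 353 192.168.2.113/35558 config pixel.facebook.com is NXDOMAIN
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 354 192.168.2.113/59174 query[A] pixel.facebook.com from 192.168.2.113
Sun Mar  7 14:15:57 2021 daemon.info dnsmasq[3730]: 354 192.168.2.113/59174 config pixel.facebook.com is NXDOMAIN
Sun Mar  7 14:16:02 2021 daemon.info dnsmasq[3730]: 355 192.168.2.113/41231 query[A] www.google.com from 192.168.2.113
Sun Mar  7 14:16:02 2021 daemon.info dnsmasq[3730]: 355 192.168.2.113/41231 forwarded www.google.com to 8.8.8.8
Sun Mar  7 14:16:02 2021 daemon.info dnsmasq[3730]: 355 192.168.2.113/41231 reply www.google.com is 203.0.113.10
EOF
}

sample_log | summarize_dns_log
```

On the router, the same function can be fed from `logread` output instead of the sample; a client that never appears in the tally is not sending its queries to this resolver at all.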

Where did the 192.168.2 subnet come from?

pixel.facebook.com could actually be a blocked domain (it is on my pihole), try a different query like www.google.com

1 Like

I'm on 192.168.2.x, I should edit the text to reflect that.

As for pixel.facebook.com, I tried that specifically because it was blocked, to see if it would get picked up by adblock. According to the syslog, it does indeed get an NXDOMAIN. But it doesn't show up in adblock's "DNS Report" (nothing does). As for www.google.com, it gets forwarded to 8.8.8.8 and resolved properly.

Update: After going on "Refresh..." on the adblock web UI, I'm now seeing stats about what's being blocked, so it looks like everything works nicely now. Not sure why it took this long to populate the stats :slight_smile:

2 Likes

After looking even more into this: I needed to set the "Force Local DNS" setting. I'm unclear on WHY this is needed, though, any explanation would be appreciated.

@untom, welcome to the community!

  • What DNS Server IP do your LAN clients receive from DHCP?
  • What is your DHCP Server?
  • Did you set your DHCP server to use DHCP Option No. 6 to offer 192.168.2.2 as the DNS server? :wink:

2 Likes

Some clients use pre-configured resolvers such as Google DNS.
Other clients/browsers may prefer DoT/DoH when possible.
Adblock can enable firewall rules to intercept plain DNS and DoT.

1 Like

Hi there!

  1. The LAN clients correctly receive 192.168.2.2 as DNS server (at least, my desktop machine plugged into the OpenWrt router does). However, I just noticed they're also getting 192.168.2.2 as their gateway, which is not correct (the gateway in this network is 192.168.2.1, the ISP's router). Any idea how to change that?

  2. DHCP should run on OpenWrt (I deactivated the DHCP on the ISP router). However, I'm a bit unclear which DHCP is running on OpenWrt: I previously ran the OpenWrt router as a dumb AP, so to set up DHCP I reverted the instructions for dumb-ap-setup: i.e., I activated both dnsmasq and odhcpd. Not sure which one of the two gives out addresses, or why this is even required (any clarifications?)

  3. No, I did not. Is that a must, or just another option?

@vgaetera: the clients (my laptop & my desk machine) do not have pre-configured DNS resolvers, and browsers are not set up to use DoH.

Gateway is option 3 in the DHCP protocol

https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

2 Likes