Adblock getting ignored

I previously had Pi-Hole running in my network, but wanted to switch to adblock running on OpenWrt. My network configuration is as follows:

My OpenWrt router is the 2nd router in my house, located at Internet connection is provided by an ISP-provided router sitting at (some devices are jacked into the ethernet ports of that router). The OpenWrt device was previously set up as a dumb AP following the dumb-AP guide.

Since I now want to use adblock on this device, I restarted dnsmasq, firewall and odhcpd there, deactivated the ISP-router's DHCP and configured the network there to use as DNS server.

After rebooting, devices weren't able to access the internet anymore, due to what seemed like a DNS error. At the OpenWrt router, I went to Network->Interfaces->LAN->edit and set "Use custom DNS servers" to . After this, internet started working again.

I then installed adblock and the LuCI interface to it. The service is running and can download blocklists, but it seems to be ignored by devices: the "DNS reports" page in the adblock web interface shows an empty list under "Latest DNS Requests".

So I am assuming that DNS queries never reach adblock, but I'm not sure why: on my laptop, running systemd-resolve --status shows that the laptop does think that is its nameserver. What are some configs I might have missed or tests I could run at this stage?

EDIT: after enabling logging of DNS queries, I can see entries in the system log that indicate that DNS queries DO reach the device, and are getting NXDOMAIN replies, which IIUC means they're getting blocked:

Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 352 query[A] from
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 352 config is NXDOMAIN
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 353 query[AAAA] from
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 353 config is NXDOMAIN
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 354 query[A] from
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 354 config is NXDOMAIN

So why are they not showing up in the adblock log as they should? ("DNS Report" is checked in the adblock UI, tcpdump-mini is installed and the router had been rebooted after those changes)

EDIT2: switched from 192.168.1.x to 192.168.2.x
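An added example, not part of the original post: one way to check from the dnsmasq query log alone whether clients' queries reach the router and get blocked, independent of adblock's "DNS Report" page. It assumes the serial-numbered log layout shown above; the client addresses, upstream address and domain names in the sample are constructed, and `summarize` is a name chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the serial-numbered dnsmasq query-log layout from the post;
# client addresses, the upstream address and the domain names are made up.
SAMPLE_LOG = """\
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 352 192.168.2.50/41234 query[A] ads.example from 192.168.2.50
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 352 192.168.2.50/41234 config ads.example is NXDOMAIN
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 353 192.168.2.50/41234 query[AAAA] ads.example from 192.168.2.50
Sun Mar  7 14:15:57 2021 dnsmasq[3730]: 353 192.168.2.50/41234 config ads.example is NXDOMAIN
Sun Mar  7 14:15:58 2021 dnsmasq[3730]: 354 192.168.2.51/50022 query[A] www.example.org from 192.168.2.51
Sun Mar  7 14:15:58 2021 dnsmasq[3730]: 354 192.168.2.51/50022 forwarded www.example.org to 192.168.2.1
Sun Mar  7 14:15:58 2021 dnsmasq[3730]: 354 192.168.2.51/50022 reply www.example.org is 203.0.113.10
Sun Mar  7 14:15:59 2021 dnsmasq[3730]: 355 192.168.2.51/50023 query[A] ads.example from 192.168.2.51
Sun Mar  7 14:15:59 2021 dnsmasq[3730]: 355 192.168.2.51/50023 config ads.example is NXDOMAIN
"""

# serial, optional "client/port" field, action, name, then "from|is|to <value>"
LINE = re.compile(
    r"dnsmasq\[\d+\]: (?P<serial>\d+) (?:\S+/\d+ )?"
    r"(?P<action>query\[\w+\]|config|forwarded|cached|reply) "
    r"(?P<name>\S+) (?:from|is|to) (?P<value>\S+)")

def summarize(log_text):
    """Pair each query with its outcome by serial number and tally per client."""
    pending = {}                                  # serial -> client address
    clients = defaultdict(lambda: {"blocked": 0, "forwarded": 0, "cached": 0})
    blocked_names = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        serial, action, name, value = m["serial"], m["action"], m["name"], m["value"]
        if action.startswith("query"):
            pending[serial] = value               # value is the "from <client>" address
            clients[value]                        # list the client even with no outcome yet
        elif serial in pending and action in ("config", "forwarded", "cached"):
            if action == "config" and value != "NXDOMAIN":
                continue                          # locally configured answer, not a block
            client = pending.pop(serial)          # count each query once
            outcome = "blocked" if action == "config" else action
            clients[client][outcome] += 1
            if outcome == "blocked":
                blocked_names[name] += 1
    return dict(clients), dict(blocked_names)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A client that is missing from the result entirely is not sending its plain DNS queries to this dnsmasq instance.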

Where did the 192.168.2 subnet come from? could actually be a blocked domain (it is on my pihole), try a different query like


I'm on 192.168.2.x, I should edit the text to reflect that.

As for, I tried that specifically because it was blocked, to see if it would get picked up by adblock. According to the syslog, it does indeed get an NXDOMAIN. But it doesn't show up in adblock's "DNS Report" (nothing does). As for, it gets forwarded to and resolved properly

Update: After going on "Refresh..." on the adblock web UI, I'm now seeing stats about what's being blocked, so it looks like everything works nicely now. Not sure why it took this long to populate the stats :slight_smile:


After looking even more into this: I needed to set the "Force Local DNS" setting. I'm unclear on WHY this is needed, though, any explanation would be appreciated.

@untom, welcome to the community!

  • What DNS Server IP do your LAN clients receive from DHCP?
  • What is your DHCP Server?
  • Did you set your DHCP server to use DHCP Option No. 6 to offer as the DNS server? :wink:

Some clients use pre-configured resolvers such as Google DNS.
Other clients/browsers may prefer DoT/DoH when possible.
Adblock can enable firewall rules to intercept plain DNS and DoT.


Hi there!

  1. The LAN clients correctly receive as DNS server (at least, my desktop machine plugged into the OpenWrt router does). However, I just noticed they're also getting as their gateway, which is not correct (the gateway in this network is, the ISP's router). Any idea how to change that?

  2. DHCP should run on OpenWrt (I deactivated the DHCP on the ISP router). However, I'm a bit unclear which DHCP is running on OpenWrt: I previously ran the OpenWrt router as dumb AP, so to set up DHCP I reverted the instructions for dumb-ap-setup: i.e., I activated both dnsmasq and odhcpd. Not sure which one of the two gives out addresses, or why this is even required (any clarifications?)

  3. No, I did not. Is that a must, or just another option?

@vgaetera: the clients (my laptop & my desk machine) do not have pre-configured DNS resolvers, and browsers are not set up to use DoH.

Gateway is option 3 in the DHCP protocol