Adblock in OpenWrt

I installed Adblock in OpenWrt (of course to block ads on my local network). I use a Turris Omnia router.

The Dutch forum advises doing the following:

  1. Intercept all traffic to port 53
  2. Block all traffic on port 853 (DoT)
  3. Block all traffic to known DoH servers

Is this correct? And how to do point 3? Thanks.

Yes, I have seen that article. But I am new to this, so it’s difficult for me to follow.

Hi!

I’m sorry for not being able to help you with this straight away, but may I ask why you would want to go about hijacking DNS in this case?

I mean would it just be sufficient to advertise your router’s DNS server to your clients? Then, if someone in your network really, really wants to see ads, they can choose to use some other, external DNS server.

I’m running adblock on my main router, but tbh it never even crossed my mind to go as far as doing DNS hijacking.

That said, I do reckon there might be other legitimate reasons to hijack DNS, but just for enforcing adblock it seems a bit overkill.

You don't need to specify any rules outside of adblock. Just check the main adblock status page ... e.g. from Turris Omnia 9.0.3 with kresd as DNS backend (hbs branch)

Just select the dedicated block lists (under feed selection) and specify the Interface/ports as shown in the screenshot and you're done.

Thanks, I have done that. But I was told on a Dutch forum that it was not right :+1:

Well then, good luck with your further research in the Dutch forum.

I trust you, no worries. I am a little bit surprised, that's all. But I like your clear comment :+1:

Might be making a logical error or missing something.

I look at the log view and see this error message:

Thu Feb 19 22:56:21 2026 user.err adblock-4.4.2-r4[6515]: dns backend not found, please set 'adb_dns' manually

Thanks for helping this noob. :sweat_smile:

PIC2 - also intercept IPv6; as long as you do not have a global IPv6 connection it makes no difference.

Well, you've a Turris Omnia and switched your OS from Turris OS to OpenWrt, at least that's what your first screenshot claims. Therefore, please also use the standard DNS resolver under OpenWrt - which is dnsmasq (not kresd!). For hagezi please also specify the lists you want to use, e.g.

For this you usually need banip (ban known DNS IPs such as 1.1.1.1 and 8.8.8.8)

You can also point common DNS domains such as dns.google and one.one.one.one to your own router IP (e.g. 192.168.1.1).

I don’t disagree with the tall slavs. It’s better to reject port 853 than hijack it and send it to port 53. Here’s how I handle DoT and DoQ.

I only hijack port 53. Hijacking port 5353 (another option offered by adblock) can wreak havoc on mDNS depending on your setup.

Next select the doh_blocklist via adblock.

Finally, it’s been a while since I’ve used banip and even longer since I used its doh_blocklist. It caused WAY too many false positives. I resorted to a better-than-nothing solution: manually blocking the most popular ones, Google and Cloudflare, with this rule.

This won’t get you 100% coverage but will get you most of the way there without breakage. If someone is determined to get around this, they can. However, my logs show it’s very effective.

Edit:

For easier copy and pasting, the rules above as applied to /etc/config/firewall:

# Reject DNS-over-TLS (853/tcp) and DNS-over-QUIC (853/udp) from any zone towards WAN
config rule
        option src '*'
        option dest 'wan'
        option dest_port '853'
        option target 'REJECT'
        option name 'Block-DoT-DoQ'
        list proto 'tcp'
        list proto 'udp'

# Reject direct connections to well-known public resolvers (plain DNS on 53, DoH on 80/443)
config rule
        option name 'Block-DNS-IPs'
        option src '*'
        option target 'REJECT'
        option dest 'wan'
        list dest_ip '1.1.1.1'
        list dest_ip '1.0.0.1'
        list dest_ip '8.8.8.8'
        list dest_ip '8.8.4.4'
        list dest_ip '104.16.248.249'
        list dest_ip '104.16.249.249'
        list dest_ip '2606:4700:4700::1111'
        list dest_ip '2606:4700:4700::1001'
        list dest_ip '2001:4860:4860::8888'
        list dest_ip '2001:4860:4860::8844'
        list dest_ip '2606:4700::6810:f9f9'
        list dest_ip '2606:4700::6810:f8f9'
        option dest_port '53 80 443'
        list proto 'tcp'
        list proto 'udp'

Thanks. Let me clarify my situation first. I flashed my Turris Omnia router to OpenWrt (I'm running the newest version, 24.10). Because it is not possible to set my ISP router to bridge mode, I am using double NAT (in DMZ mode). IPv6 is not working in DMZ mode, which is why I have disabled IPv6. I hope my explanation is clear. What would be the best option in this situation?

Here is a more comprehensive list:

There are two lists, one for DNS domains, other for DNS ip addresses.
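The hand-maintained stanza posted above and the "two lists" (domains and IP addresses) mentioned here are the same idea at different sizes. The following POSIX sh script is an added example (not code from the thread, from OpenWrt or from adblock/banip): it turns a plain-text IP list into the same Block-DNS-IPs stanza for /etc/config/firewall, skipping malformed entries, and turns a resolver hostname list into dnsmasq `address=` overrides that answer those names with the router's own address, as suggested earlier in the thread. The sample lists and the router IP 192.168.1.1 are constructed here; the `is_ip` check is a deliberately simple syntax check, not full address validation.

```shell
#!/bin/sh
# Added example: generate a firewall stanza and dnsmasq overrides from
# plain-text lists of public resolvers. Sample inputs are constructed.

# Constructed sample: one IP per line, '#' comments and blank lines allowed.
DNS_IPS='
# Cloudflare
1.1.1.1
1.0.0.1
2606:4700:4700::1111
# Google
8.8.8.8
not-an-ip
'

# Constructed sample: resolver hostnames to redirect to the router itself.
DNS_DOMAINS='
dns.google
one.one.one.one
cloudflare-dns.com
'

# is_ip: crude syntax check - IPv4 dotted quad, or anything with ':' is
# taken to be an IPv6 literal (assumption, good enough to reject junk lines).
is_ip() {
    case "$1" in
        *:*) return 0 ;;
        *) printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    esac
}

# clean_list: strip comments, surrounding whitespace and blank lines.
clean_list() {
    printf '%s\n' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# gen_firewall_rule NAME LIST: emit a UCI 'config rule' stanza that rejects
# traffic from any zone to WAN for each IP on ports 53/80/443 (tcp and udp).
# Malformed entries are reported on stderr and left out of the stanza.
gen_firewall_rule() {
    name=$1; list=$2
    printf "config rule\n"
    printf "\toption name '%s'\n" "$name"
    printf "\toption src '*'\n"
    printf "\toption dest 'wan'\n"
    printf "\toption target 'REJECT'\n"
    clean_list "$list" | while IFS= read -r ip; do
        if is_ip "$ip"; then
            printf "\tlist dest_ip '%s'\n" "$ip"
        else
            printf "skipped invalid entry: %s\n" "$ip" >&2
        fi
    done
    printf "\toption dest_port '53 80 443'\n"
    printf "\tlist proto 'tcp'\n"
    printf "\tlist proto 'udp'\n"
}

# gen_dnsmasq_overrides ROUTER_IP LIST: emit dnsmasq 'address=/name/ip' lines
# so lookups of well-known resolver hostnames return the router's address.
gen_dnsmasq_overrides() {
    router=$1; list=$2
    clean_list "$list" | while IFS= read -r d; do
        printf 'address=/%s/%s\n' "$d" "$router"
    done
}

# Usage: print both fragments to stdout; skipped lines go to stderr.
gen_firewall_rule 'Block-DNS-IPs' "$DNS_IPS"
gen_dnsmasq_overrides '192.168.1.1' "$DNS_DOMAINS"
```

The stanza output is meant to be appended to /etc/config/firewall and the `address=` lines to a dnsmasq config fragment, followed by the usual service reloads. Keeping the lists in plain files makes it easy to diff them when a resolver changes address, which is the upkeep that the hand-written rule above otherwise needs.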

Thanks. I changed the standard DNS resolver, and after that Adblock started running (see screenshot). I also changed the settings (added them) for Hagezi (see screenshot). Is everything set now?

Yep, looks reasonable. Just a nitpick: Usually it's sufficient to define one trigger interface - in your case "wan".