Firewall rule with action apply firewall mark. Time based. Then separate hijack rule as per the link earlier with the only change that it needs to match on the mark you applied.
If a port forward (redirect) rule accepts time restrictions, why bother with a mark? Just hijack the requests during the expected update window and keep it higher priority than any existing hijack rules.
Yeah agreed but in LuCI I’m not seeing the time options for port forward hijacking.
Interesting. firewall4 UCI syntax seems to support start_time and stop_time, but it might be incomplete. Hmm.
Are these okay?
Also, when intercepting DNS what DNS server will it use? Should I specify them somewhere or does it take care of that?
Lastly, is it possible to restrict the DNS hijacking to a particular LAN device only, since it's mostly my PC which will be on during that time? Perhaps modify the Internal IP Address to point to my PC?
Seems right ballpark for what I had in mind. Try setting times that apply now to test.
Under internal IP address for the port hijack put your server of choice like 1.1.1.1.
Yeah then just put source IP or MAC as appropriate to your PC.
So either restrict to IPv4 or put in the IPv6 also for internal redirection.
I can't seem to add both IPv4 and IPv6 in Internal IP address, I guess you've got to restrict it for each address family.
EDIT: Doesn't seem to hijack my DNS with match mark? It shows my ISP's DNS server instead of Google when checking in my phone...
Another EDIT: Solved it, looks like I had to change the Source Zone in Traffic Rules and it hijacks to Google's DNS server... Thanks for helping me through.
Also lastly, I guess you are aware of what router I am using... any idea if I should use a light or pro adblock list for blocking? Currently I feel like whenever I am doing a DNS lookup (whenever my router restarts afresh) it loads very slowly but subsequent DNS lookups are faster, any idea why...? Could it be I'm hammering my memory with the pro adblock list?
Should the marking rule also only be for port 53? No need to mark everything.
Will fix that as well, thanks for pointing out.
EDIT: Just finished filtering out to hijack my PC's MAC address only... will report back tomorrow whether this helps with my DNS downtime thanks.
I’d use pro. Once loaded I’d just check available memory using free -m and ensure there is still a reasonable amount left. I doubt the blocklist makes much difference to lookup times.
The following is based on my limited understanding. I am no expert on the subject-matter of the below, so take what I write with a pinch of salt.
The whole point of dnsmasq is that it acts like a cache, so the first lookup requires actually accessing the remote DNS resolver, whereas subsequent lookups can use the local cache and so should be faster, with the speed difference depending upon the latency of your connection, in respect of the time it takes to send the lookup to the remote server and get a response, set against a local lookup to the cache, which should be around 1-2ms. So if a remote lookup takes 100ms, that’s a whopping 92ms or so difference.
Whilst the time differences of individual lookups are presumably not noticeable (human responsiveness is something like tens or hundreds of milliseconds), I think there is a cascading effect for some services like websites where the requests build up from each other so time differences add up to something that becomes really noticeable.
Hello, did a bit of testing and can confirm DNS hijacking is stable.
I've just added my ISP's DNS server. Just a heads-up, but the guide doesn't mention that you need to specify a DNS server; you do, otherwise it reverts to making your router the DNS server. Thanks for all the help!
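For reference, this is the redirect the thread arrives at (time-restricted, port 53 only, one LAN host by MAC, explicit upstream so the DNAT does not land on the router itself) written in fw4 UCI syntax for /etc/config/firewall. It is an added example, not config from any post or from the adblock-lean project; the MAC address, the time window and the weekday list are placeholders, while 1.1.1.1 is the upstream mentioned earlier in the thread.

```uci
# Added example: time-restricted DNS hijack for a single LAN host (fw4 UCI).
# Placeholders: src_mac, start_time/stop_time, weekdays. Adjust to your setup.
config redirect
	option name 'dns-hijack-pc-update-window'
	option target 'DNAT'
	option src 'lan'                      # source zone; wrong zone here silently breaks the hijack
	option src_mac 'AA:BB:CC:DD:EE:FF'    # placeholder: only this LAN host is redirected
	option src_dport '53'                 # match DNS only, nothing else needs redirecting
	option proto 'tcp udp'
	option dest_ip '1.1.1.1'              # explicit upstream; omit it and DNAT targets the router
	option dest_port '53'
	option family 'ipv4'                  # one redirect per address family; add a second for IPv6
	option start_time '02:00:00'          # placeholder update window
	option stop_time '04:00:00'
	option weekdays 'mon tue wed thu fri sat sun'
	option utc '0'                        # times are interpreted in the router's local time zone
```

After `/etc/init.d/firewall reload`, `nft list ruleset | grep 1.1.1.1` should show the DNAT entry only while the window is active; a `dig` from the selected PC to any resolver then answers from 1.1.1.1, and from any other host it does not.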
Just a heads up that this 64Mb device with 200k - 230k lines has been operational without any downtime since this post!
@Lynx Is it possible that custom DNS over HTTPS, TLS, and QUIC protocols could be added to Adblock Lean in the future? I'm interested in using Adblock Lean as a lightweight alternative to AdGuard Home. Also showing queries would be a great addition as well.
Use stubby, dnscrypt-proxy2, doh-proxy. Reimplementation of that in adblock-lean will lead to a couple of years of development and numerous bugs in the process. adblock-lean and adblock work very well with the proxies mentioned above.
I did try luci app https over dns proxy, but it killed the internet for me. Disabling it restored the access.
You have to understand what happened. See your DNS, DHCP and firewall configs.
I already use adblock-lean with stubby personally. Works just fine!
I have another suggestion. It would be beneficial to designate a specific location, such as /root, for storing the sanitized file. This way, if there are any difficulties retrieving the lists during a system reboot, Adblock Lean can utilize the previously saved sanitized file and update it at a later time.