Adblock-lean: set up adblock using dnsmasq blocklist

Why do I get this log message? (OpenWrt 24.10.0-rc7)

No ip addresses detected for dnsmasq instance 'cfg01411c'. Using the loopback addresses.

cat /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        list addnmount '/bin/busybox'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_default '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Hi, this does not indicate a problem.

adblock-lean checks which network interfaces are used by the dnsmasq instance that adblock-lean is attached to. If such network interfaces are identified then adblock-lean checks which network address the dnsmasq instance responds on. That address is then used to verify that adblocking and DNS resolution are working correctly after loading the blocklist.

Generally, unless you specified network interfaces for the dnsmasq instance to serve, that instance will serve DNS on all network interfaces. This means that adblock-lean's check for network interfaces will return an empty string. In that case, adblock-lean will use the loopback IP address for the aforementioned verification. This message basically says that this is what's happening. Perhaps we should rephrase it so it doesn't sound like something's wrong.

1 Like

Thanks! I have no clue :sweat_smile:

1 Like

Just set up adblock-lean from scratch and all went well save for one very minor issue. The present setup script is fantastic! A reminder that I love the way presets are implemented.

Minor issue is that during install the extra packages were downloaded and installed but then not detected:

root@OpenWrt:~# sh /etc/init.d/adblock-lean setup

Making /etc/init.d/adblock-lean executable.

Based on the total usable memory of this device (488.76 MiB), the recommended preset is 'large':
Elements count: ~1000k
blocklist_urls="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt"
max_file_part_size_KB="19000"
max_blocklist_file_size_KB="24000"
min_good_line_count="330000"

[C]onfirm this preset or [p]ick another preset?
c|p: c
Selected preset 'large'.

Checking dnsmasq instances.
Detected only 1 dnsmasq instance - skipping manual instance selection.
Selected dnsmasq instance 0: 'cfg01411c'.
Selected dnsmasq conf-dir '/tmp/dnsmasq.cfg01411c.d'.

Cron job configuration:
A cron job can be created to enable automatic list updates.
The default schedule is '0 5 * * *': daily at 5am (5 o'clock at night)
The cron job will run with an added random number of minutes.

Create cron job with default schedule for automatic list updates?
'n' will set the 'cron_schedule' setting to 'disable'. You can later create a cron job with a custom schedule as described in:
https://github.com/lynxthecat/adblock-lean/blob/master/README.md
y|n: y

Generating new default config for adblock-lean from preset 'large'.

Saving new config file to '/etc/adblock-lean/config'.

Enabling the adblock-lean service.

Updating cron job for adblock-lean.
Warning: The cron service is not enabled or not running.

Attempting to enable and start the cron service... OK
Creating cron job with schedule '0 5 * * *'.

Creating dnsmasq addnmount UCI entry.


For improved performance while processing the lists, it is recommended to install GNU awk, GNU sed, GNU sort.
Corresponding packages are: gawk, sed, coreutils-sort.

Available free space at mount point '/': 76.42 MiB.

Would you like to install GNU awk automatically? Installed size: 1024 KiB.
y|n: y
Would you like to install GNU sed automatically? Installed size: 150 KiB.
y|n: y
Would you like to install GNU sort automatically? Installed size: 120 KiB.
y|n: y

Selected packages: gawk sed coreutils-sort
Total installed size: 1.26 MiB.
Proceed with packages installation?
y|n: y

Downloading https://downloads.openwrt.org/releases/24.10.0/targets/mediatek/mt7622/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/releases/24.10.0/targets/mediatek/mt7622/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/targets/mediatek/mt7622/kmods/6.6.73-1-49f3b78722ed2df9df713e744e978eb6/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading https://downloads.openwrt.org/releases/24.10.0/targets/mediatek/mt7622/kmods/6.6.73-1-49f3b78722ed2df9df713e744e978eb6/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/luci/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/telephony/Packages.sig
Signature check passed.
Installing gawk (5.3.0-r2) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/gawk_5.3.0-r2_aarch64_cortex-a53.ipk
Installing terminfo (6.4-r2) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/base/terminfo_6.4-r2_aarch64_cortex-a53.ipk
Installing libncurses6 (6.4-r2) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/base/libncurses6_6.4-r2_aarch64_cortex-a53.ipk
Installing libreadline8 (8.2-r2) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/base/libreadline8_8.2-r2_aarch64_cortex-a53.ipk
Installing sed (4.9-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/sed_4.9-r1_aarch64_cortex-a53.ipk
Installing coreutils-sort (9.3-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/coreutils-sort_9.3-r1_aarch64_cortex-a53.ipk
Installing coreutils (9.3-r1) to root...
Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a53/packages/coreutils_9.3-r1_aarch64_cortex-a53.ipk
Configuring terminfo.
Configuring coreutils.
Configuring sed.
Configuring coreutils-sort.
Configuring libncurses6.
Configuring libreadline8.
Configuring gawk.

Setup is complete.

Start adblock-lean now?
y|n: y


gawk not detected so allowlist (sub)domains removal from blocklist will be slow and list processing will not be as efficient.
Consider installing the gawk package (opkg install gawk) for faster processing and (sub)domain match removal.
GNU sed not detected so list processing will be a little slower.
Consider installing the GNU sed package (opkg install sed) for faster processing.
coreutils-sort not detected so sort will be a little slower.
Consider installing the coreutils-sort package (opkg install coreutils-sort) for faster sort.

Checking dnsmasq instances.

Starting adblock-lean.

No existing compressed or uncompressed blocklist identified.

Testing connectivity.

No local allowlist identified.
Not using any allowlist for blocklist processing.

No local blocklist identified.

Starting raw blocklist part(s) download.

Downloading, checking and sanitizing raw blocklist part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt.
Successfully processed blocklist (source file size: 3.44 MiB, sanitized line count: 181,480).

Downloading, checking and sanitizing raw blocklist part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt.
Successfully processed blocklist (source file size: 13.94 MiB, sanitized line count: 717,256).

Successfully generated preprocessed blocklist file with 898,736 entries.

Sorting and merging the blocklist parts into a single blocklist file.

Stopping dnsmasq.

Checking the resulting blocklist with 'dnsmasq --test'.
New blocklist file check passed.
Final list uncompressed file size: 18.07 MiB.

Checking dnsmasq instances.

Successfully imported new compressed blocklist file for use by dnsmasq with size: 5.91 MiB.

Restarting dnsmasq.

Waiting for dnsmasq initialization.
Restart of dnsmasq completed.

Processing time for blocklist generation and import: 0m:44s.

Checking active blocklist.

Checking dnsmasq instances.
No ip addresses detected for dnsmasq instance 'cfg01411c'. Using the loopback addresses.

Active blocklist check passed with the new blocklist file.
New blocklist installed with entries count: 847,634.

Checking for adblock-lean updates.
The locally installed adblock-lean is the latest version.

See what I mean @antonk?

1 Like

Ah, yes, I think in the current version we are detecting utilities at script initialization and we don't take into account that later they are installed. This should be an easy thing to fix.

2 Likes

Hi everyone,

First, I’d like to extend my heartfelt thanks to everyone involved in this project. I absolutely LOVE it!

I recently switched from Adblock to Adblock-Lean, and I couldn’t be happier with the decision. It’s faster, simpler, and the terminal output is exceptionally clear—providing detailed information in an easy-to-read format. I’m truly impressed! Thank you so much for your support and to everyone contributing to its development.

With Adblock, I was blocking around 500k domains, but I encountered some issues and noticed memory usage was about 25 MiB for the lists. Now, with Adblock-Lean, I’m blocking 1.5 million domains, and my router is running perfectly. The compressed blocklist file used with dnsmasq is only about 8 MiB—very impressive efficiency!

Thank you once again, and please keep up the amazing work!

I was certain there was a dedicated support thread for Adblock-Lean, but I couldn’t find it. Perhaps I confused it with the Adblock thread. I hope it’s okay to post here since my question doesn’t seem to warrant a separate thread.

I’ve been running Adblock-Lean with the following blocklists:

https://nsfw.oisd.nl/domainswild2  
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt  
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt  

Recently, I installed Windows 8.1 on a testing machine, and my daughter uses a Xiaomi phone. I’ve debloated her phone as much as possible without breaking anything. While researching, I discovered Hagezi’s lists native.xiaomi-onlydomains.txt and native.winoffice-onlydomains.txt.

I assumed the first list targets Xiaomi-related domains, and the second one focuses on Microsoft telemetry. I added them to Adblock-Lean, so my current blocklist configuration looks like this:

blocklist_urls="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.xiaomi-onlydomains.txt  
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/native.winoffice-onlydomains.txt  
https://nsfw.oisd.nl/domainswild2  
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro-onlydomains.txt  
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif-onlydomains.txt"  

However, I haven’t noticed much of a difference in the number of blocked domains in the resulting merged list.

Can anyone confirm if the tif-onlydomains.txt or pro-onlydomains.txt lists already include the smaller lists, such as native.xiaomi-onlydomains.txt and native.winoffice-onlydomains.txt?

Additionally, I found a list of domains related to Windows spyware and telemetry online, and I added those manually to my blocklist:


Am I inadvertently creating duplicates here by adding this list manually?

Thank you so much for your help and advice!

1 Like

Open both, and look for entries from the smaller files in the bigger ones?
You could also script it ...

Those lists are moving targets; whatever is true today might not apply tomorrow.

The Pro list partially includes the smaller tracker blocklists (of which there are a few), as stated by Hagezi here. I don't know exactly what is meant by 'partially' - it could be that some of the smaller lists are included entirely, or not. Anyway, if you are not seeing any increase in blocked domains count then the specific smaller lists you added are (currently) included entirely. adblock-lean doesn't 'lose' any domains - it just eliminates duplicates.

1 Like
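
The scripted comparison suggested above, as an added example that is not part of the original posts or of adblock-lean: it reports how many entries of a smaller list are already covered by a bigger one. It assumes both files are domains-only lists (one domain per line, `#` comments) whose entries also block their subdomains, as dnsmasq `local=/domain/` rules do; the function names and the `.example` sample data are constructed.

```sh
#!/bin/sh
# Added example: how much of SMALL is already covered by BIG?
# Assumes domains-only lists where an entry also blocks its subdomains.

# awk program shared by both functions. BIG is read first, then SMALL (pass=2).
COVERAGE_AWK='
function norm(s) {                      # strip CR, comments, blanks; lowercase
    sub(/\r$/, "", s); sub(/#.*/, "", s); gsub(/[ \t]/, "", s)
    return tolower(s)
}
{ d = norm($0); if (d == "") next }
pass != 2 { big[d]; next }              # first file: remember every BIG entry
(d in seen) { next }                    # count each SMALL entry once
{
    seen[d]; total++
    p = d
    while (1) {                         # try the name, then each parent domain
        if (p in big) { covered++; next }
        i = index(p, ".")
        if (i == 0) break
        p = substr(p, i + 1)
    }
    if (!summary) print d               # not covered by anything in BIG
}
END { if (summary) printf "total=%d covered=%d uncovered=%d\n", total, covered, total - covered }
'

# uncovered_domains SMALL BIG: list SMALL entries that BIG does not cover.
uncovered_domains() { awk "$COVERAGE_AWK" "$2" pass=2 "$1"; }

# coverage_summary SMALL BIG: one line of counts.
coverage_summary() { awk -v summary=1 "$COVERAGE_AWK" "$2" pass=2 "$1"; }

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data (reserved .example names), not real list contents.
    printf '%s\n' '# small list' 'tracker.example' 'ads.vendor.example' \
        'telemetry.os.example' > "$tmp/small.txt"
    printf '%s\n' 'vendor.example' 'tracker.example' 'other.example' > "$tmp/big.txt"
    coverage_summary "$tmp/small.txt" "$tmp/big.txt"
    uncovered_domains "$tmp/small.txt" "$tmp/big.txt"
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then
    coverage_summary "$1" "$2"; uncovered_domains "$1" "$2"
else
    demo
fi
```

The whole bigger list is held in an awk array, so on a router with little free memory it is better to run this on a workstation against downloaded copies of the lists.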

Thanks for the feedback. Much can be attributed to @antonk’s recent tremendous input to the project.

2 Likes

Hello, I have just moved to adblock-lean from adblock. I was wondering what firewall rules I could implement in order to force DNS via my router. I can see the following rules created by adblock but I'm not sure they are relevant anymore.

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

I am using smartdns for dot/doh.

Thanks

Hi and welcome aboard.

As to your question, probably @Lynx knows more about this than I do. I can only suggest following this guide and probably making sure to remove leftover rules created by adblock.

1 Like

Thank you for the link. It looks like just what I need. I'll have a look and report back.

I wonder if there is scope to add this automatically into adblock-lean. I suppose it might reduce the lean-ness though :slight_smile:

We can consider adding this feature. Please let us know if following the guide helped.

I added the following to my firewall config file

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option family 'any'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'

config rule
        option name 'Adblock DNS (lan, block DoT)'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

I think that should work.

Is there a way to query if a domain is in the blocklist? I can see there is a /tmp/dnsmasq.d/.abl-blocklist.gz file. Do I need to unzip that/grep it?

Thank you for making this software!

You can just use nslookup:

nslookup example.com

If you get NXDOMAIN, then either the domain is not registered in the DNS at all, or it is blocked. Alternatively, you can run the following command to verify that the domain is in the blocklist:

zcat /tmp/dnsmasq.d/.abl-blocklist.gz | grep -o "/example.com/"
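
Assuming entries behave like dnsmasq `local=/domain/` rules, which also match subdomains, a name can be blocked by a parent domain without appearing literally in the file. The added example below (not part of the original post or of adblock-lean) looks up a name and each of its parent domains with fixed-string matching; it assumes entries appear as `/domain/` in the decompressed file, as the grep pattern above implies, and the function names and sample blocklist are constructed.

```sh
#!/bin/sh
# Added example: find which blocklist entry (if any) covers a given name.

# Print NAME and each of its parent domains as "/domain/" patterns, one per line.
suffix_patterns() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}                       # drop a trailing root dot
    while :; do
        printf '/%s/\n' "$name"
        case $name in
            *.*) name=${name#*.} ;;      # strip the leftmost label
            *)   break ;;
        esac
    done
}

# blocking_entries NAME BLOCKLIST_GZ
# Prints the "/domain/" entries that cover NAME; returns 1 if there are none.
blocking_entries() {
    pats=$(mktemp) || return 2
    suffix_patterns "$1" > "$pats"
    # -F: fixed strings, so dots are not regex wildcards; -o: print only the match
    out=$(gzip -dc "$2" | grep -oF -f "$pats" | sort -u)
    rm -f "$pats"
    [ -n "$out" ] && printf '%s\n' "$out"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: slash-delimited entries, the shape the grep pattern assumes.
    printf 'local=/tracker.example/vendor.example/\n' | gzip -c > "$dir/blocklist.gz"
    for n in ads.cdn.vendor.example tracker.example allowed.example; do
        if hit=$(blocking_entries "$n" "$dir/blocklist.gz"); then
            echo "$n: blocked by $hit"
        else
            echo "$n: not in blocklist"
        fi
    done
    rm -rf "$dir"
}

if [ "$#" -ge 1 ]; then
    # Default path is the one quoted in the thread.
    blocking_entries "$1" "${2:-/tmp/dnsmasq.d/.abl-blocklist.gz}"
else
    demo
fi
```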

Doh. That makes sense.

Thanks for your patience.

1 Like

Sorry, referencing an old post as I wanted to make sure this option existed before. I am unable to locate adblock-lean in the LuCI > System > Startup menu; even when it is enabled, the entry is missing and therefore there are no start/stop/restart options. Is this expected now?

1 Like

You need to use the command from the terminal (SSH).

1 Like

Should be there provided the service file exists and is executable. If it’s right after installing and before reboot then you might need to restart the network service for LuCI to pick it up.

1 Like

I've verified that the file exists, has the right permissions and have restarted the device multiple times. Uninstalled and reinstalled as well (with fresh config too) but for some reason the web UI does not show adblock-lean (image attached with the init scripts sorted by name). I created a custom-scripts init entry and that shows up. I am on x86 and on the latest 24.10 build, is there anything else I can do (cleanup any luci cache etc) to fix this?