Adblock support thread


In the OpenWrt stable & snapshot package repo you'll find the adblock package (plus LuCI companion/configuration package):

stable OpenWrt version 19.07.x.: adblock 4.0.7 plus luci companion package

latest snapshot version: adblock 4.1.2 plus luci companion package

Link to the latest adblock documentation

Feel free to test, ask questions or make suggestions.


release 4.1.2

  • preserve DNS cache after adblock processing (unbound & bind)
  • fix redirect issue with oisd basic url
  • cosmetics

release 4.1.1

  • support the RPZ trigger 'RPZ-CLIENT-IP' to always allow/block certain clients based on their IP (currently only supported by bind!)
  • avoid promiscuous mode in tcpdump setup for adblock reporting
  • speed up dns report preparation
  • support dns report mailing (/etc/init.d/adblock report mail)
  • fix bind autodetection
  • update LuCI-frontend (separate PR)
  • update readme

release 4.1.0-3

  • add a restrictive "jail mode only" variant, just point your jail directory to your primary dns directory
  • update readme

release 4.1.0-2

  • add adguard_tracking source (list with cname trackers)
  • optimize/sort output of active sources in status
  • optimize log output in EMails

release 4.1.0

  • major source changes:
    • split in basic and full variant
    • add swedish regional list
    • made archive categories for shallalist and utcapitole selectable via LuCI
    • made all list variants of energized and stevenblack selectable via LuCI
  • removed dns filereset mode

release 4.0.8

  • source changes:
    • add new source 'games_tracking' (
    • change malwaredomains source mirror
    • remove malwarelist source (source is empty)
    • remove youtube source (does not work at all)
  • support multiple firewall zones for dns redirects
  • add firewall zone/port housekeeping
  • fix dns backend detection in TurrisOS (LuCI change)
  • add check for gnu-sort

release 4.0.7-3

  • fix aria2c download options
  • fix report engine with empty domains
  • fix safesearch ips of (get ips dynamically)
  • fix safesearch ips of (get ips dynamically)
  • switch all safesearch providers to dynamic ips (derived from cname)
  • made the new safesearch approach compatible with bind-nslookup
  • removed 3.x config compatibility code
  • add regional blocklist for italy
  • reporting: prevents the creation of an invalid json structure
  • reporting: add more space to the domain column on cli

release 4.0.6

  • add anti_ad blocklist source
  • made SafeSearch provider configurable, you can limit SafeSearch to certain providers
  • update readme

release 4.0.5-5

  • add regional list source for czech/slovak
  • add regional list source for korea
  • adapt oisd_nl changes, switch to adb-syntax domains

release 4.0.5-4

  • remove dumb list cache
  • start adblock processing after adding/removing
    list sources via CLI
  • add regional list source for france

release 4.0.5-3

  • fix oisd_nl source parser (format has been changed)
  • enable safesearch support for kresd (ip based)

release 4.0.5-2

  • limit domain name length to max. 63 chars to fix issues with energized sources

release 4.0.5

  • update energized source urls, add ultimate variant
  • switch shalla source to http (invalid server certificate)
  • add another stevenblack source variant (normal / porn)
  • small cornercase fixes
  • update readme

release 4.0.4-4

  • add 'ca-bundle' dependency
  • fix a sort bug in report engine
  • fix potential bugs in the f_extconf function
  • fix/add final sort step in reporting
  • accept capital letters in reporting filter
  • fix gawk compatibility in reporting
  • prevent processing of spurious line endings that confuses (g)awk

release 4.0.3

  • add 'wally3k' and 'reg_vn' sources, change 'reg_pl' source
  • update readme
  • small fixes & cosmetics

release 4.0.2

  • removed 'hphosts' from sources (discontinued)
  • fixed an "out of range" bug and another small issue in the f_dnsup function
  • add three new sources: 'anudeep', 'stopforumspam' and 'youtube'
  • changed 'list' behaviour, the source file has now a higher precedence than the archive file (see readme)
  • update readme, added missing parameters & more

re-release 4.0.1

  • fixed an oversight introduced in the last 3.99 pre-release series,
    only relevant for "raw" mode e.g. dnscrypt-proxy users

release 4.0.1

  • fix dependency issue
  • fix query timeouts in web frontend (seen with many selected lists), now the query comes back latest after 30 seconds, to prevent any timeouts, with all results to this point.
  • add missing parameter in

release 4.0.0

  • new package dependencies: coreutils-sort and a download util with SSL support
  • focus on speed (multicore-support) to handle quite big lists
  • include 38 pre-configured blocklist sources in a compressed json file (/etc/adblock/adblock.sources.gz)
  • dynamic SafeSearch support for google, bing, duckduckgo, yandex, youtube and pixabay (CNAME (bind) & IP (dnsmasq, unbound))
  • DNS backend autodetection
  • Download Utility autodetection
  • Report Interface autodetection
  • Easy cron wrapper to set an adblock related auto-timer for automatic blocklist updates
  • raw domain/blocklist support (e.g. for dnscrypt support)
  • re-add restrictive Jaillist support
  • rework online doc
  • Complete LuCI rewrite (migrated to client side JS)

update 3.8.15

  • remove 'reg_cz' list (abandoned)
  • add 'notracking' list (provided by @rcarmo)
  • 19.07-only: fix/bring back status message

update 3.8.14

  • fix some whitelist issues

update 3.8.13

  • remove 'ransomware' blocklist by (discontinued)
    from default adblock config
  • fix/switch 'someonewhocares' config to https only
  • fix curl download parameters to follow redirects and
    suppress needless output
  • made the tmp directory of sort operations configurable,
    set 'adb_sorttmpdir' accordingly (only supported by 'coreutils-sort')

update 3.8.12

  • fix possible dns restart issue with DNS File Reset (race condition)

update 3.8.11

  • some more init tweaks
  • update/cleanup readme

update 3.8.10

  • fix broken unbound integration

update 3.8.9

  • more startup tweaks
  • re-use f_log function in helper scripts
  • small fixes / polish up for forthcoming 19.07 release

update 3.8.8

  • print to stdout if 'logger' is not available
  • small fixes

update 3.8.7

  • prevent forced parallel adblock service starts
  • refine service trigger

update 3.8.6-2

  • fix service status message
  • refine readme regarding reload cron job

update 3.8.6

  • refine stop logic to prevent needless dns backend restarts and other oddities
  • cosmetics

update 3.8.5

  • use raw procd interface trigger as last resort, if the adblock config is not available during startup
  • fix selective subdomain whitelisting for dnsmasq
  • fix a kresd restart issue with 'DNS File Reset'
  • fix a suspend/resume cornercase
  • disable the tld compression, if the number of blocked domains is greater than 'adb_maxtld' (default: 100000)
  • made the fw portlist configurable (default '53 853 5353')
  • preliminary support for inotify-like autoload features of dns backends like kresd in future Turris OS. If 'adb_dnsinotify' is set to 'true', all adblock related restarts and the 'DNS File Reset' will be disabled

update 3.8.4

  • fix the 'adb_sysver' output
  • pass the adblock version information to the helper scripts correctly

update 3.8.3

  • fix a dns restart issue if 'flush dns cache' is set
  • fix a suspend/resume issue, the status wasn't properly updated
  • fix a long standing query issue
  • rework return code handling, mostly for debugging
  • various cleanups & cosmetics

update 3.8.2

  • background service: no longer miss "signal" events for the dns backend (to trigger adblock)
  • fix a dns backend reload issue during switch between different blocking modes
  • domain query: report found domains only once in "null" blocking mode with IPv4 & IPv6 list entries

update 3.8.1

  • fix a possible race condition during DNS file reset on slow hardware
  • optimize DNS restart behaviour in 'null' blocking mode
  • mute useless warnings

release 3.8.0

  • add support for 'DNS File Reset', where the final DNS blockfile will be purged after DNS backend loading (save storage space). A small background service will be started to trace/handle dns backend reloads/restarts
  • add support for the 'null' blocking variant in dnsmasq (via addn-hosts), which may provide better response times in dnsmasq
  • enhance the report & search engine to support the new blocking variants. Search now includes backups & black-/whitelist as well
  • compressed source list backups are now mandatory (default to '/tmp')
  • speed up TLD compression
  • E-Mail notification setup is now integrated in UCI/LuCI
  • update the LuCI frontend to reflect all changes (separate PR)
  • drop preliminary dnscrypt-proxy-support (use dnsmasq instead)
  • drop additional 'dnsjail' blocklist support (not used by anyone)
  • procd cleanups in init
  • various shellcheck cleanups
  • update readme

release 3.6.5-2

  • clean-up config
    • remove youtube source (not working, false positives)
    • remove urlhaus source (false positives)
    • remove zeus source (discontinued)

release 3.6.5

  • fix reporting for bogus hostnames with underscores
  • no longer accidentally overwrite existing 'serversfile' entries in dhcp config which reference to the adblock jail list
  • remove needless 'no_mail' flag
  • refined log message regarding tcpdump requirement for reporting

release 3.6.4

  • respect 'adb_report' option to enable/disable adblock reporting (incl. tcpdump background process)
  • other reporting related corner case fixes

release 3.6.3

  • the DNS Report now displays the hostname, MAC-Address or client IP (CLI & LuCI)
  • Filter the DNS Query result set for a particular domain, client or time frame (CLI & LuCI)
  • remove needless XHR.Poll-Events from Reporting page in LuCI
  • remove needless 'force sort' option in LuCI

release 3.6.2

  • enhance the query function to search in adblock backups as well, to get back the set of blocking lists sources for a certain domain
  • add "Latest DNS Queries" report to commandline version as well (already in LuCI)
  • made the tld compression (the error handling) more robust, remove the needless 'adb_forcesrt' option
  • remove abandoned 'feodo' list source
  • update readme

release 3.6.1

  • report engine supports multiple listening ports, set 'adb_replisten' to a space separated list of ports, default '53'
  • report engine supports multiple interfaces, set 'adb_repiface' to 'any'
  • small fixes

release 3.6.0

  • add adblock dns query reporting via tcpdump (see readme for details)
  • fix tld compression on low memory systems (< 64 MB)
  • fix various small issues

bugfix 3.5.5v2

  • fix uci wrapper calls
  • fix link in readme

release 3.5.5

  • accept only ascii aka punycode chars in blocklists to prevent possible dns backend warnings
  • fix cornercase issues in json parsing (backend & frontend)
  • slightly optimize tld compression performance
  • refine logging
  • use uci wrapper where possible
  • change indentation from spaces to tabs (saves 8kb)
  • add experimental youtube blocklist source

release 3.5.4

  • add low priority mode (nice level 10), disabled by default (config option is called 'adb_nice' in the 'extra' config section, the range 0-19 is allowed)
  • enhance 'Force DNS' to redirect ports 53, 853 and 5353


  • switch to dynamic XHR polling for runtime information and logfile
  • add new 'Refresh' button to reload blocklists
  • various cleanups & small fixes

release 3.5.3

  • enhance the whitelist function. Now sub-domains could be whitelisted
    (e.g. ''), even if the correspondent tld is
    blacklisted (e.g. '') - this makes whitelisting
    much more flexible and predictable
  • rework the domain query function to adapt the whitelist changes
  • refine startup error checks/messages
  • small fixes

release 3.5.2

  • add generic blocklist archive support
  • add support for blacklist archive from Toulouse 1 University Capitole
  • add support for urlhaus RPZ domains by
  • archive sub-categories (shalla & ut_capitole) are now configurable via LuCI CBI template
  • small bugfixes & enhancements

release 3.5.1

  • maintenance update, just small bugfixes

release 3.5.0

  • major performance boost: add a flexible 'Download Queue' to handle downloads & list processing in parallel, default queue size is '4', you can raise this e.g. to '8' or '16' to get it really fast
  • replace former 'whitelist mode': the new 'Jail' option builds an additional 'adb_list.jail' list in parallel to block access to all domains except those listed in the whitelist file, which can be used manually for guest wifi or kidsafe configurations
  • regex parser & query function now fully support IDN domains with non-ASCII characters
  • add error handling in tld compression, to handle OOM conditions better
  • adblock.notify sends now html emails, to get a better look & feel, even on mobile devices
  • add czech regional blocklist maintained by turris omnia users
  • LuCI: Support new 'Download Queue' & 'Jail' options
  • LuCI: fix field width in "Runtime Information" section

release 3.4.3 (current stable release)

  • add pidfile writing / check to prevent further race conditions
  • ease the download utility selection: uclient-fetch (default), wget, curl, aria2c, wget-nossl, busybox-wget are fully pre-configured available
  • add debug download logging in case of an error, e.g. wrong url
  • change 'malware' blocklist source url
  • add logfile information to email template
  • LuCI: add 'Download Utility' select box
  • LuCI: add new "running" status

release 3.4.1

  • enable code to support Turris Omnia forthcoming upstream change
    (new kresd 'keep_cache' option) to preserve kresd DNS cache
  • fix a 'status' race condition while the adblock process is running in parallel
  • various small speed improvements
  • rework debug output
  • refine blacklist handling
  • enable the (empty) blacklist source in the default config
  • email notification supports msmtp, even without sendmail symlink
  • email notification writes minimal status to log (one-liner)
  • LuCI: refine logfile search term
  • LuCI: Textarea 'autoscroll down' in logfile view
  • LuCI: Left-align blocklist source table plus a more compact design

release 3.4.0

  • preserve DNS cache after adblock processing,
  • email notification in case of an error or domain count < n (default 0, check readme)
  • removed securemecca from default config (service has been closed, read
  • new separate functions for hash compare and list/overall count
  • add missing package dependencies
  • various clean-ups
  • update documentation

release 3.1.1

  • new function to set/delete options in external uci config files
    • kresd: automated 'rpz_file' handling in /etc/config/resolver
    • firewall: automated 'force_dns' handling if you enable or disable adblock
  • support sha256sum (default) and md5sum for blocklist comparison & conditional dns restarts
  • cosmetics

release 3.1.0

  • add 'whitelist mode', block access to all domains
    except those explicitly listed in the whitelist file
  • rework awk regex for all blocklist sources
    • include 'third-party' domains for all regional lists
    • change adguard url and refine filter ruleset
    • use POSIX character classes
    • fix regex for whitelist preparation
    • fix corner case parsing issues
  • fix enable/disable behavior
  • various other small fixes
  • documentation update
  • caution: config file update required!

release 3.0.3

  • add new list source to default config to block browser-based crypto mining

release 3.0.2

  • better system information
  • several kresd related documentation fixes

release 3.0.1

  • fix startup issues with backends like dnscrypt-proxy or kresd
    which does not come up without an existing block list
  • fix a small 'chown' issue

release 3.0.0

  • add kresd & turris omnia support
  • add dnscrypt-proxy support
  • change start priority to 30, to fix possible trigger issues on slow booting hardware
  • simplify suspend/resume handling (no longer use a hideout directory)
  • default config change (please update your config!), adblock is now disabled by default
  • enhanced LuCI frontend
  • many small changes & improvements
  • documentation update

release 2.8.5

  • add preliminary kresd dns backend support for turris devices, see readme (untested!)
  • use tld compression for overall list, too
  • cosmetics

release 2.8.3

  • refine manual/backup mode (exclude local blacklist processing)
  • cosmetics

release 2.8.2

  • made DNS restart conditional (compare list hash values), to prevent needless restarts of the DNS backend

release 2.8.1

  • revert 'wan6' interface trigger in default config due to current procd limitation (see issue: #4521 on github)

release 2.8.0-2

  • add bind support (see readme)
  • export all blocked domains in one central file (adb_list.overall)
  • prerequisite for proper bind support
  • much faster sort operation with less memory consumption
  • backups are still handled per source separately, to be more flexible in adding/removing block list sources
  • add additional 'wan6' interface trigger in default configuration
  • various small fixes & optimizations

Ancient Releases (Unsupported!)

OpenWrt version 18.06.: adblock 3.5.5 plus luci companion package
LEDE version 17.01.: adblock 3.4.3 plus luci companion package

Have fun!


At the first glance, it seems to work nicely.

logread -e "adblock" gives the following output:

Mon Dec 12 09:53:36 2016 daemon.err[944]: udhcpc: started, v1.25.1
Mon Dec 12 09:53:36 2016 daemon.err[944]: udhcpc: sending discover
Mon Dec 12 09:53:39 2016 daemon.err[944]: udhcpc: no lease, failing
Mon Dec 12 09:53:39 2016 daemon.err[944]: udhcpc: started, v1.25.1
Mon Dec 12 09:53:39 2016 daemon.err[944]: udhcpc: sending discover
Mon Dec 12 09:53:42 2016 daemon.err[944]: udhcpc: no lease, failing
Mon Dec 12 09:53:42 2016 user.notice adblock-[1.9.99-pre0] info: block lists with overall 132369 domains loaded (1.9.99-pre0, LEDE Reboot CURRENT r2437-854459a)

I removed the previous package and luci addon with luci.

udhcpc is the DHCP client fetching a WAN address from your ISP for your WAN interface. Nothing to do with adblock (or DNS) by itself.

Does your router get WAN address when adblock is disabled?

But you seem to have a lot of blocklists loaded. You might test first with only a few lists. And you might reboot the router one more time so that there are surely no leftovers in dnsmasq tmp from the previous adblock version.

My router gets a WAN address also when adblock is enabled.
As far as I can see adblock2 is working without a problem. I just don't understand the error messages in the log.
My router has plenty of RAM (512 MB), so I thought it is not a problem to enable almost every list.

Does this dhcp "error" always appear (i.e. during a normal /etc/init.d/adblock restart) or only during boot?
What happen if you change ...

procd_set_param stderr 1 to procd_set_param stderr 0

in /etc/init.d/adblock?

Thanks for testing!

Yes the error appears always (reboot and restart).

Still the same error message.

I feel myself obliged to do so because adblock is why I bought this new router in the first place.
Thanks for making this great tool!

OK, please run "/etc/init.d/dnsmasq restart" twice. First with enabled block lists and the second time without adblock (after /etc/init.d/adblock stop). In both cases please check the log for dnsmasq/dhcpc errors like the ones you've posted above.

Thanks again!

Mon Dec 12 16:53:58 2016 daemon.err[1843]: udhcpc: started, v1.25.1
Mon Dec 12 16:53:58 2016 daemon.err[1843]: udhcpc: sending discover
Mon Dec 12 16:54:01 2016 daemon.err[1843]: udhcpc: no lease, failing
Mon Dec 12 16:54:01 2016 daemon.err[1843]: udhcpc: started, v1.25.1
Mon Dec 12 16:54:01 2016 daemon.err[1843]: udhcpc: sending discover
Mon Dec 12 16:54:04 2016 daemon.err[1843]: udhcpc: no lease, failing
Mon Dec 12 16:54:05 2016 user.notice adblock-[1.9.99-pre0] info: block lists with overall 132369 domains loaded (1.9.99-pre0, LEDE Reboot CURRENT r2437-854459a)
Mon Dec 12 17:05:48 2016 daemon.err[2657]: udhcpc: started, v1.25.1
Mon Dec 12 17:05:48 2016 daemon.err[2657]: udhcpc: sending discover
Mon Dec 12 17:05:51 2016 daemon.err[2657]: udhcpc: no lease, failing
Mon Dec 12 17:05:51 2016 daemon.err[2657]: udhcpc: started, v1.25.1
Mon Dec 12 17:05:51 2016 daemon.err[2657]: udhcpc: sending discover
Mon Dec 12 17:05:54 2016 daemon.err[2657]: udhcpc: no lease, failing
Mon Dec 12 17:05:54 2016 user.notice adblock-[1.9.99-pre0] info: block lists with overall 132369 domains loaded (1.9.99-pre0, LEDE Reboot CURRENT r2437-854459a)

I wouldn't be surprised if the problem is outside of Adblock.
My router is, as of now, not fully supported by LEDE (TP-Link Archer C2600).

Adblocking is functional with this release.

If a full log is useful, let me know.

So dns hijacking is no longer an option with adblock2?

I haven't mastered wrapping firewall rules in procd instance, but if you'd want to bring back the pixelserv, I found out uhttpd is really easy to include in PROCD instance.

On ipq806x LEDE Reboot CURRENT r2437+12 with uclient-fetch and ustream-mbedtls installed, adblock2 fails with error: fetch utility 'uclient-fetch' or 'wget' not found. Maybe the below will help:

root@EA8500:~# which /usr/bin/wget*
root@EA8500:~# which uclient-fetch
/bin/uclient-fetch
root@EA8500:~# which /bin/wget*
/bin/wget
root@EA8500:~# ls -la $_
lrwxrwxrwx 1 root root 13 Dec 10 16:24 /bin/wget -> uclient-fetch

Still it's all about dns spoofing/hijacking, but we no longer need all the firewall/pixel server stuff for that. The dns server itself returns a simple 'NXDOMAIN'. This is nothing but a Non-eXistent Internet or Intranet domain name: if a domain name cannot be resolved by the dns server, a condition called 'NXDOMAIN' occurs.

On client side you'll see things like that:

root@x250:/home/dirk# nslookup
** server can't find NXDOMAIN

or that (captured during a youtube session):

root@x250:/home/dirk# tcpdump -nt -i wlan0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP > 44883+ A? (42)
IP > 20204+ AAAA? (42)
IP > 44883 NXDomain 0/0/0 (42)
IP > 20204 NXDomain 0/0/0 (42)

simple & quite effective! :relaxed:
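
The query/response pairing visible in the tcpdump capture above, as an added example that is not part of the original post and not adblock's own reporting code: a shell/awk filter that matches each NXDomain response to its query by client endpoint and DNS id, and lists which client asked for which blocked name. The function names, addresses and domains are assumptions; the sample capture is constructed.

```shell
#!/bin/sh
# Added example, not adblock's reporting code. Reads `tcpdump -nt udp port 53`
# text on stdin and prints "client<TAB>qtype<TAB>name" for every query that
# was answered with NXDomain.

nxdomain_report() {
    awk '
    $1 != "IP" && $1 != "IP6" { next }          # skip tcpdump banner lines
    {
        src = $2
        dst = $4; sub(/:$/, "", dst)            # drop the trailing colon
        id  = $5; sub(/[^0-9].*$/, "", id)      # "44883+" -> "44883"

        if ($6 ~ /\?$/) {                       # query: "<id>+ A? name. (len)"
            key = src SUBSEP dst SUBSEP id
            name = $7; sub(/\.$/, "", name)     # drop the root dot
            qname[key] = name
            qtype[key] = substr($6, 1, length($6) - 1)
            next
        }

        # Response: endpoints are reversed relative to the query.
        key = dst SUBSEP src SUBSEP id
        if (!(key in qname)) next               # no matching query was seen
        if ($6 ~ /^NXDomain/) {
            client = dst; sub(/\.[0-9]+$/, "", client)   # strip source port
            printf "%s\t%s\t%s\n", client, qtype[key], qname[key]
        }
        delete qname[key]; delete qtype[key]    # answered either way
    }'
}

# Constructed capture: one client whose A and AAAA lookups are blocked, one
# client with a normal answer, and one stray NXDomain without a query.
sample_capture() {
    cat <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
IP 192.168.1.20.40112 > 192.168.1.1.53: 44883+ A? ads.example.com. (33)
IP 192.168.1.20.40112 > 192.168.1.1.53: 20204+ AAAA? ads.example.com. (33)
IP 192.168.1.1.53 > 192.168.1.20.40112: 44883 NXDomain 0/0/0 (33)
IP 192.168.1.1.53 > 192.168.1.20.40112: 20204 NXDomain 0/0/0 (33)
IP 192.168.1.30.51000 > 192.168.1.1.53: 7001+ A? www.example.org. (33)
IP 192.168.1.1.53 > 192.168.1.30.51000: 7001 1/0/0 A 192.0.2.10 (49)
IP 192.168.1.1.53 > 192.168.1.30.51000: 9999 NXDomain 0/0/0 (33)
EOF
}

sample_capture | nxdomain_report
```

On a live system the same filter can be fed from `tcpdump -nt -i <iface> udp port 53`; an NXDomain here can also come from a genuinely non-existent name, so the output is a list of candidates to compare against the blocklist.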

As I wrote in my initial post you have to set two options in adblock config, for uclient-fetch use the following:

option adb_fetch '/bin/uclient-fetch'
option adb_fetchparm '-q'

By DNS hijacking I meant that if I have a client in the local network with hardcoded DNS (rather than using DNS server offered by DHCP) it will no longer be forced to use my router's dns server, will it now, without firewall rules?

Ah, sorry, missed that, I was hoping adblock2 would auto-discover what I have installed. :wink:

adblock supports a wider range of router modes, incl. AP modes. Therefore it makes no sense to set firewall redirects like that. (same applies to adblock 1.x)

a guy who changed the default ssl-backend can add two config options, too. :slight_smile:
a positive side effect: you could use other tools like aria2 ...

Ah, I see the reason. It'd still make sense to set the redirects for the router mode, which I'd expect to be like 90% of the cases. :wink:

I've updated the download link in the first post for the new pre1 version, changes are:

  • procd fine tuning
  • many bugfixes

If nothing major comes up, I'll send a github PR before christmas ... :slight_smile:


The initial adblock_1.9.99-pre0-1_all ran perfectly well for me. Now adblock_1.9.99-pre1-1_all has also been running perfectly well for the past 12-14 hours or so. No issues to report on my end as far as functionality goes.

I must admit, I do wish that there still remained an option to keep the pixel server running to replace all of the DNS-related errors that come up now with this NXDOMAIN method. But anyway, I trust in your judgement and coding work 100% and I will continue testing all future releases as they are released.

Hi Dave,

thanks for testing!
Do you have example urls with "broken links" where ads are not delivered by an https server? For ad-related content from an https server you will receive broken links, even with adblock 1.x, because we cannot redirect secured connections.


Just want to say thanks for this! I run your current version published in trunk (1.5.4-1 with the Luci counter part), and it's a great tool. Thanks for continuing to support it!

Tested on my TP-Link Archer C2600 and my travel-router GLi AR150.
Works like a charm! I love it.
Especially the AR150 can handle this version much easier than the previous version.

The LuCI app modified for the new adblock2 can be found from here: