Adblock with DNSSEC / stubby

Any conflicts? Configuration tips?
Stubby is up and working well. I have it doing the DNSSEC validation with the proxy option turned on for dnsmasq. I want to add a DNS adblocker to the network.

Adblock will strip off DNSSEC properties. No way around it. The DNSSEC validator should be on the internet side of adblock, if employed at all.

1 Like

What do you mean? I can dig DNSKEY and DS records while using stubby and adblock (DNSSEC is enabled in dnsmasq).

Adblock support thread - #2495 by timur.davletshin - that has some technical details on when DNSSEC may not work.

1 Like

To be honest, I don't recommend using Adblock with OpenWrt. I search on Google and Bing a lot for online shopping or where to purchase things. Adblock at the DNS level filters things out, even the searches I made, and when I clicked on them, the webpage showed errors.

My setup is OpenWrt for multi-WAN and routing/policy-based routing. For other security functions I connect it to OPNsense and do things there, such as DNSSEC and DNS-over-TLS with Unbound DNS for Google and Cloudflare.

Try checking your configuration like in this article: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/

My configuration of stubby + dnsmasq-full (regular dnsmasq lacks DNSSEC support) + adblock worked fine on those tests.

1 Like

It's not a problem with Adblock but with the filters you use. There is one thing about those filters that many don't understand: you should use ONLY filters developed specifically for DNS blocking. Open the source of that filter file and see if only domains are present. If so, use it; if you see wildcards or URL parameters, drop it, as it will not work as intended.

1 Like
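The check described in the post above (keep a list only if every entry is a plain domain), sketched as an added example that is not part of the thread. The function name and both sample lists are constructed for illustration; treating `#` as a comment marker and accepting hosts-style lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: "#" starts a comment, and
# hosts-style lines ("0.0.0.0 ads.example.com") count as plain domains.

# classify_list [FILE] -> prints "domains=N other=M" on stdout, lists rejected
# entries on stderr, and returns 1 if any entry is not a plain domain.
classify_list() {
    awk '
    /^[ \t]*#/ { next }                       # whole-line comment
    {
        sub(/\r$/, ""); sub(/[ \t]+#.*$/, "") # CRLF ending, trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "")           # trim surrounding whitespace
        if ($0 == "") next
        n = split($0, f, /[ \t]+/)
        # one field (domain) or two fields (sinkhole address + domain)
        ok = (n == 1) || (n == 2 && f[1] ~ /^(0\.0\.0\.0|127\.0\.0\.1|::|::1)$/)
        if (ok && f[n] ~ /^([A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?\.)+[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$/) { d++; next }
        o++; print "not a plain domain: " $0 > "/dev/stderr"
    }
    END { printf "domains=%d other=%d\n", d, o; exit (o > 0) }
    ' "$@"
}

# Constructed sample: a list written for DNS blocking.
sample_dns_list() {
    cat <<'EOF'
# constructed sample: domain-only list
ads.example.com
tracker.example.net
0.0.0.0 metrics.example.org
EOF
}

# Constructed sample: browser-extension filter syntax (wildcards, URL rules).
sample_abp_list() {
    cat <<'EOF'
! constructed sample: browser-extension filter syntax
||ads.example.com^
*.tracker.example.net
example.org/banner.js?size=300
example.com##.ad-banner
cdn.example.com
EOF
}

sample_dns_list | classify_list
sample_abp_list | classify_list || echo "drop this list for DNS blocking"
```

To check a downloaded list, pass its path as the argument: `classify_list /path/to/list.txt`.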

Adblock support thread - #2469 by dibdot - that's the reply to my comment about using those kinds of lists.

It will strip DNSSEC properties from altered records; my statement does not contradict your observations.

Of course it will. That's the idea of signing DNS records: for others not to modify them. But generally nothing is wrong with Adblock + DNSSEC.

1 Like
