Hi, I have installed AGH on my RPi4B OpenWrt after changing the dnsmasq port to 54. But AGH is not blocking the ads as it should. I am getting like 2-3% of ads blocked no matter how many adlists I use...
I am not behind any VPN nor using any extensions in the browser. Just the default setup on my computer and also on the RPi4B. I even added a port forwarding rule so that all the DNS requests pass through the AGH port.
Even then I don't understand what I should do with my current settings. AGH is working and blocking the ads, but not fully. How do I improve its efficiency? Sharing a few images here for reference. If more information is needed regarding my setup, please ask here and I will share the details...
What exactly is not being blocked? If you see advertisements in, for example, youtube videos, that's not what Adguard blocks. It only blocks domain lookups to known advertising sites. Embedded ads inside browser pages are outside AGH's scope, and you need to use browser-specific plugins to block those.
Hi, I am not talking about YouTube ads. I am seeing many ads, for example on wccftech.com/gizchina.com, where if I install and enable an adblocker extension in the browser, these ads disappear, but AdGuard Home fails to block them. On the Adblock Test website I get very low scores like 2-3% compared to others who get 95-99% adblocking.
I have a fiber optic connection (500/100 Mbps) which I have connected through its modem to the RPi4 with VLAN tagging (PPPoE connection). And the RPi4 is acting as router with DHCP server and adblocking function...
I strongly suspect that it's because of IPv6 addresses which is leading to inefficient adblocking...
Do you want to see my DHCP/firewall/port forwarding settings?
I am very frustrated because with the same hardware and same image others are getting better adblocking, but not me.... I don't understand this....
Yes, that's exactly what I'm talking about. AGH cannot block those ads because they are embedded content in the document page and no DNS lookups are involved to display them. When I go to wccftech.com, I see that uBlock Origin blocks 11 ads that are embedded in the page, since it parses the HTML and deletes the offending content.
If you see an ad on a page, and click on it, only then can AGH do anything and block lookup of the site, but until you click AGH can do nothing. AGH (and adblock and PiHole and all of them) are complementary technologies to browser-based blockers, you must have both to avoid seeing ads and sending data to the ad sites.
I can quote another example. If I use Adblock with its list and use unbound as local DNS resolver, my avoiding score improves a lot. How is that possible? I came the AGH way because of its beautiful interface and the ability to add n number of adblock lists including regex blocking and a few other advantages.
Should I show you the results of both methods if you don't believe me? I think Adblock works the same way as AGH, right?
No, I understand now. Yes, Adblock, AGH, PiHole and so on, all work exactly the same way: intercept DNS lookups and return NXDOMAIN when something on the blacklist is seen. The only differences are what they do in addition to that, some add a lot more logging and reporting burden, while others are as simple as possible to minimize overhead.
What does your current DNS system look like? First is the OpenWrt dnsmasq running on port 53, then AGH on dnsmasq's backend at port 5354 or something like that? If you could run uci show dhcp and paste the output, that would show us what's going on there. Here are the lines of interest:
$ uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
...
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '::1#5453'
dhcp.@dnsmasq[0].interface='br-lan'
...
Does your forward rule simply redirect all traffic going to the wan zone to the router port 53? Do you block port 853, too? The easiest way to debug this is just to look at the rules directly; here's what mine look like for DNS and DoT:
$ nft list ruleset | grep 53
meta l4proto { tcp, udp } th dport 53 redirect comment "DNS: Redirect all standard DNS to local server."
meta l4proto { tcp, udp } th dport 853 reject comment "DNS: Block all DoT."
So, I've got
clients/workstations -> dnsmasq:53
dnsmasq -> something:5453
something -> public-resolver (Quad9 in my case, could be google, cloudflare, whatever)
Once we understand your configuration, we can figure out what is bypassing what and how to stop the bypass.
Yup, I disabled it too. Even then I have very poor adblocking performance using AGH. I don't know what is wrong. I think my ISP also provides IPv6 and through this the ads are escaping the blocklists...
I use the "hard way", files in /usr/share/nftables.d/chain-post/..., which I don't think is appropriate for most people. I think you could just add a traffic rule like this using LuCI, seems like it should work.
I write all my rules in raw nft include files, so that I know that I'm covering both IPv4 and IPv6 appropriately. DoH is a difficult problem. My solution is to both block "by-name" DoH DNS lookups in my adblock list, and also "by-ip" with firewall rules. I have two sets of IP addresses in my firewall, with corresponding rules to reject access through those IPs.
table inet fw4 {
    set doh_ipv4 {
        typeof ip daddr
        timeout 7d
        comment "DNS: Block list for IPv4 DoH hosts."
    }
    set doh_ipv6 {
        typeof ip6 daddr
        timeout 7d
        comment "DNS: Block list for IPv6 DoH hosts."
    }
    ...
    chain mangle_prerouting {
        ...
        meta l4proto { tcp, udp } th dport 443 ip daddr @doh_ipv4 counter update @doh_ipv4 { ip daddr } reject comment "DNS: Block IPv4 DoH by selective IPv4 address."
        meta l4proto { tcp, udp } th dport 443 ip6 daddr @doh_ipv6 counter update @doh_ipv6 { ip6 daddr } reject comment "DNS: Block IPv6 DoH..."
A cron job runs a script to update the IP address sets from https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv${family}.txt every night.
Back to the problem at hand, you might want to do some tracing on what's getting out on what port...
opkg update
opkg install tcpdump
tcpdump 'dst port 53 || dst port 853'
or some variation on that (see https://www.tcpdump.org/manpages/pcap-filter.7.html for more than you ever wanted to know about tcpdump). When I run that with a browser running, I see my traffic is split about equally between IPv4 and IPv6, so that might indeed be your issue. Maybe add the IPv6 address of your AGH host in the DHCP settings?
dhcp.@dnsmasq[0].server='192.168.1.1#5353'
dhcp.@dnsmasq[0].server='fd??:????#5353' # fill in the ? with ULA for your AGH device...
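An added example (not from this thread) that summarises the tcpdump output described above: it groups destinations by address family and port and flags DNS/DoT flows that are not going to the router's own resolver, which is exactly the IPv4/IPv6 split to look for. ROUTER_V4, ROUTER_V6 and the sample lines are constructed placeholders.

```shell
# Added example, not from this thread: summarise 'tcpdump -n' lines by address
# family, destination and port, and flag DNS/DoT flows that are not going to the
# router's own resolver (i.e. bypassing AGH). ROUTER_V4/ROUTER_V6 are constructed
# placeholders; set them to the router's LAN IPv4 and IPv6 (ULA) addresses.
ROUTER_V4="${ROUTER_V4:-192.168.1.1}"
ROUTER_V6="${ROUTER_V6:-fd00::1}"

# Constructed sample of "tcpdump -n 'dst port 53 || dst port 853'" output.
SAMPLE='12:00:01.000001 IP 192.168.1.10.52344 > 192.168.1.1.53: 1+ A? example.com. (29)
12:00:01.000002 IP 192.168.1.10.52345 > 8.8.8.8.53: 2+ A? ads.example. (27)
12:00:01.000003 IP6 fd00::10.52346 > 2620:fe::fe.53: 3+ AAAA? cdn.example. (29)
12:00:01.000004 IP6 fd00::10.52347 > 2620:fe::fe.53: 4+ A? cdn.example. (26)
12:00:01.000005 IP 192.168.1.10.52348 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP6 fd00::10.52349 > fd00::1.53: 5+ A? lan.example. (25)'

# Reads tcpdump lines on stdin and prints "FAMILY DST PORT VERDICT COUNT",
# where VERDICT is LOCAL (sent to the router) or BYPASS (sent elsewhere).
dns_bypass_report() {
  awk -v r4="$ROUTER_V4" -v r6="$ROUTER_V6" '
    $2 == "IP" || $2 == "IP6" {
      dst = $5; sub(/:$/, "", dst)            # "8.8.8.8.53:" -> "8.8.8.8.53"
      n = split(dst, a, "."); port = a[n]     # port is the last dot-separated part
      host = substr(dst, 1, length(dst) - length(port) - 1)
      if (port != "53" && port != "853") next
      router = ($2 == "IP") ? r4 : r6
      verdict = (host == router) ? "LOCAL" : "BYPASS"
      count[$2 " " host " " port " " verdict]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

printf '%s\n' "$SAMPLE" | dns_bypass_report
```

On the router, feed it live output instead, e.g. `tcpdump -n -l 'dst port 53 || dst port 853' | dns_bypass_report`, and stop the capture with Ctrl-C after browsing for a while; any BYPASS line is traffic your redirect rule is not catching.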
I uninstalled AGH and tried to block ads with Adblock. After setting it up with its default blocklist, I am getting this result without any firewall rule!!!
It's funny, right? The basic Adblock package can do a lot more than the more advanced AGH without a firewall rule.
For now I think I will stick to Adblock and maybe I will try to add more custom blocklists if I succeed in editing its adlist. Maybe you could teach me how to simply do it.
I changed the DNS bind host address to 0.0.0.0 instead of the LAN IP of my RPi4 and also added the DNS intercept rule in the firewall where all the traffic is forwarded to the AGH DNS. In this way I could block 93% of ads, and using the uBlock Origin extension in the web browser I am getting 99-100% adblocking...