Need help to block certain websites

Hi to all.
It seems adblocker is not helping me for some reason.
I tried with Simple AdBlock, not blocking either.
I installed Pi-Hole in my network, not blocking either.

It seems my OpenWrt/LEDE is somehow configured and not blocking, or I don't know how to do it.
I run the latest Davidc502 build with OpenVPN and VPN Policy Routing.

Can somebody go step by step with me, helping with that?

Try iptables

For example

/usr/sbin/iptables -A FORWARD -m string --algo bm --string "facebook.com" -j DROP

Are you sure Adblock works for some sites? If not it's probably not configured correctly. If you are using an Android device you need to force it to use the router DNS by redirecting port 53.

config redirect
        option name 'Adblock DNS'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'


It would help to know more about your environment.
Your usage of VPN on the router also complicates things.
On the other hand, this will always be an uphill battle.

The blocking methods you tried rely on DNS-level blocking, which in turn relies on your clients even using plain local DNS, which is currently being "phased out" (DoH, DoT, DNSSEC ...).

Even one of your clients using its own VPN will defeat what you are trying to do.

I'd say either educate the users or lock down the clients (i.e. browser-level adblock).


Putting this rule in the /etc/firewall.user file does the work indeed.

I would also like to check the other suggestions, especially whether AdBlock is working or not.

I am not sure if AdBlock is actually working; how am I going to check that?
In the LAN I have some computers and Android devices.

I believe I have a complicated network setup, leading me to follow the 1st reply's method for blocking websites.

How did you add the domain you wanted to block, and how did you test it? Please post the config. If you open a blocked domain in a web browser it should just return an error. For instance, if you have enabled the "adaway" list then gemini.yahoo.com should not load.


Post the output of the following command inside preformatted text.
cat /etc/config/network; cat /etc/config/dhcp; ls -la /etc/resolv.conf; cat /tmp/resolv*

In the menu > Services > Adblock > Advanced tab > Edit blacklist tab, I added a domain, let's say facebook.com, and saved it.


root@OpenWrt:/etc/config# cat adblock 

config adblock 'global'
	option adb_fetchutil 'wget'
	option adb_trigger 'wan'
	option adb_dns 'dnsmasq'
	option adb_enabled '1'

config adblock 'extra'
	option adb_forcesrt '0'
	option adb_forcedns '0'
	option adb_maxqueue '4'
	option adb_nice '0'
	option adb_backup '0'
	option adb_report '0'
	option adb_debug '1'

config source 'adaway'
	option adb_src 'https://adaway.org/hosts.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on mobile ads, infrequent updates, approx. 400 entries'
	option enabled '1'

config source 'adguard'
	option adb_src 'https://filters.adtidy.org/windows/filters/15.txt'
	option adb_src_rset 'BEGIN{FS=\"[/|^|\r]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+[\/\^\r]+$/{print tolower(\$3)}'
	option adb_src_desc 'combined adguard dns filter list, frequent updates, approx. 17.000 entries'
	option enabled '1'

config source 'bitcoin'
	option adb_src 'https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on malicious bitcoin mining sites, infrequent updates, approx. 80 entries'
	option enabled '1'

config source 'blacklist'
	option adb_src '/etc/adblock/adblock.blacklist'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'static local domain blacklist, always deny these domains'
	option enabled '1'

config source 'disconnect'
	option adb_src 'https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'mozilla driven blocklist, numerous updates on the same day, approx. 4.700 entries'
	option enabled '1'

config source 'dshield'
	option adb_src 'https://www.dshield.org/feeds/suspiciousdomains_Low.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'generic blocklist, daily updates, approx. 3.500 entries'
	option enabled '1'

config source 'feodo'
	option adb_src 'https://feodotracker.abuse.ch/blocklist/?download=domainblocklist'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on feodo botnet, daily updates, approx. 0-10 entries'
	option enabled '1'

config source 'hphosts'
	option adb_src 'https://hosts-file.net/ad_servers.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|\$)+/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, monthly updates, approx. 19.200 entries'
	option enabled '1'

config source 'malware'
	option adb_src 'https://mirror.espoch.edu.ec/malwaredomains/justdomains'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'broad blocklist, daily updates, approx. 18.300 entries'
	option enabled '1'

config source 'malwarelist'
	option adb_src 'http://www.malwaredomainlist.com/hostslist/hosts.txt'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on malware, daily updates, approx. 1.200 entries'
	option enabled '1'

config source 'openphish'
	option adb_src 'https://openphish.com/feed.txt'
	option adb_src_rset 'BEGIN{FS=\"/\"}/^http[s]?:\/\/([[:alnum:]_-]+\.)+[[:alpha:]]+(\/|$)/{print tolower(\$3)}'
	option adb_src_desc 'focus on phishing, numerous updates on the same day, approx. 2.400 entries'
	option enabled '1'

config source 'ransomware'
	option adb_src 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on ransomware by abuse.ch, numerous updates on the same day, approx. 1900 entries'
	option enabled '1'

config source 'reg_cn'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on chinese ads plus generic easylist additions, daily updates, approx. 11.700 entries'
	option enabled '1'

config source 'reg_cz'
	option adb_src 'https://raw.githubusercontent.com/qxstyles/turris-hole-czech-block-list/master/turris-hole-czech-block-list'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on czech ads maintained by Turris Omnia Users, infrequent updates, approx. 100 entries'
	option enabled '1'

config source 'reg_de'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistgermany+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on german ads plus generic easylist additions, daily updates, approx. 9.200 entries'
	option enabled '1'

config source 'reg_id'
	option adb_src 'https://easylist-downloads.adblockplus.org/abpindo+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on indonesian ads plus generic easylist additions, weekly updates, approx. 9.600 entries'
	option enabled '1'

config source 'reg_nl'
	option adb_src 'https://easylist-downloads.adblockplus.org/easylistdutch+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on dutch ads plus generic easylist additions, weekly updates, approx. 9.400 entries'
	option enabled '1'

config source 'reg_pl'
	option adb_src 'http://adblocklist.org/adblock-pxf-polish.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on polish ads, daily updates, approx. 90 entries'
	option enabled '1'

config source 'reg_ro'
	option adb_src 'https://easylist-downloads.adblockplus.org/rolist+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on romanian ads plus generic easylist additions, weekly updates, approx. 9.400 entries'
	option enabled '1'

config source 'reg_ru'
	option adb_src 'https://easylist-downloads.adblockplus.org/ruadlist+easylist.txt'
	option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([[:alnum:]_-]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
	option adb_src_desc 'focus on russian ads plus generic easylist additions, weekly updates, approx. 14.500 entries'
	option enabled '1'

config source 'shalla'
	option adb_src 'http://www.shallalist.de/Downloads/shallalist.tar.gz'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'huge blocklist archive subdivided in different categories, daily updates. Check http://www.shallalist.de/categories.html for more categories'
	list adb_src_cat 'adv'
	list adb_src_cat 'costtraps'
	list adb_src_cat 'spyware'
	list adb_src_cat 'tracker'
	list adb_src_cat 'warez'
	option enabled '1'

config source 'spam404'
	option adb_src 'https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)+/{print tolower(\$1)}'
	option adb_src_desc 'generic blocklist, infrequent updates, approx. 6.000 entries'
	option enabled '1'

config source 'sysctl'
	option adb_src 'http://sysctl.org/cameleon/hosts'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, weekly updates, approx. 16.500 entries'
	option enabled '1'

config source 'urlhaus'
	option adb_src 'https://urlhaus.abuse.ch/downloads/rpz'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)+/{print tolower(\$1)}'
	option adb_src_desc 'urlhaus RPZ domains by abuse.ch, numerous updates on the same day, approx. 3.500 entries'
	option enabled '1'

config source 'ut_capitole'
	option adb_src 'https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'huge blocklist archive subdivided in different categories, daily updates. Check https://dsi.ut-capitole.fr/blacklists/index_en.php for more categories'
	option enabled '1'
	list adb_src_cat 'cryptojacking'
	list adb_src_cat 'ddos'
	list adb_src_cat 'malware'
	list adb_src_cat 'phishing'
	list adb_src_cat 'publicite'
	list adb_src_cat 'warez'

config source 'whocares'
	option adb_src 'http://someonewhocares.org/hosts/hosts'
	option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, weekly updates, approx. 10.000 entries'
	option enabled '1'

config source 'winspy'
	option adb_src 'https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'focus on windows spy & telemetry domains, infrequent updates, approx. 300 entries'
	option enabled '1'

config source 'winhelp'
	option adb_src 'http://winhelp2002.mvps.org/hosts.txt'
	option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
	option adb_src_desc 'broad blocklist, infrequent updates, approx. 13.000 entries'
	option enabled '1'

config source 'youtube'
	option adb_src 'https://api.hackertarget.com/hostsearch/?q=googlevideo.com'
	option adb_src_rset 'BEGIN{FS=\",\"}/^(r[0-9]+\.){1,1}([[:alnum:]_-]+\.)+[[:alpha:]]+/{sub(/\./,\"---\");print tolower(\$1)}'
	option adb_src_desc 'focus on youtube ad-related subdomains, dynamic request API, approx. 150 entries'
	option enabled '1'

config source 'yoyo'
	option adb_src 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on ad related domains, weekly updates, approx. 2.400 entries'
	option enabled '1'

config source 'zeus'
	option adb_src 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist'
	option adb_src_rset '/^([[:alnum:]_-]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'focus on zeus botnet by abuse.ch, daily updates, approx. 400 entries'
	option enabled '1'

"adaway" is enabled but I can visit and see the content of gemini.yahoo.com website.

root@OpenWrt:/etc/config# cat /etc/config/network; cat /etc/config/dhcp; ls -la /etc/resolv.conf; cat /tmp/resolv*

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.144.1'
	option metric '0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'
	option mtu '1500'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'
	option mtu '1500'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.146.1'
	option netmask '255.255.255.0'
	option metric '0'


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	list server '127.0.0.1#5300'
	option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

config domain
	option name 'tents.nat'
	option ip '192.168.144.127'

config domain
	option name 'tents.giorgos'
	option ip '192.168.144.148'

config domain
	option name 'weather.lan'
	option ip '192.168.144.209'

lrwxrwxrwx    1 root     root            16 Apr  6 19:14 /etc/resolv.conf -> /tmp/resolv.conf
search lan
nameserver 127.0.0.1
# Interface wan
nameserver 103.86.96.100
nameserver 103.86.99.100

There is no no-resolv defined in the config. You specify the upstream servers in the list server option, but it does not suppress reading of /etc/resolv.conf.
With the resolvfile option you specify the upstream servers in this file, instead of /etc/resolv.conf.

Which /tmp/resolv.conf.auto has:

uci set dhcp.@dnsmasq[0].noresolv="1"
uci commit dhcp
service dnsmasq restart
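The diagnosis in the two replies above (upstreams set with list server, while the resolvfile is still read because noresolv is missing) can be checked mechanically. This is an added example, not part of the original thread: the function names sample_config and audit_dnsmasq are hypothetical, and the embedded config is a constructed excerpt modelled on the posted /etc/config/dhcp.

```shell
#!/bin/sh
# Added example (not from the thread): audit the dnsmasq section of an
# OpenWrt /etc/config/dhcp for the missing noresolv setting diagnosed above.

# Constructed excerpt modelled on the posted config; "fixed" adds noresolv.
sample_config() {
    printf "config dnsmasq\n"
    printf "\toption resolvfile '/tmp/resolv.conf.auto'\n"
    printf "\tlist server '127.0.0.1#5300'\n"
    printf "\toption serversfile '/tmp/adb_list.overall'\n"
    if [ "${1:-}" = "fixed" ]; then printf "\toption noresolv '1'\n"; fi
    printf "\nconfig dhcp 'lan'\n\toption interface 'lan'\n"
}

# Reads a dhcp config (file argument or stdin). Returns 1 when dnsmasq would
# still forward to the resolvers in resolvfile next to the "list server" ones.
audit_dnsmasq() {
    awk -v q="'" '
        $1 == "config" { in_sec = ($2 == "dnsmasq"); next }  # track section
        !in_sec        { next }                              # skip other sections
                       { val = $3; gsub(q, "", val) }        # strip uci quotes
        $1 == "list"   && $2 == "server"     { upstreams = upstreams " " val }
        $1 == "option" && $2 == "noresolv"   { noresolv = val }
        $1 == "option" && $2 == "resolvfile" { resolvfile = val }
        END {
            if (noresolv == "1") {
                print "OK: noresolv=1, upstreams limited to:" upstreams
                exit 0
            }
            if (resolvfile == "") resolvfile = "/etc/resolv.conf"
            print "WARN: noresolv unset, dnsmasq also forwards to servers in " resolvfile
            exit 1
        }
    ' "$@"
}

# Demo on the constructed sample: before and after the uci fix.
sample_config       | audit_dnsmasq || true
sample_config fixed | audit_dnsmasq
```

On the router itself the same check is `audit_dnsmasq /etc/config/dhcp`.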

I'd see if adblock (full) with the blacklist works - does for me. I just add a domain in the LuCI adblock GUI and reload it.


I ran that and then adblock started working!
After a reboot I couldn't browse any websites anymore, but I could wget/curl/ping the outside world from the router and from the desktop.
I restored an archive I had and the browser started working again with adblock!

What kind of sorcery is that :nerd_face:

Well, it's crazy: the Adblocker is sometimes working, and other times it's not.