> On 27 Jul 2019, at 16:34, Art Greenberg <a...@artg.tv> wrote:
>
> I had been running dnsmasq on a machine on my network and using addn-hosts
> for ad blocking. My router was configured with my ISP's DNS servers.
>
> I used "net:red" to assign the router as DNS server for certain devices (Roku
> streamers, notably) to avoid the ad blocking, because some of the apps on the
> router would not work properly with the ad blocking in place. This told those
> devices to go directly to the router for DNS services.
>
> router/gateway 192.168.2.1
> dnsmasq machine 192.168.2.11
>
> ## dnsmasq.conf fragment
>
> domain-needed
> bogus-priv
> no-resolv
> local=/artg.tv/
> interface=eth0
> domain=artg.tv
> server=8.8.8.8,8.8.4.4
>
> dhcp-option=option:dns-server,192.168.2.11
> ## use dnsmasq machine for DNS
> dhcp-option=net:red,option:dns-server,192.168.2.1
>
> dhcp-host=00:01:03:27:84:95,192.168.2.15,martha
> ## typical of computer assignments
> dhcp-host=d8:31:34:36:d0:18,192.168.2.135,ROKU-1-WIFI,net:red
> ## typical of ad blocking avoidance
>
> ## end dnsmasq.conf fragment
>
> This all worked fine.
>
> Then I obtained a newer router and installed OpenWRT on it. This, too, worked
> fine until I moved dnsmasq onto the router. The configuration now looks like
> this:
>
> router/gateway 192.168.2.1
> dnsmasq machine 192.168.2.1
>
> ## dnsmasq.conf fragment
>
> domain-needed
> bogus-priv
> no-resolv
> local=/artg.tv/
> interface=br-lan
> domain=artg.tv
> server=8.8.8.8,8.8.4.4
>
> dhcp-option=option:dns-server,192.168.2.1
> ## use dnsmasq on the router for DNS
> dhcp-option=net:red,option:dns-server,8.8.8.8,8.8.4.4
> ## Google public DNS servers
>
> dhcp-host=00:01:03:27:84:95,192.168.2.15,martha
> ## typical of computer assignments
> dhcp-host=d8:31:34:36:d0:18,192.168.2.135,ROKU-1-WIFI,net:red
> ## typical of ad blocking avoidance
>
> ## end dnsmasq.conf fragment
>
> Now the Roku streamers and some of the apps on them aren't so happy. Despite
> the "net:red" tag, dnsmasq is intercepting all DNS requests and it is
> returning 0.0.0.0 when the host being looked up is in one of the addn-hosts
> files.
dnsmasq won't be intercepting requests, it will answer requests that are sent
to it. It doesn't snoop on the wire looking for requests to hijack. That sort
of behaviour can be configured with firewall rules, i.e. redirect any packets
sent to port 53 on this host to another host/port combination. Indeed adblock
itself has this exact option to do so, it's called 'option adb_forcedns'. It
would be worth checking this is set to '0'. Also it would be worth checking on
the router that something else hasn't done this sort of redirection. adblock
implements it with the following rules:

iptables -v -t nat -L | grep -i adblock
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
   30  2164 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353
   32  9171 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353

Cheers,
Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
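The two checks Kevin suggests (is adblock's `adb_forcedns` switch on, and does the nat table hold rules diverting DNS ports) can be scripted so they run on the router and on saved output alike. The script below is an added example for this thread, not code from dnsmasq, adblock or either poster. It parses `iptables -v -t nat -L` text for REDIRECT/DNAT rules on ports 53, 853 and 5353 (accepting both numeric ports and the `domain`/`mdns` service names iptables prints without `-n`), flags the rules whose packet counters show they have actually matched traffic, and reads `option adb_forcedns` from an `/etc/config/adblock` style file. The sample rule listing and config fragment are constructed, modelled on the output quoted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example for the thread above; not code from dnsmasq, adblock or the
# original posters. Implements the two checks from the reply on an OpenWrt
# (fw3/iptables era) router:
#  1. is 'option adb_forcedns' set in /etc/config/adblock?
#  2. does the nat table hold REDIRECT/DNAT rules that hijack DNS ports
#     (53, 853, 5353), whether from adblock or anything else?
# Every check is a function over stdin, so it runs offline on the constructed
# samples below and unchanged on live router output.

# Constructed sample modelled on the `iptables -v -t nat -L` listing in the
# reply, plus an unrelated MASQUERADE rule that must be ignored.
SAMPLE_NAT_RULES='Chain PREROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
   30  2164 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:domain /* !fw3: Adblock DNS, port 53 */ redir ports 53
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:853 /* !fw3: Adblock DNS, port 853 */ redir ports 853
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353
   32  9171 REDIRECT   udp  --  any    any     anywhere             anywhere             udp dpt:mdns /* !fw3: Adblock DNS, port 5353 */ redir ports 5353

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 MASQUERADE all  --  any    eth0    192.168.2.0/24       anywhere'

# Constructed /etc/config/adblock fragment with the force-DNS switch enabled.
SAMPLE_ADBLOCK_CONFIG="config adblock 'global'
    option adb_enabled '1'
    option adb_forcedns '1'"

# dns_redirects: read `iptables -v -t nat -L` text on stdin and print one line
# "proto dport redirected_to pkts" per REDIRECT or DNAT rule whose destination
# port is a DNS port. Accepts numeric ports (dpt:53) and the /etc/services
# names iptables prints without -n (dpt:domain, dpt:mdns).
dns_redirects() {
    awk '
        function portnum(p) {
            if (p == "domain")   return "53"
            if (p == "domain-s") return "853"
            if (p == "mdns")     return "5353"
            return p
        }
        $3 == "REDIRECT" || $3 == "DNAT" {
            dport = ""; to = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) dport = portnum(substr($i, 5))
                if ($i == "ports" && $(i - 1) == "redir") to = $(i + 1)
                if ($i ~ /^to:/) to = substr($i, 4)
            }
            if (dport == "53" || dport == "853" || dport == "5353")
                print $4, dport, to, $1
        }'
}

# active_dns_redirects: only the rules whose packet counter is non-zero, i.e.
# rules that have really diverted traffic since the counters were last reset.
active_dns_redirects() {
    dns_redirects | awk '$4 > 0'
}

# adb_forcedns: read an /etc/config/adblock style file on stdin and print the
# value of option adb_forcedns, or "0" (off) when the option is absent.
adb_forcedns() {
    val=$(awk '$1 == "option" && $2 == "adb_forcedns" { print $3; exit }' | tr -d "'\"")
    printf '%s\n' "${val:-0}"
}

# On the router the same functions consume live data:
#   iptables -v -t nat -L | dns_redirects
#   adb_forcedns < /etc/config/adblock    (or: uci -q get adblock.global.adb_forcedns)
printf 'adb_forcedns in sample config: %s\n' "$(printf '%s\n' "$SAMPLE_ADBLOCK_CONFIG" | adb_forcedns)"
printf 'DNS redirect rules that have matched packets (proto dport to pkts):\n'
printf '%s\n' "$SAMPLE_NAT_RULES" | active_dns_redirects
```

On the sample data the active list is the two udp rules (53 and 5353), which is exactly the pattern in the quoted output: a device told by DHCP to use 8.8.8.8 still has its udp/53 queries redirected to the router's own port 53, so the `net:red` tag is doing its job while the nat rule undoes it. Rules with a zero counter are still worth removing, since they fire as soon as a client tries DoT or tcp fallback. The parser targets the fw3/iptables listing format from the thread; on fw4-based OpenWrt releases the equivalent information is in `nft list ruleset` and would need a different parser.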
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss