How to block ru crap?

admon · 2024-06-23T08:05:15.984Z

Does it work as well?

slesar · 2024-06-23T11:24:52.394Z

I think very simple in adguard home
Add manual filter:

||*.ru/^
||*.xn--p1ai$/^

Might be working second line is Cyrillic domain (*.рф)

blocker · 2024-06-23T12:18:56.091Z

slesar:

adguard home

X750 does not support adguard home. If it was so easy I wouldn’t post a post.

slesar · 2024-06-23T14:15:35.498Z

Why not try use mini server for example rasbeprry pi. It is cheap mini pc.

blocker · 2024-06-23T18:19:20.598Z

slesar:

Why not try use mini server

Why should I? I have raspberry 5 but for another reason. I want to filter directly on router. I don’t need to achieve “DPI level” quality, but simply make it harder to use crap.

LupusE · 2024-06-23T19:12:05.518Z

blocker:

Why should I?

Because the task of a router is to route networks. This can do it very good.
Because it is nice to have all in one and most home networks there is no administrator, most routers implement a basic function of DNS and Firewall. And this works for most people.

But your request is a lot more than an usual home network user 'needs'.
And therefore the suggested solution is to set up a full featured firewall/DNS with exactly the functions you want.

And I say this as someone who has a own VM for Firewall (OPNSense) and two for DNS (Bind/PiHole) ... Only because my needs are more than the usual home environment.

blocker · 2024-06-23T19:14:50.287Z

LupusE:

And I say this as someone who has a own VM for Firewall (OPNSense) and two for DNS (Bind/PiHole) ... Only because my needs are more than the usual home environment.

Will R-Pi 5 handle this setup? Is it free for use?

LupusE · 2024-06-23T19:18:40.423Z

If you know what you do, you can set up this at a Raspberry ... Bit this is a little much to describe here.

blocker · 2024-06-23T19:27:27.972Z

LupusE:

If you know what you do, you can set up this at a Raspberry

Will this work with Gl router? I don’t want to buy another one

LupusE · 2024-06-23T19:36:37.422Z

I am out... A router is a embedded device with a specialized purpose.
A GL-iNet works as router. It works great. What you want could be possible. But this is far away from usual/normal/supported.

What is wrong with the idea you posted at the very beginning? Sounds good, but it is so far away from normal home use. Just try and if there are issues, ask questions... But this meta discussion will not help anymore.

blocker · 2024-06-23T19:50:49.115Z

LupusE:

A router is a embedded device with a specialized purpose.

I meant to set up on raspberry and connect to router. Without new router

LupusE · 2024-06-23T20:06:55.333Z

Another short question without any content.

I don't know what to answer. Why should it not work?
The internet or an internet is build of different services. The services can run at one server or on different servers.

But you need to understand IP, port, DHCP, ... and maybe more.

slesar · 2024-06-24T05:37:12.242Z

Do you know what? You could do turn off dhcp in router and turn on adguard home with dhcp from raspberry pi. After that in router add manual IP address DNS from raspberry pi. Job done.

I had old router Huawei AX3 mesh and rasbeprry pi for Homeassistant with Adguard Home. Work perfect.
Now I upgraded new router Flint 2 and upgraded mini pc for proxmox with use home assistant, cctv connected to nas and docker. Better solutions that.

Anyway, I agree what @LupusE said.

slesar · 2024-06-24T05:41:16.358Z

I just tested my Adguard DNS and does work any Russian website

Screenshot_2024-06-24-06-40-03-517_com.brave.browser-edit1080×2400 171 KB

blocker · 2024-06-27T12:49:46.203Z

slesar:

just tested my Adguard DNS

They are paid crap. I don’t wish to pay. If I will not pay I will be product. So the only way to do it locally.

LupusE · 2024-06-27T14:59:23.231Z

In fact it is free and open source ... They are using parts of the codebase for their paid services as well, but it is free to use if you don't need a public DNS or whatever else the advantages of the subscription are.
You are free to download it, make a full audit and change everything you like.
And if you are really good, you could contribute to the project, so others can participate from your idea of a good, solid and secure system. If you make custom 'encrypted DNS' possible, a lot of people would praise you.

I don't see where the 'you are the product' comes from in this context. But I am open-minded, explain to me why this service should not be used. I'd like to know where my data flow, before I am using it in production.

There is an tested and working advise provided, as you asked in the first post.
And for me it seems a lot easier than building the whole framework myself.

blocker · 2024-06-27T15:50:57.978Z

LupusE:

I'd like to know where my data flow

Something like this. The best way to use VPN or Tor DNS to avoid this. Also DNS leaks etc. So local filtering better

LupusE:

free and open source

Open source is only that, that you can physically download.

I am not paranoid about local proprietary software (but I will limit it’s internet access), but you can’t control what hosted on server if it is not your server.

So who can guarantee that remote DNS server uses really open source software without hidden backdoors?

LupusE · 2024-06-27T16:20:09.469Z

I do not follow.

You will never own the DNS resolve path. You will need to trust anyone. The internet is based on 12 root DNS servers, hosted very secure anywhere by IBM. And because this is not enough to handle every request the DNS has a hierarchical cascading.
Simplified: Root DNS servers - Regularity DNS services - ISP DNS Server - Local DNS Server - Client.
And no matter what you will only have access to secure your local server. This could be a bind, a DNSMasq, a full blown Windows AD or a AdGuard Home -> But in every case, if the local server does not know the Hostname and the FQDN is not local, the DNS should ask the next one (Forward DNS Server) and cache the result for the next request.

Open source here means 'you can download it, install it and use it'. No payment at all.
You should not Internet access to DNS Servers of your DNS server, because they are outside.
Even with Tor DNS, the request will at some point be resolved by an outside server. And this is good. How should every server in the wold hold every domain-ip mapping?

blocker:

So who can guarantee that remote DNS server uses really open source software without hidden backdoors?

That is not the point.
The point is that you can use 'AdGuard Home' for free in your home network. And if you are willing to participate the development, you know they will use it also in their paid services. Open, transparent, fair.
As you want to use it for free, you are not allowed to use their provided DNS servers. So it should not be your problem if you can trust them or not. Your part is to download, audit the source, compile and use.

It is the same as using ipset or geoip from your first post.

blocker · 2024-06-27T17:12:36.479Z

LupusE:

Open source here means 'you can download it, install it and use it'. No payment at all.

I meant that it is better not to use someone’s DNS server especially if it cannot be downloaded to run locally (I mean self host)

If you can self host - you trust your server. If we talk about Adguard DNS case I trust them but I have much more requests per month like they give for free. Plus DNS will NOT block direct connection to russian ip. That functionality can be done locally:

address=/*.ru/0.0.0.0
address=/*.ru::/0

Another problem that GL gui doesn’t support custom encrypted DNS. Only plain.

And about something like Control D etc, I would like totally anonymised DNS (like Tor) or something Swiss like Proton or mullvad VPN not to share my data through something like “five eyes”.

And most “hilarious” thing: remote server can be DDOSed, blocked or even shut down.

By using “root” or VPN or Tor DNS you are mitigating such issues.

Also DNS provider without VPN will know too much about you: IP, website you are visiting, timing, possible client device.

And… If you turn on such DNS and VPN simultaneously you will face DNS leak

admon · 2024-06-27T19:33:57.956Z

So what's the point here?

Block by using dnsmasq like you already do and accept that you can't block russian IPs so far.