How to block ru crap?

LupusE · 2024-06-23T19:36:37.422Z

I am out... A router is a embedded device with a specialized purpose.
A GL-iNet works as router. It works great. What you want could be possible. But this is far away from usual/normal/supported.

What is wrong with the idea you posted at the very beginning? Sounds good, but it is so far away from normal home use. Just try and if there are issues, ask questions... But this meta discussion will not help anymore.

blocker · 2024-06-23T19:50:49.115Z

LupusE:

A router is a embedded device with a specialized purpose.

I meant to set up on raspberry and connect to router. Without new router

LupusE · 2024-06-23T20:06:55.333Z

Another short question without any content.

I don't know what to answer. Why should it not work?
The internet or an internet is build of different services. The services can run at one server or on different servers.

But you need to understand IP, port, DHCP, ... and maybe more.

slesar · 2024-06-24T05:37:12.242Z

Do you know what? You could do turn off dhcp in router and turn on adguard home with dhcp from raspberry pi. After that in router add manual IP address DNS from raspberry pi. Job done.

I had old router Huawei AX3 mesh and rasbeprry pi for Homeassistant with Adguard Home. Work perfect.
Now I upgraded new router Flint 2 and upgraded mini pc for proxmox with use home assistant, cctv connected to nas and docker. Better solutions that.

Anyway, I agree what @LupusE said.

slesar · 2024-06-24T05:41:16.358Z

I just tested my Adguard DNS and does work any Russian website

Screenshot_2024-06-24-06-40-03-517_com.brave.browser-edit1080×2400 171 KB

blocker · 2024-06-27T12:49:46.203Z

slesar:

just tested my Adguard DNS

They are paid crap. I don’t wish to pay. If I will not pay I will be product. So the only way to do it locally.

LupusE · 2024-06-27T14:59:23.231Z

In fact it is free and open source ... They are using parts of the codebase for their paid services as well, but it is free to use if you don't need a public DNS or whatever else the advantages of the subscription are.
You are free to download it, make a full audit and change everything you like.
And if you are really good, you could contribute to the project, so others can participate from your idea of a good, solid and secure system. If you make custom 'encrypted DNS' possible, a lot of people would praise you.

I don't see where the 'you are the product' comes from in this context. But I am open-minded, explain to me why this service should not be used. I'd like to know where my data flow, before I am using it in production.

There is an tested and working advise provided, as you asked in the first post.
And for me it seems a lot easier than building the whole framework myself.

blocker · 2024-06-27T15:50:57.978Z

LupusE:

I'd like to know where my data flow

Something like this. The best way to use VPN or Tor DNS to avoid this. Also DNS leaks etc. So local filtering better

LupusE:

free and open source

Open source is only that, that you can physically download.

I am not paranoid about local proprietary software (but I will limit it’s internet access), but you can’t control what hosted on server if it is not your server.

So who can guarantee that remote DNS server uses really open source software without hidden backdoors?

LupusE · 2024-06-27T16:20:09.469Z

I do not follow.

You will never own the DNS resolve path. You will need to trust anyone. The internet is based on 12 root DNS servers, hosted very secure anywhere by IBM. And because this is not enough to handle every request the DNS has a hierarchical cascading.
Simplified: Root DNS servers - Regularity DNS services - ISP DNS Server - Local DNS Server - Client.
And no matter what you will only have access to secure your local server. This could be a bind, a DNSMasq, a full blown Windows AD or a AdGuard Home -> But in every case, if the local server does not know the Hostname and the FQDN is not local, the DNS should ask the next one (Forward DNS Server) and cache the result for the next request.

Open source here means 'you can download it, install it and use it'. No payment at all.
You should not Internet access to DNS Servers of your DNS server, because they are outside.
Even with Tor DNS, the request will at some point be resolved by an outside server. And this is good. How should every server in the wold hold every domain-ip mapping?

blocker:

So who can guarantee that remote DNS server uses really open source software without hidden backdoors?

That is not the point.
The point is that you can use 'AdGuard Home' for free in your home network. And if you are willing to participate the development, you know they will use it also in their paid services. Open, transparent, fair.
As you want to use it for free, you are not allowed to use their provided DNS servers. So it should not be your problem if you can trust them or not. Your part is to download, audit the source, compile and use.

It is the same as using ipset or geoip from your first post.

blocker · 2024-06-27T17:12:36.479Z

LupusE:

Open source here means 'you can download it, install it and use it'. No payment at all.

I meant that it is better not to use someone’s DNS server especially if it cannot be downloaded to run locally (I mean self host)

If you can self host - you trust your server. If we talk about Adguard DNS case I trust them but I have much more requests per month like they give for free. Plus DNS will NOT block direct connection to russian ip. That functionality can be done locally:

address=/*.ru/0.0.0.0
address=/*.ru::/0

Another problem that GL gui doesn’t support custom encrypted DNS. Only plain.

And about something like Control D etc, I would like totally anonymised DNS (like Tor) or something Swiss like Proton or mullvad VPN not to share my data through something like “five eyes”.

And most “hilarious” thing: remote server can be DDOSed, blocked or even shut down.

By using “root” or VPN or Tor DNS you are mitigating such issues.

Also DNS provider without VPN will know too much about you: IP, website you are visiting, timing, possible client device.

And… If you turn on such DNS and VPN simultaneously you will face DNS leak

admon · 2024-06-27T19:33:57.956Z

So what's the point here?

Block by using dnsmasq like you already do and accept that you can't block russian IPs so far.

blocker · 2024-06-27T20:32:06.029Z

admon:

Block by using dnsmasq like you already do and accept that you can't block russian IPs so far

I done it. But if app talk by IP with server?

slesar · 2024-06-27T23:05:03.982Z

adguard-dns.io

Overview | AdGuard DNS Knowledge Base

With AdGuard DNS, you can set up your private DNS servers to resolve DNS requests and block ads, trackers, and malicious domains before they reach your device

I don't see paid or free account. Are you sure? Use own private adguard DNS server.
I paid Adguard VPN and free Personal tier which has 1000 custom rules. So free should lees number custom rules and you need one rule which can block all russian domains😏

blocker · 2024-06-27T23:59:16.786Z

slesar:

Are you sure?

Yes. 300K requests. I make more than 1 million, so…

IMG_38001170×926 104 KB

Good service, but unfortunately too castrated for free. I will better buy something like Burume (Gl device too) and use it in LAN to make everything filter if hosts block will overload CPU.

admon · 2024-06-28T00:08:06.773Z

Nothing you can do about it.

slesar · 2024-06-28T05:55:47.895Z

300k per month should be enough. If you or someone use devices every days then yes you need to buy adguard VPN (cheaper way).
Another option buy better gl router for home. Or buy mini PC server.

blocker · 2024-06-28T07:54:55.625Z

slesar:

buy better gl router for home

I need only cellular one.

slesar:

buy adguard

It is subscription… Of course no. I think I will run something on Burume. Maybe this will help

slesar · 2024-06-28T13:27:56.594Z

Have you try local domain "ru" in your router setting luci (network > dhcp and dns > general, local domain change "ru")

Alphax · 2024-06-28T14:02:35.191Z

I tried to block TLD by:

address=/*.ru/0.0.0.0

Rules in DNSMASQ and it is ok.

But OP should use RPi or something similar to block IPs. They are too heavy for regular router

blocker · 2024-06-28T22:36:25.661Z

Alphax:

Rules in DNSMASQ and it is ok.

I told above TLD blocked. The issue how to block direct (IP) access