Gedsh / InviZible

Android application for online privacy and security
https://invizible.net
GNU General Public License v3.0

IP blocklist is not working for me. Is it because of the way I have written them? #126

Closed JJenkx closed 2 years ago

JJenkx commented 2 years ago

Edit: it seems to be blocking pings to the addresses specified in the list. I am still investigating

Edit2: I believe this is specific to the browser (Vanadium) or maybe even specific to the GrapheneOS implementation of Vanadium. Terminal Pings to the IP addresses and visits to facebook.com on IceRaven browser both result in IPs being successfully blocked. I believe now that this should be closed unless I am missing something

I added the IP entries below, one per line, to the list in Menu > DNSCrypt Settings > Pattern-based IP blocking (IP blacklist)

I have Tor and I2P routing disabled and only have the "Protect DNS with DNSCrypt" box checked for this test.

I am using GrapheneOS with Android 12 and this test is being performed on a secondary user profile (full second profile, not work profile or similar). I expected not to be able to load facebook.com, and for a split second, facebook.com shows as unreachable when the browser (Vanadium) has all data cleared before this test. After that split second facebook.com loads up and the IP addresses contained in the list also show up under the main DNS tab of this app. Is the list format I am using supported? If these are not supported, is there a way to generate supported ranges for facebook owned IPs?

This is the command I used to generate the list. aggregate6 is a pip-installable program.

whois -h whois.radb.net -- '-i origin AS32934' | grep -ioP '^route:.*\s\K\d.*' | aggregate6
31.13.24.0/21
31.13.64.0/18
45.64.40.0/22
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
102.132.96.0/20
103.4.96.0/22
129.134.0.0/16
147.75.208.0/20
157.240.0.0/16
173.252.64.0/18
179.60.192.0/22
185.60.216.0/22
185.89.216.0/22
204.15.20.0/22

Gedsh commented 2 years ago

> Is the list format I am using supported?

https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-blocked-ips.txt

> this test is being performed on a secondary user profile

If InviZible is only installed in the main profile in VPN mode, it may or may not work, depending on the rom. It should definitely work in Root mode.

whois -h whois.1e100.net

You should also be aware that DNSCrypt does not actually block IP, but DNS if it resolves to the specified IP. So pay attention to the DNS cache.

JJenkx commented 2 years ago

Edit2: I discovered that dnscrypt does not accept ranges at all.

For anyone stumbling onto this, here is how I converted the CIDR notation IP list into a list for DNSCrypt.

See: scripts and files used below for this example

touch $HOME/completely.expanded.single.ips.txt && cat $HOME/ip.list.CIDR.notation.txt | while IFS= read -r line ; do $HOME/Scripts/cidrtoip "$line" >>$HOME/completely.expanded.single.ips.txt; done
touch $HOME/converted.to.dnscrypt.format.txt && cat $HOME/completely.expanded.single.ips.txt | perl -0777 -pe 's/^(\d+\.\d+\.\d+.)(0)(?:\1\d+|\n)+(?<=255)/$1*\n/gim' | perl -0777 -pe 's/(?<!\n)\n(?=\d)/\n\n/gim' > $HOME/converted.to.dnscrypt.format.txt

The file with the properly formatted schema for "ip-blacklist.txt" will be "converted.to.dnscrypt.format.txt"

Backup InviZible Pro to a zip file.

Paste the contents from file "converted.to.dnscrypt.format.txt" into IZBackup.zip/app_data/dnscrypt-proxy/ip-blacklist.txt

Save zip file

Restore from zip

These are the scripts and files used

cat $HOME/Scripts/cidrtoip

#!/usr/bin/env bash
# cidrtoip: expand IPv4 CIDR blocks given as arguments into one address per line.
# Usage: cidrtoip [-f] a.b.c.d/N [...]   (-f skips the network-boundary prompt)

############################
##  Methods
############################
# Print a 32-bit netmask as four space-separated binary octets,
# e.g. prefix 21 -> "11111111 11111111 11111000 00000000".
prefix_to_bit_netmask() {
    local prefix=$1 bitmask="" i num space
    for (( i=0; i < 32; i++ )); do
        num=0
        if [ "$i" -lt "$prefix" ]; then
            num=1
        fi

        space=
        if [ $(( i % 8 )) -eq 0 ]; then
            space=" "
        fi

        bitmask="${bitmask}${space}${num}"
    done
    echo "${bitmask# }"
}

# Invert each binary octet into a decimal wildcard (host) mask,
# e.g. "11111111 11111111 11111000 00000000" -> "0 0 7 255".
bit_netmask_to_wildcard_netmask() {
    local octet wildcard_mask=
    for octet in $1; do
        wildcard_mask="${wildcard_mask} $(( 255 - 2#$octet ))"
    done
    echo "${wildcard_mask# }"
}

# Print 1 if no host bit is set in the address (it is the network address), else 0.
check_net_boundary() {
    local net=$1 wildcard_mask=$2 is_correct=1 i net_octet mask_octet
    for (( i = 1; i <= 4; i++ )); do
        net_octet=$(echo "$net" | cut -d '.' -f "$i")
        mask_octet=$(echo "$wildcard_mask" | cut -d ' ' -f "$i")
        if [ "$mask_octet" -gt 0 ] && [ $(( net_octet & mask_octet )) -ne 0 ]; then
            is_correct=0
        fi
    done
    echo "$is_correct"
}

#######################
##  MAIN
#######################
OPTIND=1
force=
getopts "f" force
shift $(( OPTIND-1 ))

for ip in "$@"; do
    # The expansion below goes through eval, so refuse anything that is not
    # digits, dots and a slash before it can reach the shell.
    case $ip in
        ""|*[!0-9./]*) echo "skipping malformed entry: '$ip'" >&2; continue ;;
    esac

    net=$(echo "$ip" | cut -d '/' -f 1)
    prefix=$(echo "$ip" | cut -d '/' -f 2)
    do_processing=1

    bit_netmask=$(prefix_to_bit_netmask "$prefix")

    wildcard_mask=$(bit_netmask_to_wildcard_netmask "$bit_netmask")
    is_net_boundary=$(check_net_boundary "$net" "$wildcard_mask")

    if [ "$force" != 'f' ] && [ "$is_net_boundary" -ne 1 ]; then
        read -p "Not a network boundary! Continue anyway (y/N)? " -n 1 -r
        echo    ## move to a new line
        if [[ $REPLY =~ ^[Yy]$ ]]; then
            do_processing=1
        else
            do_processing=0
        fi
    fi

    if [ "$do_processing" -eq 1 ]; then
        # Build one brace expansion per octet, e.g. "31.13.{24..31}.{0..255}",
        # and let bash expand it into every address of the block.
        str=
        for (( i = 1; i <= 4; i++ )); do
            range=$(echo "$net" | cut -d '.' -f "$i")
            mask_octet=$(echo "$wildcard_mask" | cut -d ' ' -f "$i")
            if [ "$mask_octet" -gt 0 ]; then
                range="{$range..$(( range | mask_octet ))}"
            fi
            str="${str} $range"
        done
        ips=$(echo "${str# }" | sed 's/ /./g')   ## join the octets with periods

        eval echo "$ips" | tr ' ' '\012'
    fi

done

(Note: ip.list.CIDR.notation.txt should have a blank newline at the beginning and end of the file)

cat $HOME/ip.list.CIDR.notation.txt


31.13.24.0/21
31.13.64.0/18
45.64.40.0/22
66.220.144.0/20
69.63.176.0/20
69.171.224.0/19
74.119.76.0/22
102.132.96.0/20
103.4.96.0/22
129.134.0.0/16
147.75.208.0/20
157.240.0.0/16
173.252.64.0/18
179.60.192.0/22
185.60.216.0/22
185.89.216.0/22
204.15.20.0/22

Here is what my current ip-blacklist.txt looks like https://github.com/JJenkx/Personal/blob/main/ip-blacklist.txt
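A more direct way to do the conversion described in the thread, as an added example (not InviZible's or dnscrypt-proxy's own code, and not the cidrtoip/perl pipeline posted above): Python's ipaddress module splits each CIDR block at the nearest octet boundary and emits `a.b.c.*` prefix patterns, listing individual addresses only for blocks longer than /24, so a /21 becomes eight lines instead of 2048. It assumes the entry format of the example-blocked-ips.txt file linked in the reply above (an exact IPv4 address per line, or a prefix ending in `*` that matches the remaining octets) and, as the thread found, that CIDR notation itself is not accepted. The sample input is constructed from a few of the AS32934 prefixes above plus a /30 to exercise the per-address path; `is_exact` is a self-check that the generated patterns block exactly the union of the input blocks, neither more nor less.

```python
"""Expand IPv4 CIDR blocks into dnscrypt-proxy ip-blacklist prefix patterns.

Added example; not InviZible's or dnscrypt-proxy's code. Assumed entry format
(per example-blocked-ips.txt): one exact IPv4 address per line, or a prefix
ending in '*' such as '157.240.*'. CIDR input is assumed to be unsupported.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: a few AS32934 prefixes from the thread plus a /30
# (longer than /24) to exercise the per-address path.
SAMPLE_CIDRS = """
# comments and blank lines are ignored
31.13.24.0/21
129.134.0.0/16
157.240.0.0/16
204.15.20.0/22
203.0.113.8/30
"""


def parse_cidrs(text: str) -> List[str]:
    """Strip comments and blank lines from a CIDR list."""
    out: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def cidr_to_patterns(cidr: str) -> List[str]:
    """One CIDR block -> the fewest '*' patterns that cover exactly that block.

    strict=True rejects input with host bits set (e.g. 10.0.0.1/24), the case
    cidrtoip's "Not a network boundary!" prompt warns about.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError(f"unsupported network: {cidr}")
    # Round the prefix length up to the next octet boundary (8/16/24/32).
    aligned = min(32, -(-net.prefixlen // 8) * 8)
    if aligned == 32:
        # /25 .. /32: a '*' pattern would over-block, so list every address.
        return [str(a) for a in net]
    keep = aligned // 8  # leading octets the pattern spells out
    return [
        ".".join(str(sub.network_address).split(".")[:keep] + ["*"])
        for sub in net.subnets(new_prefix=aligned)
    ]


def convert(cidr_text: str) -> List[str]:
    """Whole CIDR list -> lines for ip-blacklist.txt."""
    patterns: List[str] = []
    for cidr in parse_cidrs(cidr_text):
        patterns.extend(cidr_to_patterns(cidr))
    return patterns


def matches(pattern: str, ip: str) -> bool:
    """Assumed dnscrypt-proxy semantics: a trailing '*' matches the remaining
    octets, anything else must match exactly. The '.' kept before '*' stops
    '157.24.*' from matching 157.240.x.x. This is applied to resolved answers,
    not to packets, which is why a cached DNS answer still loads."""
    if pattern.endswith("*"):
        return ip.startswith(pattern[:-1])
    return ip == pattern


def pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Inverse of the conversion, used by the self-check below."""
    if pattern.endswith("*"):
        octets = pattern[:-1].rstrip(".").split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")
    return ipaddress.ip_network(pattern + "/32")


def is_exact(cidrs: Iterable[str], patterns: Iterable[str]) -> bool:
    """True iff the patterns block exactly the union of the CIDR blocks: no
    pattern reaches outside them (over-blocking) and every block is fully
    covered (no gaps). Set algebra on networks, no per-host enumeration."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    pats = [pattern_to_network(p) for p in patterns]
    no_overblock = all(any(p.subnet_of(n) for n in nets) for p in pats)
    merged = list(ipaddress.collapse_addresses(pats))
    no_gap = all(any(n.subnet_of(m) for m in merged) for n in nets)
    return no_overblock and no_gap


if __name__ == "__main__":
    lines = convert(SAMPLE_CIDRS)
    if not is_exact(parse_cidrs(SAMPLE_CIDRS), lines):
        raise SystemExit("generated patterns do not match the input blocks")
    print("\n".join(lines))  # paste into app_data/dnscrypt-proxy/ip-blacklist.txt
```

Run it with the real aggregate6 output in place of SAMPLE_CIDRS and redirect stdout into ip-blacklist.txt; the `is_exact` guard refuses to emit a list that would block addresses outside the input (a pattern too short) or miss part of a block (a pattern too long), the two ways a hand-written regex conversion goes wrong.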