📡 OpenWrt Router Setup: DNS-based Adult Content Filtering
Overview
This guide describes how to use OpenWrt and SSH to set up network-wide adult content filtering using AdGuard Family DNS, DNS redirection, and the Adblock package.
✅ Step 1: Install Required Packages
opkg update
opkg install adblock luci-app-adblock
opkg install curl wget-ssl
opkg install tcpdump # optional for DNS inspection
✅ Step 2: Configure AdGuard Family DNS
uci set dhcp.@dnsmasq[0].noresolv='1'
uci add_list dhcp.@dnsmasq[0].server='94.140.14.15'
uci add_list dhcp.@dnsmasq[0].server='94.140.15.16'
uci set dhcp.@dnsmasq[0].resolvfile='/dev/null'
uci commit dhcp
/etc/init.d/dnsmasq restart
✅ Step 3: Enforce DNS Redirection (Prevents Bypass)
uci add firewall redirect
uci set firewall.@redirect[-1].name='Force-Safe-DNS'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].dest_ip='192.168.1.1' # Router IP
uci commit firewall
/etc/init.d/firewall restart
✅ Step 4: Start & Enable Adblock
/etc/init.d/adblock enable
/etc/init.d/adblock start
/etc/init.d/adblock status
✅ Step 5: Set Active Blocklists
uci add_list adblock.global.blocklist='adult'
uci add_list adblock.global.blocklist='youtube'
uci add_list adblock.global.blocklist='reg_chn'
uci commit adblock
/etc/init.d/adblock restart
✅ Step 6: Verify Filtering is Working
From the router:
nslookup pornhub.com 127.0.0.1
From a device on the LAN:
nslookup pornhub.com
You should see responses like 0.0.0.0 or NXDOMAIN.
🧪 (Optional) View DNS Traffic with tcpdump
tcpdump -i br-lan port 53
🧠 Notes
- Configuration files edited:
/etc/config/dhcp,/etc/config/firewall - You can also manage Adblock from LuCI under Services > Adblock
- Firewall redirection ensures no device can bypass your DNS settings
📦 Backup Config
sysupgrade -b /tmp/openwrt-backup.tar.gz
scp root@192.168.1.1:/tmp/openwrt-backup.tar.gz .