[0] https://nextdns.io [1] https://github.com/openwrt/packages/blob/master/net/adblock/...
So anything else I can try which will work out of the box? For links and guides I'd be happy. PS: I got dual antennas what would come into your mind to do with it?
Ghostery with ad-blocking, anti-tracking and Never Consent enabled with Fanboy's Annoyance List added to custom filters
Mullvad DNS
If you are serious about network-side blocking, do TLS interception (lmao), but that is a lot of maintenance, adds other attack surface, and the average OpenWrt device isn't beefy enough for such things.
Firefox and Ublock Origin against ads.
There is cooler stuff for Openwrt. Mesh nets between friends, to share internal services. Just tinkering with and learning about network stuff. Adding ipv6 to tunnel if isp doesn't support. Having Wifi whose autochannel doesn't suck.
Dual antennas -> sword fighting. Only fun with multiple devices and dabbling with mesh mode or throughput maxing. In ax dual-channel 40 MHz + 160 MHz bandwidth, the throughput is faster than some cables.
- Look at https://nextdns.io as an alternative.
- I use uBlock Origin and NextDNS at home.
https://openwrt.org/docs/guide-user/services/dns/adguard-hom...
But as you might have figured out from my use of Chrome, I'm mostly ok with the fact that Google knows everything about me. So I'm probably not the best person to ask.
The ideal setup I want to try is to have something like AdGuard Home at the router. My current setup on our devices already has the AdGuard app running with NextDNS as the DNS resolver. This setup works pretty well while connecting to any network. NextDNS handles the DNS, while the AdGuard AdBlocker works well on the client side in all browsers.
Issues pop up occasionally when the OS gets upgraded, but they are bearable. https://brajeshwar.com/2024/i-block-ads/
After 15 years of using NoScript this way I have developed a sixth sense for the minimal set of individual hostnames/IPs that need to be JS-allowed on a typical site. I'm quite fast at it. But wix.com-hosted sites and others like it that have one JS domain required to load another and so on, serially 5x deep, I just close rather than refreshing the page 5 times.
I don't like the idea of network level blocking because I have to disable my adblocker due to broken websites on a fairly regular basis, and disabling a network blocker is just too much hassle, especially when thinking about DNS results caching etc.
I've kept the blocklists in AdGuard Home small, and then it works fine, but if I add hundreds of thousands of blocked domains, it gets painfully slow on my EdgeRouter X running OpenWrt.
DNS ad blocking doesn't work well anymore, too many sites block you if you use it. But I use NextDNS for my mobile devices anyway because there's nothing you can easily use that's better. Firefox does have an Android build that will load uBlock Origin but I am still using Chrome on my phone.
My problem isn’t being shown an ad beside content I’m consuming, it’s being tracked.
I use a defence-in-depth strategy to block unwanted content:
1: on the router (OpenWRT running in a container on Proxmox), network blocking using nftables sets. This includes both advertising-related networks as well as emerging threats.
2: on the router, DNS blocking using several block lists as well as my own custom lists.
3: on the router, DNS masquerading to enforce the use of my own DNS server. This only works for applications which use normal DNS so I tend to disable DoH (DNS over HTTP) and other such things when possible. If applications insist on trying to force me to use their own idea of what a DNS service looks like I will stop using those applications if there are useable alternatives. This is my network, these are my computers, this is my domain, this is my internet connection and I am the one who controls which traffic goes where.
4: on client devices, network blocking using nftables sets or (on some devices) ipset lists.
5: on client devices, DNS blocking using the hosts file
6: on some Android client devices, content blocking through a device-local VPN
7: on client applications like browsers, content blocking through either extensions like uBlock Origin and/or by using native content blocking capabilities (e.g. the Cromite browser on Android which I use when I have to test something with a non-Firefox browser)
8: as a last resort, my hands and eyes. If somehow advertising makes its way past all the hurdles I throw in its path I just close the page/application/window. Thou Shall Not Pass and that's it.
While all this may sound like a lot of work it actually is not. I set up the blocking on the router once and keep the lists up to date automatically using a cron job. The same is true for client devices. Once installed the stuff mostly does its job without bothering me apart from some pages not working - so what, there's enough alternatives out there. I don't like ads, get it? No ads, zip, nada, zilch. Don't Advertise On Me.
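The router-side layers in the post above (an nftables IP set, DNS blocking from lists, forcing LAN clients onto the router's resolver, and a cron job that refreshes everything) fit in one small script. The following is an added example written for this page, not code from the poster or from any project; it assumes an OpenWrt router whose dnsmasq reads extra config from /tmp/dnsmasq.d, a LAN bridge named br-lan with router address 192.168.1.1, and nftables (fw4). The list URLs are placeholders, and the list formats handled (hosts-style domain lists, plain IPv4/CIDR lists) are my assumption about what the poster feeds it.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Assumes OpenWrt with dnsmasq
# reading /tmp/dnsmasq.d, LAN bridge br-lan at 192.168.1.1, nftables (fw4).
set -eu

# Normalise a hosts-format blocklist on stdin to one lowercase domain per line:
# strip comments/whitespace, accept "0.0.0.0 d", "127.0.0.1 d", "::1 d" or a bare
# "d", and keep only DNS names whose last label starts with a letter (this also
# rejects the "0.0.0.0 0.0.0.0" and "localhost" boilerplate such lists carry).
# Output is sorted and deduplicated so dnsmasq loads it faster.
normalize_hosts_list() {
    tr 'A-Z' 'a-z' \
    | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | awk 'NF == 1 { print $1; next }
           NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1") { print $2 }' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z][a-z0-9-]*$' \
    | grep -Ev '^localhost\.localdomain$' \
    | sort -u
}

# dnsmasq syntax: "local=/d/" makes dnsmasq answer NXDOMAIN for d and all its
# subdomains itself, with no upstream query at all (fail closed, and clients get
# a clean NXDOMAIN instead of a 0.0.0.0 sinkhole they then try to connect to).
domains_to_dnsmasq() {
    awk '{ printf "local=/%s/\n", $1 }'
}

# The same list as an /etc/hosts fragment for client devices.
domains_to_hosts() {
    awk '{ printf "0.0.0.0 %s\n", $1 }'
}

# Turn an IPv4/CIDR list (e.g. an "emerging threats" feed) into one nft
# "add element" command for the blocked_v4 set declared in nft_ruleset below.
# Anything that is not an IPv4 address or prefix is dropped; empty input
# produces no command, so a failed download cannot break the ruleset load.
ips_to_nft_elements() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | sort -u \
    | awk '{ e = e (n++ ? ", " : "") $1 }
           END { if (n) printf "add element inet adblock blocked_v4 { %s }\n", e }'
}

# nftables ruleset: (1) any LAN client's plain DNS (53/udp and 53/tcp) not already
# aimed at the router is DNAT'ed to it, so hard-coding 8.8.8.8 on a device changes
# nothing; (2) forwarded traffic to any address in blocked_v4 is counted and dropped.
# Caveat: DoH (443) and DoT (853) are not plain DNS and pass through untouched.
nft_ruleset() {
    lan_if=$1
    router_ip=$2
    cat <<EOF
table inet adblock {
    set blocked_v4 {
        type ipv4_addr
        flags interval
        auto-merge
    }
    chain dns_redirect {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$lan_if" meta l4proto { tcp, udp } th dport 53 ip daddr != $router_ip counter dnat ip to $router_ip
    }
    chain block_ips {
        type filter hook forward priority filter; policy accept;
        ip daddr @blocked_v4 counter drop
    }
}
EOF
}

# Cron job body, e.g. "0 4 * * * /root/adblock-update.sh update". The table is
# deleted before reloading so rules are not appended twice on every run.
update_lists() {
    hosts_url=${1:-https://lists.example.invalid/hosts.txt}   # placeholder URL
    ips_url=${2:-https://lists.example.invalid/ips.txt}       # placeholder URL
    wget -qO- "$hosts_url" | normalize_hosts_list > /tmp/adblock.domains
    domains_to_dnsmasq < /tmp/adblock.domains > /tmp/dnsmasq.d/adblock.conf
    { nft_ruleset br-lan 192.168.1.1
      wget -qO- "$ips_url" | ips_to_nft_elements; } > /tmp/adblock.nft
    nft delete table inet adblock 2>/dev/null || true
    nft -f /tmp/adblock.nft
    /etc/init.d/dnsmasq restart
}

# Only act when invoked as "adblock-update.sh update [hosts_url] [ips_url]";
# sourcing the file just defines the helpers.
if [ "${1:-}" = "update" ]; then
    update_lists "${2:-}" "${3:-}"
fi
```

Two design points worth noting: `local=/d/` keeps the blocked lookups from ever leaving the router, which is what makes the DNS layer fail closed, and the DNAT rule deliberately excludes packets already addressed to the router so its own answers are not rewritten. Testing the redirect from a LAN client is a matter of `nslookup example.com 8.8.8.8` and checking that the `counter` on the dns_redirect rule increments.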
Otherwise, I use Firefox + uBlock Origin + Privacy Badger and also have redundant PiHole servers.
On Apple TV, I have the NextDNS profile installed, but it still doesn’t work.
Most of the community forum posts on NextDNS don’t get any answers. I’m sure the DNS servers exist, but the clients and the configuration options have not been supported by the creators.
I wouldn’t recommend NextDNS to anyone because of this apathy by its creators.
Tangential topic: I see some suggestions for NextDNS here as an additional layer. I can’t speak for Android, but if you’re looking for iOS/iPadOS/macOS/tvOS, note that NextDNS does not work well on these. The app hasn’t been updated for several years and toggling on the app does nothing (I like the app because I can quickly switch it off and on when needed, which cannot be done with a profile). Most of the time the test page at test.nextdns.io shows as “unconfigured”. Even the profile installation approach does not work on Apple TV (I’ve tried this a few times). Overall, the NextDNS servers around the world exist, but there is zero support and maintenance on the client side for the platforms I mentioned. The community forum has posts about issues that the founders don’t respond to.
At least on macOS, I have Little Snitch that acts as a system wide blocker (one can subscribe to blocking lists just like in uBlock Origin).
The software runs fine on a lot of hardware. I have it dockerized (via ansible) and deployed on a couple of regular mini-PCs.
You can run it on a lot of hardware these days, or containerized.
I’m trying Quad9 on the upstream DNS but not very familiar with it. What y’all think?
I view these as security and telemetry blockers primarily, they happen to block a lot of ads too.
Pi-Hole is worth it, I highly recommend it. You don't need a Pi, just grab a cheap used mini PC off eBay. It's been a total set-and-forget thing.
Try them out and see which one you prefer.
All these work similarly to Pi-hole. If you choose an option that integrates with ipset, you can get slightly stronger blocking by also blocking the IPs associated with the hostnames.
As others mentioned, it's good to couple with a client-side filter like uBlock origin.
I'm always using gluetun VPN hosted on a VPS with these two options: BLOCK_ADS=on BLOCK_SURVEILLANCE=on, and I don't see any ads anywhere, even on the Twitter site!
It’s not an ”out of the box” solution. But when it’s set up you get encrypted DNS requests and network wide ad blocking.
All in a few megabytes.
i used to use pihole, and i'll totallyyyyy get around to setting my homelab back up soon ( and adguard home is also on my radar :3 )
I've never had the former happen, but it's something to be aware of.
Tangential question - what is the best solution for iPhone? On Androids you can use Firefox with uBlock, but it seems none of the Safari extensions on iPhone actually work, I tried some paid ones too. Brave seems to work decently well, but I have no idea why - if other browsers have some OS limitation, how does Brave go around it?
I do have problems updating it on my MacBook though
* Portmaster on any desktop - for better security and privacy
* TrackerControl on Android - not technically written for ad blocking but it works for 90% of ads
* uBlock Origin + Decentraleyes + Consent-O-Matic and the cookie flag on Firefox.
What I like about Adguard is that I can more freely switch between browsers without needing to take into account how well their builtin blocking works or if they still support Mv2. And just like with my choice to use 1password over self-hosting Bitwarden, I’ll gladly pay a bit more if it means not having to maintain yet another service.
I run pihole in a VM myself. And it works nicely. It doesn't use very much in the way of resources either. In fact, I've been thinking about moving to a docker/podman container.
I don't use "upstream" resolvers either. Rather, I use my own recursive resolver.
Those plus uBlockOrigin do the job quite nicely for me.
So I threw the router out the window, and signed up to rent CPE from my ISP; edge router security is now 100% their responsibility!
AdGuard also has the ability to cache. But I haven't seen it significantly speed up my page loads. The default resolution itself is much slower on AdGuard + Cloudflare DNS compared to Blocky + Cloudflare DNS. So this makes AdGuard a double whammy.
I'm running them as system service on my laptop, and using my localhost as dns proxy.
I'm sure even VPN + YT Premium would be cheaper than local subscription pricing .
Many modern consumer routers contain processors and memory which can easily handle AdGuard Home. I have a GL.iNet MT-6000 with a MediaTek Filogic 830 processor which has 4 ARM A53 cores running at 2 GHz and offloads wifi and wired network packet processing from the cores. It also has 1 GB of DDR4 memory. It has no problem handling AdGuard Home and my 1 Gb/s internet connection, and gives me around 900 Mb/s of WireGuard throughput.
Turning off JavaScript in browsers is magic, it works everywhere, PCs, Android, Windows, etc. It not only kills ads but almost all of the other garbage that website programmers do to deliberately annoy the hell out of web surfers.
JavaScript programmers take note: turning JS off makes the web sing, up goes the rendering speed, pages appear much, much faster, and all that jerkiness disappears, and most of the spying on users also disappears. Web pages often drop from 7 or 8MB per page to as low as several hundred kB—that's over a 20:1 reduction in download size! It's a magic solution.
Websites that won't render with JS turned off I simply bypass, as they say "there are plenty more fish in the sea" — many more webpages than I can ever hope to visit in a lifetime.
If only users knew the advantages of turning off JS, many more would do it. Remember, JS is there mostly to benefit advertisers and website owners who want to spy on users; it's not there to benefit you, the user!
Despite what they say almost everything that can be done on the web can be done without JavaScript. Sorry JavaScript programmers and aficionados, it's just a fact.
Turning JS off is one of the few remaining defenses we have against you nasty advertisers and website owners.
it’s pretty straightforward to set up and works out of the box. Also, if you’re building any sites yourself, something like GetProduct dev could be useful for subtle monetization with affiliate links instead of cluttering with ads.
Keeps things clean!
It seems to be all I need. I like that it blocks the crap on all browsers without needing to install extensions. Youtube is still practically useless though.
NextDNS at the network level for all of my devices that support tailscale[1] wherever they may be in the world.
NextDNS for any other home devices via my router's DNS settings.
Ad blockers pretty much all rely on community-maintained block-lists, there are always going to be mistakes in those that break some sites, or some sites might not act well when unable to send ad/tracking events. I recently had an issue booking a train, which was because of this, turned off the ad blocker and it worked fine, not something that's as easy to do with network level blocking, especially if it was set up by someone else and you're not a technical person. Not booking the train because their site is bad is not a realistic option.
> but if you’re looking for iOS/iPadOS/macOS/tvOS, note that NextDNS does not work well on these
If your situation supports it I've had zero issues (since May 2021) using NextDNS via tailscale[1] on all of the above devices[2].
I do realise it's not feasible to ask people to set up a VPN just for some adblocking but it's a decent option if you were going to do it anyway :)
[1]: https://tailscale.com/kb/1218/nextdns
[2]: Yes even tvOS: https://tailscale.com/kb/1280/appletv
You can control it with the lil purple shield icon to the left of the address bar (not that you're obliged to disable it for some website just because they asked, of course!)
https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
Phone: Hyperweb (for redirections to alternative frontends) + AdGuard Pro + ControlD DNS-over-HTTPS
Router: ControlD DNS-over-HTTPS
If you're using OpenWRT, check out AdGuard Home. But keep in mind that DNS blocking solutions aren't going to be as effective as tools like uBlock that review the DOM and apply styling filters. Both would work hand-in-hand.
AdGuard DNS 94.140.14.14 94.140.15.15
tl;dr
* It works across all devices (it will block ads at the DNS level even when your phone is on the cellular network, where you usually cannot set the DNS servers).
* To disable it for a few minutes, just disconnect from TS or deselect "Use TS DNS."
I also have whole-network blocking via AdGuard running on a Pi. AdGuard also has a hosted option and you can just run it in a Docker container on a machine on the network.
I also have WireGuard setup on my Ubiquiti network so I often will be running my machines through that when remote which blocks ads for them too.
For other sites agreed, but a bank that can’t coexist with an adblocker you really have to ask yourself wtf said bank is doing.
Everything on that site should come from ad free reputable domains.
Also wouldn’t hurt if said bank tested their site with common browser configurations like ublock
I also use the OISD (https://oisd.nl) blocklist for DNS level blocking with NextDNS. OISD prioritizes functionality over blocking, which is exactly the way I like it for DNS level blocking. Never had to manually whitelist anything.
I live alone, though, which changes the equation somewhat.
really love this combo
On android brave browser
Firefox with Ublock Origin on my browser.
Youtube Premium family plan.
I tried pihole but it just caused way too many small hiccups that annoyed my family more.
Check out running dnsmasq with dnscrypt-proxy too.
Mobile: PiHole running in AWS. I VPN into it, with the VPN configured to only tunnel DNS lookups. Allows me to easily temporarily disable the PiHole by just disconnecting from the VPN. Gives me ad blocking in all apps.
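The "VPN that only tunnels DNS" trick in the post above comes down to one line of WireGuard config: AllowedIPs limited to the resolver's /32 instead of 0.0.0.0/0. Below is an added example for this page, not the poster's own setup; it assumes a hypothetical Pi-hole reachable inside the tunnel at 10.8.0.1, a client tunnel address of 10.8.0.2, and placeholder keys and endpoint. It prints the full-tunnel and DNS-only variants side by side and includes a small pre-flight check that classifies a config by what it routes.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Assumes a hypothetical Pi-hole
# at 10.8.0.1 inside the tunnel; keys and endpoint are placeholders.
set -eu

# Print a WireGuard client config. "full" sends all traffic through the tunnel;
# "dns-only" routes just the resolver's /32, so only DNS leaves via the VPN and
# taking the tunnel down instantly falls back to the carrier's resolver (= ad
# blocking off, which is exactly the quick toggle the post describes).
# Caveat: apps that speak DoH to their own resolver never touch 10.8.0.1 at all.
wg_client_conf() {
    resolver=$1
    scope=$2
    endpoint=$3
    case "$scope" in
        full)     allowed="0.0.0.0/0, ::/0" ;;
        dns-only) allowed="$resolver/32" ;;
        *) echo "scope must be 'full' or 'dns-only'" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
PrivateKey = <client private key, from: wg genkey>
Address = 10.8.0.2/32
DNS = $resolver

[Peer]
PublicKey = <server public key, from: wg pubkey>
Endpoint = $endpoint
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Classify a config on stdin by its AllowedIPs: "full" if a default route for
# either address family is present, "split" otherwise. Run it before
# `wg-quick up` to make sure a DNS-only profile was not accidentally saved as a
# full tunnel (or the other way round).
tunnel_scope() {
    awk -F'=' '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", a[i])
                if (a[i] == "0.0.0.0/0" || a[i] == "::/0") full = 1
            }
        }
        END { print (full ? "full" : "split") }'
}

# Example: write the DNS-only profile and confirm its scope.
# wg_client_conf 10.8.0.1 dns-only vpn.example.invalid:51820 > wg0.conf
# tunnel_scope < wg0.conf   # -> split
```

On the server side nothing changes between the two variants: the peer entry for this client still lists `AllowedIPs = 10.8.0.2/32`, and the Pi-hole just needs to listen on the tunnel interface. The `DNS =` line is what makes the client actually use the resolver; on Linux `wg-quick` applies it via resolvconf, while the mobile apps handle it natively.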
Firefox: uBlockOrigin, AdBlocker for YouTube, Adguard, Disconnect, DDG Privacy Essentials, Sponsor Block for YouTube, Unhook (Firefox is used very little, just because compared to Safari it is still sluggish on Mac)
On iPhone: tried NextDNS (and few more things) but result was such a mess that I stopped.
Qubes OS
Mullvad Browser
Tor Browser
OpenWRT router uplinks to [insert VPN provider] automatically
NewPipe
Kodi
BitTorrent
[1] https://stonegray.ca/dns/#performance
Edit: for the curious, I use Technitium as the server, nginx to proxy it (security stuff, prioritize traffic from my ZeroTier network, do DNS/DoT translation, etc.) and docker/letsencrypt/watchtower/netdata for auto-updating and status reporting, packaged as a single docker compose I can deploy easily.
One advantage of using only a script blocker rather than a proper ad blocker is that I don't shut off reasonable ads but only the ones that do shady stuff with a lot of computation and tracking on the client PC.
uMatrix has the advantage that it additionally blocks cookies by default, making the tracking even harder.
Pihole with the default ad list and additional ones to block some social media sites.
Then Pihole is configured to use Cloudflare 1.1.1.1 for families, and I use the adult+malware filter.
I’ve got WireGuard running on the pihole server to make this all available for mobile devices when out and about.
For the third one I found a very easy method and am now using Control-D DNS with free ad/tracker/malware blocking over the modern DoQ protocol. Got it running in less than 30 minutes. ControlD latency appears as fast as any free DNS I've tried (Quad9, OpenDNS for years, etc.), including my own ISP, so I am lucky location-wise.
I'll send you all my notes and guidance if you want. Email me at my throwaway xyzx
@
duck.com
At parents house they got one r-pi set as DNS 1, and 9.9.9.9 as DNS 2.
If you value your finances at all, you won't allow advertisers into the connection.
* Bug, or feature, many fail if the tracking is blocked, due to other code that assumes it's there or depends on it. They fail closed instead of fail open.
Banks and other financial institutions have a duty to prevent fraud and their malicious actors. Could they do better, yes. They still have a duty nonetheless.
Adblockers do more than just domain blocking, such as anti-fingerprinting, bot detection—which includes a lot of, sadly, invasive checks against the browser.
UBlock has annoyance lists, tracking lists, and others and others…
From what you’re telling me, you’re wanting a bank that’s protecting their clients or at least attempting to. Ooookay
Then i use Noscript in Firefox. I also have a VPN server setup whose DNS uses the same Pihole too.