Adblock support thread


Hi, I'm the author of pixelserv-tls. Thanks to @neko for mentioning this tool.

I think "fake" and "hijack" are too strong words to describe pixelserv-tls. It's doing no more than you're faking and hijacking DNS records to begin with, regardless of redirecting to an IP or NXDOMAIN. In pixelserv-tls, all privacy is in control of users' hands. In fact, it also allows users to inspect what websites are sending them about you over an SSL connection.

On performance, my quick and dirty benchmark on pixelserv-tls vs NXDOMAIN shows a tie.



This is not strictly a legal or technical question, but rather an opinion question - "is it acceptable?" From my point of view it's not. A root CA cert in your system allows the controller of that cert to potentially impersonate and intercept any of your SSL/TLS traffic via MitM techniques. I don't want to get into self-signed certs and forcing users to load CAs on all their devices. Plus that is just a bit too far into a Man In The Middle scenario and I don't want that kind of access to people's devices. I'm very big on user privacy and no one should have unverified CA level access to clients.

But no worries, just my humble opinion.


DNS is unencrypted and provides no security guarantees. TLS on the other hand does.

If DNSSEC was all of a sudden enabled everywhere, a different approach than NXDOMAIN would be needed but that time has not (and probably never will) come.


What you're not seeing is that DNS sinkholing, aka returning NXDOMAIN for a legit webserver operating under the law, is a MitM. The certificate technique is a more elaborate MitM to pull off than a compromised DNS forwarder/resolver, which is a one-step process. These are not opinions, but facts.


"is it acceptable" is easy to answer. There are two senses in your question. Let me clarify.

Sense 1: Ad networks/trackers collect consumers'/end-users' privacy data and send the data over HTTPS to their servers. Is it acceptable? To me, it's definitely not.

Sense 2: A consumer/end-user uses a tool such as pixelserv-tls to inspect such transmission within his own devices and check what privacy data the ad networks/trackers are retrieving from him. It's perfectly acceptable. That's what I meant in the sentence you quoted.

The FUD here is in fact a technical question. Note that neither pixelserv-tls nor its integrator will ship a root CA certificate. Each end-user has to generate his own root CA certificate. So each root CA certificate is unique and solely owned by the end user. He then installs the root CA in his and/or his family's devices for adblock. There is no MiTM attack here unless he wants to attack his family who trusts him in the first place to let him install the root CA.

pixelserv-tls also works without a root CA certificate. HTTPS requests will simply be rejected.


DNS-based adblock strategy is getting more popular, and easier to install. It works so much better than a browser add-on. If its popularity gets to a tipping point, DNSSEC adoption may get a boost. I haven't looked into DNSSEC, so unsure if it can make DNS-based adblock irrelevant. My guess is it can. Then it'll be a big win for ad networks and trackers.


Hi Dave,

I have good news for you (and maybe others). In Firefox you can still clear those annoying DNS-related error messages from HTTPS sites. It's no longer permitted by internal plugins via the WebExtensions API, but you can still provide a little external CSS file to nuke those error messages ... :sunglasses:

/*
 * edit this file and copy it as userContent.css to
 * linux: ~/.mozilla/firefox/<profile dir>/chrome/
 * windows: %APPDATA%\Mozilla\Firefox\Profiles\<profile dir>\chrome
 */
@-moz-document url-prefix('about:neterror?e=dnsNotFound') {
    :root {
        --in-content-page-background: none !important;
    }
    body {
        display: none !important;
    }
}

Maybe this works also in Chrome but I do not use this browser.

Have fun!


Can someone advise how to block ads by subnets or VLANs? I need one VLAN (which has one subnet) to show ads.


Use a different DNS server per subnet. Same applies to simple-adblock ...


That is the weird part, I do give different DNS servers to that subnet via DHCP (option 6).

list dhcp_option '6,,'


config dhcp 'vlan10'
	option start '200'
	option leasetime '12h'
	option limit '20'
	option interface 'VLAN10'
	list dhcp_option '3,'
	list dhcp_option '6,,'


Thank you for sharing this, Dirk. I can confirm also that this little userContent.css tweak works great for Firefox.


"Heads up" for frequent YouTube users. On the Pi-hole forum I've found an interesting discussion regarding this new "API based" approach to block all ad-related subdomains under '' (see here). It's quite easy to integrate that as a new source in adblock, therefore here it is for testing ... :wink:

Would be nice to get feedback from YouTubers if that really helps with these in-video ads and others.

edit/warning: This API (details see here) is designed to find "all" forward DNS records (A records) for an organisation (i.e. ''). It's very likely blocking access to legitimate content and even this enabled blocklist requires application level filtering, too.

Thanks for testing!


I'm a daily YouTube user on both PC and a TV app, I've just introduced this script and confirm it works via a query to Adblock, however I still see ads on the web version of YouTube. On the TV I've not seen an ad for some time, it often does get stuck on a black loading screen though where there should be an ad which is mildly annoying.


Appreciate your testing efforts, so bottom line not really improved by this source. Thanks.


Hi @dibdot

As far as I know, some websites embed "fuckadblock.js" scripts in videos to bypass adblock. How can I block it?


Block the source (sub-)domain or (much better!) use a browser plugin like noscript.


Tks @dibdot, not a best choice but noscripts is a good way.


Have a question on the best way to allow some traffic.
So... What I have going on, is that I'm jobhunting, and on many websites there is a link to connect you using your LinkedIn account. What happens is, I see a popup page with a blank screen and the one single white pixel. And, no login with my LI account or no transfer of data about me.

So, I'm assuming it's a pixelserver handshaking kind of thing, or a way for a third party to get credit for the linking.. not sure. I have captured a few of the 800 character URLs, and they do vary in length, content, etc.

What's the needed level of detail here, if I was going to try to whitelist this, since they're all hugely long and vary from customer to customer? Hopefully there's some higher domains I can pull and whitelist, but there's a lot of non human readable stuff in there. Anyone deal with this successfully?


I'd be surprised if this site (reference check site by the fuckadblock author) detected Dirk's adblock.



Can someone help me to add some list from here to adblock?

I tried to add it like this, but it's not working.

config source 'ZTEST'
	option adb_src ''
	option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
	option adb_src_desc 'broad blocklist subdivided in different categories, daily updates, approx. 31.700 entries'
	option enabled '1'

Thanks for any help.
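
Added example, not part of the original post or of the adblock project: a quick way to check whether an `adb_src_rset` rule fits the layout of a list is to run the same awk expression over a few lines by hand. The sample lines below are constructed, and the function names are hypothetical. The rule is the one from the post, with `\$1` written as `$1` because it is single-quoted here.

```shell
#!/bin/sh
# Rule copied from the post; "\$1" in the UCI file is shell escaping for awk's $1.
RSET='/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($1)}'

# Run the rule over stdin and print the domains it extracts.
rset_extract() {
    awk "$RSET"
}

# Constructed samples of three common blocklist layouts (not real feeds).
plain_list() {
    printf '%s\n' '# plain domain list' 'Ads.Example.com' 'tracker.example.net # note'
}
hosts_list() {
    printf '%s\n' '# hosts file' '0.0.0.0 ads.example.com' '127.0.0.1 tracker.example.net'
}
abp_list() {
    printf '%s\n' '! Adblock Plus syntax' '||ads.example.com^' '||tracker.example.net^'
}

# Count how many domains the rule extracts from the named sample.
count_hits() {
    "$1" | rset_extract | wc -l | tr -d ' '
}

for fmt in plain_list hosts_list abp_list; do
    echo "$fmt: $(count_hits "$fmt") domains extracted"
done
```

This rule only accepts lines that start with the domain itself, so a list in hosts or Adblock Plus layout yields zero entries with it.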