Security aspect of adblocking on router or network level

Good day everyone,

I'd like to hear your opinions about DNS adblocking on router/network level.

At the moment I am using OpenWRT's adblock-fast, with the standard blocking lists activated on my main router.

The question that always drives me is:
A maliciously crafted blocking list (for example supplied by a cracked blocklist hosting server) could do harm to the "brain" of the network and as such would infiltrate a centralized system that is running as root, as OpenWRT does.

Wouldn't it be better or more secure to have something like, for example, PiHole as a dedicated blocking instance?
If this system got infiltrated (for example via a malicious blocklist) it of course could do harm to your DNS redirections or maybe your network at some point, but as it is not directly on the system with the complete data throughput, it could be less "bad".

Happy to hear your opinions on this one.

Greetings.

Tell your router not to use the local DNS as upstream DNS?

If the adblocker and the DNS backend are implemented sensibly, a malicious blocklist should not be able to execute commands. So the damage should be limited to DNS resolution. So this would be equivalent to a malicious list loaded by any other DNS resolver, like pihole.

That said, having someone change which addresses domains are resolved to could lead to more severe issues, such as data theft or infection of vulnerable systems. So this would be a dangerous situation, regardless of whether the resolver is on the router or pihole.

The extent of the damage can be mitigated by the adblocker if it implements sanitization of the fetched lists. I do not know whether adblock-fast performs such sanitization, but adblock-lean (I'm a contributor to that project) does. adblock-lean supports 3 formats: raw domains, dnsmasq format and hosts format. Lists in dnsmasq and hosts format are converted into raw-domains format. All entries in all lists are checked for invalid characters (which could allow tinkering with DNS resolution), so only valid domains are allowed. If such an invalid character is detected, adblock-lean rejects the list. Then the sanitized entries are converted into dnsmasq format in a way that basically tells dnsmasq to block all included domains. The bottom line is that this whole process pretty much guarantees that the maximum damage a compromised list can do is making some domains unavailable - malicious redirection should not be possible.

Hope this helps.

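To make the normalise-validate-convert process described in the reply above concrete, here is an added illustration in POSIX shell. It is not adblock-lean's own code; it assumes the caller knows each list file's format (raw, hosts or dnsmasq) and that dnsmasq is the resolver consuming the output.

```shell
#!/bin/sh
# Added illustration (not adblock-lean's own code) of the sanitize-then-convert
# pipeline described above. Assumes the caller knows each list file's format.

# Unwrap one list format to bare domains, stdin -> stdout.
# hosts:   "0.0.0.0 ads.example.com"          -> ads.example.com
# dnsmasq: "address=/ads.example.com/1.2.3.4" -> ads.example.com (the address
#          is discarded, so a redirect hidden in the list is neutralised)
# Lines matching no known syntax pass through unchanged and fail validation.
unwrap_entries() {
    case "$1" in
        raw)     cat ;;
        hosts)   awk 'NF >= 2 { print $2 }' ;;
        dnsmasq) sed -e 's#^local=/\([^/]*\)/.*$#\1#' \
                     -e 's#^address=/\([^/]*\)/.*$#\1#' \
                     -e 's#^server=/\([^/]*\)/.*$#\1#' ;;
    esac
}

# Step 1: normalise a list file to one raw domain per line
# (CR line endings, comments, surrounding whitespace and blank lines removed).
normalize_list() {
    case "$1" in raw|hosts|dnsmasq) ;; *) return 1 ;; esac
    tr -d '\r' < "$2" \
      | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      | unwrap_entries "$1" \
      | sed '/^$/d'
}

# Step 2: the whole list is rejected if any entry holds a character that cannot
# occur in a domain name. '/', '=', '#', whitespace etc. are exactly what would
# let an entry break out of the dnsmasq directive emitted in step 3.
validate_domains() {
    ! grep -qv '^[A-Za-z0-9_.-]\{1,\}$'
}

# Step 3: one "local=/domain/" directive per entry. dnsmasq answers NXDOMAIN for
# the domain and all its subdomains; the syntax leaves no place for an address.
to_dnsmasq() {
    sed 's#.*#local=/&/#'
}

# Sanitize one list: print dnsmasq config on success; on any problem print
# nothing and return 1 so the caller keeps its previous config (an empty list
# is treated as a failure too).
sanitize_list() {
    entries=$(normalize_list "$1" "$2") || return 1
    printf '%s\n' "$entries" | validate_domains || return 1
    printf '%s\n' "$entries" | to_dnsmasq
}
```

Run as `sanitize_list hosts /tmp/list.txt > /tmp/dnsmasq.d/block.conf` and check the exit status before reloading dnsmasq; a list that fails validation leaves the previous configuration untouched.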

First of all, what you are saying is that all users using the ΧΥ list globally with any Adblock service are going to be "hacked". This would be great news, even greater than any "Cloudflare" downtime!

Second of all, even if that were possible, I remind you that this is the reason you get a very strong firewall by default with OpenWrt.

If there were any reason for such violability, there would not exist an option for integrated Adblock in a firmware like OpenWrt.

Thanks a lot for your reply!
Greetings.
