The best way to put "adv blocker" on the router for the network?

hello

I was wondering about what could be the best method to block the most "badware" domains on a network?

I tried domain blocking via router itself, but lists are so long and heavy, dnsmasq crash..

the second way I have found is to change DNS resolution from ISP to dnsforge.de, as a community dns blocklist for the network

the main idea is to block domains that are adv/malware/etc source of, to permit to device that can't use adblocks on browser, to stay a bit safer than behind a classic internet connection.

I guess openwrt is partly used for that.. what would you recommend to new owrt users to be the most efficient adblocking ?

thank you

Normal OpenWrt packages...
adblock or adblock-fast, and their LuCI interfaces.

In addition to what @hnyman mentioned, you could also try using AdguardHome with blocklists. That's the solution I use at home to block unwanted ads and all kinds of malware.

AGH is a lot heavier on the router's resources than adblock or adblock fast - and more complex to configure. It's not a good first suggestion for someone hoping for an entry into adblocking, but more for those who specifically want AGH and its special features.

I wonder why you and @hnyman are omitting adblock-lean from your recommendation, especially in the context of a device which is apparently memory-constrained.

Exclusively talking for me personally, only for one simple reason:

# apk search adblock | grep -v i18n
adblock-4.5.2-r3
adblock-fast-1.2.2-r10
badblocks-1.47.3-r1
luci-app-adblock-4.5.2-r3
luci-app-adblock-fast-1.2.2-r10

Having a package in the repositories is important to me (and I despise what's essentially wget -qO- http:// | sh -), I do build from source (with INCLUDE_CONFIG && kmod-ikconfig, but that would hold true to using the online imagebuilder as well) and want to have everything (for all of my devices, currently spanning over 9 different targets[0]) to be in the image I'm building, config pre-patched to my desires. I really want this for two reasons, having the image ready to go - and for purposes of debugging/ bisecting (/etc/build.* gives me all the details I need to know), having a known state of package in the image. One welcome side effect of this is being able to audit for changes/ corruption, be it checking the overlay for changes to /usr/(and friends) or things like e.g. debsums -as on Debian (I have noticed faulty RAM that way already, I use that regularly). Alpine's apk package manager offers something like this via apk audit as well.

As long as adblock-lean isn't officially part of the packages feed, properly packaged (so not automatically self-updating by default), I can't/ won't recommend it (for the reasons above) - it simply doesn't exist (to me).

If I really wanted adblock-lean specifically, I would do the packaging myself (regardless of the question of if I'd go the whole nine yards and file a PR to the packages feed introducing it or take the lazy way out and only pushing it to my personal feed), but in this case I'm lazy - adblock does what I need from it most, so I don't need to look much further.

I make no distinction between adblock and adblock-fast here, both are in the official feeds, both are actively maintained - both should do the primary job, the rest is up to personal preference/ requirements. But what isn't in the feeds just isn't a viable option to me (again, if I really wanted a particular software, I would package it myself).

--
[0] I go through quite some lengths to make sure that the build contents of the images for my devices are synced up, as identical as possible. Custom meta-packages adapting to their flash size/ capabilities, seed configs split into common and target specific snippets, always building for all of my targets in the same go - so I have those versions at my disposal, now and for later debugging.

Understandable. I'm not here to persuade you otherwise but for others reading this, I'd like to add some context.

Security/trustworthiness: Having a package in the OpenWrt repository nominally means that the code was reviewed, which is an advantage from the security/trust point of view. Although in practice (to my knowledge, please correct me if I'm wrong) only at initial package submission there is any sort of actual code review, and at subsequent updates (which eventually come to dominate the code base) this becomes a matter of trust between the users and the developer/maintainer because actual code updates are not regularly reviewed by anybody besides them. So as a matter of fact, availability of an official package mostly means that someone with commit rights for the official packages repository deemed the developer trustworthy enough at the time of the initial package submission. So this boils down to developer reputation in the community. Arguably maintaining multiple long-running independent open-source projects with thousands of users and an active forum thread, and contributing to other established projects, including to OpenWrt itself, may be deemed equivalent.

Compatibility: a package in the repo is versioned and each version is typically tested and officially compatible with exactly one OpenWrt release. This means that the developer doesn't need to test the package against every possible OpenWrt version, so it's easier to maintain the code base and utilize new features. On the flip side, this also means that the user has to either continually update their system every time a new OpenWrt release drops, or stay behind with older package versions which may be or become buggy, which is especially relevant to projects which depend on external resources (such as 'feeds' for an adblocker). From this standpoint, running a project which is not in the repo has the advantage of making regular application updates available to users who do not want or can not upgrade their OpenWrt version regularly. This does put somewhat of a strain and a responsibility on the developer to test against multiple OpenWrt versions. adblock-lean, for this matter, works fine with every OpenWrt version starting from 23.05 and up, including the current 25.10. We achieve this by making the code flexible and minimizing assumptions about the built-in OpenWrt facilities.

It is essentially that but I think our distribution method is not as bad as simply downloading code from some link and then just using that. In a nutshell, the installer which the user manually downloads then uses the Github API to fetch the actual distribution archive (which includes code snapshot + installer snapshot), and then calls the installer from the archive. That second installer then actually installs the application. It's not completely impossible to get corrupted code this way, but very unlikely considering that the code is distributed in a .tar.gz archive and typically when such archive is corrupted, corruption will trigger an error during the extraction, which we check for and handle.

adblock-lean does not self-update completely automatically. It's up to the user to issue the command service adblock-lean update at the time when they want to update.

Anyway, I don't have an expectation that you (or anybody else) recommend adblock-lean. I was genuinely curious about your reasoning. We're obviously not making any money with this project, but we did invest a lot of time in development, so the only reward is knowing that people are using the project and enjoying it. Having someone make a recommendation which specifically omits it does hurt a bit, but your reasoning is understandable.

For people reading this, I also want to mention a few other advantages of adblock-lean which IMO matter. adblock-lean's code base consists (by my very rough estimate) of about 50%-60% error checking and reporting code, and then the rest is functionality implementation. Just the main error reporting function reg_failure is called 198 times (in my local development version). So while we are intentionally limiting the feature set to what we think is essential for an adblocker, the code base is very robust, so the users have to deal with very few bugs and we (the maintainers) have to deal with very few support requests. Also adblock-lean gives the users complete runtime feedback in a human-readable and friendly way, so the user doesn't need to guess whether it's working properly or not, as every important thing is printed. adblock-lean was designed to be very user-friendly despite having no luci interface (at least for now). Everything that can be automated is automated, including the setup procedure which supports simple setups and complex setups with multiple dnsmasq instances alike. So getting adblock-lean going is literally a matter of seconds from installer download to having functioning network-wide adblocking tuned for the specific system, and the user needs absolutely no domain knowledge or expertise. And finally, adblock-lean was designed to be as efficient as possible in respect of memory use, while being as fast as possible. So it is truly consuming significantly less memory than other solutions during the processing stage, which essentially means making larger lists available to systems with less RAM.

I just mentioned those two generally available adblock packages, from OpenWrt package repos, with LuCI support, that I know to be frequently developed/updated. Packages from external repos are more difficult for newcomers, especially when it come to later sysupgrades (with attendedsysupgrade etc.)

How many entries in your blocklist(s) ? I have about 100k, directly fed into dnsmasq, and no crashes. And minimum flash/RAM footprint , because used on 32MB RAM openwrt device.