What is your preferred Ad Blocking Strategy?

There are different approaches to ad blocking available:

  1. You could implement network-wide ad blocking in OpenWRT using one of the available packages:

https://openwrt.org/docs/guide-user/services/ad-blocking

  2. You could install Pi-hole on a Raspberry Pi connected to your network:
  3. You install one of the available browser extensions directly in Chrome or Firefox on the different hosts of your network, for instance uBlock Origin:

What is your preferred approach in this regard?

Do you combine those ad blocking methods?

Why would you implement the additional administrative overhead of a Pi-hole in your network if you could install an ad blocking package directly in OpenWRT?

I am looking forward to your ideas and opinions!

1 Like

Personally, I do 1) using the adblock package. I am a bit uneasy about essentially outsourcing the decision what to drop to 3rd parties, but adblock allows custom allow and deny lists and can be quickly suspended for testing/debugging.
I do not claim this is optimal, but it certainly is 'good enough' for my network...

3 Likes

An option is missing in the wiki -- https-dns-proxy with the adblocking (either customizable, or preset, like family filter) DoH resolver. Very lightweight option which will work well on even resource-strained routers.

PS. There was a topic of differences between adblocking packages for OpenWrt, you may want to locate it and read up.

3 Likes

Are you referring to this guide?

https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

1 Like

No, I meant that the fact that https-dns-proxy is a viable ad-blocking option is missing from the page which describes the ad-blocking options for OpenWrt. :wink:

You mean the Wiki documentation is incomplete?

https://openwrt.org/docs/guide-user/services/ad-blocking

I run an Adguard Home instance on Oracle Cloud free tier and use that with DNS-over-http proxy. It's quite fast and I can use it on my phone when I'm on mobile data without security concerns.

2 Likes

Yes. Come to think of it, the AGH is available as a package for OpenWrt, it should be included in the list as well.

1 Like

You could run pihole in a Linux container on your router.

If your hardware is powerful enough. Are there any real advantages of using Pi-hole?

Does not take much

Blocky

Currently working out if this could be built as an OpenWrt package

1 Like

Nextdns.io and it also works outside your home network.

2 Likes

Thank you, forgot about that!

So the following are available as packages for OpenWrt which can be used for ad-blocking as well:

  1. AdGuardHome
  2. https-dns-proxy (when configured with the blocking DoH resolver, one of such resolvers would actually be NextDNS)
  3. NextDNS
1 Like

PiHole on a 1GB pi4 ... the default blocklist doesn't handle admiral, but I found a list which handles it well, - I added a local list for the few times admiral shows up. I immediately look at pihole's dns query via its web interface to see what was allowed. It's actually pretty easy to spot their queries; when I find one, I add it to my local list, restart pihole. Done.

That local list has maybe 6 entries after 3mos of dealing with A.

1 Like

Let's say you are setting up DoH with Dnsmasq and https-dns-proxy on your router:

https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy

If you then choose NextDNS as your DNS resolver, will it effectively block all advertising / malware / trackers?

Or what are the most effective DNS resolvers in this regard?

Wouldn't that make the separate Adblocker package redundant or can you operate DoH and Adblocker together?

Because that would be kind of a great solution: DNS over HTTPS protection + Advertising / Malware / Tracker blocking at the same time...

Might keep in mind the amount of processing power needed to do just that - in addition to that needed to move packets. Most routers are designed to have just enough cpu for their basic job.

I mention this as I'm seeing more posts from people getting faster wans, running sqm, and not seeing their expected data rates.

1 Like

@Mpilon There is an interesting discussion in this regard:

Mmmh, now I admit that this is a subjective policy question each network needs to decide individually. Yet I wonder how wise it is to put all one's eggs into a single basket? That requires even more trust...
Sidenote, nextdns writes that in the free tier you have 300000 DNS queries per month after which:

When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service.

No complaints about them trying to earn some money with their service, just something to keep in mind when trying to use them as one stop solution for DoH and filtering, to not end up in a situation where one believes filtering to be still functional when it is not.

Using turrisOS (an OpenWrt derivative initially started as a research project by the Czech registrar nic.cz, that also develops the knot resolver) I simply run my own caching resolver (with DNSSEC) to avoid silly DNS filtering by my ISP (who participates in the 'vigilant' Clearingstelle Urheberrecht im Internet), but I do not require/desire encrypted DNS. As I wrote above, I use adblock locally on my router, and so keep easy control over whether I agree with blocking or not, at least for URLs I actively try to access. This is neither objectively better, nor worse than the proposed alternative solutions, it just happens to be what I ended up doing...

2 Likes
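
The failure mode raised in the post above (a filtering resolver that silently falls back to plain, non-blocking answers) can be watched for with a canary lookup. This is an added example, not part of the original thread: the `CANARY`, `CONTROL` and `RESOLVER` variables, the function names and the canary domain are assumptions, and `resolve` assumes the `Name:` / `Address:` output layout of current BusyBox and BIND `nslookup`.

```shell
#!/bin/sh
# Added example: canary check that DNS-level blocking is still active.
# Assumptions: CANARY is a name your own blocklist denies (placeholder below),
# CONTROL is a name that must always resolve, RESOLVER is the router's DNS.
CANARY="${CANARY:-canary.blocked.example}"
CONTROL="${CONTROL:-openwrt.org}"
RESOLVER="${RESOLVER:-127.0.0.1}"

# Print answer addresses for a name, one per line (nothing on NXDOMAIN).
# Only "Address" lines after the first "Name:" line are answers; the lines
# before it describe the resolver itself.
resolve() {
    nslookup "$1" "$RESOLVER" 2>/dev/null |
        awk '/^Name:/ {seen = 1} seen && /^Address/ {print $NF}'
}

# "blocked" if there is no address or only null addresses, else "resolved".
classify() {
    if [ -z "$1" ]; then echo blocked; return; fi
    for addr in $1; do
        case "$addr" in
            0.0.0.0|::) ;;                 # null answers used by blockers
            *) echo resolved; return ;;
        esac
    done
    echo blocked
}

# Verdict from the canary's and the control's addresses.
verdict() {
    if [ "$(classify "$2")" != resolved ]; then
        echo INCONCLUSIVE                  # resolver down: proves nothing
    elif [ "$(classify "$1")" = blocked ]; then
        echo FILTERING_ACTIVE
    else
        echo FILTERING_OFF                 # canary got a real address
    fi
}

check_filtering() {
    verdict "$(resolve "$CANARY")" "$(resolve "$CONTROL")"
}

# Run the live check only when invoked as: sh script.sh run
if [ "${1:-}" = run ]; then check_filtering; fi
```

Scheduled from cron on the router, any result other than `FILTERING_ACTIVE` is the signal to look at the resolver before assuming blocking still works.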

Maybe SmartDNS should also be included; it supports secure DNS and adblocking, although in a rudimentary form.

1 Like