What is your preferred Ad Blocking Strategy?

You can select the block lists (basically a URL) you want to enable and it keeps them updated. So what you are actually blocking is partly out of your control, and you need to make use of the white-/blacklisting features to make it really work.

I'm not sure if I can add anything productive to the conversation, but I just configured my OpenWrt to use unbound as a full DNS resolver with DNSSEC, which is working fine even on my potato router. But as soon as I added adblock-fast to the mix the whole thing got unstable and I stopped tinkering. And as I am in the same situation that I would need to add another device like a RasPi to get DNS ad blocking, I decided it's not worth it for me atm. Although I think it might be possible with a beefier router and/or the other adblock packages on OpenWrt to have an all-in-one solution if you don't mind the initial configuration and whitelisting process. What Pi-hole would add to this at that point is only a nicer UI and stats to look at.

@boogieflicker How much RAM did you have on Mr. Potato's router?

@ler762 How exactly are you using Privoxy?

I'm not sure what you're asking, but I'm using Privoxy the normal way - installed as a service on each PC. That way the only thing that I break is my own browsing and the wife stays happy :slight_smile:

I grab a bunch of host files (which was the going overboard part), turn them into privoxy action files & de-duplicate. I haven't looked at this in ages, but
https://github.com/ler762/privoxy/blob/lee/contrib/make-unified.sh
should give you an idea.

https-inspection I'm still not quite comfortable with, but it is nice to occasionally re-visit the pre-Snowden days when everything was http://whatever and it was trivially easy to block or edit anything coming in from the web.

Isn't it easier (and faster) just to directly install a special hosts file, e.g. from mvps.org? Doing this on my Win 10 notebook.
BTW, I have used privoxy in the past, too, during the pre-Snowden days. But then I did a much faster proxy, for http-mod, configurable using jscript snippets, e.g. to remove banners, identified by their "fingerprints", like typical size. Or to replace them :slight_smile:

DNS blocking is useless. You need to use mitm to block ads.

I use OpenWrt's adblock on my router (which is DNS based) and it blocks > 90% of all ads.

Furthermore I use adblock plus as browser-extension which blocks most of the remaining.

Simple setup which works well.

2 Likes

I got 800 MHz and 256 MB RAM. The hosts were being blocked, but OpenWrt wasn't responding via ssh and loading a page took forever. I am running dnsmasq for local DNS and unbound as resolver in parallel. Unbound uses afaik more resources than dnsmasq already, so there might be better options than that.

There's no way. DNS blocking can't even block YouTube ads, because it can only block domains.

Correct, that is where the browser extension comes to the rescue.

2 Likes

My problem with host files is that you don't know what's going on. With privoxy you have a log of what is allowed and blocked, so it's easier to troubleshoot. And with windows I keep seeing tickets like
https://github.com/StevenBlack/hosts/issues/1642
about large host files slowing down or breaking windows. Even with absurdly large action files I've never seen that problem with privoxy.

With https-inspection you have to create and install a certificate in your browser and then it's back to clear-text days on the web. You can block javascript files, modify html or js, etc. just like when everything was http://something

You need to use mitm to block ads.

@Karmylr how do you install a certificate on your iPhone or smart TV so that you can do man-in-the-middle blocking of ads?

Blocking by DNS name doesn't block all ads but it's better than nothing.

1 Like

I know how to install a certificate on an iPhone, and it's quite easy.

OK, my hosts file has about 10k entries only. No obvious delay or problem with Windows 10.

No obvious delay or problem with Windows 10.

Good for you. Like I said - I go a bit overboard with blocking in privoxy, so for me it's more than 10x the lines:

$ grep -v '^#' 1hosts.action blocksites.action lightswitch-hosts.action pgl-hosts.action unified-hosts.action | wc -l
136206

Note that privoxy allows me to have a single line like
.online-metrix.net/
that blocks any domain ending with .online-metrix.net/ so I've got a lot of comments in the action files like

# already blocked: aa.online-metrix.net/
# already blocked: a-sac.aa.online-metrix.net/
# already blocked: d.aa.online-metrix.net/
# already blocked: e.aa.online-metrix.net/
# already blocked: citi.online-metrix.net/
# already blocked: h-online.citi.online-metrix.net/

If it was just a list of host names it'd be a lot closer to 800K lines.
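The "# already blocked" comments above come from checking each hosts-file entry against the broader action-file patterns. The script below is an added example written for this thread, not ler762's make-unified.sh or any Privoxy code: it implements a simplified version of Privoxy's domain-pattern rules (a leading dot lets the pattern match at the end of the host name, a trailing dot at the start, no dot means an exact host; per-label wildcards such as `*` are deliberately not handled) and reports which hosts are already covered, which still need a pattern, and which are duplicates. All action-file lines and hosts entries in it are constructed sample data.

```javascript
// Added example: find hosts-file entries already covered by a Privoxy-style
// pattern such as ".online-metrix.net/". Simplified pattern semantics (see
// lead-in); per-label wildcards (*, ?, []) are not supported here.

const range = (a, b) => Array.from({ length: b - a }, (_, i) => a + i);

// Parse one action-file line into a host pattern, or null for comments,
// blank lines and "{+action}" blocks. The path part after "/" is dropped.
function parseDomainPattern(line) {
  const trimmed = line.trim();
  if (trimmed === "" || trimmed.startsWith("#") || trimmed.startsWith("{")) return null;
  const hostPart = trimmed.split("/")[0].toLowerCase();
  if (hostPart === "") return null;
  const labels = hostPart.split(".").filter((l) => l !== "");
  if (labels.length === 0) return null;
  return {
    raw: trimmed,
    labels,
    anchoredStart: !hostPart.startsWith("."), // no leading dot: must match from the first label
    anchoredEnd: !hostPart.endsWith("."),     // no trailing dot: must match through the last label
  };
}

// Label-wise comparison, so ".online-metrix.net" matches "aa.online-metrix.net"
// but not "fakeonline-metrix.net".
function patternMatchesHost(pattern, host) {
  const hostLabels = host.toLowerCase().split(".").filter((l) => l !== "");
  const n = pattern.labels.length;
  if (n > hostLabels.length) return false;
  const starts = pattern.anchoredStart ? [0] : range(0, hostLabels.length - n + 1);
  for (const start of starts) {
    if (pattern.anchoredEnd && start + n !== hostLabels.length) continue;
    let ok = true;
    for (let i = 0; i < n; i++) {
      if (hostLabels[start + i] !== pattern.labels[i]) { ok = false; break; }
    }
    if (ok) return true;
  }
  return false;
}

// Classify hosts-file entries ("<address> <hostname>") against the patterns.
function classifyHosts(actionText, hostsText) {
  const patterns = actionText.split("\n").map(parseDomainPattern).filter(Boolean);
  const covered = [], needed = [], duplicates = [];
  const seen = new Set();
  for (const rawLine of hostsText.split("\n")) {
    const line = rawLine.replace(/#.*$/, "").trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    const host = (fields.length > 1 ? fields[1] : fields[0]).toLowerCase();
    if (host === "localhost" || host === "localhost.localdomain") continue;
    if (seen.has(host)) { duplicates.push(host); continue; }
    seen.add(host);
    const hit = patterns.find((p) => patternMatchesHost(p, host));
    if (hit) covered.push({ host, by: hit.raw }); else needed.push(host);
  }
  return { covered, needed, duplicates };
}

// Render the result in the same shape as the action-file comments above.
function renderActionAdditions(result) {
  const lines = [];
  for (const c of result.covered) lines.push(`# already blocked: ${c.host}/`);
  for (const h of result.needed) lines.push(`${h}/`);
  return lines.join("\n");
}

// Constructed sample data, not taken from any real block list.
const SAMPLE_ACTION = `
{+block{Ad/tracking hosts.}}
.online-metrix.net/
ads.example.com/
`;
const SAMPLE_HOSTS = `
0.0.0.0 aa.online-metrix.net
0.0.0.0 h-online.citi.online-metrix.net
0.0.0.0 fakeonline-metrix.net
0.0.0.0 ads.example.com
0.0.0.0 ads.example.com.au
0.0.0.0 aa.online-metrix.net   # duplicate entry
`;

const result = classifyHosts(SAMPLE_ACTION, SAMPLE_HOSTS);
console.log(renderActionAdditions(result));
console.log("duplicates:", result.duplicates);
```

Note that with label-based matching an exact pattern like `ads.example.com/` does not cover `ads.example.com.au`, which is the intended behaviour: a suffix pattern only collapses hosts that really sit under the listed domain.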

FYI, I use privoxy on the router, along with dnsmasq setting on the router:

dhcp-option=252,http://config.privoxy.org/wpad.dat

and a wpad.dat + proxy.pac in the router's /www dir. I implemented the wpad feature in privoxy. This way clients autoconfigure the proxy if they use DHCP with proxy auto-detection. Privoxy can not only filter ads, but also manipulate html/js, which is pretty cool.
You can change the fetched js code to bypass some fancy ad blocking scripts.
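For readers who have not written one, this is an added example of the kind of proxy.pac / wpad.dat content the dnsmasq option above points clients at; it is not Kong's file. It assumes the router is 192.168.1.1, Privoxy listens on its default port 8118, and the local DHCP domain is `lan`; the file would be served from the router's /www directory. It uses only plain string and regex operations (no `isInNet()` or `dnsDomainIs()` helpers), so the same function runs in a browser's PAC evaluator and under node.

```javascript
// Added example: a proxy auto-config (PAC) file that sends web traffic through
// Privoxy on the router and keeps LAN traffic direct. Assumed values below.
var PROXY_ENDPOINT = "PROXY 192.168.1.1:8118"; // router address + Privoxy default port (assumption)
var LOCAL_DOMAIN = ".lan";                      // OpenWrt's default local domain (assumption)

// RFC 1918 and loopback literals; parsed by hand so no DNS lookup is triggered
// (isInNet() resolves names before comparing, which leaks and slows things down).
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain names without a dot and the router's own domain stay direct.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.length > LOCAL_DOMAIN.length &&
      host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  // Privoxy handles http and https only; other schemes bypass it.
  if (!/^https?:/i.test(url)) return "DIRECT";
  // Fail-open: if Privoxy is down the browser falls back to a direct connection.
  return PROXY_ENDPOINT + "; DIRECT";
}
```

The trailing `; DIRECT` is a deliberate trade-off: it keeps the LAN browsing if Privoxy dies, but it also means the filtering silently disappears. If you want the proxy to be mandatory, drop the fallback and, as Kong says further down, block direct outbound web traffic in the router firewall so clients can only reach Privoxy.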

I do not consider privoxy to be the right tool for your use case. As a hobby, I did a customized DNS resolver, running on the OpenWrt router. Customized to do parental control, which is the same principle as ad-blocking. Blocklists in the range of 1 million domains, also of the type .anydomain.whatsoever, which then includes filtering of subdomains, of course. You can not imagine how many porn, gambling, violence etc. domains exist, inappropriate for minors :slight_smile: And the blocking/resolving was EITHER MAC-specific (first version), OR SSID-specific (second version, because easier to set up). Both versions applicable for your scenario. Of course, blocklists stored in a mem-res db. 256MB were sufficient. I consider this approach even superior to pi-hole, BTW. Then I checked here on the forum for public interest, which unfortunately was not so enthusiastic. So, I shut down the project. Anyway, you mastered privoxy, which needs some applause, first of all, because it was a steep learning curve. And it works for you, the most important.

If parental control is needed, then this is the right tool for the job:

I used it a few years ago on my R7800; you can't use all features on the older routers, but IPQ807x has the power for e2guardian. But I think the package is not supported right now in OpenWrt, and last time I used it I did a bunch of changes to the OpenWrt package.
E2guardian can even analyze images to detect porn etc.

@ler762 Are you able to create a historic log of all URLs and DNS requests of the respective host with Privoxy?

Privoxy does not log DNS requests. But dnsmasq does, and this is what I do: log DNS requests with dnsmasq and log URLs with privoxy to a USB drive. Of course you have to force clients to use the router's DNS and block requests to external DNS servers. If you don't trust your clients, then you have to block all traffic to the internet and only allow traffic to privoxy :slight_smile:

1 Like
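To show what the dnsmasq side of that history looks like once it has been logged, here is an added example, not Kong's setup, that parses `log-queries` output into a per-client record of names asked and whether the answer was a block-list sinkhole. The log lines are constructed samples in the usual `query[TYPE] name from client` / `reply name is address` layout, with blocked names answered from an assumed hosts file `/etc/adblock.hosts`; answers are correlated to the most recent unanswered query for the same name, since dnsmasq does not print the client on reply lines.

```javascript
// Added example: turn dnsmasq query logging into a per-client DNS history.
// Assumed line layout: "<date> <host> dnsmasq[pid]: query[TYPE] name from client"
// followed by "reply|config|<hostsfile> name is answer" lines.

const QUERY_RE = /dnsmasq\[\d+\]: query\[([A-Z0-9]+)\] (\S+) from (\S+)$/;
const ANSWER_RE = /dnsmasq\[\d+\]: (\S+) (\S+) is (\S+)$/;
const TIME_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d)/;
// Answers that mean "blocked" rather than a real address.
const SINKHOLES = new Set(["0.0.0.0", "::", "NXDOMAIN"]);

function parseDnsmasqLog(text) {
  const history = {};        // client -> records in log order
  const pending = new Map(); // name -> queries still waiting for their answer line
  for (const line of text.split("\n")) {
    let m = QUERY_RE.exec(line);
    if (m) {
      const t = TIME_RE.exec(line);
      const rec = { time: t ? t[1] : null, type: m[1], name: m[2].toLowerCase(),
                    client: m[3], source: null, answer: null, blocked: false };
      if (!history[rec.client]) history[rec.client] = [];
      history[rec.client].push(rec);
      if (!pending.has(rec.name)) pending.set(rec.name, []);
      pending.get(rec.name).push(rec);
      continue;
    }
    m = ANSWER_RE.exec(line);
    if (m) {
      // "forwarded name to server" lines do not match ANSWER_RE ("is" is absent).
      const queue = pending.get(m[2].toLowerCase());
      if (queue && queue.length) {
        const rec = queue.shift();
        rec.source = m[1];               // "reply", "config", or the hosts file path
        rec.answer = m[3];
        rec.blocked = SINKHOLES.has(m[3]);
      }
    }
  }
  return history;
}

// Per-client totals plus the distinct names seen, for a quick review.
function summarize(history) {
  const out = {};
  for (const client of Object.keys(history)) {
    const recs = history[client];
    out[client] = {
      queries: recs.length,
      blocked: recs.filter((r) => r.blocked).length,
      names: [...new Set(recs.map((r) => r.name))],
    };
  }
  return out;
}

// Constructed sample log (addresses from documentation ranges, not real hosts).
const SAMPLE_LOG = [
  "Jan  1 10:00:01 router dnsmasq[1234]: query[A] www.example.org from 192.168.1.20",
  "Jan  1 10:00:01 router dnsmasq[1234]: forwarded www.example.org to 9.9.9.9",
  "Jan  1 10:00:01 router dnsmasq[1234]: reply www.example.org is 203.0.113.10",
  "Jan  1 10:00:05 router dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20",
  "Jan  1 10:00:05 router dnsmasq[1234]: /etc/adblock.hosts ads.example.net is 0.0.0.0",
  "Jan  1 10:00:07 router dnsmasq[1234]: query[A] tv.example.com from 192.168.1.42",
  "Jan  1 10:00:07 router dnsmasq[1234]: reply tv.example.com is 198.51.100.7",
  "Jan  1 10:00:09 router dnsmasq[1234]: query[A] ads.example.net from 192.168.1.42",
  "Jan  1 10:00:09 router dnsmasq[1234]: /etc/adblock.hosts ads.example.net is 0.0.0.0",
].join("\n");

console.log(JSON.stringify(summarize(parseDnsmasqLog(SAMPLE_LOG)), null, 2));
```

The per-name queue is the weak spot of any parser for this format: two clients asking for the same name at the same moment cannot be told apart from the reply lines alone, so treat the blocked/answered verdict as best effort and the query lines, which do carry the client address, as the authoritative history.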

@Kong the problem is that my router does not have a USB drive, so all data is lost on reboot. How would you store historic data in this case for later analysis?