Seven free blocking filters for ads
Ads Subtracted
DIY
If none of the presented software projects is suitable, you can build an ad filter yourself with manageable overhead. You don't have to reinvent the wheel, because the candidates presented reveal the concept: download blacklists and feed them to the DNS server.
One possible setup consists of a Raspberry Pi, which you connect directly to the rest of the network by cable, and the dnsmasq DNS server (Listing 1, line 1). A blacklist turns the DNS service into an advertising filter. To keep the conversion work low, I recommend using a blacklist that is already available in the appropriate format for dnsmasq (line 2).
Listing 1
Homemade Ad Blocker
01 $ sudo apt install dnsmasq
02 $ curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts >/tmp/blocklist.txt
03 $ cat <<EOF | sudo tee /etc/dnsmasq.d/adblock
04 addn-hosts=/tmp/blocklist.txt
05 EOF
06 $ sudo systemctl restart dnsmasq
07 $ sudo pkill -USR1 dnsmasq
Dnsmasq learns the content of the blacklist from an entry in its configuration (lines 3-5). The service then restarts (line 6) and begins its new role as an advertising filter.
A quick test in your browser shows whether the do-it-yourself design really filters ads from websites. Because dnsmasq on the Raspberry Pi can be reached over the network, a test client can enter the IP address of the Rasp Pi in its DNS settings. Websites you know well should then show less advertising.
For regular updates of the blacklist, just turn to the usual suspect: cron. Dnsmasq writes a usage report to the journal as soon as the process receives the USR1 signal (line 7).
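The cron-driven refresh mentioned above, as an added example that is not from the article: a POSIX shell script that downloads the same StevenBlack list, refuses it unless it parses as a hosts file with a plausible number of entries (so a truncated download or an HTML error page cannot silently empty the filter), installs it atomically, and sends dnsmasq SIGHUP, which makes it re-read its addn-hosts file (the USR1 signal in the listing only prints statistics). The blocklist path, the entry floor, and the --cron/--self-test arguments are assumptions.

```shell
#!/bin/sh
# Refresh the home-made dnsmasq ad filter's blacklist safely.
# Paths, the entry floor and the arguments are assumptions, not from the article.

BLOCKLIST_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
BLOCKLIST_FILE="${BLOCKLIST_FILE:-/var/lib/dnsmasq/blocklist.txt}"  # assumed: survives reboots, unlike /tmp
MIN_ENTRIES="${MIN_ENTRIES:-1000}"                                  # assumed sanity floor

# Print how many lines are blocking entries ("0.0.0.0 host" or "127.0.0.1 host").
count_host_entries() {
    grep -Ec '^(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+[A-Za-z0-9._-]+' "$1"
}

# Succeed only if every non-comment line is "<address> <hostname>..." and
# the file holds at least $2 blocking entries.
hosts_file_is_sane() {
    file=$1; floor=$2
    if grep -Ev '^[[:space:]]*(#|$)' "$file" \
       | grep -Evq '^[0-9A-Fa-f.:%]+[[:space:]]+[A-Za-z0-9._-]+([[:space:]]+[A-Za-z0-9._-]+)*[[:space:]]*(#.*)?$'; then
        return 1    # some line is neither a comment nor a hosts entry
    fi
    [ "$(count_host_entries "$file")" -ge "$floor" ]
}

# Download, validate, install atomically, reload. Keeps the old list on any failure.
refresh_blocklist() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --max-time 120 "$BLOCKLIST_URL" -o "$tmp"; then
        echo "blocklist: download failed, keeping current list" >&2; rm -f "$tmp"; return 1
    fi
    if ! hosts_file_is_sane "$tmp" "$MIN_ENTRIES"; then
        echo "blocklist: file is not a hosts list, keeping current list" >&2; rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$BLOCKLIST_FILE" && pkill -HUP dnsmasq   # SIGHUP re-reads addn-hosts
}

# Offline self-test on constructed input: a tiny valid list and an HTML error page.
self_test() {
    good=$(mktemp); bad=$(mktemp)
    printf '# constructed sample\n127.0.0.1 localhost\n0.0.0.0 ads.example\n0.0.0.0 tracker.example # note\n\n' > "$good"
    printf '<html><body>404 Not Found</body></html>\n' > "$bad"
    hosts_file_is_sane "$good" 2 && ! hosts_file_is_sane "$bad" 1 && [ "$(count_host_entries "$good")" -eq 3 ]
    rc=$?; rm -f "$good" "$bad"; return $rc
}

case "${1:-}" in
    --cron) refresh_blocklist ;;   # e.g. root crontab: 30 4 * * 0 /usr/local/sbin/refresh-blocklist --cron
    --self-test) self_test ;;
esac
```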
Optimized
The presented ad filters achieve a common goal, but each offering has its individual strengths and fits the bill for different target groups.
Pi-hole is suitable for large environments of clients with similar protection needs. AdGuard Home, on the other hand, is ideal for networks with differing protection requirements (e.g., a home network): it can give children a safe search feature and youth protection, guests an advertising filter, and your own PCs tracking protection.
NxFilter fits if you have complex policies and extensive category filters with a connection to a directory server. However, costs are incurred for this service from 25 users upward. pfBlockerNG is suitable if a pfSense firewall is already in use: In this case, reputation and GeoIP are added to the ad blocker, and no one can cheat their way past.
Adblock scores points if the available (router) hardware has too little memory for a "big" ad filter. On small networks with high protection requirements and a focus on anonymization, tracking, and youth protection, eBlocker plays to its strengths.
Limits
Website operators prefer to place their advertising in such a way that ad blockers do not recognize it, and the brand message gets through to the user. Regular advertising can still be hidden with up-to-date blacklists.
Stubborn advertisements that are in the encrypted data stream remain undetected (except by eBlocker). In this case, the ad filter would have to intervene in the data stream with TLS inspection and examine the content: Although possible, this operation is complex and not entirely harmless [9]. Advertising during YouTube videos thus remains an annoying five-second evil.
An experienced user can easily bypass a DNS-based ad blocker by specifying a different DNS server in their IP settings. In these cases, advertising filters on a firewall score points by preventing access to other DNS servers or redirecting such attempts to the desired advertising filter. In simple environments with residential gateway devices (e.g., FRITZ!Box) and Pi-hole, this countermeasure is not available.
The situation becomes tricky when the web browser tries to use a DNS server on the Internet for name resolution and encrypts its requests with DNS over HTTPS (DoH). In this case, the firewall cannot detect whether the client is surfing a web page or resolving a hostname.
The popular browsers recently started to support DoH, although the option is disabled by default. If you want the ad blocker to protect clients in the future, then make sure they do not use DoH. Ironically, many ad blockers support DoH, but only between the filter box and the DNS server, not between the filter box and the devices on the home network.
The logfile on the DNS server collects the domains called by network participants, as well as the IP addresses of the clients (i.e., personal data). This should set off privacy alarms, because storing and processing this data is subject to data protection laws. In addition to the option of disabling logging completely, Pi-hole can omit the domain, the client, or both in its logs [10]. AdGuard Home anonymizes at least the IP address, if so desired.