Adblock doesn't seem to work on wifi

I have installed Adblock on my TO using this excellent guide:

https://doc.turris.cz/doc/en/public/adblock

And the good news is that it seems to work great for my PC. When I turn off my adblocker in Firefox, ads are still blocked by the Turris.
I would expect the same behavior on my phone when connected to wifi. However, no ads get blocked on my phone. The same goes for my iPad when connected to wifi. If I turn off the built-in adblocker on either of those devices, I see ads again. Did I miss something in the Turris Omnia guide? How do I enable adblocking on all wifi traffic?

There’s only one DNS server on the router, and it will always block ads if you’ve set it up to do so. Are you sure those devices don’t use some other DNS server (e.g. 8.8.8.8)?

Your WiFi clients are probably using a non-local DNS server … to force all connected clients to use your local DNS, you can enable the force-local-DNS option in adblock (in LuCI => Services/Adblock => scroll down to “Extra Options”; it corresponds to adb_forcedns in /etc/config/adblock).

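And hit “Save & Apply” afterwards. This installs an additional firewall rule to redirect communication on port 53 (tcp/udp) to your local DNS instance (kresd). Note that this only catches plain DNS; a client or app that resolves names via DNS over TLS or DNS over HTTPS does not use port 53 and is not affected by this redirect.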

Tried it, but that box is already ticked. :frowning:

To be sure, I unticked it, ticked it again and rebooted the Turris. Still the same. I also made sure that I use my Turris’ own DNS server, and not an external one like 8.8.8.8.

Please post the output of …

/etc/init.d/adblock status

… and the content of /etc/config/resolver as well as the global section of /etc/config/adblock.

Thanks for your help so far!

Output:

/etc/init.d/adblock status

    root@turris:~# /etc/init.d/adblock status
    ::: adblock runtime information
    + adblock_status  : enabled
    + adblock_version : 3.5.1
    + overall_domains : 74635 (normal mode)
    + fetch_utility   : /usr/bin/wget (built-in)
    + dns_backend     : kresd (/etc/kresd)
    + last_rundate    : 05.03.2018 18:03:59
    + system_release  : Turris Omnia, OpenWrt omnia 15.05/3.9.5
/etc/config/resolver

    config resolver 'common'
        list interface '0.0.0.0'
        list interface '::0'
        option port '53'
        option keyfile '/etc/root.keys'
        option verbose '0'
        option msg_buffer_size '4096'
        option msg_cache_size '20M'
        option net_ipv6 '1'
        option net_ipv4 '1'
        option forward_upstream '1'
        option prefered_resolver 'kresd'
        option ignore_root_key '0'
        option prefetch 'yes'
        option static_domains '1'
        option dynamic_domains '0'

    config resolver 'kresd'
        option rundir '/tmp/kresd'
        option log_stderr '1'
        option log_stdout '1'
        option forks '1'
        list rpz_file '/etc/kresd/adb_list.overall'
        option keep_cache '1'

    config resolver 'unbound'
        option outgoing_range '60'
        option outgoing_num_tcp '1'
        option incoming_num_tcp '1'
        option msg_cache_slabs '1'
        option num_queries_per_thread '30'
        option rrset_cache_size '100K'
        option rrset_cache_slabs '1'
        option infra_cache_slabs '1'
        option infra_cache_numhosts '200'
        list access_control '0.0.0.0/0 allow'
        list access_control '::0/0 allow'
        option pidfile '/var/run/unbound.pid'
        option root_hints '/etc/unbound/named.cache'
        option target_fetch_policy '2 1 0 0 0'
        option harden_short_bufsize 'yes'
        option harden_large_queries 'yes'
        option qname_minimisation 'yes'
        option harden_below_nxdomain 'yes'
        option key_cache_size '100k'
        option key_cache_slabs '1'
        option neg_cache_size '10k'
        option prefetch_key 'yes'

    config resolver 'unbound_remote_control'
        option control_enable 'yes'
        option control_use_cert 'no'
        list control_interface '127.0.0.1'

/etc/config/adblock

config adblock 'global'
        option adb_enabled '1'
        option adb_dns 'kresd'
        option adb_fetchutil 'wget'
        option adb_trigger 'timed'

config adblock 'extra'
        option adb_forcesrt '0'
        option adb_backup '0'
        option adb_maxqueue '16'
        option adb_debug '0'
        option adb_forcedns '1'

config source 'adaway'
        option adb_src 'https://adaway.org/hosts.txt'
        option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'focus on mobile ads, infrequent updates, approx.   400 entries'
        option enabled '1'

config source 'adguard'
        option adb_src 'https://filters.adtidy.org/windows/filters/15.txt'
        option adb_src_rset 'BEGIN{FS=\"[/|^|\r]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([\/\^\r]|$)/{print tolower(\$3)}'
        option adb_src_desc 'combined adguard dns filter list, frequent         updates, approx. 17.000 entries'
        option enabled '1'

config source 'bitcoin'
        option adb_src 'https://raw.githubusercontent.com/hoshsadiq/adblock-    nocoin-list/master/hosts.txt'
        option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'focus on malicious bitcoin mining sites,           infrequent updates, approx. 80 entries'
        option enabled '0'

config source 'blacklist'
        option adb_src '/etc/adblock/adblock.blacklist'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'static local domain blacklist, always deny these   domains'
        option enabled '1'

config source 'disconnect'
        option adb_src 'https://s3.amazonaws.com/lists.disconnect.me/           simple_malvertising.txt'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'mozilla driven blocklist, numerous updates on the  same day, approx. 4.700 entries'
        option enabled '1'

config source 'dshield'
        option adb_src 'https://www.dshield.org/feeds/suspiciousdomains_Low.txt'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'generic blocklist, daily updates, approx. 3.500    entries'
        option enabled '0'

config source 'feodo'
        option adb_src 'https://feodotracker.abuse.ch/blocklist/?               download=domainblocklist'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'focus on feodo botnet, daily updates, approx. 0-10 entries'
        option enabled '0'

config source 'hphosts'
        option adb_src 'https://hosts-file.net/ad_servers.txt'
        option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|\$)+/{print tolower(\$2)}'
        option adb_src_desc 'broad blocklist, monthly updates, approx. 19.200   entries'
        option enabled '0'

config source 'malware'
        option adb_src 'https://mirror.espoch.edu.ec/malwaredomains/justdomains'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'broad blocklist, daily updates, approx. 18.300     entries'
        option enabled '1'

config source 'malwarelist'
        option adb_src 'http://www.malwaredomainlist.com/hostslist/hosts.txt'
        option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'focus on malware, daily updates, approx. 1.200     entries'
        option enabled '0'

config source 'openphish'
        option adb_src 'https://openphish.com/feed.txt'
        option adb_src_rset 'BEGIN{FS=\"/\"}/^http[s]?:\/\/([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+(\/|$)/{print tolower(\$3)}'
        option adb_src_desc 'focus on phishing, numerous updates on the same    day, approx. 2.400 entries'
        option enabled '0'

config source 'ransomware'
        option adb_src 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.  txt'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'focus on ransomware, numerous updates on the same  day, approx. 1900 entries'
        option enabled '0'

config source 'reg_cn'
        option adb_src 'https://easylist-downloads.adblockplus.org/             easylistchina+easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
        option adb_src_desc 'focus on chinese ads plus generic easylist         additions, daily updates, approx. 11.700 entries'
        option enabled '0'

config source 'reg_cz'
        option adb_src 'https://raw.githubusercontent.com/qxstyles/turris-hole- czech-block-list/master/turris-hole-czech-block-list'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:    space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'focus on czech ads maintained by Turris Omnia      Users, infrequent updates, approx. 100 entries'
        option enabled '0'

config source 'reg_de'
        option adb_src 'https://easylist-downloads.adblockplus.org/             easylistgermany+easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
        option adb_src_desc 'focus on german ads plus generic easylist          additions, daily updates, approx. 9.200 entries'
        option enabled '0'

config source 'reg_id'
        option adb_src 'https://easylist-downloads.adblockplus.org/abpindo+     easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
        option adb_src_desc 'focus on indonesian ads plus generic easylist      additions, weekly updates, approx. 9.600 entries'
        option enabled '0'

config source 'reg_nl'
        option adb_src 'https://easylist-downloads.adblockplus.org/             easylistdutch+easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
        option adb_src_desc 'focus on dutch ads plus generic easylist           additions, weekly updates, approx. 9.400 entries'
        option enabled '0'

config source 'reg_pl'
        option adb_src 'http://adblocklist.org/adblock-pxf-polish.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")?$/{print tolower(\$3)}'
        option adb_src_desc 'focus on polish ads, daily updates, approx. 90     entries'
        option enabled '0'

config source 'reg_ro'
        option adb_src 'https://easylist-downloads.adblockplus.org/rolist+easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")? $/{print tolower(\$3)}'
        option adb_src_desc 'focus on romanian ads plus generic easylist additions, weekly updates, approx. 9.400    entries'
        option enabled '0'

config source 'reg_ru'
        option adb_src 'https://easylist-downloads.adblockplus.org/ruadlist+easylist.txt'
        option adb_src_rset 'BEGIN{FS=\"[|^]\"}/^\|\|([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+\^("\\\$third-party")? $/{print tolower(\$3)}'
        option adb_src_desc 'focus on russian ads plus generic easylist additions, weekly updates, approx. 14.500    entries'
        option enabled '0'

config source 'shalla'
        option adb_src 'http://www.shallalist.de/Downloads/shallalist.tar.gz'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'broad blocklist subdivided in different categories, daily updates, approx. 31.700       entries'
        list adb_src_cat 'adv'
        list adb_src_cat 'costtraps'
        list adb_src_cat 'spyware'
        list adb_src_cat 'tracker'
        list adb_src_cat 'warez'
        option enabled '0'

config source 'spam404'
        option adb_src 'https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)+/{print tolower(\$1)}'
        option adb_src_desc 'generic blocklist, infrequent updates, approx. 6.000 entries'
        option enabled '0'

config source 'sysctl'
        option adb_src 'http://sysctl.org/cameleon/hosts'
        option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/     {print tolower(\$2)}'
        option adb_src_desc 'broad blocklist, weekly updates, approx. 16.500 entries'
        option enabled '0'

config source 'whocares'
        option adb_src 'http://someonewhocares.org/hosts/hosts'
        option adb_src_rset '/^127\.0\.0\.1[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/     {print tolower(\$2)}'
        option adb_src_desc 'broad blocklist, weekly updates, approx. 10.000 entries'
        option enabled '0'

config source 'winspy'
        option adb_src 'https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.   txt'
        option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'focus on windows spy & telemetry domains, infrequent updates, approx. 300 entries'
        option enabled '0'

config source 'winhelp'
        option adb_src 'http://winhelp2002.mvps.org/hosts.txt'
        option adb_src_rset '/^0\.0\.0\.0[[:space:]]+([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'broad blocklist, infrequent updates, approx. 13.000 entries'
        option enabled '0'

config source 'yoyo'
        option adb_src 'https://pgl.yoyo.org/adservers/serverlist.php?                                               hostformat=nohtml&showintro=0&mimetype=plaintext'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'focus on ad related domains, weekly updates, approx. 2.400 entries'
        option enabled '1'

config source 'zeus'
        option adb_src 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist'
        option adb_src_rset '/^([^([:space:]|#|\*|\/).]+\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}'
        option adb_src_desc 'focus on zeus botnet, daily updates, approx. 400 entries'
        option enabled '0'

config source 'stevenblack'
        option enabled '1'
        option adb_src 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
        option adb_src_rset '\$0~/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.){1,}[[:alpha:]]+([[:space:]]|$)/{print    tolower(\$2)}'
        option adb_src_desc 'unified blocklist, daily updates, approx. 32.000 entries'

Thanks, your config looks quite normal & adblock seems to be OK.
On your router you can further check the response for a typical ad domain.

with nslookup:

    root@turris:/etc/config$ nslookup doubleclick.net
    nslookup: can't resolve '(null)': Name does not resolve

    nslookup: can't resolve 'doubleclick.net': Name does not resolve

with dig:

    root@turris:/etc/config$ dig doubleclick.com

    ; <<>> DiG 9.11.2-P1 <<>> doubleclick.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55580
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;doubleclick.com.		IN	A

    ;; AUTHORITY SECTION:
    blocked.		900	IN	SOA	blocked. nobody.invalid. 0 3600 900 604800 900

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Mar 05 21:22:15 CET 2018
    ;; MSG SIZE  rcvd: 101

Repeat this check on your clients; you should always receive the same answer from your local DNS, e.g.:

    dirk@x250:~$ dig doubleclick.com

    ; <<>> DiG 9.11.2-P1-1-Debian <<>> doubleclick.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61763
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;doubleclick.com.		IN	A

    ;; AUTHORITY SECTION:
    blocked.		900	IN	SOA	blocked. nobody.invalid. 0 3600 900 604800 900

    ;; Query time: 3 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Mon Mar 05 21:25:00 CET 2018
    ;; MSG SIZE  rcvd: 101

Tried it again, seems to work now. I didn’t change anything except rebooting the router. However, one app was still showing ads, oddly enough. Using Adguard on my iPhone with a DNS log, I could see several domains that apparently weren’t blocked by the default lists. I had to manually add www.facebook.com to the blacklist through LuCI to nuke all ads. If that’s not a good reason to stop using that site I don’t know what is. Thanks for the help!


Glad that it works for you! :wink:
To effectively block facebook add the following domains to your blacklist:

    facebook.com
    facebook.net
    fbcdn.com
    fbcdn.net
    fbsbx.com
    fb.me
    fb.com

That won’t block Facebook - You need to add all the domains or ASN and known IP ranges

Nope, these Facebook toplevel domains in your blacklist include all sublevel domains … to block additional fb services like WhatsApp or Instagram, simply add the respective toplevel domains.

If you mean user access, OK, but it’s not enough to completely block tracking - check your DNS logs. I should’ve mentioned the CDNs too.