Network-level ad blocking


#1

I’m reiterating this request here, even though I’ve also posted it on the campaign page a while back, so that other users can contribute or show their support for the idea.

I think that network-level ad-blocking would be particularly useful for mobile devices, smart TVs and other devices that include a browser, but for which ad-blocking solutions are lacking. Chrome on Android doesn’t support extensions, so the Firefox-based AdBlockPlus browser is the only viable solution for browsing without being bombarded by scammy and persistent ads that try to push dodgy performance or security apps through fake warnings: “your phone’s battery is damaged”, “your phone is insecure”, “your phone is slow,” etc. Also, browser-based ad blocking doesn’t block the ads displayed inside other apps, the majority of which are served over HTTP and are vulnerable to man-in-the-middle modification.

The benefit of network-based ad blocking is also that since these routers will support OpenVPN servers you can VPN back into your own network whenever you take the mobile device outside the house too and have the ad blocking applied at all times.

As far as implementation goes, it shouldn’t be too difficult. The EasyList that’s at the core of AdBlockPlus filtering is GPL and can be converted for something like privoxy, or maybe even an nginx-based transparent proxy. It just needs to be converted on a regular basis and kept up to date. A privoxy-based example is available for asuswrt-merlin via entware: https://github.com/RMerl/asuswrt-merlin/wiki/How-to-use-Adblock-Plus-filter-subscriptions-to-provide-advertisement-filtering-to-devices

Another option is DNS-based ad-blocking, like Pi-Hole for RPi: https://github.com/jacobsalmela/pi-hole DNS-based ad-blocking might be less effective and prone to false positives (blocking more than ads), but it’s more efficient in terms of resource use (no proxy that has to do real-time filtering) and it’s harder for the site to detect that you used ad-blocking (some sites detect adblockers and refuse to show the content).

Yes, I know that technically users can implement these themselves if they wish, but it would be much more useful to have it as a service/feature that gets updated and maintained by the Turris team, instead of having users manually check for filter list updates, etc.


#2

I like this idea. At the moment I am using an RPI with dhcp, a webserver and bind to serve 1x1 transparent pixels, empty html, css and js for known “advertisement domains”. Not the best solution, but works for now.

I support your motion to have a router based ad-block solution for the home.


#3

More and more of the web is https; you can only block ad elements on an https connection on the end consumer device.

For dns blocking a very simple script will do, which downloads a hosts file blocklist, redirecting ad/phishing/malware domains to 127.0.0.1 or 0.0.0.0. Place it in cron and no need for manual updates. You can do this with one wget request. See Turris forums.

Making a completely new software which would use Adblock, Pi-Hole or other blocklists probably is outside of the scope of a router manufacturer.

This leaves open the possibility for using Privoxy. Is it offered by the existing Turris package system? If not, would it be possible?
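
The cron-driven hosts-file update described in post #3, as an added example that is not part of any post in this thread: it sanitizes a downloaded list before use, refuses a truncated download, and swaps the file in atomically. The function names, file paths and sample entries are constructed for illustration; the download itself (the wget step) runs before `update_blocklist` and is left to the reader.

```shell
#!/bin/sh
# Added example (not from the thread): sanitize a hosts-format blocklist.
# Only sinkhole entries (0.0.0.0 / 127.0.0.1) for valid names are kept, so a
# tampered list cannot point a real name at an arbitrary address.
sanitize_hosts() {
    tr -d '\r' | awk '
        { sub(/#.*/, "") }                     # strip comments
        NF < 2 { next }                        # blank or incomplete line
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { dropped++; next }
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == "localhost.localdomain" || length(name) > 253) continue
                if (name !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) continue
                if (!seen[name]++) print "0.0.0.0 " name
            }
        }
        END { if (dropped) print dropped " non-sinkhole entries dropped" > "/dev/stderr" }
    '
}

# update_blocklist SRC DEST MIN: SRC is the freshly downloaded file (paths are
# the reader's choice). DEST is replaced only if at least MIN valid entries
# survive, and only by rename, so the resolver never reads a partial file.
update_blocklist() {
    src=$1 dest=$2 min=$3 tmp="$2.new.$$"
    sanitize_hosts < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    count=$(awk 'END { print NR }' "$tmp")
    if [ "$count" -lt "$min" ]; then
        echo "refusing update: $count valid entries, minimum is $min" >&2
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest"
}

sample_hosts() {
    cat <<'EOF'
# constructed sample, not a real list
127.0.0.1 localhost
0.0.0.0 ads.example.com
127.0.0.1 Tracker.Example.NET   # inline comment
0.0.0.0 ads.example.com
203.0.113.7 bank.example.org
0.0.0.0 weird;entry.example
0.0.0.0 nodot
EOF
}
sample_hosts | sanitize_hosts
```

Pick the minimum entry count from the size the list normally has, so that an error page or half-finished download leaves the previous blocklist in place.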


#4

This was discussed numerous times elsewhere in the forum. It seems there is no single good solution - every solution proposed requires manual changes to the configuration and none is integrated correctly right now. The solutions range from using pi-hole to manual configurations. The tutorial linked here seems to be the most complete instructions for pi-hole:

There is also this older overlapping discussion:

The pi-hole-based solutions require delegating your DNS to the pi-hole proxy, something I would prefer to avoid myself, as I have other delegations that may conflict with that.

There are tutorials on how to set up adblock instead:


Adblock seems to be simpler than pi-hole: there is a “RPZ” file that can be plugged directly into the Knot resolver, which means minimal configuration:

Then there is this tutorial on how to manually build a blocklist for the Knot resolver, without the adblock package:

In the following survey, Pi-hole arrived slightly ahead (+10%) of Adblock as an ad-blocking solution for Turris software:

I myself am not sure which solution I will deploy. I am tempted to agree with some of the voters in that poll saying that we should choose the simplicity of adblock, but I’ll see how well it actually works in practice.


#5

I finally chose to use adblock because it’s simpler and supported out of the box in OpenWRT. It requires manual configuration of the resolver and packages outside of the Turris ecosystem (those should really be updated), so there is still room for improvement, but this works for me and covers a few problems that were found in other tutorials.

Here’s a step-by-step process, as seen from a terminal logged in as root in the Turris router:

  1. Download and install the adblock APKs from LEDE (the ones from Omnia are too old):

     wget https://downloads.lede-project.org/snapshots/packages/x86_64/luci/luci-app-adblock_git-17.328.04231-802d5b6-1_all.ipk
     wget https://downloads.lede-project.org/snapshots/packages/x86_64/packages/adblock_3.1.0-2_all.ipk
     opkg install adblock_3.1.0-2_all.ipk luci-app-adblock_git-17.328.04231-802d5b6-1_all.ipk
    
  2. Reload the LUCI cache, otherwise you get a weird backtrace in the web interface:

     rm -rf /tmp/luci-*
     /etc/init.d/lighttpd restart
    
  3. Start adblock and check that it works:

     /etc/init.d/adblock enable
     /etc/init.d/adblock start
     adblock.sh
     /etc/init.d/adblock status
     /etc/init.d/adblock query doubleclick.net
    

    The last line should show something like:

     ::: max. ten results for domain 'doubleclick.net'
       + doubleclick.net
    

    and a file should have been created in /etc/kresd/adb_list.overall with all the blacklists configured in the GUI.

  4. Hook that configuration into the resolver and restart it. For this, you need to add the following line in the config resolver 'kresd' section of /etc/config/resolver:

     list rpz_file "/etc/kresd/adb_list.overall"
    

    … and restart the resolver:

     /etc/init.d/resolver restart
    

If this works, DNS resolution should fail for blocked domains, for example:

root@octavia:~# dig doubleclick.net

; <<>> DiG 9.10.5-P3 <<>> doubleclick.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21508
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;doubleclick.net.		IN	A

;; AUTHORITY SECTION:
blocked.		900	IN	SOA	blocked. nobody.invalid. 0 3600 900 604800 900

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 29 09:52:39 EST 2017
;; MSG SIZE  rcvd: 101

… and, obviously, most ads should be gone from your devices. :) It doesn’t work for everything: ads may still show up in YouTube videos for example. But it will go a long way.
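
A way to script the dig check at the end of post #5, as an added example that is not part of the original post: it parses dig output and separates the resolver's policy block (NXDOMAIN with the `blocked.` SOA shown above) from a genuine NXDOMAIN, and also flags names that must keep resolving. `classify_dig`, `audit_blocking`, the `RESOLVE_CMD` hook and the sample answers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell a policy block from other answers.
# classify_dig reads complete dig output on stdin and prints one word:
#   blocked   NXDOMAIN with the synthetic "blocked." SOA shown in the post
#   nxdomain  NXDOMAIN without it (the name really does not exist)
#   resolved  NOERROR with at least one answer record
#   other     SERVFAIL, empty answer, no output at all
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) { status = substr($0, RSTART + 8, RLENGTH - 8) }
        match($0, /ANSWER: [0-9]+/) { answers = substr($0, RSTART + 8, RLENGTH - 8) + 0 }
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^$/ { in_auth = 0 }
        in_auth && $1 == "blocked." && $4 == "SOA" { policy = 1 }
        END {
            if (status == "NXDOMAIN" && policy) print "blocked"
            else if (status == "NXDOMAIN") print "nxdomain"
            else if (status == "NOERROR" && answers > 0) print "resolved"
            else print "other"
        }
    '
}

# audit_blocking WANT:NAME...: compare each name with its expected class.
# RESOLVE_CMD is a hypothetical hook (default: dig) so this can run offline.
audit_blocking() {
    rc=0
    for spec in "$@"; do
        want=${spec%%:*} name=${spec#*:}
        got=$(${RESOLVE_CMD:-dig} "$name" | classify_dig)
        [ "$got" = "$want" ] || { echo "FAIL $name: want $want, got $got"; rc=1; }
    done
    return $rc
}

# Constructed stand-in for dig (the blocked answer is modelled on the post).
sample_dig() {
    if [ "$1" = "doubleclick.net" ]; then
        printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21508' \
            ';; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1' '' \
            ';; AUTHORITY SECTION:' 'blocked. 900 IN SOA blocked. nobody.invalid. 0 3600 900 604800 900'
    else
        printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1' \
            ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' '' \
            ';; ANSWER SECTION:' "$1. 300 IN A 192.0.2.10"
    fi
}

RESOLVE_CMD=sample_dig; audit_blocking blocked:doubleclick.net resolved:example.org && echo "audit passed"
```

On the router, leave `RESOLVE_CMD` unset so the real dig is queried, and list a few names that must never be blocked as `resolved:` entries to catch false positives after a list refresh.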


#6

just for your information - this step will be automated by the next forthcoming adblock update.


#7

I installed adblock and it is running according to “adblock status”. However, in Luci and in the terminal it always shows that it has 0 blocked domains.

I do not know what I did wrong. I restarted the router several times and also “adblock reload” does not appear to do anything.

Is there anything I’m missing?


#8

Look at this page of Adblock package release for turris omnia (a better thread)

For a start, you’re using uclient, when you should be using wget.


#9

It seems that something went wrong there with the config file. I just kept the original settings. Anyway, thank you for the link, in it I found this. I adjusted the settings and now it is working as intended.

Thank you very much!