Don’t use AdBlock in your Browser. Block in your Router instead.

One of the most popular browser extensions is AdBlock, which prevents ads from loading in websites. Now, there isn’t much wrong with ads themselves, except that all the ad networks like to spy on you with tracking cookies and more malicious methods like supercookies that use browser plugins. There have been some ridiculous attempts at letting users opt out of that (e.g., the complete failure that Do-Not-Track is), but these will never work because ad networks will keep trying everything they can to play dirty.

AdBlock browser extensions are one way to play dirty in return, but they’re not that effective: an extension only protects one browser and won’t protect the smartphones, tablets or other machines on your network that don’t have AdBlock. You need to go deeper and block malicious sites in your router, so that every device that goes through your router is covered. Specifically, you want to override DNS entries so that malicious domains resolve to 0.0.0.0. Any decent Linux-based firmware can do that; in my case I run TomatoUSB on my Asus RT-N16 router. (Disclaimer: flashing new firmware is done at your own risk. If you don’t understand the instructions on the Tomato website, get someone who does 🙂 You will need to set up the whole thing properly, including your network configuration, DHCP, WiFi with security etc.)

Under Administration > Scripts > WAN Up, I have this script:

## Adblock script [Version 2.1 | 08 July 2008 | 3778 bytes]
##
## Created by Adrian Jon Kriel: root-AT-extremecooling-DOT-org
## Modified
## tomato WAN Up script
##
## 0 = disable
## 1 = enable
## (1) = default value
## optimising of dnsmasq, (1)
OPTDNSMASQ="1"
## automatic updating, (1)
AUTOUPDATE="1"
## MVPS HOSTS ~18,500 lines, 680 Kbyte, (1)
MVPSSOURCE="1"
## pgl.yoyo.org ~2,200 lines, 68 Kbyte, (1)
PGLSOURCE="1"
## hosts-file.net ~53,000 lines, 1.5 Mbyte, (0)
HSFSOURCE="0"
## Hosts File Project ~102,000 lines, 3.0 Mbyte ***6+mb free memory***, (0)
## This actually makes the RT-N16 grind to a halt, I guess it's not powerful enough.
HFPSOURCE="0"
##
## variables
## location of temp file, (/tmp/hosts)
GENFILE="/tmp/hosts"
## redirect ip, (0.0.0.0)
REDIRECTIP="0.0.0.0"
## sources
MVPSOURCEFILE="http://www.mvps.org/winhelp2002/hosts.txt"
PGLSOURCEFILE="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0"
HSFSOURCEFILE="http://support.it-mate.co.uk/downloads/hosts.txt"
HFPSOURCEFILE="http://hostsfile.mine.nu/Hosts"

## only proceed when the WAN link actually works
if ping -c 1 yahoo.com ; then

    GOTSOURCE="0"
    : > "$GENFILE"
    ## download each enabled source and append it to the work file
    if [ "$MVPSSOURCE" = "1" ] ; then
        if wget "$MVPSOURCEFILE" -O - >> "$GENFILE" ; then
            logger ADBLOCK Downloaded "$MVPSOURCEFILE"
            GOTSOURCE="1"
        else
            logger ADBLOCK Failed "$MVPSOURCEFILE"
        fi
    fi
    if [ "$PGLSOURCE" = "1" ] ; then
        if wget "$PGLSOURCEFILE" -O - >> "$GENFILE" ; then
            logger ADBLOCK Downloaded "$PGLSOURCEFILE"
            GOTSOURCE="1"
        else
            logger ADBLOCK Failed "$PGLSOURCEFILE"
        fi
    fi
    if [ "$HSFSOURCE" = "1" ] ; then
        if wget "$HSFSOURCEFILE" -O - >> "$GENFILE" ; then
            logger ADBLOCK Downloaded "$HSFSOURCEFILE"
            GOTSOURCE="1"
        else
            logger ADBLOCK Failed "$HSFSOURCEFILE"
        fi
    fi
    if [ "$HFPSOURCE" = "1" ] ; then
        if wget "$HFPSOURCEFILE" -O - >> "$GENFILE" ; then
            logger ADBLOCK Downloaded "$HFPSOURCEFILE"
            GOTSOURCE="1"
        else
            logger ADBLOCK Failed "$HFPSOURCEFILE"
        fi
    fi

    if [ "$GOTSOURCE" = "1" ] ; then
        logger ADBLOCK Got Source Files
        ## stop dnsmasq first to free memory for the sed passes below
        service dnsmasq stop
        killall -9 dnsmasq
        logger ADBLOCK Ignore Fail Safe
        ## strip source file: keep only lines that start with an address or hostname
        sed -i -e '/^[0-9A-Za-z]/!d' "$GENFILE"
        sed -i -e '/%/d' "$GENFILE"
        sed -i -e 's/[[:cntrl:][:blank:]]//g' "$GENFILE"
        sed -i -e 's/^[ \t]*//;s/[ \t]*$//' "$GENFILE"

        ## dnsmasq, sanitize, optimised
        sed -i -e 's/[[:space:]]*\[.*$//' "$GENFILE"
        sed -i -e 's/[[:space:]]*\].*$//' "$GENFILE"
        sed -i -e 's/[[:space:]]*#.*$//' "$GENFILE"
        sed -i -e '/^$/d' "$GENFILE"
        ## drop the address prefix (dots escaped so only the literal IP matches),
        ## whether the list uses 127.0.0.1 or 0.0.0.0
        sed -i -e 's/^127\.0\.0\.1//' "$GENFILE"
        sed -i -e 's/^0\.0\.0\.0//' "$GENFILE"
        ## never blackhole the localhost entries every hosts file carries
        sed -i -e '/^localhost$/d;/^localhost\.localdomain$/d' "$GENFILE"
        ## block the bare domain rather than only its www host
        sed -i -e 's/^www[0-9]*\.//' "$GENFILE"
        ## remove duplicates (resource friendly)
        sort -u "$GENFILE" > "$GENFILE.new"
        mv "$GENFILE.new" "$GENFILE"
        ## format: host -> address=/host/REDIRECTIP
        sed -i -e 's|$|/'"$REDIRECTIP"'|' "$GENFILE"
        sed -i -e 's|^|address=/|' "$GENFILE"
        ## load values from dnsmasq config
        cat /etc/dnsmasq.conf >> "$GENFILE"
        ## optimise dnsmasq
        if [ "$OPTDNSMASQ" = "1" ] ; then
            printf 'cache-size=2048\nlog-async=5\n' >> "$GENFILE"
        fi

        ## remove/whitelist websites
        sed -i -e '/ark\.intel\.com/d' "$GENFILE"

        ## apply blacklist
        dnsmasq --conf-file="$GENFILE"

        ## failsafe: if the generated config did not start, start a plain dnsmasq;
        ## when the first start succeeded this one fails on the bound port and is ignored
        dnsmasq
        logger ADBLOCK Ignore Fail Safe

        ## dev info (count only the address= lines, not the appended config)
        logger ADBLOCK Unique Hosts Blocked "$(grep -c '^address=' "$GENFILE")"
    else
        logger ADBLOCK Error Not Downloaded
    fi
else
    logger ADBLOCK Error No Internet
fi
## remove the generated files
rm -f "$GENFILE" "$GENFILE.new"
## automatic update
if [ "$AUTOUPDATE" = "1" ] ; then
    ## script exists
    if [ -x /tmp/script_wanup.sh ] ; then
        cru a UpdateAdlist "0 6,12,18,0 * * * /tmp/script_wanup.sh >/dev/null 2>&1"
    fi
fi
## the end

Note that some of the sources no longer work, but the script is a good starting point. Some sites you want to visit may end up blocked; see the “remove/whitelist websites” part of the script and add the ones you want to unblock there.
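As an added example, not part of the original WAN Up script or of Tomato, here is a sh/awk version of the hosts-to-dnsmasq conversion that the script's sed passes perform, handling the cases they gloss over (0.0.0.0 prefixes, inline comments, localhost lines, several hostnames per line, mixed-case duplicates and a whitelist file). The hostnames and sample hosts lines are constructed; the whitelist file is whatever path you pass in, one domain per line.

```shell
#!/bin/sh
# Added example (not the original script's or Tomato's code): convert
# hosts-file lines on stdin into dnsmasq "address=/host/IP" lines on stdout.
# Usage: hosts_to_dnsmasq REDIRECT_IP WHITELIST_FILE < hosts.txt > adblock.conf
hosts_to_dnsmasq() {
    awk -v ip="$1" -v wl="$2" '
        BEGIN {
            # load the whitelist so those domains never reach the blocklist
            if (wl != "") {
                while ((getline line < wl) > 0) {
                    if (line != "") keep[tolower(line)] = 1
                }
            }
        }
        { sub(/#.*/, "") }                              # strip comments
        NF < 2 { next }                                 # need an address and a host
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # blackhole entries only
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                sub(/^www[0-9]*\./, "", h)              # block the bare domain
                if (h == "localhost" || h == "localhost.localdomain" || h == "broadcasthost") continue
                if (h in keep || h in seen) continue
                seen[h] = 1
                print "address=/" h "/" ip
            }
        }'
}

# The "Unique Hosts Blocked" number for a generated config file
count_blocked() {
    grep -c '^address=' "$1"
}

# Constructed sample hosts lines (not from any real blocklist) to try it on
SAMPLE_HOSTS='# header comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.com # inline comment
127.0.0.1  www.tracker.example.net  cdn.tracker.example.net
0.0.0.0 ADS.example.com
0.0.0.0 ark.intel.com'
```

Run it as `printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq 0.0.0.0 whitelist.txt` and paste the output into the router's DHCP / DNS box or feed it to dnsmasq with --conf-file.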

Under Advanced > DHCP / DNS, make sure that “Use internal DNS” is ticked and add additional sites like this:

address=/googlesyndication.com/0.0.0.0
address=/google-analytics.com/0.0.0.0
address=/googleadservices.com/0.0.0.0
address=/doubleclick.net/0.0.0.0
address=/finder.cox.net/0.0.0.0

The Status > Web Usage page is extremely helpful for finding additional hosts that need to be blocked. There is a war out there and the bad guys keep moving, so as a target we also need to stay vigilant and move with them.

I’m still trying to figure out whether there is a way to do Layer 7 filtering: to disallow only certain subdirectories of a URL (e.g., block facebook.com/plugins without blocking Facebook as a whole), or to inspect and block or modify requests (e.g., add the (mostly) useless DNT: 1 header to each and every outgoing HTTP request, just in case, or change the cookie values/ids sent to "Social Media Share" plugins to random values). Any decent firewall does that (Stateful Packet Inspection), but I might want to get a more powerful router, since the low memory and CPU speed (128 MB/480 MHz) of the RT-N16 make some of the more interesting things slow down a lot.