Don’t use AdBlock in your Browser. Block in your Router instead.
One of the most popular browser extensions is AdBlock, which prevents ads from loading in websites. Now, there isn’t much wrong with ads themselves, except that all the ad networks like to spy on you with tracking cookies and more malicious methods like supercookies that abuse browser plugins. There are some ridiculous attempts at allowing users to opt out of that (e.g., the complete failure that Do-Not-Track is), but these will never work because ad networks will continue to try everything they can to play dirty.
AdBlock browser extensions are one way to play dirty in return, but they’re not that effective: an extension only protects one browser, and won’t protect your smartphones, tablets or other machines on your network that don’t run an adblocker. You need to go deeper: block malicious sites in your router, so that each and every device that goes through your router is covered. Specifically, you want to override DNS entries so that malicious domains resolve to 0.0.0.0. Any decent Linux-based firmware should be able to do that; in my case I run TomatoUSB on my Asus RT-N16 router. (Disclaimer: Flashing new firmware is done at your own risk. If you don’t understand the instructions on the Tomato website, get someone who does 🙂 You will need to properly set up the whole thing, including your network configuration, DHCP, WiFi with security etc.)
Under Administration > Scripts > WAN Up, I have this script:
## Adblock script [Version 2.1 | 08 July 2008 | 3778 bytes]
##
## Created by Adrian Jon Kriel: root-AT-extremecooling-DOT-org
## Modified
## tomato WAN Up script
##
## 0 = disable
## 1 = enable
## (1) = default value

## optimising of dnsmasq, (1)
eval OPTDNSMASQ="1"

## automatic updating, (1)
eval AUTOUPDATE="1"

## MVPS HOSTS ~18,500 lines, 680 Kbyte, (1)
eval MVPSSOURCE="1"

## pgl.yoyo.org ~2,200 lines, 68 Kbyte, (1)
eval PGLSOURCE="1"

## hosts-file.net ~53,000 lines, 1.5 Mbyte, (0)
eval HSFSOURCE="0"

## Hosts File Project ~102,000 lines, 3.0 Mbyte ***6+mb free memory***, (0)
## This actually makes the RT-N16 grind to a halt, I guess it's not powerful enough.
eval HFPSOURCE="0"

##
## variables
## location of temp file, (/tmp/hosts)
eval GENFILE="/tmp/hosts"

## redirect ip, (0.0.0.0)
eval REDIRECTIP="0.0.0.0"

## sources (hosts-file format: "<ip> <hostname>" per line)
eval MVPSOURCEFILE="http://www.mvps.org/winhelp2002/hosts.txt"
eval PGLSOURCEFILE="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0"
eval HSFSOURCEFILE="http://support.it-mate.co.uk/downloads/hosts.txt"
eval HFPSOURCEFILE="http://hostsfile.mine.nu/Hosts"

## only run when the WAN link actually works
if ping -c 1 yahoo.com ; then
  eval GOTSOURCE="0"
  echo "" > $GENFILE

  ## download: every enabled source is appended to the same temp file
  if [ "$MVPSSOURCE" = "1" ] ; then
    if wget $MVPSOURCEFILE -O - >> $GENFILE ; then
      logger ADBLOCK Downloaded $MVPSOURCEFILE
      eval GOTSOURCE="1"
    else
      logger ADBLOCK Failed $MVPSOURCEFILE
    fi
  fi

  if [ "$PGLSOURCE" = "1" ] ; then
    if wget $PGLSOURCEFILE -O - >> $GENFILE ; then
      logger ADBLOCK Load $PGLSOURCEFILE
      eval GOTSOURCE="1"
    else
      logger ADBLOCK Fail $PGLSOURCEFILE
    fi
  fi

  if [ "$HSFSOURCE" = "1" ] ; then
    if wget $HSFSOURCEFILE -O - >> $GENFILE ; then
      logger ADBLOCK Load $HSFSOURCEFILE
      eval GOTSOURCE="1"
    else
      logger ADBLOCK Fail $HSFSOURCEFILE
    fi
  fi

  if [ "$HFPSOURCE" = "1" ] ; then
    if wget $HFPSOURCEFILE -O - >> $GENFILE ; then
      logger ADBLOCK Load $HFPSOURCEFILE
      eval GOTSOURCE="1"
    else
      logger ADBLOCK Fail $HFPSOURCEFILE
    fi
  fi

  if [ "$GOTSOURCE" = "1" ]; then
    logger ADBLOCK Got Source Files

    #FREE MEMORY! stop the running dnsmasq before the sed passes below
    service dnsmasq stop
    killall -9 dnsmasq
    logger ADBLOCK Ignore Fail Safe

    ## strip source file: keep only lines that start with an IP or hostname
    sed -i -e '/^[0-9A-Za-z]/!d' $GENFILE
    sed -i -e '/%/d' $GENFILE
    sed -i -e 's/[[:cntrl:][:blank:]]//g' $GENFILE
    sed -i -e 's/^[ \t]*//;s/[ \t]*$//' $GENFILE

    ## dnsmasq, sanitize, optimised: drop trailing comments/brackets, strip
    ## the loopback prefix and a leading "www." so the whole domain is matched
    sed -i -e 's/[[:space:]]*\[.*$//' $GENFILE
    sed -i -e 's/[[:space:]]*\].*$//' $GENFILE
    sed -i -e '/[[:space:]]*#.*$/ s/[[:space:]]*#.*$//' $GENFILE
    sed -i -e '/^$/d' $GENFILE
    sed -i -e '/127\.0\.0\.1/ s/127\.0\.0\.1//' $GENFILE
    sed -i -e '/^www[0-9]\./ s/^www[0-9]\.//' $GENFILE
    sed -i -e '/^www\./ s/^www\.//' $GENFILE

    ## remove duplicates (resource friendly)
    cat $GENFILE | sort -u > $GENFILE.new
    mv $GENFILE.new $GENFILE

    ## format: turn each hostname into "address=/<host>/<REDIRECTIP>"
    sed -i -e 's|$|/'$REDIRECTIP'|' $GENFILE
    sed -i -e 's|^|address=/|' $GENFILE

    ## load values from dnsmasq config
    cat /etc/dnsmasq.conf >> $GENFILE

    ## optimise dnsmasq
    if [ "$OPTDNSMASQ" = "1" ] ; then
      cat >> $GENFILE <<EOF
cache-size=2048
log-async=5
EOF
    fi

    ## remove/whitelist websites
    sed -i -e '/ark.intel.com/d' $GENFILE

    ## apply blacklist
    dnsmasq --conf-file=$GENFILE

    ## failsafe added: if the generated config is rejected, a stock dnsmasq still comes up
    dnsmasq
    logger ADBLOCK Ignore Fail Safe

    ## dev info
    logger ADBLOCK Unique Hosts Blocked $(awk 'END { print NR }' $GENFILE)
  else
    logger ADBLOCK Error Not Downloaded
  fi
else
  logger ADBLOCK Error No Internet
fi

## remove the generated files
rm $GENFILE*

## automatic update: re-run this WAN Up script four times a day
if [ "$AUTOUPDATE" = "1" ] ; then
  ## script exists
  if [ -x /tmp/script_wanup.sh ] ; then
    cru a UpdateAdlist "0 6,12,18,0 * * * /tmp/script_wanup.sh >/dev/null 2>&1"
  fi
fi
## the end
Note that some of the sources no longer work, but it’s a good starting point. Some sites you may want to visit may be blocked, see the “remove/whitelist websites” part and add the ones you want to unblock.
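The sed chain above has a rough edge: a hosts file line such as "127.0.0.1 localhost" survives the stripping and ends up sinkholed, and a line carrying several hostnames is mangled. Here is an added example (not from the original post or from the Adblock script's author) of the same hosts-to-dnsmasq conversion done in one awk pass that handles those cases; the sample hosts lines and the WHITELIST value are constructed for the demo, and the whole thing only needs busybox sh/awk/sort, so it could replace the sed block on the router.

```shell
#!/bin/sh
# Added example: convert hosts-file lines ("<ip> <host> [host...]") into
# dnsmasq "address=/<host>/<ip>" lines, as the WAN Up script does with sed.
# Differences from the sed chain: inline comments and multiple hostnames
# per line are handled, loopback names are never sinkholed, and only real
# sinkhole entries (0.0.0.0 / 127.0.0.1 / ::1) are converted.

# Hypothetical whitelist (space separated): domains that must never be blocked.
WHITELIST="ark.intel.com"

# Reads hosts-format text on stdin, writes dnsmasq address= lines on stdout.
# $1 is the redirect IP (defaults to 0.0.0.0 like REDIRECTIP in the script).
hosts_to_dnsmasq() {
  redirect_ip="${1:-0.0.0.0}"
  awk -v ip="$redirect_ip" -v wl="$WHITELIST" '
    BEGIN {
      n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1
      skip["localhost"] = 1; skip["localhost.localdomain"] = 1
      skip["broadcasthost"] = 1; skip["ip6-localhost"] = 1
    }
    { sub(/#.*/, "") }                                 # drop inline comments
    NF < 2 { next }                                    # need ip + at least one host
    $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1)$/ { next }   # keep only sinkhole entries
    {
      for (i = 2; i <= NF; i++) {
        h = tolower($i)
        # Like the script, strip a leading www.; dnsmasq address= also matches
        # subdomains, so this widens the block to the whole domain.
        sub(/^www[0-9]*\./, "", h)
        if (h ~ /^[a-z0-9.-]+$/ && !(h in skip)) print "address=/" h "/" ip
      }
    }
  ' | sort -u
}

# Constructed sample input in MVPS / hosts-file.net style.
SAMPLE_HOSTS='# constructed sample, not a real blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.net # inline comment
127.0.0.1 www.tracker.example.org pixel.tracker.example.org
0.0.0.0 ark.intel.com
192.168.1.10 nas.lan
0.0.0.0 ads.example.net'

# Runs the converter over the sample; returns the dnsmasq lines on stdout.
demo() { printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_dnsmasq 0.0.0.0; }

demo
```

On the router you would feed the downloaded $GENFILE into hosts_to_dnsmasq instead of the sed passes and append /etc/dnsmasq.conf afterwards exactly as the script does.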
Under Advanced > DHCP / DNS, make sure that “Use internal DNS” is ticked and add additional sites like this:
address=/googlesyndication.com/0.0.0.0
address=/google-analytics.com/0.0.0.0
address=/googleadservices.com/0.0.0.0
address=/doubleclick.net/0.0.0.0
address=/finder.cox.net/0.0.0.0
The Status > Web Usage page is extremely helpful to find additional hosts that need to be blocked - there is a war out there and the bad guys keep moving, so as a target we also need to stay vigilant and move with them.
I’m still trying to figure out if there is a way to do Layer 7 filtering, to only disallow certain subdirectories on a URL (e.g., prevent facebook.com/plugins without blocking Facebook as a whole) or to inspect and block or modify requests (e.g., add the (mostly) useless DNT: 1 header to each and every outgoing HTTP request, just in case, or change cookie values/IDs for "Social Media Share" plugins to random values). Any decent firewall does that (Stateful Packet Inspection), but I might want to get a more powerful router, since the low memory and CPU speed (128 MB/480 MHz) of the RT-N16 make some of the more interesting things a lot slower.