So I'm a little bored at the moment and figured that I'd post another one of my networking projects I've achieved recently which is how to block ads across my entire home network. That means that ads on every device on my network and through my VPN are blocked.
It works a little similarly to how adblock used to, which is by intercepting the DNS requests to domains used for ads and sending the client either to itself (localhost) or to another host on the network, in my case my home server, which is hosting a nice plain white page to fill in where the ads used to be.
I'm running this method of blocking on my router itself. I have an Asus RT-AC68P running Asuswrt-merlin which enables a lot of additional access to the firmware as well as a package manager (opkg) to add software using a jffs partition.
The actual implementation of the adblock was super easy, as easy as pointing the dnsmasq installation already present on the router to a different hosts file that is curated and periodically updated by a cron job. The cron job downloads a couple of lists of known ad domains from trusted sources, changes the redirection to my home server for every entry, and then deletes a list of domains that occasionally get wrongly flagged.
Something interesting that I noticed while setting this up, when testing this method of ad blocking on my home server, was that when the script replaced every localhost entry with the IP of my home server (thousands of entries), it took a long time to do so, on the verge of 7 to 10 seconds. My home server is no slouch by any measure, running an Ivy Bridge i5 and a decent amount of RAM. But the router is still way faster at performing the exact same operation. Are ARM processors faster at indexing operations like this?
Regardless, sorry to drag on for so long, like I said I'm bored and figured I'd share in my adventures.
Well, that's about it. My main goal was to find out if anyone else was doing anything like this, and if so, what are you doing differently? Also, if you're interested in a guide on how to do this, I plan on writing a few coming up and this may be one of them.
Also, as far as VPN, mine is set up to put VPN clients on the same level as any other regular client, which means that the DNS server (my router) is the same, which is why it works.
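The hosts-file rewrite described in the post, as an added example (not the poster's own script): it takes hosts-format blocklist lines on stdin, rewrites every 127.0.0.1 / 0.0.0.0 entry to point at the host serving the blank page, drops domains listed in a whitelist of false positives, and dedupes, in a single pass rather than one process per entry. The block-page IP 192.168.1.10, the sample list, the whitelist and the /jffs paths in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the original poster's cron script.
# Assumed: the blank block page is served from 192.168.1.10.
BLOCKPAGE_IP="${BLOCKPAGE_IP:-192.168.1.10}"

# build_adblock_hosts WHITELIST_FILE
#   stdin : one or more hosts-format blocklists concatenated
#   stdout: dnsmasq addn-hosts lines "<BLOCKPAGE_IP> <domain>"
# Everything is streamed through one sed and two awk processes, so the cost is
# linear in the list size; spawning a process per entry is what makes this slow.
build_adblock_hosts() {
    whitelist="$1"
    # strip comments (full-line and trailing), leading whitespace, blank lines
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' \
    | awk -v ip="$BLOCKPAGE_IP" \
        '($1 == "127.0.0.1" || $1 == "0.0.0.0") && $2 != "localhost" { print ip, $2 }' \
    | awk -v wl="$whitelist" '
        BEGIN {
            # load the wrongly-flagged domains into a set (exact match on host field)
            if (wl != "")
                while ((getline l < wl) > 0)
                    if (l != "" && l !~ /^#/) skip[l] = 1
        }
        !($2 in skip) && !seen[$2]++'
}

# Constructed sample blocklist (not a real list); on the router these lines
# would come from "wget -O - <list URL>" for each trusted source.
sample_lists() {
cat <<'EOF'
# constructed hosts-format blocklist
127.0.0.1 localhost
127.0.0.1 ads.example.net
0.0.0.0   tracker.example.org   # inline comment
0.0.0.0   cdn.example.com
127.0.0.1 ads.example.net
EOF
}

# Constructed whitelist of domains that get wrongly flagged.
sample_whitelist() {
cat <<'EOF'
# constructed whitelist
cdn.example.com
EOF
}

# demo: run the transform over the constructed input and print the result.
# Prints two lines:
#   192.168.1.10 ads.example.net
#   192.168.1.10 tracker.example.org
demo() {
    wl=$(mktemp)
    sample_whitelist > "$wl"
    sample_lists | build_adblock_hosts "$wl"
    rm -f "$wl"
}

# On the router (assumed paths) the cron job would write the result to
# /jffs/adblock/hosts and dnsmasq would be pointed at it with the line
#   addn-hosts=/jffs/adblock/hosts
# followed by a dnsmasq restart so the new file is read.
demo
```

The whitelist is applied as an exact match on the domain field, so a wrongly flagged subdomain has to be listed as written in the blocklist; localhost and the IPv6 `::1` line from the list header are dropped because only loopback and 0.0.0.0 targets are rewritten.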
It seems as though you can actually put DD-WRT on the R7000, which is where I would probably start rather than asus-merlin. The only reason why I went with Merlin rather than DD-WRT on my router is because the DD-WRT wireless drivers/kernel module didn't like the chipset in my router as much, and there was a significant drop in wireless performance for some reason.
My firewall is a paid-for product by a company called CIPA filter. It is aimed at schools like where I work. They have premade block lists that I can use. I don't block ads because I believe people should get revenue for their content, but if it became a problem I would. The other content filter groups take care of most of the sites that serve bad ads anyway.
You can do that with squidguard, even with https as long as you install your CA to all the devices which will be using it.
The https proxy actually works surprisingly well, it even passes legitimate certificate errors to the user so if you go to a site with a dodgy certificate it doesn't just show it as verified because of the local CA.
As a guess I'd say it's using an HTTP proxy to filter based on domains and URLs. I'm just guessing that as the format and naming looks pretty similar to the blacklists you can get for squid.
I'm assuming it is a Supermicro barebones configured by the firewall company, which is CIPA filter. It has a quad-core Xeon, 16GB ECC, and dual hot-swap HDD bays. If I remember to, I will take a picture tomorrow.
I actually am doing this: rather than having everything redirect to localhost, I'm sending all ad-domain calls to my home server, which displays a page like so:
With a little javascript the hand fades away after 1 second.
I've run across CIPA filters before. The only thing that bugs me about it is that it's a subscription model after you already buy the hardware, right? I'm not much of a fan of those.
That's cool, I always wondered if that would work just by changing the name resolution but without redirecting the URL. I want to do something like that for site blocking on my public WiFi.