DIY Router Level Ad Blocking, Anyone else doing this?

So I'm a little bored at the moment and figured that I'd post another one of my networking projects I've achieved recently, which is how to block ads across my entire home network. That means that ads on every device on my network and through my VPN are blocked.

It works a little similarly to how Adblock used to, which is by intercepting the DNS requests to domains used for ads and sending the client either to itself (localhost) or to another host on the network, in my case my home server, which is hosting a nice plain white page to fill in where the ads used to be.

I'm running this method of blocking on my router itself. I have an Asus RT-AC68P running Asuswrt-merlin which enables a lot of additional access to the firmware as well as a package manager (opkg) to add software using a jffs partition.

The actual implementation of the adblock was super easy, as easy as pointing the dnsmasq installation already present on the router to a different hosts file that is curated and periodically updated by a cron job. The cron job downloads a couple of lists of known ad domains from trusted sources, changes the redirection to my home server for every entry, and then deletes a list of domains that occasionally get wrongly flagged.

Something interesting that I noticed while setting this up, when testing this method of ad blocking on my home server, was that when the script replaces every localhost entry with the IP of my home server (thousands of entries), it would take a long period of time to do so. On the verge of 7 to 10 seconds. My home server is no slouch by any measure, running an Ivy Bridge i5 and a decent amount of RAM. But the router is still way faster at performing the exact same operation. Are ARM processors faster at indexing operations like this?

Regardless, sorry to drag on for so long, like I said I'm bored and figured I'd share in my adventures.

Here are a few pictures of it in action.

Before: [image]

After: [image]

Well, that's about it. My main goal was to find out if anyone else was doing anything like this, and if so, what are you doing differently? Also, if you're interested in a guide on how to do this, I plan on writing a few coming up and this may be one of them.

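The cron job the OP describes (fetch hosts-format ad lists, rewrite every entry to the home server's address, strip a whitelist of false positives, hand the result to dnsmasq) as an added example; this is not the OP's script. The list contents are constructed so it runs offline (on the router the job would fetch them with curl or wget), and BLOCK_IP, the file names and every domain are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not the OP's cron script. Builds a dnsmasq "addn-hosts" file
# from hosts-format ad-domain lists, rewriting each entry to point at a local
# web server instead of 127.0.0.1/0.0.0.0, and dropping a whitelist of domains
# that get wrongly flagged. Sample inputs below are constructed for offline use.

BLOCK_IP="${BLOCK_IP:-192.168.1.10}"   # hypothetical home server serving the blank page

# build_hosts WHITELIST LIST...  -> prints the merged hosts file on stdout.
# One streaming pipeline over the whole input; a shell loop that runs sed once
# per entry is what makes a few thousand entries take seconds.
build_hosts() {
    whitelist="$1"; shift
    cat "$@" \
      | tr -d '\r' \
      | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' \
      | awk '$1 == "127.0.0.1" || $1 == "0.0.0.0" { print $2 }' \
      | grep -v -E '^localhost(\.localdomain)?$' \
      | sort -u \
      | awk -v ip="$BLOCK_IP" -v wl_file="$whitelist" '
            FILENAME == wl_file { if ($1 != "" && $1 !~ /^#/) wl[$1] = 1; next }
            !($1 in wl) { print ip, $1 }' "$whitelist" -
}

# Constructed sample inputs standing in for the downloaded lists; prints the
# directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/list1.txt" <<'EOF'
# sample list one (constructed)
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org   # trailing comment
0.0.0.0 cdn.goodsite.example
EOF
    # second list uses CRLF line endings and 0.0.0.0, as some lists do
    printf '0.0.0.0 ads.example.net\r\n0.0.0.0 banners.example.com\r\n' > "$dir/list2.txt"
    cat > "$dir/whitelist.txt" <<'EOF'
# domains that occasionally get wrongly flagged (constructed)
cdn.goodsite.example
EOF
    echo "$dir"
}

# count_entries FILE -> number of blocked domains in a generated hosts file
count_entries() { wc -l < "$1" | tr -d ' '; }

demo() {
    dir=$(make_samples)
    build_hosts "$dir/whitelist.txt" "$dir/list1.txt" "$dir/list2.txt" > "$dir/hosts"
    cat "$dir/hosts"
    echo "entries: $(count_entries "$dir/hosts")"
}

demo
```

The generated file is handed to dnsmasq with its `addn-hosts=/path/to/hosts` option followed by a restart or SIGHUP; the exact config file location depends on the firmware. Whitelist matching is exact, so whitelisting a parent domain does not unblock its subdomains.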

Yeah, I'm doing essentially the same thing except with BIND and dnscrypt. I also have an IP block list for ad servers, which is kind of redundant.


My enterprise firewall can do that as a checkbox.

Didn't realize there was an option for vpn. Will have to enable that for the students at least :)

Just installed the new firmware for my Netgear R7000, loving it so much. Got my stuff here. Can't wait to do something like what you did, OP.


I'm in the middle of building a pfSense router/firewall. I plan on doing this once I get it up and running.


I would be interested in how well and updated this would be. Also on which principle it works.

Also, as far as VPN, mine is set up to put VPN clients on the same level as any other regular client, which means that the DNS server (my router) is the same, which is therefore why it works.

It seems as though you can actually put DD-WRT on the R7000, which is where I would probably start rather than Asuswrt-merlin. The only reason why I went with Merlin rather than DD-WRT on my router is because the DD-WRT wireless drivers/kernel module didn't like the chipset in my router as much, and there was a significant drop in wireless performance for some reason.

My firewall is a paid-for product by a company called CIPAFilter. It is aimed at schools like where I work. They have premade block lists that I can use. I don't block ads because I believe people should get revenue for their content, but if it became a problem I would. The other content filter groups take care of most of the sites that serve bad ads anyway.

I'd like to see this done with the redirect (if the ad isn't HTTPS?) actually showing a custom HTML page. Just for fun.

Out of curiosity what kind of firewall is that?

You can do that with SquidGuard, even with HTTPS as long as you install your CA on all the devices which will be using it.

The HTTPS proxy actually works surprisingly well; it even passes legitimate certificate errors to the user, so if you go to a site with a dodgy certificate it doesn't just show it as verified because of the local CA.

As a guess I'd say it's using an HTTP proxy to filter based on domains and URLs. I'm just guessing that as the format and naming look pretty similar to the blacklists you can get for Squid.

Oh that's awesome, I need to check that out. Thanks!

I'm assuming it's a Supermicro barebones configured by the firewall company, which is CIPAFilter.
It has a quad-core Xeon, 16GB ECC, and dual hot-swap HDD bays. If I remember to, I will take a picture tomorrow.

I actually am doing this; rather than having everything redirect to localhost, I'm sending all ad domain calls to my home server, which displays a page like so:

With a little JavaScript the hand fades away after 1 second.

I've run across CIPAFilter before. The only thing that bugs me about it is that it's a subscription model after you already buy the hardware, right? I'm not much of a fan of those.

Be a good guy and whitelist Tek Syndicate and other content creators that rely on that income in your ad blocking.

But it's a really slick setup. WELL DONE!

That's cool, I always wondered if that would work just by changing the name resolution but without redirecting the URL. I want to do something like that for site blocking on my public WiFi.

Of course, not only that but I'm a Tek Support member as well.
