Happy New Year to you!
I hope you all had a good and secure start in the new year.
As so often, things you almost forgot and believed to be solved forever might come back after a new year break in a new incarnation and reminds you that there is no such thing like the “ultimate solution”. However, let’s see it as a challenge to at least get closer to the “ultimate solution”.
In this case, I am talking about ads which – all of a sudden – reappeared on my iPad, PCs and Macs even though I (at least thought) found a good solution by (ab)using my routers blacklist (see my flurry post from last year.).
So what happened ? After a bit of investigation, I found that some ad’s have changed from http:// to https://. This for me looked a bit surprising as ads usually (should) have nothing to hide so there should be no need to encrypt the web communication especially because of the extra effort for the ad-server to maintain certificates etc..
By that time, I was under the assumption that https:// addresses will be filtered by my router blacklist in the same way a normal http:// connection is. Not just because https just means that the content is transfered over port 443 instead of port 80 and even if traffic uses port 443 and is SSL/TLS encrypted, the domain needs to be resolved and if it’s blocked it can’t be resolved.
But further tests showed that my router indeed is just filtering http domains and not https. How come ? Further researches led me to the finding that (at least in the investigated cases) the issue was caused by websites which are also using https that include add banners with another https address. In such a case, the data (content) of the original website is SSL/TLS encrypted and maybe that’s why the containing https link is not filtered. I also found that my favorite AVM router is not the only one not being able to block https domains. Many other also can’t and even some popular firewalls have the same limitation.
I really don’t like ads do you? I am tired of ads!
I really got used to the ad-free websites and apps and I was also quite happy not to rely on such dubious Ad blockers like AdBlock Plus which even doesn’t really help to get rid of ads on my iOS devices. So I started thinking of a better solution. Especially because the router solution I was using so far only works with a few routers.
openDNS an alternative ? not really!
One solution I tried was openDNS . openDNS is a service on the web which offers two IP addresses that can be entered as DNS servers in your router. So openDNS replaces the DNS server of your ISP. All DNS queries will be sent to openDNS and they respond based on filter rules with the correct IP address or a dummy address. The good news is: it’s working. The bad news are, it costs about $20 per year (as the free service doesn’t offer enough custom filter settings) and much extra effort is necessary to handle dynamic IP address changes if you (as I) run your own DynDNS solution. They offer a in combination with their own service dnsomatic.com which can be used to chain additional DynDNS services but that doesn’t seem to work quite well. Finally (as I don’t trust the evil as you know) it is quite clear that they are collecting my DNS requests and sell it as this is quite interesting information for the ad industry.
So I discontinued my openDNS activities and thought about another solution.
running my own DNS Server!
And here is my (new) “ultimate solution” :
A Raspberry Pi connected to my favorite AVM router.
It was really simple to use an out-of-the-box $30 Raspberry Pi, setup my own “openDNS” by using dnsmasq on it. The Raspberry gets powered by the USB port of my router and is connected to it with a short network cable. No additional configuration on the clients was necessary and I just had to enter the Raspberry Pis IP address as DNS server address in the router settings.
My blacklist now resides on the Raspberry Pi and my router is no longer misused to blacklist ad servers.
even more advantages!
I now even have three more advantages:
- HTTPS domains are also filtered. So no big ad at the top of the youtube.com site. Hurray!
- DNS requests are noticeable faster as they are now cached inside my network
- Optionally, I can easily monitor all the DNS requests of my whole network
The last advantage is very comfortable in order to find additional servers that want to be blocked, especially when using an iOS device. In the past I always had to setup a proxy for this.
So I am happy again!
If you are interested in this solution, please drop me a line (or maybe additionally leave an app review which I would greatly appreciate;-) ) and if there is enough demand, I will create a small installation summary and post it on my website. I can even share my blacklist if you are interested.
Again, have a good, secure (and ad-free) start into 2015!
…and don’t trust the evil!
Best regards,
Marcus