Quick take: Cloudflare, Quad9, Google, NextDNS, AdGuard or Pi-hole?

Just wondering if the consensus is that setting up Adguard or PiHole actually makes Internet life better?

There’s also NextDNS.io

Then there’s just the well regarded 1.1.1.1, 9.9.9.9, and 8.8.8.8

I’ve played with all of these, and the ad-blocking of Adguard and Pihole made some sites unviewable.

Not at all claiming to have done an exhaustive study or to be an expert.

Wondering what most people here use and recommend.

Thanks

You should have a look at AdList, which is part of RouterOS:
https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-Adlist

It replaces my previous AdGuard and PiHole dockers (that ran on a Synology).

Built in sounds great!

Does this mean it is enabled and all set up? Any way to monitor what it is catching/blocking?

[admin@212RB5009] /ip/dns/adlist> print
Flags: X - disabled 
 0   url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no match-count=48 name-count=33338

Match-count shows the number of hits on the list, this counter should be increasing.
As yours is, it is active.

I haven’t found a way to log adlist specifically; you can do DNS logging temporarily (no clue what information it will provide).
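The two counters in the print-out above are the only feedback the feature gives: name-count is the number of hostnames parsed out of the downloaded hosts-format file, match-count the number of queries that hit one of them. The following Python is an added example (not MikroTik's code, and not a statement of how RouterOS implements adlist internally) that does the same bookkeeping offline on a constructed hosts-format snippet laid out like the StevenBlack list: it skips comments and the localhost/loopback entries every hosts file carries, normalises case and trailing dots, and counts hits. It offers both an exact-name match (what a hosts file literally lists) and a zone match that also catches subdomains; which of the two your resolver applies is resolver-specific, so test it with a real query before relying on it. One caveat the print-out also shows: the entry was added with ssl-verify=no, so the HTTPS download is not authenticated; re-add it with ssl-verify=yes unless there is a reason not to.

```python
"""Offline model of a hosts-format DNS blocklist (the layout RouterOS adlist,
Pi-hole and AdGuard all consume): parse, dedupe, match, count.

Added example; SAMPLE_HOSTS and the *.example.* names are constructed test
data, not entries from any real list.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample in the usual hosts-file layout
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost
0.0.0.0 0.0.0.0

# start of blocked names
0.0.0.0 ads.example.com tracker.example.net   # several names on one line
0.0.0.0 ADS.EXAMPLE.COM                       # duplicate, different case
0.0.0.0 telemetry.example.org.                # trailing dot
# 0.0.0.0 commented-out.example.com
"""

# Boilerplate entries every hosts file carries; they are not block targets.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot is the root label."""
    return name.lower().rstrip(".")


def parse_hosts(text: str) -> set[str]:
    """Return the set of blocked names in a hosts-format (or bare-name) list."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:                                      # first field = sink address?
            ipaddress.ip_address(fields[0])
            hostnames = fields[1:]
        except ValueError:                        # bare-name list: every field is a name
            hostnames = fields
        for h in hostnames:
            h = _normalise(h)
            if h and h not in LOOPBACK_NAMES:
                names.add(h)
    return names


def merge_lists(*texts: str) -> tuple[set[str], int]:
    """Union several lists; also report how many names appeared in more than one."""
    merged: set[str] = set()
    seen_in: dict[str, int] = {}
    for text in texts:
        for n in parse_hosts(text):
            seen_in[n] = seen_in.get(n, 0) + 1
            merged.add(n)
    overlap = sum(1 for count in seen_in.values() if count > 1)
    return merged, overlap


class Blocklist:
    """Holds parsed names and the two counters the adlist print-out shows."""

    def __init__(self, names: set[str]) -> None:
        self.names = set(names)
        self.match_count = 0

    @property
    def name_count(self) -> int:
        return len(self.names)

    def matches(self, qname: str, zone_match: bool = False) -> bool:
        """Exact hosts-style match; with zone_match also block subdomains."""
        q = _normalise(qname)
        hit = q in self.names
        if not hit and zone_match:
            labels = q.split(".")
            hit = any(".".join(labels[i:]) in self.names
                      for i in range(1, len(labels)))
        if hit:
            self.match_count += 1
        return hit


if __name__ == "__main__":
    bl = Blocklist(parse_hosts(SAMPLE_HOSTS))
    for q in ["ads.example.com", "www.ads.example.com", "example.com"]:
        print(f"{q:24} exact={bl.matches(q)} zone={bl.matches(q, zone_match=True)}")
    print(f"name-count={bl.name_count} match-count={bl.match_count}")
```

The interesting cases are the last two queries: a hosts entry for ads.example.com says nothing about www.ads.example.com, so an exact matcher lets that through, while a zone matcher blocks it but still (correctly) leaves the parent example.com alone.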

Great, thanks very much.

Less than an hour – it is catching a lot.

Sure would be nice to know what it’s blocking.

I turned on topic DNS logging, but it’s way too much info for my eyes to digest.

What’s interesting is this is just a private house and I’m the only one home. So, the caught ads are either from me or devices that are doing what they do all by themselves.

[admin@212RB5009] /ip/dns/adlist> print
Flags: X - disabled 
 0   url="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ssl-verify=no match-count=1309 name-count=33338

What’s with GitHub and Stephen Black? Is MikroTik supporting this list, using this as a default?
Stated otherwise, what lists are people using, and are they trustworthy, up to date or effective, and how do you know?

Sshhhh… Steve’s a big contributor to the MikroTik PAC.

Yes, and tomorrow Stephen cashes in his profits from the Trump bitcoin and stops working on the list… how useful will it be tomorrow??
I mean, lists are out of control…

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Admiral.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt

And then there is this…
https://github.com/mullvad/dns-blocklists?tab=readme-ov-file#lists

Which led me to here..
https://firebog.net/

See the point!!!

Why in the world would he do that when he gets $0.0001 every time his list redirects a paying ad to my screen while blocking an “uncooperative” advertiser’s ad from showing up?

That PAC money doesn’t make itself ya know.

So does MT also provide a whitelist feature to help with false positives generated by the adlist feature LOL

It’s not like it’s SENDING data to Mr. Black – worst case is some random website doesn’t work if something got on his list, which can be easily remedied. Since it’s a static file, no info is leaking out from “adlist” either beyond what normally would (i.e. something NOT on the list).

I don’t use any lists… but I do think the COMBO of some “adlist” with one of the protective DNS servers seems entirely reasonable.

I used OpenDNS for a long while – as a low-stakes way to always do “something” about malware. But for the past year+ I’ve been switching newer routers to Quad9’s 9.9.9.9. My only thinking is OpenDNS seems to be languishing in the backwoods of Cisco, so I worry about the future of it. While the Quad9 folks seem focused on DNS and malware, and independent. Much like the original OpenDNS folks, before they were absorbed by Cisco.

Also, on the same basis as trusting “Steven” for adlist… I watched a video from the Quad9 CEO a while back, and he seemed reasonably trustworthy. And, without stereotyping too much, I’d trust the Swiss to run DNS more than, say, some of these Californian billionaires :wink:.

Nice AMMO. A touch of skepticism is always healthy. So just plain 9.9.9.9, no DoH etc.?

I was just joking.

Seriously, the only reason I used that list is because that’s what I saw people using in other threads.

Yeah. For me, no DoH…

Now I get the logic of DoH to “hide” your request – totally valid. It’s just not my concern – someone, somewhere is collecting the DNS queries is my thought. So I’m not a big fan of introducing TCP’s complexity (three-way handshake) into something so critical like DNS. UDP is going to be faster. Leaking some UDP DNS queries is better than potentially some oddities with DoH (either RouterOS or elsewhere) creeping up. But just my opinion.

Now, one of the public DNS servers knowing about “bad domains” and returning NXDOMAIN or whatnot… I do like that part, as I’d rather deal with a question about why one website does not work than, say, all DNS not working because of a bug in DoH – or a Pi-hole container is down.

Pi-hole is excellent — my Pi-hole currently blocks 7 million ad sites… and its whitelisting capabilities work just great.

I also strongly recommend MOAB because that will protect your “network” from the bad guys… yes, I am heavily prejudiced :smiley:

I always use 9.9.9.9 as my DNS service as it provides me basic protection from the worst malicious domains, but it provides no ad blocking and no tuning options. False positives are very rare with it, and also no additional CPU cycles are consumed.
I tried different blocklists with my Unbound setup, and I also had BIND running as my recursive name server with blocklists. The problem is sometimes the quality of the blocklists; you don't usually know which ones to use to have sufficient ad blocking without too many false positives. It's also hard to maintain.
I then used a Pi-hole setup, which was great, but after testing AdGuard I found that it has a more versatile GUI and I can have better control. (Maybe Pi-hole has improved since.)
What wasn't mentioned here: all DNS-based ad blocking is by far inferior compared to the browser plugins. I use uBlock Origin everywhere I can. This provides the best results.
For basic protection and devices like IoT/mobile devices/TVs I still have AdGuard+Quad9, but the emerging issue is that I can't block DoH for those.

I don’t concern myself with using DoH, but primarily because I don’t have the depth of understanding to be worried about it. My basic understanding that it encrypts DNS requests and thereby provides greater privacy, but more so that it prevents an attack coming in by way of hijacking a DNS request. (There’s only so much a guy can learn and implement…)

And, I tried implementing browser-based ad protection and it was a nightmare. I personally use 6 or 7 physical devices, each with a browser, and on some of those I frequently use 2 or 3 different browsers (Chrome, Edge, and DuckDuckGo) because they behave differently (i.e., some things and sites work on one but not another) and because the caches screw up my multiple user logins to the same services like Gmail and Office 365. So, maintaining browser-based ad protection would be onerous and ongoing. And the fine-tuning of these ad-blockers was ridiculously time-consuming.

And, generally, I place high value on simplicity of set up and a set it and leave approach.

That said, I set up the adlist and it has caught tens of thousands of requests (I don’t actually know what “caught” means) and I just had my first issue:

cnbc.com complained that I am using an ad-blocker and depriving them of revenue. They asked if I could shut it off.

I think this goes to the balance, or compromise, that will inevitably be faced with these types of systems.

I’ll continue using the single Stephen adlist, despite the only feedback or data I get is a complaint that I’m depriving a web site of needed revenue (as opposed to feedback that I am being spared undesired ads).

It would be enough for all users to agree and boycott the products in the EXCESSIVE advertising banners,
sending protest emails to the companies in question, and they would stop advertising in that way, knowing that it would backfire on them…

I understand those who try to earn money with what they do for free,
but there also needs to be a balance,
especially on advertising done on things for which you are already paying the subscription. (I am not referring to the internet subscription).

If “my ISP” made me pay €2.00 more per month to have internet WITHOUT advertising, I would have already signed up… (less power consumed for pihole & Co.).

Too bad that as an ISP (in Italy) I am required by law to block the sites that the government tells me to,
but at the same time I cannot prevent my customers from reaching the others…
(otherwise I would have already put the filter on all the advertising sites for my customers)…

Then in the future, and easily too
(given how people with the “security flag” start using DoH, HTTPS and other bullshit that worsens management and does not increase security at all),

I see that web pages will no longer be rendered by the browser,
but interactive images and interactive videos will arrive in which the banners are integrated into the content and not removable by anything,
since everything will be encrypted and not modifiable on the computer, like copy-protected streaming content that is decompressed on the GPU…