Solved Project: Block ads for all network users...

There has to be a lot of ad-blocking experience here... I have none and would appreciate some basic advice to get me started in the right direction. How should I go about blocking ads for all network users... desktop, mobile, TV devices(?)? My preference is to not integrate too many functions into one box so that managing one does not involve the other, if that's an option. I currently use Quad9 DoT.

OE

As you don't run Merlin firmware, if you run a server at home or an RPi I'd suggest Pi-hole with Steven Black's Diversion blocklist.

OzarkEdge said:

I currently use Quad9 DoT.

Click to expand...

Try AdGuard with DoT. I remember Asuswrt has presets for it.

Tech9 said:

Try AdGuard with DoT. I remember Asuswrt has presets for it.

Click to expand...

OK, I'll test this path of least resistance...

AdGuard Public DNS

Option 2: Configure AdGuard DNS manually
Routers
Default servers
AdGuard DNS will block ads and trackers.
IPv4:
94.140.14.14
94.140.15.15

Our server addresses
DNS-over-TLS
Default server
AdGuard DNS will block ads and trackers.
tls://dns.adguard-dns.com

My ASUSWRT WAN DNS and DoT configuration


https://www.dnscheck.tools/ results


Per some previous DoT example, I'm omitting tls:// from the TLS Hostname(?)

OE

Your settings are correct. The router itself can use different DNS servers, your ISP default for example. There is no ads and trackers to block in what the router needs to resolve for NTP, Trend Micro updates and data sharing, Asus update servers, etc. If something the router needs gets flagged by mistake and filtered upstream - may cause tricky to diagnose issue.

Some of your clients may still show ads. DHCP offers DNS servers to clients, but they are not mandatory. Clients with own DNS settings will go around. Stock Asuswrt doesn't have DNS interception and redirection in GUI. If you want to experiment - here.

Simplest method is setting the router to use an ad filtering DNS, like AdGuard. If you want to get more fancy, then having either a Pi or a VM/Docker running Pihole is a great option. Most NAS platforms allow you to install a docker image of Pihole, if you have such a NAS.

RMerlin said:

Simplest method is setting the router to use an ad filtering DNS, like AdGuard. If you want to get more fancy, then having either a Pi or a VM/Docker running Pihole is a great option. Most NAS platforms allow you to install a docker image of Pihole, if you have such a NAS.

Click to expand...

Thanks for the tips! No NAS here yet, and I have thought about a dedicated Pi unit... I would like a solution I can share with less-tech-interested family (my kids were born with the Internet and did not require parental controls, but their kids are rising now and they may need parental controls). I will run with AdGuard DNS for now to see how it behaves... I'm an idiot for not trying it sooner.

OE

Your network users will tell you if they like it or not. Like any other DNS based blocker it will distort the web pages leaving blank spaces, in search results all ad links on top of pages will give an error, in mobile games ad screens will be blank, some may show an error and may not want to continue, etc. It comes with inconveniences. If it blocks bank trackers or cookies you may need to do 2FA unusual times compared to before. It works as intended, AdGuard is inobtrusive in general, but this method is not for everyone.

So far, AdGuard Default Public DNS-over-TLS at the router level is not causing me any issues that I'm aware of. Websites might beg once each visit to disable ad blocking... some even offer instructions for various browser-based ad blockers. I like not ad-blocking at the browser level since browsers keep morphing and feel like they are fighting against the user more and more... I prefer to keep them out of 'things' as much as possible... de-linking dependencies!

I find websites much more readable/pleasant/peaceful to use without ads mucking up the content... it has been a welcome mental shift for this user.

OE

Glad it works for you. I still maintain family democracy with no blocking anything on network level policy.

I first ran Pi-Hole on a Raspberry Pi Zero (non-WiFi model), with an RT-AC68U supplying its power and a UGreen USB Ethernet adapter. The performance at the time was perfectly acceptable. It was possible to run entirely over USB - one cable for power and data/network, but without Merlin, it needed some settings made in the router after any and every reboot, and thanks to some changes I'm not sure that setup would still work.
I then switched to an RPi4, before adding a second RPi4 for (unneeded) redundancy. And I've tried AdGuard Home too, but I'm now on Diversion on the router.
Each setup had its advantages and disadvantages, but as I can run diversion on the router, that's where I'm at. Frankly, if it's on an Asus router, and you don't want users to mess with it, then I really would go with Diversion, even if it's the only add-on you run on the router.
*I know I can (and I have) run AGH on the router, but it just doesn't seem so robust - to me at least!

Nothing can beat the simplicity of upstream filtering DNS though. Extra hardware not needed, firmware replacement not needed.