I have nothing against people who embed adverts into their web pages, hell, even I do it! But there are some websites where adverts are beyond a joke and they overpower the overall user experience, and we all know that’s just annoying!
This coincides with me being a user of pfSense for a good few years now. I recently took the plunge and ditched my EdgeRouter Lite at home for a Watchguard XC170 that I found on eBay for £24. Needless to say the WG runs the latest pfSense absolutely perfectly: it handles 4 VLANs, several LAN to LAN VPNs and gets stuck into some serious caching. Whilst not essential, I was looking to get even more functionality out of the little red beast, and the icing on the cake would ultimately be an automatic ad blocking system where I basically didn't have to lift a finger.
I guess I should let you in on a secret… for a while now I've run a private DNS server which intercepts queries for known advertising domains and answers with the IP address of a server hosting a blank GIF image. This works great, but it's yet another server to manage, so my thinking was to integrate the same functionality into pfSense, ultimately having everything hosted in one box.
The pfSense package manager has both pfBlockerNG and squidGuard available. I tried these but they felt overcomplicated for my needs; I wanted something lightweight that I can set and forget. I didn't want to go down the route of a third-party ad blocking plugin either, as well… you know what happened with AdBlock. Anywho, here's where I got thinking.
Whilst this guide is specifically targeted at pfSense users, any system running the Unbound resolver can be set up the same way.
- I want to block all known advertising/shock site domains through the pfSense DNS resolver to create a cleaner browsing experience
- The block should be done using DNS at router level, meaning it covers all present and future devices on the network and doesn’t rely on third-party plugins or complicated configurations for each individual device
- The block list should update often from various sources and be downloaded regularly to pfSense without me having to do anything – true set and forget!
- No complicated packages should need to be installed on the operating system; it should use software already built into pfSense (cURL and cron, tools which ship as standard with pfSense and most Linux and BSD distributions)
Installing doesn't take long; in fact it took me less than a minute to get going. If you don't want the block list to update automatically, skip steps 1 and 2
- First off, head to System > Package Manager > Available Packages and install Cron – This package will be responsible for making the magic happen at set times
- Next, go to Services > Cron, click Add, set the schedule (I personally run this every hour, but change it to your preference) and type the following in the Command box: curl --url http://www.nerdkey.co.uk/pfsense/resolver-ads.conf -o /tmp/resolver.conf > /tmp/resolver.log, then press Save. This downloads the latest resolver config file into /tmp (the > /tmp/resolver.log part only captures curl's standard output; progress and error messages go to stderr). Two things to be aware of: Unbound reads include files only when it starts or reloads, so a freshly downloaded file has no effect until the resolver is restarted, and curl without -f will happily save an HTTP error page as resolver.conf, which Unbound will then refuse to parse
- IMPORTANT! You must now copy the same command from above and run it in the Diagnostics > Command Prompt section. This downloads the latest file ready for the next step; the include file must exist before you save the resolver settings, because Unbound refuses to start when an included file is missing. If all goes well, you won't see any output
- Head to Services > DNS Resolver, select the Display Custom Options button, type the following into the Custom options box: include: /tmp/resolver.conf then press Save and apply the changes. If /tmp on your box is cleared at boot (for example with the RAM disk option enabled), the include will be missing when Unbound starts and the resolver will not come up; in that case keep the file somewhere that survives a reboot and adjust the path in both the cron command and the include line
To make sure everything has been set up properly, try visiting a website known for over the top advertising, such as SpeedTest.net
I’m using a fresh install of Google Chrome with pfSense configured as above, check out the results below!
If you are still seeing advertisements, try clearing your DNS cache (on the client and, via Diagnostics, on pfSense). If that doesn't work, make sure your clients are pointing at the pfSense router for DNS (and not at a public resolver or DNS over HTTPS, which bypass the block entirely), and make sure the DNS Resolver service is enabled.
The latest database features 31,731 known domains, sourced from various freely available lists including:
- EasyList.to – used by AdBlock
- EricZhang.me – used to block Spotify ads
- Any known domains are redirected to an IP address of 22.214.171.124 where a blank GIF image is served over HTTP only; the most I do there is anonymously log requests to help with debugging. HTTPS requests to a blocked domain simply fail, since the sinkhole cannot present a valid certificate for it, which the browser treats as a broken ad rather than a page error
- The remote config file is refreshed every 10 minutes
- A debug log of the last download session can be found at /tmp/resolver.log
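Both the install procedure above (cron download plus an Unbound include) and the feed described in this list come down to the same thing: a file of Unbound local-zone/local-data pairs that send blocked names to a sink address. The script below is an added example, not part of the original post and not the author's feed or tooling. It shows what a self-hosted equivalent looks like in POSIX sh: convert any hosts-format list (or bare domain list) into the redirect entries Unbound expects, validate a downloaded feed before installing it, and only then swap the file in and reload. The validator accepts nothing but local-zone ... redirect lines and local-data A records that point at your own sink, so a hijacked or error-page download cannot add forward-zone or other directives and cannot point some other domain at an attacker's address; at worst it can over-block. The sink address 192.0.2.1, the file paths and the default reload command are assumptions for illustration; pfSense manages Unbound itself, so set RELOAD_CMD to whatever restarts the resolver on your system.

```shell
#!/bin/sh
# Added example: build, validate and install an Unbound ad-block include file.
# Assumptions: sink IP, paths and RELOAD_CMD are placeholders; adjust to taste.

# Convert hosts-format lines ("0.0.0.0 ads.example # note") or bare domains on
# stdin into Unbound redirect entries pointing at the sink address in $1.
hosts_to_unbound() {
    awk -v sink="$1" '
        { sub(/#.*/, "") }                        # drop trailing comments
        NF == 0 { next }                          # blank or comment-only line
        { host = tolower((NF >= 2) ? $2 : $1) }   # "IP host" or bare "host"
        { sub(/\.$/, "", host) }                  # normalise trailing dot
        host ~ /^[0-9.]+$/ { next }               # bare address, nothing to block
        host == "localhost" || host == "localhost.localdomain" || host == "broadcasthost" || host == "ip6-localhost" { next }
        host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/ { next }
        seen[host]++ { next }                     # duplicates across merged lists
        {
            printf "local-zone: \"%s.\" redirect\n", host
            printf "local-data: \"%s. A %s\"\n", host, sink
        }'
}

# Refuse an include file unless every line is a comment, a local-zone redirect,
# or a local-data A record pointing at the expected sink ($1). Anything else
# (forward-zone, server:, an HTML error page, a record aimed elsewhere) fails.
check_unbound_blocklist() {
    awk -v sink="$1" '
        /^[ \t]*(#|$)/ { next }
        /^local-zone: "[a-z0-9.-]+\." redirect$/ { next }
        /^local-data: "[a-z0-9.-]+\. A [0-9.]+"$/ {
            ip = $0; sub(/.* A /, "", ip); sub(/"$/, "", ip)
            if (ip == sink) next
        }
        { printf "%s:%d: refusing line: %s\n", FILENAME, FNR, $0 > "/dev/stderr"; bad = 1; exit 1 }
        END { exit bad + 0 }' "$2"
}

# Download $1, validate it against sink $2, install it as $3 and reload.
# The previous file is kept untouched if anything goes wrong.
update_blocklist() {
    url="$1"; sink="$2"; dest="$3"
    tmp="$dest.new.$$"
    # -f turns HTTP errors into a failure instead of saving the error page as
    # config; -sS keeps curl quiet except for real errors.
    if ! curl -fsS --url "$url" -o "$tmp"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if ! check_unbound_blocklist "$sink" "$tmp"; then
        echo "feed rejected, keeping previous $dest" >&2; rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest"
    # Assumption: default reload command; override RELOAD_CMD for your setup.
    ${RELOAD_CMD:-unbound-control reload}
}

# Usage (the cron entry replaces the bare curl line from the guide):
#   sh blocklist.sh update http://www.nerdkey.co.uk/pfsense/resolver-ads.conf 192.0.2.1 /tmp/resolver.conf
#   sh blocklist.sh convert 192.0.2.1 < hosts.txt > /tmp/resolver.conf
case "${1:-}" in
    update)  update_blocklist "$2" "$3" "$4" ;;
    convert) hosts_to_unbound "$2" ;;
esac
```

Because the validator pins every A record to your own sink, a compromised or spoofed feed can only block names, not redirect them; if you want the feed to also carry NXDOMAIN-style zones or other record types, widen the two patterns in check_unbound_blocklist deliberately rather than dropping the check.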
At the moment this is just a personal project that I thought others may find useful, who knows though, depending on the popularity, there may be scope for blocking categories of websites, such as social media, adult sites etc
If you find any websites which aren't blocked, find websites which don't load correctly, or have any other questions, please email firstname.lastname@example.org
Finally, this is essentially a DNS level block and nothing more. It cannot remove ads served from the same domain as the content you want, and any device that resolves names elsewhere (a hard-coded public resolver or DNS over HTTPS) bypasses it unless you force LAN DNS through the firewall. Bear in mind, too, that the include file is arbitrary Unbound configuration fetched over plain HTTP, so you are trusting both the source and the network path; have a look at what is in it before you include it. Use it at your own risk, no warranty or guarantee implied.