Stopping Ads - Best Way

mcury

@oznet I'm using the method specified here:

NAT Outbound:

https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

To block DOH, I'm using: doh-domains_overall.txt DNSBL and doh-ipv4.txt for IP:
https://github.com/dibdot/DoH-IP-blocklists

And to block ADs + porn, I'm using this:
https://github.com/StevenBlack/hosts

keyser

@oznet Generally pfBlockerNG is a very good solution, but if you are happy with the adguard DNS servers, then you could use those for all DNS resolution. The value you have edited until now is only for the pfSense Firewall itself.
By default this firewall also runs a full DNS recursive lookup DNS server for all clients on the internal networks (The DNS service is provided by default to clients via the builtin DHCP service).

To prevent that DNS server from doing recursive root lookup and instead use the adguard servers as the lookup source, you should goto the SERVICES Tab and under DNS RESOLVER make sure you enable DNS Forwarding. It will then start using the DNS servers you have provided the pfSense Firewall with as the source of truth :-)

JonathanLee

@mcury why is your nat only using the loop back? Why not use both the firewall and the loopback? Do a negated rule anything but the alias that has the loopback and firewall redirect to the firewall.

mcury

@JonathanLee That will redirect any connections that is not for WIFI address port 53, to 127.0.0.1:53, forcing the use of pfsense's DNS server (unbound).

pfsense itself is using 127.0.0.1 too.

JonathanLee

@mcury This is how I am doing mine as it would never work for me with only the loopback

Screenshot 2023-09-20 at 7.15.59 AM.png
(Netgated rule)

Screenshot 2023-09-20 at 7.16.04 AM.png
(alias)

This was the only way it would work for me I also attempted the loopback only version

mcury

@JonathanLee said in Stopping Ads - Best Way:

This was the only way it would work for me I also attempted the loopback only version

hmm, I wonder if your Unbound is listening in the loopback ?
For this to work, Unbound needs to be listening in the loopback too.

JonathanLee

@mcury

Screenshot 2023-09-20 at 7.24.39 AM.png

Loopback used DNS over TLS SSL

Screenshot 2023-09-20 at 7.25.03 AM.png
Custom options because of ipv4 only isp restrictions

WPAD in use for proxy with DHCP options 252 and 42 enabled

Screenshot 2023-09-20 at 7.26.58 AM.png

Interesting I could only get this to work with use of both loopback and firewalls address

oznet

@mcury If I use this setting wont it ignore the adguard dns servers as I would think these would be considered remote dns?

mcury

@JonathanLee said in Stopping Ads - Best Way:

Interesting I could only get this to work with use of both loopback and firewalls address

hm, indeed, I can't see at this moment a reason why it wouldn't work..

The idea behind that NAT is simple, force everything that refuses to use pfsense's DNS server to use it.
Unbound forward mode is disabled, which means, use pfsense's DNS server for everything and if not in cache or in domain/host override, query root servers directly.
Also, ignore ISP's DNS servers provided by DHCP on WAN.

Resuming, everything will be filtered by pfblockerNG DNSBL.

I can see that its working..

In the picture above, left side, all hosts that shows up with a destination port 53, I know that were trying to use another DNS server, QUIC will show up using UDP 80/443 and DOT (TCP-853).

The right side, I'm just filtering for connections to 10.10.10.1

JonathanLee

@oznet my firewall's address is the 192.168.1.1 so if you set it to allow the firewall itself it should still work as when the address hits the firewall it would still convert to the loopback for the resolve anyway.

Screenshot 2023-09-20 at 7.33.45 AM.png

I use the 853 tls dns sites, sometimes I get hit with scans that use decoy addresses of my dns servers that causes issues once and a while snort blocks it.

JonathanLee

@mcury I notice you allow QUIC. Palo Alto just created software to decode it recently. I am wondering how you are using that?

oznet

@keyser What is this setting called, I dont see that?

JonathanLee

@oznet I see it in your graph, it's HTTPS 3 or HTTPS over UDP

mcury

@JonathanLee said in Stopping Ads - Best Way:

@mcury I notice you allow QUIC. Palo Alto just created software to decode it recently. I am wondering how you are using that?

I'm blocking QUIC entirely with a reject rule, this means that the browser will receive a 'no-go' as soon as it tries to use QUIC, thus reverting the connection to normal TCP.

If you use drop, it will slow down everything.

You want the browser to know that QUIC won't work as soon as possible so it can use the TCP protocol without any delays.

JonathanLee

@mcury They have some youtube videos out there with how to decode QUIC it is amazing stuff.

mcury

@JonathanLee said in Stopping Ads - Best Way:

@mcury They have some youtube videos out there with how to decode QUIC it is amazing stuff.

I'll take a look at it, definitely will..
I have been treating QUIC as an insect, a bug that needs to be smashed..
Just like DOH or DOT.

These techniques (DOH and DOT), in my opinion, were developed not for privacy, but to avoid ADs blocking. To increase their revenue, but this is just my opinion.

QUIC is another thing, it is faster.. But how can you control it?

JonathanLee

@mcury I agree one can say they were created to avoid CCPA and GDPR laws. They do not follow official protocol compliance.

keyser

@oznet DNS Query Forwarding: Enable Forwarding mode