Adblock on OpenWrt and IPv6

/ 2020-03-23 20:56

Blocking the bad

Ads are the bane of the internet. There was a time when the internet was non-commercial, there were no ads, and the public taxes paid for the internet. But that was also a time when you couldn’t order the latest gadget from your favourite online service. So perhaps we are better off with today’s internet, but the ads do tend to be overwhelming at times.

But what if you could block ads on the entire (home) network? We’ll look at two DNS-based solutions, Pi-Hole and adblock on OpenWrt.

DNS Basics

Before diving into the solutions, it is good to have a view of how DNS (Domain Name Service) works. Getting on the Internet requires two basic elements:

  • An IP Address (either IPv4 or IPv6 or both)
  • A way to convert domain names to IP addresses, or a DNS server

Recursive DNS is the process by which your local DNS server, if it doesn’t know the answer, asks an upstream DNS server on your behalf. If the upstream DNS server doesn’t have the answer, it will query its upstream DNS server and so on, until:

  • An answer is found, and is returned (DNS server by DNS server) back to the original requester (your computer)
  • Or no answer is found, and that is returned.
  • Or no one answers, and the query just times out (this doesn’t happen very often)

Take the example of your device looking up the address for www.google.com. The request will go to the first-hop DNS server, which won’t know the answer but will then ask the upstream router for google.com, which in turn would ask the root server for .com, which has the answer for google.com, and finally down to Google’s DNS server, which knows the IP addresses for www.google.com. The answer is then passed back down the chain (moving right to left in the diagram below) to your device. All of that in less than a second, often less than 200ms.

Recursive DNS

DNS is a distributed system, designed to not have a single point of failure. Except for your local DNS server (usually your home router), there are always multiple DNS servers for each Domain (e.g. makikiweb.com has ns1.omnis.com, ns2.omnis.com, ns3.omnis.com as DNS servers).

Blocking Ads using DNS

Pi-Hole and adblock on OpenWrt both use DNS to block ads by becoming your first-hop DNS server, and returning “IP address not found” when queried for the address of an ad server.

Pi Hole

Almost as long as there have been internet ads, there have been methods to block them. A popular application that can be run on your Raspberry Pi is Pi-Hole, which uses DNS (Domain Name Service) to block the domains which advertisers use.

By becoming your network’s DNS server, Pi-Hole can control which DNS responses have real IP addresses, and which (blocked) ones don’t.

Although Pi-Hole claims to support IPv6, that support is a bit challenging, in that IPv6 works differently than IPv4. The Pi-Hole authors have made the classic mistake of assuming that IPv6 is just IPv4 with a bigger address.

IPv6: getting an address and The Problem

Pi-Hole, to its credit, offers a DHCPv6 server to complement the IPv4 DHCP server already included. However, it ignores that many devices, such as Android devices, do not support DHCPv6.

A second method of getting a Global IPv6 address is via SLAAC or StateLess Address Auto Config. This method requires no server. You can think of it as, pick-a-random-address-and-check-that-no-one-else-is-using-it method. Android and ChromeOS devices only use SLAAC.

The Problem then becomes: how can Pi-Hole support SLAAC?

Pi-Hole in Action

As stated earlier, Pi-Hole must become your DNS server for your network(s). In order to do this, you can configure your router to point to your Pi-Hole as the DNS server in the DHCP server configuration. Depending on your router, this may be difficult to do, which is why Pi-Hole offers a second solution: just turn off the DHCP server on your router, and let Pi-Hole do DHCP and DNS.

Pi Hole in action

Letting the Pi-Hole provide DHCPv4 and DHCPv6 as well as DNS services works well if you don’t have any SLAAC-only devices in your network.

SLAAC is a standard too

The SLAAC standard actually pre-dates DHCPv6. It was the only method of getting an address automatically in the early days of IPv6. DHCPv6 was added later, because of the many options that DHCP can convey, such as NTP (Network Time Protocol), RADIUS (authentication), and DNS (Domain Name Service).

Although SLAAC doesn’t have all the options of DHCPv6, the Router Advertisement (RA) can also contain DNS servers (RDNSS in RFC 8106), providing the basics of accessing the Internet, a Global Address, and a DNS server(s).
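To confirm which DNS server SLAAC-only clients will learn, the RDNSS option in a Router Advertisement can be decoded and compared with the resolver that does the blocking. The following is an added example, not part of the original article; the RA bytes are constructed (checksum left at zero), and 2001:db8::1 is a sample address standing in for the router.

```python
import ipaddress
import struct

def build_ra(rdnss, lifetime=1800, managed=False):
    """Build an ICMPv6 Router Advertisement (constructed sample, not a capture)."""
    flags = 0x80 if managed else 0x00        # M flag: addresses come from DHCPv6
    # type=134, code, checksum, hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # Option 25 (RDNSS, RFC 8106): length is in 8-octet units, 1 + 2 per address
        ra += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, lifetime) + addrs
    return ra

def parse_rdnss(ra):
    """Return a list of (lifetime, [addresses]) for each RDNSS option in an RA."""
    if len(ra) < 16 or ra[0] != 134:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                      # options start after the 16-byte header
    while off + 2 <= len(ra):
        opt_type, units = ra[off], ra[off + 1]
        size = units * 8
        if units == 0 or off + size > len(ra):
            raise ValueError("malformed option length")
        if opt_type == 25 and units >= 3 and units % 2 == 1:
            lifetime = struct.unpack("!I", ra[off + 4:off + 8])[0]
            addrs = [ipaddress.IPv6Address(ra[i:i + 16])
                     for i in range(off + 8, off + size, 16)]
            found.append((lifetime, addrs))
        off += size
    return found

def slaac_clients_use(ra, resolver):
    """True only if every live RDNSS address in the RA is the filtering resolver."""
    want = ipaddress.IPv6Address(resolver)
    live = [a for lifetime, addrs in parse_rdnss(ra) if lifetime > 0 for a in addrs]
    return bool(live) and all(a == want for a in live)

if __name__ == "__main__":
    sample = build_ra(["2001:db8::1", "2001:db8::53"])
    print(parse_rdnss(sample), slaac_clients_use(sample, "2001:db8::1"))
```

An RA that also lists a second resolver fails the check, since clients may send queries to either server and some would bypass the block list.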

Another Solution: adblock on OpenWrt Router

The key problem with Pi-Hole is that it splits the path between DNS requests and datapath to the internet. By running adblock on your router, all packets are headed for the same place (the router), and it is easy to handle blocking ads.

Now whether your network uses DHCPv6 or SLAAC, all packets flow to the router, where adblock can block the ads, by responding to DNS queries that advertiser domains have no IP address.

Advantages

The key advantages of using adblock over Pi-Hole are:

  • Works with SLAAC-only IPv6 clients
  • Full IPv6 support for upstream DNS queries
  • Can run duplicate removal to reduce block list overlap
  • Don’t need to dedicate a Pi as DNS server
  • Set up block lists, and forget it is there

Disadvantages

But since adblock lives on your router, it is more constrained. Memory and storage are measured in MegaBytes, not GigaBytes as they are on the Raspberry Pi.

  • Can run you into a low memory situation, and therefore can’t install additional packages
  • Block list descriptions are ill-defined (not sure what is getting blocked)
  • Not “easy” to find an offending ad-source and block it
  • No fancy Pie Charts

I find the Block Lists on both Pi-Hole and adblock to be blunt tools, which don’t have good definition. For example, if I am on a website, and I am seeing an Ad, which block list do I add to prevent that ad? To be honest, both systems have problems with this situation.

Installing adblock on OpenWrt

Installing adblock on OpenWrt is easy. Use the web interface System->Software, or ssh to the router and use the CLI package manager opkg:

opkg install adblock luci-app-adblock libustream-openssl

The last item libustream-openssl is required to download the block lists over TLS (or https).

Using the web GUI, navigate to the new menu Services->Adblock and tick the checkbox “enable Adblock”, and click the blue “Save & Apply” button at the bottom, and you are done!

By default adblock has a few lists already checked yielding a block list of about 3400 domains, which although small, does a remarkable job.

Add block lists, but keep an eye on router free memory

You can always return to the Services->Adblock page and add additional block lists. I have run as many as 100,000 blocked domains on a used $20 router I got off of UsedVic with only 64 MB of RAM, and it performs pretty well. However, as you add block lists, keep an eye on the available memory on the router. After loading 100K blocked domains, the free memory on the router shrank from 32MB free to 14MB free.

Block Lists Choices

Future-proofing the Future

By using adblock on an OpenWrt router:

  • You can get updates for your router, making your network more secure
  • You are IPv6-ready, IPv6 is where the internet will grow going forward
  • It is easy to install without requiring a lot of knowledge of how IPv6 works, and it makes your network simpler

OpenWrt routers don’t have to cost an arm and a leg. And, not only do you get free software updates, but you can add other services like adblock.

So go out and enjoy the Internet again, now with fewer annoying ads.

Tech Notes
  • adblock responds with “no such name” DNS Flags
    • tcpdump shows 0/0/0 in response
  • Pi-Hole responds with loopback address (127.0.0.1)
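
The two blocking behaviours noted above can be told apart from the raw DNS response. This added example (not from the original article or from either project) classifies constructed response messages and reports the answer/authority/additional counts in the form tcpdump prints them; the domain names and addresses are sample values.

```python
import ipaddress
import struct

def build_response(name, rcode, a_records=()):
    """Build a minimal DNS response (constructed sample data, not a capture)."""
    flags = 0x8180 | rcode                   # QR=1, RD=1, RA=1 plus the response code
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    for ip in a_records:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4)
        msg += ipaddress.IPv4Address(ip).packed
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: two bytes, always ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def record_counts(msg):
    """Answer/authority/additional counts, as tcpdump shows them (e.g. 0/0/0)."""
    return "%d/%d/%d" % struct.unpack("!HHH", msg[6:12])

def classify(msg):
    """Return 'nxdomain', 'sinkhole' (loopback answers only), 'resolved' or 'empty'."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F == 3:                  # RCODE 3 = "no such name"
        return "nxdomain"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):                 # A or AAAA record data is a raw address
            addrs.append(ipaddress.ip_address(msg[off:off + rdlen]))
        off += rdlen
    if not addrs:
        return "empty"
    return "sinkhole" if all(a.is_loopback for a in addrs) else "resolved"
```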

Adblock logo Creative commons

11 November 2019
updated 8 February 2020