Ask HN: What's the best setup for ad blocking and tracker blocking?

277 points by whitepoplar ↗ HN
I currently use uBlock Origin + Privacy Badger, but I've become frustrated with having to disable one or both of the above for too many sites--they just break functionality for a good chunk of the web. What's the best setup these days for ad-blocking + privacy/tracker-blocking that doesn't break the web? Thanks!

163 comments

[ 3.3 ms ] story [ 112 ms ] thread
I'm also curious about this. A couple years back, I switched from 'AdBlock Plus' to 'uBlock Origin' and the difference was night and day (it blocked SO many more ads).

I've been out of the game for awhile, so I'm wondering what beats uBlock nowadays... Any recommendations?

Hardly anyone. Still going strong. The first add-on I'd recommend.
uBlock Origin is still in the game!
What you noticed was not really a meaningful difference between the two extensions, but just a difference in the default ruleset subscriptions—which you can manage independently.
My setup is Firefox with the usual about:config modifications (search for it)

uMatrix

Ad Nauseum

Smart Referer

Decentralized Eyes

https everywhere

Cookie autodelete

VPN with ipv6 turned off since they don't reroute that

With uMatrix I also block all first party cookies and scripts by default and white list as needed.

This only breaks websites the first time you visit them. Only thing that becomes an issue is uMatrix but as you Whitelist the sites you need it just ends up not being a big deal.

Very similar to what I have. May I recommend using containers? It works wonders and gives me peace of mind.
z_open's setup is really good. Very similar to mine. A site that has helped me learn enormously about this is privacytools.io. I designed my config based on their suggestions. There are a tons of privacy conscious alternatives to everyday software.

Many of the configs you are going to see here can be reasoned through the suggestions at their site.

I've been using https://www.nextdns.io for the last month.

It's PiHole as a Service.

+1 for nextdns. I've been using them since they were first posted to HN, and have had zero issues and enjoyed the ease of use. The iPhone app gives me the capability to block specific services while nextdns is in use (Facebook, Google, etc) and to easily disable it for the few moments I actually need to access certain platforms.
Do you use anything else in conjunction with it? Or NextDNS alone is enough?

I ask because it seems simple enough that I can just install it really quickly on non-technical people's computers (when they ask me for help) without bothering to downloading a bunch of extensions on different browsers, updating stuff, etc, etc...

Nextdns is enough, but uBlockOrigin or uMatrix would be more effective for the web, along with DecentralEyes, CanvasBlocker, WebRTC Blocker, SmartReferrer, and other such extensions.

Also, aggressive blocking can cause some websites and apps to break. dns.adguard.com (DoT) and https://dns.adguard.com/dns-query (DoH) whilst not aggressive don't break as many websites and apps, and would remain free to use. Nextdns would cost you $1 a month if you need more than 500k queries once they're out of the beta stage.

Wow, what a creative use of IPv6 to allow a custom configuration without the use of DNS-over-HTTPS.
DNS over HTTPS, DNS over TLS, and DNSCrypt are all abt preventing DNS manipulation attacks and encrypting the DNS traffic to the resolver (if not till the nameserver). Plain old DNS over UDP/53, IPv6 or not, can't be a substitute for that, afaik.
Wow! This looks awesome, promising.

Just, wishing I saw this before I settled on Pi-Hole.

Looking at their site, it seems complicated to set up.

What is the difference between IPv4, unbound, stubby, knot, and cloudfared - do you set one, or all of them? Do I want DNS over HTTPS, DNS over TLS, or both? Is it compatible with a VPN?

For the trouble, it looks like it wouldn't be any harder to just set up your own Pi-Hole. Am I wrong?

I understand where you come from, but I'd say they've made a good job of simplfying as much as they could at this early stage.

Use DNS over HTTPS for:

1. Firefox.

2. Intra app on Android phones below version 9.

3. Clouflared on Linux.

4. Their official iOS app.

Use DNS over TLS for:

1. Android 9 and above.

2. Knot or Stubby or unbound clients on Linux.

IPv6 and IPv4 are for DHCP provided DNS:

1. With IPv4, you'd need to link your client-ip (public IP of your router) with your nextdns setup.

2. IPv6 doesn't require any such linked-ip acrobatics.

Re: VPN:

If you use DNS over HTTPS on Android or iOS, you won't be able to use a VPN, and that's because the DNS traffic is itself routed through a VPN and one can't chain VPNs on Android just yet. Other than that, VPN should work with rest of the setup mechanisms.

The only problem I've encountered with nextdns is they went down effectively taking out internet and no one at home knowing how to mitigate it.

Otherwise, a good value prop, provided you turn off their logging feature that captures client-ip among other metadata.

Also, keep in mind that you could run Pi-Hole on a VPS and split-VPN only DNS traffic through it: https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/ DO charges $5 for 1TB traffic and a decent amt of compute, which ought to be enough for 500 or more (?) devices worth of DNS traffic.

Been testing Nextdns for several months now and it works almost great except a few thing:

- EDNS is not working (the setting does nothing), I have tested it with Akamai CDN and they don't report any EDNS

- The upstream DNS server used by Nextdns is not always the nearest to you, meaning some CDN will redirect you to some content cache server on another country.

These two problems combined make downloading some content noticeably slower for me.

And the weird part, I reached them via support and started troubleshooting with them and for no understandable reason they dropped the conversation and they do not respond to me now (??). I know it's beta with no warranty but still it doesn't look good.

I'm back to pi-hole for my home network but I'm still using them on my iPhone although I'm looking to setup my own doh server + pi-hole and using the Adguard iOS doh client.

I'm curious, what websites are breaking for you? I use the same (+ Facebook Container) and I rarely notice breakage. PrivacyBadger is the only one that's broken something for me before (image links from a CDN), I can't recall uBlock Origin ever breaking a site for me unless the site has an anti-adblocker.

If you're talking about the "please disable your adblocker to continue" messages, you can consider something like Anti Adblock Killer [1] which can help bypass those kinds of blocks.

As far as the best setup I think what you have is fairly close to "the best" already without getting more hands-on. You can check out Pi-hole which I've heard is superior, but harder to setup [2].

[1] https://github.com/reek/anti-adblock-killer

[2] https://pi-hole.net/

Same setup here, zero problems encountered. Maybe there's a custom blocklist that gives problems?
Off the top of my head, disabling uBlock has been the only way to unblock on-and-off trouble with some ATT-owned websites (ATT's own website, ATTWatchTV.com, etc) and owner.ford.com (original, the beta works fine).

My experience has been generally good, but weird stuff (especially authenticating/login) just won't work sometimes with uBlock and Privacy Badger running.

I also use the HTTPS everywhere Chrome extension, so perhaps that is an added factor that breaks things.

Check out the no script Firefox add on. If u go to a website that pops up a big screen saying disable ad block u can right click the screen blocking and remove it and bam website works perfect
I have "pi-holed" my openbsd router using both ip blocklists for the firewall and dns blocklists for unbound that refresh automatically every night.

All my clients run firefox with ublock origin and https everywhere. I ran no script for a while but it is quite painfull to manually allow scripts on a lot of pages so I think I have found a nice balance. I have also turned off wasm support in firefox.

If a site doesn't work with the above or shoves large nasty inline popups with "we value your privacy" etc and do not show a clear reject button I leave.

edit: I also pay subscription to most of the websites I use often that support payment and if they don't I email them and tell that I don't want ads and that I'd like to pay for it. Usually one can come to an arrangement.

PiHole has been working well for our home as well.
Are there non-obvious sites that will accept a pay subscription, or are you reaching custom arrangements?
One site actually had a paid subscription without ads that was not advertised much, they emailed the link to me and I subscribed ($10 a year).

A couple others I have been given donation links where I can set up what payment I think it's worth as a one off or recurring. Sometimes they have a patron without me finding it.

I ad-block all of them anyway so even if they don't "turn off" the ads I am not seeing them.

I have the exact same setup with OpenBSD (pcengines router) and Firefox + plug-ins but the inconvenience of using NoScript outweighs the JavaScript garbage that gets through without it.
Would you be willing to share your auto-updating method? I created my own but I'm curious to see other methods.
I just picked the first guide google gave me [1] I'm too lazy. :)

I did read through it though to make sure it didn't do anything bad, however there is a risk that whatever list you download might be malicious some day.

https://www.geoghegan.ca/unbound-adblock.html

As someone not very knowledgeable with the issues associated with web assembly, may i ask why have you disabled it?
I don't trust it yet. That's all.

I want to see how it behaves in the wild before I run it myself.

The following doesn't break my everyday browsing:

uBlock Origin, Decentraleyes, httpseverywhere, DNS over HTTPS (currently Cloudflare, but plan to use my own resolver soon)

pi-hole over ZeroTier so I can get it wherever I am and latest Firefox with the most secure custom privacy setup. Nothing seems to break but I don't use things like Facebook and Twitter so wouldn't know about them (seems pointless to try to stay private if you're on them anyway.)
PiHole + Little Snitch + JSBlocker on macOS Mojave

JSBlocker is cranked up to to the max - no inline JS, or frames or videos, etc. Then as I go about info surfing I progressively enable services that are vetted like some content delivery services, common JS frameworks, etc.

Makes the web actually tolerable.

so, this isn't for everyone, but I like the uBlock Origin + uMatrix combo.

This will break a lot at first, but uMatrix allows you to build a whitelist easily, and slowly over time website won't be broken half as much, and it'll be exceptionally rare for you to have to disable the whole extension whenever you want things to get working again.

The basic functionality of uMatrix is actually built into uBlock Origin. That's the setup I use. I have all 3rd party scripts and frames blocked by default and allow them on a per-site basis as required. After a while you get a sense for which domains need to be let through for a site to work
I have a multi-tiered adblocking environment at home and abroad.

At home, I have AdGuardHome installed in a VM acting as my home network's DNS. It's pretty effective and is an alternative to PiHole. This is a first-tier filter I have while at home for all my devices. https://github.com/AdguardTeam/AdGuardHome/

On the web browser, I have the AdGuard Firefox extension. https://adguard.com/en/adguard-browser-extension/firefox/ove...

For my mobile phone, it's a little obtuse but relatively straightforward. I have a non-rooted Android phone. I've installed AdGuard for Android there as well. The way it works is it runs a local VPN on my phone, so all device traffic goes through a localhost proxy, which filters the DNS and unencrypted TCP traffic. For HTTPS filtering, it installs a local TLS CA to perform re-signing of websites (you can configure it to ignore EV certificates, as I have, which are more common with online banks and more secure sites). It works pretty well with exception to apps that have built-in ad platforms like Instagram. It blocks 100% of ads in apps like Wunderground, Reddit, and Firefox. https://adguard.com/en/adguard-android/overview.html. There's also an iOS version of the app on their website.

I have a Google Play Music subscription which comes with YouTube Premium. However, more and more YouTubers are diversifying their revenue, and have gone to completely sponsored videos with embedded ads. For sponsored clips in YouTube, SponsorBlock extension: https://github.com/ajayyy/SponsorBlock

Decentraleyes [sic] is another extension that I use primarily on my phone, but also at work. It allows the web browser to use local versions of CSS/JS frameworks and fonts that would otherwise have to load from CDNs that track your requests. Things like jQuery, Bootstrap, AngularJS, FontAwesome, etc. are all loaded from local copies through this extension. This benefits the user by saving bandwidth and page load time as well as stopping unwanted tracking from the remote party. https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...

Don't Fuck With Paste. This extension prevents websites from disabling pasting in form fields. Extremely useful when you are using a password manager to enter form data or just copying and pasting from another location. Websites that break paste are just as bad as websites that serve ads in my book. https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi... (it's also available for Chrome).

If you know someone or you yourself actually still use Facebook, I also highly recommend Social Fixer. Not only does it block Facebook ads and other page elements, but it lets you keep track of other events like who unfriends you. It has a lot of options and I've been using it for years. https://socialfixer.com/

Worth checking out are NoScript extension, PiHole, and UBlock Origin. I don't use these but I've heard good things about them and everyone seems to recommend them.

I'm using that exact setup and I can't remember when it broke anything. Now uMatrix breaks everything, but that may be for the best. If the modern web is working, you're the product.
The best setup is cli browser links or lynx.

Next best is Firefox with uBlock Origin, uMatrix, Privacy Badger, Cookie Autodelete, Decentreleyes, and a bunch of about:config alterations. Some sites will break. If a site breaks I either forget about it or open it in incognito.

> The best setup is cli browser links or lynx

Agreed. lynx(1) is my primary browser, after configuring its "externals" and some patching of it (then re-compiling) to rewrite URLs (mostly the Google crap).

My secondary is emacs-w3m with heavy URL re-writes.

Although this isn't exactly blocking, I tend to use Reader View a lot these days. I installed an extension that allows to force using it for any page, and I wish that FF made it default.
What's that extension, if you don't mind sharing?
step one is definitely to get off chrome

cli or FFX + ublock origin, ABP, FB container

For mobile I use https://blockerdns.com/ (full disclaimer: that's my creation). It's ad blocking through DNS-over-TLS on Android 9 and above.

For home I just run my own bind DNS servers internally. And then for friends and family I have them set their routers to a couple bind DNS servers (same config as my internal ones) in the cloud.

For all of the above I use the same block list. It currently has about 25k entries, and is built with some data from a few of the well known public lists. But I augment that with domains I find by regularly auditing specific websites that are particularly aggressive with ads and specifically trackers.

But with that said, since I've got friends, family and paying users working from that list, I do actively try to prevent the breaking of popular sites and services. For example, personally I'd outright block anything related to Facebook since I quit them years ago, but too many people still use it, so for my list I try to keep a good balance by blocking their pixel and stuff like that, while allowing the resources absolutely necessary for the site.

> full disclaimer: that's my creation

Small observation: when you disclose something, it's a disclosure.

Ah damn, I botched that one. No more commenting while walking the dog.
Don't beat yourself up. It seems lime disclosure and disclaimer are almost consistently used in reverse on HN. It's the strangest thing!
> ad blocking through DNS-over-TLS on Android 9 and above.

FYI, dns.adguard.com does more or less the same thing, and is free.

Credible effort. You should add a section abt latencies, too.

There are free alternatives. So, you might need to provide extra value-add for the $1 (I understand no-logs is a value-add).

If I may ask, how does the tech stack look like? And what's the software run for DoT and DoH

I honestly get relatively little site breakage; so I'm just fine with that. But if you're having issues I would suggest reek anti-adblock killer.
I use that setup + a hosts block file, and i recently started using a pi-hole. I also use stylus to block a few custom elements and change themes for a few sites. I mostly visit news sites and some random sites.

The only issues i have had have been on pinterest. What sites do you have issues on?

In regards to using stylus to block a fwe custom elements, you can also use uBO's cosmetic filters[1] instead. Converting stylus' styles to uBO filters is easy enough if all you are using them for is hiding a few elements. I guess this has very limited use to you though if you also use stylus' themes, as it won't let you remove an extension.

https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...

Well thank you good to know, ill have to start experimenting to see how well it meets my needs. I mostly use stylus to to dark theme sites , remove side bars footers and headers, then expand the main article column to be 80 - 100% of the page. I really enjoy just reading an article with no distractions. (reddit is a pain)
If you want, I can help you with that some. I know more than I probably should about how uBO filters work.
Currently using Brave Browser, AdBlock Plus and Privacy Badger. For my daily usage, I only have a few sites I need to whitelist.
What does ABP and PB add to Brave? I have used Brave for several months and found it to be excellent from a speed perspective. I sort of always assumed that if it's able to go that much faster than Chrome, it must be blocking most of the nasty trackers. But perhaps I still need to add in some reinforcements?
I think ABP on top of Brave is overkill. I always used uBlock Origin on Chrome and that worked better for me than ABP. Now that I've switched to Brave, I don't have anything additional installed, and I feel like it's blocking almost all of the ads and definitely all of the tracking (in fact, Brave's anti-tracking is sometimes a bit too aggressive and blocks normal function of sites, so I have to disable it on occasion).
I'll give it a shot, I switched from Chrome so I was paranoid
(comment deleted)