That said... I like that Optimal have made this too, because neither of the above can work for all devices in a household and more things in the house are tracking you and serving adverts (TV!).
The real questions I have are:
Who sources the list of domain names in there that they will null route?
How will this work with DNSSEC-protected sources, or do they anticipate this at all?
How will they become aware of new domains being used by smart devices that are not shared by web sites (and therefore no-one notices and adds it to any blacklist)?
Hi, I'm the CEO of Optimal, Rob. We use open source lists of adservers but have had to evolve from those lists since some of them are invalid or overly aggressive. We do not and will never make decisions about what to block based on being paid by any of these companies. We are building a consumer filtering system, and we are responsible to consumers. If you try it out and find any sites that don't work as intended please email us or contact support.
We will not - we intend to keep this service free. We hope that some portion of people sign up for our publisher tips, to reward journalists for great content. We take a percentage of that, but just as I have publicly said most publishers should NOT block ad blocking users but it's up to them, we hope to provide an optional mechanism for people to pay. Longer term we think a lot of advertising is transformed by software. I wrote about this here - https://medium.com/@robleathern/artificial-intelligence-will...
Pretty cool; it would probably be good if you mention the non-logging in your ToS or somewhere in an official statement, or by using a warrant canary clause somewhere ...
@optimalrob Great work in simplifying ad blocking for all devices. Question, is Optimal working on an option to block adult content as well? OpenDNS Family Shield does an excellent job of this currently for home and school networks. We use it and dnsmasq to block all of the major ad networks. Good luck!
Open to it - I am very concerned about explicit ads being targeted to kids, but also sites that are not safe for kids. I think we would more likely look to partner with someone who is expert on the family side and they could utilize our ads expertise.
If you want StevenBlack's hosts list to be network-wide I integrated it with an open source, self-hosted DNS server called https://pi-hole.net/ last week which adds a slick admin interface and browser extensions too, then I put it all in a Vagrantfile and set my router to use the VM as a DNS server.
I use pi-hole at home and it's a great little tool for my home network and I think makes a noticeable difference on web browsing speeds.
My only wish is that it would serve a page notifying me "this is possibly an ad, but would you like to continue?" versus just flat out blocking. I know there's a whitelisting functionality but it'd be cool if I could handle this directly in my actions in the browser.
I know cycles are cheap but that doesn't mean we should be spaffing them up the wall when we can do things cheaper. This avoids double-processing the downloaded content.
How is the performance of DNS lookup when using dnsmasq? Is it faster than putting them in /etc/hosts? I tried putting the blocked domains in the /etc/hosts file, but the performance is terrible. It significantly increased DNS lookup time on my i5 laptop (that was before I upgraded my laptop with an SSD though), so I ended up configuring my own ad blocking DNS server on a cheap Scaleway VPS instead and never have any issue with long DNS lookups anymore.
Network-wide is the way to go. Hosts files can be tricky to set up on phones and tablets.
I run dnsmasq on a pi as my ISP router is pretty limited. You can't even change the DNS servers, so the pi has to do DHCP too.
I use it to block other things like fixed banner overlays. With caching you can get it to work when you go off WiFi too [0].
Not sure I'd use Google's DNS servers though. Your ISP's are probably better for both speed and privacy. You can test the speed with an old Google project called namebench [1].
> Not sure I'd use Google's DNS servers though. Your ISP's are probably better for both speed and privacy. You can test the speed with an old Google project called namebench [1].
Unfortunately my ISP's (Sky, UK) DNS servers aren't particularly reliable. My devices are behind the DD-WRT router that forces its own DNS settings (other servers are intercepted), but the rest of the family connects directly to the ISP router [1]. Multiple times I've been browsing the Internet without issue, but other people have been unable to use the Internet. Changing their device to use Google's DNS server resolved the issue.
[1] Been meaning to merge the two for a while, but haven't got around to it yet.
> neither of the above can work for all devices in a household and more things in the house are tracking you and serving adverts
Isn't the best approach to just buy only devices that are either known to not have adware onboard (e.g. "dumb" TVs), or that can be re-flashed with software you can relatively trust?
That only applies to the core OS and its capabilities. The apps can contain all the nonsense they want, because the OS can deny access or feed sanitized data if the app is badly written or insists on a business model where the user pays with their privacy.
In the US, at least where I've lived, most consumer ISPs will hijack nxdomain to their own search engine, which allows them to display ads and sign deals with search engines and make some cash on the side.
DNS service. If you utilize our DNS-based service, we may receive information about your IP address and URLs requested by that address. DNS requests utilize the UDP protocol which means we do not typically get information on the full URL you are attempting to visit (We receive far less information than a company providing a VPN service to you, for example, and that is one of the reasons we prefer this approach as it gives us far less information about user browsing). We do, however, have an IP address associated with each request and so could produce a list of sites visited by each IP address using our DNS servers. We do not know who you are when you use our DNS service, however. IP addresses may also be shared between users, and are not universally regarded as personally identifiable. We only use the IP addresses as follows: (a) the count of unique IPs we use as a benchmark for the adoption of our DNS service, and (b) we may check IP addresses against a free database of countries or cities provided by MaxMind and hosted on our servers, to limit the ability for users outside of certain areas to use our DNS service. We will not use the IP addresses we gather for any other purpose, and we will not correlate or combine them with any other personal information provided by you or other DNS service users, and we will never sell or share any of this information with any outside companies in any way. We may use aggregate request counts to help compensate publishers based on overall site traffic, across all users of our DNS service.
- We may share personal information with your consent. For example, you may let us share personal information with others for their own marketing uses. Those uses will be subject to their privacy policies.
- We may share personal information when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- We may share personal information for legal, protection, and safety purposes.
- We may share information to comply with laws.
- We may share information to respond to lawful requests and legal processes.
- We may share information to protect the rights and property of Optimal.com Corp., our agents, customers, and others. This includes enforcing our agreements, policies, and terms of use.
- We may share information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any person.
- We may share information with those who need it to do work for us.
- We may also share aggregated non-personal data with others for their own uses.
Essentially, there are so many reasons for us to share your personal information that we can't help it.
Instead of letting the browser grab the DNS abstractly all the way down through the OS, use your ISP's standard DNS for the exact address in the address bar and/or a white list, and their DNS for implicit requests. Still leaks a picture of you, but a far muddier one.
Now that's a blast from the past. Back in 1996 I joined a company in Mountain View called Optimal Networks, Inc. which had the domain name optimal.com. We sold the company to Compuware and the domain lived on for a while.
If you search jgc@optimal.com you'll find ancient messages from me still lurking on the web. I wonder if that email still receives spam?
This looks really cool, especially for the bajillion mobile-only people connecting straight through their telco without any ublock/ghostery/hosts/etc blocking.
I am using a local DNS server that does this called Pihole [1] supplemented with additional blocklists [2] for malware and privacy.
One thing I don't see is any statistics ... you might be surprised at how much software in your home is endlessly communicating with companies you might not even have heard of, and that's been a great benefit of taking control of my DNS resolution [3].
Pihole is awesome! We love what they are doing and if you can't get there on trusting us but want a pure, local network blocking solution I highly recommend this project! On my medium.com/@robleathern page I talk about my experience setting one up.
It would be useful if their website described what exactly it installs. A recursive DNS server with a web UI and big list of null-routed domains? That's my guess.
How does that help mobile users outside their home network without also setting up a VPN back in?
All it really requires is opening up port 53 to the internet but I don't know enough about securing a DNS server to take that step yet. I'm intending to continue working on my little offshoot and hopefully it will get to the point you could safely host it on digitalocean/aws/etc.
We'll be adding more info when we prep things for a wider consumer release. We are working to learn as much as we can and are looking forward to everyone's feedback!
- browser extensions so I can see what's blocked, unblock stuff, pause blocking etc, maybe an app on my phone could provide the same functionality
Mostly this is about extending your umbrella to cover privacy/malware, I don't really differentiate anymore between the different flavors of crap websites embed to make the internet more annoying and less safe.
It turns out to be a pretty bad experience. There are tons and tons of legit domains that serve normal content that also serve ads. I used a subset of urls from a popular ad blocking list (https://github.com/geuis/lead-dns/blob/master/lists/easypriv...).
After only a few hours, using the web normally was near impossible. Just a very broken experience. Sadly, since you can't pass a path to a DNS server, there's no finer-grained way to allow certain requests to a domain to go through and block others.
I've been using DNS to filter out the worst offenders. I don't mind most ads, so my list of domains is quite small. But, I've found it to be an effective tool.
I agree, however, that anytime a site is broken I'm left wondering if I'm responsible because I've inadvertently blocked a CDN or something important.
I put this hosts file on every device/router that I touch.
It works fully locally, so it's infinitely (and this is not even hyperbole) faster, and you won't have to exchange one privacy hole for another in the "cloud".
>infinitely (and this is not even a hyperbole) faster
Not if your HOSTS file is >135KB (the one you've provided is 373KB), you're using Windows 8 or earlier and you haven't disabled the DNS Client service.
Not OP, but he said "device"/"router", not many of those run Windows 8.
FWIW I do the same, also use that host file at the border router and yes the difference is quite big. I'm always shocked about the extra adverts I see when using a computer or tablet outside of my own network.
I've never had an issue on XP or 7 and I've used the same hosts file shared above with many, many more that I've personally added (my hosts file is nearly 500KB).
I'd like to believe that Optimal is being altruistic with their DNS servers and just trying to help rid the world of annoying ads...but I'm also realistic.
My VPN provider (Torguard) provides one of these as well. I'm a little more willing to trust them not to do anything malicious with my DNS requests, if only because I'm paying them.
I don't find the "I can trust them because I'm paying them" idea very useful. Nor the "If you're not the customer you're the product."
The bottom line is, if your information is valuable, then it will be in the advantage of those who possess it to exploit it whether you pay them or not. The only real non-moralistic consideration is whether you will stop paying if they start selling.
Either way, "I have a moral obligation to not sell your info, even if you don't pay me not to" sounds a lot better to me than "I don't sell your info because you think you're paying me not to." It's a horse apiece if you're dealing with strangers and you have to take them at their word.
The difference is in sustainability. Sure, some people always want more; morality is no barrier for them. But most people run into trouble only when they face a significant conflict of interest.
Thinking about companies I've seen the inside of, when the company is doing ok, it's rare for people to just up and do something sleazy. But if the company could collapse, suddenly the moral calculus shifts. Even if they don't do something dubious, they often will consider revenue sources they would have ignored before. As they say, desperate times call for desperate measures.
So I'm much more likely to trust a company I'm paying a fair rate for what they're doing. That's not to say that those people don't turn bad sometimes, but it happens a lot less.
Read my medium posts (medium.com/@robleathern) to get a sense of what we are doing and why. It's easy to make money in the online ads industry but we are not going to compromise our values to keep this company alive. Too many startups pivot their way to sustainability at the cost of what they set out to do in the first place. We won't.
I'm definitely wary of handing over my DNS data to a company I don't know. Besides, Safari ad blocking plugins already take care of this while surfing.
This may have unintended (both good and bad) effects on the normal app experience since it's configured on the network.
We are not selling this information and never will. We built a Safari blocker called fewerads that's in the App Store. But we found lots of users wanted to block ads in Chrome mobile or inside Twitter or Facebook (to be clear, web ads, not those platforms' ads), which is what led us to this idea.
An "ethical" ad blocking service launched Thursday that allows users to pay their favorite publishers not to show them ads.
[...]
With Optimal.com, users will pay a flat monthly fee (Leathern told Business Insider the exact amount hasn't been released, but it's likely to be a high single-digit number) to experience an ad free web.
All ad-blocking is ethical. It's the advertisers job to make me aware of products in a way that doesn't anger me, and they're doing a really shitty job.
So we have a separate subscription service at app.optimal.com where you can pay $5.99 a month and we will distribute 70% of that to publishers, entirely transparently. You can also "tip" sites an extra 5c or 25c if you like. There is no connection to our blocker or anyone else's... It's the honor system. We trust some people will do that and it will be enough to create new value for the broken ads ecosystem. We welcome your comments and ideas on this but fundamentally I believe that there should be an option in all media to avoid ads AND pay journalists (my brother is one), a fair rate. This can't be done by any one website on its own.
I've been using it routinely for the past couple of months and it works really well. It blocks web ads, but it blocks in-app ads and tracking as well. Tailing a log when launching an iPad game makes for an interesting read. If anything slips through, just check the log, add the offender to the blacklist and restart the daemon.
How would they verifiably record the ads served? Say on my example.org page the ads come from example.org too; how can Adsupplier Inc. then be sure I served those ads to a genuine page requester?
Protip: Doing this at the DNS and not the browser level leads to lots of brokenness. (Like when you try to sign into an app on your Roku/FireTV and it hangs on a Google Analytics event).
One significant benefit of OpenDNS is you can go whitelist a site/domain from filtering if it's breaking something and they have more categories than just 'Advertising'. I use it to help protect myself and my children from pornography.
I'd like to set up an ad-blocking service, but I fear that I'll spend all my time admin-ing/whitelisting sites when a family member has a broken web experience. Is this an inevitability based on the nature of things?
If there is strong demand I could put together a solution for home networks that does not use a third party resolver, i.e., no tracking whatsoever. It could be run from an SD card or USB stick entirely in memory, i.e. no install needed. All you need is an extra computer; old is fine.
As for "breaking" some websites, it depends on what you block. Speaking for myself, if blocking doubleclick.net makes one out of thousands hang, then that is acceptable. In fact it's desired because I want to know about such sites. What kind of website would do that? Doubleclick offers zero value to the user. I like this aspect of DNS blocking.
Also it's easy to "whitelist" or "blacklist" certain subdomains if that's what you need to do. Simply a matter of editing a text file, and this can be automated.
As for the comments about what effect this would have if practiced by the masses, I think it would bring these ad-supported search engines and social media sites to a day of reckoning.
Users would have all the power. At least one search engine claims it's focused on users. This would put that statement to the test. Users in control. As it should be.
I have tried DNS ad blocking based on one of the popular lists out there. Sadly it was overly aggressive. It cut off my access to sites like mint.com and the Google Analytics dashboard (need it for $WORK). It also made sites like Hulu not work because of their ads. Debugging why this was happening was a huge pain because, for example, Mint uses Intuit domain names that are like right levels deep CNAMEs.
I am going to try this out, but here I would have even less control since I can't edit the zone file.
Edit: Just turned it on and cleared all relevant caches. Still seeing ads all over Google, CNN, BBC, Imgur and a few others. Don't think this works terribly well.
Edit 2: oh but now the Comedy Central app on my phone won't launch. Turning this off.
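A way to see which hop of a chain like that a blocklist actually matches, written as an added example rather than anything from the comment above. The CNAME records and blocklist are constructed stand-ins (the real Intuit names are not on the page), and because some resolvers only match the queried name while others also filter every CNAME target, the check is shown in both modes.

```python
"""Find which hop of a CNAME chain a DNS blocklist matches.
Added example; CNAME_RECORDS and BLOCKLIST are constructed stand-ins."""
from typing import Mapping, Optional

# Constructed CNAME records (name -> target), modelled on the comment:
# the site name is harmless, but the chain passes under a listed domain.
CNAME_RECORDS = {
    "www.finance.example": "finance-www.parentcorp.example",
    "finance-www.parentcorp.example": "www-finance.telemetry.parentcorp.example",
    "www-finance.telemetry.parentcorp.example": "cdn-node-42.edge-provider.example",
}
# Constructed blocklist: one exact host and one whole domain.
BLOCKLIST = {"ads.example.net", "telemetry.parentcorp.example"}
MAX_HOPS = 8  # resolvers cap chain length to stop loops; so do we


def canon(name: str) -> str:
    """Lowercase and strip the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def is_blocked(name: str, blocklist: set[str]) -> bool:
    """Exact match, or a subdomain of a listed domain. The dot boundary matters:
    'notelemetry.parentcorp.example' is not under 'telemetry.parentcorp.example'."""
    name = canon(name)
    return any(name == b or name.endswith("." + b) for b in blocklist)


def resolve_chain(name: str, records: Mapping[str, str]) -> list[str]:
    """Follow CNAMEs from name; the last element is the final target."""
    chain = [canon(name)]
    while chain[-1] in records and len(chain) <= MAX_HOPS:
        chain.append(canon(records[chain[-1]]))
    return chain


def diagnose(name: str, records: Mapping[str, str], blocklist: set[str],
             deep: bool) -> tuple[str, Optional[str]]:
    """Return ('blocked', culprit) or ('allowed', None).
    deep=False checks only the queried name, as a hosts file or a name-only
    resolver rule does; deep=True also checks every CNAME target, which is
    how a lookup can fail although the site itself is not listed."""
    chain = resolve_chain(name, records)
    for hop in (chain if deep else chain[:1]):
        if is_blocked(hop, blocklist):
            return "blocked", hop
    return "allowed", None


def report(name: str, records: Mapping[str, str], blocklist: set[str]) -> str:
    """One-line summary for both inspection modes, for reading off a log."""
    parts = []
    for deep in (False, True):
        verdict, culprit = diagnose(name, records, blocklist, deep)
        mode = "every hop" if deep else "query name only"
        parts.append(f"{mode}: {verdict}" + (f" at {culprit}" if culprit else ""))
    return f"{name} -> " + " | ".join(parts)
```

Feeding the chain seen in a resolver log through `report` names the hop that matched, which is the entry to whitelist rather than the site itself.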
How easy is it to temporarily switch it off if a site is broken? Like if they have some crucial JS/CSS served from a blocked domain? I also wonder this with the hosts file approach. Is that the kind of flexibility you give up for speed?
This is a slight issue; we are looking at ways to make this easier. The reality, compared with the hosts file approach, we think is that we can be far more dynamic and help protect users from bad domains as well, but time will tell.
Adding another vote of confidence for running your own local DNS resolver with a block list. I use this script to generate a compatible hosts list for unbound:
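The script itself is not on the page. As an added example (not the commenter's script), here is a converter from hosts-file entries in the StevenBlack format to unbound `local-zone`/`local-data` lines, with a whitelist that also punches a hole through a blocked parent zone; the sample list is constructed.

```python
"""Convert a hosts-format blocklist into unbound local-zone entries.
Added example (not the commenter's script); SAMPLE_HOSTS is constructed."""
import re
from typing import Iterable

# Constructed sample in the format StevenBlack's list uses:
# "<sink address> <hostname>", '#' comments, blank lines.
SAMPLE_HOSTS = """\
# Title: constructed example hosts file
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net        # trailing comments are allowed
0.0.0.0 tracker.example.org
0.0.0.0 cdn.example.org
0.0.0.0 0.0.0.0
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that refer to the machine itself; never worth sinkholing.
SELF_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "0.0.0.0"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def parse_hosts(text: str) -> set[str]:
    """Return the hostnames that a hosts-format blocklist sinks."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in SINK_ADDRS:
            continue                               # not a sink entry
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in SELF_NAMES or not HOSTNAME_RE.match(host):
                continue                           # junk or self-reference
            names.add(host)
    return names


def is_whitelisted(name: str, whitelist: Iterable[str]) -> bool:
    """A whitelist entry also covers its subdomains."""
    return any(name == w or name.endswith("." + w) for w in whitelist)


def to_unbound(names: set[str], whitelist: Iterable[str] = ()) -> list[str]:
    """Emit unbound config lines that answer blocked names with 0.0.0.0.
    A 'redirect' local-zone answers for the zone and everything below it,
    so a whitelisted subdomain of a blocked zone needs its own, more
    specific, 'transparent' zone to resolve normally again."""
    wl = tuple(whitelist)
    blocked = sorted(n for n in names if not is_whitelisted(n, wl))
    lines: list[str] = []
    for n in blocked:
        lines.append(f'local-zone: "{n}" redirect')
        lines.append(f'local-data: "{n} A 0.0.0.0"')
    for w in sorted(set(wl)):
        if any(w.endswith("." + b) for b in blocked):
            lines.append(f'local-zone: "{w}" transparent')
    return lines
```

The output goes into a file included from unbound.conf's `server:` section; `to_unbound(parse_hosts(SAMPLE_HOSTS), ["cdn.example.org", "good.tracker.example.org"])` drops the CDN entry and keeps `good.tracker.example.org` resolvable under the blocked `tracker.example.org` zone.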
My strategy is to use OpenDNS to block sites, and uBlock Origin to block all 3rd-party access. Then I whitelist stuff. Whitelisting is more work than blacklisting but I'd claim it is more comprehensive. On my phone I just disable javascript.
I noticed a recent trend in sites that refuse to serve when running an ad-blocker. Is the web a usable experience for people who are running ad-blockers?
Would be more and more of a problem with most sites switching over to HTTPS - Cert mismatch warnings if your ad URL is https and mixed content warning if not. Besides how hard would it be for someone to add a rule to uBlock to block by-IP URL access?
The obvious two: Optimal gets to see every domain name your computer asks for, including personalized domains like yourname.bloggingservice.com; Optimal gets to answer those requests in any way it wants to (MITM attacks).
Or you can combine that with https://github.com/jlund/streisand to have a VPN service that happens to adblock (great for mobile).