Hi I'm the CEO of Optimal, Rob. We use open source lists of adservers but have had to evolve from those lists since some of them are invalid or overly aggressive. We do not and will never make decisions about what to block based on being paid by any of these companies. We are building a consumer filtering system, and we are responsible to consumers. If you try it out and find any sites that don't work as intended please email us or contact support.

Hi,

Will you switch over to a paid service once you're out of beta?

Also what's your policy on logging?

Below (a probably outdated list of) privacy enhanced servers that don't log.

  # Swiss Privacy Foundation http://www.privacyfoundation.ch/de/service/server.html
  77.109.138.45
  77.109.139.29
  # www.censurfridns.dk http://www.censurfridns.dk/
  91.239.100.100
  89.233.43.71
  # CCC http://www.ccc.de/censorship/dns-howto
  85.214.20.141 
  204.152.184.76
  194.150.168.168
  213.73.91.35
  # Comodo Secure DNS https://www.comodo.com/secure-dns/
  8.26.56.26
  8.20.247.20
  # DNS Watch https://dns.watch/index
  84.200.69.80
  84.200.70.40
  # Fool DNS http://www.fooldns.com/fooldns-community/
  87.118.111.215
  # Free DNS http://freedns.zone/
  37.235.1.174
  37.235.1.177

take the above list to find the one fastest for you:

  for i in `cat dns.txt|grep -v '^#'`
  do 
    qt=`dig @$i techcrunch.com| grep "Query time:" |cut -f2 -d ':'`
    echo "$i: $qt"
  done

We will not - we intend to keep this service free. We hope that some portion of people sign up for our publisher tips, to reward journalists for great content. We take a percentage of they but just as I have publicly said most publishers should NOT block ad blocking users but it's up to them, we hope to provide an optional mechanism for people to pay. Longer term we think a lot of advertising is transformed by software. I wrote about this here - https://medium.com/@robleathern/artificial-intelligence-will...

pretty cool, would probably be good if you mention the non-logging in your ToS or somewhere in an official statement. or by using a warrant canary clause somewhere ...

ask them to add you to:

https://wikileaks.org/wiki/Alternative_DNS

I assume no statement from their CEO is also kind of a statement.

@optimalrob Great work in simplifying ad blocking for all devices. Question, is Optimal working on an option to block adult content as well? OpenDNS Family Shield does an excellent job of this currently for home and school networks. We use it and dnsmasq to block all of the major ad networks. Good luck!

Open to it - I am very concerned about explicit ads being targeted to kids, but also sites that are not safe for kids. I think we would more likely look to partner with someone who is expert on the family side and they could utilize our ads expertise.

If you want StevenBlack's hosts list to be network-wide I integrated it with an open source, self-hosted DNS server called https://pi-hole.net/ last week which adds a slick admin interface and browser extensions too, then I put it all in a Vagrantfile and set my router to use the VM as a DNS server.

Screenshot: https://i.imgur.com/ELL9CDu.png

Vagrantfile: https://github.com/benlowry/pihole-extended-hosts

I use pi-hole at home and it's a great little tool for my home network and I think makes a noticeable difference on web browsing speeds.

My only wish is that it would serve a page notifying me "this is possibly an ad, but would you like to continue?" versus just flat out blocking. I know there's a whitelisting functionality but it'd be cool if I could handle this directly in my actions in the browser.

Alternately, if your router is capable of doing so, have it be the DNS server, seeded with the hosts file. That's what I do with my EdgeRouter Lite.

Is it possible to marry this to Bind9?

Nice! Thanks

> One can achieve this locally, on a laptop/desktop, using https://github.com/StevenBlack/hosts

I use this with DD-WRT to get network-wide filtering. It's not perfect (only updates on router boot), but good enough for me.

Additional DNSMasq options:

    addn-hosts=/tmp/ad-hosts
    no-resolv
    strict-order
    server=8.8.8.8
    server=8.8.4.4

Startup script:

    wget -qO /tmp/ad-hosts-v4 https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

    H_MERGE=/tmp/ad-hosts
    H_ORIG=/tmp/ad-hosts-v4

    sort $H_ORIG | uniq | grep "^0" >> $H_MERGE
    sort $H_ORIG | uniq | grep "^0" | sed "s/0\.0\.0\.0/::/g" >> $H_MERGE
    stopservice dnsmasq && startservice dnsmasq

Urgh why do people have to be so POSIX about things. Here is the content of my /etc/cron.daily/adblock file:

    #!/bin/bash

    wget -qO- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
    | sort -u \
    | awk '/^0/ {print;print ":: " $2}' \
    > /tmp/ad-hosts

    service dnsmasq reload

I know cycles are cheap but that doesn't mean we should be spaffing them up the wall when we can do things cheaper. This avoids double-processing the downloaded content.

dnsmasq config as above.

How is the performance of dns lookup when using dnsmasq? Is it faster than putting them on /etc/hosts? I tried putting the blocked domains in the /etc/hosts file, but the performance is terrible. It significantly increased dns lookup time on my i5 laptop (that was before I upgraded my laptop with ssd though), so I ended up configuring my own ad blocking dns server on a cheap Scaleway vps instead and never have any issue with long dns lookup anymore.

Network-wide is the way to go. Hosts files can be tricky to set up on phones and tablets.

I run dnsmasq on a pi as my ISP router is pretty limited. You can't even change the DNS servers, so the pi has to do DHCP too.

I use it to block other things like fixed banner overlays. With caching you can get it to work when you go off WiFi too [0].

Not sure I'd use Google's DNS servers though. Your ISP's are probably better for both speed and privacy. You can test the speed with an old Google project called namebench [1].

[0] https://unop.uk/block-bbc-breaking-news-on-all-devices

[1] https://code.google.com/archive/p/namebench

> Not sure I'd use Google's DNS servers though. Your ISP's are probably better for both speed and privacy. You can test the speed with an old Google project called namebench [1].

Unfortunately my ISP's (Sky, UK) DNS servers aren't particularly reliable. My devices are behind the DD-WRT router that forces its own DNS settings (other servers are intercepted), but the rest of the family connects directly to the ISP router[1]. Multiple times I've been browsing the Internet without issue, but other people have been unable to use the Internet. Changing their device to use Google's DNS server resolved the issue.

[1] Been meaning to merge the two for a while, but haven't got around to it yet

I think it'll be hilarious if the future of DNS security and authentication is driven by ad companies ensuring consumers can't dodge them.

See also FreeContributor [1] (works not just with dnsmasq, but unbound and pdnsd and hosts file)

[1] https://github.com/tbds/FreeContributor

> neither of the above can work for all devices in a household and more things in the house are tracking you and serving adverts

Isn't the best approach is to just buy only devices that either known to not have adware onboard (e.g. "dumb" TVs), or that can be re-flashed with software you can relatively trust?

That only applies to the core OS and its capabilities. The apps can contain all the nonsense they want, because OS can deny the access or feeds the sanitized data if the app's badly written or insists on the business model where user pays with their privacy.

Metiix Blockade blocks at the DNS level.... Locally on Windows or Linux or a raspberry pi if you want.

I use this with Gas Mask on OS X.