Relatively Painless Ad Removal – FFox DNSoH

I’ve just conducted a first experiment with DNS over HTTPS and it seems to be working fairly well. Normally this sends you off to somewhere like Cloudflare and is a waste of time. BUT, it seems that Firefox (at least on the Armbian release) has realized folks don’t like that kind of loss of control.

So it has a way to set where you want those “only inside the browser” DNS inquiries to be sent. AND there’s a DNS provider who claims to keep them private while blocking ads.

So I tested it. Seems to work.

This site has the DNS server info, and a tab on configuring Firefox:

https://decloudus.com/

When using your Mac or PC (Windows or Linux), all the ads, trackers, malware, Google services, etc. you encounter will be from your browser. The fastest and most efficient way in this case is to configure your browser to use secure DNS. Firefox is privacy friendly and it has native support for DNS over HTTPS (DoH). This works on any Mac or PC with Firefox:

1. Open Firefox Preferences to access Firefox settings.

2. In the settings search bar, type DNS and search.

3. Click Settings that comes up in the search results.

4. Scroll down in the settings menu to the DNS over HTTPS section. Check the box next to Enable DNS over HTTPS to enable it.

5. Select Custom for the Use Provider option.

6. In the Custom input field, put the DeCloudUs DoH server info provided. Click OK to apply settings.

The “info provided” is obtusely put in a box up near the top of the page where you get to go back and figure that out (when they could have just said “Put THIS here”…) What you paste in is: https://dns.decloudus.com/dns-query

Then there’s another setting to prevent “fallback” to regular DNS should the DoH give no result. I likely didn’t need to do this as my default DNS is already blocking things, but did it anyway.

Note: sometimes Firefox may still show major Google user sites such as “www.google.com” and “www.youtube.com”; however, other Google domains, ads, malware, etc. will be effectively blocked.

In order to ensure Firefox will not fall back to the default network DNS because some sites are blocked, you have to change the Firefox configuration setting to no fallback:

1. Load about:config in the Firefox address bar.

2. Click to confirm that you will be careful if the warning page is displayed.

3. Search for network.trr.mode and double-click on the name.

4. Set the value to 3 to make DNS over HTTPS the browser’s default DNS resolver with no fallback.

Which is a lot easier than it looks.
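To make concrete what Firefox is doing once those settings are in, here is an added example (my code, not from the post and not from DeCloudUs) that builds an RFC 8484 DoH query for a name, forms the GET URL against the https://dns.decloudus.com/dns-query endpoint named above, and parses a DoH response body to decide whether the resolver answered, sinkholed the name, or returned NXDOMAIN. The response bytes are constructed locally so it runs offline; which sinkhole address a blocking resolver actually hands back (0.0.0.0 and 127.0.0.1 here) is my assumption, since the page does not say.

```python
"""Added example (not code from the post or from DeCloudUs): what a DoH
client does behind the Firefox setting above. Builds an RFC 8484 query,
forms the GET URL, and parses a DoH response body. Runs offline on
constructed response bytes."""
import base64
import struct

DOH_URL = "https://dns.decloudus.com/dns-query"  # the resolver URL from the post


def build_query(name, qtype=1):
    """DNS wire-format query for `name` (type A by default).
    Message ID 0 and RD=1, as RFC 8484 suggests for cache-friendly GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(name, base=DOH_URL):
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if after is None:
                after = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (after if after is not None else off)


def parse_response(msg):
    """Parse an application/dns-message body into rcode plus A-record addresses."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addresses = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "addresses": addresses}


SINKHOLES = {"0.0.0.0", "127.0.0.1"}  # assumption: typical blocklist answers


def classify(parsed):
    """Label an answer the way a client of an ad-blocking resolver sees it."""
    if parsed["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if parsed["rcode"] != 0:
        return f"failed (rcode {parsed['rcode']})"
    if not parsed["addresses"]:
        return "no answer"
    if all(a in SINKHOLES for a in parsed["addresses"]):
        return "blocked (sinkholed)"
    return "resolved"


def make_response(name, addresses, rcode=0):
    """Constructed DoH response body for offline testing; not real resolver output."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer to offset 12
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addresses)
    return header + question + answers


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    for name, addrs, rcode in (("ads.example", ["0.0.0.0"], 0),
                               ("example.com", ["192.0.2.10"], 0),
                               ("tracker.example", [], 3)):
        print(f"{name}: {classify(parse_response(make_response(name, addrs, rcode)))}")
```

Running it prints the GET URL for example.com and the classification of three constructed answers. The query for www.example.com encodes to the same base64url string as the worked example in RFC 8484 section 4.1.1, which is a quick sanity check that the wire format is right. A real client sends that URL over HTTPS with an Accept: application/dns-message header, which is exactly what flipping the Firefox setting above turns on; the reason a sinkholed name still shows the “ADVERTISEMENT” placeholder is that the resolver answers, it just answers with an address nothing listens on.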

SO, OK, did that. The test?

First I did a lookup of “hunting bow” on Google, deliberately telling them “Hey, this guy wants to look at bows!”, and clicked on a “pick a good bow” link:

Then I went to Field and Stream and launched an article about bows.

Where you would expect to see Amazon pushing a bow at me, I had:

“ADVERTISEMENT”

as a space marker…

So next I relaunched a Field and Stream top level URL. Again got “ADVERTISEMENT” text, but no ads.

Launching several other, usually ad-ridden, sites, there was a noticeable lack of ads.

Note that the direct Google Search page will still put up their ad links in the top of the search results (as they control that). Clicking on them gave me a “can’t get there from here” about the google ad sites (though I can’t say for sure if it was the browser or my regular DNS blocking preventing that from working – all I can really say is my Squid Server said “Can’t get there from here”. That needs more testing.)

So, overall, I’m pretty impressed. I do need to do more testing away from my infrastructure of protection. But at a first glance, it seems to be working. It is certainly very easy to set up.

I’m a little more partial to Chromium for videos, but the occasional ad sneaks through (Embedded in the video I think, maybe. Some popup boxes at the bottom are just wire frame as the DNS ad block has caught them, others get text so PiHole doesn’t know to block them yet.) But so far Chromium does not let you set the DoH server value. This may start being an issue once that “upgrade” hits my computer OS level…

For now, the newer Firefox does have DoH, and it is nice to know that I have a choice of either pointing it at “OFF” and using my PiHole DNS protection, or this other option of public blocking DNS. Nice that.

Unfortunately, my Tablet is now old enough that updates / upgrades are scarce, so unlikely I can get a new enough Firefox for it to test away from home. (Probably about time to dust off those old “how to install Linux” on it directions…)

If anyone without a home DNS can do a few tests of this, it would be nice to have some confirmation that it really really is doing what it seems to be doing, blocking ads and not letting info about DNS queries leak.

Until then, I’m kind of enjoying the idea that I’ve bifurcated my DNS traffic with this part of it hidden from my Telco ;-) While I ought to have an encrypted DNS for the upstream from my PiHole build, I don’t know that I’ve done that. It was a long while ago… So next on my list of “Things To Do in DNS Land” is check on what it takes to set or confirm it has encrypted upstream too …

But doing this in the browser was way easier than setting up your own ad blocking DNS servers…


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

11 Responses to Relatively Painless Ad Removal – FFox DNSoH

  1. Hifast says:

    Procedure followed with these results:
    -Google daht com yields “Hmm. We’re having trouble finding that site.”
    -Translate daht google daht com yields the same “Hmm. We’re having trouble finding that site.”
    -Youtube yields the same thing.

  2. Hifast says:

    I switched back to “0” from “3” and google and YouTube are accessible again.

  3. E.M.Smith says:

    Interesting… my FFox copy default had been a “2” not a “0”. I wonder what the various values mean…

    FWIW, I’m getting to “google.com” just fine as a typed browser entry. It’s just ads that are being blocked for me.

    Wonder if I really have it working… It’s possible it isn’t working and I’m just getting my default filtering? (Ah, the problems of “belt AND suspenders” and wondering which one is holding up your pants…)

  4. Hifast says:

    E.M., I have Ad Blocker Plus running all along, so that may be the belt and suspenders issue.
    I’ll try other numbers besides 3.

  5. jim2 says:

    EM – Do you have a network monitor running? Can you see the DNS activity?

  6. E.M.Smith says:

    @Jim2:

    I can, but it’s in the other room and I’m lazy ;-)

    Yeah, I’ll do it when I’m next in the office…

  7. E.M.Smith says:

    OK, at the PiHole console, launched FFox at Field & Stream, Sci. Am. and no DNS transactions. Did the same from Chromium without DoH and had DNS requests.

    Looks like it’s working and not showing up on the regular network DNS activity.

  8. E.M.Smith says:

    Wait a mo… Just opened a page on nbc and did see a dns entry on the pihole…

    Still less than expected, but there. OTOH, I’ve got two browsers open right now and it’s possible the other one issued the request from some other page. I think I need to tighten up the test…

  9. E.M.Smith says:

    OK, had to play with it a little bit more. First off, the PiHole queue inspection tool does not auto-update. You have to click it again each time to see the new activity. Then I found that I was in fact having DNS lookups go to it.

    Turns out that the setting for Proxy in the browser has a setting to send HTTPS to the PiHole. OK… AFTER turning that off so DNS via HTTPS was NOT being proxied too, THEN the PiHole had no idea the DNS requests were going out.

    So, it does work. It does hide DNS requests in encrypted HTTPS and when doing that it DOES block ads. BUT, you need to know if you are using your Proxy Server to also proxy HTTPS DoH requests or they will still show up in the log…

    I guess it’s better that both are really trying hard to make sure the DNS request gets handled right than to have them NOT trying hard enough and have the ads get through ;-)

    So now I’m going back to my regularly scheduled browsing…
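
A way to tighten that test, as an added example (my code, not the commenter’s and not Pi-hole’s): parse the dnsmasq-format query lines Pi-hole writes to pihole.log, keep only the lines from the machine under test during the test window, and report what it looked up. Any hit inside the window means that client, or a proxy answering for it, still asked the network resolver. The log lines and client addresses below are constructed samples, and because dnsmasq omits the year from its timestamps the script assumes one.

```python
"""Added example (not the commenter's or Pi-hole's code): pick out the plaintext
DNS queries one client sent to Pi-hole during a test window. Log lines are
constructed samples in dnsmasq's query-log format."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Pi-hole's dnsmasq-format query log (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] www.fieldandstream.example from 192.168.1.20
Mar  3 10:00:01 dnsmasq[812]: forwarded www.fieldandstream.example to 9.9.9.9
Mar  3 10:00:02 dnsmasq[812]: query[A] ads.example from 192.168.1.20
Mar  3 10:00:02 dnsmasq[812]: /etc/pihole/gravity.list ads.example is 0.0.0.0
Mar  3 10:00:09 dnsmasq[812]: query[AAAA] www.nbc.example from 192.168.1.31
Mar  3 10:00:15 dnsmasq[812]: query[A] www.sciam.example from 192.168.1.20
"""

# Only query[...] lines are new lookups; forwarded/blocked/reply lines describe
# the same lookup and are skipped so nothing is double counted.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log_text, year):
    """Return (timestamp, qtype, name, client) for each query[...] line.
    dnsmasq timestamps carry no year, so the caller supplies one (assumed)."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())            # collapse the "Mar  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["qtype"], m["name"], m["client"]))
    return out


def queries_from(log_text, client, start, end, year=2020):
    """Lookups the resolver saw from `client` with start <= ts <= end.
    `start`/`end` are ISO strings such as "2020-03-03 10:00:00"."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [(ts, qtype, name) for ts, qtype, name, c in parse_queries(log_text, year)
            if c == client and lo <= ts <= hi]


def report(hits):
    """Count lookups per name so a stray request from another tab stands out."""
    return Counter(name for _, _, name in hits)


if __name__ == "__main__":
    window = ("2020-03-03 10:00:00", "2020-03-03 10:00:10")
    for client in ("192.168.1.20", "192.168.1.31", "192.168.1.99"):
        hits = queries_from(SAMPLE_LOG, client, *window)
        verdict = "still using the network resolver" if hits else "no plaintext queries seen"
        print(f"{client}: {verdict} {dict(report(hits))}")
```

Run it against a copy of pihole.log with the test machine’s address and the minute or two you spent loading pages; one browser on one machine at a time, as the thread concludes, is what makes the per-client filter meaningful. With DoH on and the proxy not in the path, the expected result for the Firefox machine is an empty list.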

  10. philjourdan says:

    It is blocking google sites! But that is fine, I can use Chrome for those if I want to. Firefox is now clean. Thanks

  11. Clyde says:

    Ad blocking in-browser works well enough for me, along with DoH via Simple DNSCrypt, which rotates round-robin the DNS queries between the available DNS resolvers. I’ve chosen to only use DNS resolvers which state that they do not log DNS queries. Some of them have built-in ad-blocking, but I’d rather have finer local control via ad blockers.

    uBlock Origin is especially good… you can block any given part of a page. For instance, on azm.to (a pirated movie website I’d used for testing uBlock Origin), you’ll get pop-ups and pop-unders and in-lines galore without an ad-blocker. Attempting to block them with AdBlock Plus results in the movies not playing. uBlock Origin blocks every single ad while allowing the movies to play.
