Adventures In DNS Land – Telco Blocking Ad-Blocking

I was having somewhat painful DNS lookup failures (page unavailable / site unavailable errors) and very slow page loads (often waiting for Gravatar and such odd bits to load, indicating some DNS sloth as likely).

Wasn’t sure if it was the Chromebook or what, but figured as a sanitation measure to just swap from the default Telco DNS server to a bigger bolder one ought to answer the question of DNS Server Sloth.

Decided to swap over to some ad-blocking DNS servers in the process. Well…. That failed entirely. (I’ll skip the hour or two spent trying different ad-blocking DNS servers and ALL of them failing 100%) Eventually I got a clue that maybe, just maybe, it was the ad-blocking aspect. Put in Google DNS server ( and and everything worked Great! and Fast!


FWIW I despise Google on many levels. But when their product is “the right answer” I tend to use it anyway. Example is the Chromebook. I’m using it 100% and only for Blog Stuff. As that is all pretty much public anyway, not a lot of security / privacy worry about someone seeing what’s on the blog or that I go there. Similarly, for a “go to” always up always DDOS protected always good for debugging use, their DNS servers are very good. So I tend to use them “when all else fails” and I need to diagnose: is it, or is it not, the DNS server.

Well, it was the DNS Server. OK… But not just that the Telco server was bog slow and sporadically timing out. It was also the case that attempts to use an ad-blocking DNS server (a few of them actually) were being actively blocked by “somebody”… and that somebody is almost certainly the Telco. In this case, both T-Mobile and AT&T (via the Tracfone purchase of my Tracfone provider).

I’ve not done an exhaustive test of all this. Basically just got it all working and the rough outline identified. FWIW, I’m presently using a “malware blocking” DNS server ( and it is working Just Fine. This leads me to believe that it is active blocking of the ad-blocking DNS servers, which implies the Telco is getting a kick-back from someone on ad serving. Perhaps just that, as these are cell phone hot spots, the much more rapid burn of the “hotspot GB” that comes with lots of ads.

Whatever. I’ll go down that rabbit hole later.

Next task will be to configure PiHole on the Pine64 and get it integrated with the hot spots into a unified LAN on my WiFi router. They cannot block DNS lookups done by the PiHole and then the blacklist of sites comes as data inside an encrypted pipe, so hard to block that. And the escalation war goes on… but on another day. Today is a holiday, so BBQ and such takes precedence.

Some public DNS servers:

Alternate DNS offers an affordable, global Domain Name System (DNS) resolution service, that you can use to block unwanted ads.

Try it out:

Set your DNS to (new / fastest!)
Secondary server
For ipv6 2602:fcbc::ad & 2602:fcbc:2::ad

Plain DNS

Default servers
If you want to block ads and trackers.

Non-filtering servers
If you don’t want AdGuard DNS to block ads and trackers, or any other DNS requests.

Family protection servers
If you want to block adult content, enable safe search and safe mode options wherever possible, and also block ads and trackers.

I also got to use the Linux installed in a container on ChromeOS to do an nslookup and whois or two. Just a nice thing to have those tools available…

FWIW, the server is a Cloudflare / APNIC server

You may be familiar with their and servers (reputed to not log nor sell your DNS lookups). They have also added a set for blocking malware and one for blocking porn too.

Two years ago CloudFlare launched a secure free fast DNS service to help people surf more privately on the internet.

Today the company processes more than 200 billion DNS requests per day, making Cloudflare the second largest public DNS resolver in the world, behind only Google.

Now Cloudflare has expanded its free DNS service with what they call “ for Families” : – blocks known malware – blocks malware and adult content

In the coming months, CloudFlare will provide the ability to define additional configuration settings for for Families.

You choose whether you want to block malware and adult content or just malware depending on which IP address you configure:

IPv4 setup

Malware and Adult Content
Primary DNS:
Secondary DNS:

IPv6 setup
Malware Blocking Only
Primary DNS: 2606:4700:4700::1112
Secondary DNS: 2606:4700:4700::1002

Malware and Adult Content
Primary DNS: 2606:4700:4700::1113
Secondary DNS: 2606:4700:4700::1003

Let us know if you’re going to use services like this to protect your household.

There are a LOT of alternative / other DNS servers and perhaps some amount of Dig Here! would find some that ad-block and work with the Telco, but that will be for another day. I did find it interesting that, per this site, Yandex (Russia) has a DNS server offering too. Might provide a bypass for Russian sites if the GEBs decide to start blocking access to some Russian pages via DNS Buggery…

Additional DNS Servers
Here are several more public DNS servers from major providers.

More Free DNS Servers
Provider	Primary DNS	Secondary DNS
Comodo Secure DNS
CenturyLink (Level3)
Hurricane Electric	 
Control D
Some of these providers have several DNS servers. Visit the link above and select a server that's geographically nearby for the optimal performance.

On “Another Day” when I’m feeling more like doing actual work, I’ll give Yandex a spin.

SO, ok, there you have it. Yet Another DNS Fail Bug / Issue resolved. It has generally been my experience that the Telco DNS is slower than others, even on land line installs; so not really a surprise it is more limited on the cell network.

For now I’m using Cloudflare. Later it will be PiHole (where I’ve done articles on it before). In between? A bit of hunt and peck off the lists.

If anyone has a preferred Ad Block DNS, feel free to give it a shout out.

Oh, and along the way was reminded that Chrome Browser will sometimes try to punt DNS lookups to Google at regardless of your server setting in the system. While that’s not (yet) an issue for me, it would be “best practices” to block traffic to Google addresses in your boundary router IFF you are running a secure / private site.

By Default, ChromeOS and Chrome browser are designed to harvest your personal information. You can fight it, but it is an ongoing struggle.

So, with that, I’m off to other things. Back from the morning hot tub and pool, but 45 minutes until the BBQ at the pool starts ;-) Life in a vacation RV Park, keeps getting in the way of work 8-)

End Note:

Just for fun, I’ve put Yandex in my DNS list right after, put in last place (yes, blocks porn, but as I never go looking for porn I just don’t care, but normally don’t like someone else deciding what is and is not porn globally), and with Level 3 in 3rd place.

Nothing Telco nor Google. So far works well. We’ll see about longer term on this device.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

31 Responses to Adventures In DNS Land – Telco Blocking Ad-Blocking

  1. cdquarles says:

    Well, that’s interesting. Given that I am paying for cable internet, and only for cable internet; this has me wondering a bit. I get that if I buy a newspaper from a retailer, I’m going to get their paid ads, too (from the retailers and the customer paid want ads). Same with over-the-air radio or television (which I no longer watch). I guess I could tor browser search for my cable company’s paid ads being served and what they do to target them.

  2. E.M.Smith says:


    It isn’t just ads the Cable Company might serve, but “did you click on an ad?” information.

    So say you visit, and there’s an ad for Vodka. You click on it to see if the price is good or even just to see who thinks you are a drunkard. That causes a DNS Query. The DNS Server knows that the query happened and from what IP (and likely unless you took some pains, what address and even what person and perhaps your phone number… ChromeOS asks for your phone number and with some effort you can bypass the question… so ChromeOS as defaulted and using Google DNS they have it all. Why Google DNS used inside the Chrome browser instead of your system set up, is not your friend…)

    So now the DNS Server Company can sell that fact that IP x.y.x.z clicked on a Vodka ad and it likely was Joe Drunkard who has a search history of guns, prostitutes and vodka (with a preference for long legged Black Beauties, .357 Magnum, and cheap Vodka but not Russian…) and is at address 124 Skid Row with phone number 666-555-8669…

    So you start getting all sorts of “customized ads” for vodka, shooting ranges, and a local topless bar and escort service. Also consider the utility of this information for LEOs and TLAs…

    For those who might have missed it. To “86” something is cancel and 69 is… oh nevermind…

    All just from DNS lookups and common information leakage gathering / profiles.

    Which is WHY I never click on ANY ads and why I set up alternative DNS services including but not limited to a PiHole pointed at high level DNS servers and not those set up by a profit making entity if at all possible. But then, preferably one with a history of flushing logs and tracking information.

    It is also why I periodically “rotate shields” and platforms and change my DNS Service upstream provider and flush the identity off of my systems and have no less than a dozen systems I use most of the time (now down to “only” 4 while on the road) and have a unique email identity for each at several providers and a couple of login IDs on each system and don’t do ANYTHING personal on most of them and and and…

    There’s at least a “dozen me’s” spread all over the place. “Only” 6 in my minimal road kit of 4 computers that I’m using right now (but will rotate to something else in a month or so).

    No, I don’t expect even 1% of folks to do nearly that much protective behaviour / data dirty action. You are dealing with someone with 40 years of being a prime target with root password access to Fortune 500 companies where if I was hacked, the whole company went down. Habits that don’t end easily.

    Oh, and of course, in the present context, a reasonably probable target for doxing / cancel culture MidWit Drones to attack. (I’m not important enough for a full Epstein…or a Clintoncide) So using those habits is still reasonable.

    Besides, I get less ads that way ;-)

  3. philjourdan says:

    We just moved off of cloudflare (Not DNS, as a CDN), but yea, know their DNS servers well. Very original name for their DNS server –

    The problem today with DNS is that ANYTHING can be a TLD! And most has become such. A long long time ago, the company created some internal DNS zones that were not “.local”. Now, half are TLDs! With any of the others becoming one is a distinct possibility.

    Enough of this domain crap!

  4. jim2 says:

    Spectrum determines my DNS server. I’ve tried just about everything, several months ago so don’t remember details, but my requests always hit their servers. Very frustrating.

  5. Prak says:

    This is what DoT (DNS over TLS) is for; just because you’re bypassing your telco’s DNS servers doesn’t stop them logging your requests (or even changing the results). Get a cheap VPS somewhere reasonably geographically close (DNS is used for working out where you are IRL), configure your local resolver to forward everything to your VPS using DoT and now your telco can’t interfere.
    Failing that, pick a provider you trust and enable DoH (DNS over HTTPS). It’s the latest greatest shiniest thing and it can leak data from your local network almost like it was designed that way, but it’ll stop your telco snooping.

  6. E.M.Smith says:


    Yes, the Telco still sees the traffic and they can screw with it, but I’ve not had them do any changes (yet…). Then again, I’ve mostly been using a PiHole for my DNS services for the last few years and it’s doing more complicated DNS lookups that I think the Telco doesn’t like to screw with (it talks to servers in hierarchical order working out who is source of authority).

    This business with blocking ad-blocking resolvers is the first time I’ve had trouble with Telco screwage other than when using public WiFi at places like StarBucks where they use DNS screwage to block access until you accept their “terms”.. Then again, I’ve been basically on AT&T home wired networking with a PiHole internal server for the last decade+…

    But I also like that with the PiHole any given site is looked up once and done for a significantly long time as it caches a lot (configurable size too). Plus by blocking a lot of the traffic (ads, etc.) that’s even less for any snooping Telco to see. (I don’t really care if they see that I use Wiki, go to my blog, and read various news sources… which is 99% of everything I do ;-)

    The downside is that most of my more complicated configuration has been on the PiHole server and not on my desktops, so I’m “light” on things like configuring a Windoze / ChromeThing / Mac to do much beyond point at a given DNS server.

    I didn’t go into TLS or HTTP based DNS for the simple reasons that I figured most folks reading here would not care much, nor do it as it is complicated, and that the last time I tried to set it up it was a royal PITA. I’m figuring I’ll try it again with the PiHole set up this round.

    I have had on my perpetual ToDo list setting up a virtual server on some cloud provider and running my own VPN through it (plus DNS traffic) but “life gets in the way” some times. Now I’m rebuilding all that I had before that’s now gone due to The Move.

    Routing everything through your own virtual server via a VPN also prevents the Telco seeing your IP traffic. (Even if you hide the DNS lookup, they still see the actual traffic request to that IP and can figure you did a lookup, unless you wrap it all in a VPN / encrypted pipe).

    Which is where all my other habits come in to play. When I find myself on new hardware in a temporary living arrangement using a new and / or improvised network, I still have the whole multiple identities and rotating fingerprints thing helping out.

    Turns out that “eventually I’ll get to that” can take a long time… sometimes…

    So as of right now I’ve got three different Telco cellular hot spots going (since you pay by the GB, it’s roughly free to run a couple of them. Cost me all of $24 for the one on T-Mobile network for a 4G hotspot (no 5G was available at the time). No one Telco gets a full picture. Then I’ve got 4 computers going now (having bought 2 Chromebooks…) So not one fingerprint but 4 for me (and a couple more for the spouse). That seems to confuse tracking enough for most things ;-)

    Oh, and as soon as I get linux on the Chromebook I’ll have one ID on it that always flushes trackers and cookies and such. As of now it’s more manual. I think I can do multiple IDs on the Chromebook too, but it’s a new area for me… I’m mostly Linux / Unix…

    So that’s the quick and easy set of “what I do” as a first layer. Then, coming up:

    Put up PiHole (again…) on this setup. Configure it to look high in the DNS system (i.e. not at my Telco nor any single provider – though probably not at root servers) and then once again hit the TLS / HTTPS configuration inside of it. Last time I set one up was long ago, and IIRC, had trouble making DoT/TLS work. On one of my (now packed in boxes) other servers / desktops I’d set it up to use DoH/HTTPS and that wasn’t too hard. As I get to those bits I’ll likely post how I did it (if anyone is interested).

    But yes, the end goal is in fact DoT from the PiHole as internal DNS server walking the authority tree to the authoritative server for any given lookup. I’d also like to set up DoH or DoT based DNS lookups on the ChromeThings and Android Things, but neither of them is my strongest skill area and I hope to be back on my Linux Desktops inside a month (2 outside) so there’s a timer running… i.e. limited exposure time so limited benefit…

    If you have any pointers on doing DoT or DoH on a Chromebook point away. It will save me the search time. Last ChromeThing I used was an HP Chromebox about a decade ago… (also bought as an emergency fix to a broken system when “on the road”… I think I’m seeing a pattern ;-) When I need a browser, any browser, with a keyboard, and I’m far far away from all my kit, the cheapest quickest thing to do is get a disposable ChromeThing… To say I’m out of date on my Chrome Skills is a vast understatement…

    (If Only a reliable and cheap Linux Laptop were sold in stores..)

  7. E.M.Smith says:


    That’s the case that Prak was pointing out. Your provider is intercepting every DNS lookup request. The only way you get past that is to use encryption in the lookup.

    1) Get a VPN and run all your traffic through it to their exit point to the world. This blocks Spectrum from even seeing the DNS traffic (or any other traffic too). Any VPN service ought to work for that.

    2) Set up DoH or DoT between an internal DNS server and alternative DNS providers. This encrypts the DNS traffic but doesn’t prevent the Telco from observing that actual data traffic nor from observing that you have encrypted traffic to those DNS providers. IF they are Truly Evil, they will block even encrypted traffic to those IP addresses and you will have to resort to #1

    3) Definitely not preferred but…. as a coping mechanism until the rest is worked out: You could set up a WiFi Hotspot and put a “dual homed” system in place that provides DNS to your local network, and looks “upstream” via the hotspot for DNS resolvers. I did something like this with a Raspberry Pi once. Had a T-Mobile 2G Hotspot, then an RPi with one side plugged into my home network via ethernet and the other side doing a WiFi connect to the HotSpot. Since it would only be DNS lookup traffic, there ought to be relatively low data volume so even just using your Cell Phone as hotspot could be enough. Your home computers look to that Server as their DNS resolver but the rest of their traffic routes normally out your Spectrum router. About $50 for the RPi hardware and anywhere from $0 (if using your phone and you have HotSpot Data available) to about $25+ $25/month for a cheap hotspot and burner phone no contract type data plan. You put a hard route for your local network into the Pi (saying, for example, all traffic to 192.168.x.x goes out the ethernet) but leave the default gateway as out the WiFi spigot.

  8. jim2 says:

    Yes, I know, this is Firefox; but apparently they are implementing DoH. If they are doing it, other browsers might be also. I note in the dox there is a way for service providers to turn it off, however.

    I’ve been using TOR for anything I want private. No guarantees in life, however.

  9. E.M.Smith says:

    Hmm… Looks like Chrome has had it since 2019 (looking for newer How To now…)

    As of March 2018, Google and the Mozilla Foundation started testing versions of DNS over HTTPS.

    Starting with Google Chrome 78, you can enable DNS-over-HTTPS via a new Secure DNS lookups command line flag.

    Starting with Google Chrome 83, DNS-over-HTTPS is enabled by default.

    Secure DNS can be configured to use your current ISP’s service if available (default), another provider from a list, or a custom provider.

    See also:
    A safer and more private browsing experience with Secure DNS | Chromium Blog
    More intuitive privacy and security controls in Chrome | Upgraded security with Enhanced Safe Browsing protection and Secure DNS

    My “about Chrome” says:

    Version 102.0.5005.75 (Official Build) (64-bit)

    I think that says I’m on Chrome 102, so ought to be able to point DOH from the browser directly at the DNS provider of my choosing. Hmmm…. That’s a big step up from last time I looked at all this about 8 years ago…

    I think I’m off to find how to point DoH on Chrome somewhere other than the default…

  10. E.M.Smith says:

    Well. That was easy. Using the tutorial in the second link in my comment above, in theory, I’m now using DoH to and can try it with any other provider I like via the “custom” option.

    It is pretty simple really. Open the settings (three dot upper right), choose Security & Privacy, choose Security, scroll all the way to the bottom to turn on “Advanced” so you know the feature exists at all and can configure it, then make your choices…

    Nice. Now I just need to pick a provider … and test if I can do the ad blocking this way.

  11. E.M.Smith says:


    Given that Chrome is now doing DoH by default, I’m wondering if what I thought was the Telco blocking the Ad Blockers was in fact Chrome trying to do DoH to them and them not having it…

    Chrome is by default looking to do DoH to your default DNS resolvers. Not all DNS resolvers do DoH, so some of them will fail. AdGuard, for example, has “plain” resolvers given by IP number and lists DoH servers as available but listed by URL / name. Using the “plain” resolver IP (which is what I’d tested) may well point at a non DoH capable resolver.

    The use of DoH by default is going to complicate debugging for things Chrome.

    So, OK, I now need to find IP numbers I can set for ad blocking resolvers and put one in the Chrome browser configuration…

  12. E.M.Smith says:

    Well… put resolver into Chrome and it worked. seemed to work, but in reality it does not accept IP Numbers there, it wants a URL. But I didn’t notice the change to red font meaning it failed, and it just defaulted back to using so I got to try again. I’m now using: as the resolver. This, to me, does raise the question of how Chrome gets the IP address from that URL to know what to use as the resolver… so some other resolver must be in use for that first step.

    I think this confirms that it was the Telco making it not work before. Maybe… I’m going to leave this system with this DNS resolver for a while and see if in fact ads are reduced and performance continues OK with the browser.

    I’m guessing the Telco was looking for plain DNS traffic to this IP and blocking that, but doesn’t have a rule just generally blocking all traffic to it (so that DoH gets through)? Just seems odd to me that it doesn’t work as a regular DNS resolver but does via DoH to the same I.P.; then again, Telco’s don’t impress me as the best and brightest.

    Whatever… at least for now I have a solution for the ChromeBooks. (Android tablet is old and using an outdated set of browsers with nothing new installable. Pine64 can likely do just about anything if I’m willing to put in the work to figure out how. Spousal Mac? I’ll need to see what’s on it. Then there are the Android Phones and iPhone to figure out, or not…)


    I also found this site:

    That claims to test if your ad blocker is working. It strongly prefers a different ad blocker and it is available only as an extension inside the browser. I’ve since also installed it (in theory I’m using both a DNS DoH ad blocker and the extension).

    Their claim is that many of the “ad blockers” don’t. (warning, contains F-Bomb comic)


    The sorry state of ad blockers
    Many ad blockers are now in bed with the advertising industry. We suggest you stay away from these: Adblock Plus, Adblock, Adguard.

    These blockers maintain a list of advertisers that they deem ‘acceptable’. The list of ‘acceptable’ advertisers is always growing. The user has to opt out of the list to get full ad protection.

    Not all of its 144 million or so users know this, but Adblock Plus comes preloaded with a filter that allows some ads to be shown. That white list is turned on by default when someone installs Adblock Plus, so users must manually opt out if they don’t want to see any ads. Those ads that don’t get blocked come from companies and organizations that Adblock Plus calls “strategic partners.” —RIP: Adblock Plus: Your shady whitelisting ways mean you’re dead to me.

    This ad, from a company the BBC describes as “at the forefront of ‘click-bait'” is just one example of what Adblock and Adblock Plus deem ‘acceptable’:

    So looks like some more research needed to find an Ad Block DoH server that actually blocks all ads. As I’m mostly looking to do this to reduce the burn rate on my “Data Plan” on my burner phone and hotspot, having as much crap out as possible is my goal.

    But in theory I now have “belt and suspenders” and just need to look for a bit better “belt” DoH server.

    And folks wonder why I’m no longer interested in doing this kind of work for a living…
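    The transport question this thread keeps circling back to (in comment 7, where DoH/DoT encrypt the lookup but the Telco can still see and block the traffic to the resolver, and in comment 12, where the same provider fails as a plain resolver but works via DoH) can be checked directly rather than inferred from browser behaviour. The script below is an added example, not code from this post or from any of the resolver providers named here: it builds a DNS query by hand, sends it over plain UDP on port 53 (RFC 1035), DNS over TLS on port 853 (RFC 7858) and DNS over HTTPS (RFC 8484), and reports per transport whether an answer came back, timed out, or errored. The resolver address 203.0.113.53, the TLS name dns.example and the DoH URL are placeholders to replace with the resolver under test.

```python
"""Probe one resolver over three transports so a plain-DNS block on the path
can be told apart from a dead resolver.  Added example, not the post's code."""
import socket
import ssl
import struct
import time
import urllib.error
import urllib.request

TXID = 0x1234  # fixed transaction id so parse_response can match the reply


def build_query(name, qtype=1, txid=TXID):
    """Minimal RFC 1035 query: 12-byte header, one question, class IN, RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data, txid=TXID):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_udp(server, name, timeout=2.0):
    """Plain DNS: one datagram to port 53, one datagram back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


def query_dot(server, name, tls_name, timeout=3.0):
    """DNS over TLS: TCP/853, each message prefixed with a 2-byte length."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            msg = build_query(name)
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return _recv_exact(tls, length)


def query_doh(url, name, timeout=3.0):
    """DNS over HTTPS: POST the wire-format query as application/dns-message."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def probe(label, fn, *args):
    """Run one transport; return (label, status, milliseconds, addresses)."""
    t0 = time.monotonic()
    addrs = []
    try:
        rcode, addrs = parse_response(fn(*args))
        status = "ok" if rcode == 0 else "rcode=%d" % rcode
    except (OSError, ValueError) as e:  # URLError and socket.timeout are OSErrors
        reason = getattr(e, "reason", e)  # URLError wraps the underlying socket error
        if isinstance(reason, (socket.timeout, TimeoutError)):
            status = "timeout (blocked on the path, or resolver dead)"
        else:
            status = "error: %s" % reason
    return label, status, round((time.monotonic() - t0) * 1000), addrs


if __name__ == "__main__":
    # Placeholders (TEST-NET-3 address and an example hostname): substitute the resolver under test.
    RESOLVER_IP, TLS_NAME = "203.0.113.53", "dns.example"
    DOH_URL = "https://dns.example/dns-query"
    for row in (probe("plain UDP/53", query_udp, RESOLVER_IP, "example.com"),
                probe("DoT/853", query_dot, RESOLVER_IP, "example.com", TLS_NAME),
                probe("DoH/443", query_doh, DOH_URL, "example.com")):
        print("%-14s %-50s %5d ms  %s" % row)
```

    A timeout on UDP/53 next to a normal answer on 853 or 443 is the pattern described in comment 12: the path, not the resolver, is refusing plain DNS. The reverse (UDP answers, TLS fails) usually means the provider's plain-IP resolver simply has no encrypted endpoint, as noted in comment 11. Remember that a "working" plain UDP answer is unauthenticated, so it says nothing about whether something in the path rewrote it.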

  13. cdquarles says:

    Click on ads? I try very hard not to click on them. Mis-clicks do happen. If I see something I am potentially interested in, I’ll try to get the seller’s site directly.

  14. E.M.Smith says:

    Says I’ve scored 97 out of 100 (and the “misses” are things that can’t be tested perhaps due to other security settings and one that is “likely passed” but hard to tell for sure.)

  15. H.R. says:

    @cdq – Same ad practice here. My ad-blocker is very effective. I rarely see ads to even have a shot at a mis-click.

    The one that gets me is when on my regular blog rounds, someone in comments posts a link that looks interesting to me, and when I get there, I can’t view the article until I disable my adblocker.

    I won’t disable my adblocker, so there are a good few articles that I miss getting to read.

    When I’m doing a generic search for something, e.g. “weed whackers”, I look at what products come up and do the same as you. I go to the manufacturer’s site or I search on a brand and model at a place where I am likely to buy the item, such as Home Depot.

    I’m a “Don’t call me. I’ll call you” kind of guy. 😁

    I’ve told a few of my messin’ with robo-dialed, but in-person boiler room callers. One fun thing I sometimes do is along the lines of “Don’t call me. I’ll call you.”

    I let them get a bit of a start, then interrupt them to say that I don’t do business over the phone and to mail me the information. Then I’ll consider it and contact them if they are interested. The smart ones just say OK, hang up and move on to the next one.

    The dumb ones ask for my address, which gives me an opening to go into my angry rant about them calling people at random; complete strangers that they don’t even know where they are. I can rant ’til they hang up on “the crazy guy.” I suspect I get stricken from their robocall call list.

    It annoys Mrs. H.R. that I mess with spam callers. “Why do you bother? Just hang up.” But it’s just so much fun! 😁😁

  16. Ossqss says:

    @HR, if I am in a quiet environment, I always answer the spam calls and hit mute and speaker phone to see how long it takes them to hang up. It seems to work as most never call back as they must think the line is dead with no voice mail.

  17. E.M.Smith says:

    One of my friends likes to just “play along” and keep asking questions. Does it do foo? How is this financed? Can you go over that again? Eventually they get around to asking him if he’s ready to buy or why so many questions or “whatever” which is when he explains he will never buy anything over the phone, but figures as long as they are talking to him they are not bothering other folks… or making any money.

    Typically never gets another call from that boiler room / product / shop…

  18. E.M.Smith says:

    Well, back on the Pine64, Chromium does not have the DoH feature available yet. So I’ve installed the uBlock Origin extension and I’m presently installing Pi-Hole on it.

    That ought to give me pretty good coverage. And it can act as a DNS resolver for other devices where I can’t do as much (like my very old tablet that can’t get updated anything anymore…

    Odd that a few years after first rollout Debian Chromium still doesn’t have that option. OTOH, it’s Buster so probably a release or two back from current…

  19. E.M.Smith says:

    It took a LONG time for the repository update to complete, but I’ve now got Pi-Hole installed on the Pine64.

    By default the Pine does not look to itself for DNS (i.e. it doesn’t use the pihole install) so I’ve got a bit of work to do to figure out how to make it do that (turns out this SBC has ip2d running, dnsmasq installed, and some other bits of Strange Stuff I was playing with about 2 years ago, so isn’t a vanilla install… so I have to figure out what all I did on it back when to know what it is set up to do now… and then clean up that history for the current use case).

    I’ve got it set up to “serve” out the ethernet port, so need to plug it into my WiFi router and then things pointed at that will get Pi-Hole DNS… but that means I also need to set it up to BE a router to the WiFi Hot Spot… which I did with a RPi a decade back but will require some remembering…

    So basically nobody is using the PiHole at present, but it is installed. And “some assembly required” to get it using itself and get other things able to route through it via my own WiFi Router since I don’t have a telco wire to plug into my WiFi Router…

    But it’s late and I’m getting a bit tech fuzzy so need sleep. And Tomorrow is Another Day…

    So I’m likely to just call it a night now and pick it up tomorrow night. After all, the main browser I use on this card is already ad blocking via the extension….

    So one small brick at a time I start rebuilding all the protections I had before that are now living in a box in a storage unit in California… Sigh. Sometimes….

  20. paul says:

    My Pi-hole is at The router is at I told the router to use the Pi at .24 for DNS instead of the ISP’s numbers. Seems to work for everything that gets DHCP from the router… although I had to change DNS on the two PCs that have fixed addresses to use the Pi instead of the router. Easy enough.

  21. E.M.Smith says:


    Yup, easy peasy. That’s basically how my rig was set up in Kalifornia (though at ..1.254 & …1.253).

    The added complication here is that the “network” isn’t wired, it’s any one of 3 cell phone hot spots. So I have a lot less control of what gets done / configured / changed and where. I’m also interested in getting back to using my own WiFi Router so a lot of my “stuff in boxes” will just work as presently configured.

    So one path (as you point out) is to static IP the Pine64 WiFi address and then configure every terminal node appliance to point at it for DNS (can’t change what’s served by DHCP from the hot spots). That will involve changing every system (and I’ve got a few) and would change every time I swap hot-spot telco device (as they use different numbering and I’ve not found a place to change it). I have more than one so when one “runs out of data” I can swap to the next one…

    I figure it would be less trouble longer term to have the Pine64 DHCP a WiFi uplink address when it connects to a given hot spot, and then have a hard coded IP on the Eth0 that plugs into my WiFi Router. Then every device I have just connects to my WiFi Router (access point) and gets the DNS Server address from it as usual. IF I put the Pine64 at the same IP # as my prior Pi-Hole I don’t even need to reconfig much on anything.

    But I would need to configure the Pine64 to act as a router from Eth0 to default gateway.

    Were it just one Hot-Spot and a couple of laptops, then yes, it would be easy enough to just have it all on the Hot-Spot WiFi and hard code the DNS IP. But it isn’t.

    And yes, this is all a horrible kludge. What was supposed to be a 1 month temporary use case has turned into 3 months, so needs some patching over / fixing up.

  22. Taz says:

    If your system can make use of DNS over TLS, the paid NextDNS is a good choice. All of the DNS servers offered by VPN providers have been pretty good. I prefer to VPN from a dedicated gateway box running Privoxy.

  23. Taz says:

    @H.R “I won’t disable my adblocker, so there are a good few articles that I miss getting to read.”

    Might help

    1. Install a simple toggle switch addon to Firefox which switches on/off javascript.
    2. Archive that page to one of the many online archivers, then read the result. Sometimes takes a while.

  24. Taz says:

    Privacy badger from the EFF is a good blocker. The DNS checkboxes on NextDNS also help a lot. Everything is pre-configured and stable. Privoxy still works pretty well too though it probably shouldn’t the way I use it. Sometimes I just turn off javascript and only turn it on when one can’t get around it.

  25. E.M.Smith says:

    All good stuff. I’m just getting started on VPN use. I’ve used it on the Tablet when at coffee shops and such as a “free app” but as expected a “free app” had issues with reliability. I’ve just not felt motivated enough to buy / set up a “real” VPN for what I do (which is basically all public on the blog anyway…). I stand by my opinions and publish them. I try to stay 100% legal at all times. I do research for articles that then contain too much research ;-) So I end up just “skipping it” as I don’t have anything in my feed that I’d not defend in the public square, and I’m lazy ;-)

    But we’ve reached the point where honest people following the law are persecuted for normal beliefs and actions, so I need to start doing that whole VPN thing more rigorously…

    FWIW, on the ChromeBooks, I discovered that the Calculator App depends on JavaScript. Turn it off, no calculator. Also an “Odd Bit”:

    I have 4 “bars” in a row in the Chrome Browser when reading my blog pages. From the top down: List of tabs. URL SuperBox. Bookmarks. Then the 4th one has “My Sites”, “Header”, an up arrow to get to the top of page, “Write”, an outline of a person, and a bell. IF I turn off Javascript, the “up arrow” goes away and I must scroll by hand all the way to the top of long pages. But it’s worse than that:

    On the little ChromeBook, after I set a lot of stuff including turning off most information leaking things, that whole 4th bar went away. Try as I might, I can’t figure out (yet….) how to get it back. I have Javascript on but still nothing. Even the “how to get your bars back in Chrome” pages on the net just cover the first 3, not this one.

    If anyone has clue on that, I’d love to have a whack with the Clue Stick!

    (“Someday”, I’m going to sit down with the two ChromeBooks side by side and go through Every Single Setting and try to find any difference… but that’s a few hours)

    But just Be Advised that the ChromeThing seems to depend on JavaScript for some of the basic functions provided, such as the calculator. That was a surprise disappointment to me as I generally shut off JavaScript.

  26. Prak says:

    “we’ve reached the point where honest people following the law are persecuted for normal beliefs and actions”

    Exactly that, which is why I use TOR.

    WRT the earlier DNS issues, IMHO you’re well past the point where you should have your own router/firewall to make things easier.

    I’d suggest a Pi3 (or newer) running OpenBSD. pf really is the best firewall currently available; a couple of rules (one NAT on the wifi interface) and you’re pretty much done. A couple hours work at most.

    It would also let you do DoT with just a couple of lines of config in /var/unbound/etc/unbound.conf, and Wireguard is in the kernel for when you want to go full VPN. I’ve had good experiences with both TorGuard and NordVPN, and I think both support Wireguard.
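
As an added example (not code from this thread or from OpenBSD, pf or unbound themselves), here are the three configuration fragments the gateway box sketched in comments 21 and 26 needs: IP forwarding, a pf NAT rule on the hotspot-facing WiFi interface, and unbound forwarding over DNS-over-TLS from /var/unbound/etc/unbound.conf. It is written for OpenBSD as comment 26 proposes, but the layout (DHCP-assigned WiFi uplink, fixed address on the wired side, clients pointed at the gateway for DNS) is the one comment 21 describes for the Pine64. Interface names, the LAN addressing and the Quad9 DoT endpoint are assumptions to substitute with your own:

```shell
#!/bin/sh
# Added example, not code from the thread or from any project named in it:
# the three configuration fragments an OpenBSD gateway (a Pi3 or Pine64)
# needs to sit between a cell-phone hotspot and a wired LAN, as sketched in
# comments 21 and 26: IP forwarding, a pf NAT rule on the WiFi uplink, and
# unbound forwarding over DNS-over-TLS. Interface names and addresses below
# are assumptions; the Quad9 DoT endpoint is one public choice among several.

# /etc/sysctl.conf: without this the box answers DNS but forwards nothing.
sysctl_conf() {
    printf 'net.inet.ip.forwarding=1\n'
}

# /etc/pf.conf for $1 = WiFi uplink to the hotspot, $2 = wired LAN interface.
# The uplink address is assigned by the hotspot's DHCP and changes when the
# hotspot is swapped, so nat-to names the interface in parentheses (looked
# up at packet time) instead of a hard-coded address.
pf_conf() {
    wifi=$1
    lan=$2
    cat <<EOF
wifi = "$wifi"
lan  = "$lan"

set skip on lo

# Rewrite LAN sources to whatever address the uplink currently holds.
match out on \$wifi inet from \$lan:network to any nat-to (\$wifi)

# Default deny: nothing from the hotspot side reaches the gateway or the LAN.
block return
# LAN hosts may originate anything (including queries to the resolver on 53).
pass in  on \$lan inet
# Replies and the gateway's own traffic go out stateful.
pass out quick inet
EOF
}

# /var/unbound/etc/unbound.conf for $1 = gateway LAN address, $2 = LAN prefix.
# Clients get $1 as their DNS server from the LAN-side DHCP; the hotspot's
# resolver is never consulted, and the upstream is reached only over TLS.
unbound_conf() {
    lan_ip=$1
    lan_net=$2
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $lan_ip
    access-control: 127.0.0.0/8 allow
    access-control: $lan_net allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    # CA bundle unbound uses to verify the DoT peer (OpenBSD's default path).
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name: the name after '#' is checked against the
    # server certificate; without it the TLS session is unauthenticated.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
EOF
}

# Sanity check on a generated unbound.conf (passed as a string): returns 0
# only if every forward-addr carries an auth-name, i.e. the forwarder is
# authenticated as well as encrypted.
dot_is_authenticated() {
    ! printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*forward-addr:' \
        | grep -qv '#'
}

# Usage: sh gateway-conf.sh --print iwx0 em0 192.168.1.1 192.168.1.0/24
if [ "${1:-}" = "--print" ]; then
    sysctl_conf
    echo '-----'
    pf_conf "$2" "$3"
    echo '-----'
    unbound_conf "$4" "$5"
fi
```

The piece that makes this match comment 21’s plan is on the LAN side: whatever hands out DHCP there (the Netgear access point, or dhcpd on the gateway itself) advertises the gateway’s fixed LAN address as the DNS server, so nothing on the clients changes when the hotspot behind the gateway is swapped. The `dot_is_authenticated` check exists because `forward-tls-upstream: yes` alone only encrypts; the `#auth-name` suffix is what lets unbound verify it is talking to the resolver you chose rather than to something in the path.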

  27. E.M.Smith says:

    I had that all set up in California. Used the Telco Router as the DMZ for things like an I2P router / server and a TV or two along with one DNS server. Then there was “my own router” doing NAT, with my private DNS server behind it and various other servers and desktops. (Then a 3rd one for The Lab where I would do experimental things, so it was isolated by 2 routers up stream from any incoming traffic or outgoing leakage.)

    Oh, and my DNS server was configured to query the Source Of Authority for the first lookup (i.e. not anyone else’s server such as the Telco or Google) and then cache it for a couple of days. Also had spam blocking and a few other things… So at most any IP lookup could leak ONCE per day or two and those to Google et al. and known SPAM / advertisers never even did that.

    Now I’m living out of a suitcase, so things are slowly being rebuilt. I do have my “interior router” unboxed and was trying to make a go of it a month ago, but the Odroid XU4 didn’t want to talk WiFi to my Hot Spot, so I did a ‘fall back’ to the Pine64 that was working with WiFi.

    I’d expected to be in a house by now, so wasn’t putting time into a temporary set up (hotspot) since it would be wired “Real Soon Now!”. But that fell through. But “this time for sure!” as we continue the hunt for housing…

    Probably about time I unpacked the Round Tuit and got back to a more normal set-up.

    This is what I’m likely to do as the first step:

    IF I can find the box with the R.Pi in it… or I suppose I can use the Pine64…

    Then I’ll have my boundary router to the HotSpot and can plug in my interior router (Netgear) with its own WiFi and then proceed to add all my usual bells and whistles…

    Or maybe I ought to just get a home first… ;-)

  28. jim2 says:

    What with the President Puddin-head recession coming, you might want to suffer for 6 more months. You might get a really good deal on a house.

  29. E.M.Smith says:

    We’re exploring 6 month to 1 year rentals, too. It’s a dynamic thing at the moment. Plus, we’re not going to be using even 1/3 of our cash, so if we buy too early, we’re still hedged.

    OTOH, I’m thinking a modest price RV for a few months, with tanks full so we can ‘relocate’ at least once, if needed… maybe.

  30. beng135 says:

    Shields Up! has a very interesting tool (Windows) for measuring DNS server speeds (you can add to his list).

  31. beng135 says:

    Alternate DNS — works, but the secondary, does not work. whois says that secondary IP address is actually Amazon!
