
Optimal DNS Ad Blocker - uptown
http://optimal.com/network-ad-blocking-beta/
======
buro9
One can achieve this locally, on a laptop/desktop, using
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

Or you can combine that with
[https://github.com/jlund/streisand](https://github.com/jlund/streisand) to
have a VPN service that happens to adblock (great for mobile).

That said... I like that Optimal have made this too, because neither of the
above can work for all devices in a household and more things in the house are
tracking you and serving adverts (TV!).

The real questions I have are:

Who sources the list of domain names in there that they will null route?

How will this work with DNSSEC protected sources, and do they anticipate
this at all?

How will they become aware of new domains being used by smart devices that are
not shared by web sites (and therefore no-one notices and adds it to any
blacklist)?

~~~
benologist
If you want StevenBlack's hosts list to be network-wide I integrated it with
an open source, self-hosted DNS server called [https://pi-hole.net/](https://pi-hole.net/) last week which adds a slick admin interface
and browser extensions too, then I put it all in a Vagrantfile and set my
router to use the VM as a DNS server.

Screenshot: [https://i.imgur.com/ELL9CDu.png](https://i.imgur.com/ELL9CDu.png)

Vagrantfile: [https://github.com/benlowry/pihole-extended-hosts](https://github.com/benlowry/pihole-extended-hosts)

~~~
dalanmiller
I use pi-hole at home and it's a great little tool for my home network and I
think makes a noticeable difference on web browsing speeds.

My only wish is that it would serve a page notifying me "this is possibly an
ad, but would you like to continue?" versus just flat out blocking. I know
there's a whitelisting functionality but it'd be cool if I could handle this
directly in my actions in the browser.

------
binaryanomaly
Getting rid of ads in exchange for letting an additional third party know all
my Web-surfing respective DNS-lookups?

Not sure which one is worse ..?

~~~
themihai
Well... what DNS are you currently using now? Isn't it a 3rd party? I had 8.8.8.8
so I guess the switch is a no-brainer

~~~
binaryanomaly
In fact, I have my own DNS server running ;)

But if I had not:

\- My ISP whose DNS I used, is subject to strong regulations and laws here

\- "Additional" 3rd parties are more out of control from this perspective,
therefore a significant higher risk, imho

I agree, when you used google DNS before, it's same same...

~~~
nickysielicki
In the US, at least where I've lived, most consumer ISPs will hijack nxdomain
to their own search engine, which allows them to display ads and sign deals
with search engines and make some cash on the side.

------
Flammy
Well this makes me feel a little better... from [http://optimal.com/privacy-policy/](http://optimal.com/privacy-policy/)

WHAT WE COLLECT

We get information about you in a range of ways.

 _snip_

DNS service. If you utilize our DNS-based service, we may receive information
about your IP address and URLs requested by that address. DNS requests utilize
the UDP protocol which means we do not typically get information on the full
URL you are attempting to visit (We receive far less information than a
company providing a VPN service to you, for example, and that is one of the
reasons we prefer this approach as it gives us far less information about user
browsing). We do, however, have an IP address associated with each request and
so could produce a list of sites visited by each IP address using our DNS
servers. We do not know who you are when you use our DNS service, however. IP
addresses may also be shared between users, and are not universally regarded
as personally identifiable. We only use the IP addresses as follows: (a) the
count of unique IPs we use as a benchmark for the adoption of our DNS service,
and (b) we may check IP addresses against a free database of countries or
cities provided by MaxMind and hosted on our servers, to limit the ability for
users outside of certain areas to use our DNS service. We will not use the IP
addresses we gather for any other purpose, and we will not correlate or
combine them with any other personal information provided by you or other DNS
service users, and we will never sell or share any of this information with
any outside companies in any way. We may use aggregate request counts to help
compensate publishers based on overall site traffic, across all users of our
DNS service.

~~~
0xmohit
Additionally, it says:

    
    
      - We may share personal information with your consent. For example, you may let us share personal information with others for their own marketing uses. Those uses will be subject to their privacy policies.
      - We may share personal information when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
      - We may share personal information for legal, protection, and safety purposes.
      - We may share information to comply with laws.
      - We may share information to respond to lawful requests and legal processes.
      - We may share information to protect the rights and property of Optimal.com Corp., our agents, customers, and others. This includes enforcing our agreements, policies, and terms of use.
      - We may share information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any person.
      - We may share information with those who need it to do work for us.
      - We may also share aggregated non-personal data with others for their own uses.
    

Essentially, there are so many reasons for us to share your personal
information that we can't help it.

Amusingly, the website:

\- Uses Google Analytics

\- Runs over HTTP (not HTTPS)

------
jgrahamc
Now that's a blast from the past. Back in 1996 I joined a company in Mountain
View called Optimal Networks, Inc. which had the domain name optimal.com. We
sold the company to Compuware and the domain lived on for a while.

If you search jgc@optimal.com you'll find ancient messages from me still
lurking on the web. I wonder if that email still receives spam?

~~~
optimalrob
We get all kinds of crazy optimal spam!

~~~
dsl
You should hook him up with his old work address!

I actually went on an adventure of re-registering old company addresses a few
years ago.

~~~
optimalrob
Interesting question-> how would he prove that he once had that address? :)

~~~
dsl
The internet will do it for you. [http://www.the-email-archive.com/email-data-jgc-optimal-com-...](http://www.the-email-archive.com/email-data-jgc-optimal-com-7804307.htm)

------
benologist
This looks really cool, especially for the bajillion mobile-only people
connecting straight through their telco without any ublock/ghostery/hosts/etc
blocking.

I am using a local DNS server that does this called Pihole [1] supplemented
with additional blocklists [2] for malware and privacy.

One thing I don't see is any statistics ... you might be surprised at how much
software in your home is endlessly communicating with companies you might not
even have heard of, and that's been a great benefit of taking control of my
DNS resolution [3].

[1] [https://pi-hole.net/](https://pi-hole.net/)

[2] [https://github.com/benlowry/pihole-extended-hosts](https://github.com/benlowry/pihole-extended-hosts)

[3] 5.1% of my networks' requests today got blocked -
[https://i.imgur.com/ELL9CDu.png](https://i.imgur.com/ELL9CDu.png)

~~~
dingaling
It would be useful if their website described what exactly it installs. A
recursive DNS server with a web UI and big list of null-routed domains? That's
my guess.

How does that help mobile users outside their home network without also
setting up a VPN back in?

~~~
optimalrob
We'll be adding more info when we prep things for a wider consumer release. We
are working to learn as much as we can and are looking forward to everyone's
feedback!

~~~
benologist
Features I'd like:

\- reports on who my device(s) are contacting

\- no technical capability for anyone else to access those reports

\- import block lists from browser extensions / hosts lists etc

\- set my own forwarders

\- browser extensions so I can see what's blocked, unblock stuff, pause
blocking etc, maybe an app on my phone could provide the same functionality

Mostly this is about extending your umbrella to cover privacy/malware, I don't
really differentiate anymore between the different flavors of crap websites
embed to make the internet more annoying and less safe.

~~~
optimalrob
Thanks for the suggestions!

------
geuis
I experimented with this idea back in March, [https://github.com/geuis/lead-dns](https://github.com/geuis/lead-dns)

It turns out to be a pretty bad experience. There are tons and tons of legit
domains that serve normal content that also serve ads. I used a subset of urls
from a popular ad blocking list ([https://github.com/geuis/lead-dns/blob/master/lists/easypriv...](https://github.com/geuis/lead-dns/blob/master/lists/easyprivacy%2Beasylist.txt)).

After only a few hours, using the web normally was near impossible. Just a
very broken experience. Sadly, since you can't pass a path to a dns server,
there's no finer-grained way to allow certain requests to a domain to go
through and block others.

~~~
josho
I've been using DNS to filter out the worst offenders. I don't mind most ads,
so my list of domains is quite small. But, I've found it to be an effective
tool.

I agree, however, that anytime a site is broken that I'm left wondering if I'm
responsible because I've inadvertently blocked a CDN or something important.

------
profeta
I will just leave this here
[http://someonewhocares.org/hosts/](http://someonewhocares.org/hosts/)

i put this hosts file on every device/router that i touch.

It works fully local. So infinitely (and this is not even a hyperbole) faster
and you won't have to exchange one privacy hole for another on the "cloud".

~~~
bitchypat
>infinitely (and this is not even a hyperbole) faster

Not if your HOSTS file is >135KB (the one you've provided is 373KB), you're
using Windows 8 or earlier and you haven't disabled the DNS Client service.

[http://winhelp2002.mvps.org/hostswin8.htm](http://winhelp2002.mvps.org/hostswin8.htm)
(about half way down)

~~~
wila
Not OP, but he said "device"/"router", not many of those run Windows 8.

FWIW I do the same, also use that host file at the border router and yes the
difference is quite big. I'm always shocked about the extra adverts I see when
using a computer or tablet outside of my own network.

------
AdmiralAsshat
I'd like to believe that Optimal is being altruistic with their DNS servers
and just trying to help rid the world of annoying ads...but I'm also
realistic.

My VPN provider (Torguard) provides one of these as well. I'm a little more
willing to trust them not to do anything malicious with my DNS requests, if
only because I'm paying them.

~~~
Retra
I don't find the "I can trust them because I'm paying them" idea very useful.
Nor the "If you're not the customer you're the product."

The bottom line is, if your information is valuable, then it will be in the
advantage of those who possess it to exploit it whether you pay them or not.
The only real non-moralistic consideration is whether you will stop paying if
they start selling.

Either way, "I have a moral obligation to not sell your info, even if you
don't pay me not to" sounds a lot better to me than "I don't sell your info
because you think you're paying me not to." It's a horse apiece if you're
dealing with strangers and you have to take them at their word.

~~~
wpietri
The difference is in sustainability. Sure, some people always want more;
morality is no barrier for them. But most people run into trouble only when
they face a significant conflict of interest.

Thinking about companies I've seen the inside of, when the company is doing
ok, it's rare for people to just up and do something sleazy. But if the
company could collapse, suddenly the moral calculus shifts. Even if they don't
do something dubious, they often will consider revenue sources they would have
ignored before. As they say, desperate times call for desperate measures.

So I'm much more likely to trust a company I'm paying a fair rate for what
they're doing. That's not to say that those people don't turn bad sometimes,
but it happens a lot less.

~~~
optimalrob
Read my medium posts (medium.com/@robleathern) to get a sense of what we are
doing and why. It's easy to make money in the online ads industry but we are
not going to compromise our values to keep this company alive. Too many
startups pivot their way to sustainability at the cost of what they set out to
do in the first place. We won't.

------
bognition
Very interesting. I'd be curious to know what Optimal plans to do with all the
DNS traffic they'll be collecting

~~~
matt_wulfeck
I'm definitely wary of handing over my DNS data to a company I don't know.
Besides, Safari ad blocking plugins already take care of this while surfing.

This may have unintended (both good or bad) effects on normal app experience
since it's configured on the network.

~~~
optimalrob
We are not selling this information and never will. We built a safari blocker
called fewerads that's in the App Store. But we found lots of users wanted to
block ads in chrome mobile or inside Twitter or Facebook (to be clear, web
ads, not those platforms' ads), which is what led us to this idea.

------
nherment
Not sure what to think of it:

An "ethical" ad blocking service launched Thursday that allows users to pay
their favorite publishers not to show them ads. [...] With Optimal.com, users
will pay a flat monthly fee (Leathern told Business Insider the exact amount
hasn't been released, but it's likely to be a high single-digit number) to
experience an ad free web.

Source: [http://uk.businessinsider.com/optimal-launches-subscription-...](http://uk.businessinsider.com/optimal-launches-subscription-service-for-ad-block-users-2015-12?r=US&IR=T)

~~~
aphextron
>"An "ethical" ad blocking service "

All ad-blocking is ethical. It's the advertisers job to make me aware of
products in a way that doesn't anger me, and they're doing a really shitty
job.

~~~
witty_username
When you adblock instead of not using adblock, websites lose money.

~~~
ionised
They have lost nothing, the money wasn't theirs to begin with.

They don't have the right to decide how users computers should behave when
rendering pages.

------
latitude
I wrote a tiny DNS filtering daemon that does exactly the same -

[https://github.com/apankrat/dnswhisperer](https://github.com/apankrat/dnswhisperer)

I've been using it routinely for past couple of months and it works really
well. It blocks web ads, but it blocks in-app ads and tracking as well.
Tailing a log when launching an iPad game makes for an interesting read. If
anything slips through, just check the log, add the offender to the blacklist
and restart the daemon.

------
jamiesonbecker
Local version, appending to /etc/hosts:

    
    
        # -fsSL: fail on HTTP errors, stay silent, follow redirects
        # (-q only disables ~/.curlrc). The stray "-" is dropped: tee would
        # open it as a file literally named "-", and >/dev/null keeps the
        # appended list off the terminal.
        curl -fsSL https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
          | sudo tee -a /etc/hosts >/dev/null

~~~
shafiqissani
thanks

------
seanwilson
Say everyone in the world started using this today: what solution would Google
need to use to deliver ads to get around DNS blocks?

~~~
witty_username
Google could use the same domain for advertising or use IP addresses instead
of domain names.

~~~
pbhjpbhj
How would they verifiably record the adds served, say on my example.org page
the ads come from example.org too how can Adsupplier Inc. then be sure I
served those ads to a genuine page-requester?

------
dsl
You can use OpenDNS and turn on filtering of the "Advertising" category.
[https://community.opendns.com/domaintagging/?category_id=53](https://community.opendns.com/domaintagging/?category_id=53)

Protip: Doing this at the DNS and not the browser level leads to lots of
brokenness. (Like when you try to sign into an app on your Roku/FireTV and it
hangs on a Google Analytics event).

~~~
sparrish
One significant benefit of OpenDNS is you can go whitelist a site/domain from
filtering if it's breaking something and they have more categories than just
'Advertising'. I use it to help protect myself and my children from
pornography.

~~~
pbhjpbhj
I use opendns, the black/white-listing is a bit unrefined IMO, it does work
though. The limit on the list length is quite tight on the free tier too.

------
textmode
If there is strong demand I could put together a solution for home networks
that does not use a third party resolver, i.e., no tracking whatsoever. It
could be run from an SD card or USB stick entirely in memory, i.e. no install
needed. All you need is an extra computer; old is fine.

As for the "breaking" some websites, it depends on what you block. Speaking
for myself, if blocking doubleclick.net makes one out of thousands hang, then
that is acceptable. In fact it's desired because I want to know about such
sites. What kind of website would do that? Doubleclick offers zero value to
the user. I _like_ this aspect of DNS blocking.

Also it's easy to "whitelist" or "blacklist" certain subdomains if that's what
you need to do. Simply a matter of editing a text file, and this can be
automated.

As for the comments about what effect this would have if practiced by the
masses, I think it would bring these ad-supported search engines and social
media sites to a day of reckoning.

Users would have all the power. At least one search engine claims it's focused
on users. This would put that statement to the test. Users in control. As it
should be.

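A concrete version of the filtering daemon latitude describes and of the subdomain white/blacklisting textmode mentions, added here as an example; it is not dnswhisperer's code, nor anything from Optimal or Pi-hole. The block parses the question from a raw UDP DNS query, walks the name from most-specific label to TLD so a whitelisted subdomain beats a blocked parent (and a blocked domain covers all of its subdomains), answers blocked A queries with 0.0.0.0 and other blocked types with an empty NOERROR, and forwards everything else unchanged. The two sample lists, the listen address and the upstream resolver are assumptions chosen for illustration.

```python
"""Added example: a minimal DNS sinkhole filter.  Parses the question from a
UDP query, matches it against a blocklist with a whitelist override (most-
specific label wins, both lists cover subdomains), answers blocked A queries
with 0.0.0.0 and forwards the rest.  Lists and upstream are assumptions."""
import socket
import struct

# Constructed sample lists, not excerpts from any published blocklist.
BLOCKLIST = {"doubleclick.net", "tracker.example"}
WHITELIST = {"ok.doubleclick.net"}  # overrides the blocked parent for this label
SINKHOLE_IP = "0.0.0.0"


def parse_question(packet):
    """Return (qname, qtype, end_offset) for a query with exactly one question."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("malformed query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype, pos + 4  # skip QTYPE and QCLASS


def decision(qname, blocklist=BLOCKLIST, whitelist=WHITELIST):
    """Walk from the full name to the TLD; the first list hit decides, so a
    whitelisted subdomain beats a blocked parent and vice versa."""
    parts = qname.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in whitelist:
            return "allow"
        if candidate in blocklist:
            return "block"
    return "allow"


def build_sinkhole_response(query, question_end, qtype):
    """Echo the question with QR|AA set; A queries get a 0.0.0.0 answer,
    other types get an empty NOERROR (NODATA) so the client stops asking."""
    rd = query[2] & 0x01
    flags = struct.pack("!H", 0x8400 | (rd << 8) | 0x0080)  # QR, AA, RD copied, RA
    question = query[12:question_end]
    if qtype != 1:
        return query[:2] + flags + b"\x00\x01\x00\x00\x00\x00\x00\x00" + question
    answer = (b"\xc0\x0c"                          # pointer to QNAME at offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4)   # A, IN, TTL 60, RDLENGTH 4
              + socket.inet_aton(SINKHOLE_IP))
    return query[:2] + flags + b"\x00\x01\x00\x01\x00\x00\x00\x00" + question + answer


def handle(packet):
    """Return (qname, verdict, response); response is None when the query
    should be forwarded upstream unchanged."""
    qname, qtype, end = parse_question(packet)
    if decision(qname) == "block":
        return qname, "block", build_sinkhole_response(packet, end, qtype)
    return qname, "allow", None


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a standard recursive query (used to exercise handle() offline)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def serve(listen=("127.0.0.1", 5353), upstream=("9.9.9.9", 53)):
    """UDP loop: answer blocked names locally, forward the rest, log each verdict.
    The upstream address is an assumed placeholder; use a resolver you trust."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(3)
    while True:
        data, client = sock.recvfrom(4096)
        try:
            qname, verdict, resp = handle(data)
            if resp is None:
                up.sendto(data, upstream)
                resp, _ = up.recvfrom(4096)
        except (ValueError, socket.timeout):
            continue
        print(client[0], qname, verdict)  # tail this to see what your devices ask for
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

Run it, point a device at port 5353 and the log shows every name the device asks for, which is the "interesting read" latitude describes. Two caveats that bear on buro9's DNSSEC question: the sinkhole answer carries no RRSIG, so a client that validates DNSSEC itself will treat a blocked name in a signed zone as bogus rather than as 0.0.0.0, which is why this kind of filter normally runs as the validating resolver rather than as a proxy in front of one; and blocking is per name, not per path, so a domain that serves both content and ads is all or nothing, as geuis found.
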
------
IgorPartola
I have tried DNS ad blocking based on one of the popular lists out there.
Sadly it was overly aggressive. It cut off my access to sites like mint.com
and the Google Analytics dashboard (need it for $WORK). It also made sites
like Hulu not work because of their ads. Debugging why this was happening was
a huge pain because for example Mint uses Intuit domain names that are like
right levels deep CNAMES.

I am going to try this out, but here I would have even less control since I
can't edit the zone file.

Edit: Just turned it on and cleared all relevant caches. Still seeing ads all
over Google, CNN, BBC, Imgur and a few others. Don't think this works terribly
well.

Edit 2: oh but now the Comedy Central app on my phone won't launch. Turning
this off.

------
joemccall86
How easy is it to temporarily switch it off if a site is broken? Like if they
have some crucial JS/CSS served from a blocked domain? I also wonder this with
the hosts file approach. Is that kind of flexibility you give up for speed?

~~~
optimalrob
This is a slight issue, we are looking at ways to make this easier. The
reality on the hosts file approach we think is that we can be far more dynamic
and help protect users from bad domains as well, but time will tell.

------
aorth
Adding another vote of confidence for running your own local DNS resolver with
a block list. I use this script to generate a compatible hosts list for
unbound:

[https://github.com/jodrell/unbound-block-hosts](https://github.com/jodrell/unbound-block-hosts)

It's not terribly sophisticated, but every few weeks or whatever I just run
this again:

    
    
      $ ./unbound-block-hosts --file=/opt/brew/etc/unbound/local-blocking-data.conf
      $ killall -HUP unbound

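What such a generator actually has to produce, as an added example that is not jodrell's script or any other code from the page: it turns a hosts-format list (the StevenBlack and someonewhocares files mentioned earlier use that format) into unbound `local-zone`/`local-data` statements so the resolver itself answers blocked names. The sample input, the skip list and the output path are assumptions; only lines whose address is 0.0.0.0 or loopback are treated as block entries, the hosts file's own `localhost` lines are skipped, and duplicates differing only in case are collapsed.

```python
"""Added example: convert a hosts-format blocklist into unbound local-zone
statements.  Sample input and the skip list are assumptions; this is not the
unbound-block-hosts script referenced above."""
import ipaddress
import sys

# Constructed sample in hosts-file format (not an excerpt from any real list).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.tracker.example   # inline comment
0.0.0.0 cdn.tracker.example
0.0.0.0 ADS.Tracker.Example   # duplicate differing only by case
127.0.0.1 stats.example
::1 localhost ip6-localhost
"""

# Names every hosts file carries that must never become block entries.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield unique, lower-cased hostnames from lines whose address is a
    sinkhole (0.0.0.0 or loopback); any other mapping is left alone."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a hosts line we understand; skip rather than guess
        if not (ip.is_unspecified or ip.is_loopback):
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen:
                continue
            seen.add(name)
            yield name


def unbound_config(text, sink="0.0.0.0", ttl=3600):
    """Return unbound statements, one zone per blocked name.  'redirect' makes
    the name and every subdomain answer from the local-data record; sink=None
    emits 'always_nxdomain' instead, which needs no local-data at all."""
    lines = []
    for name in parse_hosts(text):
        if sink is None:
            lines.append(f'local-zone: "{name}." always_nxdomain')
        else:
            lines.append(f'local-zone: "{name}." redirect')
            lines.append(f'local-data: "{name}. {ttl} IN A {sink}"')
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # curl -fsSL <hosts list url> | python3 gen.py > local-blocking-data.conf
    sys.stdout.write(unbound_config(sys.stdin.read()))
```

Pull the generated file in with an `include:` line in unbound.conf, run `unbound-checkconf` before reloading, then send SIGHUP as in the post. One behavioural difference from a hosts file is worth knowing: `redirect` (and `always_nxdomain`) cover every subdomain of the listed name, whereas a hosts file only matches the exact name, so a list entry for a bare domain will also sinkhole its CDN and API hostnames, which is exactly the "did I block something important" breakage josho and IgorPartola describe.
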
------
intrasight
My strategy is to use OpenDNS to block sites, and uBlock Origin to block all
3rd-party access. Then I whitelist stuff. Whitelisting is more work than
blacklisting but I'd claim it is more comprehensive. On my phone I just
disable javascript.

------
esaym
I've been using
[https://github.com/jakeogh/dnsgate](https://github.com/jakeogh/dnsgate) for
about 6 months now. Much better than just throwing stuff into /etc/hosts

------
0xmohit
I haven't used it myself, but I'd believe that Brave [0] might be a better
option.

[0] [https://brave.com/](https://brave.com/)

~~~
optimalrob
I like Brave, and it works well! But many people want to keep using their
FB/TWTR browsers.

------
known
It's not that simple [https://adblockplus.org/filter-cheatsheet](https://adblockplus.org/filter-cheatsheet)

------
ChartsNGraffs
I noticed a recent trend in sites that refuse to serve when running an ad-
blocker. Is the web a usable experience for people who are running ad-
blockers?

------
mrmondo
I wouldn't trust some random company with all my DNS queries, great way to
essentially MITM your internet with yet another 3rd party.

------
justin_oaks
If enough people blocked ads via DNS, I wonder how long it would be before we
saw advertisers using plain IP addresses instead of DNS hostnames.

~~~
blinkingled
Would be more and more of a problem with most sites switching over to HTTPS -
Cert mismatch warnings if your ad URL is https and mixed content warning if
not. Besides how hard would it be for someone to add a rule to uBlock to block
by-IP URL access?

------
jakeogh
[https://github.com/jakeogh/dnsgate](https://github.com/jakeogh/dnsgate)

------
ig0r0
Does not seem to be working for me. Tried both the UK and US IPs, never got a
DNS response

------
davidu
Hardcoding DNS servers that are run on Amazon IPs on AWS is just an incredibly
bad idea.

------
boodm
What are the security concerns with a service such as this?

~~~
dsr_
The obvious two: Optimal gets to see every domain name your computer asks for,
including personalized domains like yourname.bloggingservice.com; Optimal gets
to answer those requests in any way it wants to (MITM attacks).

------
thelittleguys
What software is being used? BIND?

