Set up a cheap cloud hosted adblocker in an hour for $2.50 a month (gomez.wtf)
243 points by Racsoo on March 12, 2017 | 120 comments

Just a heads-up, you can get 1 CPU and 0.6 gigs of RAM for free with the new entry tier of GCP: https://cloud.google.com/free/

(Disclaimer: Google employee, unrelated product area)

Notwithstanding the irony of one google service hurting another, the free tier only has 1GB of free egress traffic right?

Dang, you're right, I forgot about that. So not so suitable, unfortunately.

Seems like root + a local hosts adblocker is still the best solution for Android, or a local VPN for iOS (do they have those on Android? never checked).

> or a local VPN for iOS (do they have those on Android? never checked).

It seems so; at least my Android phone has something named "VPN", which I sometimes use to capture traffic and look at what my phone is sending/receiving.

(Packet-capturing your phone traffic is a pretty eye-opening experience; I was surprised just how much data about you goes to ad/tracking services.)

for Android (local VPN) I am using the free "NoRootFirewall" on all my android devices [1]

for iOS (for jailbroken) via Cydia and BigBoss I am using "Firewall IP7" which is not yet updated for iOS10, costs $2.99 or near

both act as firewalls in learning mode.. it can be a little tedious in the beginning but as soon as you block most ads/trackers/beacons "globally" then you feel the difference on speed, bandwidth usage, and user experience

[1] https://play.google.com/store/apps/details?id=app.greyshirts...

I don't have a full understanding of what's going on here, so this might be a stupid comment: Isn't 1GB of DNS lookups quite a lot?

Geez, color me double-wrong. Yes, that should be plenty. I thought it was a VPN-esque solution that required shuffling all traffic through the VPS instance, but yes you're right, it's basically just a custom DNS server. In which case this would be totally fine. I might even try it myself if I ever decide to unroot my phone.

DNS66 (https://github.com/julian-klode/dns66) doesn't require root. It uses the Android VPN system to capture DNS requests and forwards everything else.

Agreed. Works really well on all my Android devices and the performance impact is negligible

It would also have to serve the not found responses, no?

Still, if they're short it seems unlikely that you'd have any issues.

Ideally you'd want to have L7 filtering so an SSL terminating proxy is the best thing short of running a fully functional copy of uBlock on your mobile device, lest you run into issues where removing ads on youtube also interferes with normal site function.

AFAIK Block This! is an example of a local VPN-based ad blocker for Android.

I use Firefox on Android with an adblocker installed via its extensions page without root and it makes me a happy browser. It obviously doesn't do anything for other apps, though.

Or, you know, you could actually pay for a reddit app without ads.

Not for personal use in Europe.

But not in the EU, there you cannot sign up as an individual, only as a business :(

Am I the only one who finds the cloud console interface very unintuitive? How do I actually make use of the free tier, and set up something I can SSH into?

So, one gets 1 VPS for free forever..?

Yeah it's pretty cool

It seems like it is $300 for the next 12 months. There is no mention of always free.

from the parent's link:

> Always Free Products

> Use these products for free up to the specified usage limits during and past the free trial. These usage limits do not expire, but are subject to change.

Unfortunate that a credit card has to be provided for a "free" trial

.2 cpu

My number one reason for rooting my phone is blocking ads on a hosts-file level. It also stopped me from being able to play pokemon go, which I assume is for the best.

Why not just use Firefox with uBlock? Or do you use a lot of free apps with ads that don't offer a pay for no ads option?

A lot of my phone browsing involves apps with built-in browsers (reddit, HN) so hosts-filter is more practical. Killing ads in free apps is definitely part of the equation as well. The one downside would be not being able to click sponsored links atop Google when looking for a particular product.

IMO Hacker News works better without an app.

Most reddit apps let you open links in an external browser

I like the Materialistic app for browsing HN, it's really nice.

I like Hews, because I prefer serif font than Material UI

I find Chrome to be faster than Firefox with uBlock on my Android device.

Get Brave browser, it's based on Chrome and looks the same but has adblocker and some other good features.

Is it open source? If not, I wouldn't trust it.

yes it is, from cofounder of Mozilla


Sorry, I meant it's based on Chromium, which is open source unlike Chrome.

Chrome isn't open source.

Sorry, I wanted to say it's based on Chromium not Chrome.

not-op here, but your question made me wonder: If you've paid for a freemium upgrade in an app that relies on Google's ad network, does that default to completely disabling the ads integration?

In other words, is the app still feeding data points into the ad network even though it may not be displaying ads? I had assumed it was, but your question makes me think otherwise.

Best to just block them, than rely on the skill/goodwill/giving-a-damn of the developer to not thrash all over your privacy.

just yesterday was checking many browsers, Firefox on Android is slow, was comparing loading times and it was very slow compared to Brave it RSBrowser or even Chrome plus no pull down to refresh is killer and there doesn't even seem to be plugin to add this only button or more fingers gesture or not just swipe down

on bright side on desktop i switched from chrome to Firefox and it seem ok, though it seem not so many pages are cached and need reload when switching many tabs

Firefox has a bug where first the tab takes ages to load. Open the same page in another app and see it fly

in the end I gave up even on desktop and I am back to Chrome, Firefox just kept freezing or was unresponsive even with few tabs open, also always refreshing tabs when returning to them after a while, while I experience no problems with Chrome :(

on Android I switched from YuBrowser to Brave browser, Firefox doesn't have simple pull down to refresh and it's not optimized for Snapdragon plus kinda slow in real life scenarios

If you have a Samsung Galaxy with Knox (S6+ I think), you can use Adhell which works without rooting and has all the capabilities of root adblock.

But Knox uses a Samsung-owned proxy and sends private identifying info to Samsung...

Wow! Thanks for this. Adhell is awesome.

great choice (I do the same on my jailbroken iDevices).. my usual go-to hosts resource is: http://someonewhocares.org/hosts/

block responsibly :)

A non-root way: DNS66 via F-Droid.


How do you do this?

I rooted my HTC One, put hosts in /etc/ but somehow the phone "ignores" it?

I did the same thing but using an old netbook I had lying around. It lives under the house running Pi-Hole and a few other things. I wrote about it here http://www.boyter.org/2015/12/pi-hole-ubuntu-14-04/

No idea what power draw it has (probably $5 a month?) but I have a large solar array so I doubt it costs me anything to actually run. I also get to recycle some old hardware.

EDIT - Seems that post was linked to by the pi-hole project itself at some point. Was wondering why it got so much traffic each month.

You must be blessed enough to have a fast upload speed. I'm still trapped at ~10Mbps. Thanks, Spectrum/TWC!

Not at all. I am still unlucky enough to be on ADSL2+ with 1Mbps upload.

Possibly will be looking at 40Mbit in the future but that depends on how lucky I get in Australia with the NBN, so not expecting much.

Another solution: install DD-WRT or Tomato in your WiFi router and disable all ad servers on the DNS: http://dd-wrt.com/wiki/index.php/Ad_blocking

Pay attention: this might interfere with some google functionality because it will block google ad-services. You'd have 2 workarounds: switch your searches to Duck-Duck-Go or keep google ad-services out of the disable DNS addresses.

But it doesn't work if you're not connected to your WiFi...

There's also LEDE, a fork of OpenWRT.

Note that this is just a DNS-level adblocker, which is already quite useful (I use a HOSTS file myself) but isn't quite as powerful as an actual MITM/filtering proxy like Proxomitron which can more precisely remove the content you don't want without having to block entire domains. If you use DNS-only blocking, you will often see error messages in place of banners and other oddities, because of sites which partly host some of the ad scripts themselves.

You do have to do more initial setup with certificates and such, but IMHO the more fine-grained filtering is worth it. The entire category of sites which actually detect blocking can be worked around this way, as you can filter out that code too.

Woah, Proxomitron, that's a blast from the distant past!

Has anyone picked up development of anything similar these days?

There's Privoxy and Proximodo, but they both lack HTTPS filtering support. There's also https://github.com/amate/Proxydomo which appears to be based on Proximodo and seems to use wolfSSL so it may be able to do TLS MITM, but the documentation is unfortunately all in Japanese.

...and of course at the high end there's the enterprise filtering middleboxes which are probably too expensive and difficult to configure for personal use.

There's also Privoxy, which can block ads based upon URLs, as well as doing other clever stuff like blocking cookies. It falls back to host-level blocking for SSL, unfortunately.

This is really neat and I had thought about doing this when I acquired a new Android device that I don't have root on. Alternatively, a program was made to host a DNS process on the phone in userland that downloads blacklists as well as uses external well-known nameservers. Then use the built-in VPN client to redirect all DNS queries through to the daemon. DNS66 has been doing a fine job since I started using it last week. https://github.com/julian-klode/dns66

I use Netguard (https://github.com/M66B/NetGuard) and found it to be better polished than DNS66, check it out if you're interested, I'm a happy user.

I also use this and prefer it to DNS66 because I can use a hosts file rather than just changing the DNS server. Both work well though. Oh, and both are open source!

When I look at it in F-Droid I see: the upstream source code is not entirely free. What does that mean?

If that's a Samsung with Knox, you can use Adhell without rooting (recommending as a happy user): https://www.reddit.com/r/Adblock/comments/5aovzp/adhell_ads_...

Knox appears to be a privacy nightmare on its own

Thanks for pointing out this open source tool! There are many with similar functionality but none of them are open, and I don't trust closed source when it creates a VPN tunnel :)

Changing the DNS server on Android is really not ideal and in some networks outgoing DNS requests are blocked or redirected to the local resolver.

I know it's a lot more work but setting up Shadowsocks and Unbound with similar DNS blacklists is a much better solution. This also comes with all the benefits of using a VPN (technically, an obfuscated socks5 proxy using the android VPN interface). If you manage the network, pfSense and pfBlockerNG are also great and easy to set up.

How sad is it that we need to jump through hoops to just disable ads on our devices.

And before ads advocate responds - ask for my money instead of polluting my mental space.

Until ads went rogue and started serving me malware, I never had a problem with them.

After being served up a malicious pop-up that silently installed a bitcoin miner a few years ago, I started whitelisting javascript with a plugin, blocking ads, etc.

I haven't had a malware problem since I started doing this. I don't think it's a coincidence.

The most convenient solution I've found for my phone is using the Firefox app, which has extension support.

Obligatory Forbes push to stop ad-blockers... followed by serving malware:


There are certain attempts to bring this "pay for content" to the masses. The current model of subscribing to each site doesn't work. I don't think one widely adopted solution exists that would let you do one payment and get access to sites. I saw attempts like cointent and brave, but whether they stick or not is yet to be seen.

Ps:google emp.

I'm not sure what you mean by "doesn't work".

Subscription payments can be extremely profitable, leading to the continued existence and even expansion of the site. The only downside is that only people who subscribe can see the majority of the content.

Ads merely mean that more people can access the same information, including people who could have never or would have never paid for it.

Subscriptions are merely less egalitarian.

hey - sorry, didn't see the message before.

subscriptions today are per site. you have to maintain multiple subscriptions. Many people dislike that. I wouldn't hesitate a second to subscribe if there was something that centralizes the subscription (like 10$ for a month's worth of content, split among publishers based on how much time I spend and what the value of content is).

You won't pay enough to make up for not showing you ads.

... or simply subscribe to Ad Free Time for $1.99 /pm


yes, very good!

Just curious, if I use their DNS, how do they know it's me? from the hardware address of my network card?

"You need to log in to your Self Service area whenever your IP address changes (i.e. if you only configured your computer and you travel) so that your current IP is validated to your account. If you don’t do this, ads will start to reappear and region unlock will stop working!" -seems like it just registers the IP address when logging into their portal/page.

Out of interest, would somebody be able to reconstruct those blurred-out IP addresses and password by using deconvolution? [1]


I can't help but mention that one of the methods is called a Weiner Filter.


AdGuard DNS is a free alternative although the web page says it's in beta [1]. They also say they don't keep logs and support DNSCrypt. Conveniently the DNSCrypt project also seems to have four resolvers configured for them [2].

[1] https://adguard.com/en/adguard-dns/overview.html [2] https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscr...

TL;DR: Vultr + Pi-hole

Pi-hole is great, but there's no reason to dedicate an entire instance to it (assuming you have other uses for one) -- the resources used on my RPi 3 are negligible.

Using a public server instance would seem less likely a cost/resource savings than a convenience factor if you are adblocking on mobile platforms (linked article was mostly focused on adblocking for an Android phone, presumably one that will be used on-the-go and not just at home).

Setting up an at-home RPi solution is probably possible for most people but a lot more cumbersome dealing with inbound server tunneling (which may technically be forbidden by their ISP), dynamic IP services, etc.

My biggest gripe with network level filtering is making exceptions. I am currently running Pi-hole and making exceptions requires logging into the server via the web UI. SSL URLs also do not work and would require some sort of root cert.

With uBlock you receive a UI notification of the block and the option to make an exception.

Or you can set it up on a free instance of GCE. The author doesn't get affiliate fees though.

It's already been mentioned that the egress limit is 1 GB.

At $0.12 per GB, he would have to do more than 20 GB of DNS queries on his phone to reach $2.50 / month.

Also, my comment about using GCE was first, so it wasn't already mentioned.

I messed with this for years. This app recently solved it all for me without root :


You can use the custom rules to add any of the adblocker lists such as HP hosts, etc.

Also whitelists play nice with voip apps too.

Just a small fyi about the Vultr match credits: unused credits expire after 12 months. Vultr are great by the way, love them.

I would very much prefer an ansible playbook so I can deploy this in a blink, than all those countless manual procedures.

It would be even better if there was a way to pay $2.50 that get distributed among the creators of the consumed content.

Brave browser tries this business model with their ad blocker, though I am also using AdAway

I ran this same setup for a while, but became nervous about the potential for DNS poisoning. I'm reasonably confident in my ability to lock down a public-facing system, but you sure are putting a lot of trust in that pi-hole install and your ability to make sure you're always using SSL on every device and site.

Seems like overkill. Why not just use openwrt and the adblock package?

Grab a tl-wr841 for <$20 on ebay - some go for $5

You could even get an orange pi or Rpi zero + ethernet to usb adapter and hang it off your existing router for power.

Isn't there a really simple work-around to these dns-hole adblockers? Ad links just need to use actual IP address surely?

Pi-hole with raspberrypi is free.

Cloud hosted Pi-hole is also free. You pay for the hosting.

With the cloud hosting you also get a fixed ip address which you can use from all the places, while most people have dynamic ip addresses at home (which you need to track and change in all devices). Furthermore initial cost of a pi and accessories are equal to 10-20 months of hosting.

As long as you get a free raspberrypi and free electricity.

Considering how little a Pi consumes, you might notice the electricity cost after a few years.

Probably 50¢/month total, 47.75¢ for the electricity[1], and 2-something cents monthly opportunity cost of $30 earning interest in a money market fund.

The throughput on a Raspberry Pi isn't great though, even compared to a typical low end VPS.

[1] http://m.wolframalpha.com/input/?i=5+watt+*+months+at+13+cen...

The software is free. At least when you're done with it, you get to keep the hardware which over time will pay for itself.

Can someone tell me the est. bandwidth traffic per month on such a setup?

If you want something even cheaper, check out https://www.time4vps.eu/pricing/#!

If you purchase a 512MB RAM machine for two years it is €0.99/month!

Horrible company with absurd ID requirements. I stopped trying to be validated user after confirming my email, confirming my text message and being close to send them my government issued IDs for God knows who and when to hack into them and steal it for identity fraud purposes.

Edit: oh and don't expect much customer support help for 99cents per month, even if their customer support is located in Cambodia.

Actually, both their data center and their support team are located in Lithuania.

Time4VPS is essentially the international brand of the largest ISP in the country.

I was sceptical at first, but I have a VPS running there for a few months, serving 100k hits per day, with no technical problems from their side so far.

I just used their support once, but they responded in minutes.

The company you're talking about ("Interneto Vizija") isn't an ISP. They are, however, the largest .lt registrar (recently passed 100k domains) and the largest hosting provider (shared/VPS/dedi) in the country.

Why would i do this if i can do it for free ? If it's a PC:

- Change the hosts file with adblocked domains or..

- Install an extension on the browser;

On the phone we have firefox with adblock extensions as well.

So, why would i pay for adblocking ?

Did you even read the first sentence of the article?

"I recently got fed up enough with ads while regularly using my mobile Android Marshmallow phone"

And i said: "On the phone we have firefox with adblock extensions as well."

firefox for android is really slow rendering pages compared to chrome.

Not all ads are in the browser.

What kind of insane world do we live in where we can't block ads on our own devices?

Hmm, that sounds like it could be useful for other things, but for ad blocking, running a blocker on the device seems to work fine...

Title should be amended to clarify "if you use android"

It's really platform independent. If you have an iPhone or iPad, these settings could be used: http://osxdaily.com/2014/08/08/change-dns-settings-ios/ to set it to the adblock instance IP.

Otherwise, it could also be set at the router layer to use the cloud instance to block the ads.

Why? One can set up any device to use the pi-hole machine as their DNS server.

Because iOS apps don't have ads, right?

Apple allows ad blocking software in the app store.

Firefox for Android has addons, so you can use uBlock Origin. That seems to be the go-to solution for many Android users. But just like content blockers on iOS, it won't affect other apps.

So does Google. In fact nearly every browser in the Play Store blocks ads.

but not chrome, which is the major browser on android...
