Settings -> Network & Internet -> Advanced -> Private DNS -> set provider hostname to "dns.adguard.com"
Adguard functionally operates similar to a Pihole install - it just maintains a DNS-based blacklist. You give them your DNS queries, of course, but in return you get an almost entirely ad-free experience with just one setting.
I had internet access just fine (browsers) but Signal, Google Maps, Uber and Ola just wouldn't work with 126.96.36.199. Haven't gotten around to think about the reason
Interestingly at work, I found out we couldnt even route to 188.8.131.52, but gave something to the network team to work on.
I too, jumped on the 184.108.40.206 bandwagon when lanched.
This way you can resolve while you resolve.
I think I tried this and had mixed results though.
For me I only had twitter glitching at one point, but it doesn't now
I found that video ad providers weren't in the usual lists...
But an official fix is incoming. https://issuetracker.google.com/issues/122141885#comment14
My setup does far more than just blocking ads, and works transparent as long as the client is connected through WireGuard (which works seamlessly over LTE and public WiFi).
That being said, I really like how Blokada and DNS66 are available in F-Droid  , and require minimal technical knowledge to set up. The more [ad blocking], the merrier.
As a backup measure I use Firefox with uBlock. The only machine I don't use uBlock is on Kali because I want to see the website exactly as it is being served.
It starts to be really easy to setup all of this so that it just works.
Also, how has your experience with wire guard been? I've been using my vpn's default client on all my individual devices out of convenience but after looking at the wire guard website I can see the appeal.
Our solution is simple, we've got two SSIDs, one w/ PH, one without. They route to separate VLANs and each VLAN uses a different gateway+DHCP with pihole or standard DNS. Fixing a website that doesn't work is simple as hopping over on another SSID.
We're using UniFi gear for the wifi, they support 4 SSIDs(8 if you split 2.4/5Ghz) per access point and USG made it trivial to setup multiple gateways(now on pfSense but that's a whole nother discussion).
FWIW I've been running pihole for almost a year, aside from the issue with Burrow and some social media redirect links used to track(that I want to block) I've not had any other false positives.
On almost any machine you could have save for ios.
I've got nothing against browser blockers, I just prefer something that works in a unified way as a network policy.
For example, I don't think changing networks is a pain in the neck. It's just 3 clicks on my android phone or 2 on Windows 10. This is compared to 3 clicks to turn off a browser based ad blocker.
It takes 3 clicks to disable adblocking for a particular site once ever. Click icon at top of window, click disable, click reload. This takes aprox 2 seconds once ever for each site. If you regularly use 7 sites that are annoying in this fashion you have invested 14 seconds.
By contrast lets discuss switching networks one of which uses dns to filter out ads. If you use one of these 7 sites 3 times per week you will incur a 6 second cost not just to click but to actually authenticate and start receiving data from the new net. That is 468 times in 3 years. This means that while I spent 14 seconds you spent 47 minutes.
This is on top of the 60 minutes you spent figuring out the complex solution that only works on your local network buying hardware, configuring hardware.
On net you will ultimately invest over 400x the time for a worse solution.
Using a solution that relies on a custom vpn is stupid in that it prevents you from using an actual vpn to increase your privacy.
Using custom dns even if there is an easy escape hatch to disable/enable it relatively quickly is STILL a global solution which implicitly requires turning it on and off manually and incurring a small time cost per operation.
In conclusion addressing ads via dns/routers wherein you intend to view some content that requires selectively disabling said feature is a complex and grossly ineffective solution. To avoid ads in apps don't install apps with ads. Browser addons remain the obvious choice. If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform. Namely ditch IOS for this and other reasons.
Solve fewer non problems.
> If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform.
This isn't a feasible solution. Why not use DNS-based adblocking instead? It works for my Android TV...
I've had one false positive across a year of using pi-hole, so this is a non-issue.
If you want to use an adblocker by all means go ahead, just don't go dumping all over everyone else because your usage doesn't line up with other people's.
My experience with WireGuard has been fantastic. The configuration is straightforward (way less complex than OpenVPN), wg-quick(8) is ace, the macOS and Android UIs work very well. The performance is great (both throughput and latency, even of the userspace ports). You only need very minimal, basic knowledge about networking and public key cryptography.
I got some minor complaints. For example the VPN is gone on Android when the app gets updated, and there's no official Windows client (though I don't use Windows right now). The EdgeOS port is sometimes out-of-date but its made by a 3rd party. And, compared to ZeroTier (where I was coming from) I miss out on a nice website configuration, but I get back a CLI one.
I have a WireGuard VPN at home and experimented with always-on, on my Android phone. Unfortunately, my provider (EE, UK) throttles UDP traffic something rotten, and my normally great experience with 50/50Mb+ is severly limited to between 0 and 10 Mb making my phone almost unusable by normal standards.
Does your LTE provider not throttle this way, or have you found a way around this?
Interesting. I've not noticed performance issues beyond those expected due to signal quality when using work's VPN over a tethered phone using EE. That VPN is using OpenVPN with a UDP transport. Then again it doesn't get used for anything with high throughput so perhaps they only throttle when it looks like bulk transfers are happening or the effect of the throttle just isn't apparent for my interactive use-cases.
> or have you found a way around this?
If they are throttling UDP for your use case then you could try a TCP based VPN (OpenVPN supports this), though there are potential issues with layering TCP inside TCP particularly on high-latency connections so this is not usually recommended. Might be worth a try to compare/contrast though.
I have a play with mine both ways when I finally get round to adding it to my current phone (mainly to use the network level ad-blocker running at home) and see if I can see a measurable difference with each variant.
To copy and paste another reply I just made:
"I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise."
I'll give OpenVPN a go over TCP once I have a chance to set it up and I might even consider contacting EE for info.
I would mind the fact that it limits my throughout to, at best 12Mb down, but when on WG it typically approaches 0 making my device unusable and I've already ruled out the rest of my network.
If you run the server side of the VPN as well as the client, you can test that possibility by trying other known ports (1194 that OpenVPN usually lives on, 433 if that isn't already directed elsewhere on the target address, ...).
That being said, have you attempted to discuss the issue with them? Have you considered a non-default UDP port? Also, did you compare the usage with OpenVPN? I ran OpenVPN before, the roaming, network speed, and latency is quite terrible.
I think the trick to bypass this kind of nonsense is to use port 443/1194/53 so QoS + firewall rules will still allow the VPN to pass through.
Haven't tested it yet, but in my experience non-default ports only make the problem worse. Most filtering/QoS services are pretty dumb and will just match source and destination ports; most firewalls will just plain ignore everything targeted at port 443 because the moment you start messing with HTTPS, you're in for a world of pain. Because WireGuard uses UDP, it's possible to listen on port 443 even if you're already hosting an HTTPS website. Sadly, you won't be able to use QUIC or HTTP3 if you do, but I don't think that's much of an issue these days.
Should still be possible. Xs4all had port 80 set up so that if you'd SSH to it, you'd get connected to their shell while with a browser (the normal modus operandi) you'd end up on their website. It worked very well in some of the more oppressive regimes where traffic to port 22 was blocked.
I also don't serve HTTP(S) content on my home connection. I only host WireGuard, that's part of the point.
I haven't contacted EE about it or tested other VPNs yet. I want to run WireGuard for various reasons so switching to OpenVPN might confirm they issue but not solve my problems (I don't run the VPN for the reasons in the OP)
Could you explain this a little further - is the Pihole also running on the Synology? Or is secondary DNS the Synology?
> Or is secondary DNS the Synology?
To be precise,
In LAN, the Synology NAS is the primary DNS (running PiHole on Docker), and the router the secondary. This is to reduce the load on the router. They're both using Quad9's servers on port 853 and using DNSSEC.
In WAN, which is only possible via WireGuard, the router is also the primary and only DNS. This is because I don't think it makes sense to add redundancy and additional latency here. If I'd need additional redundancy here, I'd also need an additional endpoint.
All outgoing DNS traffic going to port 53 (such as Google's) gets not coming from the Synology NAS gets forwarded to the router. Which is very little in my use case.
Pro-tip if you have difficulties in getting the latest updates for one or more of the inbuilt blacklist host files, try to edit manually their URL to be httpS. It worked for me!
That's the statement that always bothers me because it's only true if you build the app yourself. This is giving people a simplistic view and a false sense of security.
However, Blokada has lately been crashing or stopping or being killed. I'm on Android 9. I have to start it manually when the notification disappears.
Although to be honest I also use the Brave browser,so that might explain why I have so few ads when browsing. Yeah, I really hate them...
You can search them online  or show the analysis of the apps you already have installed 
Fosdem talk that explains all of this in more detail:
Another reflex is to look on the F-Droid Store if an equivalent FOSS application exists before looking for one in the Google Play Store. There are some excellent apps there, such as NewPipe  for instance!
This is a little misleading... Just because there is source code on GitHub does not mean the random APK you're downloading from the internet and side-loading is safe.
If you're paranoid (and you probably should be - if I was a bad person and wanted to get malware onto your machines, I'd be making some useful "open source" app and publishing "its source code" on GitHub too), you'd want to build the app yourself! :)
It would work against the HN crowd though.
Specifically, things like "you have a free credit" notification from Lyft, or Amazon's "Check out our new sale" notification.
My phone should not ding for nonsense like that. That is SPAM, and that is not something that I need to know immediately.
The problem is that apps like Lyft and Amazon have rather important notifications, so blocking all notifications from those apps is not possible.
I opened several tickets with Lyft complaining about this. In a recent version you can turn off. Settings -> Notification Preferences -> 'Discounts and News' = off.
Especially when it's an app I want or need, and it has notifications I need, but still sends out spammy ones too.
I think this is possible on Android as you can give apps access to notifications, so it could filter them.
Also (although I'm going on a tangent now) there's mobile news sites that require 3 or 4 clicks before I can read the article: close the app download prompt, the gpdr prompt, the subscribe prompt, the video hovering over half the screen.... It's maddening.
Blokada is easier to use that dns66, just one big button and you're done. It doesn't require root, but just like this app uses a local vpn (on the device itself, no servers involved).
For me it even blocks ads inside the YouTube app, which Adguard on iOS couldn't do...
edit: apparently, the Android VPN is flexible enough that they can direct only DNS traffic through this process, which mitigates it quite a bit. This issue has some tech details: https://github.com/julian-klode/dns66/issues/193
So I switched back to DNS66. Which is great, but you might need to disable async-dns in chrome://flags depending on your device. On Android 8 (Oreo) tablet, Chrome ignores the device network interface DNS preference and sends DNS requests out the physical interface, and not via the local (filtering) tunnel. My Android 9 (Pie) phone doesn't have this problem. Blokada worked fine on both but DNS66 only worked on the tablet when I turned off async-dns (which I think is a terrible, network-breaking feature anyway).
The few apps with ads that I sometimes can't avoid aren't fixable by ad-blockers. (e.g. ads in Google Maps)
I don't use any apps with ads, but Blokada has reported blocking ~100k requests a week on my phone.
I prefer to generally leave telemetry enabled, and simply not use apps from publishers whom I don't trust to use it responsibly.
Honestly the only real solution I've found is to use Ublock Origin in Firefox for Android.
Copy-paste from https://news.ycombinator.com/item?id=18788410
For anyone running on Android 9 or later, navigate to
Settings -> WiFi and Internet -> Private DNS
Select Private DNS provider hostname
Add dns.adguard.com (DNS over TLS)
Visit https://segment.com and you should see browser's 'Server not found' (disable existing ad-blockers or they might jump in and block the website anyway).
For anyone on Android 4.0 or later, consider using Intra  to use AdGuard DNS over HTTPS, if you prefer it over cloudflare's or google's.
Open the app, click on Settings.
Choose customer URL and paste: https://dns.adguard.com/dns-query
Be sure to 'lock the app' to prevent it from being killed in the background, and enable 'Auto Start' for the app from installed apps settings page if on newer android versions that support it.
Also, I have an actual VPN for my Android phone that I turn on whenever I'm on coffee shop wifi, so it seems like it would be impossible to have both running at once.
It is. You need to restart the adblocker VPN when done (at least DNS66 operates this way).
That said, I haven't found a measurable difference in battery when using one.
Edit: I guess Blokada is another to consider, just heard of it from this thread.
It feels more than a little disingenuous to post that at the end of a post explaining how to cut the revenue source of devs.
If you don't want ads, how about you pay for the premium tier of the app ?
Cutting ads does not also cut analytics frameworks.
I wonder at which point apps will just start to bury analytics in their API calls and serve ads with their main payloads
 - https://github.com/jedisct1/dnscrypt-proxy/wiki/Connecting-t...
Does this secure all DNS traffic like Cloudflare 220.127.116.11 app? If it does, I may use it with the exception of public wifi.
...but, updates to the app will no longer be allowed, so it will eventually stop working on some future iOS update, by which point I hope to have found an alternative platform.
Accept no imitations.
VPN and host file?
In my apps I would just check the host file or ping a certain address to detect if a user was doing this
I would then serve a different kind of ad, shrug emoji
The setting lives under Apps & notifications / Special app access / Battery optimisation / <App name e.g. Blokada> / Don't optimise.
I still think this is a battery win because of all the ads I'm not downloading and displaying.
Who owns the VPN? What are they doing with your data?
You create a virtual "VPN" that filters out traffic based on hostnames. DNS requests that are not on the blacklist get forwarded to your DNS of choice.
Other adblockers for non-rooted Android (like NetGuard) work in the same way.
The only thing that is slightly annoying is that the iPhone seems to drop the VPN from time to time. If only there was a way to work that out....
I recall NordVPN on iOS used to do that and I took it as a norm. Perhaps a year ago after few iOS and apps, I noticed that not only the time takes for connecting dropped, the drop rate also decreased a lot.
Not directly answer the question, but this made me think that there is a way...