Block Ads in Apps on Android (unlikekinds.com)
182 points by whalabi 34 days ago | 145 comments

On Android 9, you can do this even more easily:

Settings -> Network & Internet -> Advanced -> Private DNS -> set provider hostname to "dns.adguard.com"

Adguard functionally operates similar to a Pihole install - it just maintains a DNS-based blacklist. You give them your DNS queries, of course, but in return you get an almost entirely ad-free experience with just one setting.

I wasted almost an hour trying unsuccessfully to book a cab using Uber yesterday only to realise it was in my Private DNS which was the problem.

I had internet access just fine (browsers) but Signal, Google Maps, Uber and Ola just wouldn't work with Haven't gotten around to think about the reason

The feature is not stable yet in this new release. Also some queries leak when your device wakes from sleep. More details here https://ba.net/adblockvpn/dnsovertls has issues with archive sites, had to stop using it. Cloudflare blamed the archive sites, but it works with other dns services, so I just stopped using

Interestingly at work, I found out we couldn't even route to, but gave something to the network team to work on.

I too, jumped on the bandwagon when launched.

instead of use 1dot1dot1dot1.cloudflare-dns.com

Wait, how are you supposed to use a host name as a DNS server?

We heard you like to resolve domain names into IP addresses so we put your DNS provider behind an A record.

This way you can resolve while you resolve.

DNS over HTTPS and DNS over TLS require URLs. Controversial features in that they break abstractions apart from breaking some apps too (for instance, usage of TCP, overhead of TLS/SSL handshakes, abusing HTTP etc)

Me too.. Waze wasn't working and Spotify was taking ages to decide it wasn't offline. On EE in the UK if that helps?

I use DNS66 and I have to pause it any time I use a app that involves Google.

In DNS66, in the apps tab, you can bypass the VPN by app.

I think I tried this and had mixed results though.

For me I only had twitter glitching at one point, but it doesn't now

That's Cloudflare, not AdGuard. I'm surprised about your problem

Do you have similar issues with It seems safer for me.

The solution I follow on all my Android devices is the "NoRoot Firewall", free, no ads. I use it either to block IPs/addresses I "don't like" or global block sites/IPs like Google analytics, Facebook etc.

Can you customise the blacklist?

I found that video ad providers weren't in the usual lists...

Except that my Pixel 2 restarts every few hours if I set that up.

Same here with two OnePlus phones running Pie.

But an official fix is incoming. https://issuetracker.google.com/issues/122141885#comment14

How good is the DNS? In terms of speed and privacy. PS: all the DNS are resolved via that DNS or it's added (piled) to the list of default DNS resolvers?

You'll have to make your device use the server, so I think you'll at least have to add it to the front of the list.

This is definitely simpler, thank you.

I'm using Pi-Hole on an Ubiquiti router together with WireGuard and DNSSEC. My Synology NAS is backup (with regards to the DNS-based Pi-Hole blocking) taking the adblocking load off the router (there's no redundancy for WireGuard endpoint though). I don't (need) to use a RPi anymore. It works extremely well for me, and all my clients also get to connect to Nextcloud running on the Synology.

My setup does far more than just blocking ads, and works transparently as long as the client is connected through WireGuard (which works seamlessly over LTE and public WiFi).

That being said, I really like how Blokada and DNS66 are available in F-Droid [1] [2], and require minimal technical knowledge to set up. The more [ad blocking], the merrier.

As a backup measure I use Firefox with uBlock. The only machine I don't use uBlock is on Kali because I want to see the website exactly as it is being served.

[1] https://f-droid.org/packages/org.blokada.alarm/

[2] https://f-droid.org/en/packages/org.jak_linux.dns66/

I'm using Pi-Hole in an lxc-container on an Omnia Turris router, Blokada for my Android phone with uBlock Origin, Firefox with uBlock Origin on every computer I own and the router encrypts all traffic with WireGuard to several different endpoints for the whole network. Having a bit too slow uplink to connect to the internal network from outside.

It starts to be really easy to set up all of this so that it just works.

That router looks interesting

Aye, and the successor, currently in development, is modular [1]. I still recommend an APU2 from PC Engines as router though. Best bang for the buck, for now.

[1] https://mox.turris.cz/en/overview/

I've been considering setting up pihole on my home server for a while but I've always been worried that it would break a website for a non-technical family member while I wasn't there to fix it. How has your experience with website breakage been?

Also, how has your experience with wire guard been? I've been using my vpn's default client on all my individual devices out of convenience but after looking at the wire guard website I can see the appeal.

The only site I've seen break was Burrow ironically enough, couldn't get through the checkout flow which is pretty darn stupid for a purchased product.

Our solution is simple, we've got two SSIDs, one w/ PH, one without. They route to separate VLANs and each VLAN uses a different gateway+DHCP with pihole or standard DNS. Fixing a website that doesn't work is simple as hopping over on another SSID.

We're using UniFi gear for the wifi, they support 4 SSIDs (8 if you split 2.4/5GHz) per access point and USG made it trivial to set up multiple gateways (now on pfSense but that's a whole nother discussion).

Regarding the web, browser based blocking still makes more sense. If I have 2 tabs one which works with adblock and one which does not I can simply click an icon to enable ads on the one. Changing networks seems like a pain in the neck.

On the flip side I've got 4 different devices across 3 operating systems, but putting it at the DNS layer it just works.

FWIW I've been running pihole for almost a year, aside from the issue with Burrow and some social media redirect links used to track(that I want to block) I've not had any other false positives.

Firefox + ublock origin works on mac/windows/linux/android/bsd/some more unusual OS

On almost any machine you could have save for ios.

Yeah, and as much as I love Firefox, the android implementation just isn't up to the level to where I can use it as a daily driver.

I've got nothing against browser blockers, I just prefer something that works in a unified way as a network policy.

What's not up to par for you? Before I went back to iOS (where I use 1Blocker as a content blocker for Safari), Firefox for Android plus uBlock Origin did pretty well for me.

I think pihole makes it reasonably easy to disable for some amount of time or until you switch it back on. I know "reasonable" has different meanings to different people though.

For example, I don't think changing networks is a pain in the neck. It's just 3 clicks on my android phone or 2 on Windows 10. This is compared to 3 clicks to turn off a browser based ad blocker.

I don't think this is a reasonable analysis.

It takes 3 clicks to disable adblocking for a particular site once ever. Click icon at top of window, click disable, click reload. This takes approx. 2 seconds once ever for each site. If you regularly use 7 sites that are annoying in this fashion you have invested 14 seconds.

By contrast let's discuss switching networks, one of which uses DNS to filter out ads. If you use one of these 7 sites 3 times per week you will incur a 6 second cost not just to click but to actually authenticate and start receiving data from the new net. That is 468 times in 3 years. This means that while I spent 14 seconds you spent 47 minutes.

This is on top of the 60 minutes you spent figuring out the complex solution that only works on your local network buying hardware, configuring hardware.

On net you will ultimately invest over 400x the time for a worse solution.

Using a solution that relies on a custom vpn is stupid in that it prevents you from using an actual vpn to increase your privacy.

Using custom dns even if there is an easy escape hatch to disable/enable it relatively quickly is STILL a global solution which implicitly requires turning it on and off manually and incurring a small time cost per operation.

In conclusion, addressing ads via DNS/routers wherein you intend to view some content that requires selectively disabling said feature is a complex and grossly ineffective solution. To avoid ads in apps don't install apps with ads. Browser addons remain the obvious choice. If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform. Namely ditch iOS for this and other reasons.

Solve fewer non problems.

> It takes 3 clicks to disable adblocking for a particular site once ever. Click icon at top of window, click disable, click reload. This takes approx. 2 seconds once ever for each site. If you regularly use 7 sites that are annoying in this fashion you have invested 14 seconds.

Per browser/adblocker.

> If your mobile platform doesn't allow someone to release such software for your platform use a different mobile platform.

This isn't a feasible solution. Why not use DNS-based adblocking instead? It works for my Android TV...

ublock origin can sync between machines meaning once ever for an entire range of devices.

How does the sync work? What protocol?

Firefox optionally syncs a configurable list of things between installations. It uses firefox sync. All of this is opt in and encrypted so that mozilla can't read it.


Cheers, I knew about Firefox Sync (I used Weave with Fennec on the N810 back in the days), I knew it syncs addons, but I did not know it syncs addon settings. I'm still unsure how it determines which settings to use.

> If you regularly use 7 sites that are annoying in this fashion...

I've had one false positive across a year of using pi-hole, so this is a non-issue.

If you want to use an adblocker by all means go ahead, just don't go dumping all over everyone else because your usage doesn't line up with other people's.

If you never ever need to selectively disable adblocking dns based solutions only suck in that they either work only in the lan, don't work with vpns, or require rooted devices to work. No downsides to be seen.

My partner sometimes has a website which breaks, especially when she's shopping online. Which you could consider a Good Thing. For me, the website which breaks is AliExpress. Specifically, the pictures don't load. Quad9 by default also blocks porn websites. For me, that's intentional, but YMMV.

My experience with WireGuard has been fantastic. The configuration is straightforward (way less complex than OpenVPN), wg-quick(8) is ace, the macOS and Android UIs work very well. The performance is great (both throughput and latency, even of the userspace ports). You only need very minimal, basic knowledge about networking and public key cryptography.

I got some minor complaints. For example the VPN is gone on Android when the app gets updated, and there's no official Windows client (though I don't use Windows right now). The EdgeOS port is sometimes out-of-date but its made by a 3rd party. And, compared to ZeroTier (where I was coming from) I miss out on a nice website configuration, but I get back a CLI one.

It's interesting you've found the WireGuard experience to be "seamless".

I have a WireGuard VPN at home and experimented with always-on, on my Android phone. Unfortunately, my provider (EE, UK) throttles UDP traffic something rotten, and my normally great experience with 50/50Mb+ is severely limited to between 0 and 10 Mb making my phone almost unusable by normal standards.

Does your LTE provider not throttle this way, or have you found a way around this?

> Unfortunately, my provider (EE, UK) throttles UDP traffic something rotten

Interesting. I've not noticed performance issues beyond those expected due to signal quality when using work's VPN over a tethered phone using EE. That VPN is using OpenVPN with a UDP transport. Then again it doesn't get used for anything with high throughput so perhaps they only throttle when it looks like bulk transfers are happening or the effect of the throttle just isn't apparent for my interactive use-cases.

> or have you found a way around this?

If they are throttling UDP for your use case then you could try a TCP based VPN (OpenVPN supports this), though there are potential issues with layering TCP inside TCP particularly on high-latency connections so this is not usually recommended. Might be worth a try to compare/contrast though.

I have a play with mine both ways when I finally get round to adding it to my current phone (mainly to use the network level ad-blocker running at home) and see if I can see a measurable difference with each variant.

I don't run my VPN for ad-blocking (my phone is rooted), I use it for more traditional access reasons.

To copy and paste another reply I just made:

"I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise."

I'll give OpenVPN a go over TCP once I have a chance to set it up and I might even consider contacting EE for info.

I would mind the fact that it limits my throughput to, at best 12Mb down, but when on WG it typically approaches 0 making my device unusable and I've already ruled out the rest of my network.

Another possibility is that they are using naive port-based filters in their traffic shaping rules, and it thinks that any encrypted-looking packets not destined to one of a white-listed set of ports is torrent or other P2P traffic.

If you run the server side of the VPN as well as the client, you can test that possibility by trying other known ports (1194 that OpenVPN usually lives on, 433 if that isn't already directed elsewhere on the target address, ...).

I tested running on other known ports such as 443 and hit the same rate limit. I suspect they have some network-wide cap on UDP transfers.

On the 2 SIM cards I have (Vodafone NL and KPN NL) they don't throttle, as that's illegal, but the plans have data limits (after the limit they just disable 4G for you) and perhaps they do some QoS though. Public WiFi I mainly use Dutch railways (NS) in trains which uses T-Mobile NL. You (or well, anyone, AFAIK) cannot use that to watch on-demand movies though. But I just have that kind of material synced up locally. Same with audio (albeit through Spotify Premium). So with most of my video and audio synced up locally (and the same's true with regards to recent Nextcloud pictures) I end up with mainly traditional websites or apps or an OS/application update or so.

That being said, have you attempted to discuss the issue with them? Have you considered a non-default UDP port? Also, did you compare the usage with OpenVPN? I ran OpenVPN before, the roaming, network speed, and latency is quite terrible.

In my experience, there are actually networks that throttle certain kinds of traffic. For example, on the WiFi on Blauwnet trains I can connect to my OpenVPN server but WireGuard just doesn't seem to make it through. I assume this is because of a combination of unknown ports + UDP + uncommon protocols.

I think the trick to bypass this kind of nonsense is to use port 443/1194/53 so QoS + firewall rules will still allow the VPN to pass through.

Haven't tested it yet, but in my experience non-default ports only make the problem worse. Most filtering/QoS services are pretty dumb and will just match source and destination ports; most firewalls will just plain ignore everything targeted at port 443 because the moment you start messing with HTTPS, you're in for a world of pain. Because WireGuard uses UDP, it's possible to listen on port 443 even if you're already hosting an HTTPS website. Sadly, you won't be able to use QUIC or HTTP3 if you do, but I don't think that's much of an issue these days.

> Sadly, you won't be able to use QUIC or HTTP3 if you do, but I don't think that's much of an issue these days.

Should still be possible. Xs4all had port 80 set up so that if you'd SSH to it, you'd get connected to their shell while with a browser (the normal modus operandi) you'd end up on their website. It worked very well in some of the more oppressive regimes where traffic to port 22 was blocked.

I also don't serve HTTP(S) content on my home connection. I only host WireGuard, that's part of the point.

Indeed this, I only host WireGuard and now you mention it, it'd only take me a second to switch the WireGuard port to 443 or something to test the port theory.

I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise.

I haven't contacted EE about it or tested other VPNs yet. I want to run WireGuard for various reasons so switching to OpenVPN might confirm the issue but not solve my problems (I don't run the VPN for the reasons in the OP)

A way around this could be to use split tunnel filtering VPN. Filter only DNS and route regular tcp traffic normally. We do this at https://ba.net/adblockvpn

I'm using AnyConnect (ocserv backed) VPN, so it presents as TCP/443 and 'upgrades' to UDP/443. Or at least, in theory it's supposed to. I don't think it's actually upgrading to UDP/443 on EE 4G, but throughput speeds with or without the VPN have dropped to <3Mbps in Central London (or 35Mbps+ as soon as I go somewhere less dense) that day to day, I don't notice any impact from the VPN vs not-VPN anyway...

I'm also Central London for work, I typically get at least 30/20 in the office without VPN, and at times up to 50/30, a lot less than the 80/80 I used to get 3-4 years ago in the same spot. With WireGuard I get consistently between 0 and ~10 down. I ran some tests with the guys in WireGuard IRC which seemed to confirm that the issue is specifically EE limiting UDP whether by QoS or otherwise.

> My Synology NAS is backup (with regards to the DNS-based Pi-Hole blocking)

Could you explain this a little further - is the Pihole also running on the Synology? Or is secondary DNS the Synology?

> Could you explain this a little further - is the Pihole also running on the Synology?


> Or is secondary DNS the Synology?

To be precise,

In LAN, the Synology NAS is the primary DNS (running PiHole on Docker), and the router the secondary. This is to reduce the load on the router. They're both using Quad9's servers on port 853 and using DNSSEC.

In WAN, which is only possible via WireGuard, the router is also the primary and only DNS. This is because I don't think it makes sense to add redundancy and additional latency here. If I'd need additional redundancy here, I'd also need an additional endpoint.

All outgoing DNS traffic going to port 53 (such as Google's) not coming from the Synology NAS gets forwarded to the router. Which is very little in my use case.

Your solution is 100 times too complicated for the people who need the most protection online.

Kinda, yes. It depends. All my partner needs is WireGuard installed and running. She doesn't need anything else installed, nor maintain it, nor even run Android. Either way, my solution isn't meant as the better option; it is meant as an alternative.

DNS66 is great and doesn't require your phone to be rooted. It basically acts as a local VPN client/server combo on your phone to handle the blocking. Only downside is that sometimes you have to reboot the app when it shuts down automatically for a reason unknown to me.

Pro-tip if you have difficulties in getting the latest updates for one or more of the inbuilt blacklist host files, try to edit manually their URL to be httpS. It worked for me!

Only issue is I need to use a company VPN (and when I choose to, a personal one), pretty often and they can't co-exist with DNS66, so it has to be restarted whenever I log off of either.

Try "Block This!", operates in the same manner but never crashes (at least on my machine ™)

> This is a free, open source app. Open source is important here because all your network requests will go through this app, and we need to make sure we can trust it. Because the app is open source, if it was doing anything shady, it would be found out.

That's the statement that always bothers me because it's only true if you build the app yourself. This is giving people a simplistic view and a false sense of security.

If it's available on F-Droid, it can support reproducible builds, so that's at least one defense against it. https://f-droid.org/en/docs/Reproducible_Builds/

Yes it's available on F-Droid (see comment# https://news.ycombinator.com/item?id=19208623), but currently I have a slight preference for Blokada.

I use Blokada, and I have less problems using it than I did Dns66. Lots of things stopped working with the latter, but I have yet to find anything that doesn't work with Blokada.

However, Blokada has lately been crashing or stopping or being killed. I'm on Android 9. I have to start it manually when the notification disappears.

Another alternative, on a rooted phone, is AdAway, which can be obtained on F-Droid ( https://f-droid.org/en/ ). I'm more than satisfied with it.

AdAway is quite nice as it updates your hosts file directly rather than using the phone's VPN feature, although the downside is you do need root.

Which filter lists do you use? I find a few ads still get through on the default settings.


Although to be honest I also use the Brave browser, so that might explain why I have so few ads when browsing. Yeah, I really hate them...

AdAway is, until today, the best option. All the other root-free alternatives require the app to run in the background which may consume resources, battery or even crash and stop functioning.

I wish the play store would just let me filter based on app intrusiveness. Let me find things that don't use ads, don't have in-app purchases, and don't collect data. Looking at "paid" apps is NOT equivalent. Then I can maybe read reviews and get what I want. Once the quality bar has been raised I don't have any problem paying a few bucks (or more) for an app that behaves the way I want.

On the "don't collect data", I can recommend "exodus privacy" which shows permissions and trackers that are present in your installed apps.

You can search them online [0] or show the analysis of the apps you already have installed [1]

[0] https://reports.exodus-privacy.eu.org/en/search/

[1] https://play.google.com/store/apps/details?id=org.eu.exodus_...

Fosdem talk that explains all of this in more detail: https://fosdem.org/2019/schedule/event/analysis_of_the_behav...

You can use Yalp Store [1]. It allows to search and filter Google Play Store apps based on (i) Apps with ads, (ii) Paid apps and (iii) Apps using GSF.

Another reflex is to look on the F-Droid Store if an equivalent FOSS application exists before looking for one in the Google Play Store. There are some excellent apps there, such as NewPipe [2] for instance!

[1] https://github.com/yeriomin/YalpStore

[2] https://newpipe.schabi.org/

I second this. Finding apps became a lot easier and faster with F-Droid/Yalp combo. I can look for a free app on F-Droid and if it does not exist I can find an alternative on Play Store, and all with no GSF installed on the phone.

Agreed. I bet there's quite a bit of money out there waiting for whomever starts making paid, tracking-free alternatives to popular free apps.

If the costs are one-off costs, then probably. However, for any services that result in ongoing costs to maintain, it'll mean Yet Another Subscription Service, for which there is already a high amount of fatigue and animosity towards.

Hell, some paid apps have ads which drives me insane.

It's been a while since I've seen that but would drive me crazy too. I would immediately get a refund for it and review it appropriately.

Yeah, that should be an app store foul.

> Because the app is open source, if it was doing anything shady, it would be found out

This is a little misleading... Just because there is source code on GitHub does not mean the random APK you're downloading from the internet and side-loading is safe.

If you're paranoid (and you probably should be - if I was a bad person and wanted to get malware onto your machines, I'd be making some useful "open source" app and publishing "its source code" on GitHub too), you'd want to build the app yourself! :)

To be honest, most people wouldn't even bother to know if it was open source, they would install it anyway. Actually most people probably don't know what "open source" means.

It would work against the HN crowd though.

Honestly, I want something that blocks spam notifications.

Specifically, things like "you have a free credit" notification from Lyft, or Amazon's "Check out our new sale" notification.

My phone should not ding for nonsense like that. That is SPAM, and that is not something that I need to know immediately.

The problem is that apps like Lyft and Amazon have rather important notifications, so blocking all notifications from those apps is not possible.

> Specifically, things like "you have a free credit" notification from Lyft,

I opened several tickets with Lyft complaining about this. In a recent version you can turn off. Settings -> Notification Preferences -> 'Discounts and News' = off.

Oh boy I'm with you 100%

Especially when it's an app I want or need, and it has notifications I need, but still sends out spammy ones too.

I think this is possible on Android as you can give apps access to notifications, so it could filter them.

I want this for Chrome on desktop as well. A large portion of websites are now asking for 'notification' permissions, when in most cases it makes no sense (think news websites).

Yeah this bugs me too

Also (although I'm going on a tangent now) there's mobile news sites that require 3 or 4 clicks before I can read the article: close the app download prompt, the GDPR prompt, the subscribe prompt, the video hovering over half the screen.... It's maddening.

Even at night when you don't use your phone, you are tracked and served ads. I use blokada and it blocks over 5000 ads and trackers in three days, 12 hours of effective usage, meaning 400+ ads/h: https://raymii.org/s/blog/My_phone_serves_me_400_ads_per_hou...

Blokada is easier to use than DNS66, just one big button and you're done. It doesn't require root, but just like this app uses a local VPN (on the device itself, no servers involved).

For me it even blocks ads inside the YouTube app, which Adguard on iOS couldn't do...

which filters do you use? I tried for so long to get youtube ads to block and at the end, I just gave up.

Youtube ads are hard to block. Use NewPipe to watch videos there

So this is a userspace app that reconstitutes the VPN encapsulated datagrams into outgoing networking socket API calls, a bit like slirp in ye olde days? I can't imagine this process is very lossless, does it really properly handle multicast, ipv6, protocols other than tcp and udp, etc?

edit: apparently, the Android VPN is flexible enough that they can direct only DNS traffic through this process, which mitigates it quite a bit. This issue has some tech details: https://github.com/julian-klode/dns66/issues/193

How does it compare with Blokada?


I've used both but recently there was a discussion on Github about Blokada secretly reporting analytics to the developer. Given that the app is primarily used by the privacy conscious, it seemed like a bad idea. They just added an opt-out yesterday, but it was enough to go back to DNS66. The Blokada dev has been posting surveys to get feedback on various monetisation ideas recently (an anonymising VPN, merchandise, a pro version with extra features, etc) so I doubt it'll remain free, as in its current state, for long. I know everyone is entitled to try and make some money from their work, but I always worry about security/privacy apps when the key motivator is money and not helping the community stay safe. Compare pi-hole.

So I switched back to DNS66. Which is great, but you might need to disable async-dns in chrome://flags depending on your device. On Android 8 (Oreo) tablet, Chrome ignores the device network interface DNS preference and sends DNS requests out the physical interface, and not via the local (filtering) tunnel. My Android 9 (Pie) phone doesn't have this problem. Blokada worked fine on both but DNS66 only worked on the tablet when I turned off async-dns (which I think is a terrible, network-breaking feature anyway).

I've used both and Blokada is better mainly because it has a couple of killer features. One example is that it will keep the app alive, so that the power saving features of your phone do not kick in and turn it off.

Any experience with NetGuard? It has similar functionality and walks you through preventing the battery optimization from killing it.

I haven't really tried. Blokada never gave me a reason to.

How does this affect battery life though?

I have between 1-2% battery usage.

You forgot to say what timeframe.

No matter what time frame 1-2% is 1-2%.

The time very much matters. 1-2% per hour is much different than 1-2% per day or per week or whatever.

I assume that's Android's stats about what % of battery each app uses. If so, time doesn't add anything.

I'm all-in for blocking ads, but I've found full-OS ad-blockers to be entirely unnecessary - I simply don't use apps with ads.

The few apps with ads that I sometimes can't avoid aren't fixable by ad-blockers. (e.g. ads in Google Maps)

I use Blokada and it blocks a lot of telemetry data. Saves my data usage as well.

I don't use any apps with ads, but Blokada has reported blocking ~100k requests a week on my phone.

Does it have an effective breakdown of number and destination of requests per app?

I prefer to generally leave telemetry enabled, and simply not use apps from publishers whom I don't trust to use it responsibly.

Been using https://blokada.org/ Which works the same way with good results. Helps a lot to save on mobile data.

None of these DNS blockers have ever worked on YouTube for me, nor any of my other streaming apps.

Honestly the only real solution I've found is to use Ublock Origin in Firefox for Android.

I've been using blokada on Android and it's been a joy honestly, life without obtrusive ads taking up precious mobile screen real estate is hard to live without. When I use my partners phone it's like a carnival with all the flashy ads trying to get my attention. Good riddance.


I posted a comment on how to do this (without requiring root or installing 3p apps for Android 4 and above) here on a HN thread on AdGuard DNS.

Copy-paste from https://news.ycombinator.com/item?id=18788410

For anyone running on Android 9 or later, navigate to

Settings -> WiFi and Internet -> Private DNS

Select Private DNS provider hostname

Add dns.adguard.com (DNS over TLS)

Click save.

Visit https://segment.com and you should see browser's 'Server not found' (disable existing ad-blockers or they might jump in and block the website anyway).


For anyone on Android 4.0 or later, consider using Intra [0] to use AdGuard DNS over HTTPS, if you prefer it over cloudflare's or google's.

Install Intra.

Open the app, click on Settings.

Choose customer URL and paste: https://dns.adguard.com/dns-query

Be sure to 'lock the app' to prevent it from being killed in the background, and enable 'Auto Start' for the app from installed apps settings page if on newer android versions that support it.

[0] https://getintra.org

For Samsung owners I've heard good things about SABS: https://www.androidsage.com/2018/03/29/download-install-sabs...

Has anyone done testing to see what having an always-on VPN for adblocking does to battery usage?

Also, I have an actual VPN for my Android phone that I turn on whenever I'm on coffee shop wifi, so it seems like it would be impossible to have both running at once.

> so it seems like it would be impossible to have both running at once.

It is. You need to restart the adblocker VPN when done (at least DNS66 operates this way).

That said, I haven't found a measurable difference in battery when using one.

What does DNS66 offer over NetGuard? Near as I can tell, they both use the VPN functionality to work, both don't require root, and both are available on F-Droid.

Edit: I guess Blokada is another to consider, just heard of it from this thread.

https://adguard.com has a similar approach using VPN. Would be interested to know if anyone has compared battery drain of the various apps

Well, it is not that similar. DNS66 is just a DNS changer/filter, AdGuard is a full-scale traffic filter and firewall: https://adguard.com/en/blog/adguard-vs-adaway-dns66/

A more actively worked on app which serves the same purpose would be https://blokada.org/

When it's between 10+ ads per hour or very expensive monthly premium for a pretty bad but addictive game, this is at least a battery saver.

>It's important that free apps continue to be made, and app developers need money to go on doing what they do. So if you can't stand ads in your apps, try to support them in another way, by making a donation or paying a few bucks for the full version of their app.

It feels more than a little disingenuous to post that at the end of a post explaining how to cut the revenue source of devs.

If you don't want ads, how about you pay for the premium tier of the app?

Because paying for something doesn't necessarily mean that they won't continue to use your information in the surveillance economy. You might not see ads anymore, but that doesn't mean that they're respecting your privacy.

Smart TVs are a good example of this. And most Android phones. And some US ISPs. And Windows 10. And the Sidewalk Labs projects. I'm sure there are many other examples. You cannot expect what are effectively hostile entities to treat you well, just because you give them money.

That's 2 different topics though.

Cutting ads does not also cut analytics frameworks.

I wonder at which point apps will just start to bury analytics in their API calls and serve ads with their main payloads

The way Google is dealing with AdBlockers at the moment, soon all these VPN-based apps will be taken off the Play Store.

DNS66 isn't on the Play Store - you have to sideload it from F-Droid or GitHub.

What is Google doing to Adblockers?

Since Android Pie uses DNS-over-TLS, it is very easy to set up DNS-based ad-blocking yourself. It requires only dnscrypt-proxy and nginx.

[1] - https://github.com/jedisct1/dnscrypt-proxy/wiki/Connecting-t...

Great idea but what if you want to use a separate VPN service which is disabled by this app? Does this VPN just cover DNS or does it secure all traffic? When on public wifi, I want to have PIA VPN enabled.

Does this secure all DNS traffic like Cloudflare app? If it does, I may use it with the exception of public wifi.

Near as I can tell, there's no way to run an actual VPN alongside something like this. I've been wanting to figure something out myself. Thinking more and more that I just want to set up a DNS tunnel to my home network and set up a PiHole there for similar functionality.

I run unbound DNS + openvpn on a raspberry pi to do the same. Works pretty well.

Anything like possible on iPhone?

This works well:


...but, updates to the app will no longer be allowed, so it will eventually stop working on some future iOS update, by which point I hope to have found an alternative platform.


I use 1Blocker X and don't see any ads.

1Blocker X only blocks ads in Safari. It doesn't block in-app ads, such as the ads in the YouTube app.

Too bad, a truckload of apps these days intentionally hardcode ad server IPs and check for blocking.

Can’t remember the last ad I saw on Android or iOS in an app. On the web, sure. In an app?

su root + adaway + afwall.

Accept no imitations.

doesn't work for YouTube

reads article to see anything has changed since 2014

VPN and host file?

In my apps I would just check the host file or ping a certain address to detect if a user was doing this

I would then serve a different kind of ad, shrug emoji

For those struggling to keep their VPN app alive on Android Pie, you can disable the "Battery Optimisation" feature on a per-app basis.

The setting lives under Apps & notifications / Special app access / Battery optimisation / <App name e.g. Blokada> / Don't optimise.

I still think this is a battery win because of all the ads I'm not downloading and displaying.

So you're sending ALL your internet traffic through a VPN, that you know nothing about? Sounds like the craziest idea I've ever heard.

Who owns the VPN? What are they doing with your data?


You create a virtual "VPN" that filters out traffic based on hostnames. DNS requests that are not on the blacklist get forwarded to your DNS of choice.

Other adblockers for non-rooted Android (like NetGuard) work in the same way.

"Using the Android VPN feature" != "Tunneling traffic through a remote network"
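The local filtering step described in the comment above, as an added example that is not part of the thread and not code from DNS66, Blokada or NetGuard: it parses a wire-format DNS query, matches the name and its parent domains against a blocklist, and either returns an NXDOMAIN reply or passes the packet on for forwarding. The blocklist entries and function names are constructed for illustration.

```python
import struct

# Constructed sample blocklist (not taken from any real filter list).
BLOCKLIST = {"ads.example.com", "tracker.example.net"}

def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query in wire format (RFC 1035), RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return (lowercased hostname, offset just past QNAME) of question 1."""
    pos, labels = 12, []          # the question starts after the 12-byte header
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels), pos + 1

def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def filter_query(packet):
    """Return ('block', NXDOMAIN reply) or ('forward', original packet)."""
    name, qend = parse_qname(packet)
    if not is_blocked(name):
        return "forward", packet  # caller relays this to the chosen upstream DNS
    # QR=1, RA=1, RCODE=3 (NXDOMAIN); copy the RD bit from the query.
    flags = 0x8183 if packet[2] & 0x01 else 0x8083
    question = packet[12:qend + 4]  # QNAME + QTYPE + QCLASS, echoed back
    return "block", packet[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + question
```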

Oh - it's a private VPN? Sorry, that wasn't clear in the article

I have a pi-hole running on a Digital Ocean Droplet and have a secure vpn to that. Both run out of docker containers, so theoretically they could run anywhere. It works great and only costs me $5/month. No ads anymore either, and I figure DO probably doesn't care too much about my web traffic - though maybe I'm wrong on that.

The only thing that is slightly annoying is that the iPhone seems to drop the VPN from time to time. If only there was a way to work that out....

> The only thing that is slightly annoying is that the iPhone seems to drop the VPN from time to time. If only there was a way to work that out....

I recall NordVPN on iOS used to do that and I took it as the norm. Perhaps a year ago, after a few iOS and apps, I noticed that not only had the time it takes to connect dropped, the drop rate had also decreased a lot.

Not directly answering the question, but this made me think that there is a way...

Isn't it a local VPN?
