Jitdor Tech Tips

AdGuard – blocking ads and trackers at the OS level

Everyone loves ad blockers, so long as your livelihood does not depend on advertising. Pretty much everyone I know is running some sort of ad blocker in their browser, such as uBlock Origin or AdBlock Plus; and the newer Firefox browser even comes with a built-in ad filtering engine! (Which is great btw) But browser extensions are so 2009. Let’s read on to find out how you should be dealing with ad and tracker filtering in 2020.

Browser-based adblocker limitations

Browser-based adblockers have their limitations unless you are using Chrome OS, where everything runs within the browser. The filtering capabilities of browser ad-blockers are confined to the browser. Ad-supported apps, like much of the “freeware” out there, will continue to display ads under your nose. In addition, browsers like Microsoft Edge display a default start page full of ads waiting for you to click on, like those circled in red below:

Microsoft Edge’s default start page is infested with ads looking like real informative articles

As this start page is loaded before the extensions, the ads will be displayed even if you have an ad filtering extension installed. If you have AdGuard installed on the system, this is what you’ll see:

If, like me, you use multiple browsers on a single computer, you will need to apply the same set of custom rules and exceptions to the ad block extension in each browser, in order to get the same sites to work or to block that annoying ad on that specific site you must visit. Having an OS-level blocker eliminates that, as the same filtering rules apply to all browsers on the computer, as well as to the non-browser apps you’ve specified. On my computer, I have configured AdGuard to filter Modern UI apps, the Steam client and the QQ Music client.

DNS filtering, the pros and cons

DNS filtering works by intercepting DNS requests and matching them against a known database of ad and malware domain names. Examples of such solutions include Pi-hole and AdGuard Home. The blocking happens at the domain name resolution level: if the requested name matches the blacklist, the DNS server returns either 127.0.0.1 as the resolved IP address or an NXDOMAIN (domain not found) response. Either reply prevents your application from communicating with the blacklisted servers, so the ad banner or tracking cookies appear to be blocked in the process.

While this method works to some degree, it is not foolproof. As the filtering is domain name based, a lot of ads can slip through the DNS filter. I mean a lot. This is because a full filtering engine can perform URL and HTML/StyleSheet-based pattern matching, which a DNS filter cannot. For example, a conditional AdBlock rule such as `2345.com#?#.pic:-abp-has(a[href^="http://g.wan."])` cannot be enforced in a DNS filtering solution, as the DNS filter can only either allow access to 2345.com or block it entirely. It does not take into consideration the full URL being requested or the HTML contents. And where a domain is blocked, your browser or application will believe that the servers are not accessible, and the ad areas will be replaced with broken image messages, which can be unsightly.
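The difference in granularity described above, as an added example that is not part of the original post and is not AdGuard's or Pi-hole's code. The blocklist entries, the network rules and the function names are constructed for illustration, and the network-rule matcher handles only a simplified subset of Adblock syntax (`||host^` and `||host/path-prefix`).

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical domains, not from a real filter list).
DNS_BLOCKLIST = {"ads.example.net", "tracker.example.org"}
URL_RULES = ["||cdn.example.com/banners/", "||ads.example.net^"]
# The element-hiding rule quoted in the article.
COSMETIC_RULE = '2345.com#?#.pic:-abp-has(a[href^="http://g.wan."])'


def dns_decision(qname, mode="loopback"):
    """Return the sinkhole answer for a blocked name or subdomain, else None (forward upstream)."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DNS_BLOCKLIST:
            return "127.0.0.1" if mode == "loopback" else "NXDOMAIN"
    return None


def url_blocked(url):
    """Match the simplified network rules against host AND path, which DNS never sees."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for rule in URL_RULES:
        rule_host, _, rule_path = rule[2:].rstrip("^").partition("/")
        if host == rule_host or host.endswith("." + rule_host):
            if (parts.path or "/").startswith("/" + rule_path):
                return True
    return False


def parse_cosmetic(rule):
    """Split an extended element-hiding rule into (domains, selector)."""
    domains, sep, selector = rule.partition("#?#")
    if not sep:
        raise ValueError("not an extended element-hiding rule")
    return domains.split(","), selector


def verdicts(url):
    """(DNS answer for the host, URL-filter verdict) for one request."""
    return dns_decision(urlsplit(url).hostname or ""), url_blocked(url)
```

For the banner URL on `cdn.example.com` the DNS layer returns `None` (the name resolves normally) while the URL filter blocks only that path. The selector half of the cosmetic rule can only be evaluated against a parsed page, so the DNS layer's one available choice for 2345.com remains all or nothing.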

DNS filtering is also easily bypassed by newer apps that resolve DNS on their own, either using their own DNS servers, or over HTTPS or TLS, which can be very difficult to block. Such apps are on the rise, given how easy it is for McDonald’s and Starbucks to hijack DNS on their free Wi-Fi and for ISPs to poison DNS caches.

For devices where it is not possible to install filtering apps, like an Apple TV or a non-Android Smart TV, DNS filtering is better than no filtering. Otherwise, AdGuard is probably the best solution out there today to make you forget there are ads out there.

Outlook for Android app: when AdGuard is disabled (left), Outlook pins an ad to the top of the message pane

Licensing

When I first purchased AdGuard back in April 2019, it required different licenses for mobile devices and computers. I bought a 3+3 license for my phone, tablet, Nvidia Shield TV and my work and personal PCs. There was a licensing change in October 2019, after which a device license could be assigned to any type of device.

A couple of months back I was caught in the situation of not having enough mobile licenses after getting a new Android device (an Android-based TV box that is not running the Android TV OS). Because my license is a lifetime license, converting the unused computer license to a mobile device license isn’t possible. So during their Black Friday promo, I purchased an additional 9-device license to cover my future needs. In my home network, I have a Sophos XG at the edge that does some URL filtering, as well as a couple of AdGuard Home instances providing DNS resolution service.

Feature suggestion

To the AdGuard developers out there, if you are reading this, I would very much like to see a setting-sync function, where enrolled AdGuard instances of the same platform could share the same configuration profiles created by me. So when I add an extension or exclude a domain from HTTPS filtering, the new settings get populated to my other computers as well.

