Block Ads with DNS in OPNsense



First, something of a rant so everyone knows why I wrote this article, feel free to skip it if you like. There has been a lot of interest in ad blocking lately. I blame most of it on greedy website owners that force their users to endure very intrusive ads to turn a profit. Annoying users isn’t really a very good business model, and has only contributed to the rise in popularity of ad-blocking. OPNsense can block ads for your entire network.

If you're in a work environment, you may need to look up information on the web. Coming across an ad with sound on by default can be annoying for both you and your co-workers. At home they are an inconvenience: ads that scroll down the page as you read, ads that just randomly pop up after you have read a certain amount of an article, and even non-skippable ads before YouTube videos. All of these are very intrusive, so naturally users got irritated and started making ad-blockers. When the websites started getting more and more greedy, they started making ads that intentionally try to get users to click on them accidentally.

Now I understand that ads are how websites make money, but I think anything more than a static non-animated non-scrolling side-bar ad is annoying. These greedy websites posting in-your-face ads are ruining it for everyone, because in my opinion ad-blocking is no longer optional; it's a requirement for web browsing. That is why I am writing this article: it is a guide to blocking the majority of ads on your entire network with DNS and OPNsense.

What is OPNsense?

Does it sound a lot like pfsense? Maybe you’ve heard of that one? Or possibly the now-ended m0n0wall project? Anyway if you haven’t heard of any of those feel free to check them out. This article will only be using a fork of pfsense called OPNsense from https://opnsense.org/.

OPNsense is a free firewall Operating System that you can load on just about any old or new computer. The only real requirement is that you need two Network Interface Cards (NICs). A computer from the last decade would probably be ideal. OPNsense only requires a 500 MHz CPU for the minimum configuration. If you still have something slower than that around, take a minute and either donate it to a museum or throw it away… There is a somewhat steep learning curve, but their documentation is great. If you can't find what you need in their documentation, you can almost always adapt solutions from the pfsense documentation or forums to work in your OPNsense firewall.

The reason I chose to use OPNsense for my home firewall was because it seems to have the most user-friendly Web Interface. I tried other open-source firewalls, but the WebGUI was usually pretty confusing. I run OPNsense on a mini-PC with a 2 GHz quad-core 64-bit CPU, 8 GB of RAM, a 32 GB Solid State Drive (SSD), and 4 gigabit NICs. The average home user probably doesn't need anything close to that much power, but I usually like to go big. So far I've been very happy with my open-source firewall.

Blocking Ads

I don't want to spend a lot of time going over the initial configuration of OPNsense, but here are the basics. There is a wizard you can run through to customize the system to your specific needs. There are a couple of things you will need to do to be able to use the built-in DNS server to block ads. Changes are required in both the GUI and from the console.

GUI Configuration

First of all you might want SSH access to the firewall. To enable SSH go to System -> Settings -> Administration, and check the box for "Enable Secure Shell". The next thing you're going to need to do is set up the DNS Resolver, not the Forwarder. Below is a screenshot of how I have the DNS Resolver configured:
Pay attention to the "custom options"; we will be creating that file later on. Beyond that, I just accepted the default configuration. You may need to make your own adjustments for your specific network. For right now, don't worry if the Resolver service won't start. We need to create the file in the console section.

Console Configuration

I'm going to assume that for this part you are connected to a shell as root. Do this either by using SSH, or by logging directly into the console. Next, you need to install the software package required by the script. To install it use the following command; I usually add "nano" to the end just because I like it better than vi:

pkg install curl

Any other packages should already be installed. The next thing to do is download the script and set permissions using:

curl https://devinstechblog.com/update-hosts.sh -o update-hosts.sh
chmod +x update-hosts.sh

Note: I cannot take full credit for this script; it is closely based on a script taken from: https://wuffleton.com/code/unbound-blacklist/. I modified how it parses the information to get it in a format the latest version of OPNsense could use. I also changed the path for the final output file.

If you edit the script you will see commented-out lines. Use them to change the whitelist and blacklist variables depending on how much filtering you want; decide how many to enable based on your needs. All blacklists are enabled by default. The final output file is de-duplicated, so you don't need to worry about duplicate entries. Once you have it configured to your liking, the only thing left to do is run it with:

./update-hosts.sh

A file should have been created at "/var/unbound/ad-blacklist.conf". If your DNS Resolver is configured correctly, you can go back to the page and restart the service. You're not quite done yet: you still need to configure hosts to use the DNS server. Make sure DHCP and any statically assigned hosts use the firewall as their DNS server. This certainly doesn't block ALL ads, but it helps a lot, especially on mobile devices using Wi-Fi with browsers that aren't capable of using ad-block plugins.
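To make the "download, parse, de-duplicate, write an unbound include file" step concrete, here is an added example of the kind of processing such a script performs. It is not the blog's update-hosts.sh nor the wuffleton.com script it is based on; the function names, the hosts-file and plain-list input formats it accepts, and the sample lists are constructed for this demonstration, and it assumes the Resolver's custom options include the generated file with an `include:` directive.

```shell
#!/bin/sh
# Added example: builds an unbound include file from ad blocklists.
# Not the blog's update-hosts.sh; the file names and sample lists below
# are constructed for this demonstration.

# Reduce one or more blocklist files to one lowercase domain per line.
# Handles hosts-file format ("0.0.0.0 ads.example.net", "127.0.0.1 ...")
# and plain one-domain-per-line lists; comments, CRLF line endings and
# entries that are not well-formed host names are dropped.
extract_domains() {
    cat "$@" | tr -d '\r' | sed 's/#.*$//' | awk '
        NF == 0 { next }
        # hosts-file line: first field is an IPv4/IPv6 address, names follow
        $1 ~ /^[0-9.]+$/ || $1 ~ /:/ { for (i = 2; i <= NF; i++) print tolower($i); next }
        # plain list: the name is the first field
        { print tolower($1) }
    ' | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$'
}

# Drop names listed in the whitelist file (one domain per line, no blank
# lines); an empty or missing whitelist passes everything through.
apply_whitelist() {
    if [ -s "$1" ]; then
        grep -v -x -F -f "$1"
    else
        cat
    fi
}

# Emit unbound directives: a redirect zone per domain so the name and all
# its subdomains answer A 0.0.0.0, which is what stops the ad from loading.
# Usage: build_blacklist WHITELIST BLOCKLIST...
build_blacklist() {
    wl=$1; shift
    extract_domains "$@" | sort -u | apply_whitelist "$wl" | awk '{
        printf "local-zone: \"%s\" redirect\n", $1
        printf "local-data: \"%s A 0.0.0.0\"\n", $1
    }'
}

# Constructed sample lists standing in for downloaded blocklists.
write_sample_lists() {
    cat > "$1/hosts-style.txt" <<'EOF'
# constructed: hosts-file format, mixed case, a duplicate and a comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 Tracker.Example.COM
0.0.0.0 ads.example.net
EOF
    cat > "$1/plain.txt" <<'EOF'
# constructed: plain list, one domain per line
banner.example.org
keep.example.org
tracker.example.com
EOF
    printf 'keep.example.org\n' > "$1/whitelist.txt"
}

# Stand-alone demo: "sh adblock-example.sh demo" prints the generated config
# (three local-zone/local-data pairs; keep.example.org is whitelisted away).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_lists "$tmp"
    build_blacklist "$tmp/whitelist.txt" "$tmp/hosts-style.txt" "$tmp/plain.txt"
    rm -rf "$tmp"
fi
```

Two points matter for a resolver that consumes this file. First, the include file is parsed as unbound configuration, so the strict host-name filter is not cosmetic: a malformed or unexpected line in a downloaded list would otherwise stop the Resolver from starting, and restricting every entry to a well-formed name with a fixed `A 0.0.0.0` answer keeps the list from controlling anything except which names are blackholed. Running `unbound-checkconf` on the Resolver's configuration before restarting catches such breakage without taking DNS down for the network. Second, `redirect` also answers for every subdomain of a listed name, which is broader than a hosts-file entry that only blocks the exact name; if that over-blocks a site, narrow the zone type or add the name to the whitelist.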

Conclusion

Occasionally I run into pages that don't load because they are trying to play a video first. A refresh of the browser will usually fix that. In my opinion that is a small price to pay for not having to watch a 30 second video. I still use an ad-blocking plugin for my browser, because this doesn't block everything. If you ever need to bypass the filter, just manually set a different DNS server. You can comply when websites ask to "Please disable your ad-blocker", and know that ads will still be blocked. The OPNsense DNS server just resolves known ad-providing domains to 0.0.0.0, which prevents the ad from even downloading. This speeds up loading times and reduces bandwidth usage.

I hope you found this article interesting, and that it helps you in your fight against ads. For even more protection, you can use your own machine’s hosts file to block ads as well. For more information check out these sites that provide the blacklists:
http://winhelp2002.mvps.org/
http://pgl.yoyo.org/adservers/
and
https://adaway.org/
