OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: bbyrd on July 09, 2022, 02:18:42 pm
-
Hi all - new to OPNSense, just getting everything set up. I'm transitioning across from running ASUS-Merlin on an RT-AC68U (running Diversion for adblocking).
Most things are working (Caddy2 port-forwarding, OpenVPN, Tailscale, fixed IPs etc), but adblocking has been a complete fail. Seemed easy to set up with blocklists in Unbound... but pretty much nothing was being blocked—very frustrating after very effective blocking on the old ASUS.
I worked through a range of guides and examples (even had a play with the community Adguard Home plug-in—decided I didn't need to see that level of detail for now). Noting seemed to be effective.
My current setup is as follows (what I've been led to believe is relevant):
- DNS servers set to Quad9 IPv4 and IPv6 servers under [System -> Settings -> General]
- Port forward rules to DNS to 127.0.0.1 (ordered before default allow rules)
- Unbound enabled
- Blocklists enabled and added (built in AdAway and AdGuard, plus the Steven Black list that is default from Diversion
I noticed how bad the blocking was on my phone (wifi at home—which is usually much better blocking than when out), but have been subsequently testing with https://canyoublockit.com/. I've been running DNS flushes as I've been testing (ipconfig /flushdns in Windows 10).
I did recently change internet providers (ISP).. could they be forcing a different DNS (would this matter re ads?)?
Does anyone have any suggestions / ideas/ other guides for me?
Thanks!
-
Your devices may be using secure DNS (DNS over TLS (port 853) or DNS over HTTPS (port 443)), so filtering port 53 may not be of much use nowadays. I would suggest disabling DNS based filtering altogether and look into Sensei/Zenarmor instead. At least that's what works for me.
-
Try AdGuardHome ;)
https://forum.opnsense.org/index.php?topic=22162.0
-
Thank you both...
Try AdGuardHome ;)
https://forum.opnsense.org/index.php?topic=22162.0
As noted above... I did try Adguard Home (in still installed, just not enabled). It was blocking some things (but not ads). I actually used that tutorial (from, your link to set up), but saw no performance difference than just using the same blocklists in Unbound (i.e. blocked some banners ads in canyoublockit, but that's all).
Your devices may be using secure DNS (DNS over TLS (port 853) or DNS over HTTPS (port 443)), so filtering port 53 may not be of much use nowadays. I would suggest disabling DNS based filtering altogether and look into Sensei/Zenarmor instead. At least that's what works for me.
I'm seeing the same issues on my Windows 10 machine (pretty sure that's not using DoT) as on my mobile device (Android... it could be using DoT... but ads were much better blocked on my old browser by Diversion—which I believe uses DNSMasq and the Scott Black blocklist). So I don't think this is a DoT / port 853 issue—but Zenamour might be worth a look anyway (I did read up a little on it when I was planning my switch over to OPNSense on the HP T620+ device I'm using).
-
Strange I’m just using https://dbl.oisd.nl/ and all I blocked (for me)
-
I'm back trying Adguard Home again (I had already added OISD when testing earlier)... I'm seeing it pick up on a lot of back-to-base calls (like Sensibo and Alexa), but not really anything much that looks like ads (and canyoublockit still displays ads).
Will keep playing!
-
Keep in mind that you can add block lists in AdGuard Home in the UI quite easily. So if you are missing anything that does not come with the default installation, you can still enable whatever list you have come to prefer.
-
Keep in mind that you can add block lists in AdGuard Home in the UI quite easily. So if you are missing anything that does not come with the default installation, you can still enable whatever list you have come to prefer.
Thanks - I was aware (have already added the Scott Black and OISD lists).