Need a cleaner way to block all the ads, devices phoning home, unwanted analytic

Started by awshirley, December 12, 2024, 11:56:55 PM

I'm currently running AdGuard on OPNsense along with intrusion detection, CrowdSec and some firewall rules to keep the nasties out.  I tried messing with Zenarmor but then OPNsense kept telling me there were updates to apply, when there was none and Zenarmor felt like overkill.  I had used the blocklists in Unbound, but it was duplicating what AdGuard does.

Is there something out there that would pull all these separate things into one, cohesive dashboard or something in Docker?  I'm getting tired of having to check four different places when something my wife needs is getting blocked.

Thanks!

Pi-Hole will do most of what you want.
I run two (belt and braces) on a couple of NanoPi NEO single-board computers; they have a wired ethernet port and cost about 13€ (plus old spare phone chargers to run them). There is a lovely operating system called diet-pi which is light and comes with pre-configured modules which you can install; pi-hole is one of them.
If you're into 3D printing I have designed a case for them.
There are many blocklists available for pi-hole, the software deals with duplicates for you. I have 44 lists which gives me about 600 000 blocked domains.
The interface has a "turn off for X minutes" option for when the Missus wants to go to that dodgy shopping site.
I have also built a "Pie-Stop" button (from Planet Kris) which uses an ESP-01S to send the "turn-off" message via WiFi (pi-hole has an API available).
If you are tempted to run pi-hole in a VM somewhere it will work perfectly, but remember that if you turn off the VM host for some reason you will lose DNS for your whole network.
Hope this helps.

AdGuard can do the same; it also has blocklists you can put in. However, Pi-hole, the same as AdGuard, blocks on the DNS level and nothing else. You can control the DNS queries from hosts.

If you want premade blocklists for AdGuard or Pi-hole, have a look at Hagezi's repo:
https://github.com/hagezi/dns-blocklists

P.S. I run Piholes in HA cluster

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Clumpton on December 15, 2024, 11:14:26 AM
I have 44 lists which gives me about 600 000 blocked domains.
I have only 4 lists in the unbound blacklist category and they gave me about 900k blocked domains. Everything that can be blocked via domains can be blocked as it is, you don't need an additional service for that.

deleted by author - wrong thread
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: _tribal_ on December 16, 2024, 03:13:31 PM
Quote from: Clumpton on December 15, 2024, 11:14:26 AM
I have 44 lists which gives me about 600 000 blocked domains.
I have only 4 lists in the unbound blacklist category and they gave me about 900k blocked domains. Everything that can be blocked via domains can be blocked as it is, you don't need an additional service for that.
OK, will you please come and teach my wife how to unblock a domain in unbound?
Seriously though, the Pi-Hole interface is far more user-friendly: you can easily create groups to follow different rules, whitelist (or blacklist) specific domains from the activity log, etc.

Quote from: Clumpton on December 17, 2024, 12:02:08 AM
Seriously though, the Pi-Hole interface is far more user-friendly: you can easily create groups to follow different rules, whitelist (or blacklist) specific domains from the activity log, etc.
AdGuard Home is available on OPNsense and does that quite nicely, too.

Quote from: Patrick M. Hausen on December 17, 2024, 07:36:06 AM
AdGuard Home is available on OPNsense and does that quite nicely, too.
Indeed it does, I hadn't looked very closely at it before. However I would still need a second, independent instance to ensure continuity of service while fiddling. 

Stay with what you like most; Pi-hole or AdGuard, it doesn't matter, from the perspective of functionality they do and behave the same. Yes, Pi-hole may have a better-looking GUI. But on the other hand you cannot run Pi-hole on the OPNsense box if you are going for a single box doing DNS as well.

Anyway, you can always spin up Pi-hole or AdGuard on a different machine. If you want to fiddle with it and you are scared of breaking something, spin it up in a VM, LXC, Docker or whatever outside of OPNsense.

I use Pi-hole because it was my first FOSS project to install on my new RPi a few years back. I have it in HA (RPi + LXC on Proxmox), because when I do something on the primary (upgrades) I don't break the internet for the people at home.

Approaches may vary; implementation can be done in several ways. The point is what you want to use and what your goal is. The simplest way is to spin it up on OPNsense if your HW can afford it.

Pihole = AdGuard != GUI

Regards,
S.

There is no one-size-fits-all solution especially not for dialing home. You need to know 1) what/who is dialing and 2) where to.
No one is out there to go out of their way to make your task easier to achieve, so do not expect a free ride. It is quite the opposite: the entire Big Ad industry with their English and psychology majors and their troll farm and PR company cronies work hard against you.

I use a combination of hosts files deployed to all devices that block pesky domain names that things dial home to, e.g. aka.ms (just an example! it blocks many MS programs such as Teams etc.), together with LAN FW rules and AdGuard.
In the browsers, I use uBlock Origin which works very similarly to AdGuard but is more flexible.
Everything that does not have to be open is blocked until I determine that it needs a connection to work, and then I go from there.
There are just too many variables in this problem to expect a shrink-wrapped, ready to use single solution.
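As an added example (not code from any post in this thread), a small Python tool tying together the points raised above: Clumpton's remark that the software deals with duplicates across lists, _tribal_'s Unbound blacklist, the hosts files in the last post, and the question of how to unblock one domain in Unbound. It parses hosts-format, bare-domain and AdGuard-style lists, deduplicates, applies an allowlist and emits either Unbound local-zone stanzas or a hosts file; the sample lists and the example.* names are constructed, and the output is raw Unbound syntax, not the format of the OPNsense GUI's own blocklist feature.

```python
from __future__ import annotations
import re

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

def parse_line(line: str) -> str | None:
    """Return the domain a blocklist line targets, or None for comments and noise.
    Accepts hosts-file lines, bare domains and AdGuard-style ||domain^ rules."""
    line = line.split("#", 1)[0].strip().lower()
    if not line or line.startswith("!"):          # '!' opens an AdGuard comment
        return None
    if line.startswith("||") and line.endswith("^"):
        line = line[2:-1]
    parts = line.split()
    if len(parts) == 2 and parts[0] in {"0.0.0.0", "127.0.0.1", "::", "::1"}:
        line = parts[1]
    elif len(parts) != 1:
        return None
    return line if line not in LOCAL_NAMES and DOMAIN_RE.match(line) else None

def merge(lists: list[str], allow: set[str] = frozenset()) -> set[str]:
    """Union of all lists with duplicates and allowlisted names removed."""
    found = {d for text in lists for raw in text.splitlines() if (d := parse_line(raw))}
    return found - {a.lower() for a in allow}

def unbound_config(blocked: set[str], allow: set[str] = frozenset()) -> str:
    """always_nxdomain zones also cover their subdomains, so names under an
    already-blocked parent are collapsed; an allowed name under a blocked zone
    gets a more specific 'transparent' zone, which Unbound prefers over the
    parent zone (that is how a single domain gets unblocked in Unbound)."""
    def parent_blocked(name: str) -> bool:
        return any(name[i + 1:] in blocked for i, c in enumerate(name) if c == ".")
    zones = sorted(d for d in blocked if not parent_blocked(d))
    lines = [f'local-zone: "{d}." always_nxdomain' for d in zones]
    lines += [f'local-zone: "{a}." transparent' for a in sorted(allow) if parent_blocked(a.lower())]
    return "\n".join(lines) + "\n"

def hosts_file(blocked: set[str]) -> str:
    """Hosts files match exact names only, so nothing is collapsed here."""
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(blocked))

# Constructed sample lists in the three formats (not content of any real list).
HOSTS_STYLE = "# hosts format\n127.0.0.1 localhost\n0.0.0.0 ads.example.net\n0.0.0.0 telemetry.example.org  # phones home\n"
PLAIN_STYLE = "ads.example.net\ntracker.example.org\ncdn.tracker.example.org\n"
ADGUARD_STYLE = "! AdGuard format\n||telemetry.example.org^\n||metrics.example.com^\n"

def demo(allow: set[str] = frozenset({"cdn.tracker.example.org"})):
    blocked = merge([HOSTS_STYLE, PLAIN_STYLE, ADGUARD_STYLE], allow)
    return blocked, unbound_config(blocked, allow), hosts_file(blocked)
```

Drop the generated stanzas into an Unbound include file and reload; for a hosts-file deployment use the second output instead, remembering that it only matches exact names.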