That said... I like that Optimal have made this too, because neither of the above can work for all devices in a household and more things in the house are tracking you and serving adverts (TV!).
The real questions I have are:
Who sources the list of domain names in there that they will null route?
How will this work with DNSSEC protected sources or whether they anticipate this at all?
How will they become aware of new domains being used by smart devices that are not shared by web sites (and therefore no-one notices and adds it to any blacklist)?
Hi I'm the CEO of Optimal, Rob. We use open source lists of adservers but have had to evolve from those lists since some of them are invalid or overly aggressive. We do not and will never make decisions about what to block based on being paid by any of these companies. We are building a consumer filtering system, and we are responsible to consumers. If you try it out and find any sites that don't work as intended please email us or contact support.
If you want StevenBlack's hosts list to be network-wide I integrated it with an open source, self-hosted DNS server called https://pi-hole.net/ last week which adds a slick admin interface and browser extensions too, then I put it all in a Vagrantfile and set my router to use the VM as a DNS server.
> neither of the above can work for all devices in a household and more things in the house are tracking you and serving adverts
Isn't the best approach to just buy only devices that are either known not to have adware onboard (e.g. "dumb" TVs), or that can be re-flashed with software you can relatively trust?
That only applies to the core OS and its capabilities. The apps can contain all the nonsense they want, because the OS can deny access or feed sanitized data if the app is badly written or insists on a business model where the user pays with their privacy.
DNS service. If you utilize our DNS-based service, we may receive information about your IP address and URLs requested by that address. DNS requests utilize the UDP protocol which means we do not typically get information on the full URL you are attempting to visit (We receive far less information than a company providing a VPN service to you, for example, and that is one of the reasons we prefer this approach as it gives us far less information about user browsing). We do, however, have an IP address associated with each request and so could produce a list of sites visited by each IP address using our DNS servers. We do not know who you are when you use our DNS service, however. IP addresses may also be shared between users, and are not universally regarded as personally identifiable. We only use the IP addresses as follows: (a) the count of unique IPs we use as a benchmark for the adoption of our DNS service, and (b) we may check IP addresses against a free database of countries or cities provided by MaxMind and hosted on our servers, to limit the ability for users outside of certain areas to use our DNS service. We will not use the IP addresses we gather for any other purpose, and we will not correlate or combine them with any other personal information provided by you or other DNS service users, and we will never sell or share any of this information with any outside companies in any way. We may use aggregate request counts to help compensate publishers based on overall site traffic, across all users of our DNS service.
- We may share personal information with your consent. For example, you may let us share personal information with others for their own marketing uses. Those uses will be subject to their privacy policies.
- We may share personal information when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- We may share personal information for legal, protection, and safety purposes.
- We may share information to comply with laws.
- We may share information to respond to lawful requests and legal processes.
- We may share information to protect the rights and property of Optimal.com Corp., our agents, customers, and others. This includes enforcing our agreements, policies, and terms of use.
- We may share information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any person.
- We may share information with those who need it to do work for us.
- We may also share aggregated non-personal data with others for their own uses.
Essentially, there are so many reasons for us to share your personal information that we can't help it.
Instead of letting the browser grab the DNS abstractly all the way down through the OS, use your ISP's standard DNS for the exact address in the address bar and/or a white list, and their DNS for implicit requests. Still leaks a picture of you, but a far muddier one.
Now that's a blast from the past. Back in 1996 I joined a company in Mountain View called Optimal Networks, Inc. which had the domain name optimal.com. We sold the company to Compuware and the domain lived on for a while.
If you search [email protected] you'll find ancient messages from me still lurking on the web. I wonder if that email still receives spam?
This looks really cool, especially for the bajillion mobile-only people connecting straight through their telco without any ublock/ghostery/hosts/etc blocking.
I am using a local DNS server that does this called Pihole [1] supplemented with additional blocklists [2] for malware and privacy.
One thing I don't see is any statistics ... you might be surprised at how much software in your home is endlessly communicating with companies you might not even have heard of, and that's been a great benefit of taking control of my DNS resolution [3].
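As an added example (not Pi-hole's own tooling), the kind of statistics the comment above asks for: a small parser for dnsmasq-style query logs, the format Pi-hole builds on, reporting per-client query and block counts and the most-sinkholed names. The log excerpt, the /etc/pihole/gravity.list path and the 0.0.0.0 / :: sinkhole answers are constructed assumptions about the reader's resolver.

```python
import re
from collections import Counter, defaultdict

# Constructed dnsmasq/Pi-hole style log excerpt (not a real capture). Pi-hole
# answers list hits from gravity.list with 0.0.0.0 (A) or :: (AAAA); the list
# path and sinkhole addresses are assumptions about the reader's setup.
SAMPLE_LOG = """\
Apr  3 09:12:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Apr  3 09:12:01 dnsmasq[812]: forwarded www.example.com to 9.9.9.9
Apr  3 09:12:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Apr  3 09:12:02 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.20
Apr  3 09:12:02 dnsmasq[812]: /etc/pihole/gravity.list ads.tracker-example.net is 0.0.0.0
Apr  3 09:12:03 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.20
Apr  3 09:12:03 dnsmasq[812]: forwarded cdn.example.org to 9.9.9.9
Apr  3 09:12:03 dnsmasq[812]: reply cdn.example.org is 198.51.100.8
Apr  3 09:12:05 dnsmasq[812]: query[A] metrics.tv-vendor-example.com from 192.168.1.31
Apr  3 09:12:05 dnsmasq[812]: /etc/pihole/gravity.list metrics.tv-vendor-example.com is 0.0.0.0
Apr  3 09:12:06 dnsmasq[812]: query[AAAA] metrics.tv-vendor-example.com from 192.168.1.31
Apr  3 09:12:06 dnsmasq[812]: /etc/pihole/gravity.list metrics.tv-vendor-example.com is ::
Apr  3 09:12:09 dnsmasq[812]: query[A] api.streaming-example.com from 192.168.1.31
Apr  3 09:12:09 dnsmasq[812]: forwarded api.streaming-example.com to 9.9.9.9
Apr  3 09:12:09 dnsmasq[812]: reply api.streaming-example.com is 203.0.113.7
Apr  3 09:12:15 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.31
Apr  3 09:12:15 dnsmasq[812]: /etc/pihole/gravity.list ads.tracker-example.net is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
# A list hit names the list file (a path), not "reply", before the domain.
BLOCK_RE = re.compile(r" (?P<list>/\S+) (?P<name>\S+) is (?:0\.0\.0\.0|::)$")


def summarise(log_text):
    """Return (per_client, blocked_names, blocked_pct).

    per_client maps client IP -> {"queries": n, "blocked": n}; blocked_names is
    a Counter of sinkholed names; blocked_pct is the share of all queries that
    were answered from the blocklist, rounded to 0.1%.
    """
    per_client = defaultdict(lambda: {"queries": 0, "blocked": 0})
    blocked_names = Counter()
    # The blocklist hit is logged on its own line without the client address,
    # so remember who last asked for each name and credit the hit to them.
    last_client = {}
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            per_client[q["client"]]["queries"] += 1
            last_client[q["name"]] = q["client"]
            continue
        b = BLOCK_RE.search(line)
        if b:
            blocked_names[b["name"]] += 1
            client = last_client.get(b["name"])
            if client is not None:
                per_client[client]["blocked"] += 1
    total = sum(c["queries"] for c in per_client.values())
    blocked = sum(blocked_names.values())
    pct = round(100.0 * blocked / total, 1) if total else 0.0
    return dict(per_client), blocked_names, pct


if __name__ == "__main__":
    clients, names, pct = summarise(SAMPLE_LOG)
    print(f"{pct}% of queries blocked")
    for ip, c in sorted(clients.items()):
        print(f"{ip}: {c['blocked']}/{c['queries']} blocked")
    for name, n in names.most_common(5):
        print(f"  {n:3d}  {name}")
```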
Pihole is awesome! We love what they are doing and if you can't get there on trusting us but want a pure, local network blocking solution I highly recommend this project! On my medium.com/@robleathern page I talk about my experience setting one up.
It would be useful if their website described what exactly it installs. A recursive DNS server with a web UI and big list of null-routed domains? That's my guess.
How does that help mobile users outside their home network without also setting up a VPN back in?
It turns out to be a pretty bad experience. There are tons and tons of legit domains that serve normal content that also serve ads. I used a subset of urls from a popular ad blocking list (https://github.com/geuis/lead-dns/blob/master/lists/easypriv...).
After only a few hours, using the web normally was near impossible. Just a very broken experience. Sadly, since you can't pass a path to a dns server, there's no finer-grained way to allow certain requests to a domain to go through and block others.
I've been using DNS to filter out the worst offenders. I don't mind most ads, so my list of domains is quite small. But, I've found it to be an effective tool.
I agree, however, that anytime a site is broken I'm left wondering if I'm responsible because I've inadvertently blocked a CDN or something important.
I put this hosts file on every device/router that I touch.
It works fully local. So infinitely (and this is not even hyperbole) faster, and you won't have to exchange one privacy hole for another on the "cloud".
>infinitely (and this is not even a hyperbole) faster
Not if your HOSTS file is >135KB (the one you've provided is 373KB), you're using Windows 8 or earlier and you haven't disabled the DNS Client service.
I'd like to believe that Optimal is being altruistic with their DNS servers and just trying to help rid the world of annoying ads...but I'm also realistic.
My VPN provider (Torguard) provides one of these as well. I'm a little more willing to trust them not to do anything malicious with my DNS requests, if only because I'm paying them.
I don't find the "I can trust them because I'm paying them" idea very useful. Nor the "If you're not the customer you're the product."
The bottom line is, if your information is valuable, then it will be in the advantage of those who possess it to exploit it whether you pay them or not. The only real non-moralistic consideration is whether you will stop paying if they start selling.
Either way, "I have a moral obligation to not sell your info, even if you don't pay me not to" sounds a lot better to me than "I don't sell your info because you think you're paying me not to." It's a horse apiece if you're dealing with strangers and you have to take them at their word.
I'm definitely wary of handing over my DNS data to a company I don't know. Besides, Safari ad blocking plugins already take care of this while surfing.
This may have unintended (both good or bad) effects on normal app experience since it's configured on the network.
An "ethical" ad blocking service launched Thursday that allows users to pay their favorite publishers not to show them ads.
[...]
With Optimal.com, users will pay a flat monthly fee (Leathern told Business Insider the exact amount hasn't been released, but it's likely to be a high single-digit number) to experience an ad free web.
All ad-blocking is ethical. It's the advertisers job to make me aware of products in a way that doesn't anger me, and they're doing a really shitty job.
I've been using it routinely for the past couple of months and it works really well. It blocks web ads, but it blocks in-app ads and tracking as well. Tailing a log when launching an iPad game makes for an interesting read. If anything slips through, just check the log, add the offender to the blacklist and restart the daemon.
Protip: Doing this at the DNS and not the browser level leads to lots of brokenness. (Like when you try to sign into an app on your Roku/FireTV and it hangs on a Google Analytics event).
One significant benefit of OpenDNS is you can go whitelist a site/domain from filtering if it's breaking something and they have more categories than just 'Advertising'. I use it to help protect myself and my children from pornography.
I'd like to set up an ad-blocking service, but I fear that I'll spend all my time admin-ing/whitelisting sites when a family member has a broken web experience. Is this an inevitability based on the nature of things?
If there is strong demand I could put together a solution for home networks that does not use a third party resolver, i.e., no tracking whatsoever. It could be run from an SD card or USB stick entirely in memory, i.e. no install needed. All you need is an extra computer; old is fine.
As for the "breaking" some websites, it depends on what you block. Speaking for myself, if blocking doubleclick.net makes one out of thousands hang, then that is acceptable. In fact it's desired because I want to know about such sites. What kind of website would do that? Doubleclick offers zero value to the user. I like this aspect of DNS blocking.
Also it's easy to "whitelist" or "blacklist" certain subdomains if that's what you need to do. Simply a matter of editing a text file, and this can be automated.
As for the comments about what effect this would have if practiced by the masses, I think it would bring these ad-supported search engines and social media sites to a day of reckoning.
Users would have all the power. At least one search engine claims it's focused on users. This would put that statement to the test. Users in control. As it should be.
I have tried DNS ad blocking based on one of the popular lists out there. Sadly it was overly aggressive. It cut off my access to sites like mint.com and the Google Analytics dashboard (need it for $WORK). It also made sites like Hulu not work because of their ads. Debugging why this was happening was a huge pain because for example Mint uses Intuit domain names that are like right levels deep CNAMEs.
I am going to try this out, but here I would have even less control since I can't edit the zone file.
Edit: Just turned it on and cleared all relevant caches. Still seeing ads all over Google, CNN, BBC, Imgur and a few others. Don't think this works terribly well.
Edit 2: oh but now the Comedy Central app on my phone won't launch. Turning this off.
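Three points raised above (a resolver only ever sees the name, never the path; allow/block decisions come down to editing a text file; a list entry that hits one hop of a CNAME chain is hard to spot) modelled in one added example that is not the code of any project mentioned in this thread. The block list, allow list, URLs and CNAME chain are constructed.

```python
from urllib.parse import urlsplit

# Constructed lists for this example. The hosts-style block list mimics the
# popular published ones; the allow list is the kind of local exception file
# the thread describes editing by hand.
BLOCKLIST_TEXT = """\
# <sinkhole address> <name> [name ...]
0.0.0.0 doubleclick.net
0.0.0.0 ads.tracker-example.net
0.0.0.0 google-analytics-example.com
0.0.0.0 a1234.g.cdn-example.net   # an entry that also hits a CDN hostname
127.0.0.1 localhost
"""
ALLOWLIST_TEXT = """\
# one name per line; exempts the name and everything under it
dashboard.google-analytics-example.com
"""
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Blocked names from hosts-file lines; comments and localhost are skipped."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] in SINKHOLES:
            names.update(n.lower().rstrip(".") for n in fields[1:] if n != "localhost")
    return names


def parse_names(text):
    """One bare domain name per line, '#' comments allowed."""
    return {f[0].lower().rstrip(".") for f in
            (line.split("#", 1)[0].split() for line in text.splitlines()) if f}


def zones(name):
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com', 'com']."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def is_blocked(name, blocklist, allowlist):
    """Allow list wins; otherwise the name or any enclosing zone on the list blocks it."""
    if any(z in allowlist for z in zones(name)):
        return False
    return any(z in blocklist for z in zones(name))


def is_url_blocked(url, blocklist, allowlist):
    """A resolver only ever sees the hostname. Scheme, path and query never
    reach it, so every URL on one host gets the same answer: no per-path exceptions."""
    return is_blocked(urlsplit(url).hostname, blocklist, allowlist)


def first_blocked_in_chain(chain, blocklist, allowlist):
    """chain: the name queried, followed by each CNAME target in order.
    Returns the first name a sinkholing resolver would refuse, or None. The
    browser only reports the queried name failing, which is why a list entry
    matching a hop in the middle of a deep CNAME chain is so hard to debug."""
    for name in chain:
        if is_blocked(name, blocklist, allowlist):
            return name
    return None


if __name__ == "__main__":
    block, allow = parse_hosts(BLOCKLIST_TEXT), parse_names(ALLOWLIST_TEXT)
    for url in ("https://news-example.com/story", "https://news-example.com/ads/unit.js"):
        print(url, "->", "blocked" if is_url_blocked(url, block, allow) else "allowed")
    chain = ["www.finance-example.com", "finance-example.edge.cdn-example.net",
             "a1234.g.cdn-example.net"]
    print("chain breaks at:", first_blocked_in_chain(chain, block, allow))
```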
How easy is it to temporarily switch it off if a site is broken? Like if they have some crucial JS/CSS served from a blocked domain? I also wonder this with the hosts file approach. Is that kind of flexibility you give up for speed?
This is a slight issue, we are looking at ways to make this easier. The reality on the hosts file approach we think is that we can be far more dynamic and help protect users from bad domains as well, but time will tell.
Adding another vote of confidence for running your own local DNS resolver with a block list. I use this script to generate a compatible hosts list for unbound:
My strategy is to use OpenDNS to block sites, and uBlock Origin to block all 3rd-party access. Then I whitelist stuff. Whitelisting is more work than blacklisting but I'd claim it is more comprehensive. On my phone I just disable javascript.
buro9 | 9 years ago
Or you can combine that with https://github.com/jlund/streisand to have a VPN service that happens to adblock (great for mobile).
optimalrob | 9 years ago
benologist | 9 years ago
Screenshot: https://i.imgur.com/ELL9CDu.png
Vagrantfile: https://github.com/benlowry/pihole-extended-hosts
stordoff | 9 years ago
I use this with DD-WRT to get network-wide filtering. It's not perfect (only updates on router boot), but good enough for me.
Additional DNSMasq options:
Startup script:
koolba | 9 years ago
Borating | 9 years ago
[1] https://github.com/tbds/FreeContributor
drdaeman | 9 years ago
hoopsho | 9 years ago
JustSomeNobody | 9 years ago
binaryanomaly | 9 years ago
Not sure which one is worse ..?
themihai | 9 years ago
Flammy | 9 years ago
WHAT WE COLLECT
We get information about you in a range of ways.
snip
0xmohit | 9 years ago
Amusingly, the website:
- Uses Google Analytics
- Runs over HTTP (not HTTPS)
boxfire | 9 years ago
jgrahamc | 9 years ago
optimalrob | 9 years ago
benologist | 9 years ago
[1] https://pi-hole.net/
[2] https://github.com/benlowry/pihole-extended-hosts
[3] 5.1% of my network's requests today got blocked - https://i.imgur.com/ELL9CDu.png
optimalrob | 9 years ago
dingaling | 9 years ago
geuis | 9 years ago
josho | 9 years ago
profeta | 9 years ago
bitchypat | 9 years ago
http://winhelp2002.mvps.org/hostswin8.htm (about half way down)
AdmiralAsshat | 9 years ago
Retra | 9 years ago
bognition | 9 years ago
chews | 9 years ago
matt_wulfeck | 9 years ago
nherment | 9 years ago
Source: http://uk.businessinsider.com/optimal-launches-subscription-...
aphextron | 9 years ago
quickben | 9 years ago
Is that even legal?
latitude | 9 years ago
https://github.com/apankrat/dnswhisperer
jamiesonbecker | 9 years ago
shafiqissani | 9 years ago
seanwilson | 9 years ago
witty_username | 9 years ago
dsl | 9 years ago
sparrish | 9 years ago
ChartsNGraffs | 9 years ago
textmode | 9 years ago
IgorPartola | 9 years ago
joemccall86 | 9 years ago
optimalrob | 9 years ago
aorth | 9 years ago
https://github.com/jodrell/unbound-block-hosts
It's not terribly sophisticated, but every few weeks or whatever I just run this again:
unknown | 9 years ago
[deleted]
intrasight | 9 years ago