I'm not a big fan of in-browser adblocking. For one, I have my doubts about several of the extensions – Adblock Plus, for instance, comes from a for-profit, though I grant you this critique might be partisan. Also, I like to switch browsers freely and certainly don't want to maintain block lists for each of them, and finally quite a few clients other than browsers may render HTML and hence ads.
So, how do you do that? Well, you first make sure that your computer does the name resolution itself. On Debian, you do that by installing the packages resolvconf (without a second e; in a systemd environment I think you want to use systemd-resolved instead) and dnsmasq; that's really all, and that ought to work out of the box in all reasonably common situations:
$ sudo apt install resolvconf dnsmasq
You will probably have to bring your network down and up again for this to take effect.
Once that's done, you can tell dnsmasq what names to resolve to what. The man page dnsmasq(8) documents what to do under the --address option (you could actually configure dnsmasq through command line options exclusively), where you can read:
Specify an IP address to return for any host in the given domains. […] A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same was [sic, as of bullseye] as for --server […]
– and from the documentation of --server you learn that <domain> is interpreted as a suffix (if you will), such that if you give an address for, say, google.com, it will also be used for foo.google.com or foo.bar.google.com.
But where do these address expressions go? Well, at least in Debian, dnsmasq will read (essentially, see the README in there) any file you drop into /etc/dnsmasq.d and add its content to its configuration. Having configuration snippets in different files really helps maintenance and dist-upgrades in general; in this case, it also helps distributing the blacklist, as extra configuration that may be inappropriate on a different host is kept in some other file.
I tend to prefix snippet names with numbers in case order might one day matter. So, I have a file /etc/dnsmasq.d/10spamreduce.conf containing:
address=/doubleclick.net/127.0.0.1
address=/xiti.com/127.0.0.1
address=/adform.net/127.0.0.1
address=/qualtrics.com/127.0.0.1
address=/criteo.com/127.0.0.1
address=/exactag.com/127.0.0.1
address=/optimizely.com/127.0.0.1
address=/googleadservices.com/127.0.0.1
address=/googletagmanager.com/127.0.0.1
address=/ivwbox.com/127.0.0.1
address=/ivwbox.de/127.0.0.1
address=/connect.facebook.de/127.0.0.1
address=/facebook.net/127.0.0.1
address=/facebook.com/127.0.0.1
address=/addthis.com/127.0.0.1
address=/update.googleapis.com/127.0.0.1
address=/googleusercontent.com/127.0.0.1
address=/edgekey.net/127.0.0.1
address=/ioam.de/127.0.0.1
address=/cookiebot.com/127.0.0.1
address=/moatads.com/127.0.0.1
address=/fonts.gstatic.com/127.0.0.1
address=/fonts.googleapis.com/127.0.0.1
address=/ping.chartbeat.net/127.0.0.1
address=/cookielaw.org/127.0.0.1
When you do the same thing, you should restart dnsmasq and then see the effect like this:
$ sudo service dnsmasq restart
$ dig +short fonts.gstatic.com
127.0.0.1
As you can see, I have also included some trackers and other sources of annoyance in my address list. Of course, if you actually want to read Facebook (ugh) or need to pull Google's fonts (ughugh), you'll have to adapt that list a bit.
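To see which hostnames a given list would actually redirect before adapting it, here is an added example (not part of the original post, and not dnsmasq's own code) that parses address= lines and models the suffix matching described above. It assumes that matching happens on whole labels and that the most specific entry wins; parse_address_lines, lookup and SNIPPET are names made up for this sketch.

```python
# Added example: an offline model of how address= entries in a dnsmasq
# snippet apply to hostnames. Assumption: suffixes match on whole DNS
# labels, and the longest (most specific) matching entry wins.

# Constructed sample in the format of /etc/dnsmasq.d/10spamreduce.conf.
SNIPPET = """\
# constructed sample, not the full list
address=/doubleclick.net/127.0.0.1
address=/facebook.com/facebook.net/127.0.0.1
address=/fonts.gstatic.com/127.0.0.1
"""


def parse_address_lines(text):
    """Return {domain: ip} for every address=/dom[/dom...]/ip line."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue  # comments, blank lines, other options
        *domains, ip = line[len("address=/"):].split("/")
        for dom in domains:
            if dom:
                rules[dom.lower().rstrip(".")] = ip
    return rules


def lookup(host, rules):
    """Return (matching_domain, ip) for host, or None if it resolves normally."""
    labels = host.lower().rstrip(".").split(".")
    # Try the full name first, then drop leading labels one at a time,
    # so the most specific configured suffix is found first.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate, rules[candidate]
    return None


if __name__ == "__main__":
    rules = parse_address_lines(SNIPPET)
    for host in ("ad.doubleclick.net", "notdoubleclick.net",
                 "www.facebook.com", "gstatic.com"):
        print(f"{host:22} -> {lookup(host, rules)}")
```

Running it over hostnames you care about shows the collateral of a broad entry: fonts.gstatic.com is redirected while gstatic.com itself is not, and facebook.com takes every subdomain with it.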
In case you have interesting and useful contributions to this list: Please do write in!
Regrettably, with things like DNS over HTTPS, it could be that your browser actually will not use your computer's DNS resolver. Adblocking hence is one extra reason to disable DoH when you see it.