Blocking adware, malware, and tracking sites

So I wanted to block adware, malware, and tracking sites on my laptop.
There are a few ways to do this, depending on where you block them, and of course there are pros and cons for each.

Block on the browser level

You can use things like uBlock, AdBlock, Privacy Badger, etc.
They are nice and they work decently well, but if you have multiple browsers, you must install and configure them everywhere.
Also, some extensions work differently in different browsers, e.g. blocking works better in Firefox than in Chromium.
A good thing is they don’t just block a domain: they apply general filter rules to a page, so they work for many websites, and a page full of ads looks great after it’s cleaned up.
Another good thing is you can immediately unblock a list of rules for a page in case it’s not working, because the rules are never perfect.

Block on the hosts level

You update the /etc/hosts file with a list of known bad hosts.
This is system-wide blocking: the hosts are blocked in every browser, e-mail client, or other internet client on your machine.
This is cool because it saves bandwidth; the bad websites will never be contacted.
The annoying thing is you need to update the list of hosts from time to time.
Also in a browser, a page full of ads still looks crappy and broken with a lot of empty spaces, and you can still click on the ads by mistake, but at least they won’t load.
The worst, to me, is that I don’t know exactly whether a site doesn’t work at all or whether it was blocked. The only way to check is by searching for the host in /etc/hosts.
Sometimes this is hard, because one page doesn’t make requests to only one domain; you need to check all the network requests.
If you want to unblock the hosts, you have to comment them out in /etc/hosts.
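Added example (not from the original post): a small Python script that does the check described above, parsing a hosts file and reporting which of the domains a page requested are actually blocked by it. The hosts file contents and the domain names are constructed for the example.

```python
# Constructed sample /etc/hosts; not from the original post.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# blocklist entries
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # tracking pixel
#0.0.0.0 cdn.example.org       # commented out = unblocked again
0.0.0.0 a.example.com b.example.com
"""

# Addresses that blocklists commonly use to black-hole a hostname.
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_blocked_hosts(hosts_text):
    """Return the set of hostnames the hosts file maps to a black-hole address.

    Each line is '<address> <name> [<name> ...]'; '#' starts a comment, so a
    commented-out line no longer blocks anything. 'localhost' is skipped
    because it legitimately points at the loopback address.
    """
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if addr not in BLACKHOLE_ADDRS:
            continue
        for name in names:
            if name.lower() not in ("localhost", "localhost.localdomain"):
                blocked.add(name.lower())
    return blocked


def check_requests(hosts_text, requested_domains):
    """Map each domain a page requested to True (blocked) or False (allowed).

    /etc/hosts matches exact names only: blocking 'ads.example.com' does not
    block 'cdn.ads.example.com', which is one reason a page can still break
    or still load some ads even with a long hosts list.
    """
    blocked = parse_blocked_hosts(hosts_text)
    return {d: d.lower().rstrip(".") in blocked for d in requested_domains}


if __name__ == "__main__":
    # Domains taken from a browser's network tab would go here.
    for domain, hit in check_requests(SAMPLE_HOSTS, ["ads.example.com", "cdn.example.org"]).items():
        print(f"{domain}: {'BLOCKED' if hit else 'allowed'}")
```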

Block on DNS level

You run a local DNS server on your machine, or on another machine in the same network, point your network settings at that DNS server, and block a list of known bad hosts there.
Very similar to the previous method, with the same pros and cons. If you want to unblock a host, you have to comment it out in the DNS server config, which is different for each DNS server.
Compared to /etc/hosts, you have a bit more control, because you can block on a specific network (maybe only on Wi-Fi, but not on LAN).

You can also do more tricks, like forwarding some domains to another place instead of just resolving them to 0.0.0.0.
For example, you could serve a static page that says: “This domain was blocked by the DNS”. This message will show up in your browser instead of the ads… which can be weird… but at least you know where it’s coming from.

If you expose the DNS network-wide, you can use the same DNS for all machines in your network, which makes it easier to maintain.
You could have a Pi-hole (a Raspberry Pi that runs the DNS server), or DD-WRT / OpenWrt / FreshTomato (custom firmware for some hardware routers).
Or you can run an old computer and make your own home lab.

I have a page with a few links on /mem/DNS/.

If you want to put your trust in a third party, you can also use an external DNS service like DeCloudUs, 1.1.1.1 for Families, or OpenDNS FamilyShield.

Conclusion

I think none of the methods are completely reliable and you should probably have both browser blocking (for making pages look nice and clean) AND host level (for an extra layer of protection).
However, you should tweak them a bit so they don’t overlap too much, e.g. if you block the same types of ads in multiple ways. This will be tricky.
The list of hosts you block should be minimal, so you can be pretty sure you’re not blocking the websites that you actually want to visit, because they are harder to unblock.

That’s my 2 cents. Hope you find it useful!

@notes #privacy