
dns-blocklists's People

Contributors

itssteph, jbjorkang, oskaralmlov, soren90


dns-blocklists's Issues

Ad & User tracking domains in iOS apps

Hello,

Can the following Ad tracking/user tracking domains be added to the block list for the following apps on iOS?

Kindle/Comixology/Manga:
device-metrics-us.amazon.com
amazon-adsystem.com
adcolony.com
adtilt.com
app-measurement.com
crashlytics.com
imanga.nyc3.digitaloceanspaces.com
imanga.oss-cn-qingdao.aliyuncs.com
trafficmanager.net

Nytimes:
platform.twitter.com

Others/Misc:
stun.l.google.com
ad.daum.net
revenuecat.com
graphql.instagram.com
graph.facebook.com
www.paypalobjects.com
braze.com
unity3d.com
stats.nba.com
cdn.calculator-tech.com

Edit 17/06:
graph.facebook.com
edge-mqtt.facebook.com
portal.fb.com

Dns leak under wifi

Hey. Using adblock.doh.mullvad.net on my Android 13 in Private DNS.

From Mullvad check page:
when I use home Wi-Fi I always have a DNS leak, but ads are blocked without problems;
when I use a mobile data connection I do NOT have a DNS leak, and also in this case ads are blocked, obviously.

Is this normal?

So the only difference is my Asus router in a mesh configuration. And the weird thing is that I have the same results using Safari on macOS and using adblock.doh.mullvad.net in the AdGuard app.
The question is why there seems to be a DNS leak under Wi-Fi (ad blocking works, strangely) while on the mobile connection there isn't a DNS leak?

Thanks, I need help!

DoH DoT mobileconfig profiles for iOS

Hi,

I am aware this has been posted previously by another user but to show my strong support for this feature I am mentioning this again.

Please strongly consider creating .mobileconfig files for easy access for iPhone/iPad/Mac users to your wonderful Ad-block DNS resolver?

Thank you.

Add non-English easylist lists

Easylist has other lists for non-English websites

Every supplement removes unwanted items from a particular genre of websites that are not specifically or completely dealt with by the primary EasyList, and might increase the blocking efficiency of the ad blocker used for people who regularly visit non-English domains.

Since Mullvad provides services with servers on multiple continents, having its ad-blocking feature working on non-English websites makes a lot of sense.

DoH for Windows 11 built-in

Do you have information on how to set this up for Windows 11 DoH using the built-in feature?

I've tried using the DNS IP address (tested with base and extended) and using the https link provided as the 'manual template' but it just times out.

Chinese social media sites weibo and sina are being blocked

Do you have a DNS server that blocks nothing? I am unable to reach the two biggest social media sites in China when using Mullvad. When Mullvad is disabled, I can reach them fine.

Please provide a DNS that blocks nothing. No adware, malicious sites, etc... Thanks.

Request to add an advertising domain.

(I'm new to GitHub. Please understand if it's awkward.) I found an ad domain that Mullvad DNS couldn't block. Please add the domain to the block list.

Domains : altg.widerplanet.com
The web page on which the ad appears : https://www.chosun.com/
Device info : iOS 16.2, Mozilla Firefox

Add support for DNSCrypt

DNSCrypt offers several advantages over DOT and DOH.

DOT has the following disadvantages when compared to DNSCrypt:

  • Provides more information than regular DNS to resolver operators in order to fingerprint clients, and this has (intentionally?) never been addressed in the specification
  • Uses a dedicated port (853) likely to be blocked or monitored in situations where DNS encryption is useful
  • Initial connection is slow due to the long handshake (until TLS 1.3 is deployed, which can take time due to middleboxes)
  • Not well understood even by its proponents. It is a truck, as it is heavy and slow to load, but most if not all implementations perform a full round trip for every packet (even the excellent miekg/dns library as used by Tenta).
  • Padding rules haven’t been specified besides a draft that doesn’t have any implementations, and a last-minute hack that requires altering DNS record sets before wrapping them
  • Requires a full TLS stack, introducing a large attack surface
  • Difficult to implement securely. Validating TLS certificates in non-browser software is the most dangerous code in the world
  • Readily compatible with industry-standard TLS interception/monitoring devices. Having people install additional root certificates is easier than custom software. Vendors are always ready to passively extract information from TLS 1.3 sessions.
  • Requires TCP
  • Requires sessions tracking on the server
  • TLS is a generic transport mechanism. It doesn’t support reordering and parallelism and doesn’t include any ways to manage priorities. New mechanisms need to be invented and implemented to do so.
  • Key management can be surprisingly hard especially if public key pinning is used by clients
  • Allows insecure algorithms and parameters
  • Will be difficult to improve without introducing more hacks. Unlikely to benefit from any improvements besides new TLS versions or homegrown reinventions.
  • Questionable practical benefits over DoH

DOH has the following disadvantages when compared to DNSCrypt:

  • Provides more information than regular DNS to resolver operators in order to fingerprint clients, but this is being addressed in the specification
  • Requires a full TLS stack and a web server
  • Interception/monitoring tools are readily available
  • Key management can be surprisingly hard especially if public key pinning is used by clients
  • Allows insecure algorithms and parameters
  • Requires TCP

To add, DNSCrypt has a very solid Anonymized DNS implementation.

Thanks for the read!

Source: https://dnscrypt.info/faq/

Typo in GitHub About description

-Ad, tracker, adult content and gamlbing blocking for our DNS blocking service
+Ad, tracker, adult content, and gambling blocking for our DNS blocking service
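Review bot: the `+` line does more than the typo fix named in the title: besides correcting `gamlbing` to `gambling`, it adds a serial comma after `adult content`. If only the spelling is meant to change, drop the added comma; otherwise mention the punctuation change in the title so the edit to the About description is reviewed as two changes.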


Configuration for WireGuard

Hi!

Mullvad (and WireGuard) newbie.

Is it possible to use this feature when using WireGuard for iOS?

I see a DNS Servers 193.138.218.74 setting after I loaded the mullvad config file.

Would it be as simple as changing that to an adblocking address?

Missing domains in adblocker

Hi,

“googletagmanager.com” does not seem to be blocked when running Mullvad VPN on iOS. Issue for blocking this in apps, since then AdGuard will not do the blocking.

This should be an essential domain to block, but for some reason it is not included in oisd basic.

It’s blocked in the basic filters in AdGuard, DDG & uBlock Origin.

Probably the easiest fix is to include “Easylist” (easylist.to/easylist/easylist.txt) in your lists. Alternatively The Block List Project ads list (blocklist.GitHub.I’m/Lists/ads.txt) or preferably oisd full (abp.oisd.nl).

Thanks :)

Add known Lexis Nexis endpoints to be blocked

Tl;dr

I spent a lot of time researching a script prevalent on the internet that invades users' privacy and bypasses all security measures such as antivirus and ad-blockers. I have provided a list of domains that are used to pull the script down HERE

Why?

  • Lexis Nexis is one of the largest data brokers in the world and bought a company called "Threat Metrix" which produces scripts to heavily fingerprint users and try to determine their "True Location" going as far as port scanning a user’s network with javascript web-sockets. These scripts are stealthily pulled down from a customer-specific subdomain owned by the website you are visiting but have a CNAME record that redirects to *.online-metrix.net to pull down these scripts, making them very difficult to block.

How it works

image

How invasive is the script?

  • The data being exfiled is encrypted into an image with XOR.
  • The javascript is assembled via string.join (like malware often does) and then executed in a service worker.
  • Each time you load the page, the javascript is re-obfuscated.
  • It collects 416 data points about your computer / network. Shown HERE
  • Port scans your computer
  • Tries to evade being blocked by having their customers set up random subdomains, with no standard scheme, to redirect to their backend servers
  • Data can be used to fingerprint users and track them even behind a VPN or just to sell their data

Solution

Luckily this annoyed me enough to find multiple solutions to the problem. I wrote a Python script that uses Shodan to locate a majority of these customer-specific endpoints. The script can be found HERE. I also wrote a FOSS Firefox extension to block port scanning in general and dynamically resolve the CNAMEs and block any that go to Threat Metrix infrastructure, but that is beside the point HERE

  • I have run this script collecting new endpoints for a few months and have published all of them HERE. My request is to please block every domain in this list! :)
  • This list will never 100% include every endpoint, just the ones that I can find. There are about ~450 endpoints in there so I am pretty sure it covers a majority. The only way to ensure 100% that your computer never pulls down one of these scripts is to install the Firefox add-on I wrote, since it resolves the CNAME and determines it that way.

How to verify there are no false positives

while IFS= read -r line; do if [ -n "$line" ]; then dig @1.1.1.1 +short "$line" cname >> out.txt; fi; done < threatmetrix.txt

  • If you run the bash one-liner above, make sure you pass the right file name to stdin. It will use dig to grab the CNAME for each customer-specific endpoint I provided, and they all should be in the following format: h-<company name>.online-metrix.net.

References

  • Here is a great post from DJ Nemec who reverse-engineered this malware HERE
  • If you remember in May of 2020 Ebay got caught port scanning their users, what actually was happening was they hired this company to run the script pulled down by these endpoints. HERE
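
The CNAME check described in the issue above, as an added example that is not part of the original post or the author's scripts: it classifies each endpoint's CNAME against the h-<company name>.online-metrix.net format on whole labels, so a lookalike suffix or a missing CNAME is flagged for review instead of being blocked. The function names, the single-label assumption and the sample hostnames are constructed for illustration.

```bash
# Added example, not the issue author's script. Sample names are constructed.

# classify_cname CNAME -> prints match | no-cname | mismatch
classify_cname() {
    local cname label
    # DNS names are case-insensitive and dig prints a trailing root dot.
    cname=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cname=${cname%.}
    case "$cname" in
        '') echo "no-cname" ;;
        h-*.online-metrix.net)
            # Assumption: exactly one label, "h-<company name>", before the suffix.
            label=${cname%.online-metrix.net}
            case "$label" in
                h-|*.*) echo "mismatch" ;;
                *) echo "match" ;;
            esac ;;
        *) echo "mismatch" ;;
    esac
}

# audit_pairs: reads "endpoint [cname]" lines on stdin and prints
# "<verdict> <endpoint> <cname>" for every entry needing manual review.
audit_pairs() {
    local endpoint cname rest verdict
    while read -r endpoint cname rest; do
        case "$endpoint" in ''|'#'*) continue ;; esac
        verdict=$(classify_cname "$cname")
        [ "$verdict" = "match" ] || printf '%s %s %s\n' "$verdict" "$endpoint" "${cname:--}"
    done
}

# resolve_pairs FILE: live lookup producing the pairs (needs network and dig).
# Defined for real use; not called below.
resolve_pairs() {
    local line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "$line" "$(dig @1.1.1.1 +short "$line" cname | head -n 1)"
    done < "$1"
}

# Constructed sample input (placeholder hostnames, not entries from the real list).
sample_pairs() {
    cat <<'EOF'
metrics.shop.example h-acme.online-metrix.net.
cdn.bank.example H-Acme.Online-Metrix.NET.
static.news.example news-assets.cdn.example.
old.store.example
img.portal.example h-acme.online-metrix.net.lookalike.example.
EOF
}

# Offline demo; for the real list: resolve_pairs threatmetrix.txt | audit_pairs
sample_pairs | audit_pairs
```

An empty result from audit_pairs means every listed endpoint still points at the expected infrastructure; anything printed is a candidate false positive or a stale entry.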

Adblocker as ublocker origin.

This dns block lists are flexible, because, in my Amazon app, Youtube app and in my browser (Samsung internet with Adguard as adblocker) They keep on ads and cosmetics ads appearing.

Use different source for EasyPrivacy domain list

The EasyPrivacy list is currently sourced from https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt. This list has not been updated since 3 Oct 2022 (according to https://justdomains.github.io/blocklists/).

I opened an issue about this on the justdomains project (justdomains/ci#7) a few weeks ago; it has received no reply. The last commit date is 3 years ago. This leads me to believe the project is dead with a broken CI pipeline.

Mullvad should switch to a different way of obtaining this list. E.g. is there an alternative source, or is it possible to run a (working) copy of the justdomains code locally?

No internet connection!

Hi, I tried to make a new Configuration Profile for iOS but I can't open any website after connecting to:

server IP: 100.64.0.31

server URL: https://adblock.doh.mullvad.net/dns-query

What's wrong?

[Request] Add very limited dns port 53

Actually, like many people, I have a router that supports DNS over TLS, but it requires an "unencrypted" DNS to "activate" the DNS over TLS.

That's why I ask you to launch an unencrypted DNS, BUT unlike the old one you have shut down, this "new" one can ONLY resolve your encrypted DNS domains (so adblock.doh.mullvad.net and doh.mullvad.net).

That way people like me can use it to activate the secure version, and if the modem tries to access anything else your unencrypted version will just answer 'REFUSED' or 'NXDOMAIN'.

I ask you to do it because I actually don't trust other DNS and I don't trust my router not to try to ask for other things via the unencrypted version.

Add some tracker into custom

I actually have (thanks to the Apple News system) found 3 trackers that are not blocked and two that I'm not sure must be blocked (even if they can be used as trackers):

1. Highly suspected to be trackers:

Adobe analytics

  • assets.adobedtm.com

Microsoft analytics

  • in.appcenter.ms

Firebase unique identifier : Sources : https://firebase.google.com/docs/reference/android/com/google/firebase/installations/FirebaseInstallations

  • firebaseinstallations.googleapis.com

2. Can be a tracker but can break things (to be tested first)

Can be used as a tracker but has more useful features: Sources: https://firebase.google.com/docs/remote-config/

  • firebaseremoteconfig.googleapis.com

Apple Statistics

  • cstat.apple.com

Note: I have made this report only to present eventual threats; I will understand if for any reason these are not added.

[Request] Add encrypted support for other list

Can you add support for all lists on DoH:

I am thinking of something like:

https://dns.mullvad.net/dns-query -> Unfiltered
https://2.dns.mullvad.net/dns-query -> Ad blocking only
https://3.dns.mullvad.net/dns-query -> Trackers only
https://4.dns.mullvad.net/dns-query -> Ad blocking and tracker blocking
https://5.dns.mullvad.net/dns-query -> Malware blocking only
[ ... ]
https://31.dns.mullvad.net/dns-query -> Ad blocking, adult content blocking, gambling blocking, malware blocking, tracker blocking ("Everything")

That way the DoH domain is easy to remember and the number matches your "VPN DNS" settings.

Malware block list not shown

Hello!

Today I'm testing the 2022.1 Beta 1 version for Windows.

Mullvad is including malware blocking, but the blocking list is not shown here, I didn't find any detail on the malware blocking list on the blog.

Thanks in advance!

IPv6 for the DNS combinations

I just discovered this through privacyguides.org and I'm rolling it out to all of my devices and clients' devices! I think it would be good to also offer them over IPv6.

Mullvad does list IPv6 DNS options on this page, but they might not be public:
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/

But even then the IPv6 only says it does adblock, rather than the other blocklists available here.

Just for setting up in routers it's great to have these IP options.

s.youtube.com being blocked via the adaway blocklist

When trying to watch YouTube and having adblock on, Watch History is not being updated since the domain s.youtube.com is being blocked. If you check the adaway blocklist you can see that s.youtube.com is there. Here is a source for other domains needed for web functionality as well.

Is there a site where you can see if the DoH/DoT server is down?

It happens randomly: the DNS server just stops working. It sucks that I have to use a less secure option when Mullvad DNS doesn't work; unfortunately Bahnhof does have a less secure PPTP Wireguard option. If there could be an indicator with timestamps of downtime it would be great.

Device: OnePlus 3T

ROM: Android 11

Ads not being blocked on android

I noticed that for the past 4 days, all ads that were previously blocked on websites are now slipping through when using adblock.doh.mullvad.net.

This is on the current version of Android 13.

More variants of blocking

Hi there,

So if I read the docs correctly it's only possible to block ads with the public DNS service (using adblock.doh.mullvad.net);

Please consider providing more variants of the IP-addresses/hostnames, like this for example, to have the ability to also block Adult, Gambling, etc.

Reason: I can currently only use this in the Mullvad app, but not on my router...

Thank you!

Possibility to add additional blocklists?

Hello,

Thanks for the good VPN service - they are rare these days. 😄

I am wondering if there is a vetting process or anything for adding additional blocklists to this functionality.

I have a domain-based blocklist that I have been working on over the years myself that might be worth adding, for example:
https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt

This is a list that I use myself - for personal and work networks - so I can vouch that when something breaks I am eager to fix it pretty fast.

Is there a more rigid process I can go through for this? Or is your team not really looking to add additional blocklists at the moment?

Cheers,
-Rooney

google.com blocked

Please check,
with this latest blocklist update, google.com is blocked.
Please fix that

Dandelion Sprout's Anti-Malware Lists

I would like to suggest adding the Anti-Malware List created and maintained by Dandelion Sprout. It contains many lesser-known but still dangerous malware, scam, and fake shop sites, especially Nordic-language scam sites.
There are some alternate versions of the Anti-Malware List in Dandelion's Github repo that might be compatible with DNS filtering: https://github.com/DandelionSprout/adfilt/tree/master/Alternate%20versions%20Anti-Malware%20List

Wishing you all a splendid and malware-free day!

Cheers.

Essential Missing Sites/Domains From Mullvad’s AdBlock DNS

Hello there,

Please may I request a review for the following domains to be blacklisted as they are adware and/or trackers:


 * Some may already be blocked.

Thank you.

SOCKS5 proxy blocking divested.dev

Hi,
It's not really the DNS filtering from the app, but your SOCKS5 proxy (at least in Switzerland) is blocking the website divested.dev, which I don't think is warranted. It'd be great to be able to use as it provides filter lists for uBO.
Thanks!

"private dns server cannot be accessed" on Android

Hello.

I'm connected to Mullvad via wireguard in Android 11, and have Private DNS configured to adblock.doh.mullvad.net as per https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/

I receive the messages "private dns server cannot be accessed" "mobile network has no internet access" despite being able to resolve the DNS endpoint's hostname, and connectivity actually being fine.

Question: Is a Google/Android connectivity checker blocked by an entry in these lists?

Private DNS [screenshot]

Connectivity check lookup [screenshot]

Mobile network has no internet access: Private DNS server cannot be accessed [screenshot]

Mullvad connection check [screenshot]

DOH server lookup [screenshot]

OISD.nl for DNS "everything" (Ads, Track, Malware).

Since one version of your blocker blocks ads/trackers and malware, can you add https://oisd.nl/ to the DNS with full blocking? (oisd is a known list that blocks everything without breaking anything, and if they break something they are very fast to fix the problem.)

Note: I recommend OISD only for the "everything" (ads, tracker, malware).

Thanks

add more filter options via DoH

As I understand it, adblock.doh.mullvad.net is currently the only filter option available via DoH. I assume that it uses the same filters as 100.64.0.1?

It would be cool if the other filter options could be made available via DoH as well. I'd be particularly interested in what 100.64.0.7 does.

oisd blocklist

I don't know if you have already fixed but now there are only two blocklists: big and small versions.
And consequently the links to use the list have changed.

Check here:
https://oisd.nl/downloads
