In my analyses of sites and applications, I often reach the same conclusion: in the absence of real sanctions against publishers, you must protect yourself against advertising surveillance by technical means. This article shares my current setup.
The choices of tracker and ad blockers are obviously very personal: you probably use other applications, other extensions, your choices are perhaps more effective. Also, I am far from being the only one to write on the subject and I am not an "Adblock" expert, so don't hesitate to share your experience!
Depending on the device, it is more or less easy to block trackers and advertisements. Here are the different scenarios I face.
Block trackers and advertisements on a “Desktop” browser: adblockers widely adopted today
On my MacBooks (personal, professional), when I surf the web, I use Firefox with the uBlock Origin extension. On Firefox, this adblocker detects "CNAME cloaking" and blocks it (which is not the case on Chrome). "CNAME cloaking" is a technique used by certain surveillance marketing players to track you, even if you have taken precautions (this technique also poses security problems). If you want to explore the subject further, read the NextDNS explanations (in English) and the presentation by Quadrature du Net (in French).
Above all, unlike Adblock Plus, which I strongly advise against, uBlock Origin does not offer any privileges to advertisers. The company Eyeo, publisher of Adblock Plus, is behind the Acceptable Ads program, and gets paid large sums by surveillance marketing giants such as Google, Microsoft, Amazon, Taboola, Outbrain and Criteo not to block their advertisements by default: a huge hypocrisy!
It's easy for me to recommend Firefox and uBlock Origin to my friends and family:
- Firefox is easy to install and very fast. It is software developed by an independent player (Mozilla), open-source and respectful of the privacy of its users.
- uBlock Origin is also simple to install, and very efficient.
Block trackers and advertisements on the web, on an iPhone: content blockers are less widely adopted
On my iPhone, when I surf the web, I use Safari. Thanks to Intelligent Tracking Prevention (ITP), it protects me against multi-site tracking by third parties (in particular by blocking third-party cookies, but not only). Note that since iOS 14, Intelligent Tracking Prevention also applies to other browsers: Chrome on iOS also protects you against multi-site tracking by third parties! However, ITP does not meet all my needs:
- It does not block ads.
- It blocks multi-site tracking but does not block requests to trackers (Safari continues to send requests to multiple marketing companies).
- It allows tracking when restricted to a single site: a publisher's analytics tool (Google Analytics when the publisher has not activated advertising features, AT Internet, Adobe Analytics, etc.) will continue to function correctly and analyze your journey (even if the analysis is restricted to the site consulted).
Unlike Android (example: Firefox for Android), iOS does not allow a browser to install extensions (the browser must necessarily use Safari's rendering engine, WebKit): it is therefore impossible to install an adblocker directly.
It is nevertheless possible to install a "content blocker". It is active only in Safari (and not in other browsers) and blocks lists of trackers and advertisements. So I use the Firefox Focus content blocker to block ads. AdGuard also offers a content blocker for Safari, but when I used it, it blocked certain sites from loading, forcing me to disable it.
It is also easy for me to recommend this option to my loved ones who are on iOS (for Android, I recommend Firefox with uBlock Origin):
- Safari is the default browser, nothing to configure.
- Firefox Focus requires minimal configuration, but it's still fast.
Block trackers and advertisements on native applications: the public is poorly informed, NextDNS to the rescue
Things get more complicated with iPhone applications: I was missing a good option to block trackers and advertisements. I paid for ProtonVPN but it cannot be used simultaneously with a blocker such as NextDNS or AdGuard.
Also, I was having major battery problems with the ProtonVPN, NextDNS and AdGuard apps and I thought I knew the cause: these apps were all VPN-based (these apps could sometimes use up to 50% of my old iPhone's battery in a day). Before the release of iOS 14, NextDNS and AdGuard had to use a local VPN to encrypt DNS queries.

AdGuard uses a local VPN under iOS
But with iOS 14, Apple added the ability to encrypt DNS queries natively. No need to go through the "hack" of a local VPN, and therefore no more impact on my battery. Since NextDNS implemented this option quickly, I decided to use it systematically and I was not disappointed.
With NextDNS, I can:
- Block trackers and ads when I use apps on my iPhone, via the NextDNS iOS app.
- Block trackers and advertisements on my Apple TV (tvOS also allows DNS requests to be encrypted natively), via the Apple configuration profile generator.
- Block trackers and ads in apps when I use my Mac. An example: the Mac Spotify player is very talkative. It leaks your personal data to Google and Comscore, and uBlock Origin is not going to help. The NextDNS Mac app allows you to block these trackers.
- Supplement the blocking of trackers and advertisements already carried out by uBlock Origin on Firefox (Mac) and Firefox Focus on Safari (iPhone) with a second layer of NextDNS blocking. This made many consent banners disappear, making my surfing more pleasant.
- Configure my Freebox to use NextDNS DNS and thus block the trackers of connected objects (my thermostat in this case).
I can also easily recommend this solution to my loved ones:
- NextDNS is quick to install and configure (unlike a Pi-Hole, which is mainly aimed at tinkerers).
- NextDNS also works on the move (again unlike a Pi-Hole, which only works on your personal home WiFi).
The usefulness of a DNS directory
NextDNS is one DNS (Domain Name System) directory among others. DNS is one of the essential services on the Internet: it is a directory that maps a domain name (example: google.fr) to an IP address (example: 216.58.204.99). By default, you use your Internet Service Provider's DNS server. There is a catch, though:
- These DNS requests are not encrypted, so a hacker can intercept them, learn which sites you are visiting or even modify these requests on the fly to make you download a virus, for example.
- For legal reasons, Internet Service Providers (ISPs) also block access to certain websites. Example: you want to download torrent files (films, series, music) via the site The Pirate Bay, but this may be blocked by your provider. ISPs apply this blocking via the DNS directory that they make available to you.
To have your DNS queries encrypted and to allow you to access certain websites, you can change DNS providers. If you do not want to block trackers and advertisements, OpenDNS is a trusted directory. If you just want to use a quick service and you're not worried about the omnipresence of Google in your life, you can use Google Public DNS. Likewise, if performance matters more to you than the progressive centralization of the web, you can use Cloudflare DNS.
But it would be a shame to stop there! In the case of trackers and advertisements, the DNS directory may return an empty response instead of returning the correct IP address. Example: if you are playing a game on your iPhone and it wants to deliver an advertisement, it will ask your DNS directory for the address of doubleclick.net (Google’s advertising agency). If you use NextDNS and if you have activated the blockers, it will not return a response: you will not be tracked and you will not see advertising!
NextDNS lets you choose your blocklists
As with a “classic” adblocker such as uBlock Origin, NextDNS allows you to subscribe to blocking lists:
My choice among the most used lists.
NextDNS also offers you block lists to protect against “native” tracking:
Apple collects usage statistics? I can now block these requests.
How NextDNS works is transparent
If you decide to enable NextDNS logs, you will have great flexibility:
- On the retention period: from 1 hour to 2 years. If you want to verify that NextDNS is working well and refine blocked domains, 1 hour is enough.
- On the location of storage: notably in the European Union or better, in Switzerland.
You will then be able to "verify" the work of NextDNS via an online interface. Here is the view when I launch the L’Équipe application on my iPhone:
As we have already seen, the L’Équipe application leaks your personal data. But NextDNS prevents these leaks (to ACPM and Weborama on the screen capture), and you will no longer see advertising.
If you ever observe unblocked trackers, you have the choice of subscribing to new blocking lists or simply adding these trackers to your blacklist:
Some trackers added manually
If your logs are activated, you will also have access to aggregated statistics:
NextDNS blocks almost 20% of my queries. If I look at the per-device view, NextDNS blocks up to 30% of queries on my iPhone and Apple TV (apps are not targeted by other adblockers there). By contrast, on my MacBooks, NextDNS blocks only 3% of requests, since uBlock Origin already blocks trackers and other advertisements on the web.
NextDNS also blocks “CNAME cloaking”
"CNAME cloaking" is an insidious way of monitoring you that bypasses the protections of browsers and other adblockers. Its implementation is often accompanied by a serious security vulnerability: the leak of your login credentials to the third party. Here are some detailed examples on this blog:
- LeBonCoin uses it in partnership with Criteo.
- Lemonde.fr uses it in partnership with AT Internet.
- Boursorama used it in partnership with AT Internet and Smart AdServer (the problem has since been corrected).
- Criteo pushes this technique aggressively to its customers: more than 10,000 publishers have already implemented "CNAME cloaking" with Criteo.
Criteo in particular is very vicious in its use of "CNAME cloaking": the "feature" is only enabled if you use Safari (in order to bypass "Intelligent Tracking Prevention"). So you might believe that a site is not going through "CNAME cloaking" if you observe the requests with Firefox or Chrome. So, when you use Safari on iPhone, you are not protected against this surveillance technique.
NextDNS implemented protection against tracking via "CNAME cloaking" a year ago already:
Protection is enabled by default.
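The DNS-level blocking described earlier (no address returned for a listed domain) and the CNAME check described here, as an added example that is not NextDNS code: a toy filtering resolver over constructed records that follows the alias chain and blocks when any hop lands on a listed domain. All names, addresses and the `resolve`/`is_blocked` functions are assumptions made for illustration.

```python
# Added example: toy filtering resolver. All records below are constructed
# (reserved .example names, documentation IP ranges), not real DNS data.
RECORDS = {
    "www.news.example": ("A", "192.0.2.10"),
    # First-party-looking subdomain that is really an alias to a tracker:
    "metrics.news.example": ("CNAME", "news-example.tracker.example"),
    "news-example.tracker.example": ("CNAME", "edge.tracker.example"),
    "edge.tracker.example": ("A", "198.51.100.7"),
    "ads.tracker.example": ("A", "198.51.100.8"),
    "loop-a.example": ("CNAME", "loop-b.example"),
    "loop-b.example": ("CNAME", "loop-a.example"),
}
BLOCKLIST = {"tracker.example"}  # hypothetical blocklist entry


def normalize(name):
    return name.lower().rstrip(".")


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, check_cname=True, records=RECORDS, max_hops=8):
    """Return (verdict, address, chain); address is None when nothing is served."""
    chain = [normalize(name)]
    for _ in range(max_hops):
        current = chain[-1]
        # The queried name is always checked; aliases only if check_cname is on.
        if (check_cname or len(chain) == 1) and is_blocked(current):
            return ("blocked" if len(chain) == 1 else "blocked-cname"), None, chain
        rtype, value = records.get(current, ("NXDOMAIN", None))
        if rtype == "A":
            return "allowed", value, chain
        if rtype != "CNAME":
            return "nxdomain", None, chain
        target = normalize(value)
        if target in chain:  # CNAME loop: refuse rather than spin
            return "error", None, chain
        chain.append(target)
    return "error", None, chain  # chain longer than max_hops


if __name__ == "__main__":
    for q in ("www.news.example", "ads.tracker.example", "metrics.news.example"):
        print(q, resolve(q, check_cname=False)[:2], resolve(q)[:2])
```

With `check_cname=False` the cloaked name `metrics.news.example` resolves normally, which is what a blocker that only looks at the requested hostname would see; with the chain check on, the same query is refused at the first aliased hop.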
What economic model for NextDNS?
Before using such a service, the first question is to fully understand the business model. An example: Google's business model is surveillance marketing. If you are worried about the omnipresence of Google in our lives, you will probably avoid Google Public DNS. NextDNS has a “freemium” model:
- The service is free for up to 300,000 DNS requests per month (note: for my first month of use, despite intensive use, I did not reach this limit). If you reach the limit and don't pay, NextDNS will behave like a simple DNS directory for additional queries: no filters, no logs.
- If you exceed the quotas, the price is very reasonable: $1.99/month or $19.90/year (roughly the equivalent in euros).
- NextDNS also offers paid plans for businesses and schools.
Can you trust NextDNS?
If you haven't changed your DNS settings, you are probably using your Internet Service Provider's directory. When you go through NextDNS, you have to trust a new third party. How do you judge whether this third party is trustworthy? It’s up to everyone to form their own opinion; here are the arguments that convinced me.
The founders' presentation (both are French) explains the principles of NextDNS:
NextDNS has been founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.
We are true supporters of net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principles. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.
I prefer to use the services of a company with these principles rather than those of my internet service provider or Google. Also note the technical competence of the 2 co-founders (Netflix and Dailymotion), which is also reflected in the speed of NextDNS:
NextDNS is faster than Google over the last 30 days.
The privacy policy is also direct, concise and very clear:
- The data collected will never be sold or shared.
- Any data that should not be logged (by user choice) is immediately deleted.
- If the user does not explicitly request that their data be logged, nothing is logged. If the user requests it (to see their logs, as I was able to do), they have control over their data and the retention period.
- NextDNS protects you (it doesn't expose your IP address) when it requests information from other DNS directories.
NextDNS was also chosen as a Firefox partner to encrypt its users' DNS queries (for the moment, the program is only available in the United States). This is a guarantee of seriousness (the only other partner is Cloudflare).
NextDNS vs. Pi-Hole?
If you want to stay in control and you are a tinkerer, the Pi-Hole is a great solution. Note that you will still have to trust the DNS server called by the Pi-Hole (upstream DNS), so you will always have to trust someone. NextDNS is a kind of "Pi-Hole in the cloud"; this article details the advantages and disadvantages of the 2 options.
If you want to explore the NextDNS option, I recommend this article as well as the NextDNS FAQ. For my part, the choice was quickly made: due to its simplicity of installation and the fact that it works on the move, NextDNS perfectly meets my needs. I can also easily install it for relatives who are not geeks.
Whatever your preferences, I encourage you to pay for quality information and protect your loved ones by installing tracker and ad blockers on their devices.