Block ads using OPNsense firewall

This post aims to configure your network firewall for blocking ads shown on webpages in order to allow all network devices to use this feature without the requirement to install an ad-blocker on each of them.

Why blocking ads? Simple: they are annoying, they slow down web pages navigation, they can carry malware and lately they are showing up everywhere since web sites want to make profit in order to pay back the costs for running their websites (servers, powers, hosting, etc). I understand that running a website cost money, but when they are annoying you with ads posted everywhere and trying to bait you to click on them, in my opinion it is not a good way to thread users.

This post is based on using an OPNsense firewall (can works on PFsense as well with some adjustment), the DNS unbound service (with DNS forward activated) and all the network clients using the firewall as DNS server, which is my current network configuration. The technique used for blocking ads is to configure the DNS service to refuse the name resolution queries for ads companies websites, and it is accomplished by placing a new config file listing all of those URLs acting as a black-list in the Unbound directory.

I have found/collected the list of ads websites on internet and everything has been stored in my ad-blacklist.conf file (downloadable here).

Here the steps to enable the configuration:

  1. Enable SSH access to the firewall by checking System -> Settings -> Administration -> Enable Secure Shell
  2. Secure copy the file in /var/unbound
  3. Add “include: /var/unbound/ad-blacklist.conf” into Services -> Unbound DNS -> General -> Custom options
  4. Save and apply changes
  5. Disable SSH access by un-checking System -> Settings -> Administration -> Enable Secure Shell

You can test the new config by trying to resolve from a client in your network one of the URLs listed in the file. Let’s use “”:

  1. On a laptop open the terminal and execute nslookup
  2. You should receive the following response: server can’t find REFUSED

Now you can notice many “empty slots” in websites that you are viewing since all the ads are being blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *