
I fear that MITMing ads is a dead end:

1. IIUC, when SNI is encrypted (in TLS 1.3?) almost everything is out the window.

2. Local devices can do DNS over HTTPS (DoH) and DNS over QUIC (DoQ) to look up their stuff, so DNS-based blocking will soon be obsolete.

3. The browser itself is controlled by the biggest ad-vendor around (Google), so you’ll probably get no help there.

The only solutions are:

A. Use browsers not controlled by Google (i.e. not any Chrome fork either).

B. Use only apps and devices locally which do not display ads. (This is, in a way, a generalization of A.)

C. Legislate away the business models of ads and the media and “smart” devices which use ads.

(A very similar argument can be made for user tracking and telemetry.)




I wouldn't write it off - one possible trick here is to also MITM the DoH/DoQ server and disable ECH by removing the relevant records from the DNS response. We've just added DNS support to mitmproxy and this is a natural follow-up. :)


Oh? Do you guys have a blog writeup? I would LOVE to read more about this! I want to eliminate the small amount of ads that make it through my PiHole.


Not yet, but you might be lucky soon. We have an RSS feed on mitmproxy.org and a Twitter account. :-)


Anyone who cares about ad blocking should not be using any Chromium based browser at this point, but isn't this the sort of tool you'd use at a network or virtual network level?

There's no reason to let applications on your device bypass your own network settings - and this is something we probably need to start accommodating in Linux distros to start with (specifically: disabling all the weaponized E2E encryption that vendors are using, and forcibly MITM'ing it with keys under the users control).

Network-namespaces should make this eminently possible - launch the user's entire environment into a network namespace which can only speak to "user rights" networking stack.


Run your own DoH filtering DNS server, I set this up a few months ago. DNS blocking is not obsoleted by transport encryption.


OP is stating that "apps and devices" may circumvent DNS blocking by resorting to DoH. You can run your own DoH server, and you can even advertise it via your DHCP server, but clients ("apps and devices") do not need to accept the supplied servers for their own configuration.


A lot of things are possible, but are they done?

I have yet to hear of any examples of hardcoded DNS servers. I believe this to be too fragile to implement.


They don't even have to be hardcoded, they just have to ignore anything you specify or not give you any option to specify your own. As long as a device manufacturer can push updates to your device (even by IP address) they can regularly update their chosen DNS servers when needed. Honestly though, for many devices I doubt they'd even bother. Companies seem to have little trouble taking the position that if your device is more than a few years old you're insane for expecting them to still support it and you should have already thrown it away and bought another one.


League of Legends hardcodes 8.8.8.8.


Thank you for the example; probably 53/udp, for which one can set up a NAT rule to direct all outgoing 53 to the local filtering DNS resolver.


How do you force applications to use this server? I mean, even if you MITM the connection to the application’s preferred DoH server, the application probably checks the certificate of the DoH server and refuses to work at all if it can’t get a verified connection.


You don’t mitm the DoH, you substitute it with your own server.

I have yet to see DNS/DoH “pinning”, and apps (browsers) will let you override it. Embedding DNS entries in apps is a bad idea (as opposed to cert pinning, which is about fixed trust, and a good idea). Given that sometimes this is going to be blocked, even if they did it would fall to the host resolver.


Very curious about how you went about this as I would like to do the same.


Many options, take a look at https://wiki.archlinux.org/title/DNS_over_HTTPS_servers

Update the DHCP on your router, all done.
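The two ideas in this thread, running your own filtering DoH server and (as the mitmproxy reply above proposes) removing the ECH-bearing records from DNS answers, fit in one piece of working code. The following is an added example, not code from the thread or from mitmproxy. It covers only the per-message logic: the blocklist, the query names and the upstream answer are constructed samples, and the HTTPS front end that would receive the DoH request and hand its body to handle_dns_message is assumed, not shown.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_HTTPS = 1, 2, 5, 6, 12, 65
BLOCKLIST = {"ads.example.com", "tracker.example.net"}  # constructed sample list, not a real one

def read_name(msg, off):
    """Parse a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def encode_name(name):
    """Uncompressed wire form of a dotted name ('' or '.' is the root)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def build_query(name, qtype, qid=0x1234):
    """Recursive query with one question, i.e. the body of a DoH POST (application/dns-message)."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def iter_records(msg):
    """Yield (section, owner, type, class, ttl, rdata_offset, rdlen) for each AN/NS/AR record."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for section, count in zip(("an", "ns", "ar"), (an, ns, ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            yield section, owner, rtype, rclass, ttl, off + 10, rdlen
            off += 10 + rdlen

def expand_rdata(msg, rtype, off, rdlen):
    """Copy RDATA, expanding compressed names in the types that may carry them (MX etc. omitted)."""
    if rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):
        return encode_name(read_name(msg, off)[0])
    if rtype == TYPE_SOA:
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        return encode_name(mname) + encode_name(rname) + msg[o:off + rdlen]
    return msg[off:off + rdlen]  # A, AAAA, TXT, OPT, SVCB/HTTPS: compression not allowed (RFC 3597, RFC 9460)

def strip_records(response, drop_types=frozenset({TYPE_HTTPS})):
    """Re-encode a response with no name compression, dropping every RR whose type is in drop_types.
    Cutting bytes out of the middle would break compression pointers in later records, so every
    name is written in full and the header's section counts are recomputed."""
    qid, flags, qd, *_ = struct.unpack_from("!HHHHHH", response, 0)
    off, body = 12, bytearray()
    for _ in range(qd):
        name, off = read_name(response, off)
        body += encode_name(name) + response[off:off + 4]
        off += 4
    kept = {"an": 0, "ns": 0, "ar": 0}
    for section, owner, rtype, rclass, ttl, rd_off, rdlen in iter_records(response):
        if rtype in drop_types:
            continue  # no HTTPS RR -> client has no ECHConfigList -> plain ClientHello with cleartext SNI
        rdata = expand_rdata(response, rtype, rd_off, rdlen)
        body += encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        kept[section] += 1
    return struct.pack("!HHHHHH", qid, flags, qd, kept["an"], kept["ns"], kept["ar"]) + bytes(body)

def nxdomain_response(query):
    """Echo ID and question, set QR|RD|RA and RCODE=3 (NXDOMAIN), carry no answers."""
    qid, _, qdcount = struct.unpack_from("!HHH", query, 0)
    return struct.pack("!HHHHHH", qid, 0x8183, qdcount, 0, 0, 0) + query[12:read_name(query, 12)[1] + 4]

def handle_dns_message(query, upstream):
    """One application/dns-message request in, one response out: block by name first, then sanitize."""
    if read_name(query, 12)[0].lower() in BLOCKLIST:
        return nxdomain_response(query)
    return strip_records(upstream(query))

def sample_upstream(query):
    """Constructed stand-in for a real resolver (no network): CNAME with a compression-pointer owner,
    an A record, and an HTTPS record carrying a made-up 'ech' SvcParam (key 5, RFC 9460)."""
    qid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:read_name(query, 12)[1] + 4]
    ptr = struct.pack("!H", 0xC000 | 12)  # pointer to the question name
    target = encode_name("edge.example.net")
    cname = ptr + struct.pack("!HHIH", TYPE_CNAME, 1, 60, len(target)) + target
    a_rr = target + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10])
    ech = struct.pack("!HH", 5, 7) + b"\x00\x05" + b"\xaa" * 5  # SvcParamKey 5 = ech, fake ECHConfigList
    https_rdata = struct.pack("!H", 1) + encode_name(".") + ech  # SvcPriority 1, TargetName "."
    https = ptr + struct.pack("!HHIH", TYPE_HTTPS, 1, 60, len(https_rdata)) + https_rdata
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 3, 0, 0) + question + cname + a_rr + https

if __name__ == "__main__":
    allowed = handle_dns_message(build_query("www.example.com", TYPE_A), sample_upstream)
    print([r[2] for r in iter_records(allowed)])  # [5, 1]: CNAME and A kept, HTTPS dropped
    blocked = handle_dns_message(build_query("ads.example.com", TYPE_A), sample_upstream)
    print(blocked[3] & 0xF)  # 3 (NXDOMAIN)
```

Two practical notes. First, the blocklist only applies to clients that actually send their queries to this server; a device with a hardcoded resolver (the 8.8.8.8 case above) reaches it only if the router also redirects plain port 53, for example with an iptables rule of the form `iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination <your resolver>:53`, and a client that pins its own DoH endpoint by certificate is out of reach entirely, which is the point made further down. Second, dropping the HTTPS RR removes the ECH config the browser would otherwise use, but it also removes any alpn/ipv4hint/ipv6hint parameters, so the client falls back to a plain ClientHello and an A/AAAA lookup; that is the intended side effect here, but it is a behaviour change visible to the client.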


In my understanding ECH/ESNI shouldn't be an issue in this setup as long as the browser issues a domain-specific CONNECT request (i.e. "CONNECT google.com" instead of "CONNECT 24.154.13.11"). I think even with ECH enabled you should be able to impersonate the web server if you have a valid root CA certificate in the browsers' trust store. Remember, you're not performing "hostile" MITM-ing, but explicitly configure a proxy and root certificate in your browser. DNS shouldn't be an issue either as the browser leaves domain resolution to the proxy.
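What the explicitly configured proxy actually gets to see in this setup, as an added example that is not from the thread: the CONNECT request line carries the target hostname, so the proxy can block by name, or pick the right impersonation certificate, before a single TLS byte is exchanged, whether or not the inner ClientHello uses ECH. Only a CONNECT to an IP literal leaves the proxy without a name. Hostnames, the blocklist and the responses are constructed for the example.

```python
import ipaddress

BLOCKED_HOSTS = {"ads.example.com", "tracker.example.net"}  # constructed sample list

def parse_connect(request_head):
    """Return (host, port) from the request line of an HTTP CONNECT.
    The authority form (RFC 9110 9.3.6) is 'host:port'; IPv6 literals come in brackets."""
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii")
    method, authority, version = request_line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/"):
        raise ValueError("not a CONNECT request line: %r" % request_line)
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("authority must be host:port, got %r" % authority)
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host.lower(), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide_connect(request_head):
    """Decision the proxy can make before tunnelling: returns (status_line, hostname_or_None).
    A hostname lets the proxy block or impersonate by name regardless of ECH inside the tunnel;
    an IP literal gives it only the address, so the name would have to come from DNS (or the
    cleartext SNI, if ECH was kept off by stripping the HTTPS record)."""
    host, port = parse_connect(request_head)
    if is_ip_literal(host):
        return "HTTP/1.1 200 Connection Established", None
    if host in BLOCKED_HOSTS:
        return "HTTP/1.1 403 Forbidden", host
    return "HTTP/1.1 200 Connection Established", host

if __name__ == "__main__":
    for head in (b"CONNECT google.com:443 HTTP/1.1\r\nHost: google.com:443\r\n\r\n",
                 b"CONNECT ads.example.com:443 HTTP/1.1\r\n\r\n",
                 b"CONNECT 24.154.13.11:443 HTTP/1.1\r\n\r\n"):
        print(head.split(b"\r\n", 1)[0].decode(), "->", decide_connect(head))
```

The first case is exactly the "CONNECT google.com" form mentioned above; the third shows the IP-literal case where the proxy learns nothing from the request line and would have to rely on DNS or on the SNI of the inner ClientHello.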


This is, of course, assuming that you can trust the browser to obey its proxy settings. (And proxy settings do not apply at all to local “smart” devices.)



4. Deliver ads from same host as content (like Twitter, YouTube)


D. Create a whole bunch of VMs with browsers and “fake users” to DoS the whole ad-based business model.


(Note: DoS not literally, of course, but by feeding it with so much fake metrics that the signal - metrics for actual, live users - gets lost in the noise.)

Or perhaps forget about VMs, and have some kind of browser plugin that performs "fake browsing" - to throw off analytics - with your real cookies, but hidden from view, so it's not annoying to the live user browsing the web in the usual manner.


Some people might do this, but it will never be enough people to even register on the scales of the ad-funded businesses.



