What's new

AdGuardHome Pixelserv-tls Your AdGuardHome

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The TV sends a DNS request to AdGuard once per minute, no matter what. Then if the response is a pixelserv IP, it goes crazy 20 times per second with HTTP requests to pixelserv. After one minute it talks to AdGuard again ("Are you SURE this is the IP I'm looking for?"). I don't think responses to blocked domains touch the cache, the AdGuard log simply says the domain is blocked and lists the response (the pixelserv IP), no mention to cached replies (see below). In that case, tweaking the AdGuard cache shouldn't have any effect.

I can't dig test right now, but I don't think it would give us any useful information, since the problem seems to be the TV's inability to accept a pixelserv HTTP response and pixelserv's difficulty in dealing with a deluge of HTTP requests.

View attachment 40640
while I see your concern, I have yet to encounter this out of my networks ~120 clients. I am trying to replicate for better understanding more than anything else.
 
I may have found the culprit. An old Samsung TV goes bananas when "prov.samsungcloudsolution.com" is resolved to a pixelserv IP. It starts hammering pixelserv with ~20 HTTP requests per second and each pixelserv response makes the TV even angrier. That was enough to spawn 32 threads and send the CPU load to the 20-30% range. The odd part is that at some point I had a maximum of 5 threads (kvg=1, krq=54), and pixelserv's CPU load was already at 25%. There's something wildly inefficient in the way it deals with situations like this.

The solution is to add (in AdGuard) a DNS rewrite to 0.0.0.0 for the domain the misbehaving device so ardently requests. Incidentally, I've found that rewriting some other domains to 0.0.0.0 also fixes a problem I was having with the Amazon app on Android devices (the sad dog picture error). It seems some devices and apps REALLY hate pixelserv.
I saw similar hatred of pixelserv-tls in the Peacock streaming app.
 
The TV sends a DNS request to AdGuard once per minute, no matter what. Then if the response is a pixelserv IP, it goes crazy 20 times per second with HTTP requests to pixelserv. After one minute it talks to AdGuard again ("Are you SURE this is the IP I'm looking for?"). I don't think responses to blocked domains touch the cache, the AdGuard log simply says the domain is blocked and lists the response (the pixelserv IP), no mention to cached replies (see below). In that case, tweaking the AdGuard cache shouldn't have any effect.

I can't dig test right now, but I don't think it would give us any useful information, since the problem seems to be the TV's inability to accept a pixelserv HTTP response and pixelserv's difficulty in dealing with a deluge of HTTP requests.

View attachment 40640
That is weird that it is getting blocked, when I do dig test using that filter, it isn't blocked at all. (dig test on the router).

It isn't until I start doing subdomains that I noticed 192.168.1.4 becoming the return address.

Code:
RT-AX88U-C7C0:# dig some.prov.samsungcloudsolution.com

; <<>> DiG 9.17.20 <<>> some.prov.samsungcloudsolution.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;some.prov.samsungcloudsolution.com. IN A

;; ANSWER SECTION:
some.prov.samsungcloudsolution.com. 10 IN A     192.168.1.4

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Apr 06 19:59:43 DST 2022
;; MSG SIZE  rcvd: 68

RT-AX88U-C7C0:# dig prov.samsungcloudsolution.com

; <<>> DiG 9.17.20 <<>> prov.samsungcloudsolution.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53259
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;prov.samsungcloudsolution.com. IN      A

;; ANSWER SECTION:
prov.samsungcloudsolution.com. 10 IN    A       54.82.12.9
prov.samsungcloudsolution.com. 10 IN    A       34.238.14.151
prov.samsungcloudsolution.com. 10 IN    A       52.54.197.147
prov.samsungcloudsolution.com. 10 IN    A       52.70.15.111

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Apr 06 19:59:50 DST 2022
;; MSG SIZE  rcvd: 122

When I dig from a separate client it isn't blocked either

1649289874067.png

Until I throw in a sub domain

1649289926346.png
 
Been running AdGuardHome for awhile now and working perfect. Is there a benefit to doing the pixel tls setup to it?
 
So it really anything to write home about unless you want to just do it? No noticeable benefits.
Correct. The main benefit I could see is if a user had sooo many pixels certs saves in their cache from diversion, that they wanted to port over using this same cache to adguardhome using the custom blocked ip. The working theory being that somehow utilizing those certs in the cache will some how serve ads much quicker with a tiny pixel than the default black hole timeout into oblivion that is the default behavior.
 
So it really anything to write home about unless you want to just do it? No noticeable benefits.
While you may experience loading some sites that are heavily filled with ad to be much quicker utilizing pixelservtls, the perceived advantage is nill with others. It really is more of a toss up, and since not all clients will be compatible to use the imported pixelservtls cert( apple products), there is no real advantage to be gained.
 
While you may experience loading some sites that are heavily filled with ad to be much quicker utilizing pixelservtls, the perceived advantage is nill with others. It really is more of a toss up, and since not all clients will be compatible to use the imported pixelservtls cert( apple products), there is no real advantage to be gained.
iPhones etc should work with the cert, you just have to go to the site on the device directly and it gets loaded like a profile. Now if it works beyond that I don't know. Also have to make sure you select fully trust.
 
Hey everyone,

I am just a newbie and i wanted to try this at my router. What if I dont import the certs per device? Will i still get the same benefit of pixelserve or its not worth using at all?

Thanks
 
Hey everyone,

I am just a newbie and i wanted to try this at my router. What if I dont import the certs per device? Will i still get the same benefit of pixelserve or its not worth using at all?

Thanks
This is a dead in the water topic, I would skip doing this as it is utterly unnecessary. It was just a fun little project to see if there were any added benefits, but the complexity and work required is not worth it for the level of results achieved.
 
This is a dead in the water topic, I would skip doing this as it is utterly unnecessary. It was just a fun little project to see if there were any added benefits, but the complexity and work required is not worth it for the level of results achieved.
Alright then. I won't use this. I thought this would improve my adblocking experience better.

Thanks again
 
Don't use pixelserve today.
Hey,

I thought you are using pixelserv since it is included in your signature. :D
 
AdGuardHome itself will have this feature in the future, unfortunately there is no ETA:

 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top