AdGuardHome Pixelserv-tls Your AdGuardHome

[SomeWhereOverTheRainBow]

The TV sends a DNS request to AdGuard once per minute, no matter what. Then if the response is a pixelserv IP, it goes crazy 20 times per second with HTTP requests to pixelserv. After one minute it talks to AdGuard again ("Are you SURE this is the IP I'm looking for?"). I don't think responses to blocked domains touch the cache, the AdGuard log simply says the domain is blocked and lists the response (the pixelserv IP), no mention to cached replies (see below). In that case, tweaking the AdGuard cache shouldn't have any effect.

I can't dig test right now, but I don't think it would give us any useful information, since the problem seems to be the TV's inability to accept a pixelserv HTTP response and pixelserv's difficulty in dealing with a deluge of HTTP requests.

View attachment 40640

while I see your concern, I have yet to encounter this out of my networks ~120 clients. I am trying to replicate for better understanding more than anything else.

 

[Ericardo]

while I see your concern, I have yet to encounter this out of my networks ~120 clients. I am trying to replicate for better understanding more than anything else.

All you need to replicate is a Samsung TV circa 2013.

 

[SomeWhereOverTheRainBow]

All you need to replicate is a Samsung TV circa 2013.

I might have a better solution to how we get a desired response with our pixel-server. I have to do some testing....

 

[Ericardo]

I might have a better solution to how we get a desired response with our pixel-server. I have to do some testing....

That would be great, let me know if my deranged old TV can help with the tests.

 

[ERamseth2]

I may have found the culprit. An old Samsung TV goes bananas when "prov.samsungcloudsolution.com" is resolved to a pixelserv IP. It starts hammering pixelserv with ~20 HTTP requests per second and each pixelserv response makes the TV even angrier. That was enough to spawn 32 threads and send the CPU load to the 20-30% range. The odd part is that at some point I had a maximum of 5 threads (kvg=1, krq=54), and pixelserv's CPU load was already at 25%. There's something wildly inefficient in the way it deals with situations like this.

The solution is to add (in AdGuard) a DNS rewrite to 0.0.0.0 for the domain the misbehaving device so ardently requests. Incidentally, I've found that rewriting some other domains to 0.0.0.0 also fixes a problem I was having with the Amazon app on Android devices (the sad dog picture error). It seems some devices and apps REALLY hate pixelserv.

I saw similar hatred of pixelserv-tls in the Peacock streaming app.

 

[SomeWhereOverTheRainBow]

The TV sends a DNS request to AdGuard once per minute, no matter what. Then if the response is a pixelserv IP, it goes crazy 20 times per second with HTTP requests to pixelserv. After one minute it talks to AdGuard again ("Are you SURE this is the IP I'm looking for?"). I don't think responses to blocked domains touch the cache, the AdGuard log simply says the domain is blocked and lists the response (the pixelserv IP), no mention to cached replies (see below). In that case, tweaking the AdGuard cache shouldn't have any effect.

I can't dig test right now, but I don't think it would give us any useful information, since the problem seems to be the TV's inability to accept a pixelserv HTTP response and pixelserv's difficulty in dealing with a deluge of HTTP requests.

View attachment 40640

That is weird that it is getting blocked, when I do dig test using that filter, it isn't blocked at all. (dig test on the router).

It isn't until I start doing subdomains that I noticed 192.168.1.4 becoming the return address.

RT-AX88U-C7C0:# dig some.prov.samsungcloudsolution.com

; <<>> DiG 9.17.20 <<>> some.prov.samsungcloudsolution.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;some.prov.samsungcloudsolution.com. IN A

;; ANSWER SECTION:
some.prov.samsungcloudsolution.com. 10 IN A     192.168.1.4

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Apr 06 19:59:43 DST 2022
;; MSG SIZE  rcvd: 68

RT-AX88U-C7C0:# dig prov.samsungcloudsolution.com

; <<>> DiG 9.17.20 <<>> prov.samsungcloudsolution.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53259
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;prov.samsungcloudsolution.com. IN      A

;; ANSWER SECTION:
prov.samsungcloudsolution.com. 10 IN    A       54.82.12.9
prov.samsungcloudsolution.com. 10 IN    A       34.238.14.151
prov.samsungcloudsolution.com. 10 IN    A       52.54.197.147
prov.samsungcloudsolution.com. 10 IN    A       52.70.15.111

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Apr 06 19:59:50 DST 2022
;; MSG SIZE  rcvd: 122

When I dig from a separate client it isn't blocked either

Until I throw in a sub domain

 

[SomeWhereOverTheRainBow]

Well silly me, I have that domain in my allow list. woops.

 

[Ericardo]

Well silly me, I have that domain in my allow list. woops.

View attachment 40645

That reminds me I have to go through my allow list and test if some entries I added to fix broken apps/services can be replaced by a rewrite to 0.0.0.0 or some other bogus IP.

 

[Ellenswamy]

Been running AdGuardHome for awhile now and working perfect. Is there a benefit to doing the pixel tls setup to it?

 

[SomeWhereOverTheRainBow]

Been running AdGuardHome for awhile now and working perfect. Is there a benefit to doing the pixel tls setup to it?

Negligible benefits. If anything, it is more of a "hey I did this just to try it" to say I did it kind of thing.

 

[Ellenswamy]

Negligible benefits. If anything, it is more of a "hey I did this just to try it" to say I did it kind of thing.

So it really anything to write home about unless you want to just do it? No noticeable benefits.

 

[SomeWhereOverTheRainBow]

So it really anything to write home about unless you want to just do it? No noticeable benefits.

Correct. The main benefit I could see is if a user had sooo many pixels certs saves in their cache from diversion, that they wanted to port over using this same cache to adguardhome using the custom blocked ip. The working theory being that somehow utilizing those certs in the cache will some how serve ads much quicker with a tiny pixel than the default black hole timeout into oblivion that is the default behavior.

 

[SomeWhereOverTheRainBow]

So it really anything to write home about unless you want to just do it? No noticeable benefits.

While you may experience loading some sites that are heavily filled with ad to be much quicker utilizing pixelservtls, the perceived advantage is nill with others. It really is more of a toss up, and since not all clients will be compatible to use the imported pixelservtls cert( apple products), there is no real advantage to be gained.

 

[Ellenswamy]

While you may experience loading some sites that are heavily filled with ad to be much quicker utilizing pixelservtls, the perceived advantage is nill with others. It really is more of a toss up, and since not all clients will be compatible to use the imported pixelservtls cert( apple products), there is no real advantage to be gained.

iPhones etc should work with the cert, you just have to go to the site on the device directly and it gets loaded like a profile. Now if it works beyond that I don't know. Also have to make sure you select fully trust.

 

[garett_09]

Hey everyone,

I am just a newbie and i wanted to try this at my router. What if I dont import the certs per device? Will i still get the same benefit of pixelserve or its not worth using at all?

Thanks

 

[L&LD]

Don't use pixelserve today.

 

[SomeWhereOverTheRainBow]

Hey everyone,

I am just a newbie and i wanted to try this at my router. What if I dont import the certs per device? Will i still get the same benefit of pixelserve or its not worth using at all?

Thanks

This is a dead in the water topic, I would skip doing this as it is utterly unnecessary. It was just a fun little project to see if there were any added benefits, but the complexity and work required is not worth it for the level of results achieved.

 

[garett_09]

This is a dead in the water topic, I would skip doing this as it is utterly unnecessary. It was just a fun little project to see if there were any added benefits, but the complexity and work required is not worth it for the level of results achieved.

Alright then. I won't use this. I thought this would improve my adblocking experience better.

Thanks again

 

[garett_09]

Don't use pixelserve today.

Hey,

I thought you are using pixelserv since it is included in your signature.

 

[exoxon]

AdGuardHome itself will have this feature in the future, unfortunately there is no ETA:

Add content blocking proxy settings · Issue #1228 · AdguardTeam/AdGuardHome

We're going to add the proxy module in v0.102: #391 Here's the necessary minimum that should be configurable: Enable/disable Filter lists (consider extending /#filters) Certificate (we should gener...

github.com

GitHub - AdguardTeam/gomitmproxy: Simple golang mitm proxy implementation

Simple golang mitm proxy implementation. Contribute to AdguardTeam/gomitmproxy development by creating an account on GitHub.

github.com