Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 1:42 pm
by Term
Hello,
are you using Mikrotik to block ads? I know there is i.e. Pi-hole but I'm afraid pages loading will work slower if there will be requests to raspberry.
Found https://stopad.hook.sh
Tried it but it seems to not work for me, maybe I skipped something.
IP - DHCP - Networks - added IP of my mikrotik to DNS
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface=bridge protocol=udp
checked all sites in stopad.hook.sh, wrote 127.0.0.1, added script to my mikrotik
## StopAD - Script for blocking advertisements, based on your defined hosts files
## For changing any parameters, please, use this link: https://stopad.hook.sh/
##
## @github <https://github.com/tarampampam/mikrotik-hosts-parser>
## @version 2.3.0
##
## Setup this Policy for script: [X] Read [X] Write [X] Policy [X] Test
:local hostScriptUrl "https://stopad.hook.sh/script/source?format=routeros&version=2.3.0&redirect_to=127.0.0.1&sources_urls=https%3A%2F%2Fraw.githubusercontent.com%2Ftarampampam%2Fstatic%2Fmaster%2Fhosts%2Fblock_shit.txt,https%3A%2F%2Fraw.githubusercontent.com%2Fcrazy-max%2FWindowsSpyBlocker%2Fmaster%2Fdata%2Fhosts%2Fspy.txt,https%3A%2F%2Fadaway.org%2Fhosts.txt,https%3A%2F%2Fwww.malwaredomainlist.com%2Fhostslist%2Fhosts.txt,https%3A%2F%2Fpgl.yoyo.org%2Fadservers%2Fserverlist.php%3Fhostformat%3Dhosts%26showintro%3D0%26mimetype%3Dplaintext,https%3A%2F%2Fsomeonewhocares.org%2Fhosts%2Fhosts,http%3A%2F%2Fwinhelp2002.mvps.org%2Fhosts.txt,https%3A%2F%2Fhosts-file.net%2Fad_servers.txt&excluded_hosts=localhost";
:local scriptName "stop_ad.script";
:local backupFileName "before_stopad";
:local logPrefix "[StopAD]";
do {
    /tool fetch check-certificate=no mode=https url=$hostScriptUrl dst-path=("./".$scriptName);
    :delay 3s;
    :if ([:len [/file find name=$scriptName]] > 0) do={
        /system backup save name=$backupFileName;
        :delay 1s;
        :if ([:len [/file find name=($backupFileName.".backup")]] > 0) do={
            /ip dns static remove [/ip dns static find comment=ADBlock];
            /import file-name=$scriptName;
            /file remove $scriptName;
            :log info "$logPrefix AD block script imported, backup file (\"$backupFileName.backup\") created";
        } else={
            :log warning "$logPrefix Backup file not created, importing AD block script stopped";
        }
    } else={
        :log warning "$logPrefix AD block script not downloaded, script stopped";
    }
} on-error={
    :log warning "$logPrefix AD block script download FAILED";
};
I started script manually but I still see ads in websites.
Any idea?
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 1:47 pm
by msatter
No, I am using Pi-hole.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 3:11 pm
by anav
Where are you seeing ads??
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 4:25 pm
by Term
ie letemsvetemapplem.cz, idnes.cz etc.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 4:35 pm
by anav
I never see ads on my MT router.
Do they popup in your Winbox??
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 4:49 pm
by Term
I'm talking about pc browser, not mikrotik. Want to block ads in browsers via mikrotik
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 4:56 pm
by anav
I'm talking about pc browser, not mikrotik. Want to block ads in browsers via mikrotik
That is a browser problem. Fix it in your browser and also is a user problem, thus educate your users.
What next, automatically provide tissue paper when a PC user is going to sneeze??
I know, while we are at...... howbout ask MT to cure cancer.................
By the way, Type 2 Diabetes is DIY disease!!! Chew on that for a while!!!
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 5:30 pm
by Term
You don't understand me. I'm looking for similar solution like Pi-hole but for mikrotik. Some script.
Don't want to use adblock, ublock etc in my computers and mobile devices.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 5:49 pm
by anav
You don't understand me. I'm looking for similar solution like Pi-hole but for mikrotik. Some script.
Don't want to use adblock, ublock etc in my computers and mobile devices.
But that would put pi-hole out of business, a very ruthless move on the part of MT.
What is it exactly that pi-hole does then? If its not CPU intensive it sounds like something that should be coded in to the MT functionality??
Perhaps a feature request??
Quick research, is that they use a BASH list............anyway a pointer to a DB to check against ads.
Don't see why the MT couldn't check the same DB (ie not loaded onto the device) for DNS activities??????????????
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Mar 17, 2019 7:21 pm
by nostromog
Hello,
are you using Mikrotik to block ads? I know there is i.e. Pi-hole but I'm afraid pages loading will work slower if there will be requests to raspberry.
I made some tests with a pi-hole running with docker in my laptop and I don't think any slowing will be significant. But I don't have a place
right now where I can run a docker container reliably, and also I have a travel router where I like the scripted idea...
So thank you for:
You can see ads in websites for several reasons:
- Your dhcp-server network in the router is giving them a DNS different from your router. You can check and solve this one in your router.
- Your PCs are ignoring the DNS settings that the DHCP server provides. You can force them by firewalling / redirecting DNS request to the router
- Some program/apps use their own web services to resolve or fetch apps using addresses
- Not everything is covered by those scripts/dns entries
You need to check which one applies and solve it.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Oct 12, 2019 3:51 pm
by Casa
Hey, Term, have you been able to make any progress on solving this issue?
I've used the same script and added ~15,000 hosts to dns static settings to no noticeable effect.
I'll try to check why it doesn't work (it does resolve added dns to the IP address I specified), but if you've had any insights since your last post - please share it.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Dec 27, 2019 12:13 am
by zibadun
I think pi hole is the best way to block ads. best $10 i ever spent. Check out this thread on reddit:
https://www.reddit.com/r/pihole/comment ... d_via_usb/
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Dec 27, 2019 6:48 pm
by complex1
@Term,
I use the IP-addresses provided by https://public-pihole.com/ and this works well (for me).
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Dec 27, 2019 8:34 pm
by pcunite
I think pi hole is the best way to block ads. The best $10 i ever spent. Check out this thread on reddit:
Update:
I understand now. A Pi Zero W is plugged into a MikroTik's USB port to get power and also act like an ethernet card. The MikroTik is this person's router, and they send DNS queries to this USB-to-Ethernet port. Very clever. I think I'll just build or buy a small server. Would be cool if MikroTik had a package for this.
Can you expand on this more? I'm researching implementing Pi-hole and thought I would use a Raspberry Pi 4 Model B or something. The reddit link makes it seem like the hAP AC could be used? I want to use, I guess, a Pi-hole server and hand out its IP address to all my clients.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 2:50 am
by floaty
... every filter (dns, av, antispam ... whatsoever) will slow down your secured application ... EVERY !
... because you delegated sagacity to an entity with more discipline than you own by yourself ... and thats a good thing ... when it comes to computed routines
... but it adds cpu-, asic-, whatsoever-related-time to decide...
.
suggestion:
change /etc/cron.d/pihole
from
.
# standard crontab job error handling.
11 4 * * 7 root PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log >/dev/null 2>&1
.
to
.
# standard crontab job error handling.
11 4 * * * root PATH="$PATH:/usr/local/bin/" pihole updateGravity >/var/log/pihole_updateGravity.log || cat /var/log/pihole_updateGravity.log >/dev/null 2>&1
.
... for a more day-by-day-discipline ... this is not (only) a joke
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 3:03 am
by floaty
btw.
there are tons of articles in this forum how to make use of anti-spam-, anti-phishing, - or country-code related community-lists with a MTik-board.
.
add a local anti-virus-proxy ... and you're good to go
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 3:35 am
by jimbobst
Out of interest, how many hops and what roundtrip times are you seeing to the pihole servers you are using?
I initially used the public servers but found them very slow for my location - a traceroute would show many hops and 300ms+ roundtrip times from here in NZ. Also it was blacklisting some dropbox A records which caused me issues.
I found the free DNS servers at adguard to be very good: https://adguard.com/en/adguard-dns/overview.html. They seem to have more locations and the roundtrip is only 50ms. They also have some "family friendly" DNS servers which may interest some households.
While I have ordered a raspberry pi zero to use as a pi-hole/unbound, unless you are a techy that wants to have more control over blocklists, caching, privacy etc, simply using free public DNS servers would likely suffice for most home use internet setups.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 4:07 am
by floaty
just had an over-christmas-discussion with my colleagues over the topic ...
.
just check !!
... even dns-filtering is a walrus-nipples-thing :
.
... ad-content is filtered ... the loaded site(s) seems to be slow ... because the content of interest is placed last ... no effin pictures of socks inbetween
.
so everyone who's lookin on it's (screen) browser says: lame web-performance !
.
this a case for pestalozzi .. not for tesla ( while claude e. shannon is taking notes )
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 3:47 pm
by noythetop
+1 for pi hole. Does the job perfectly.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 5:14 pm
by stuartkoh
I use Pi-hole and find that it works quite well. It doesn't slow anything down. In fact, it speeds up browsing because I'm not pulling in as many ads.
I had it running on a Raspberry Pi Zero W and the performance was excellent. I saw far fewer ads on all of my devices, and not just via web browser. You can also block sites that host malware or are fraudulent if you want. Blocking things that track you is another possibility.
You can point your Pi-hole at whatever upstream DNS providers you like. It can also work with DNS over TLS or DNS over HTTPS if you want to do that. It can do DNSSEC too. It does some caching, so repeat queries may return faster for you, depending upon what other query caching you're doing, etc. It doesn't, by default, use a very large cache, so I wouldn't say that caching is its best feature. Any queries for records pointing to ad servers are returned very quickly, and that will help things load more rapidly too.
I have actually switched to using a Raspberry Pi 3 b+ for Pi-hole. I wanted to do DNS over HTTPS, and I used the cloudflare proxy for this. Cloudflare has dropped support for old Raspberry Pis, so the Zero W was only able to run an older version of cloudflared. I ran into some problems with that older version, and I had a 3 b+ sitting around, so I just switched to that and am now using the current version of cloudflared.
My Mikrotik router is set to use my Pi-hole system for its DNS, and I also have it set to pass that out to client devices via DHCP. That gives me ad-blocking for things like smartphones.
There are a few things to be aware of. The blocklists are maintained on the Pi-hole server and will apply to any device using it for DNS. Users will therefore be unable to directly disable ad-blocking for a particular site; that would have to be done in Pi-hole. That hasn't been a problem for me, but it could be depending on your users and how many of them there are.
Pi-hole also doesn't currently do a great job of blocking youtube ads. Google does their own ad-serving and they've integrated it tightly enough with youtube that it's very difficult to use DNS to block those ads. You would therefore still need an ad-blocking browser extension if you want to block all youtube ads.
You have to give some thought to your choice of which blocklists to use (just as you do with an ad-blocking extension in your browser). You can add a lot of lists and be very restrictive, but then you also stand more of a chance of breaking some sites. Or you can add few lists and it may not block all ads. I've taken a compromise approach and I use a fair number of blocklists, but only ones that shouldn't require me to do a lot of adjustment (make exceptions so sites can work, etc.).
I still see some ads with Pi-hole. It's not perfect. However, it blocks ads in more than just browsers, and it does noticeably improve the experience of using a smartphone IMO. Blocking tracking and other data collection for my entire LAN is also very valuable to me.
As I mentioned, I'm doing DoH (DNS over HTTPS). This keeps my ISP from seeing my DNS queries. (They can still see your traffic if you're not using a VPN, but they can't harvest quite as much info as if you don't encrypt your DNS queries.) Yes, this does shift your trust from your ISP to your DNS provider. In my case, I trust my DNS provider more than I trust my ISP. (I'm stuck with my ISP until maybe the new satellite systems give me an alternative.)
I found that setting up Pi-hole and getting everything the way I want it was fun. I already had the hardware, so I didn't have to buy anything new to set it up. It was a nice little project and I feel it's been quite useful.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 6:40 pm
by pe1chl
As you already wrote, ad-blocking using DNS is limited and will not always work.
The best ad-blocking is still in the browser, as it can operate on full URL instead of only hostname.
Also it can in theory (unfortunately ABP cannot do that) load some ad data and not display it, e.g. in cases where a website will not work when you do not load the ads.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Dec 28, 2019 7:00 pm
by pcunite
@stuartkoh
Thanks for the write-up.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Dec 29, 2019 11:25 pm
by pcunite
I found the free DNS servers at AdGuard to be very good. They seem to have more locations and the roundtrip is only 50ms. They also have some "family friendly" DNS servers which may interest some households.
Nice find. Will give them a try.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Dec 29, 2019 11:51 pm
by jimbobst
Yeah I've been using them for several days now, with no obvious issues.
Will probably use them as secure upstream dns servers from a pihole too, seeing as they reckon they don't log queries...
"AdGuard DNS takes several measures to ensure your privacy safety. We support DNSCrypt, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols."
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Dec 30, 2019 7:03 pm
by zibadun
I have actually switched to using a Raspberry Pi 3 b+ for Pi-hole. I wanted to do DNS over HTTPS, and I used the cloudflare proxy for this. Cloudflare has dropped support for old Raspberry Pis, so the Zero W was only able to run an older version of cloudflared. I ran into some problems with that older version, and I had a 3 b+ sitting around, so I just switched to that and am now using the current version of cloudflared.
there are still some unofficial cloudflared builds for pi. But I've configured 'unbound' DNS resolver on pi zero w with forwarders to cloudflare and quad9 over DoT (dns over TLS). Config posted in the same reddit thread. this works better than cloudflared daemon. My new lookups are 0.2 seconds , which is a bit slow imo, but not too bad. also Unbound refreshes cache on its own for the repeating queries to reduce the lookup time (ie the longer it runs the more it "learns" how to pre-populate the cache).
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Dec 31, 2019 5:12 pm
by zibadun
there seems to be an initiative by chrome and Firefox to enable a DoH resolver built in to the browsers. this would bypass pihole. I would stay away from this setting if you are using dns based ad blocking. sorry if this is obvious but wanted to mention anyway..
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Dec 31, 2019 5:34 pm
by i4jordan
I am using 3 ways to block unwanted content (ads are a part of the unwanted content)
1) uBlock on any browser on our computers. I use Vivaldi (Chromium based) and push uBlock with a GPO on Windows
2) Pi-Hole running on a virtual linux computer
3) IP blocking in Mikrotik
With uBlock you are also blocking unwanted scripts in the pages.
For the IPs to block I'd like to refer to:
1) http://www.squidblacklist.org/downloads.html which serves various IP lists you can automatically import with a script into your MKT device.
2) https://mikrotikconfig.com/firewall/, with this site you can create an IP block list for a lot of countries
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Mar 09, 2020 1:44 am
by scob
Hey.
Squidblacklist.org is dead (as its owner), sorry.
Some time ago I was showing an ads-blocker made on squidblacklist blacklists... (https://www.youtube.com/watch?v=DhheFeUPo2g)
However squidblacklist is dead, the pi-hole project is so vital now...
Now presenting: the pi-hole to mikrotik converter.
Check it out:
The converter:
https://pastebin.com/rQVYcdi3
##############
#!/bin/bash
mtuser=admin
sshpass="$(cat mtpass)"
mtip=192.168.2.1
# echo $sshpass
#expand aliases
shopt -s expand_aliases
source ~/.bashrc
listy=("https://raw.githubusercontent.com/Majki ... stfile.txt")
listy+=("https://raw.githubusercontent.com/Majki ... d_host.txt")
listy+=("https://raw.githubusercontent.com/Majki ... onnect.txt")
listy+=("https://raw.githubusercontent.com/Majki ... e_host.txt")
listy+=("https://raw.githubusercontent.com/Majki ... tended.txt")
listy+=("https://raw.githubusercontent.com/Majki ... ervers.txt")
listy+=("https://raw.githubusercontent.com/Majki ... pihole.txt")
# echo ${listy[@]}
# name of the output file
_script_file=blacklista.rsc
rm -f $_script_file 2>/dev/null 1>/dev/null
rm -f "${_script_file}.tmp" 2>/dev/null 1>/dev/null
rm -f "${_script_file}.tmp.tmp" 2>/dev/null 1>/dev/null
# fetch every list; [@] expands to one URL per iteration
for i in "${listy[@]}"
do
curl -sL "$i" >> "${_script_file}.tmp"
done;
# Convert to unix format - requires installing dos2unix
dos2unix ${_script_file}.tmp 2>/dev/null 1>/dev/null
LC_ALL=C
######################
# Help aliases
alias incl_ipaddr="egrep -e '([0-9]|[0-9][0-9]|[0-9][0-9][0-9])\.([0-9]|[0-9][0-9]|[0-9][0-9][0-9])\.([0-9]|[0-9][0-9]|[0-9][0-9][0-9])\.([0-9]|[0-9][0-9]|[0-9][0-9][0-9]).*'"
alias strip_comment="sed 's/#.*//'"
alias remove_empty_lines="sed -r '/^\s*$/d'"
alias excl_regex_rules="grep -v '\\$'"
alias incl_regex_rules="grep '\\$'"
# real cmd rule: sed -e 's/\\/\\\\/g' -e 's/\$//g'
alias conv_expr_2_rsc_fmt="sed -e 's/\\\/\\\\\\\/g' -e 's/\\$//g'"
alias conv_2_alphanumeric="tr -cd '[:alnum:]._\-\n-'"
alias conv_2_alphanumexpr="tr -cd '[:alnum:].+*[]_\-\\\(|^$)\n-'"
# Help func
prnt_col_2()
{
awk '{print $2}'
}
# Convert plain name rules
cat ${_script_file}.tmp | remove_empty_lines | incl_ipaddr | prnt_col_2 | strip_comment | excl_regex_rules | conv_2_alphanumeric | sed -e 's/^/\/ip dns static add address=127.0.0.1 name=/i' | sed -e 's/$/ ttl=600w/i' >> "${_script_file}.tmp.tmp"
# Convert regexp name rules
cat ${_script_file}.tmp | remove_empty_lines | incl_ipaddr | prnt_col_2 | strip_comment | incl_regex_rules | conv_2_alphanumexpr | conv_expr_2_rsc_fmt | sed -e 's/^/\/ip dns static add address=127.0.0.1 regexp="/i' | sed -e 's/$/" ttl=600w/i' >> "${_script_file}.tmp.tmp"
#####################
sync
# Sort and remove doubles - keep unique lines
sort -u "${_script_file}.tmp.tmp" > "${_script_file}"
rm -f ${_script_file}.tmp.tmp 2>/dev/null 1>/dev/null
rm -f ${_script_file}.tmp 2>/dev/null 1>/dev/null
# requires sshpass to be installed
sshpass -p "$sshpass" scp "${_script_file}" "$mtuser@$mtip:/"
##############
It's mostly based on someone else's idea (https://forum.qnap.net.pl/threads/pi-ho ... iku.27017/)
Now - just put the converter in cron (on a PC or e.g. a home NAS) and add a simple script to the mikrotik to refresh the dns blacklist list
/ip dns static remove [find where ttl=600w]
:delay 50
/import file-name=blacklista.rsc;:log warning "import regulek PiHole";
:delay 5
:log warning "Removed old AdsBlockList records and imported new list";
May it serve you well!
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Mar 13, 2020 3:25 am
by floaty
.
If the Force might be with us
.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Mar 13, 2020 7:11 am
by rooted
@scob What device are you running this on? I get several errors running it from a couple of Debian based devices. Maybe it's due to them being ARM based?
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Mar 13, 2020 1:04 pm
by stuartkoh
I have actually switched to using a Raspberry Pi 3 b+ for Pi-hole. I wanted to do DNS over HTTPS, and I used the cloudflare proxy for this. Cloudflare has dropped support for old Raspberry Pis, so the Zero W was only able to run an older version of cloudflared. I ran into some problems with that older version, and I had a 3 b+ sitting around, so I just switched to that and am now using the current version of cloudflared.
there are still some unofficial cloudflared builds for pi. But I've configured 'unbound' DNS resolver on pi zero w with forwarders to cloudflare and quad9 over DoT (dns over TLS). Config posted in the same reddit thread. this works better than cloudflared daemon. My new lookups are 0.2 seconds , which is a bit slow imo, but not too bad. also Unbound refreshes cache on its own for the repeating queries to reduce the lookup time (ie the longer it runs the more it "learns" how to pre-populate the cache).
I wanted to add an update to my original post about exactly this.
I found that the cloudflared daemon just wasn't very reliable, no matter what version I used. I had used unbound in the past at various workplaces, so I installed it and set it up to do DoT and removed cloudflared. I'm happy with the results. Like you I do see some initial queries are a bit slow, but not bad. A lot of queries are then answered out of cache, so overall there's no performance problem.
A friend of mine uses Plume devices for his home network (he said that their Superpod uses the same IPQ-4019 and QCA9984 that the Mikrotik Audience uses, but the Wave2 features work) and he's not happy with their ad-blocking functionality. He's planning to add a Pi Hole device too. He isn't concerned about DoH or DoT, so I told him a Raspberry Pi Zero W should be fine.
(I've been wondering whether it's really worth doing DoH or DoT myself. I might be better off just having unbound do queries to the authoritative nameservers rather than forwarding to another, outside server like Quad9 or Cloudflare.)
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Oct 02, 2020 11:45 am
by kxrist
it works. Excellent !@#$%
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Oct 04, 2020 6:35 pm
by purplecloud
Thanks for linking to this. I'm trying to find the ideal pi-hole setup and this post & subreddit will definitely be helpful!
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Oct 04, 2020 7:01 pm
by saaremaa
Convert Pihole address lists to static Mikrotik DNS records and enjoy. Manual update.
Re: Recommend way to block Ads with Mikrotik
Posted: Thu Jun 10, 2021 3:19 pm
by stuartkoh
You can block ads by mikrotik in several ways. You can use static dns, create firewall rules or ad block dns doh.
In this link you can find some appropriate methods
https://karimzi.blogspot.com/search/label/mikrotik?m=1
Follow this blog for advanced level of mikrotik security.
I'm currently using NextDNS via DoH from my Mikrotik router. It's working really well and I'm pleased with the results. I was never completely happy with pihole and had periodic issues with it, plus it was another thing and another system that I had to maintain. NextDNS is as easy to use as Quad9 was (which is what I was using with pihole). Performance is really good too.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Aug 08, 2021 12:47 pm
by volkirik
download the file to desktop;
https://raw.githubusercontent.com/Steve ... ster/hosts
open notepad++ replace with regex;
find: ^#[^\n]*
replace: "" (empty)
find: ^![^\n]*
replace: "" (empty)
find: ^[^0]
replace: "" (empty)
find: #[^\n]*
replace: "" (empty)
find: ^(0\.[^ ]*) ([^\n]*)
replace: add address=$1 name=$2
set mode to normal (not regex)
find: "=0.0.0.0 "
replace: "=127.0.0.1 "
upload the file to routerOS;
/ip dns
/import StevenBlack_hosts_20210808.rsc
##### TURKISH #####
download the file to desktop;
https://raw.githubusercontent.com/Steve ... ster/hosts
open notepad++ replace with regex;
find: ^(127\.0\.0\.1) ([^\n]*)
replace: add address=$1 name=$2
remove res.cloudinary.com entry as it breaks www.dev.to
paste on terminal. because many lines conflict with generic list.
note: uses lots of memory and takes about 10 minutes on RB4011.
note: static entries are always in the cache. so I needed to set cache size to 307200 (300 mb)
note: I update static list monthly and when I receive complaint.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Aug 08, 2021 1:04 pm
by volkirik
It would be easier if MikroTik officially supported importing hosts file.
for example: IP->DNS->Filter Subscriptions
you enter URL(s) to download hosts files... and interval (for example: daily, weekly, monthly)
after that, they could add whitelisting feature.
but whatever. it is just a dream unless they want to gain market-share from Pi-Hole
I temporarily use it on mikrotik. Because I plan to buy a Raspberry Pi 400.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Aug 08, 2021 5:14 pm
by Jotne
This script adds a big list of IP to block ads in a MikroTik router:
viewtopic.php?t=172942
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Aug 08, 2021 6:14 pm
by volkirik
Works OK but resource intensive.
Re: Recommend way to block Ads with Mikrotik
Posted: Sun Aug 08, 2021 6:32 pm
by Jotne
You are wrong at some points.
Memory used 25% to 48% used, still have lots of memory free.
CPU does not see any difference. Looking up a name in an internal table may be faster and use less CPU compared to a lookup at an external DNS server.
Disk use: if you have space, it does not matter if it's 80% or 90% full. OK at my RB750G r3
You should use a tool to monitor your router to see if anything runs full.
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 3:21 am
by rextended
I consider it a true security breach to import any file downloaded from a 3rd party site with the /import file-name=$scriptName command.
If some hacker or the author himself puts some commands inside the downloaded file, he can do anything he wants with the RouterBOARD...
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 8:24 am
by Jotne
You are 100% correct. So I do not schedule the script.
I do open the link in a web browser: https://www.micu.eu/adblock/adblock.php
Have a look at it, and if there is only one command /ip dns static, then I do run the script.
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 10:42 am
by rextended
@Jotne, yours is the correct way to do that,
but to be a little paranoid... or considering the real possibility,
the webserver can check user agent,
if it is "Mikrotik/6.x&Fetch" can provide different contents than
if it is, for example, "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"...
Catch the point?
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 11:00 am
by Jotne
Nothing wrong with being paranoid.
Get your points
Maybe one can change the script to search for commands and stop/delete it if there is more than one command ...
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 11:16 am
by rextended
Maybe one can change the script to search for commands and stop/delete it if there is more than one command ...
Or search on import script on each line the DNS,
this permit also to set a comment="from the x list", instead of generic add...
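The per-line check that Jotne and rextended discuss above, as an added example (not code from any poster or from the StopAD project): it reads the downloaded file as data, refuses it whole if any line is something other than a plain `/ip dns static add` pointing at the sink address, and re-emits its own commands with a per-list comment. The function names, the constructed sample lines and the rule that every entry must resolve to the sink address (a lone `/ip dns static add` can still redirect a real host name) are assumptions of this example.

```python
import ipaddress
import re

# Characters that start substitution, variables, blocks, escapes or a second
# command in RouterOS script; a plain DNS entry needs none of them.
SCRIPT_META = set("[]{}$;`\\")
# One key=value pair; the value is either "quoted" or a bare token.
PARAM = re.compile(r'\s+([a-z-]+)=(?:"([^"]*)"|([^\s"]+))')
ALLOWED_KEYS = {"address", "name", "ttl", "comment"}
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
# At least two labels, 253 characters at most.
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})+", re.I)
PREFIX = "/ip dns static add"


def check_line(line, in_dns_menu, sink):
    """Return (hostname, None) for an acceptable line, else (None, reason)."""
    if SCRIPT_META & set(line):
        return None, "script metacharacter"
    if line.startswith(PREFIX + " "):
        rest = line[len(PREFIX):]
    elif line.startswith("add ") and in_dns_menu:
        rest = line[3:]
    else:
        return None, "not an /ip dns static add command"
    # The whole remainder must be key=value pairs, nothing trailing.
    if not re.fullmatch(f"(?:{PARAM.pattern})+", rest):
        return None, "unparseable parameters"
    params = {}
    for key, quoted, bare in PARAM.findall(rest):
        if key not in ALLOWED_KEYS or key in params:
            return None, f"parameter {key!r} not allowed or repeated"
        params[key] = quoted or bare
    try:
        addr = ipaddress.IPv4Address(params.get("address", ""))
    except ValueError:
        return None, "missing or invalid address"
    if addr != sink:
        # A block list has no reason to map a name to a routable address.
        return None, f"address {addr} is not the sink"
    name = params.get("name", "")
    if not HOSTNAME.fullmatch(name):
        return None, "invalid host name"
    return name.lower(), None


def vet_rsc(text, sink="127.0.0.1"):
    """Return (sorted unique names, [(lineno, reason, line), ...])."""
    sink = ipaddress.IPv4Address(sink)
    names, rejected, in_dns_menu = set(), [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "/ip dns static":
            in_dns_menu = True          # bare menu line: "add ..." may follow
            continue
        if line.startswith("/") and not line.startswith(PREFIX + " "):
            in_dns_menu = False         # any other path leaves the DNS menu
        name, reason = check_line(line, in_dns_menu, sink)
        if reason:
            rejected.append((lineno, reason, line))
        else:
            names.add(name)
    return sorted(names), rejected


def build_import(text, tag, sink="127.0.0.1"):
    """Re-emit vetted names as our own commands; None if anything failed."""
    names, rejected = vet_rsc(text, sink)
    if rejected or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", tag):
        return None
    return "".join(
        f'{PREFIX} address={sink} name={n} comment="{tag}"\n' for n in names
    )


# Constructed sample input (not taken from any real list).
CLEAN = """\
# constructed sample: both line styles
/ip dns static add address=127.0.0.1 name=ads.example.com ttl=600w
/ip dns static
add address=127.0.0.1 name="Tracker.example.net" comment="ADBlock"
add address=127.0.0.1 name=ads.example.com
"""
TAMPERED = CLEAN + """\
/ip dns static add address=203.0.113.10 name=login.example.org
/ip dns static add address=127.0.0.1 name=x.example.com; /system reboot
/system reboot
add address=127.0.0.1 name=after-context-change.example.com
"""

if __name__ == "__main__":
    print(build_import(CLEAN, "adblock-list1"), end="")
    for lineno, reason, line in vet_rsc(TAMPERED)[1]:
        print(f"line {lineno}: {reason}: {line}")
```

Run it on the PC or NAS that fetches the list and upload only the returned text to the router; because the file is fetched once and vetted there, the router never runs bytes that differ from the ones that were checked.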
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 2:15 pm
by anav
Cant wait for the improved script Jotne!!
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 7:56 pm
by rextended
Cant wait for the improved script Jotne!!
Probably someone else will finish the script, I do not know if Jotne is rewriting the script...:
viewtopic.php?f=9&t=166293&p=871962#p871962
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 7:58 pm
by rextended
Cant wait for the improved script Jotne!!
Probably someone else will finish the script first (jvanhambelgium), I do not know if Jotne is rewriting the script...:
viewtopic.php?f=9&t=166293&p=871962#p871962
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Aug 09, 2021 9:18 pm
by anav
I dont think the world is ready for two rextendeds
(duplicate post)
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 10, 2021 1:38 am
by rextended
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 10, 2021 1:40 am
by anav
Fetch bank account from browser cache, send all money to rextended ??
When I get time I will ask you about it, but busy building an enclosure.
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 10, 2021 1:56 am
by rextended
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 17, 2021 10:09 pm
by volkirik
You are wrong at some points.
oh yes? what about boot time?
10 minutes without firewall rules on RB4011 and CPU spike.
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 17, 2021 10:12 pm
by Jotne
I do not reboot, so have not seen any of this. It also may be different from router to router.
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Aug 17, 2021 10:32 pm
by volkirik
I do not reboot, so have not seen any of this. It also may be different from router to router.
LOL. ok. ;P
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Oct 18, 2021 12:58 pm
by jult
You don't understand me. I'm looking for similar solution like Pi-hole but for mikrotik. Some script.
Don't want to use adblock, ublock etc in my computers and mobile devices.
But that would put pi-hole out of business, a very ruthless move on the part of MT.
PiHole is not a business, it is an open source free project. There are already many variants, most of them use dnsmasq in one way or the other, like diversion.ch and adguard.
PiHole community could not care less if mikrotik would have its own similar system.
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Mar 28, 2022 3:02 pm
by Jotne
It will not. This is the point of Pi-hole.
Where you get DNS to your hosted webserver (on your lan), does not matter. If it's DNS or DoH as long as it's the public name for your server.
DoH in your browser will however bypass both your local DNS or local DoH server settings.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Apr 15, 2022 1:39 am
by kevinds
I know there is i.e. Pi-hole but I'm afraid pages loading will work slower if there will be requests to raspberry.
Your fears are unfounded.. Pi-Hole only answers the DNS queries (they are tiny chunks of data), all your internet traffic doesn't go through the Pi board when using Pi-Hole.. You can also install Pi-Hole on a normal VM/PC/server.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Apr 22, 2022 12:57 pm
by reinerotto
DoH in your browser will however bypass both your local DNS or local DoH server settings.
Not necessarily.
Because DoH server can be blocked, and then fallback to standard DNS.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Apr 22, 2022 3:42 pm
by pe1chl
DoH in your browser will however bypass both your local DNS or local DoH server settings.
Not necessarily.
Because DoH server can be blocked, and then fallback to standard DNS.
How can you ever block all DoH servers? You would at least have to know which DoH server(s) your browser uses...
DoT is of course easier to block.
Re: Recommend way to block Ads with Mikrotik
Posted: Fri Apr 22, 2022 4:51 pm
by reinerotto
How can you ever block all DoH servers?
Not possible, of course. But possible to block the "well known" DoH servers.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Apr 23, 2022 12:38 pm
by Jotne
Not necessarily.
Because DoH server can be blocked, and then fallback to standard DNS.
Since you can not see what's inside HTTPS packages, you can not know if it's a web site or DoH traffic. And since anyone can set up a DoH or DoT server, there is no way you can block this.
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Apr 23, 2022 1:13 pm
by reinerotto
1) Since you can not see what's inside HTTPS packages, you can not know if it's a web site or DoH traffic.
2) And since anyone can set up a DoH or DoT server, there is no way you can block this.
1) Since every "well-known DoH-server" has an IP, it's possible to block. Or after interception of SNI.
Besides, assuming installation of special cert on clients (possible on corp devices, for example), your statement is wrong, too, because of transparent interception of https.
Although I doubt it would be possible using RoS.
2) Correct. However, "... block this" does not belong to the group of "well-known DoH-servers".
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Apr 23, 2022 1:30 pm
by msatter
DoT uses a default port, so it is easier for an admin to control. DoT by default uses a port that is encrypted.
However, the domain used can still be extracted, and this will be impossible with the latest version, in which the domain will also be encrypted.
DoH is difficult to block when the IP address is not on your block-list. DoT can be as evasive as DoH but lacks encryption of the domain.
Some reading about this:
viewtopic.php?p=925442&hilit=doh#p925442 (PDF file)
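The blocking options argued over in the posts above (DoT's dedicated port, an IP list of well-known DoH servers, a visible SNI) can be compared on a few flows. This is an added example, not part of any post; the resolver list is a small sample of public resolvers, and the flow records, field names and `doh.example` host are constructed assumptions.

```python
import ipaddress

DOT_PORT = 853  # DoT's dedicated TCP port
# Sample of well-known public resolvers that also serve DoH (not a complete list).
KNOWN_DOH_IPS = {ipaddress.ip_address(a) for a in
                 ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def classify(flow):
    """Return the verdict a port/IP/SNI policy gives for one flow record."""
    ip = ipaddress.ip_address(flow["dst_ip"])
    if flow["proto"] == "tcp" and flow["dst_port"] == DOT_PORT:
        return "block: DoT port"
    if flow["dst_port"] == 443:
        if ip in KNOWN_DOH_IPS:
            return "block: known DoH IP"
        # SNI is None when the client hides it or it was not captured.
        if (flow.get("sni") or "").lower() in KNOWN_DOH_SNI:
            return "block: known DoH SNI"
    return "allow"

# Constructed flow records (hypothetical field names, documentation IP ranges).
SAMPLE_FLOWS = [
    {"dst_ip": "9.9.9.9", "dst_port": 853, "proto": "tcp", "sni": None},
    {"dst_ip": "1.1.1.1", "dst_port": 443, "proto": "tcp", "sni": None},
    {"dst_ip": "203.0.113.5", "dst_port": 443, "proto": "tcp", "sni": "dns.google"},
    # Self-hosted DoH on an unlisted IP looks like any other HTTPS site.
    {"dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp", "sni": "doh.example"},
    {"dst_ip": "198.51.100.8", "dst_port": 443, "proto": "tcp", "sni": "www.example.com"},
    # Plain DNS to the same resolver stays open, so the client can fall back to it.
    {"dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp", "sni": None},
]

def run_sample():
    return [classify(f) for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()):
        print(flow["dst_ip"], flow["dst_port"], flow["sni"], "->", verdict)
```

The fourth flow is the case the thread disagrees about: nothing in port, address or SNI separates it from the ordinary HTTPS flow after it.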
Re: Recommend way to block Ads with Mikrotik
Posted: Sat Apr 23, 2022 10:28 pm
by reinerotto
"Some reading ..." confirms my statement from above. Thank you.
Re: Recommend way to block Ads with Mikrotik
Posted: Thu Aug 08, 2024 9:15 pm
by beadon
There is the built-in adblock for RouterOS. Follow this thread to get it working fully!
viewtopic.php?t=209239
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Sep 23, 2024 8:24 pm
by MrBlueTec
Using Winbox/web-GUI and newest RouterOS version.
1: Create a text-file with your blacklisted domains in this format:
0.0.0.0 assets.adnuntius.com
0.0.0.0 delivery.adnuntius.com
0.0.0.0 adform.net
0.0.0.0 a1.adform.net
0.0.0.0 adx.adform.net
0.0.0.0 adx2.adform.net
0.0.0.0 asia.adform.net
2: Upload the file to Files
3: Open IP, DNS and select "Adlist"
4: Select your file
That's it
Make sure you have assigned enough cache size in the DNS form in case your file is very big.
See more here:
https://help.mikrotik.com/docs/display/ ... DNS-Adlist
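Before uploading a list assembled from third-party sources, it helps to normalize it to the `0.0.0.0 domain` format shown in step 1 and to see how many entries it holds. The following is an added example, not part of the post or of RouterOS; the function names and the sample input are constructed.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names that hosts files carry for the local machine, not for blocking.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}

def is_valid_domain(name):
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))

def normalize_adlist(raw_text):
    """Return (lines, rejected); only 'SINK domain [domain...]' lines are accepted."""
    seen, lines, rejected = set(), [], []
    for lineno, line in enumerate(raw_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            rejected.append((lineno, line))   # e.g. an entry pointing at a real IP
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if not is_valid_domain(name):
                rejected.append((lineno, name))
            elif name not in seen:
                seen.add(name)
                lines.append("0.0.0.0 " + name)
    return lines, rejected

# Constructed sample mixing the styles found in public hosts lists.
SAMPLE = """\
127.0.0.1 localhost
0.0.0.0 assets.adnuntius.com
127.0.0.1 adform.net   # trailing comment
0.0.0.0 ADX.adform.net a1.adform.net
0.0.0.0 adform.net
0.0.0.0 bad_host!.example
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    print("\n".join(normalize_adlist(SAMPLE)[0]))
```

The length of the returned list is the number of entries the router will have to hold, and the rejected list shows which source lines need a look before upload.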
Re: Recommend way to block Ads with Mikrotik
Posted: Mon Sep 23, 2024 10:50 pm
by Rox169
Those are bad recommendations....
With new mikrotik dns block list you do not need Pi Hole anymore....
Go to IP/DNS and resize CACHE SIZE. If you have enough RAM put 30 000. Then choose the right dns block list from this link
https://www.avoidthehack.com/best-pihole-blocklists you can choose the same dns block list which Pi Hole use or AD Block. There are many lists to choose. Then copy link to the list for example this is what Pi Hole use as default
then go to IP/DNS/ADLIST click NEW and paste the link to the dns block list.
The Pi Hole block list is daily updated and mikrotik will download the data from the list every few hours.
Look here
https://www.youtube.com/watch?v=RMJnjyAOfLI
Re: Recommend way to block Ads with Mikrotik
Posted: Tue Sep 24, 2024 10:51 am
by rextended
What you write is correct, but the other two users are just necroposting with a topic from 2022 just to post something random...