Honestly, as a network engineer with 4 kids, we’re kinda just screwed.

The popular responses here are going to be about Pi-Hole and NextDNS (which I use today), but overall it’s a losing battle and all of it is easily circumvented.

With DNS-over-HTTPS becoming more and more prevalent in all things end-user devices, I suspect by this time next year using any kind of traditional DNS controls will be worthless.

We could go super heavy handed and deploy some home version of enterprise packet inspection, but that’s a whole bag of worms.

As for kiddos, I’ve gotten to the point where I combine good communication over obscurantism, device level traffic logging/monitoring, all mixed with a hard off switch for communications at and after certain times to be the winning ticket.

As far as tracking and ads... we’re all going to lose that battle fairly soon. The same tech we all praise as good for privacy is also great for data collection and advertising.
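The DoH point above is the one a Pi-hole or NextDNS user can at least detect: a device that is about to switch to DNS-over-HTTPS usually first resolves the DoH resolver's hostname through the local resolver. The following is an added example (not from this thread or from the Pi-hole project) that scans constructed dnsmasq/Pi-hole-style query log lines for lookups of well-known DoH resolver names, and separately reports which clients performed the Firefox canary lookup (`use-application-dns.net`, which Firefox uses to decide whether to keep DoH off). The resolver hostname list and the sample log lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq/Pi-hole-style query log lines (not real traffic).
SAMPLE_LOG = """\
Mar  3 20:01:02 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar  3 20:01:03 dnsmasq[812]: query[A] dns.google from 192.168.1.20
Mar  3 20:01:04 dnsmasq[812]: query[AAAA] mozilla.cloudflare-dns.com from 192.168.1.31
Mar  3 20:01:05 dnsmasq[812]: query[A] use-application-dns.net from 192.168.1.31
Mar  3 20:01:06 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.42
"""

# Hostnames of public DoH resolvers (assumed list, extend to taste). A client that
# resolves one of these is likely about to send DNS over HTTPS, bypassing the
# local resolver's blocklist.
DOH_RESOLVER_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# Firefox queries this canary name; an NXDOMAIN answer tells it to keep its
# built-in DoH disabled. Seeing the query means that client still asks the local resolver.
FIREFOX_CANARY = "use-application-dns.net"

LINE_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_query_log(text):
    """Yield (qtype, name, client) tuples from dnsmasq-style query lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("type"), m.group("name").lower(), m.group("client")

def doh_bypass_report(text):
    """Map each client to the set of DoH resolver hostnames it looked up."""
    report = defaultdict(set)
    for _, name, client in parse_query_log(text):
        if name in DOH_RESOLVER_HOSTS or any(name.endswith("." + h) for h in DOH_RESOLVER_HOSTS):
            report[client].add(name)
    return dict(report)

def canary_clients(text):
    """Clients that performed the Firefox canary lookup."""
    return {client for _, name, client in parse_query_log(text) if name == FIREFOX_CANARY}

if __name__ == "__main__":
    for client, hosts in sorted(doh_bypass_report(SAMPLE_LOG).items()):
        print(f"{client} resolved DoH endpoints: {', '.join(sorted(hosts))}")
    print("canary lookups from:", ", ".join(sorted(canary_clients(SAMPLE_LOG))))
```

This only catches clients that bootstrap DoH by name through your resolver; a device with the resolver's IP hard-coded never appears in this log, which is exactly the limit the comment above describes.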
They are somewhat separate problems. But let's begin with ads, tracking and malware/bots/whatever uses a domain name. You have two different options: SaaS and self-hosted. It's a matter of opinion, but I would say Pi-hole (self-hosted) or NextDNS (SaaS); a no-cost SaaS option would be using the AdGuard DNS servers in your router instead of the ones of your ISP.
Personally I use NextDNS, it's robust and thanks to the options I can tweak it to my needs without having to upgrade / update stuff.
The second part, keeping my network secure, is a bit more involved; it can mean anything from simply having different wireless networks for different purposes (IoT, video surveillance and guests are common) to packet inspection and intrusion detection. Mostly, use the separate wireless network strategy and forget about the rest; the maintenance is too high and the gain too low for personal networks.
Regarding blocking ads, etc. - you might want to check out Pi-hole. It can run on a Raspberry Pi (hence the name) or just about anything. It’s pretty easy to set up. Works for blocking ads and trackers, and you can set up additional blocks as well (for Instagram, for example).
Pi-hole along with any custom blacklists you want (e.g. for social media, porn, etc).

https://pi-hole.net/

Blocklists are all over the place, do some googling. I like https://firebog.net as a jumping-off point.
Does it really matter how private & secure your network is when the NSA can capture all traffic in the upstream?
They can't spy on any US citizens, they say; that's the rule, & they have many oversight committees such as Congressional oversight committees to watchdog them.

Tricky NSA moved the upstreams & downstreams to South Africa. So a US citizen's data is no longer in the USA, technically... & they can collect it.
Bulk collection, encryption breaking, data mining with algorithms & keywords.... but they only keep it all for 72 hours, then it gets securely deleted.
That's the way it is boys. And I'm not a hacker, at all & I found this.
I believe the thing to do is fly stealth under the radar at all times, as minimally as possible, and count the hours (72) between transmissions.
You can use ethernet connections whenever possible so you aren't broadcasting as much info.

Not very helpful, but you can also reduce your wifi power and/or place it in the basement (if you have one) to limit the range (physical attack surface). You can also schedule the wifi to turn off during hours that you don't need it (11pm-6am?). This will reduce the amount of time someone could monitor/attack via wifi. It also reduces your exposure to RF, if you're into that.
- Make sure you're on a NAT.
- Use privacy-respecting mobile devices, such as Apple.
- Use anti-tracking measures as mentioned, like Pi-hole and/or a hosts-file service.
- Forbid social media apps; they are a scourge.
- Use privacy-respecting browsers like Firefox and Safari. Set protection higher than standard.
- Consider browser extensions like Ghostery, etc.
I just bought a firewalla blue device that handles this. It's a bit expensive but it really is a no hassle solution. So far I don't regret the purchase.