I use Pi-Hole plus WireGuard to route all my devices through my home broadband connection (so even on a hotel/train WiFi, when on LTE, etc). I forward it to Unbound which uses DNSSEC and DNSCrypt. I'm using an EdgeRouter Lite for that purpose. It does add a little bit of latency, but I don't mind, as it also increases my privacy on the insecure link. It also works on, say, a smart TV or an official Android device (I use a rooted Android device with microG which doesn't implement GAds). My partner sees barely any ads at home due to this setup (I did not bother to set up WireGuard on her smartphone as of yet).
On each individual client device I also use a layer 7 firewall ("personal firewall"). On macOS I use Little Snitch and LuLu. On Linux I use OpenSnitch. I don't use Windows, but if I did I'd at least remove all the tracking stuff (for example with O&O ShutUp). On Android, I don't use a layer 7 firewall, which is my bad.
For browser, on every OS I use a configured Firefox (which I did NOT document; my bad!) with a bunch of addons. uBlock Origin (mainly to manually block "you are blocking ads" notices). I use uMatrix, Cookie AutoDelete, Smart Referer, Privacy Badger, Decentraleyes, HTTPS Everywhere, containers for Amazon/Facebook/Google (would like to add Microsoft), CanvasBlocker, Tracking Token Stripper, Forget Me Not, Terms of Service; Didn’t Read, and Buster: Captcha Solver for Humans.
uMatrix will break the web. However it is more user-friendly than NoScript ever was. You are going to have to configure such. For websites you regularly use, you can save the temporary changes, or just not use such bloated websites. Also, I recommend the addon Dark Reader and the feature Reader Mode.
To test your setup on your browser, try ipleak.net. One of the things I configured in Firefox, is to disable WebRTC. I don't use an addon for that.
1. Sending a pull request to the official pi-hole project wiki to get this added to their docs?
2. Adding a small nugget about running just the DNS traffic through the VPN instead of all of it. It is a one-line config, IIRC.
So, a good way for apps to circumvent common blocklists for trackers/ads is to fall back/connect to a hard-coded IP address if connecting to the domain doesn't work...
It would be good if Little Snitch would have an option to disable this behaviour for specific blocklists.
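One defender-side check for the fallback described above is to correlate the resolver's answers with the host firewall's connection log and flag connections to public addresses the resolver never handed out. This is an added example, not code from Little Snitch, Pi-hole or any other tool in the thread; both log formats and all addresses are constructed for the demo.

```python
"""Flag outbound connections whose destination IP was never returned by the
local resolver: the pattern a DNS-based blocklist cannot see.

Added example; the "reply" and "app=... dst=..." line formats below are
constructed for this demo, not a real product's log format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed DNS reply log (answers the LAN resolver handed to clients).
DNS_LOG = """\
2024-05-01T10:00:01 reply cdn.example.net is 203.0.113.10
2024-05-01T10:00:01 reply cdn.example.net is 203.0.113.11
2024-05-01T10:00:05 reply tracker.example.org is 0.0.0.0
2024-05-01T10:00:09 reply api.example.com is 198.51.100.7
"""

# Constructed per-connection log from a host firewall (time, process, dst).
CONN_LOG = """\
2024-05-01T10:00:02 app=browser dst=203.0.113.10:443
2024-05-01T10:00:06 app=weatherapp dst=198.51.100.99:443
2024-05-01T10:00:10 app=weatherapp dst=198.51.100.7:443
2024-05-01T10:00:11 app=weatherapp dst=192.168.1.20:8080
"""

DNS_RE = re.compile(r"^(\S+) reply (\S+) is (\S+)$")
CONN_RE = re.compile(r"^(\S+) app=(\S+) dst=(\S+):(\d+)$")

# Local ranges we do not care about. Listed explicitly because Python's
# ipaddress.is_private also treats the documentation ranges used in the
# sample data (198.51.100.0/24, 203.0.113.0/24) as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_dns(text):
    """Map each answered IP to the set of names that resolved to it.
    Sinkholed answers (0.0.0.0 / ::) are blocks, not reachable hosts."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        _, name, ip = m.groups()
        if ip in ("0.0.0.0", "::"):
            continue
        seen[ip].add(name)
    return seen


def find_undns_connections(dns_text, conn_text):
    """Return (app, dst_ip) pairs that reached a non-LAN address the resolver
    never returned, i.e. likely hard-coded fallbacks.

    Caveat: a client may reuse a cached answer from before the log window,
    so run this over a window longer than the TTLs you expect to see."""
    resolved = parse_dns(dns_text)
    hits = []
    for line in conn_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        _, app, ip, _port = m.groups()
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LAN_NETS):
            continue  # LAN / localhost traffic is out of scope here
        if ip not in resolved:
            hits.append((app, ip))
    return hits


if __name__ == "__main__":
    for app, ip in find_undns_connections(DNS_LOG, CONN_LOG):
        print(f"{app} reached {ip} without a matching DNS answer")
```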
Using these tools suggests I'm most profilable by the fact that I use macOS. Which I can hide in the user agent string, but it is then still detected.
It may or may not be worth considering depending on your threat model. There may also be novel techniques published since.
Edit: It looks like amiunique is detecting extensions with Plugin Detector, which claims to work on Firefox, and at the very least can detect Adblock (per amiunique).
I don't use any special plugins; only the default ones (which are a practical, necessary evil). If I were to remove/disable the default plugins, that'd increase my fingerprint.
If I want to be tracked less easily I'd need to not browse fullscreen, I'd need to not use a native Mac browser but run a Windows or Linux VM or a remote SSH connection (which, quite frankly, is quite possible in a terminal these days as per Browsh), and I'd need to use only the default fonts (because I am using specific fonts in ~/Library/Fonts). Some of the fonts there are temporary or backup fonts. I will move these to a temporary directory, and load them ad hoc.
But, you obviously have a good grasp on what is in your threat model and what isn't. My original comment was geared more towards the people who pile on privacy extensions, sometimes at random, who are under the impression that more extensions always equals more protection.
Or would it be the first-party fingerprinting you and sharing that with their third-parties?
All my clients run Firefox with uBlock Origin and HTTPS Everywhere. I ran NoScript for a while but it is quite painful to manually allow scripts on a lot of pages, so I think I have found a nice balance. I have also turned off wasm support in Firefox.
If a site doesn't work with the above, or shoves large nasty inline popups with "we value your privacy" etc. at me and does not show a clear reject button, I leave.
edit: I also pay subscription to most of the websites I use often that support payment and if they don't I email them and tell that I don't want ads and that I'd like to pay for it. Usually one can come to an arrangement.
I want to see how it behaves in the wild before I run it myself.
I did read through it though to make sure it didn't do anything bad, however there is a risk that whatever list you download might be malicious some day.
A couple of others have given me donation links where I can set up whatever payment I think it's worth, as a one-off or recurring. Sometimes they have a patron without my finding it.
I ad-block all of them anyway so even if they don't "turn off" the ads I am not seeing them.
Personally, I use uBlock Origin + Privacy Badger (and NoScript for work, per policy). In most cases, if a site doesn't work I've realized I really don't want to be there (and the Internet is likely better off without adding my rant to the comments section of that clickbait article I really shouldn't be wasting my time with). It is fairly rare to find a broken site and rarer still to actually need to use it (airlines are the worst), so I don't sweat the time to temporarily disable protection or work out the whitelist.
Their FAQ says it's a replacement to Adblock Plus (which implies uBlock Origin too).
What makes you use both of them together? Why not just Privacy Badger?
That's somewhat different than uBlock Origin's no-ads-what-so-ever policy.
Your workplace requires you to browse with NoScript?
For phones, you could run DNSCloak with AdGuard DNS (iOS) or Blokada (Android). There's AdGuard Pro, Lockdown Firewall, and Guardian VPN+Firewall for iOS that are super neat.
NoRoot Firewall, NetGuard, and GlassWire Firewall for Android that I've found to have acceptable privacy policies. LittleSnitch or LuLu Firewall for Mac, GlassWire Firewall for Windows are some of the other options.
Pi-Hole your routers too for other devices connecting to Internet.
You can marginally reduce the recaptcha "problem" by using the Privacy Pass extension, though I can't speak to whether there's a net loss of privacy by using it.
Unfortunately Google uses their captchas to train image recognition algorithms so they have an incentive not to do so.
How does this manifest itself to you? With uBlock Origin installed (part of the usual recommendations) you don't see any ads at all. I couldn't tell if some website shared data with another website, because the effects that I could observe (e.g., ads that follow me around) are already gone.
It's PiHole as a Service.
- EDNS is not working (the setting does nothing), I have tested it with Akamai CDN and they don't report any EDNS
- The upstream DNS server used by Nextdns is not always the nearest to you, meaning some CDNs will redirect you to a content cache server in another country.
These two problems combined make downloading some content noticeably slower for me.
And the weird part, I reached them via support and started troubleshooting with them and for no understandable reason they dropped the conversation and they do not respond to me now (??). I know it's beta with no warranty but still it doesn't look good.
I'm back to pi-hole for my home network but I'm still using them on my iPhone, although I'm looking to set up my own DoH server + pi-hole and use the AdGuard iOS DoH client.
Otherwise, a good value prop, provided you turn off their logging feature that captures client-ip among other metadata.
Also, keep in mind that you could run Pi-Hole on a VPS and split-VPN only DNS traffic through it: https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/ DO charges $5 for 1TB traffic and a decent amount of compute, which ought to be enough for 500 or more (?) devices' worth of DNS traffic.
What is the difference between IPv4, unbound, stubby, knot, and cloudflared - do you set one, or all of them? Do I want DNS over HTTPS, DNS over TLS, or both? Is it compatible with a VPN?
For the trouble, it looks like it wouldn't be any harder to just set up your own Pi-Hole. Am I wrong?
Use DNS over HTTPS for:
2. Intra app on Android phones below version 9.
3. cloudflared on Linux.
4. Their official iOS app.
Use DNS over TLS for:
1. Android 9 and above.
2. Knot or Stubby or unbound clients on Linux.
IPv6 and IPv4 are for DHCP provided DNS:
1. With IPv4, you'd need to link your client-ip (public IP of your router) with your nextdns setup.
2. IPv6 doesn't require any such linked-ip acrobatics.
If you use DNS over HTTPS on Android or iOS, you won't be able to use a VPN, and that's because the DNS traffic is itself routed through a VPN and one can't chain VPNs on Android just yet. Other than that, VPN should work with rest of the setup mechanisms.
I ask because it seems simple enough that I can just install it really quickly on non-technical people's computers (when they ask me for help) without bothering to download a bunch of extensions on different browsers, updating stuff, etc, etc...
Also, aggressive blocking can cause some websites and apps to break. dns.adguard.com (DoT) and https://dns.adguard.com/dns-query (DoH) whilst not aggressive don't break as many websites and apps, and would remain free to use. Nextdns would cost you $1 a month if you need more than 500k queries once they're out of the beta stage.
Just, wishing I saw this before I settled on Pi-Hole.
If you're talking about the "please disable your adblocker to continue" messages, you can consider something like Anti Adblock Killer, which can help bypass those kinds of blocks.
As far as the best setup, I think what you have is fairly close to "the best" already without getting more hands-on. You can check out Pi-hole which I've heard is superior, but harder to set up.
My experience has been generally good, but weird stuff (especially authenticating/login) just won't work sometimes with uBlock and Privacy Badger running.
I also use the HTTPS everywhere Chrome extension, so perhaps that is an added factor that breaks things.
For uBlock Origin, the best solution is to report the breakage to filter list maintainers.
Keep in mind that all the lists are community-contributed, with filtering issues addressed as users report them. So you benefit from these when using a content blocker making use of these community-maintained lists.
So when you report a broken site and, as a result, the lists are updated, then you have contributed back to having the issue addressed for others as well when they visit the site.
The basic default lists/settings should have minimal breakage issues.
* * *
Side note: uBO is a content blocker, not an "ad blocker" -- I never ever referred to uBO as an "ad blocker". I consider this an important distinction.
At home you need to first subvert your ISP.
Make sure you have a router doing blocking, like a PiHole. For mobile devices always use a VPN and DNS protection like dns-crypt. Use Cloudflare’s mobile DNS over HTTPS solution even though that’s a single point of failure, decide for yourself how risky you think that is.
Besides browser specific plugins you should implement a host block. The host block lists are not too exhaustive so if you use dns-crypt configure it to log every dns request and add any new hosts to your block list that look surprising.
It’s a lot of work, but if that’s what you’re looking for you may find some fun ways to automate this workflow :)
My browser has built-in URL-based filters.
I browse with JS disabled except for a handful of sites, which I enable for the session whenever I need it.
My browser makes it easy, with a three-key shortcut to toggle it.
This is about the extent of it.
I used to use uBO, which I still think is great, and enough for most Chrome and Firefox users. Many blessings to its maintainer.
This is the real problem at the end of the day. Some of the worst offenders as far as privacy and security are useful so they're hard to detach from.
Every six months or so I try OpenStreetMap and see if I have the patience to deal with its more limited functionality. So far the answer has been "no" but I'm due for another try...
It's more about wasting my cycles, safety of my environment, etc.
It's certainly nice to not ping 127 trackers per page, a nice bonus.
Google Maps doesn't do that anyway. Except to Facebook, IIRC... Or is that vice versa? Facebook knows where I am too, but at least they're in a no-JS jail, thanks to the half-maintained but sturdy m.facebook.com.
Anyway, feel free to hang out on this lawn as long as you like, it's not like it's mine.
For home I just run my own bind DNS servers internally. And then for friends and family I have them set their routers to a couple bind DNS servers (same config as my internal ones) in the cloud.
For all of the above I use the same block list. It currently has about 25k entries, and is built with some data from a few of the well known public lists. But I augment that with domains I find by regularly auditing specific websites that are particularly aggressive with ads and specifically trackers.
But with that said, since I've got friends, family and paying users working from that list, I do actively try to prevent the breaking of popular sites and services. For example, personally I'd outright block anything related to Facebook since I quit them years ago, but too many people still use it, so for my list I try to keep a good balance by blocking their pixel and stuff like that, while allowing the resources absolutely necessary for the site.
FYI, dns.adguard.com does more or less the same thing, and is free.
There are free alternatives. So, you might need to provide extra value-add for the $1 (I understand no-logs is a value-add).
If I may ask, what does the tech stack look like? And what's the software run for DoT and DoH?
Small observation: when you disclose something, it's a disclosure.
Wrote a post about that https://weekly.elfitz.com/2019/02/12/block-ads-and-trackers-...
But the best setup (still haven't done it) would probably be pi-hole, remotely accessible over some vpn (because you don't want to manage what would otherwise amount to a publicly accessible DNS server). It would cover all your apps and devices.
Next best is Firefox with uBlock Origin, uMatrix, Privacy Badger, Cookie AutoDelete, Decentraleyes, and a bunch of about:config alterations. Some sites will break. If a site breaks I either forget about it or open it in incognito.
Agreed. lynx(1) is my primary browser, after configuring its "externals" and some patching of it (then re-compiling) to rewrite URLs (mostly the Google crap).
My secondary is emacs-w3m with heavy URL re-writes.
Better uses our own list of blocking rules, curated and maintained by Ind.ie. We use the principles of Ethical Design to decide what should be blocked. This is our only blocking criteria, advertisers cannot pay us to compromise our integrity and unblock them.
Better does not block respectful ads. Respectful ads respect human rights, human effort, and human experience. For an example of respectful ads, see The Deck network, winner of our first Cloud of Fame award.
It only works on Apple’s platforms, and the OP didn’t specify what they’re using. Furthermore, it’s just a Safari Content Blocker with (last I checked) a single list, meaning it has a hard limit of 50k rules, “curated” by (by their own admission) “a tiny two-person-and-one-husky” team.
I’m glad it works for you (and many others), but for a tech-savvy crowd that cares about long-term effectiveness, that’s an inferior solution.
VPN with ipv6 turned off since they don't reroute that
With uMatrix I also block all first-party cookies and scripts by default and whitelist as needed.
This only breaks websites the first time you visit them. The only thing that becomes an issue is uMatrix, but as you whitelist the sites you need it just ends up not being a big deal.
I also use the Multi-Account Containers add-on and the Temporary Containers add-on. This allows me to pin a few big sites to their own containers (Google, Amazon, etc.) and open all other new tabs in temporary containers. This setup works great and appears to help keep Firefox fast over time. I use DuckDuckGo to search, but Firefox makes it trivial for me to re-run a search with Google if I need to.
I also run an ad-blocking VPN on Google Cloud using Algo. I use Google Cloud because the VPN can run on the permanently free tier and I only pay for network traffic (which is near zero), and I also enjoy the irony of it. I have WireGuard clients set up on all of my devices to use the VPN either permanently (phone) or on demand (laptops). Having this VPN is nice as it makes it easy to block ads in apps on my kids' mobile devices.
This VPN setup works OK but not quite as well as when I ran the same thing using Streisand and OpenVPN clients. I only say this because I have a homebrew whole-house audio setup with a bunch of Google Audio Chromecasts, and no matter how I tweak the WireGuard client settings I cannot get that casting to work properly. With OpenVPN clients, those settings are a cinch.
A way to beef up your privacy protections might be to look at DNS filtering. I use dnscrypt-proxy with a blocklist. You can also put trackers in your hosts file in order to route them to 0.0.0.0. https://filterlists.com/ is a nice resource to start out at.
A bit of a catch-22 - by protecting my privacy (unless I make myself unfingerprintable, which is very difficult) I make myself unique.
Note you don't need a Raspberry Pi to run Pi-hole, you can run it using a Docker image too.
Next, if you have a good password manager that can auto-fill logins, set Firefox to delete all cookies (and everything else) when you close the browser. That way, every time you open your browser you're starting from a clean slate. I promise you'll quickly get used to logging in every time, and it won't be that hard.
Next, enable Firefox's Multi-Account Containers add-on. This basically allows you to isolate sites you commonly use into their own cookie realms. Create containers for the sites you want to isolate (Google, Facebook, LinkedIn, etc.) and set those domains to always open in that domain's container. That way, when you click on a link to Facebook it will auto open a new tab in that Facebook container.
Next, install uBlock Origin. I don't think there's a need to install Privacy Badger since you're already blocking third party cookies, but others please correct me.
Next, for websites that don't work with uBlock Origin, create a dedicated container for that domain and set to always open in that container. Then, whitelist in uBlock Origin whatever tracker on that site you need to run things properly. That way, the tracker is isolated to just that domain's container.
Overall, Firefox's Multi-Account Containers are extremely powerful for isolating site cookies and trackers. I wish they would allow you to set different cookie settings per container, so you could by default clear cookies when you close Firefox and add exceptions for specific containers, but even given that deficiency, is still the most powerful browser feature that's come out since tabs.
1/ Chrome browser with extensions - Disconnect (https://disconnect.me/), Ad blocker, and Anti-Adblock Killer script with Tampermonkey.
2/ Cookies disabled by default.
3/ Any site which refuses to function without them, I open in an incognito or guest window.
This gives me minimal problems. Most of the tracking is out via Disconnect, many ads are blocked automatically, and the remaining ones I block manually. I will definitely be tracked by a few websites and third-parties, but this gives me a better balance than just focusing on complete block.
To add to it, google provides you an option for not recording searches and location. Also, keep deleting cookies regularly for the ones you have enabled.
I've been out of the game for awhile, so I'm wondering what beats uBlock nowadays... Any recommendations?
That is incorrect.
uBlock Origin has filter syntax not found in ABP, so there will be a meaningful difference when it comes to what is blocked or not, and also there is a difference due to policy.
* * *
The only issues I have had have been on Pinterest. What sites do you have issues on?
"uBlock Origin in Medium mode for Lighter and Stronger Protection, with Less websites breakage and hassle"
Blocking mode: medium mode
You block domains at the DNS level; you can download a variety of block lists and you can also create your own. You can log the DNS lookups to find out what domains are being used, which can be used to further build a block list. The advertising code and tracking code never gets downloaded. It runs on the Windows PC so you don't have to worry about making changes to anything else upstream; great for laptops and road warriors who use a variety of internet connections.
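The "log every DNS request and add the surprising hosts to your list" workflow described here (and earlier for dns-crypt) can be scripted. This is an added example, not code from Pi-hole, dnscrypt-proxy or any list maintainer: the blocklist is in the hosts-file syntax the thread's lists use, while the query-log line format, the allowlist and every domain and client address are constructed for the demo.

```python
"""Mine a resolver's query log for domains that are not yet on the blocklist
and report them for review, most-queried first.

Added example; the "query[TYPE] name from client" log format is constructed
for this demo, the blocklist is standard hosts-file syntax.
"""
import re
from collections import Counter, defaultdict

# Constructed blocklist in hosts-file syntax (0.0.0.0 sinkhole form).
BLOCKLIST = """\
# sample list
0.0.0.0 tracker.example.org
0.0.0.0 ads.example.net   # inline comment
127.0.0.1 localhost
"""

# Names you never want flagged (your own hosts, CDNs you rely on). Constructed.
ALLOWLIST = {"cdn.example.com"}

# Constructed query log: date, time, query type, name, client.
QUERY_LOG = """\
2024-05-01 10:00:01 query[A] tracker.example.org from 192.168.1.20
2024-05-01 10:00:02 query[A] metrics.tracker.example.org from 192.168.1.20
2024-05-01 10:00:03 query[AAAA] cdn.example.com from 192.168.1.21
2024-05-01 10:00:04 query[A] beacon.analytics-vendor.example from 192.168.1.21
2024-05-01 10:00:05 query[A] beacon.analytics-vendor.example from 192.168.1.20
2024-05-01 10:00:06 query[A] mail.example.com from 192.168.1.22
"""

HOSTS_RE = re.compile(r"^\s*(\S+)\s+(\S+)")
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")


def parse_hosts(text):
    """Return the set of names a hosts-style list sinkholes to 0.0.0.0/127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop full-line and inline comments
        m = HOSTS_RE.match(line)
        if m and m.group(1) in ("0.0.0.0", "127.0.0.1") and m.group(2) != "localhost":
            blocked.add(m.group(2).lower())
    return blocked


def parse_query_log(text):
    """Yield (name, client) for every query line; names are normalised."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(2).lower().rstrip("."), m.group(3)


def blocked_parent(name, blocked):
    """Hosts files match exactly, so a subdomain of a blocked name slips
    through; return the blocked parent (if any) so the reviewer sees why."""
    parts = name.split(".")
    for i in range(1, len(parts) - 1):  # never consider the bare TLD
        parent = ".".join(parts[i:])
        if parent in blocked:
            return parent
    return None


def candidates(blocklist_text, query_log_text, allowlist=ALLOWLIST):
    """Unblocked, non-allowlisted names seen in the log, with query and
    distinct-client counts, ordered by query count."""
    blocked = parse_hosts(blocklist_text)
    counts = Counter()
    clients = defaultdict(set)
    for name, client in parse_query_log(query_log_text):
        if name in blocked or name in allowlist:
            continue
        counts[name] += 1
        clients[name].add(client)
    return [{"domain": name, "queries": n, "clients": len(clients[name]),
             "blocked_parent": blocked_parent(name, blocked)}
            for name, n in counts.most_common()]


def hosts_lines(domains):
    """Render the names you decided to block as hosts-file lines."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


if __name__ == "__main__":
    for c in candidates(BLOCKLIST, QUERY_LOG):
        note = f" (parent {c['blocked_parent']} already blocked)" if c["blocked_parent"] else ""
        print(f"{c['queries']:3d} queries / {c['clients']} clients  {c['domain']}{note}")
```

Review the printout by hand before appending anything; a name that many clients hit and whose parent is already blocked is the usual candidate, a one-off from a single client often is not.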
In my browser I use uMatrix since it gives me fine-grained control over what websites can do. I have very strict default policies that break most sites but you can set them to whatever you want.
Additionally I've written my own regex-based request blocker for YouTube midroll- and page ads since I don't trust other, more opaque ad blocking solutions that handle those (like AdBlock Plus). It does break all other Google services I'm aware of however. (Which I could patch but I don't really mind.)
On older versions of Windows, for example, networking and browsing slows noticeably as the size of the host file increases.
The same can be said for rootable mobile devices, though it’s less noticeable off WiFi because cellular latency is so much higher.
I would guess, marginal consumer and home routers will suffer with larger hosts files, but I don’t have sufficient experience to claim this for certain.
Background: years of discussions and issues at https://github.com/StevenBlack/hosts, which I maintain.
I also just checked via dig if there is any slowdown and dig didn't report any. (I first queried google.com with the large hosts file, then replaced the hosts file with a default one, cleaned my DNS caches and requeried and it didn't show any speedup.)
Simple corporation block list (e.g. Facebook, Google) https://github.com/jmdugan/blocklists/tree/master/corporatio...
"Someone Who Cares" list http://someonewhocares.org/hosts/
Ultimate Hosts Blacklist: 1 million blocked domains (once in a while you might need to unblock something) and also a bonus known hacking IP blocklist (prevents common hacking sources). https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist
If you have an iOS device, install an ad blocker app like AdBlock Fast; this plugs into practically all web sessions on the phone.
JSBlocker is cranked up to the max - no inline JS, or frames or videos, etc. Then as I go about info surfing I progressively enable services that are vetted, like some content delivery services, common JS frameworks, etc.
Makes the web actually tolerable.
I use Safari with JS and cross-tracking disabled on macOS and iOS, Firefox with a custom user.js on elementaryOS. I enable JS only when necessary — looking at you, Help Scout.
For actual blocking, I run a Pi-hole on a VPS that connects to multiple DNSCrypt servers that I control, which block everything I want while improving privacy. Planning on replacing Pi-hole with AdGuard Home for DNS over HTTPS and DNS over TLS, since I want to have this server public at some point, for others to use.
If anyone is interested in testing, shoot me an email at email@example.com. No logging, DNSSEC, disk encryption, Canonical Livepatch, 24/7 monitoring and completely open source.
Elsewhere I use LittleSnitch on my Mac, followed by Firefox (w/ associated plugins like everyone else).
I don't know how efficient it is for tracking, but at least I have the moral high ground of going after blocking tracking, not ads in general ...
This will break a lot at first, but uMatrix allows you to build a whitelist easily, and slowly over time websites won't be broken half as much, and it'll be exceptionally rare for you to have to disable the whole extension whenever you want things to get working again.
I put every "big data" collector (Google, FB, etc.) in a single container using FMAC.
(And to be honest: I tried uMatrix but it was too work intensive.)
I love ublock’s ability to easily block individual elements of a page such as distracting video or moving crap.
uBlock Origin, Decentraleyes, httpseverywhere, DNS over HTTPS (currently Cloudflare, but plan to use my own resolver soon)
If you outsource processing/filtering, that data has commercial value eventually.
Many of the configs you are going to see here can be reasoned through the suggestions at their site.
If one doesn't want to break the web, they shouldn't block ads since most of the web is free thanks to ads.
I use a blacklist approach and only block ads on those websites which clearly have no consideration for usability (popups, autoplaying videos, ...) or for privacy.
I have found that uBlock Origin is great for this approach.
Things you pay for with your privacy and attention aren't free.
If you visited a website and they charged your bank account without your permission, that would be theft. If you visit a website and they take your data and attention without your permission, that's also theft. I don't agree to the self-serving assumption I've somehow agreed to pay for your content on your terms simply by visiting your webpage. You don't have the moral high ground here.
I'm old enough to remember when people put content onto the internet because they wanted to, not because it brought them ad revenue. The internet was better then, and many of those old-style websites are still the best sources of information on the internet. I also pay for content with money, and that content tends to be much higher-quality. If all the businesses supported by ad revenue go out of business, I'm pretty okay with that.
In your words, using a service without paying for it is also theft.
No. If you don't want me to see your content, don't send it to me.
If you want me to agree to do something before looking at your content, then send me a contract of some sort and don't send me the content until I agree to the terms of your contract. Otherwise, I haven't agreed to do anything for you just because you sent me your content.
I'll also point out that you said upthread:
"If one doesn't want to break the web, they shouldn't block ads since most of the web is free thanks to ads."
First you say it's free, then you say I'm stealing it? Which is it, are they free or am I obligated to pay for them?
Imagine if other businesses worked this way. You hear a store is giving away books, so you go and ask them for a free book, and they say, sure, yes, the books are free! But as you're reading the book, you come to a page where it says that by accepting a free book you've agreed to also read a packet of marketing materials for the bookstore, send them a DNA sample, and spend some time mining gold for them. And no, you can't give the "free" book back, you've already started reading it so if you don't do what the bookstore demands, that would be stealing!
I didn't say that ads are great. I said that NOT ALL ads are bad, and without them some great content couldn't exist, because most people need funds for their work and selling stuff or services sometimes isn't an option.
So if you're talking about tracking ads, I'm totally with you. But if you're talking about ALL ads, then your idea may be an utopia.
Ads are inherently trying to make me want something I don't want, so I'd say that all ads are bad.
> most people need funds for their work and selling stuff or services sometimes isn't an option.
Why is that, exactly?
Nobody has to sell ads. If your business only works because you sell ads, your business model doesn't (or shouldn't) work. I don't think that we as a society benefit from propping up businesses who produce content that is so low-quality that nobody would pay money for it.
> So if you're talking about tracking ads, I'm totally with you.
What ads aren't tracking me? There are only a few ad networks who even claim not to track you, and it's unclear how many ads those companies actually serve up--it's certainly not a large portion of the ads on the internet. And as far as I know none of the ad companies out there have open-sourced their code, so whether they're telling the truth is a big open question. Advertisers certainly have lied about this in the past. Apple, for example, has been dinged for this a few times, while trying to sell itself as a privacy advocating company.
WITH evidence, click through and conversion rates are very low already, so it's pretty hard to persuade advertisers to advertise without collecting as much data about you as possible. So nearly all the ads out there are tracking ads. Even if you only accept that all tracking ads are bad, the word "tracking" is only a minor technicality.
1Blocker for Safari.
uBlock Origin for Chrome.
At home, I have AdGuardHome installed in a VM acting as my home network's DNS. It's pretty effective and is an alternative to PiHole. This is a first-tier filter I have while at home for all my devices. https://github.com/AdguardTeam/AdGuardHome/
On the web browser, I have the AdGuard Firefox extension. https://adguard.com/en/adguard-browser-extension/firefox/ove...
For my mobile phone, it's a little obtuse but relatively straightforward. I have a non-rooted Android phone. I've installed AdGuard for Android there as well. The way it works is it runs a local VPN on my phone, so all device traffic goes through a localhost proxy, which filters the DNS and unencrypted TCP traffic. For HTTPS filtering, it installs a local TLS CA to perform re-signing of websites (you can configure it to ignore EV certificates, as I have, which are more common with online banks and more secure sites). It works pretty well, with the exception of apps that have built-in ad platforms like Instagram. It blocks 100% of ads in apps like Wunderground, Reddit, and Firefox. https://adguard.com/en/adguard-android/overview.html. There's also an iOS version of the app on their website.
I have a Google Play Music subscription which comes with YouTube Premium. However, more and more YouTubers are diversifying their revenue, and have gone to completely sponsored videos with embedded ads. For sponsored clips in YouTube, SponsorBlock extension: https://github.com/ajayyy/SponsorBlock
Decentraleyes [sic] is another extension that I use primarily on my phone, but also at work. It allows the web browser to use local versions of CSS/JS frameworks and fonts that would otherwise have to load from CDNs that track your requests. Things like jQuery, Bootstrap, AngularJS, FontAwesome, etc. are all loaded from local copies through this extension. This benefits the user by saving bandwidth and page load time as well as stopping unwanted tracking from the remote party. https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...
Don't Fuck With Paste. This extension prevents websites from disabling pasting in form fields. Extremely useful when you are using a password manager to enter form data or just copying and pasting from another location. Websites that break paste are just as bad as websites that serve ads in my book. https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi... (it's also available for Chrome).
If you know someone or you yourself actually still use Facebook, I also highly recommend Social Fixer. Not only does it block Facebook ads and other page elements, but it lets you keep track of other events like who unfriends you. It has a lot of options and I've been using it for years. https://socialfixer.com/
Worth checking out are NoScript extension, PiHole, and UBlock Origin. I don't use these but I've heard good things about them and everyone seems to recommend them.
cli or FFX + ublock origin, ABP, FB container