How our blockers against trackers, ads, and adult sites work

Published Categorized as News

We recently unveiled an array of advanced protection features in our app, granting users enhanced privacy and an improved internet experience. The ForestVPN app now supports these functionalities across the majority of platforms.

  • Block trackers and malicious sites effortlessly with our cutting-edge feature, Threat Manager. Safeguarding your device, this powerful tool ensures that no app or website can establish communication with notorious third parties that track your activity or indulge in malicious behavior. Seamlessly integrated across all major platforms, including Windows, Mac, Android, iOS, Linux, our Aircove router, and other router software, it gives you unparalleled protection wherever you go.
  • Experience an ad-free browsing journey with our cutting-edge ad blocker. Say goodbye to intrusive display ads that hinder your online experience. Not only does our ad blocker eliminate the annoyance factor, but it also optimizes your browsing speed by preventing ads from hogging valuable data and slowing down web pages. Whether you’re using Android, iOS, Windows, or Aircove, our ad blocker has got you covered. Stay tuned for upcoming Mac and Linux versions to further enhance your ad-free browsing experience.
  • Protect your loved ones from explicit content by blocking adult sites on any device. ForestVPN’s Aircove provides an indispensable feature that ensures a safe home network environment for your children. Whether you’re using Android, iOS, Windows, or Aircove, the ability to block adult sites is at your disposal. Stay tuned for upcoming Mac and Linux compatibility.

Simply activate the features in your app settings; they function exclusively with your VPN enabled, except on Aircove, where they remain operational regardless of VPN usage.

We utilize open-source blocklists renowned for their industry credibility, leveraging external expertise while meticulously curating them in-house. These lists require regular updates to keep pace with the rapid emergence and takedown of undesirable domains.

How does our app block these domains? Our foremost priority in developing these features was the protection of user privacy. Here’s the mechanism.

Enjoy the freedom of blocking content directly on your device

When a user attempts to access a blocked site, there are two possible points of blocking: the user’s device or the server. In our blocking features, we use a DNS-based traffic blocker on the user’s device. This blocker prevents all apps and browsing sessions from communicating with third parties listed on our blocklists. This includes trackers, scammers, malware sites, ads, and adult sites. The user’s device handles the query entirely, without sending it elsewhere. This approach is chosen for the following reasons:

  1. Safety. The primary reason we chose to block on the device is our belief in defense-in-depth. It’s safer to intercept the DNS queries on the app, so there is no risk that any activity can persist or be exposed on the server. That’s because we do need to know the domain the packet is intended to access before a decision can be made about it—and we don’t want the server to know or care about this information. Simply put, in trying to protect your privacy, we always want our servers to know less about you.
  2. Simplification. Keeping the DNS-based traffic blocker complexity out of our servers reduces the attack surface of our servers. That’s easily confirmed when third-party auditors examine our technology.
  3. Flexibility. Blocking on the app (or client) side also gives us greater flexibility to allow per-device customization of the features in the future. This means users will be able to add domains they’d like to block, or override the blocklist with a whitelist of domains they’d like to be able to access, giving the user greater control. If the blocks happen on the server, all different apps connecting to that server can only rigidly use the same blocklists.

The heightened risk of server-side blocking is a growing concern.

There are other service providers performing their blocks on the server side, and we did consider this option but ultimately rejected it. If you use such a service and seek high levels of privacy, you’d have to be sure they are not logging the DNS request, and you’d have to be sure of the security posture of the server handling your DNS. 

The associated risk is that servers could be seized by law enforcement to examine users’ activity, leaving you exposed. Not everyone is as scrupulous as ForestVPN in ensuring no unnecessary data is kept on servers. The strength of our no-logs policy was tested a few years ago when the Turkish government attempted to glean user data through our servers, only to discover there was nothing useful for them. That said, we always err on the side of caution to mitigate your privacy risks.

How are the blocks in our apps generated and executed?

Another decision we needed to make was how we would respond to the queries—what do we tell the app with the DNS request about that query we want to block? Depending on how we reply to the requesting app, the app might not expect or understand the reply, causing it to keep trying. We wanted to do it in the least disruptive way possible. Through research and trial and error, we landed on telling the app with the DNS request that the domain does not exist, using the error code NXDOMAIN; this gave us the cleanest result for blocking the domain.

Other options were ignoring the request or not replying at all, which was confusing to the apps as they didn’t know if they had been blocked by us or if the request got lost in the internet. This sometimes led the app to try again and again.
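As an added illustration (not ForestVPN's code) of the on-device DNS blocker described above and of the NXDOMAIN reply chosen over silently dropping the request: a minimal Python responder that decodes the queried name from a raw DNS message, matches it and its parent domains against a constructed blocklist with a per-device allowlist override, and answers blocked names with RCODE 3 (NXDOMAIN) so the requesting app gets a definitive answer instead of a timeout it would retry. The blocklist, allowlist and query builder are constructed sample data; unblocked names return None, meaning "forward upstream as usual".

```python
import struct

# Constructed sample blocklist and per-device allowlist (not ForestVPN's real lists)
BLOCKLIST = {"tracker.example", "ads.example"}
ALLOWLIST = {"cdn.ads.example"}

def is_blocked(name):
    """Match the name and every parent domain against the blocklist; the allowlist wins."""
    labels = name.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    if any(c in ALLOWLIST for c in candidates):
        return False
    return any(c in BLOCKLIST for c in candidates)

def parse_qname(msg, offset=12):
    """Decode the first question name from a DNS message (questions use no compression)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def nxdomain_response(query):
    """Build an NXDOMAIN reply: same ID and question, QR=1, RD copied, RA=1, RCODE=3."""
    qid, flags, _qdcount = struct.unpack("!HHH", query[:6])
    _, end = parse_qname(query)
    question = query[12:end + 4]  # QNAME followed by QTYPE and QCLASS
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0)  # no answer records
    return header + question

def handle_query(query):
    """Return (name, reply): reply is NXDOMAIN bytes for blocked names, else None (forward)."""
    name, _ = parse_qname(query)
    if is_blocked(name):
        return name, nxdomain_response(query)
    return name, None

def build_query(name, qid=0x1234):
    """Constructed A-record query with the RD flag set, used here as sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Because the reply carries the original transaction ID and question with RCODE 3, the stub resolver treats it as a final negative answer and stops retrying, which is the behaviour the post contrasts with dropped queries.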

Safety is our utmost priority as we continue to innovate.

We’re always excited to launch new features and give our users greater value. But amid these improvements, our commitment to your privacy is unwavering. We hope that additions like our ad blocker give you a better internet experience while allowing you to get more out of one app rather than relying on multiple services.

We’re also proud that the infrastructure of our VPN protocol Lightway enables us to perform this DNS filtering on devices. Lightway allows clean extensions, meaning we could add our blockers individually without much difficulty. It would be much more difficult, and possibly infeasible, to do so using the popular protocol OpenVPN, for instance.

Say goodbye to trackers, ads, and adult sites!