How our blockers against trackers, ads, and adult sites work

ExpressVPN news
5 mins
Computer with a roadblock.

We recently announced the launch of a full set of advanced protection features on our app, giving users even more control over their privacy and overall internet experience. The ExpressVPN app on most platforms now allows users to:

  • Block trackers and malicious sites. Known as Threat Manager, this feature prevents all apps and websites on your device from communicating with a set of third parties known to track activity or engage in malicious behavior. Available on all major platforms (Windows, Mac, Android, iOS, Linux, and our Aircove router).
  • Block ads. Our ad blocker stops most display ads from loading. Not only can you avoid the intrusiveness of ads, but because ads also slow down web pages and consume your data as they load, an ad blocker could speed up your browsing. Available on Android, iOS, Windows, Mac, and Aircove, with Linux in the works.
  • Block adult sites. With this feature enabled, adult sites are blocked from loading on a device. It is especially useful to enable this feature on ExpressVPN’s Aircove, to block explicit content on your entire home network, including devices being used by children. Available on Android, iOS, Windows, Mac, and Aircove, with Linux in the works.

All you have to do is toggle on the features in your app settings. They work only while your VPN is turned on—except on Aircove, where they work even if you are not using VPN functionality.

The blocklists we use are open source and highly reputable within the industry. By using these blocklists, we’re able to rely on outside expertise, but we also vet and refine them ourselves. They need to be updated frequently as undesirable domains crop up relentlessly and are also taken down quickly.

But how does our app block these domains? When implementing these features, our primary consideration was safeguarding user privacy. Here’s how it works.

Blocking on your device, not the server

When a user tries to access a blocked site, there are generally two points at which the blocks could take place: on the user’s device or on the server. In the case of all our blocking features, a DNS-based traffic blocker running on the user’s device stops all apps and browsing sessions from communicating with third parties on our blocklists, including trackers, scammers, malware sites, ads, and adult sites. The query never leaves the user’s device. Here is why we take this approach:

  1. Safety. The primary reason we chose to block on the device is our belief in defense-in-depth. It’s safer to intercept the DNS queries on the app, so there is no risk that any activity can persist or be exposed on the server. That’s because we do need to know the domain the packet is intended to access before a decision can be made about it—and we don’t want the server to know or care about this information. Simply put, in trying to protect your privacy, we always want our servers to know less about you.
  2. Simplification. Keeping the DNS-based traffic blocker complexity out of our servers reduces the attack surface of our servers. That’s easily confirmed when third-party auditors examine our technology.
  3. Flexibility. Blocking on the app (or client) side also gives us greater flexibility to allow per-device customization of the features in the future. This means users will be able to add domains they’d like to block, or override the blocklist with a whitelist of domains they’d like to be able to access, giving the user greater control. If the blocks happen on the server, all different apps connecting to that server can only rigidly use the same blocklists.

Increased risk of blocking on the server side

There are other service providers performing their blocks on the server side, and we did consider this option but ultimately rejected it. If you use such a service and seek high levels of privacy, you’d have to be sure they are not logging the DNS request, and you’d have to be sure of the security posture of the server handling your DNS. 

The associated risk is that servers could be seized by law enforcement to examine users’ activity, leaving you exposed. Not everyone is as scrupulous as ExpressVPN in ensuring no unnecessary data is kept on servers. The strength of our no-logs policy was tested a few years ago when the Turkish government attempted to glean user data through our servers, only to discover there was nothing useful for them. That said, we always err on the side of caution to mitigate your privacy risks.

How do the blocks happen in our apps?

Another decision we needed to make was how we would respond to the queries—what do we tell the app with the DNS request about that query we want to block? Depending on how we reply to the requesting app, the app might not expect or understand the reply, causing it to keep trying. We wanted to do it in the least disruptive way possible. Through research and trial and error, we landed on telling the app with the DNS request that the domain does not exist, using the error code NXDOMAIN; this gave us the cleanest result for blocking the domain.

Other options were ignoring the request or not replying at all, which was confusing to the apps as they didn’t know if they had been blocked by us or if the request got lost in the internet. This sometimes led the app to try again and again.

Prioritizing safety as we innovate

We’re always excited to launch new features and give our users greater value. But amid these improvements, our commitment to your privacy is unwavering. We hope that additions like our ad blocker give you a better internet experience while allowing you to get more out of one app rather than relying on multiple services.

We’re also proud that the infrastructure of our VPN protocol Lightway enables us to perform this DNS filtering on devices. Lightway allows clean extensions, meaning we could add our blockers individually without much difficulty. It would be much more difficult, and possibly infeasible, to do so using the popular protocol OpenVPN, for instance.

Learn more about the latest new features on our app, including ExpressVPN Keys, our password manager.

Phone protected by ExpressVPN.
Protect your online privacy and security

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
Andre Lo is Software Engineering Manager at ExpressVPN. He has been with the company since 2018, and has been involved in various cross-platform work for ExpressVPN’s client apps. He currently leads a team of engineers working on the Lightway protocol and core VPN technologies. Andre is also a licensed Professional Engineer in Ontario, Canada.