For millions of people, daily metro commutes are becoming an ordeal not only because of the crush but also because of the aggressive digital noise. Free network Metro_WiFi or Moscow_Free_WiFi While it formally provides internet access, in practice it turns the smartphone into an advertising showcase. Pop-ups, redirects to bookmaker landing pages, and in-browser video inserts can irritate even the most calm passenger.
The problem lies in the Captive Portal authentication technology, which intercepts your traffic until your identity is verified. However, modern encryption methods and packet analysis tools make it possible to find workarounds. In 2026, the most effective method remains a combination of DNS filtering and local proxy servers that do not require root access on Android. In this article, we'll explore the technical aspects of advertising injectors and how to neutralize them.
It's important to understand that underground service providers are constantly updating their blocker detection algorithms. What worked six months ago may no longer be effective today. Therefore, it's important not just to copy the settings, but to understand the principles involved in order to adapt the protection strategy to the current realities of network equipment.
How advertising inserts work in public networks
The mechanism for injecting ads into the subway is based on manipulating unencrypted HTTP requests. When you connect to an access point, the router analyzes the traffic. If it detects a request to a website without a protocol, HTTPS, the system replaces the server's response with its own HTML code containing an advertising banner. This is a classic Man-in-the-Middle (MiTM) attack, legalized by the network's terms of service.
Modern systems have become smarter and can even work with HTTPS, using SSL spoofing techniques for certain domains or relying on vulnerabilities in DNS queries. If your phone sends a request to resolve a domain name to an IP address, your ISP may redirect you to its ad server before you reach the desired website. That's why DNS over HTTPS (DoH) becomes a critical tool.
⚠️ Warning: Using third-party certificates to intercept HTTPS traffic on public networks may be considered a hacking attempt by security services. Only use methods that do not require root certificates to be installed on your device.
It's important to note that many applications use proprietary communication protocols that are more difficult to block or modify. However, browser traffic, especially in older versions of applications or on websites without strict security policies, remains vulnerable. Understanding this architecture helps choose the right filtering tool.
Setting up private DNS on Android and iOS
The simplest and most effective method, which doesn't require installing additional software, is to change the DNS server at the operating system level. In modern versions Android 9+ And iOS 14+ Support for encrypted DNS protocols has been implemented. This allows you to hide your requests from your Metro provider and automatically filter out domains known to be sources of advertising.
To activate the function on Android, you need to go to the menu Settings → Connections → Other connection settings → Private DNSHere, select the "DNS Provider Hostname" mode and enter the address of a trusted filter. For iOS, the path is slightly different: Settings → Wi-Fi → (i) next to the network → DNS Configuration → Manual, although DoH support on iOS often requires the use of profiles or third-party apps.
- 📍 AdGuard DNS:
dns.adguard.com— blocks ads and trackers at the domain name level. - 🛡️ Cloudflare for Families:
1.1.1.3— blocks malicious content, but may allow legal advertising. - 🔒 Quad9:
9.9.9.9— focused on security and blocking phishing sites. - ⚡ NextDNS: requires registration, but allows flexible customization of block lists via a web interface.
After applying the settings, it's recommended to completely reconnect to the metro network. If you see that pages load but the ad banners have disappeared, then the method is working. However, it's worth remembering that some WiFi providers may block access to third-party DNS servers, forcibly redirecting you to their gateways. In this case, a more complex solution using tunneling will be required.
Using local VPNs and filtering applications
If your default DNS settings are blocked by your internet service provider, apps that create a local VPN tunnel can help. Unlike traditional VPNs, they don't change your IP address on a server in another country, but rather simply route your traffic through an internal filter on your device. This allows you to bypass internet service provider restrictions, as all traffic appears as a single encrypted stream.
One of the most popular and time-tested tools is AdGuard or its open analogue BlokadaThese apps create a virtual network interface through which all device traffic passes. Within this tunnel, complex filtering rules are applied that block advertising requests before they reach your browser or app.
For advanced users familiar with the command line, there is the possibility of customization Termux on Android. This is a terminal emulator that allows you to run a full-fledged DNS server or proxy directly on your phone. The command to install the basic packages looks like this:
pkg update && pkg upgradepkg install python
pip install adblock
However, for most users, installing a ready-made APK file from a trusted source (such as F-Droid or the developer's official website) will be safer and faster.
Impact on battery
Using a local VPN filter increases battery consumption by approximately 5-10% per hour of active use. This is due to the constant processing of passing data packets.
Analysis and blocking via HTTP headers
For those who want complete control over their traffic, there's a method for analyzing HTTP headers. Advertising networks often use specific User-Agent or Referer headers that reveal their origin. Using packet sniffers on your device (e.g., Packet Capture or HttpCanary), you can analyze which domains are requesting advertising modules.
Once the culprits have been identified, they can be added to the file. hostsOn non-rooted devices, this is done through apps that use a local VPN to spoof DNS responses. You create a rule: if a request goes to ads.metro-provider.com, then return the IP address 0.0.0.0This way, the browser thinks the site is not found and the ad is not loaded.
The table below shows examples of domains that are often used for ad injections on public networks and that should be blocked first:
| Domain / Host | Content type | Recommended action | Impact on the network |
|---|---|---|---|
gw.metro-wifi.ru |
Authorization gateway | Allow (otherwise you won't be able to enter) | Critical |
ads.metro-banner.net |
Advertising banner | Block (0.0.0.0) | High |
track.provider.com |
Statistics collection | Block | Average |
video-inject.wifi |
Video insert | Block | High |
Manually adding hosts is labor-intensive, as addresses are constantly changing. Therefore, it's better to use ready-made block lists that are updated automatically. It's also a good idea to use community-based lists that aggregate data on new advertising domains in real time.
Authorization problems and their solutions
A common problem with blockers is the inability to complete initial authorization. You connect to WiFi, but the login page doesn't appear because the blocker is blocking captcha or redirect scripts. In this case, you need to temporarily disable filtering.
The algorithm of actions in such a situation is simple: turn off the VPN or change the DNS to automatic, re-enter any HTTP site (for example, http://neverssl.com), log in to the metro and only after successfully accessing the internet can you re-enable protection. Some apps allow you to set up a "Whitelist" for authorization domains.
☑️ Network Login Checklist
It's also worth considering that some networks require periodic re-authentication. If you're using hard blocking, this process may be interrupted. In your filter settings, consider adding exceptions for the default gateway IP addresses to ensure service traffic flows unimpeded.
Data security when using public WiFi
When removing ads, don't forget the main threat—your data security. Subway networks are high-risk areas. Even if you've removed visual ads, an attacker on the same network could attempt an ARP spoofing attack or eavesdrop on unencrypted traffic.
Using a VPN (even a local one with filtering) creates an additional layer of encryption between your device and the access point. However, for complete protection, it is recommended to use full-fledged VPN services with protocols WireGuard or OpenVPNThey will hide all your traffic from your metro provider and other network users.
⚠️ Warning: Free VPN services often monetize themselves by selling your browsing statistics. Use only trusted paid services or set up your own private server if sensitive data is involved.
Never enter bank card information or make payments over public WiFi without a VPN enabled. Even the most reliable ad protection doesn't guarantee that the network is free of packet sniffers configured to intercept logins and passwords. Remember, security is a complex set of measures, not a single setting.
Comparison of blocking methods
The choice of method depends on your technical skills and speed requirements. DNS filtering is the fastest, but less reliable. Local VPNs are more reliable, but can reduce speed and increase device heating. Full-fledged VPNs provide maximum anonymity, but often reduce speed due to server locations.
In today's environment, the optimal strategy is a combined approach: using private DNS for basic filtering and enabling a local ad blocker (like AdGuard) only during peak hours, when the amount of ads becomes unbearable. This allows for a balance between comfort and battery consumption.
Don't expect a "magic button" to remove ads forever. It's a constant game of cat and mouse with the subway network administrators. However, with an understanding of how networks work, you'll always be one step ahead and enjoy the content, not the annoying offers.
Why do ads appear even after installing an ad blocker?
This could happen for several reasons: the ad blocker hasn't updated its domain databases, the ISP is using new injection methods (for example, via IPv6 if it's not filtered), or the app you're seeing ads in is using its own communication channels that bypass the system proxy.
Will blocking ads slow down my internet speed?
On the contrary, speed may increase because the device won't waste bandwidth downloading heavy banner ads and videos. However, the filtering process itself requires processor resources, which could theoretically add minimal latency (ping), noticeable only in online games.
Is it safe to use third-party DNS?
Using public DNS (Google, Cloudflare, AdGuard) is safe from a virus standpoint. However, you're entrusting your query history to the DNS server owner. For normal browsing activity, this is an acceptable risk, but for working with sensitive data, it's better to use corporate or private DNS servers.
Is it possible to remove ads in metro apps?
Ads in native transport service apps are more difficult to remove, as they are often embedded in the app's code (SDK). Only system ad blockers with HTTPS filtering (requiring a certificate) or modified versions of the app can help, which may violate the service's terms of service.
Do these methods work on iPhone?
Yes, iOS supports DNS over HTTPS and has a built-in "Content Blocking" feature in Safari. There are also blocker apps from the App Store (such as AdGuard or Lockdown) that work like a local VPN, similar to Android.