In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
elashri · 5h ago
An increasing number of them also rely on hard coded DoH servers which is harder to block/redirect. You will need to run Pi-Hole/Adguard Home on the router to block them based on some curated lists (i.e. [1])
In this arms race you are saying a current "move" is a curated list of IPs that correspond to known DoH servers ... and that's fine ..
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
baby_souffle · 2h ago
That might work but if your Samsung example is behind cloudflare, you're basically going to have to block any and all access to cloudflare's Network.
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet
jeroenhd · 2h ago
And before DoH was a thing, several Chinese apps I've used also used to do plain HTTP for DNS resolution (I only caught them by chance because they were doing HTTP). PiHoles only work for apps that stick to the standards and don't mind being caught.
iugtmkbdfil834 · 5h ago
I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. A blanket pihole recommendation may be a disservice at this point.
bongodongobob · 4h ago
No, that's not a fix and those iptables settings are on the router. It will only catch DNS requests on port 53. Doesn't catch DoH which you can't do on a router, you need a firewall for that.
wang_li · 5h ago
> read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
mikevin · 4h ago
Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?
EvanAnderson · 25m ago
The option for clients to use a bespoke protocol for name resolution has always existed. It's just easier now. No bespoke software is necessary.
DNS-over-HTTPS, with its "network operators are 'evil nation state' opponents of freedom" ethos of its design, allows clients to use standards-based protocols (and off-the-shelf libraries) to do the same thing that previously would have required a bespoke protocol.
I'm being a bit hyperbolic, but there's definitely a bent to the advocates for DNS-over-HTTPS that network operators should not have the ability to control standards-based name resolution within their networks. The rallying cry of the DNS-over-HTTPS advocates is always "you should be filtering on the client". This smacks of smug disregard of the fact that not every client supports its owner making filtering decisions.
gbuk2013 · 5h ago
To be fair, if you are geeky enough to run a PiHole you will have no trouble finding the config option to turn off DoH in your browser.
int0x29 · 3h ago
Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.
hnuser123456 · 1h ago
Except, now you don't really control your web browser either, and ad blockers are getting crippled. It is an uphill battle.
woleium · 3h ago
And then there is amazon sidewalk, which can only be evaded by unplugging the wifi board on your tv
nobody9999 · 51m ago
>Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.
Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.
freedomben · 3h ago
True, but I want all the devices on my home network to have DoH disabled too. Most of them I can't change directly.
notarealllama · 5h ago
Joke's on you, I do have a fortinet which does this.... Oh wait, only up to TLS 1.1 or something and it's slow.
I forgot the name of the software but there used to be a few tools to terminate and reencrypt. But yeah dnssec is its own challenge
gbuk2013 · 5h ago
You need to get an F5 box instead. :)
ignoramous · 5h ago
> For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
shaky-carrousel · 2h ago
You can block known DoH servers.
silverwind · 5h ago
Apps that open arbitrary UDP/TCP ports? Isn't that something the app store policies should reject?
epcoa · 5h ago
What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.
01HNNWZ0MV43FF · 5h ago
They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves
xracy · 3h ago
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
chihuahua · 3h ago
Edge browser + uBlock Origin, and YouTube works perfectly without ads.
iramiller · 1h ago
What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
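One way to build the "only allow what the resolver handed out" check described above, as an added example (not Pi-hole code, and not from the thread): it correlates constructed dnsmasq-style resolver log lines with constructed router flow lines, and the exact log wording, the flow-line format and the TTL are assumptions.

```python
"""Flag outbound connections to IPs the local resolver never handed out.

Added example for the "allow only what Pi-hole resolved" idea; not Pi-hole code.
Inputs are constructed: dnsmasq-style resolver lines ("reply NAME is IP",
"config NAME is 0.0.0.0" for a sinkholed name; format assumed) and router flow
lines "HH:MM:SS SRC -> DST:PORT" (format assumed). A flow whose destination
was not resolved recently is reported as a likely hard-coded or DoH-resolved
endpoint, i.e. something a port-53 redirect alone would never see.
"""
import re

# Constructed resolver log (dnsmasq --log-queries style; exact format assumed).
RESOLVER_LOG = """\
Jan  1 10:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Jan  1 10:00:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Jan  1 10:00:05 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.20
Jan  1 10:00:05 dnsmasq[812]: config ads.tracker-example.net is 0.0.0.0
Jan  1 10:00:09 dnsmasq[812]: query[A] api.example.org from 192.168.1.31
Jan  1 10:00:09 dnsmasq[812]: reply api.example.org is 203.0.113.10
"""

# Constructed flow log from the router: new outbound sessions, one per line.
# 198.51.100.53 plays a hard-coded DoH/DoT resolver that never went through us.
FLOW_LOG = """\
10:00:02 192.168.1.20 -> 93.184.216.34:443
10:00:07 192.168.1.45 -> 198.51.100.53:443
10:00:10 192.168.1.31 -> 203.0.113.10:443
10:00:12 192.168.1.45 -> 198.51.100.53:853
10:05:30 192.168.1.20 -> 93.184.216.34:443
"""

ANSWER_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                       r"(?:reply|cached|config) (\S+) is (\d+\.\d+\.\d+\.\d+)$")
FLOW_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Answers a blocking resolver hands out for blocked names; never real destinations.
SINKHOLE = {"0.0.0.0", "127.0.0.1"}


def seconds(hhmmss):
    """Time of day in seconds; enough for a single day's log in this example."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def resolved_ips(resolver_log):
    """Map every IP the resolver answered with to (last seen second, name)."""
    seen = {}
    for line in resolver_log.splitlines():
        m = ANSWER_RE.match(line)
        if m and m.group(3) not in SINKHOLE:
            seen[m.group(3)] = (seconds(m.group(1)), m.group(2))
    return seen


def audit_flows(flow_log, seen, ttl=300):
    """Return (time, client, dst, port, reason) for flows not backed by a resolution.

    ttl is how long a resolver answer is trusted. It is an assumed value here;
    in practice derive it from the record TTLs you actually see.
    """
    flagged = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        t, client, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if dst not in seen:
            flagged.append((t, client, dst, port, "never resolved locally"))
        elif seconds(t) - seen[dst][0] > ttl:
            flagged.append((t, client, dst, port, "resolution older than ttl"))
    return flagged


if __name__ == "__main__":
    for row in audit_flows(FLOW_LOG, resolved_ips(RESOLVER_LOG)):
        print("%s %s -> %s:%d  %s" % row)
```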
everdrive · 1h ago
My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IOT, android, chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones. (plus a steamdeck) My wife has a few ugly apps (facebook, instagram, etc) but outside of that we're in much better shape network-wise.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
itchyouch · 5h ago
For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be setup on the router.
Makes it nice and easy for the non-technical members of the fam.
n_ary · 3h ago
I personally use it on my devices as well as on TV and SmartPhones of my non-tech-savvy family. However, deep in my mind, I have a feeling that, any day they will turn face and sell off to some data brokers and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard-Home on cheap VPS, but after NextDNS decommissioned it. Maybe I need to go boot it up again.
dend · 1h ago
Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.
firesteelrain · 58m ago
Always wanted to do this but if I get a call from home and I am either
1) at work
2) out of town
3) or just not home
Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.
overfeed · 13m ago
What black-swan event would cause 2 PiHoles to go down simultaneously? You could always use a non-PiHole guest-network if your WiFi hardware supports it, and let your family know to use the guest network if the regular network is down. The manual switching might not be necessary as most computers, phones and tablets automatically disassociate from a WiFi network if it's "offline", such as when DNS resolution fails.
procarch2019 · 35m ago
They could just switch their dns back to auto (or statically use google/cloudflare/etc depending on how you configure it), no? Then fix it when you’re back.
You could also set up 2 ssids depending on your WiFi set up. Point one to pi hole and the other to a different DNS provider. Instruction if pi hole breaks is just switch WiFi.
jstanley · 5h ago
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
gh02t · 6m ago
Used to be to catch ads in places outside of browsers like apps, smart TVs etc, or when mobile browsers didn't let you have ad block plugins, plus catching outbound connections like devices trying to phone home. Less effective now, unfortunately, but I find it still catches a lot of ads in mobile apps even if more and more apps are working hard to circumvent DNS blocking. Also have set up PiHole* to block ads for non technical family members who don't know how/can't be bothered to use a browser plugin. Another perk is it gives you some high level overview about what devices across your whole network are up to, though there are other (and often better) ways to achieve this.
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though.
dvratil · 5h ago
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
timbit42 · 3h ago
I just don't connect those devices to any internet.
ThrowawayTestr · 3h ago
Some people like to watch YouTube on their TV
jstanley · 3h ago
I watch YouTube on my TV. Using Firefox, with uBlock Origin. We have a laptop plugged into the TV, with a bluetooth keyboard. It is a vastly superior experience to any smart TV I have ever seen.
timeinput · 1h ago
I'm with you entirely, and that is how I interact with youtube.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the somewhat finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
dividedcomet · 2h ago
And also more than most people want to have setup in the living room. My wife would rather have ads on YouTube occasionally than an ugly computer plugged in all the time. It’s also more difficult to deal with than a remote you can work one handed.
crtasm · 5h ago
uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.
It's best to run both.
rsync · 2h ago
"uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc."
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already ?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options ?
timeinput · 1h ago
I mean I expect devices and apps to move to DoH, but they haven't yet, or at least not all of them. My experience generally on my phone at home (with DNS blocking) is better enough than my experience away from home that I'm glad I took the half a day or there about to set up a DNS blocking tool a couple years ago.
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it I should probably start logging how many DNS look ups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of W to power the RaspberryPI
Twirrim · 4h ago
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
nativeit · 1h ago
Yeah, blocking the bloated Adobe telemetry from their CC apps has been worth the cost of entry alone.
macawfish · 5h ago
Could be nice to have both! Plus, it's not clear that chrome will always support manifest v2. I recently learned that you can still use uBlock Origin in chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
Havoc · 1h ago
Even with ublock the pihole still ends up catching a bunch of stuff.
Best to run both if you're in a position to do so
mikestew · 5h ago
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
BenjiWiebe · 5h ago
uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
FredPret · 4h ago
For me it's because:
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
swiftcoder · 4h ago
> When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser
I'm not sure how a blocker would work if it couldn't see the content of the page...
FredPret · 3h ago
Exactly, that's why I do it on the DNS level
kgwxd · 5h ago
Not all internet traffic goes through a browser.
alexose · 5h ago
I agree. I don't want to be a hater, because it's a cool idea... but I find that this is just the wrong level to operate on.
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
whalesalad · 1h ago
pihole, adguard, nextdns etc work at the network level. meaning you do not need to configure client devices. it's one and done. also means that your dummy clients like TVs, IOT devices, etc... are going to be participating as well. you can't install ublock origin on a TV, or my dog's wifi collar, etc.
chaoskitty · 52m ago
I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.
gh02t · 10m ago
What do you mean without machine specific binaries? Like, building it from source? The instructions for that are pretty ambiguous and look like they are only for part of the system (https://docs.pi-hole.net/ftldns/compile/). However, if you just mean running it bare metal then running the installer script mentioned at the top of the Github page will install it using native packages for your system (apt, rpm, etc).
lambdaba · 5h ago
Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.
eamag · 5h ago
Why is tailscale needed?
lambdaba · 53m ago
You don't strictly need it, it just makes it a tiny bit more convenient since you can set it up to override DNS on any connected device, and Tailscale sets up a private VPN mesh between your devices I've come to take for granted - a tangential feature that goes well with centrally managed DNS.
JamesSwift · 1h ago
It lets you leverage it while physically outside of the network (eg at a hotel)
benhurmarcel · 16m ago
But NextDNS isn’t on your network anyway. You can access it from anywhere.
vaxman · 4h ago
So people with access to the TailScale control plane can easily add and remove devices from your network.
There's a lot more to Tailscale but for a basic setup you just install the client on all your devices, and set DNS to the NextDNS endpoint. Any device on your network will automatically pick it up.
parpfish · 4h ago
i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.
these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.
3abiton · 4h ago
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
TechDebtDevin · 4h ago
It still shouldn't break all the time. You shouldn't have to get good at debugging a tool like this. I use it but it does destroy my network once a month and have had to build cleanup/reinstall scripts for this scenario. I would not recommend it to most people.
bongodongobob · 4h ago
Did you not give the pihole a static address or something? What is breaking?
TechDebtDevin · 3h ago
No idea, it barely works.
eldaisfish · 2h ago
pihole is one of the most straightforward pieces of software out there. It is so easy to use that it is practically an appliance.
bongodongobob · 2h ago
Then there's something wrong with your network. All it does is serve DNS.
bongodongobob · 4h ago
It's very straightforward. You set the IP of the pihole for DNS in the settings of whatever is doing DHCP on your network. That's it.
Dries007 · 3h ago
After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.
I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with uBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices.
The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
Gucio · 3h ago
Check out smarttubenext if you are on an Android TV.
ryandrake · 5h ago
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
jamesgeck0 · 5h ago
I don't _think_ you need a whole Raspberry Pi 5 kit. It seems like an older Raspberry Pi 3b+ would get the job done for $35 or so. Maybe even a Raspberry Pi Zero ($5) with a micro USB ethernet adapter.
m000 · 4h ago
RPi5 is definitely a huge overkill. Plus, it needs a power adapter, probably some cooling, and some space to seat it.
Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
GloriousKoji · 4h ago
I recommend against the Pi Zero. Once you add in the cost of the microUSB to USB-OTG adapter and the ethernet USB adapter you might as well buy a 3B or 4. Price aside it adds an extra mechanical point of failure as microUSB is not very robust.
mikestew · 4h ago
Oh, it will definitely work on older ones. The one I have, w/o logging in and explicitly looking, is a 3-$SOMETHING, probably 3b+. Works just fine.
shrikant · 4h ago
My Pi-hole runs on a ~13 year old Model B, which has survived several house moves. Definitely don't need top of the line hardware for it!
It's a good post, however I agree with the comments there and here that a Raspberry Pi 5 with 8GB RAM is overkill for just running pihole. A good old Raspberry Pi 3 Model B with 1GB RAM is enough and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have so no need to buy a device just for the sake of it. I would rather not run it as a docker container though but that's just my preference
olelele · 1h ago
I run mine on a RPi 1 and it doesn't even break a sweat
flaburgan · 5h ago
Does it really have to be installed in the local network? I would like to set it once in a server and then be able to configure the box of all my friends, family, etc.
rement · 4h ago
Be aware that if you run it on the internet other people will find it. I had one open to the web for a bit and was a bit surprised how many systems started making requests to it.
potatocoffee · 3h ago
Pi hole devs recommend running it locally only and discourage exposing your pi-hole to the internet. I used pi hole for years but have been using NextDNS lately and it works well outside of my home network, and even has a free tier.
freedomben · 3h ago
No, but it won't have auth in front of it so it will eventually be discovered and used by people who aren't you. That could get you wrapped up or even implicated in a cyber attack.
Larrikin · 4h ago
You can run it on your phone and outside of your network with something like Tailscale as your vpn
the_dude_ · 4h ago
it depends on your needs, but for me I set it up as the dhcp server and configure the router to go through the pihole. If you want to share it with family and friends there is no better tool than tailscale, you can configure the pihole as an exit node.
rockbruno · 2h ago
Setting up a Pi-Hole taught me a ton about how networks work. It's a really cool thing to setup for fun.
M95D · 3h ago
For those who think DNS-over-HTTPS can't be blocked: just disable routing and use a whitelist filtering proxy server instead.
duckkg5 · 3h ago
$155 seems like a lot. I do this with a $5 pi zero and a $5 adapter and it works flawlessly.
dark-star · 4h ago
> 66.6% of all traffic is blocked
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked
kube-system · 1h ago
66.6% of traffic per DNS request is a metric of network traffic. You could measure by bandwidth, by number of packets, by number of sessions, etc. There are many measurements one could use, and DNS requests is one of them. It would probably be irrelevant for other purposes but isn't a crazy measurement given this context.
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
pnw · 3h ago
66% would indicate that OP may have a device repeatedly trying to resolve a blocked query with no reasonable backoff logic.
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
whalesalad · 2h ago
My power went out today. Which means at some point my UPSes run out of capacity and my core infra VM host has to shut down. I run Adguard on that device ... so once it is gone, my ad-blocking is gone.
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
incomingpain · 5h ago
<3 my pihole.
Currently I'm at 28% blocked. Typically I'm above 50% like OP.
They have significantly higher number of domains blocked. time to update my lists: https://firebog.net/
jyap · 2h ago
It’s all relative. I’m at 24.4% but I have quite a few devices like Wemo light switches at the top of my DNS queries. Only have one Amazon Alexa device but that’s near the top as well.
IoT devices which constantly phone home will skew things.
[1] https://github.com/dibdot/DoH-IP-blocklists
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
DNS-over-HTTPS, with its "network operators are 'evil nation state' opponents of freedom" ethos of its design, allows clients to use standards-based protocols (and off-the-shelf libraries) to do the same thing that previously would have required a bespoke protocol.
I'm being a bit hyperbolic, but there's definitely a bent to the advocates for DNS-over-HTTPS that network operators should not have the ability to control standards-based name resolution within their networks. The rallying cry of the DNS-over-HTTPS advocates is always "you should be filtering on the client". This smacks of smug disregard of the fact that not every client supports its owner making filtering decisions.
Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.
I forgot the name of the software, but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that, they all require routing and can still be forcibly cut off.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
Makes it nice and easy for the non-technical members of the fam.
1) at work 2) out of town 3) or just not home
Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.
You could also set up two SSIDs, depending on your WiFi setup. Point one to Pi-hole and the other to a different DNS provider. The instruction if Pi-hole breaks is just to switch WiFi.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the somewhat finicky mouse touchpad to get the cursor to open the web browser, navigate to YouTube, enter the title in the search box, (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
It's best to run both.
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already?
In that case the Pi-hole (or NextDNS, etc.) are bypassed...
I suppose you could proxy all TLS traffic and block it, but if the DoH is being served by the same FQDN as the traffic you want in the first place, aren't you out of options?
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it, I should probably start logging how many DNS lookups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day, it's probably not worth the couple of W to power the Raspberry Pi.
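One way to do the logging the comment above suggests, as an added example that is not from the thread: it parses constructed dnsmasq-style lines (the format Pi-hole's log is assumed to follow) and reports per-day blocked counts, the blocked share of requests (requests, not bytes, which is the point made further down), and the noisiest domains and clients.

```python
import re
from collections import defaultdict

# Assumed dnsmasq-style log format (Pi-hole's pihole.log is assumed to resemble it).
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}) \S+ dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}) \S+ dnsmasq\[\d+\]: gravity blocked (\S+) is ")

SAMPLE_LOG = [  # constructed sample lines, not a real log
    "Jun  1 12:00:02 dnsmasq[512]: query[A] news.example.org from 192.168.1.20",
    "Jun  1 12:00:02 dnsmasq[512]: forwarded news.example.org to 9.9.9.9",
    "Jun  1 12:00:03 dnsmasq[512]: query[A] telemetry.example-iot.com from 192.168.1.40",
    "Jun  1 12:00:03 dnsmasq[512]: gravity blocked telemetry.example-iot.com is 0.0.0.0",
    "Jun  1 12:05:03 dnsmasq[512]: query[A] telemetry.example-iot.com from 192.168.1.40",
    "Jun  1 12:05:03 dnsmasq[512]: gravity blocked telemetry.example-iot.com is 0.0.0.0",
    "Jun  1 12:10:03 dnsmasq[512]: query[A] telemetry.example-iot.com from 192.168.1.40",
    "Jun  1 12:10:03 dnsmasq[512]: gravity blocked telemetry.example-iot.com is 0.0.0.0",
    "Jun  1 12:15:03 dnsmasq[512]: query[A] telemetry.example-iot.com from 192.168.1.40",
    "Jun  1 12:15:03 dnsmasq[512]: gravity blocked telemetry.example-iot.com is 0.0.0.0",
    "Jun  2 09:00:00 dnsmasq[512]: query[AAAA] news.example.org from 192.168.1.20",
    "Jun  2 09:00:00 dnsmasq[512]: forwarded news.example.org to 9.9.9.9",
]

def parse_log(lines):
    """Count queries and gravity blocks per day, plus queries per domain and per client."""
    days = defaultdict(lambda: {"queries": 0, "blocked": 0})
    domains, clients = defaultdict(int), defaultdict(int)
    for line in lines:
        if m := QUERY_RE.match(line):
            day, _qtype, domain, client = m.groups()
            days[" ".join(day.split())]["queries"] += 1  # normalise "Jun  1" -> "Jun 1"
            domains[domain] += 1
            clients[client] += 1
        elif m := BLOCK_RE.match(line):
            days[" ".join(m.group(1).split())]["blocked"] += 1
    return dict(days), dict(domains), dict(clients)

def block_ratio(days):
    """Share of *requests* blocked; this says nothing about bytes or bandwidth saved."""
    queries = sum(d["queries"] for d in days.values())
    return sum(d["blocked"] for d in days.values()) / queries if queries else 0.0

def days_below_threshold(days, min_blocked=1):
    """Days on which the blocklist caught fewer than min_blocked lookups (the 'is it still worth it' check)."""
    return [day for day, d in days.items() if d["blocked"] < min_blocked]

def top_talkers(counter, n=3):
    """Most-queried domains (or noisiest clients), highest count first, ties broken by name."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

Run it against the real log file by replacing SAMPLE_LOG with the file's lines; a device like the "smart light" mentioned below shows up immediately in top_talkers.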
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
Best to run both if you're in a position to do so
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, and all programs across all OSes on your network.
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
I'm not sure how a blocker would work if it couldn't see the content of the page...
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
https://youtu.be/bJHPfpOnDzg
These walkthroughs always make it look easy, but no matter how easy the setup is, you can't escape the fact that you're adding a layer of complexity to the network and I just don't want to maintain it. I fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because I don't know what I'm doing.
I run it on a rPi Zero 2W ($15), with the Waveshare Ethernet / USB HUB BOX ($16). Together with a power brick ($5) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with µBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
1: https://en.wikipedia.org/wiki/Dnsmasq
But you can do for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
Pi Zero 2W + micro USB Ethernet adapter works perfectly for Pi-hole, and has an almost invisible physical footprint: small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm Ethernet cable to avoid network cable management.
https://news.ycombinator.com/item?id=41382231
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked.
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
Currently I'm at 28% blocked. Typically I'm above 50% like OP.
They have a significantly higher number of domains blocked. Time to update my lists: https://firebog.net/