In case you’re like a lot of folks on HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
elashri · 1h ago
An increasing number of them also rely on hard-coded DoH servers, which is harder to block/redirect. You will need to run Pi-Hole/Adguard Home on the router to block them based on some curated lists (e.g. [1])
I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. A blanket pihole recommendation may be a disservice at this point.
silverwind · 1h ago
Apps that open arbitrary UDP/TCP ports? Isn't that something the app store policies should reject?
epcoa · 1h ago
What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.
01HNNWZ0MV43FF · 1h ago
They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves
wang_li · 1h ago
> read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
mikevin · 7m ago
Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?
gbuk2013 · 1h ago
To be fair, if you are geeky enough to run a PiHole you will have no trouble finding the config option to turn off DoH in your browser.
notarealllama · 1h ago
Joke's on you, I do have a Fortinet which does this.... Oh wait, only up to TLS 1.1 or something and it's slow.
I forgot the name of the software but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge
gbuk2013 · 53m ago
You need to get an F5 box instead. :)
ignoramous · 1h ago
> For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
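An added example (my own, not the article's iptables config and not Pi-hole's code) that serves both elashri's point about DoH IP blocklists and ignoramous's point that port-53 redirection alone is not enough: it generates gateway iptables rules that force plain DNS through the Pi-hole and reject TCP/443 to addresses read from a DoH resolver list. The Pi-hole address, LAN interface, list path and list format are assumptions.

```shell
#!/bin/sh
# Added example, not the article's iptables config. Generates (does not apply)
# gateway firewall rules that force plain DNS through the Pi-hole and reject
# TCP/443 to resolver IPs read from a DoH blocklist such as [1].
# The Pi-hole IP, LAN interface and blocklist path are placeholders you supply.
set -eu

# Plain-DNS enforcement: DNAT every LAN packet to port 53 onto the Pi-hole,
# except the Pi-hole's own upstream queries. The MASQUERADE is needed so the
# Pi-hole's answer returns via the gateway; otherwise the client sees a reply
# from the Pi-hole's address instead of the resolver it asked and drops it.
# None of this touches DoH, which is ordinary HTTPS on TCP/443.
gen_port53_rules() {
    pihole_ip=$1; lan_if=$2
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -s $pihole_ip -j DNAT --to-destination $pihole_ip:53"
        echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto --dport 53 -d $pihole_ip -j MASQUERADE"
    done
}

# DoH enforcement: reject TCP/443 to each listed address and log the hit,
# which tells you which client still carries a hard-coded DoH resolver.
# Assumed list format: one IPv4 address or CIDR per line, '#' starts a comment.
gen_doh_rules() {
    lan_if=$1; list=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$list" | while read -r ip; do
        echo "iptables -A FORWARD -i $lan_if -p tcp --dport 443 -d $ip -j LOG --log-prefix 'DOH-BLOCK: '"
        echo "iptables -A FORWARD -i $lan_if -p tcp --dport 443 -d $ip -j REJECT --reject-with tcp-reset"
    done
}

gen_all_rules() { gen_port53_rules "$1" "$2"; gen_doh_rules "$2" "$3"; }

# Constructed sample blocklist (not real list contents) for a dry run.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed DoH resolver list
192.0.2.10        # doh.example
192.0.2.0/28      # example DoH pool
EOF
}

# Usage: review the output, then pipe it through sh as root on the gateway.
if [ "${1:-}" = "demo" ]; then
    write_sample_list /tmp/doh-sample.txt
    gen_all_rules 192.168.1.2 br0 /tmp/doh-sample.txt
fi
```

Blocking by IP also breaks anything else hosted on those addresses, which is why the list needs to be curated rather than broad; the LOG rule is what shows you which device on the LAN is still trying a hard-coded DoH resolver.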
parpfish · 25m ago
I'd love a pihole, but networking has always been a bit of a blind spot for me. I never really understand what I'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.
These walkthroughs always make it look easy, but no matter how easy the setup is you can't escape the fact that you're adding a layer of complexity to the network and I just don't want to maintain it. I fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because I don't know what I'm doing.
3abiton · 21m ago
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
TechDebtDevin · 9m ago
It still shouldn't break all the time. You shouldn't have to get good at debugging a tool like this. I use it but it does destroy my network once a month and I have had to build cleanup/reinstall scripts for this scenario. I would not recommend it to most people.
the_dude_ · 7m ago
It's a good post, however I agree with the comments there and here that a Raspberry Pi 5 with 8GB RAM is overkill for just running pihole. A good old Raspberry Pi 3 Model B with 1GB RAM is enough and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have, so no need to buy a device just for the sake of it. I would rather not run it as a Docker container though, but that's just my preference
jstanley · 1h ago
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
dvratil · 53m ago
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
FredPret · 5m ago
For me it's because:
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
Twirrim · 9m ago
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
crtasm · 1h ago
uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.
It's best to run both.
macawfish · 1h ago
Could be nice to have both! Plus, it's not clear that Chrome will always support Manifest V2. I recently learned that you can still use uBlock Origin in Chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
mikestew · 50m ago
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
BenjiWiebe · 1h ago
uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
kgwxd · 1h ago
Not all internet traffic goes through a browser.
alexose · 1h ago
I agree. I don't want to be a hater, because it's a cool idea... but I find that this is just the wrong level to operate on.
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
itchyouch · 47m ago
For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be setup on the router.
Makes it nice and easy for the non-technical members of the fam.
flaburgan · 40m ago
Does it really have to be installed in the local network? I would like to set it up once on a server and then be able to configure the box of all my friends, family, etc.
the_dude_ · 1m ago
It depends on your needs, but for me I set it up as the DHCP server and configure the router to go through the pihole. If you want to share it with family and friends there is no better tool than Tailscale; you can configure the pihole as an exit node.
rement · 3m ago
Be aware that if you run it on the internet other people will find it. I had one open to the web for a bit and was a bit surprised how many systems started making requests to it.
Larrikin · 21m ago
You can run it on your phone and outside of your network with something like Tailscale as your VPN
ryandrake · 1h ago
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
jamesgeck0 · 54m ago
I don't _think_ you need a whole Raspberry Pi 5 kit. It seems like an older Raspberry Pi 3B+ would get the job done for $35 or so. Maybe even a Raspberry Pi Zero ($5) with a micro USB Ethernet adapter.
m000 · 7m ago
RPi5 is definitely huge overkill. Plus, it needs a power adapter, probably some cooling, and some space to seat it.
Pi Zero 2W + micro USB Ethernet adapter works perfectly for Pi-Hole, and has an almost invisible physical footprint: small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm Ethernet cable to avoid network cable management.
mikestew · 34m ago
Oh, it will definitely work on older ones. The one I have, w/o logging in and explicitly looking, is a 3-$SOMETHING, probably 3b+. Works just fine.
[1] https://github.com/dibdot/DoH-IP-blocklists
1: https://en.wikipedia.org/wiki/Dnsmasq
But you can do for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
https://youtu.be/bJHPfpOnDzg
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked
Currently I'm at 28% blocked. Typically I'm above 50% like OP.
They have a significantly higher number of domains blocked. Time to update my lists: https://firebog.net/