
Pi-hole – A black hole for Internet advertisements - goblin89
https://pi-hole.net/
======
laumars
For those of us - myself included - who run a hosts file list (either using
dnsmasq like Pi-hole or directly), here are the sources that Pi-hole use so
you can add to your own solution:

[https://github.com/pi-hole/pi-hole/blob/master/adlists.defau...](https://github.com/pi-hole/pi-hole/blob/master/adlists.default)

There's a few on there I don't use and will look to implement. There's also a
few they seem to have missed (perhaps intentionally?) so below I have included
the lists I use in case it's useful for anyone else:

    
    
       http://someonewhocares.org/hosts/hosts
       http://winhelp2002.mvps.org/hosts.txt
       http://adaway.org/hosts.txt
       http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext&useip=127.0.0.1
       https://raw.githubusercontent.com/StevenBlack/hosts/master/data/StevenBlack/hosts
       http://www.malwaredomainlist.com/hostslist/hosts.txt
       http://www.montanamenagerie.org/hostsfile/hosts.txt

~~~
nigifabio
Sounds like an amazing setup, what about sharing all these scripts? How and why
did you build your browser?

~~~
laumars
It's just a shell script to manage dnsmasq running on my FreeBSD home server.
It's not sophisticated but equally it's written specifically for my server so not
very portable either.

I did think about writing something to share but projects like Pi-hole have
done a better job serving the community than I could have. So I just share the
sources I use instead in case any like-minded sysadmins find it useful.
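
One way to do the hosts-list-to-dnsmasq conversion discussed in this sub-thread, as an added example that is not laumars's script or Pi-hole's code. It keeps only sinkhole entries, never propagates an address supplied by a list, rejects names that could break the dnsmasq directive, and honours a whitelist; the function names and the example.* sample data are constructed.

```shell
#!/bin/sh
# hosts_to_dnsmasq [WHITELIST_FILE]
# Reads hosts-format lines on stdin and prints dnsmasq "address=" directives
# that sinkhole each listed name to 0.0.0.0.
hosts_to_dnsmasq() {
    whitelist=${1:-/dev/null}
    awk -v wl="$whitelist" '
        BEGIN {
            # Load the whitelist (one name per line, # comments allowed).
            while ((getline line < wl) > 0) {
                sub(/\r$/, "", line); sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") allow[tolower(line)] = 1
            }
            # Names that hosts files carry for the local machine itself.
            skip["localhost"]; skip["localhost.localdomain"]
            skip["local"]; skip["broadcasthost"]; skip["0.0.0.0"]
        }
        {
            sub(/\r$/, ""); sub(/#.*/, "")      # CRLF lists, trailing comments
            if (NF < 2) next
            # Only sinkhole lines are block entries. A line that maps a name
            # to any other address would redirect it, so it is dropped.
            if ($1 != "0.0.0.0" && $1 != "127.0.0.1") { rejected++; next }
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h in skip || h in allow) continue
                # Strict hostname syntax: a "/" or space in the name would
                # change the meaning of the address=/name/ip directive.
                if (h !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) {
                    rejected++; continue
                }
                print "address=/" h "/0.0.0.0"
            }
        }
        END { if (rejected) print rejected " entries rejected" > "/dev/stderr" }
    ' | sort -u
}

# Constructed sample: a merged download of several lists, with the domain
# that hosts one of the lists placed on the whitelist.
demo_blocklist() {
    wl=$(mktemp) || return 2
    echo 'lists.example.org' >"$wl"
    hosts_to_dnsmasq "$wl" <<'EOF'
# constructed sample in hosts format
127.0.0.1   localhost
0.0.0.0     ads.example.com tracker.example.net  # two names, one line
0.0.0.0     ADS.example.com
203.0.113.7 login.example.org
0.0.0.0     bad/name.example.com
0.0.0.0     lists.example.org
EOF
    rm -f "$wl"
}

demo_blocklist
```

dnsmasq applies `address=/name/ip` to subdomains of `name` as well, so the exact-match whitelist here does not exempt a subdomain of a blocked parent.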

~~~
time4tea
You could also use py-hole which is a simple apt install of a bit of python
that does the dnsmasq file creation and update.

It's pre-alpha but may work for you

[https://github.com/time4tea-net/py-hole](https://github.com/time4tea-net/py-hole)

~~~
laumars
Thanks for the recommendation but the shell script I have works good enough
and has been for a few years now. Plus the container (FreeBSD jail to be
precise) is pretty low footprint so while I don't have an issue with Python
itself, it's an additional package I don't really need.

------
QuadrupleA
I definitely hate ads like anyone, but it should be acknowledged that ads
serve a purpose too, of creating an economy for free content and giving people
an avenue to get some income in exchange for their efforts, and possibly be
able to devote their full attention to a free project and not have to support
themselves with other income. Ads give creators some incentive to create stuff
- although the income generally isn't great unless your audience is massive.

That said, the ad networks out there seem pretty awful in terms of privacy,
slow-running javascript code mess, huge images or videos adding megabytes to
the size of what should be a simple text page, etc. So if it's not doing it
already perhaps this project can filter and put some pressure on the ad
networks to clean up their mess a bit and not harm the user experience so
much, and if an ad network is playing nicely, allow it through as a way to
support free projects and their creators.

~~~
zeta0134
I've maintained for a long time that the ad networks themselves are the
problem, not advertising as a whole. There is a place for video advertising
(around content that is also video), there is a place for audio advertising
(on the radio, around podcasts, on music services), and there is even a place
for animated, interactive advertisements, on sites that are expected to dance
and move anyway, like online games.

The trouble is, most third party networks are so laser focused on getting
people to "interact" with their advertising that they've skewed the game in
favor of distracting users from the content they arrived to consume. They're
so focused on targeted advertising that they regularly invade users' privacy,
utilize questionable data collection practices, and break down security
barriers when browsers try to shut down their violations of user trust. It's
no wonder ad blockers are on the rise, because the existing ad networks are
all untrustworthy.

There will always be a place for advertising when it's done properly. Watch an
NFL broadcast and observe the product placement, the logos and sponsors
everywhere. It's organic, integrated into the very fiber of the broadcast in a
way that couldn't be blocked with even the most sophisticated blocking
software. And it's also usually quite tasteful, there to promote the product,
but not distracting enough to detract from the game the viewers came to the
channel to watch.

This kind of advertising, organic product placement and sponsorships, where
the content creator and the advertiser have a real partnership and coordinate
their efforts, this is the kind of advertising I want to see more of. For all
the drama they tend to draw, I commend the Gawker sites (Gizmodo is
particularly good about this) for their Sponsored posts and their frequent
"Deal of the Day" posts, which are first-party advertising that my blocker
regularly fails to block. And you know what? Some of the deals are genuinely
interesting to me, because Gizmodo clearly _knows their audience,_ and selects
advertising partners that make sense on their blogs. More of that please!

~~~
derefr
> ad networks themselves are the problem, not advertising as a whole

I would perhaps say that it's _the way_ that ad networks interact with content
sites that's the problem.

With the current "automated just-in-time auction of the eyeballs of the
person-we-identified-using-the-site's-metrics, with the site itself just
providing the rectangle of space to slot the result into" model, content
providers are essentially entirely beholden to whatever the ad network thinks
is the best thing to put on their page.

An ad network _could instead_ be a sort of "marketplace" service that lets
content providers browse ads from various sources (or get ads suggested to
them, using the same algorithm they'd have used originally to force ads on
users), and then approve for display the ones they find tasteful/in line with
their brand.

That is, after all, the model for running ads in any other medium: the
publisher gets to provide ultimate editorial judgement on whether a given ad
belongs in their publication.

(Also, in such a model, the content provider would likely be the one hosting
the resulting ads, so we'd be able to avoid the whole ads = tracking beacons
problem we face today.)

~~~
stevesearer
As a publisher, I've made the decision to sell advertising in monthly blocks
like a magazine would as opposed to an eyeball-based auction system.
Anecdotally, I think this deters me from trying to maximize how much money can
be made off of every eyeball that visits my website.

I also sell and self-host my own advertising which can only be non-animated
jpgs/pngs which gives me ultimate judgement. There is a barrier to entry on
this style of ad sales, but overall I feel like it has been a worthwhile pursuit
so far in the 3 or so years I've been doing it.

~~~
derefr
It can be done relatively simply when you make direct deals with ad agencies
or cross-promotion deals with other product companies. The problem is that no
_ad network_ wants to be a part of it; and for the little guy, ad networks are
the only thing with economies-of-scale large enough to be interested in
purchasing your nearly-worthless ad-space.

Thus my view: we need a "catalogue of creative, you pick what you run"-style
ad network, so that the little guys have somewhere to turn instead of
acquiescing to the existing networks and ending off with their sites showing
chumboxes[1].

[1] [https://theawl.com/a-complete-taxonomy-of-internet-chum-de0b...](https://theawl.com/a-complete-taxonomy-of-internet-chum-de0b7a070a2d#.n191s4hb5)

------
nkkollaw
With all the ad blocking technologies that are coming up, I wonder if Google
is devising something to counteract these efforts.

For instance, since browser-based ad blockers work from what I know by
blocking known domain names, couldn't Google create random subdomains and
serve the code from a different subdomain every day or even every few hours,
as well as change the way their JavaScript and HTML looks?

Even something very expensive to run would be justified with all the money
that advertising brings in.

If Google can create software that can tell what's in a picture, or if a
person in a picture is happy or not, why can't they find a way to fool ad
blockers..?

~~~
JoshMnem
Google makes efforts to prevent ad-blocking:

- Google Chrome for mobile doesn't allow add-ons so you can't install
ad-blockers. (You can install browser extensions with Firefox for Android.)

- Google Chrome uses a dark pattern where the address bar tends to send users
to the Google search results page instead of to their final destination
(compare the behavior with Firefox's). That means that even if you have an
ad-blocker, many users are likely to click on Google ads on the way to the
destination site, even if they are blocked on the destination site.

- Android doesn't provide fine-grained permissions control or root access, so
users can't block ads.

- Some of their content is designed to coerce users to buy restricted
Android-based content-consumption devices. For example, you can't buy movies
on YouTube and watch them HD in Google Chrome (at least on my computer). You
have to buy another computer that doesn't have root access (an Android device)
in order to consume the videos in HD. Once you're on the restricted device,
it's harder to block ads.

- Google introduces projects like AMP that try to convince webmasters to
restrict their monetization options and make it easier to appify the WWW. AMP
even serves your content from Google's servers. The more control of the
content they have from server-to-eyeball, the more options they have for
stopping ad-blockers (and the worse it is for open technology).

~~~
problems
> - Android doesn't provide fine-grained permissions control or root access,
> so users can't block ads.

One caveat here - Google devices are probably some of the most allowing of
root access and full device ownership - easily unlocked bootloaders basically
allow it to be a one button process.

Some manufacturers make you put your device on a shitlist with them before
they'll give you a key to unlock the bootloader and root it - others, like
Apple, won't allow you to at all.

Once you are rooted, you do have full ability to block everything and get
fine-grained permission control via XPrivacy for example. Android devices are
actually some of the best here mostly due to strong community support. You
can't even get this control if you want it on many mobile devices these days.

~~~
foodstances
And yet Apple introduced a first-class ad blocking mechanism into iOS that
even works in 3rd party apps (using SFSafariViewController). There are dozens
of ad blocking apps available on the App Store, which are much more accessible
to the average user than having to root your device and install apps that have
full root privileges.

~~~
problems
Yeah, that's definitely a step in the right direction, I certainly wouldn't
say that Google does nothing to protect their interests in advertising -
especially given their recent actions on the Chrome store with AdNauseum.

However, what I'm trying to get at is that, for example on iOS you still can't
block in-app non-Safari ads at all. On Android you can do that if you want to,
and a lot more, you can also block specific connections, block device-specific
identifiers, APN lists, accelerometers, wake state, etc - it's a better
compromise for someone concerned about privacy than other platforms even with
this considered right now.

------
ckastner
The installation shortcut given is

    
    
      curl -sSL https://install.pi-hole.net | bash
    

and one is expected to execute this as root.

Yes, I know this is supposed to be a convenience thing, but I wish people
wouldn't actively encourage this pattern.

~~~
dmbass
from the article:

> Our code is completely open, but piping to bash can be dangerous. For a
> safer install, review the code and then run the installer locally.

~~~
strictnein
The compounds in this medicine are public knowledge, but taking them could be
dangerous. For a safer experience, review all medical literature pertaining to
these compounds before consuming.

~~~
slau
Not really the same. One of the main issues with curl pipes is that the server
(or MITM) can detect that the request goes into a pipe.

This allows an attacker to display one (safe) source when you view it in your
browser on your workstation, or wget it, and serve a different (nefarious)
source when you curl/pipe it.

So, a more complete analogy would be: a bottle that gives you a safe chemical
compound when you extract it for analysis, but throws in some VX when you go
to administer it.

~~~
tpxl
How can you detect if the output is curl/piped?

~~~
nemo1618
Like so: [https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)

To combat this sort of thing, @jbenet made hashpipe:
[https://jbenet.github.io/hashpipe](https://jbenet.github.io/hashpipe)
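
One way to close the gap slau describes, as an added example that is not from the thread, Pi-hole or hashpipe: buffer the whole download, compare its SHA-256 with the digest of the copy you reviewed, and only then release it to the shell. The function names and the sample script are constructed.

```shell
#!/bin/sh
# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_emit EXPECTED_SHA256
# Reads all of stdin into a temp file first, so the next pipeline stage sees
# nothing until the complete body has arrived and been hashed. The bytes that
# get executed are then exactly the bytes that were reviewed, regardless of
# what the server chooses to send to a piped client.
verify_then_emit() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tmp=$(mktemp) || return 2
    cat >"$tmp"
    actual=$(sha256_of "$tmp")
    if [ "$actual" = "$expected" ]; then
        cat "$tmp"
        rc=0
    else
        echo "digest mismatch: got $actual, expected $expected" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Intended use with the URL from the thread. PINNED is a digest you compute
# yourself from the copy you reviewed, not a value published here:
#   curl -sSL https://install.pi-hole.net -o install.sh    # read install.sh
#   PINNED=$(sha256_of install.sh)
#   curl -sSL https://install.pi-hole.net | verify_then_emit "$PINNED" | bash
# On a mismatch bash receives empty input and runs nothing.

# Offline demonstration with a constructed stand-in for the installer.
demo() {
    reviewed=$(mktemp) || return 2
    printf 'echo "installer ran"\n' >"$reviewed"
    pinned=$(sha256_of "$reviewed")
    # Same bytes as the reviewed copy: released to sh and executed.
    ok=$(verify_then_emit "$pinned" <"$reviewed" | sh)
    # Body swapped in transit (constructed): nothing is released.
    bad=$(printf 'echo "something else"\n' \
        | verify_then_emit "$pinned" 2>/dev/null | sh)
    rm -f "$reviewed"
    printf 'match=[%s] mismatch=[%s]\n' "$ok" "$bad"
}

demo
```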

------
staunch
One thing is for certain, ad blocking is going to become more and more
prevalent and never less.

The end game for ad blocking is to all but eliminate advertising. An ad
blocking client could, ultimately, just block any domain that has aggressive
anti-ad block features.

With enough users doing this, new sites that are ad free would quickly replace
the old ad driven sites. Some of the ad driven sites would modernize.

Ads are a failed path. By eliminating ads we open the door to novel solutions.
Only a cynical fool could believe technology isn't up to solving this minor
problem. There are already a dozen potential solutions waiting for the
incentives to change.

~~~
finid
_With enough users doing this, new sites that are ad free would quickly
replace the old ad driven sites._

And how are ad free sites supposed to pay writers to make and keep the site
free?

 _There are already a dozen potential solutions waiting for the incentives to
change._

Go ahead and list them...

~~~
bunderbunder
My ideal would not be for all sites to go ad free. It would be for advertising
to go back to following the model it does everywhere else: Places that sell
space for advertising either sell it directly, or go with a 3rd party to
handle the advertising, but still maintain some control over what ads are
presented, how and when.

I have never found ads in buses and trains to be particularly obtrusive, and
usually don't find them to be tasteless. Advertising in print media is fine,
and oftentimes even useful. Advertising on TV and YouTube is generally
tolerable.

The only place where ads really become toxic is when they're being served up
through ad networks. As far as I can tell, nobody likes them. Users obviously
hate them - adblockers are darn near ubiquitous nowadays, and it seems that
folks have generally realized that most Web ads have more in common with junk
mail and telemarketing than they do with other forms of marketing. Advertisers
don't seem to like them much, either, or at least they don't like them enough
to be willing to pay anywhere near the price that they'll pay for ads
delivered any other way. And content providers have to be aware that they've
made a Faustian bargain.

But consider the advertising on a site like knitty.com, which is tasteful and
relevant. And it does it using a targeting model that's eminently sane and
civilized, namely, placing ads on a site you pick based on knowing that their
audience and your target market are one and the same. _That's_ an online
advertising model I can get behind.

------
gwu78
Default settings use remote, shared DNS caches run by an advertising company.

Regardless, this is a step in the right direction. DNS is highly effective for
filtering out advertising.

Personally I just run my own authoritative nameserver(s) with all the IP
addresses I need. No recursive cache.

When I browse to websites where I have never been and may not return, I am
never using a graphical browser that loads "resources" automatically from any
random domain.

I am using a browser I compiled myself. I am only reading text.

Binary resources, e.g., video, can be downloaded non-interactively with an
ftp/http client.

If it is an important website that I use repeatedly, then I have all the IP
addresses for the resources the website's pages will need stored in zone
files. Then it is "safe" to use a browser written by an organization company
that makes money from ads. All DNS requests are answered by my server(s).

I can retrieve (refresh) the IP addresses for my zone files very quickly with
custom software I wrote to do this. My lookups are faster than a cold
recursive cache and send out fewer requests.

IMO, the way to think about "ad-blocking" is not to try to imagine how to
block every possible ad server. Instead, just focus on what web content you
want and figure out what addresses you need to get it.

At one point a certain browser written by an advertising company had its own
DNS resolver. Imagine your /etc/resolv.conf being completely ignored. Food for
thought.

~~~
pgrote
Do you find a setup like this takes more time to gather the information you're
looking for? What is your primary reason for doing it this way? Privacy?
Avoiding malware?

~~~
gwu78
"Privacy? Avoiding malware?"

Neither. Those benefits are only side effects.

------
Animats
This is just a DNS filter. Why is it a big deal? DNS filters sort of work, but
they're not new or magic. They trigger some ad-blocking detectors when the ads
don't load.

~~~
geekamongus
Easy to run at home with a web-based GUI for whitelisting, blacklisting and
such. I like this tool a lot, personally, and it helps me feel better about
keeping the family safe(r) online at home.

~~~
olyjohn
Agreed, it's been really nice to run at home. Took about an hour to set up
from a diskless Pi I had sitting around, to a fully running system.
Maintenance has been zero so far, and haven't had any downtime or anything.

The best part was when I first fired up the web interface and saw that it had
already blocked 14 requests after hardly being up for more than 5 minutes.
Nobody was home at the time, so it was kind of a wake up call to see idle
devices reaching out to potential ad servers.

~~~
geekamongus
I was amazed at how much it was blocking on my Roku device hooked up to my TV.
I ended up having to whitelist a few things in order for it to work, but it's
blocking ads there too.

------
j_s
You may have missed the precursor discussion this past weekend, a walkthrough
of setting up pihole on VPS:

 _Set up a cheap cloud hosted adblocker in an hour for $2.50 a month_

[https://news.ycombinator.com/item?id=13852109](https://news.ycombinator.com/item?id=13852109)

Of particular added value there was mention of Android apps that can be setup
to self-host an ad-blocking VPN / hosts filtering without rooting:
[https://news.ycombinator.com/item?id=13853408](https://news.ycombinator.com/item?id=13853408)

[https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)

 _NetGuard is the first free and open source no-root firewall for Android._

~~~
ce4
Alas the plugin that does host-based blocking is not available in the play
store version, it's/was a paid feature for the version on GH only. (edit:
Don't know the current state though. remember from some time ago when I last
checked it).

~~~
j_s
Sounds like this is still true.

 _Optionally block ads using a hosts file (not available if installed from the
Play store)_

I re-linked NetGuard as the most user-friendly, but
[https://github.com/julian-klode/dns66](https://github.com/julian-klode/dns66)
was also mentioned.

------
24gttghh
I went so far as to set up Dnscrypt with a pi-hole setup recently and it was
almost as painless as advertised. And it finally gave me something productive
to do with my RPi3! [https://github.com/pi-hole/pi-hole/wiki/DNSCrypt](https://github.com/pi-hole/pi-hole/wiki/DNSCrypt) could
use a little wordsmithing, but it wasn't too bad.

------
nikon
Using this at home. Really interesting to see the blocked domains on the
dashboard. Realised my two Samsung Smart TVs were constantly calling home for
example. You'll eventually whitelist some things that break like Spotify/Sonos
IIRC.

I may switch to an Odroid C2 if I go with a permanent VPN connection as the
throughput of the RPi3 network port is not the best.

------
allendoerfer
I love how they recommend curl-bash-piping, but then put a disclaimer beneath
it, even with a detailed post about it. As if people would not just copy paste
it anyway. I think they were just trying to dodge the usual curl-pipe-bash-is-
evil comment thread – unsuccessfully, since I started it anyway.

~~~
JustSomeNobody
Yes, this is evil. Installing software off of <insert platform store here> can
be evil too.

Buyer beware.

------
kuon
I've been running a DNS based ad blocking for ages, but I realized that
recently, youtube has been serving ads from the same domain as regular videos.
I wonder if anybody has seen this.

~~~
dingaling
The primary difference seems to be that the real videos have '/watch?' in the
URL versus the ad videos.

------
crorella
When I tried pi-hole I often noted some urls were added 'automagically' to the
whitelist, they will show up a few days after I removed them. All of them were
weird domains.

~~~
promofaux
Pi-hole Dev here. The only domains added to the whitelist are the domains on
which the source lists are themselves hosted. It's probably complete over-
kill, but the reasoning behind it is just in case one list tried to blacklist
another.

Compare the "automagical" whitelist entries
([http://imgur.com/a/rxgsC](http://imgur.com/a/rxgsC)) to the Default
whitelist here: [https://github.com/pi-hole/pi-hole/blob/master/adlists.defau...](https://github.com/pi-hole/pi-hole/blob/master/adlists.default)

Edit: The code that does it: [https://github.com/pi-hole/pi-hole/blob/master/gravity.sh#L2...](https://github.com/pi-hole/pi-hole/blob/master/gravity.sh#L257-L266)

~~~
dmix
Looks like your comments were getting killed with [dead] automatically. Maybe
because of a new HN account combined with linking to the same site a couple
times cause it to flag some spam detector? I vouched for your comments so they
appear. Thanks for the project!

~~~
promofaux
Ah! I did wonder what was going on.. :) I've heard of HN before, but never
actively participated, hence only signing up today!

Thanks for vouching for me :)

~~~
dang
Sorry about that, and welcome to HN! (I'm a moderator here.)

You got hit by a spam filter; they're tuned more aggressively for new
accounts. We've marked this account legit so it won't affect you again.

------
a3n
This could be in response to any number of comments on this page:

I use uBO and a few other blockers. I almost never see an ad.

A few days ago I saw an ad, and I was surprised. It was for Cadillac cars. I
hovered over the ad, and it seemed to go directly to cadillac.com. And I was
sort of OK with that.

The page, and the ad, seemed to be designed like any other legitimate link to
another page or site. I don't know how the image made its way on to the page
and in to my browser, but it appeared much less intrusive than a totally ad
network-served ad.

Certainly the 1st party site could collect data about my visit and send it
somewhere, but at least they appear to be more in the loop than just opening
their site to all comers.

And if I clicked through to cadillac.com, they could do the same.

Anyway, that's more along the lines of what I've been wishing for as a
consumer in web ads.

~~~
SomeStupidPoint
If all ads were a picture with a link served as part of the page, I wouldn't
use an adblocker. I read newspapers full of ads and don't really mind -- the
ads make the local weekly free!

But it wasn't me who started an arms race decades ago with pop-over/under
chains and escalated with tracking scripts, auto-playing videos, and bidding
platforms serving malware.

Are advertisers really surprised people opt out of such toxic behavior?

~~~
JustSomeNobody
> Are advertisers really surprised people opt out of such toxic behavior?

I think some _are_ surprised. I think others take a more adversarial view
of it.

------
seedifferently
For anyone interested in a cross-platform single-binary alternative to Pi-
hole, I've been hacking on this:
[https://github.com/seedifferently/nogo](https://github.com/seedifferently/nogo)

(Disclaimer: I am the author of nogo)

~~~
ComodoHacker
1. Add subscriptions to popular lists like in AdBlock/uBlock with
autoupdating and people will start using it.

2. Prevent sites from manipulating the list via CSRF.

3. Packages/Installers with installation as a service/daemon would be a plus.

------
JustSomeNobody
Wow, somebody here hates the author. Every one of their comments is down voted
to death.

What gives? Did they do something to make people mad? I'm really confused.

------
gcb0
solution that doesn't require a dns server (or can be a dns server local
cache)

[http://someonewhocares.org/hosts/](http://someonewhocares.org/hosts/)

I add this to my modem/wifi ap. and then just let every device use it to
resolve. If the device allows to set a hostfile, I also add a local copy for
when I am not in my network.

~~~
dbg31415
* GitHub - StevenBlack/hosts: Extending and consolidating hosts files from a variety of sources like adaway.org, mvps.org, malwaredomainlist.com, someonewhocares.org, yoyo.org, and potentially others. You can optionally invoke extensions to block additional sites by category. || [https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

Direct link:

[https://raw.githubusercontent.com/StevenBlack/hosts/master/h...](https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts)

Also, I think OpenDNS blocks ads too. Haven't tried it in a few years though.

* Home Internet Security | OpenDNS || [https://www.opendns.com/home-internet-security/](https://www.opendns.com/home-internet-security/)

------
ThenAsNow
I have to admit to doing as little as possible from web browsers on phones,
but on the desktop I rely extensively on uMatrix + NoScript (don't know if
adding PrivacyBadger on top would buy me anything). However, NoScript for
Android seems to be moribund and I don't think there is a uMatrix for Android
either. DNS-based ad-blocking seems very 90s (i.e., designed for an era that's
less invasive than today), and there's a ton of javascript content that really
needs to be filtered as well if you want to counter all the ads + tracking. Is
there any equivalent to NoScript + uMatrix on Android?

~~~
majewsky
I only have uBlock Origin on Firefox for Android, as opposed to uMatrix on
desktop Firefox. It's better than nothing wrt tracking blocking, and it kills
most of the ads.

------
geuis
I haven't had time to look at the code yet. I have some questions though.

As an experiment a while back I wrote a simple dns server that blocked
ad-related domains. [https://github.com/geuis/lead-dns](https://github.com/geuis/lead-dns). While it technically worked, it made
using the web almost non functional. Nearly every site was broken in some way.
So blocking purely by domain isn't going to work. I wonder how pi-hole is
dealing with it.

~~~
promofaux
We have a web interface with a whole host of tools to easily identify and
whitelist the domains that may or may not be causing issues with sites you
browse.

Everyone's mileage varies, but I have only had to whitelist 5 or 6 sites using
the default blocklists.

------
no_wizard
PiHole is pretty cool, very 'plug n play' which I like. A sufficiently
advanced average user can set it up without too much trouble just following on
a guide, even a relatively tech savvy 'lay' person can do this.

If you like a more technical solution I prefer something like running a
Unbound + NSD server

Here's some great tutorials on that:

(Kudos to the people who write Calomel, I really liked these tutorials, it was
a great way for me to get started and look into these services deeper once
understanding what was going on here)

[https://calomel.org/nsd_dns.html](https://calomel.org/nsd_dns.html)

[https://calomel.org/unbound_dns.html](https://calomel.org/unbound_dns.html)

Pairing that with squid proxy can be the ultimate win:

[https://calomel.org/squid.html](https://calomel.org/squid.html)

[https://calomel.org/squid_adservers.html](https://calomel.org/squid_adservers.html)

[https://calomel.org/squid_ua_random.html](https://calomel.org/squid_ua_random.html)

and don't forget dnscrypt people!

[https://dnscrypt.org/](https://dnscrypt.org/)

I'm really big into having ones own DNS server on the network instead of
completely using outside solutions. There is little overhead with a
sufficiently modern implementation.

Also, these solutions run on FreeBSD/OpenBSD for those who prefer.

As a complete aside. Aren't most routers, esp. business class routers, running
modified Unix/Linux anyway? Why on earth hasn't a reputable company made a
guns ready router that lets you have access to the Linux/Unix underpinnings
without flashing (albeit awesome) Open Source alternatives? I would think in
the 'business/enterprise' class hardware side this would be more prevalent.

Maybe I just don't know of any solutions like that available stateside. I
found one in Europe:

[https://omnia.turris.cz/en/](https://omnia.turris.cz/en/)

Can't get it stateside though :(

I instead custom built most of my networking hardware...but still.

~~~
grp
Check: [https://www.pcengines.ch/](https://www.pcengines.ch/)

Maybe you can get some alternatives based on those cards.

~~~
no_wizard
I'm actually wondering if they simply didn't repackage this hardware with a
better than average design for a case, frankly. The specs are very similar. I
think even though these are AMD embedded processors they're ARM, not sure
though, it didn't say (or I missed it).

Thanks for the link!

------
toad_tyrrant
I just set this up at home yesterday (using an Odroid C2). A very pleasant
experience so far.

I'm trying to find other services that are worth running in a similar fashion.
Any ideas?

~~~
wtfishackernews
Not strictly useful for yourself, but you could run a tor relay
[https://www.torproject.org/docs/tor-doc-relay.html.en](https://www.torproject.org/docs/tor-doc-relay.html.en)

~~~
toad_tyrrant
That is a decent idea.

I have never used Tor though, and I can't say I know the consequences of
running a relay. So I'd probably skip that.

~~~
wtfishackernews
As long as you don't run an exit relay, it should be completely safe and
legal. The EFF has a good write-up about it
[https://www.eff.org/torchallenge/what-is-tor.html](https://www.eff.org/torchallenge/what-is-tor.html)

~~~
toad_tyrrant
Actually, that is quite interesting. Thank you for the link.

------
harryf
Cache
[https://webcache.googleusercontent.com/search?q=cache:0qPVd8...](https://webcache.googleusercontent.com/search?q=cache:0qPVd8rUYXMJ:https://pi-hole.net/+&cd=1&hl=en&ct=clnk&gl=ch)

Also github project explains [https://github.com/pi-hole/pi-hole](https://github.com/pi-hole/pi-hole)

------
WhizzoButter
The Connectify Hotspot app added a similar feature recently. It'll block ads
for all clients connected to the hotspot. It's Windows-only though:
[https://www.connectify.me/blog/block-annoying-ads-connectify...](https://www.connectify.me/blog/block-annoying-ads-connectify-hotspot/)

------
vxNsr
How are people dealing with whitelisting when a website becomes broken because
of an over zealous block. I find myself turning off ublock for some websites
at least once a day, not because there are ads on the page but because they're
issuing a dependency somewhere that has been blacklisted.

~~~
wtfishackernews
Through the admin console, you can whitelist domains or disable all blocking
for a given amount of time.

~~~
Bedon292
Yeah, first thing I did after setting up pi-hole was go and visit all my
primary sites, and see what was being blocked. Then whitelisted things I was
OK with, or things that were breaking sites.

------
__oz
+1 for pfSense port.

Also, not sure how I feel about having this device as my primary DNS server
for my entire internal network. What if the project gets compromised and
injects a number of malicious DNS entries, now my entire network is toast?

~~~
wtfishackernews
You can choose to only use it on the machine it is running on, or point other
computers to it selectively.

~~~
__oz
To reliably run this DNS server I would have to have another host on the
network that uses a separate DNS route that checks every entry on pi-hole
against the secondary to confirm something fishy is not going on.
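
The cross-check described in the comment above, as an added example that is not part of the thread or of Pi-hole: it compares answer sets already collected for the same names from the filtering resolver and from an independent resolver. The function names, the sinkhole set and the sample observations (documentation address ranges standing in for public IPs) are constructed assumptions.

```python
import ipaddress

# Answers a DNS sinkhole gives for blocked names (assumption: adjust to your
# setup, e.g. add the filtering host's own LAN address if it answers with that).
SINKHOLE = {"0.0.0.0", "::", "127.0.0.1", "::1"}

# Ranges a public hostname should not resolve into.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

OK = ("match", "blocked", "nxdomain")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL)

def classify(primary, reference, sinkhole=SINKHOLE):
    """Verdict for one name: primary = filtering resolver, reference = independent one."""
    p, r = set(primary), set(reference)
    if p and p <= set(sinkhole):
        return "blocked"                      # expected ad-blocking answer
    if not p:
        return "blocked" if r else "nxdomain"
    if not r:
        return "primary-only"                 # record only the filter knows about
    if any(is_internal(a) for a in p - r):
        return "internal-redirect"            # public name pointed into the LAN
    if p & r:
        return "match"
    # No overlap: often just CDN or geo load balancing, so review, don't alarm.
    return "divergent"

def audit(observations):
    """Return {name: verdict} for the names that need a human look."""
    verdicts = {n: classify(p, r) for n, (p, r) in observations.items()}
    return {n: v for n, v in verdicts.items() if v not in OK}

# Constructed observations: name -> (primary answers, reference answers).
SAMPLE = {
    "news.example.org": (["203.0.113.10"], ["203.0.113.10", "203.0.113.11"]),
    "ads.example.net": (["0.0.0.0"], ["198.51.100.7"]),
    "bank.example.com": (["192.168.1.66"], ["198.51.100.20"]),
    "cdn.example.org": (["192.0.2.80"], ["192.0.2.144"]),
    "ghost.example.net": (["203.0.113.99"], []),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```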

------
ryandrake
I've been doing this at home for probably close to 10 years or so, set up
manually using dnsmasq, and periodically fetching new blacklists. Nice to see
it wrapped in a tidy package--great work.

------
vanekjar
Cool project! Great idea and nice UI. I have tried recently and it works fine
with HTTP.

The problem is with ads served via HTTPS and since today most of the pages are
using HTTPS protocol pi-hole is kinda useless.

For reference on this topic
[https://discourse.pi-hole.net/t/websites-hanging-timing-out-...](https://discourse.pi-hole.net/t/websites-hanging-timing-out-with-pi-hole-enabled/1530/13)

~~~
wlll
DNS happens before HTTP and HTTPS. If you block at the DNS level it will work
for both HTTP and HTTPS URLs.

That page you linked seems to confirm this, and that Pi-Hole works just fine
blocking HTTPS.

~~~
vanekjar
That's true, but instead of an empty ad being served (as in the case of HTTP),
the HTTPS request times out and increases loading time for many pages, because
the page waits until all JS loads.

Another problem is that some browsers will retry a failed request several times
(Chromium), effectively prolonging the time before the final error is confirmed.

More about HTTP retry can be found here
[https://tools.ietf.org/id/draft-nottingham-httpbis-retry-00....](https://tools.ietf.org/id/draft-nottingham-httpbis-retry-00.html)

To sum it up: using pi-hole had a negative impact on my browsing experience
because HTTPS pages were more or less buggy/slow.

~~~
detaro
HTTPS requests only time out if your setup doesn't reject them (also described
in your first link).

------
philplckthun
This is really neat! I'm wondering why the name is so Raspberry Pi-specific ;)

Is there a docker container for it already, by any chance?

~~~
pjc50
From Br. Eng. "shut your piehole" (slang), meaning "shut up".

~~~
philplckthun
yep, the name does explain itself, but "pi" and the logo are hinting at
raspberry pi

~~~
Zekio
It might just be it was initially made for Raspberry pi and then expanded over
time

~~~
promofaux
Exactly that!

The name has just kind of stuck, even though you can in fact run it on most
Linux distros (we officially support Ubuntu/Debian based distros, but there is
limited support for CentOS, and even forks for Arch, and Docker!), on a whole
host of different hardware.

------
verdverm
[https://github.com/looterz/grimd](https://github.com/looterz/grimd)

Is a golang ad-hole. I've found it to be more performant in both the
DNS/server and UI

------
zakk
Stupid question: how does it work when the majority of traffic is through SSL,
making a request to an ad and a request to actual content indistinguishable?

I don't think all websites serve ads from a different host. Do they?

~~~
neoeldex
No such thing as stupid questions, but ads are usually served through a
specific domain, which can be blocked, even with SSL

~~~
kirubakaran
How about this?
[https://twitter.com/officialjaden/status/329768040235413504?...](https://twitter.com/officialjaden/status/329768040235413504?lang=en)

------
SnaKeZ
Link to the Android Client (unofficial):

[https://github.com/friimaind/pi-hole-droid](https://github.com/friimaind/pi-hole-droid)

------
known
How do I test if it's up and running after curl -sSL
[https://install.pi-hole.net](https://install.pi-hole.net) | bash

~~~
known
dig news.ycombinator.com

------
jerrac
I wonder if there's any way to integrate this with OPNSense firewall. I
already have that set up as my LAN's dns server so I can name my internal
computers.

~~~
majewsky
Can you set the pi-hole as the firewall's upstream DNS?

~~~
jerrac
That's the direction I was thinking of going. My main concern is that I spent
quite a while figuring out the fastest dns servers to use, and I have them set
in OPNSense. I wonder how adding pi-hole to the mix will affect speed... (As
in, finding the dns servers that select the best servers for my streaming
video apps...) Guess the best thing to do is to try it. I would hope pi-hole
would let me select its upstream servers as well. :)

------
Walf
Network-level means no easy opt-out on a per-site basis. You cannot choose to
support certain sites or view occasional sites that, understandably, detect
ad-blocking.

------
shade23
Considering this happens at the DNS level, any idea how the websites which do
not let you view content till you disable the adblocker will react?

------
pix64
I feel like this is a bit dangerous because it doesn't allow the end user to
disable it if it breaks a website which is quite common.

~~~
promofaux
There is a disable button on the web interface[1] which allows you to either
disable it permanently, or for a specific amount of time. Of course, client
devices need to clear their DNS cache, too, in order for this to work
properly, but at the moment there is no way of automating that.

There are also other tools to help with blacklisted domains that cause
issues/site breakages, such as a query log to identify them, and the ability
to whitelist with ease!

[1] [http://imgur.com/a/DlIeq](http://imgur.com/a/DlIeq)

------
libeclipse
I used this for a while but I found that it was unbearably slow. Perhaps it's
too much to ask from a RaspberryPi3.

~~~
promofaux
When you say unbearably slow, do you mean the actual DNS resolution, or the
Admin interface?

An Rpi3, even a Rpi B or zero is plenty good enough for DNS queries! The Admin
interface has been a bit of a bugbear for a while, but we are working on some
massive improvements for the 3.0 release (coming soon™)

~~~
libeclipse
The DNS resolution itself was really slow for me, slowed down web browsing
severely.

Also I was really concerned by the fact that anyone on the network could
access history for everyone else. It's not a nice feature.

It's a good project otherwise, props to you guys.

------
KiDD
I tried using Pi-Hole but I have so much trouble with IPv6 DNS not working
that I just gave up...

------
jedisct1
dnscrypt-proxy can do filtering as well:
[https://github.com/jedisct1/dnscrypt-proxy/wiki/Filtering](https://github.com/jedisct1/dnscrypt-proxy/wiki/Filtering)

------
gravypod
What kind of minimum resources are required to run this? Can I run this on my
128MB VM?

~~~
majewsky
Most definitely, although it of course depends on what else you're running on
that VM. I have a home server running, among other things, a very similar
setup [1] based on dnsmasq and a simple shell script cronjob, and the dnsmasq
weighs in at ~12 MB memory usage (RSS).

[1] [https://github.com/majewsky/system-configuration/blob/bf0f2b...](https://github.com/majewsky/system-configuration/blob/bf0f2b7600ec13803cd0687a01828935ad0654da/holodeck-damogran.pkg.toml#L254-L385)

------
mirimir
Porting this to FreeBSD/pfSense would be cool.

~~~
Bedon292
I used pi-hole until I got pfSense set up. Then I migrated to pfBlockerNG,
which has a lot of the same DNS blocking capabilities built in. You may want
to check it out.

------
Vanayad
What about Windows? :(

------
noja
> Error establishing a database connection

Looks like someone has shut the Pi-hole.

