
Ad blocking with Raspberry Pi and Pi-hole - christian_fei
https://cri.dev/posts/2020-05-03-Ad-blocking-with-Raspberry-Pi-and-Pi-hole/
======
strenholme
I actually have been doing some work with MaraDNS to have the ability to have
a pi-hole sized blacklist. The main source of pi-hole’s blacklist is this Git
repo:

[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

That is about 60,000 hosts, so I added MaraDNS support to have up to 500,000
blacklisted names. Since it’s a speed-optimized (not size-optimized) cache,
each element takes about a kilobyte of memory, so a blacklist this size takes
about 60 megabytes of memory for MaraDNS to store (on a modern Core i7 7600U
processor, it only takes about two seconds to load all 60,000 elements into
memory), but it’s very rapid to use.

The script to take that blacklist and convert it into a MaraDNS-compatible
format is here:

[https://github.com/samboy/MaraDNS/blob/master/deadwood-github/tools/make.blacklist.sh](https://github.com/samboy/MaraDNS/blob/master/deadwood-github/tools/make.blacklist.sh)

There are ways to make the memory footprint of the blacklist smaller, but this
was a quick and simple way to implement a medium sized blacklist. Finding ways
to have, say, 10 million blacklist elements with a small memory footprint is
left as an exercise for the reader.

My current project is to make a proper Docker container for MaraDNS.

~~~
x3blah
Will you test the efficiency of the block list?

For example, given a block list of 60,000, how many hosts on the list did your
computer actually try to access? Have you ever read through one of those
massive blocklists?

I use a whitelist rather than a blocklist. Similar to a firewall, I block
everything by default. Then carefully choose what I allow.

This way I can see exactly what hosts I actually need to access. Makes it easy
to see attempts to access ad servers, trackers, phone home, etc.
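
The measurement asked for above (how much of a large list a network ever actually touches) can be taken directly from the resolver's own log. The script below is an added example, not code from the thread or from the Pi-hole project: it joins a dnsmasq-format query log, which is what Pi-hole keeps in /var/log/pihole.log, against the blocklist and reports how many listed names were queried at all, and which ones most often. The sample list and log lines are constructed; the list may be in hosts format (as the StevenBlack list is) or one name per line.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole): how much of a blocklist does
# this network ever touch? Joins a dnsmasq query log against the list.
# Assumed log format is the standard dnsmasq one, e.g.
#   May  3 10:00:01 dnsmasq[123]: query[A] ads.example.com from 192.168.1.20
set -eu
export LC_ALL=C

# blocklist_stats LIST LOG -> prints "HITS TOTAL": the number of distinct listed
# names that were queried at least once, and the number of names on the list.
blocklist_stats() {
    awk -v list="$1" '
        # Normalise a name: lowercase, no trailing dot.
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        FILENAME == list {
            sub(/#.*/, ""); if (NF == 0) next
            n = norm($NF)              # last field: works for "IP name" and bare "name"
            # Skip hosts-file boilerplate such as "127.0.0.1 localhost" or "0.0.0.0 0.0.0.0".
            if (n !~ /\./ || n ~ /^[0-9.]+$/ || n ~ /(^|\.)local(host|domain)$/) next
            if (!(n in block)) { block[n] = 1; total++ }
            next
        }
        # Only "query[TYPE] NAME from CLIENT" lines count; forwarded/reply lines are ignored.
        $5 ~ /^query\[/ {
            n = norm($6)
            if (n in block && !(n in hit)) { hit[n] = 1; hits++ }
        }
        END { printf "%d %d\n", hits, total }
    ' "$1" "$2"
}

# blocklist_top LIST LOG [N] -> the N (default 10) listed names queried most
# often, as "COUNT NAME" lines, most frequent first.
blocklist_top() {
    awk -v list="$1" '
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        FILENAME == list { sub(/#.*/, ""); if (NF) block[norm($NF)] = 1; next }
        $5 ~ /^query\[/ { n = norm($6); if (n in block) count[n]++ }
        END { for (n in count) print count[n], n }
    ' "$1" "$2" | sort -rn | head -n "${3:-10}"
}

# Constructed sample data (not real traffic) so the script runs stand-alone.
TMP=$(mktemp -d)
SAMPLE_LIST="$TMP/blocklist.txt"
SAMPLE_LOG="$TMP/pihole.log"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # mixed case on purpose
0.0.0.0 beacon.example.org
0.0.0.0 never-queried.example.com
EOF
cat > "$SAMPLE_LOG" <<'EOF'
May  3 10:00:01 dnsmasq[123]: query[A] ads.example.com from 192.168.1.20
May  3 10:00:01 dnsmasq[123]: forwarded ads.example.com to 9.9.9.9
May  3 10:00:02 dnsmasq[123]: query[AAAA] ads.example.com from 192.168.1.20
May  3 10:00:05 dnsmasq[123]: query[A] tracker.example.net. from 192.168.1.21
May  3 10:00:07 dnsmasq[123]: query[A] news.example.com from 192.168.1.22
May  3 10:00:09 dnsmasq[123]: query[A] ads.example.com from 192.168.1.23
EOF

echo "listed names queried / list size: $(blocklist_stats "$SAMPLE_LIST" "$SAMPLE_LOG")"
blocklist_top "$SAMPLE_LIST" "$SAMPLE_LOG" 5
```

Run it against a real list and a few weeks of pihole.log to see what fraction of the 60,000 entries ever fired; the per-name counts also show which trackers the devices on the network are actually talking to, which is the same information a default-deny whitelist setup surfaces, without having to start from a blank list.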

~~~
strenholme
MaraDNS (OK, Deadwood) can handle white lists too:

    
    
        upstream_servers = {}
        upstream_servers["."] = "192.168.253.253" # Never answers
        upstream_servers["good-domain.example.com."] = "9.9.9.9"
        upstream_servers["whitelist-entry.foo."] = "9.9.9.9"
        # And so on
    

The downside is that the code currently only supports 20,000 elements added
this way.

~~~
x3blah
I am a djbdns user. I also use nsd and unbound. I do not use "upstream" third
party DNS, such as 9.9.9.9. Surprised to hear that anyone still uses MaraDNS.

What I am curious about are these massive blocklists. Does anyone actually
read through them? Does it make sense to block 60,000 hosts when only, say, 100
or even 1000, ever stand a chance of being accessed by a user's computer --
due to the user's particular usage habits?

~~~
GekkePrutser
Well, why not? 60,000 isn't a huge amount for a modern computer. If they're
known to contain ads/trackers you want to block, then why not include them?

It might make sense though to do a periodic run through them to see if they
still exist.

------
Blackadderz
Pi-hole has been excellent. I was able to discover that my Samsung TV was
reporting minute by minute updates on what I was watching to a local
Australian company.

Unplugged it faster than I could swear.

~~~
ljhsiung
Ever thought about just buying a TV that has no network connectivity
capability at all i.e. "dumb" TVs?

Though rare to find a 4k/OLED TV that's "dumb", I managed to grab one.

If I do want certain smart features e.g. chromecast I can always just buy it
individually for like $30.

~~~
jedberg
I just don't configure wifi on the TV. I can't use the smart features but I
don't need to, I have other devices for that.

------
Sohcahtoa82
For my home desktop browser, I just use uBlock Origin to block ads.

But for my phone, I set up a PiHole running on an EC2 instance and VPN into it
from my phone. Blocks ads in everything, not just my web browser. The VPN is
configured to only tunnel DNS lookups, not traffic, so the EC2 bandwidth bill
is minimal.

~~~
billyhoffman
Interesting that DNS look ups go to the Pi-hole in EC2, but the subsequent web
requests come from the phone. This effectively nullifies the performance
benefit of CDNs. Your phone is where ever it is, but your browser is being
instructed to connect to edge servers that are geographically close to the AWS
region where Pi-hole instance is running.

That said, the massive performance gains of blocking ads and intrusive 3PC
probably more than makes up for it, but something to consider.

~~~
Sohcahtoa82
Never actually thought of that, to be honest.

But for the most part, I imagine it won't make much of a difference. I live
within 300 miles of the data center containing my EC2 instance.

------
LeoPanthera
The move of applications such as Firefox to start using DNS-over-https to
hardcoded DNS servers will render such user-modified DNS services useless.

Firefox can have this feature disabled, but more malicious applications will
simply not give you the choice.

~~~
mulmen
It's a tragic move. The DHCP/DNS ecosystem made managing devices dead simple.
OTOH I suppose we were foolish to ever think our devices were playing nice. Is
there a fix to DNS-over-HTTPS as a network operator? Can you MITM your "own"
proprietary devices? What dragons live there?

~~~
7786655
I know this is a crazy idea, but maybe we should stop buying locked-down IOT
devices?

~~~
mulmen
Sure, I don't really have any right now. In the long run I think that will be
impossible. When my TV dies I have to make a lot of compromises to get a dumb
display with(out) all the other neat features.

Also, moving DNS to the application instead of the OS just makes managing my
well behaved applications harder. It used to be possible to set this
automatically through DHCP, now I have to audit every application and make
sure it is using my preferred DNS and also manually configure those
applications.

DNS-over-HTTPS in Firefox doesn't really benefit me. DNS-over-HTTPS with a
DHCP configured server in my OS would be a beneficial _option_.

Really I would prefer something like DNS over TLS because that solves
everything. DNS keeps working, intermediate parties can't read my DNS requests
and I can reason about my network traffic, at least on devices I trust.

------
jedberg
Is anyone successfully using PiHole with non-technical users?

My main concern with putting PiHole on my home network is that for example my
mother in law might not understand that she can't get to some web page because
it's being ad-blocked, nor would she be able to go to the web admin page and
temporarily unblock it.

Even as a technical person sometimes it takes a while to figure out that a
page isn't working because of adblock or pi-hole.

How do people deal with this?

~~~
ObsoleteNerd
I've set it up for most of my close family and friends, added a physical
button to the top of the Raspberry Pi case that disables it for x minutes (x
changes depending who they are and their needs), so if they're having issues
they go press the button to access the problematic website.

I keep reading about people having to disable the Pi-Hole so much that it
becomes annoying, or constantly butting heads with websites that don't work
with Pi-Holes, but I can honestly say that I, and the people I've set them up
for, BARELY EVER need to use the Disable button. Not for online banking, not
for online shopping, not for any regular content consumed. I can't personally
think of the last time I needed to disable the Pi-Hole for anything at all. It
just sits there blocking ads invisibly, plugged into the back of my
modem/router, and is one of my absolute favourite parts of my tech stack.

What websites are people visiting that the Pi-Hole doesn't work with? I'm
genuinely curious, because I've been running mine for a couple of years now and
can't think of anything off the top of my head, and no one in my family group
has ever complained about it, with most telling me it's been flawless and
they barely ever touch the button.

~~~
jachee
> What websites are people visiting that the Pi-Hole doesn't work with?

Usually sites where the dev has based functionality on a JS module loaded from
an advertiser/tracker site, and that is being blocked, resulting in missing
functionality.

Two prominent examples that I've personally had to deal with: CVS, and Taco
Bell's iOS app.

Edit: Oh, and google's inserted redirects in shopping results lists are
blocked by default.

~~~
afishisafish
Airline metasearch engines like Skyscanner & Kayak use all kinds of
advertisement and tracking trickery.

------
ananonymoususer
Pi-Hole is a great project, and it's not limited to running on a Raspberry Pi
either. I've got it running as a (x86-64 Ubuntu) VM in the same hypervisor
that hosts my firewall. It's lightweight, super responsive, and provides great
statistics on what it is doing.

------
greencar
> Use it for ad-blocking in your home network and to finally browse the web,
> watch videos etc. without annoying ads.

It doesn't really do this as well as a browser adblocker, YouTube ads for
example can't effectively be blocked with pihole

~~~
schwartzworld
it's not really fair to compare it to an in-browser adblocker that way,
especially since using them isn't mutually exclusive. PiHole blocks ads
whether you are in a browser or not, an instant benefit for everybody on your
WiFi network.

~~~
BLKNSLVR
In fact, one of the best things about Pi-hole network wide blocking is the
removal of those 5 to 10 second otherwise unskippable ads in apps.

------
gurrone
I find it amazing how often ad blocking is discussed here, and start to wonder
how many peeps hanging out here on the other hand depend indirectly on ad
revenue to pay bills? There are obviously the big corps Facebook and Google,
but also my own small employer, which is in theory in a different biz, runs
ads on the web shop as an additional income source (which I find not very
clever, increases page load times and is simply not our core biz). Do we all
pay our bills with money made from the poor souls who did not get around to
install an ad blocker or advanced setups like a pi hole? I'm on the pro ad
blocking camp personally, also worked in the past in a biz that was 100% ad
financed for a short period of time. Also there the whole tech department was
using ad blockers.

~~~
dhimes
As always, it's not the ads most of us object to- it's the trackers. Google's
original idea for monetizing the web, that you would be interested in
something related to what you were searching for, apparently failed and now
everybody's trying to follow you around to see what you might be interested in
purchasing.

It needs to stop.

I know it's a lame solution but I use ff and containers and have a "shopping"
container for sites that I don't block trackers on. I also have various other
containers for other sites I don't mind knowing about each other. But mostly I
block them.

~~~
bluntfang
>it's not the ads most of us object to

I would love to see real data on this! Most of my peers don't want to be
marketed to, at least when it comes to internet advertising. Definitely when
it comes to traditional advertising (ie billboards are an eyesore, TV ads are
offensive or irrelevant or just plain annoying).

~~~
dhimes
Depending on how old you are, it used to be the norm in magazines and
newspapers. You have an educational product so you buy an ad on the
educational feature, for example.

I understand that advertisers pay for the sites I use and I would turn off the
ad-blocker if I was promised I wasn't being tracked. But we have no control
over those decisions so we do what we can.

------
strangelove026
This is a great repo. Step by step easy configuration of a pihole on a gcp
compute instance with openvpn. I had pihole running on my phone blocking ads
in the NYTs app!

[https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs](https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs)

------
m3at
The combination of pihole and raspberry pi has impressed me. I just checked
and the last reboot of my pi was 180 days ago, and since then things have just
worked.

It's in stark contrast with my server, which admittedly has more demanding
tasks. For $35 it's the most trustable computer I bought, I now have a lot of
respect for the Pi foundation.

~~~
mulmen
Is uptime really desirable in this situation? How do you get security updates
for a device that lives near the edge of your network?

~~~
m3at
You're right that's a fair question. My comment was trying to highlight the
robustness of the system more than uptime being a good metric for quality. By
that I mean that I didn't _have_ to reboot to keep the system healthy enough
to stay alive. That's unfortunately not the case of some other hardware I deal
with.

For my Pi I regularly update without a reboot, but that might not be enough
for kernel updates. I will look more into it.

------
brenden2
I use pi-hole, and it's great, but for browsers you still need something like
uBlock Origin installed to properly block ads. The thing I like about pi-hole
is it also blocks a long list of trackers that are bundled by various mobile
SDKs. There's no way to block those with iOS or Android, except at the network
level.

~~~
daveslash
I've been using Pi-Hole for quite a while now too. I also have several in-
browser ad blockers. In browser, I'm running Ghostery, uBlock Origin, and
Privacy Badger, DuckDuck Go's privacy essentials, and whatever Firefox's does
when you turn on all of the privacy respecting stuff. Honestly, I don't really
know what does what any more. I recently turned off pi-hole and started to
browse the web using Internet Explorer, just to see. _Holy Cow_... I'd
forgotten what the incredible-edible internet was really like.

~~~
mulmen
This is great and I'm glad it is working for you. I think you are about 6
months ahead of me as I now have two Firefox privacy addons and I'm shopping
for hardware to build a firewall box.

As I read your comment all I could visualize was an IE6 browser with 8
toolbars. The network stack of the future.

------
oschvr
Funny, I did the exact same thing 1 week ago

[https://oschvr.com/posts/blocking-ads-with-pihole/](https://oschvr.com/posts/blocking-ads-with-pihole/)

~~~
christian_fei
interesting! nice site

------
dastx
Another alternative is AdGuard Home. They've come a long way since they
announced it. I switched to AdGuard Home some 6 months ago and it has been
great.

~~~
ObsoleteNerd
I switched a section of my network over to it a few weeks ago, and I've been
having constant random internet issues since, and when I swap back to the Pi-
Hole the problems go away.

Is there some trickery to getting AdGuard to run stable? I have it running as
an Add-On to Home Assistant, so I'm not sure if that's causing the issues, but
I get lots of failed DNS queries, slowdowns, etc when going through AdGuard.

~~~
dastx
Not that I know of. I'm running on a pi3b and never had issues. I suggest
raising a GitHub issue, they're usually pretty quick to respond and quick to
fix bugs.

------
lordnacho
I'm looking for a way to combine the adblocking with a VPN switcher that takes
eg NordVPN and routes all my home traffic through a variety of tunnels (they
provide a load of openVPN files). Is there a ready-made way to do this? The
idea is for anyone in the house to be protected by both the adblock and the
VPN.

~~~
aesh2Xa1
I'm not aware of an "out of the box" solution, but maybe paying for NordVPN or
similar will do this for you.

VPNs typically tunnel your packets thru an encrypted connection to a gateway
somewhere else on the internet.

Ad blockers point your DNS to a resolver that blacklists ad domains. You can
use a VPN and still set your DNS to whatever you'd like. What works best for
you will depend on your threat model (or just privacy concern, as that other
term sounds loaded).

------
m45t3r
Thanks for the article for reminding me of the existence of this project. I
decided to do a setup in my home network using an old Raspberry Pi 1 that I
had. Mainly because the router of my ISP screwed up really hard in its DHCP
server, so I decided to disable it and use Pi-hole's one instead.

I tried to make this setup as robust as possible, using OverlayFS [1] so root
is read-only unless I remount it (to change configuration or upgrades) and
with a watchdog so it can auto-reboot in case my Raspberry Pi is unresponsive.
Pretty happy with this setup, and my internet seems more responsive than
ever.

[1]: [https://yagrebu.net/unix/rpi-overlay.md/wiki/Setting_up_overlayFS_on_Raspberry_Pi](https://yagrebu.net/unix/rpi-overlay.md/wiki/Setting_up_overlayFS_on_Raspberry_Pi)

~~~
christian_fei
Awesome!

------
jacques-noris
I'm surprised, that no one here has mentioned Eblocker yet. It works a bit
like Pi-hole, but is much easier to install and use. Eblocker used to be a
commercial product (with its own hardware), but since this didn't work out the
company open-sourced it a few months ago. It's free now, has a good interface
and great performance and the former developers are still working on it. You
can install it on a raspberry, but also on other SBCs. I'm in no way
affiliated with them, just a happy user.
[https://eblocker.org/en/](https://eblocker.org/en/)

------
bberrry
I wish it were more effective in removing Youtube ads on my kids' iPads, but I
understand it's a tall order. At least it gets rid of ads in most other apps.

~~~
jbaber
I pay google the $10/mo. for no ads on YouTube so the kids don't get exposed.

The extra benefits are:

- play video with the screen off to listen to lectures
- youtube music
- specifically good for letting the toddler hear the wiggles without having to watch a wiggles video on youtube

I also pay hulu for no ads. I'm happy for the opportunity to pay directly for
entertainment instead of with my eyeballs. No way to opt out of tracking,
though, hence the pihole.

~~~
brchn
> specifically good for letting the toddler hear the wiggles without having to
> watch a wiggles video on youtube

I like how you phrased this as a solved engineering problem.

------
doctoboggan
Does anyone have any good suggestions for blacklists? I've only been using the
default and am wondering if I should add some more items to the list.

~~~
zf00002
This is the only one I use:

[https://www.reddit.com/r/oisd_blocklist/comments/dwxgld/dblo...](https://www.reddit.com/r/oisd_blocklist/comments/dwxgld/dbloisdnl_internets_1_domain_blocklist/)

------
pharaohgeek
I set this up a couple of months ago and have been really happy with the
results. Ad blockers on our iPhones/iPads are fine, but not always completely
effective. I can't install one on my corporate laptop so there's no way around
ads there. Using Pi-Hole was a perfect fit. I've only had to whitelist a
single site that had problems with it.

------
delcaran
I currently use a 3-layered solution: browser blockers -> custom host file on
each machine (StevenBlack hosts for linux and windows, nebulo for android) ->
nextdns

I'm actually satisfied, but I'm trying to setup pi-hole+unbound on a
cloudatcost host I own to reduce the load on nextdns, so far without success.

~~~
dingaling
Pi-hole is just a script wrapper around dnsmasq. On a host or server you might
as well just do it straightforwardly:

[https://sfxpt.wordpress.com/2011/02/21/the-best-ad-blocking-method/](https://sfxpt.wordpress.com/2011/02/21/the-best-ad-blocking-method/)
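
Doing it "straightforwardly" with dnsmasq, as the comment above suggests, and applying the whitelist idea raised earlier in the thread, comes down to a conversion of the hosts-format list linked at the top (the StevenBlack list) into dnsmasq `address=` lines. The script below is an added example, not from the thread, the StevenBlack repository or the Pi-hole project. The file names and the whitelist contents are placeholders; the sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole): convert a hosts-format
# blocklist into a dnsmasq config with a whitelist. Each blocked name becomes
#   address=/ads.example.com/0.0.0.0
# which makes dnsmasq answer that name AND everything under it with 0.0.0.0.
# Each whitelisted name becomes
#   server=/cdn.ads.example.com/#
# which sends that name to the normal upstreams; dnsmasq picks the most
# specific match, so this wins even when a parent domain is blocked.
set -eu
export LC_ALL=C

# hosts_to_dnsmasq HOSTS WHITELIST [SINKHOLE]
hosts_to_dnsmasq() {
    hosts=$1; whitelist=$2; sink=${3:-0.0.0.0}
    awk -v sink="$sink" -v wl="$whitelist" '
        # Both files: drop comments and blank lines.
        { sub(/#.*/, ""); if (NF == 0) next }
        # Whitelist file: one name per line, kept in file order for the output.
        FILENAME == wl {
            w = tolower($1); sub(/\.$/, "", w)
            if (!(w in allow)) { allow[w] = 1; order[++n] = w }
            next
        }
        # Hosts file: "IP name [name...]" or a bare name per line.
        {
            for (i = (NF == 1 ? 1 : 2); i <= NF; i++) {
                name = tolower($i); sub(/\.$/, "", name)
                # Skip localhost/broadcast boilerplate and bare addresses.
                if (name !~ /\./ || name ~ /^[0-9.]+$/) continue
                if (name ~ /(^|\.)local(host|domain)$/) continue
                if (name in allow || name in seen) continue
                seen[name] = 1
                printf "address=/%s/%s\n", name, sink
            }
        }
        END { for (i = 1; i <= n; i++) printf "server=/%s/#\n", order[i] }
    ' "$whitelist" "$hosts"
}

# Constructed sample input so the script runs stand-alone (placeholder names).
TMP=$(mktemp -d)
SAMPLE_HOSTS="$TMP/hosts"
SAMPLE_WHITELIST="$TMP/whitelist.txt"
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample in StevenBlack hosts format
127.0.0.1 localhost localhost.localdomain
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET.   # mixed case and trailing dot on purpose
0.0.0.0 ads.example.com        # duplicate
0.0.0.0 allowed.example.org
cdn.ads.example.com
EOF
cat > "$SAMPLE_WHITELIST" <<'EOF'
allowed.example.org
cdn.ads.example.com
EOF

hosts_to_dnsmasq "$SAMPLE_HOSTS" "$SAMPLE_WHITELIST"
```

Write the output to a file under /etc/dnsmasq.d/ and restart dnsmasq (pihole-FTL on a Pi-hole, which embeds it). Because `address=/name/` also catches subdomains, a whitelist that only removes names from the list is not enough when the parent domain stays blocked; the `server=/name/#` lines are what actually punch the hole.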

------
accrual
For OpenBSD users there is unbound-adblock[0]. It's a small shell script that
uses only in-base utilities and can be run with minimal privileges.

[0] [https://www.geoghegan.ca/unbound-adblock.html](https://www.geoghegan.ca/unbound-adblock.html)

~~~
stock_toaster
Similarly, there is also void-zone-tools[1] for FreeBSD.

[1]: [https://github.com/cyclaero/void-zones-tools](https://github.com/cyclaero/void-zones-tools)

------
Havoc
There are dockerised versions as well if you happen to have a docker stack
somewhere in your home

~~~
christian_fei
I like the pi-hole installer a lot, since it's a damn one-liner. I was amazed
by its simplicity.

~~~
Havoc
Yeah definitely easier to deploy on a raspberry than docker but means an extra
device

~~~
christian_fei
True

------
2OEH8eoCRo0
I already have a home server so I run the pihole container with Podman. Pretty
slick. It started as a quick project and then permanently tied up my raspberry
pi because the adblocking was so awesome I didn't want to shut it down.

------
NicoJuicy
I actually use NextDNS now, it's been on HN before and got good comments.

[https://news.ycombinator.com/item?id=22854209](https://news.ycombinator.com/item?id=22854209)

~~~
0x49d1
Very nice resolver: I've pi-hole at home, but NextDNS as DNS resolver on
mobile and as alternative DNS provider on home router. The setup works well,
the only real thing the browser's adblocker is still needed is YouTube ads ;)
Sure will pay for NextDNS when they will be out of beta.

------
IRegretNothing
I've tested pihole for months now, it's working really well.

Set up a VPN to an EC2 with pihole on it, no more ads on Spotify. Even family
members wanted the VPN config, they really appreciate it.

------
alecco

      curl -sSL https://install.pi-hole.net | bash
    

Sigh

~~~
christian_fei
[https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh](https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh)

~~~
alecco
Are you implying everybody is supposed to AUDIT a 2700 line bash script??

------
kd913
Please do note that Android appears to be quite weird in regards to accepting
network set DNS.

My observations so far have been that Android tends to ignore any DNS set by
either the network via DHCP or statically set. Android instead probes the
gateway for 8.8.8.8, and happily uses that instead.

The only way I have been able to solve this has been to setup a VPN (I prefer
wireguard) on the pihole. Android seems to accept this.

The above in combination with say a DDNS hostname means that I now have a
permanent adblocked VPN on my android phone which isn't too bad.

~~~
KungFuJohnny
If you have a decent router, then you can just forcibly redirect any DNS
requests from 8.8.8.8 to your PiHole.

~~~
kube-system
I have had good luck simply blocking any outbound port 53 traffic that doesn't
come from pihole.

Although with DoH these days, I'm not confident my firewall rule is still
doing a good job :(
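
The "forcibly redirect" and "block outbound port 53" approaches from the two comments above, written out as an added example that is not from the thread or from Pi-hole: a shell function that emits the iptables rules for a Linux router sitting between the LAN and the internet. The LAN interface `br0` and the Pi-hole address `192.168.1.2` are placeholders, not values from the thread. The function prints the commands rather than running them so the ruleset can be reviewed (or tested) first; pipe it into `sh` on the router to apply.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole): on a Linux router, send every
# plain-DNS packet from the LAN to the Pi-hole, whatever resolver the client
# has hard-coded, and reject DNS over TLS/QUIC so it cannot be used to get
# around the redirect. Interface and address below are placeholders.
set -eu

# dns_redirect_rules LAN_IF PIHOLE_IP -> prints the iptables commands.
dns_redirect_rules() {
    lan=$1; pihole=$2
    for proto in udp tcp; do
        # Port 53 from any LAN host except the Pi-hole, to anywhere except the
        # Pi-hole: rewrite the destination. The Pi-hole's own upstream queries
        # are exempted so they do not loop back to it.
        printf 'iptables -t nat -A PREROUTING -i %s ! -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$lan" "$pihole" "$pihole" "$proto" "$pihole"
        # Hairpin: the Pi-hole is on the same LAN as the client, so without
        # masquerading it would answer the client directly from an address the
        # client never sent to and the reply would be dropped. The cost is that
        # redirected queries show the router's address in the Pi-hole's stats.
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
            "$lan" "$pihole" "$proto"
        # Port 853 (DoT over TCP, DoQ over UDP) cannot be rewritten transparently;
        # reject it so clients in opportunistic mode fall back to port 53
        # (strict-mode clients fail closed). DoH on 443 is not caught by any of
        # this: it is indistinguishable from ordinary HTTPS at the port level.
        printf 'iptables -A FORWARD -i %s ! -s %s -p %s --dport 853 -j REJECT\n' \
            "$lan" "$pihole" "$proto"
    done
}

# Print the ruleset for review; apply with:  dns_redirect_rules br0 192.168.1.2 | sudo sh
dns_redirect_rules "${LAN_IF:-br0}" "${PIHOLE:-192.168.1.2}"
```

To check the redirect from a client, ask a public resolver for the name the Pi-hole answers itself, e.g. `dig +short @8.8.8.8 pi.hole`: if the Pi-hole's address comes back, the query was redirected; if the answer is empty, it reached Google. A client doing DNS over HTTPS will pass both checks and still bypass the Pi-hole, which is the gap the comment above is worried about.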

~~~
mulmen
If someone was rude enough to bypass DHCP's suggested DNS is it reasonable to
assume they were polite enough to use the standard port?

At this point every device on my network is hostile, default deny outbound is
starting to feel like the reasonable starting point.

------
tuananh
Some notes for those who want to use pihole:

- In Windows, if you use the primary DNS as pihole and the secondary DNS as another
cloud option (Cloudflare, Google), some ads will go through. Secondary DNS is
not failover DNS. Try it and you will see.

~~~
lostlogin
I don't think this is just Windows. I read the pihole documentation and came
to the conclusion that primary/secondary DNS was more "a dns server" and
"another dns server".

------
adam0c
I mean, this is a great project and all, but don't most modern routers already
have this built into them, and aren't they able to add VPNs?

~~~
winrid
I haven't tried it, but I'd imagine the Pi performs a lot better. I wonder if
anyone has benchmarked it against some common routers for this use case.

