
November Workshop: Running the Pi-hole Network-wide Ad-blocker, and more - ophelia
https://blog.cryptoaustralia.org.au/2017/11/02/pi-hole-network-wide-ad-blocker/
======
chewz
I am running a Pi-Hole-like system I assembled myself: OpenVPN, Tor,
dnscrypt-proxy[3] and dnsmasq[2] plus large lists of blocks from the Steven
Black hosts project[1] and FireHOL.

I have been running this for four years now in different incarnations and it
is generally smooth. It was also quite educational to assemble.

[1] [https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

[2] [3] dnsmasq isn't necessary, as dnscrypt-proxy is now able to block
domains and IPs and to cache requests. I am using dnsmasq mostly for DHCP and
to spread traffic among two dnscrypt-proxy clients and Google DNS.

~~~
QuasiAlon
Interesting. For the less tech savvy, is there a way to take the list on [1]
and _automatically_ update the hosts file on my own machine (Mac)?

~~~
Raphmedia
Not automatically, but you can use something such as Gasmask
([https://github.com/2ndalpha/gasmask](https://github.com/2ndalpha/gasmask))
to easily manage your hosts file.

~~~
unforswearing
You can actually use a "Remote" hosts file with Gasmask and set the update
interval in preferences. I actually just figured this out after a little bit
of trouble -- my issue was that Gasmask cannot fetch files from GitHub or any
https site[0]. There are non-GitHub mirrors listed in the table at
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)
which I have been able to use successfully.

[0]:
[https://github.com/2ndalpha/gasmask/issues/90](https://github.com/2ndalpha/gasmask/issues/90)
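
The thread above ends up pulling a hosts list from a non-HTTPS mirror on a
schedule. What follows is an added example, not Gasmask's code nor the
StevenBlack project's: a small updater that treats the downloaded list as
untrusted. A hosts entry can point any name at any address, and anything
fetched over plain HTTP can be altered in transit, so entries whose address is
not a sink (0.0.0.0, 127.0.0.1, ::1, ::) are refused; the worst a tampered list
can then do is block names, not redirect them. The marker lines, the path and
the sample list are assumptions made for this example.

```python
"""Added example (not Gasmask's or StevenBlack's code): fetch a hosts-format
blocklist, keep only entries that sink to a loopback/unspecified address, and
splice them into a managed section of the local hosts file."""
import ipaddress
import re
import urllib.request

BEGIN = "# BEGIN managed blocklist"   # assumed markers delimiting the managed section
END = "# END managed blocklist"
SINKS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
PLATFORM_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


def parse_blocklist(text):
    """Return (kept, rejected): kept are '0.0.0.0 name' lines, deduplicated;
    rejected are (lineno, reason, raw_line) tuples."""
    kept, rejected, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # hosts files allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            rejected.append((n, "malformed", raw))
            continue
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            rejected.append((n, "bad address", raw))
            continue
        if addr not in SINKS:
            rejected.append((n, "non-sink address", raw))   # a redirect, not a block
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in PLATFORM_NAMES:
                continue        # leave the platform's own loopback names alone
            if not HOSTNAME_RE.match(name):
                rejected.append((n, "bad hostname", raw))
                continue
            if name not in seen:
                seen.add(name)
                kept.append("0.0.0.0 " + name)
    return kept, rejected


def merge_hosts(local_text, kept):
    """Rewrite only the managed section; everything outside the markers is kept."""
    lines = local_text.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        b, e = lines.index(BEGIN), lines.index(END)
        head, tail = lines[:b], lines[e + 1:]
    else:
        head, tail = lines, []
    return "\n".join(head + [BEGIN] + kept + [END] + tail) + "\n"


def update(hosts_path, url):
    """Fetch, validate, merge, write. Needs write access to hosts_path."""
    with urllib.request.urlopen(url, timeout=30) as r:
        kept, rejected = parse_blocklist(r.read().decode("utf-8", "replace"))
    with open(hosts_path) as f:
        local = f.read()
    with open(hosts_path, "w") as f:
        f.write(merge_hosts(local, kept))
    return len(kept), rejected


SAMPLE_REMOTE = """\
# constructed sample of a hosts-format blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example  # trailing comment
127.0.0.1 localhost
203.0.113.7 www.example.com   # hijack attempt: must be refused
0.0.0.0 ads.example
0.0.0.0 -bad.example
"""

if __name__ == "__main__":
    kept, rejected = parse_blocklist(SAMPLE_REMOTE)
    print("\n".join(kept))
    for n, why, raw in rejected:
        print("rejected line %d (%s): %s" % (n, why, raw))
```

Run `update("/etc/hosts", url)` from a cron or launchd job with root privileges
(on a Mac the file is /etc/hosts and is root-owned). urllib fetches HTTPS, so
pointing this at the GitHub URL removes the tampering window altogether; the
address check still matters for any mirror that only offers plain HTTP.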

------
ophelia
Hey CryptoAUSTRALIA is here. We are answering questions in the next hour or
so. Proof:
[https://twitter.com/CryptoAustralia/status/92598468889577062...](https://twitter.com/CryptoAustralia/status/925984688895770624)

~~~
softwarelimits
Why don't you add anything to the project to encrypt DNS traffic by default?

------
juriansluiman
PiHole is a fantastic system and works really well.

The only issue I have is that its installer works on a bare system. I prefer to
use the Pi as a multi-purpose system: for Home Assistant, as a UniFi controller
and for pi-hole. It will cost you some time to get it running with all the
pi-hole features (auto update and so on) operational.

~~~
ekianjo
Did you describe the steps you took to make it run on such a system? I would
be interested as well, as long as I don't need to get another Pi :)

~~~
cbzbc
Install raspbian, install docker:

[https://www.raspberrypi.org/blog/docker-comes-to-raspberry-pi/](https://www.raspberrypi.org/blog/docker-comes-to-raspberry-pi/)

Then install pi-hole inside docker:

[https://hub.docker.com/r/diginc/pi-hole/](https://hub.docker.com/r/diginc/pi-hole/)

Obviously port 53 needs to be mapped externally - port 80 inside the container
you can map to something else, and then use nginx on the host to redirect to
that port.

------
rndomsrmn
Or you just use a very basic dnsmasq installation and make use of a list like
[https://github.com/notracking/hosts-blocklists](https://github.com/notracking/hosts-blocklists)
that allows you to also block full domains.

Been using this list for several months now without any issues.

Besides that, it's worth reading into dnsmasq's configuration in more detail;
in the end pi-hole is just a preconfigured dnsmasq installation with a user
interface to manage hostname-based blocklists.
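
The difference the comment above points at (a hosts entry matches one exact
name, a dnsmasq `address=/domain/` entry matches the domain and everything
under it) is easy to get wrong when mixing list formats. The model below is an
added example, not code from dnsmasq, Pi-hole or the notracking project; it
reproduces dnsmasq's decision order for this case (local hosts data first,
then the most specific matching domain entry, with `server=/domain/#` as the
idiom for letting a subtree through to the normal upstreams). The sample
config is constructed for the example.

```python
"""Added example: a model of how dnsmasq decides a query when fed a hosts-style
list and address=/domain/ entries. Not dnsmasq's own code."""


class DnsBlockModel:
    """Exact names come from hosts lines; domain suffixes from dnsmasq lines."""

    def __init__(self):
        self.hosts = set()     # exact hostnames (hosts-file format)
        self.domains = {}      # suffix -> "sink" (address=) or "forward" (server=)

    @staticmethod
    def _norm(name):
        return name.strip().lower().rstrip(".")

    def load(self, text):
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("address=/"):
                # address=/d/0.0.0.0 (or address=/d/ for NXDOMAIN): d and all names below it
                dom = line[len("address=/"):].split("/", 1)[0]
                self.domains[self._norm(dom)] = "sink"
            elif line.startswith("server=/"):
                # server=/d/# sends d and its subtree to the normal upstreams;
                # server= never sinks, so any such entry counts as "forward"
                dom = line[len("server=/"):].split("/", 1)[0]
                self.domains[self._norm(dom)] = "forward"
            else:
                # hosts-file line: "<ip> name [name ...] [# comment]"
                parts = line.split("#", 1)[0].split()
                for name in parts[1:]:
                    self.hosts.add(self._norm(name))

    def decide(self, qname):
        """'sink' if the query would get the sink address, else 'forward'.
        Local hosts data is consulted first; otherwise the longest (most
        specific) matching domain entry wins, as in dnsmasq."""
        q = self._norm(qname)
        if q in self.hosts:
            return "sink"
        labels = q.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.domains:
                return self.domains[suffix]
        return "forward"


SAMPLE_CONFIG = """\
# constructed sample mixing both list formats
# hosts line: this exact name only
0.0.0.0 ads.example
# dnsmasq line: tracker.example and every name under it
address=/tracker.example/0.0.0.0
# exception: this subtree goes upstream as usual
server=/cdn.tracker.example/#
"""


def decisions(config_text, names):
    m = DnsBlockModel()
    m.load(config_text)
    return {n: m.decide(n) for n in names}


if __name__ == "__main__":
    verdicts = decisions(SAMPLE_CONFIG, [
        "ads.example", "www.ads.example", "tracker.example",
        "pixel.tracker.example", "cdn.tracker.example", "img.cdn.tracker.example",
    ])
    for name, verdict in verdicts.items():
        print("%-28s -> %s" % (name, verdict))
```

The practical consequence: a hosts-format list needs a separate line for every
subdomain an ad network rotates through, while one `address=` line covers the
whole tree, which is why the notracking project ships a domains list alongside
the hostnames list.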

~~~
ophelia
OP here, it's true. Actually, Pi-hole relies on dnsmasq to resolve, block and
cache DNS requests. However, Pi-hole with its friendly web interface allows
people with less technical knowledge to block ads, trackers and C2 servers.

------
mikehotel
If you are running LEDE on a modern router, it's easier to install and use
simple-adblock.

[https://github.com/stangri/openwrt-packages/blob/simple-adblock/net/simple-adblock/files/README.md](https://github.com/stangri/openwrt-packages/blob/simple-adblock/net/simple-adblock/files/README.md)

------
Jaruzel
I ran Pi-Hole for a few weeks, and found it was more trouble than it was
worth. Because it blocks at the DNS level using (very large) DNS blacklists,
it was cumbersome to temporarily whitelist domains when you hit a site that
just wouldn't load properly, as you had no idea which of the many domains that
site was requesting were being blocked. By comparison, using an in-browser
adblocker you can just disable the adblocker and reload the page, and once
done, a single click re-enables the adblocker again. Also, Pi-Hole used to be
undetectable by anti-adblocker scripts, but now it isn't.

Although very good at what it does (almost too good in fact) it is a blunt
instrument that may or may not suit your needs.

~~~
ophelia
I've been running it at home for about a month and I find it no less
cumbersome than a browser plugin. The whitelists are permanent, and if you
think it's blocking something, you can look at the block list log & whitelist.
As a last resort you can also disable it temporarily.

~~~
Griffinsauce
You meant to write "no more cumbersome" right?

~~~
PuffinBlue
Unlikely, there's a subtle difference in the connotations of 'no more' and 'no
less' in this context.

'No less' is implying they're both bad. It is a subtly ambivalent statement.

~~~
djrogers
Using the phrase 'no less' implies that the former could be _more_ cumbersome
than the latter though, which I think was the opposite of his point.

------
kup0
I use a Pi pretty much exclusively for this purpose and it works very well.
Fairly transparent to me in terms of performance (DNS doesn't feel slower, at
least to me). Glad to see ads blocked across the network, including on mobile
devices (including in-app ads). Easy admin panel for
whitelisting/blacklisting/updating, and you can also do that via the command
line.

~~~
monochromatic
It might well be faster, as it caches requests locally.

------
dre85
Desktops are easier to deal with, but I installed Pi-hole with the hope of
solving the issue on my Android phone. I've had it running for some months now
and while it works it's certainly not a perfect solution. Even with it
running, YouTube ads still run rampant. For me, video ads and especially
YouTube ads are the most intrusive and annoying.

~~~
ashark
Anyone make a YouTube proxy-thingy that youtube-dl's the file, then serves it
through a light HTML video interface?

------
cup-of-tea
This looks good and something that I might set up soon. But why is it called
"pi-hole"? Is it specific to Raspberry Pi in any way? I'm not going to run it
on a RPi because I have other machines online anyway, so is there something
better that I can use for this purpose?

~~~
creeble
It can install on most Debian-based systems pretty easily. I had it running on
a VPS for a few months before running it on a Pi on my LAN.

Just be aware that running an open resolver on the Internet can make you a
source for a DNS amplification attack. I ended up just using a firewall rule.

------
yCloser
Used a pi-hole for a while. It was great!

Then one day the power went out, and my SD card was corrupted.

(I know, I should have had a backup. I want the internetz to work when I
return home in the evening, not to flash-try-format-reinstalldebian etc.)

BTW, I tried using pihole on a VPS and everything was perfect.

------
JustSomeNobody
Make sure your router is set up with a secondary DNS server if you do this. I
made that mistake and took my server (which is where I host this) down for
maintenance while everyone was home. I could NOT get into my router config
fast enough!

------
voltagex_
I wonder if as people get on the NBN (ill-fated fibre (now copper) broadband
project) whether the Pi will be a bottleneck. I can download at ~90 megabit on
a good day - that's about 3 times faster than my Pi 3 can handle.

~~~
amigoingtodie
That is less than 12MB of transfer per day. Pi should handle it fine.

~~~
majewsky
Pretty sure that "90 megabits" means "per second", not "per day".

------
nyolfen
> but we’ll be focusing on getting it working on a small, ARM-based computing
> device called a Raspberry Pi (RPi), which costs about $100.

?? do rpi's cost an absurd amount in australia or something?

~~~
bigiain
For people who don't have spare micro sd cards, spare usb cables, spare 1+Amp
capable usb power supplies, and who're maybe less prepared to have a bare
RasPi board powered up and running sitting on their table - $100AUD is about
the right expectation to set, yeah.

(I've always got all of that, and I still get grumpy when people talk about
the "$5 Pi Zero" - I've never been able to get a bare Pi Zero in my hand for
anything less than about $13US, which is close to $20AUD...)

~~~
cbzbc
I've come to the conclusion that unless you need space, one of those low-end
servers with the manufacturer's rebate is usually a better buy for most people
than a Pi (HP Gen8/10, Dell T20, etc.).

~~~
bigiain
For me - a Pi is mostly about battery powered portable projects, and GPIO.

If I don't need either of those, a 2nd hand office grade pc can usually be had
for the same price as a Pi3 around here.

------
ww520
Is it possible to run it on a VPS somewhere and make Android point its DNS
setting to it? There are lots of stupid ads in the apps that could use some
blocking.

~~~
svermigo
I have it running there ... [http://adsorb.me/](http://adsorb.me/) I didn't
finish the web yet, but you can use this DNS.

~~~
creeble
Be careful of open DNS servers being used in amplification attacks. My
previous internet-based Pi-hole server got flagged for this.
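
Both of creeble's comments (on the VPS-hosted Pi-hole above, and here) describe
the same failure: a resolver reachable from the whole Internet that recurses
for anyone becomes an amplifier for reflected DNS floods (RFC 5358 covers the
problem). The script below is an added example, not part of the original
thread or of Pi-hole: it sends one recursive query for a foreign name and
reads the reply flags, so you can check a server from outside your LAN before
someone else does. `fake_reply()` builds constructed replies so the
classifier can be exercised offline; the resolver address and timeout are the
only assumptions.

```python
"""Added example (not Pi-hole code): minimal open-resolver check. A resolver
that recurses for anyone answers a foreign-name query with RA=1 and a record;
a properly restricted one answers REFUSED or stays silent."""
import random
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, qid):
    """Wire-format DNS query: header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(data):
    if len(data) < 12:
        raise ValueError("truncated DNS packet")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}


def classify(reply, qid):
    """Verdict for a reply to our recursive query for a name we do not host."""
    h = parse_header(reply)
    if h["id"] != qid or not h["qr"]:
        return "not-a-reply"
    if h["rcode"] == 5:
        return "closed"        # REFUSED: will not recurse for us (what you want)
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "OPEN"          # recursed and answered: usable as an amplifier
    return "ambiguous (%s, ra=%s)" % (RCODES.get(h["rcode"], h["rcode"]), h["ra"])


def fake_reply(query, ra, rcode, answer_ip=None):
    """Constructed reply for offline tests: echo the question section, set
    QR/RA/RCODE, optionally append one A record (name = pointer to offset 12)."""
    qid, flags, qd = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | (flags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0xF)
    out = struct.pack("!HHHHHH", qid, flags, qd, 1 if answer_ip else 0, 0, 0)
    out += query[12:]
    if answer_ip:
        out += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        out += socket.inet_aton(answer_ip)
    return out


def probe(server, qname="example.com", timeout=3.0):
    """Send the query over UDP/53. Run this from a host outside your LAN
    (a VPS or a phone on mobile data) to see what the Internet sees."""
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "closed (no reply)"
    return classify(data, qid)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: probe.py <resolver-ip>")
```

If the verdict is OPEN, fix it at two layers: have dnsmasq answer only on the
inside (`interface=` or `listen-address=` for the LAN or VPN interface, plus
`local-service` so it refuses non-local sources), and drop port 53 from
everywhere else at the firewall, e.g.
`iptables -A INPUT -p udp --dport 53 ! -s 192.168.1.0/24 -j DROP` (and the
same for TCP), with the subnet replaced by yours. A REFUSED or silent result
from outside and a normal answer from inside is the state you want.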

------
b3lvedere
Pi-Hole is awesome. It didn't take much effort to get it running on a small
default Debian 9 VM. The project is well supported as well. The devs are very
responsive on reddit.

Once a client asked if it were possible to block all internet ads in their
infrastructure. 20 minutes later I had a pi-hole up and running quite well.

I would like a better chronometer script though :)

------
j_s
Are there any writeups on MITM SSL (installing custom trusted root), ideally
showing how to whitelist parts of YouTube?

------
rollulus
How does such a system deal with TLS?

~~~
arkadiyt
It works at the DNS level, i.e. DNS requests to ad network domains are
blocked. It is not able to block first party tracking requests like ad
blocking browser extensions can.

~~~
majewsky
As a general rule of thumb, I consider DNS-level blocking like pi-hole a
defense-in-depth strategy only. It's great for situations where you cannot
install a regular blocker plugin (e.g. IoT, or webpages inside applications
instead of in a browser), but if you can, you absolutely want to use a
dedicated tracking blocker in addition to pi-hole.

------
trisimix
"we’ll be focusing on getting it working on a small, ARM-based computing
device called a Raspberry Pi (RPi), which costs about $100" holy fuck, that
made me laugh. I realize it might be Australian, but it came off to me as
satire haha.

------
amelius
I'm wondering if one day we can have a device between the computer and the
monitor that eliminates ads based on pixels only.

The advantage is that you can eliminate any ad, also if it is embedded in the
content, and not served from an ad-server.

------
wodenokoto
What do you do when you need to look at ads, or you have a false positive?

~~~
creeble
There is a "temporary defeat" button in Pi-hole that turns it off completely
for n minutes. I use it surprisingly frequently when I'm shopping for
something.

Google ads can be extremely useful when you're looking for something generic.
But I am happy to have Pi-hole block them 95% of the time.

I do wish I could completely turn off 'admin' in Pi-hole since I run it on my
LAN. Then I'd probably bookmark the "disable for 1 hour" button.

Which is probably possible anyway, just haven't dug into it.

------
yeswecatan
Does it matter which Pi you run it on? I'm slightly concerned about slowing
things down.

------
tyler33
I ran an ad blocker on my router; simpler and cheaper.

