
Pi-Hole 4.3.2 - bjoko
https://pi-hole.net/2019/09/21/pi-hole-4-3-2-release-notes/
======
boyter
Just recently I experimented going without my pi-hole or any ad blocker
software for 4 weeks to see what would happen.

My goodness the internet is a dumpster fire without it. So many pages lagging
and slow to load. Things I wanted to click that jumped when an ad loaded
resulting in misclicks. Annoying things following me around.

It was especially bad on mobile with the GDPR/Cookie notices and ads to the
point that on my iPhone SE some pages had a thin smear of the actual content
no taller than a single line of text. News sites were especially bad for this.

With the experiment ended my pi-hole and ad blockers are now set to very on
(and updated to this version and can confirm the block list went from 100,000
to 89,000) and I am much happier. Seems about 20% of the traffic on my network
is blocked now which explains why some pages performed so awfully.

The ad industry really needs to up its game because the current state of the
web is just horrible.

~~~
brenden2
Yep, my experience as well. There must be a better way. I think we're warming
up for a war since browsers (Chrome and Safari at least) have slowly started
making it harder to block ads, which I think will become a creeping
normality.

~~~
mtsr
DoH in Firefox will bypass your pihole too and have all your DNS data go to
cloudflare to boot.

~~~
deadbunny
You can disable that; both at a network level, and in the browser itself. You
can also choose a different DoH provider if you don't want to use cloudflare.

Yes, it should be disabled by default but it's not the end of the world. I would
hazard a guess that when Chrome implements something similar that it won't be
so easy to disable.

------
Mister_Snuggles
The one thing that's holding me back on actually using Pi-Hole is the lack of
flexibility. What I'd really like to see is the ability to do various things
on a per-client basis.

For example, one commenter wanted a simple "reload without blocking"
functionality and the response was to use a bookmarklet plus the Pi-Hole API
to disable it temporarily. This works, but the problem is that it disables it
temporarily for everyone and will inevitably result in "Hey, why's the ad
blocker broken?" "Oh, sorry, that was me" conversations.

Likewise, I'd also like to be able to configure block lists on a per-client
basis. I don't want any Facebook stuff (for example) to resolve from my
devices, but my girlfriend wants to use Facebook.

Similarly, I may want different rules on different networks. For example, I
may want to restrict what my IoT network can resolve differently than my
regular user network. This is really just a generalization of doing things on
a per-client basis.

Currently the only solution to these types of problems is to maintain multiple
Pi-Hole installations. This isn't a big deal if it's just one or two, but it
doesn't scale reasonably.

~~~
Sendotsh
I have 2 Pi-Holes running. One is the “family” one and our modem/router uses
it as primary DNS so basically everything on our network goes through it. This
protects the family and any visitors in the wifi.

The other is for me, and my personal devices have been manually set to use it
as their DNS. It filters a lot more aggressively as I am more willing to put
up with broken stuff for more privacy (eg completely blocking all FB domains,
lots of Google stuff, etc). It also means I can suspend mine for a bit if I
need to and not have the kids bombarded with ads.

~~~
universenz
This is the perfect solution in my opinion. I never considered using more than
one!

~~~
count
Easy to do running it in containers too!

------
zaro
Openwrt has DNS ad-blocking built in which works just as well as pi-hole. It
simply doesn't have the monitoring of what is being blocked but it is rarely
needed anyway.

[https://openwrt.org/docs/guide-user/services/ad-blocking](https://openwrt.org/docs/guide-user/services/ad-blocking)

~~~
theandrewbailey
If your router hardware is sufficient enough, OpenWRT supports QEMU, so you
can run Pi-Hole in that:

[https://openwrt.org/docs/guide-user/virtualization/qemu_host](https://openwrt.org/docs/guide-user/virtualization/qemu_host)

~~~
pimeys
I'm running it in an LXC container on OpenWRT. Better to have an external disk
connected for the container so the logging will not burn the internal storage
too fast.

------
donkeyd
I can't find this anywhere, but does Pi-Hole have any sort of client side
'reload without blocking' functionality? If I were to implement this in my
network and a user has issues with a page not loading/functioning correctly, I
feel like they'd need my help to add the site to a white list, which would be
pretty inconvenient.

~~~
y4mi
It has an API.

> _You can craft a URL that disables pi-hole for X minutes, using the API. You
> hit the bookmark and boom, pi-hole temporarily disabled. If you save it to
> your phone's home-screen, you've got an instant disable button._

~~~
Legogris
What I'd really like is temporary whitelisting a single domain. Just because I
need to use site X for a couple of minutes it doesn't mean I want the
floodgates open.

~~~
datenhorst
Wouldn't you have to whitelist multiple domains (30+ for theguardian.co.uk)
for a feature like "reload without blocking"?

~~~
Legogris
This is more for the case when a single JS file fails to load from a CDN or
things like ReCaptcha. Since it's an API, even if it would have been 30+ those
could all still be approved with a single script call.

------
1_player
I've had my Pi-Hole for a month now.

It's great, but many blocklists are bad. People often use
[https://firebog.net/](https://firebog.net/) to get their blocklists, and use
only those with a checkmark which are, quote, "least likely to interfere with
browsing".

Bollocks, I've had to disable a few of the recommended ones, and adding manual
whitelisted hosts because they were blocking legitimate sites
(ocsp.apple.com), blocking Windows updates, blocking Instagram altogether!

~~~
lightswitch05
I agree that blocking OCSP (Online Certificate Status Protocol) servers is a
bad practice. The argument to block them is that they can be used for tracking
purposes. OCSP stapling is a great way to use OCSP without the risk of
tracking - but not everyone does it or supports it.

Anyways, I maintain an 'Ads & Tracking' blocklist that I believe is pretty
reliable and you are welcome to give it a try if you like:
[https://www.github.developerdan.com/hosts/](https://www.github.developerdan.com/hosts/)

I've been maintaining my list publicly for over a year, and I've got to say
it's not always clear what deserves to be blocked, what should be blocked but
can't be due to broken functionality, and what is legitimate like the OCSP
servers. Everyone has their own personal level of expected privacy vs
functionality. It's impossible to make everyone happy. I just wanted to say
that being a maintainer of these lists isn't always easy. The obvious example
you provided with (ocsp.apple.com) isn't exactly obvious because it _could_ be
used for tracking, and it certainly isn't needed for functional reasons
(although I would argue that it is needed for security reasons). Anyways,
there is a lot of gray when it comes to blocking and you can't make everyone
happy.

~~~
drukenemo
Sorry for my ignorance, but how could I load these into Pi-Hole?

~~~
lightswitch05
No problem, there is a FAQ on it: [https://discourse.pi-hole.net/t/how-do-i-add-additional-bloc...](https://discourse.pi-hole.net/t/how-do-i-add-additional-block-lists-to-pi-hole/259/32)

------
asymmetric
I spent some time implementing a Pi-hole module for NixOS, but eventually
decided to go for a much simpler setup: dns server (dnsmasq or unbound) +
periodically updated hosts file (via systemd timer) passed to the dns server.

At the end of the day, that’s really all you need as a technical user, so I
couldn’t justify the rest of what came with pi-hole, which I believe targets a
less tech-savvy crowd.

YMMV and I’m very happy Pi-hole exists, I think I’m just not the target
audience.

--

EDIT: see here[0] for an example configuration.

[0]: [https://deadc0de.re/articles/unbound-blocking-ads.html](https://deadc0de.re/articles/unbound-blocking-ads.html)

~~~
apexalpha
>dns server (dnsmasq or unbound) + periodically updated hosts file (via
systemd timer) passed to the dns server.

This is what Pihole is...

All extra is just default blocklists, API access, dashboard with stats and
settings.

~~~
asymmetric
I invite you to look at the codebase more closely. Pi-hole is a fork of
dnsmasq (FTL), a PHP web app, and a python web application, plus a bunch of
shell scripts.

Compared to what I linked above, there's really no comparison in terms of
simplicity.

~~~
apexalpha
You literally said: "dnsmasq + periodically updated hosts file".

That is what PiHole, in its core, is!

The rest is just for the webserver, dashboard and API. You don't really need
that. Sure, your solution requires less code but I don't think it's easier
to setup or manage.

~~~
asymmetric
> The rest is just for the webserver, dashboard and API. You don't really need
> that. Sure, your solution requires less code but I don't think it's easier
> to setup or manage.

I think this really depends on who you are. For me, using a systemd timer and
a systemd service is easier than the set of ad-hoc solutions Pi-hole uses. For
someone else, probably Pi-hole is easier. That was my point in the OP.

------
fotcorn
I am running Pi-Hole at home (on a Ubuntu VM, no Raspberry Pi necessary). In
addition I have a Wireguard VPN server which uses the DNS server from Pi-Hole.
This way I have a system-wide ad blocker for my smartphone when connected to
the VPN. The latency hit from this setup is barely noticeable.

------
coretx
This might be an alternative for people who are too lazy for setting up a
pi-hole or desire things to be a couple of ms faster:
[https://simplednscrypt.org/](https://simplednscrypt.org/)

~~~
hendersoon
That isn't what I would call a simple solution for lazy people, it requires
the user to run a local service and download/setup their own blocklist, with
no way to automatically update it.

Adguard DNS is a simple solution for lazy people. Change your DNS server and,
well, that's it.

[https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)

------
apexalpha
I'm a huge fan of this project! I have 3 set-up right now.

One as container on my Nuc at home for myself, and 2 other on old Pi's (one is
a 1st gen B model) for family. A simple cron job to run every 2 months keeps
everything up to date. For myself I use Wireguard to only forward DNS packets
to the PiHole when I'm outside the house.

If you install a PiHole (and maybe Unchecky.com) your help desk calls from
family will drop by 90% (personal experience).

------
rietta
I have Pi Hole running on my LAN and it's amazing. Also helped me identify
that my Amcrest PoE security cameras aggressively phone home, even when no
cloud functionality is configured on them. All the reason to keep them on
their own VLAN and off the Internet.

~~~
Mister_Snuggles
Separate VLANs is the right answer.

Phoning home is not an Amcrest-specific thing, all of my cameras (I have a
handful of Amcrest and D-Link cameras, and one Reolink camera) try to do that.
I've put them all in a separate VLAN which can't access anything, not even
DNS. The NVR software lives on a different VLAN and is able to open
connections to the cameras for recording.

This setup works perfectly. Most importantly, the cameras all work fine even
if they can't phone home.

~~~
lifty
What access point do you use that offers VLAN functionality?

~~~
tga
For an actual AP, check out the Unifi AP line.
[https://www.ui.com/unifi/unifi-ap](https://www.ui.com/unifi/unifi-ap)

For a home wireless router, you can buy a supported device and install
OpenWRT.
[https://openwrt.org/supported_devices](https://openwrt.org/supported_devices)

------
crstin
As the situation has worsened with the latest release of Safari I'm really
interested to globally setup Pi-Hole on a VPS via docker and use it in
combination with VPN (Strongswan) for all of my devices (also mobile). Has
anybody had success with such a setup yet?

~~~
obituary_latte
I have run pi-hole on the cheapest tier of Rackspace cloud server for 2+years
now with great success. It’s wonderful. Just configure my router's DHCP to set
my pi ip for dns and no ads anywhere (YouTube, streaming [except Hulu
unfortunately], and general browsing). It’s especially nice now that it seems
every company is offering their own streaming apps with ads. Recent example
was I wanted to watch an action sports video and firetv had it with the
redbull app. Ten or so minutes in and the video was interrupted with “here’s
some ads” stinger and then the video immediately resumed. Kinda caught me off
guard but produced an instant smile.

One thing to consider though is becoming a dns resolver for any random thing
on the net. What I did for this was create a bash script that adds the
visiting ip to iptables whitelist. Created an impossible-to-guess php page (pi
admin uses php so it’s already installed and ready to go) which takes the
REMOTE_ADDR and passes it to the bash script to add to iptables. Makes it
super easy to allow IPs when the ISP changes address or when visiting
family/friends and they want to use it.
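
The bash side of the "add the visiting address to the iptables whitelist" idea above, as an added example rather than the commenter's own script: the address handed over from the web page is validated as a plain IPv4 address before it is spliced into a command, and the rule is only inserted if it is not already present. The function names are constructed; `IPTABLES=true` runs the logic without root.

```sh
#!/bin/sh
# Added example, not the commenter's script. IPTABLES defaults to the real
# binary; set it to "true" (or "echo") to exercise the logic without root.
IPTABLES="${IPTABLES:-iptables}"

# Strict dotted-quad check: exactly four decimal octets, each 0..255.
# Anything else (empty, shell metacharacters, IPv6, hostnames) is rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Allow one client to reach the resolver on port 53 (UDP and TCP).
# Returns 1 and touches no rule if the address does not validate.
allow_dns_client() {
    client=$1
    if ! is_ipv4 "$client"; then
        echo "allow_dns_client: rejected '$client'" >&2
        return 1
    fi
    for proto in udp tcp; do
        # -C reports whether the rule already exists; insert only if it does not
        $IPTABLES -C INPUT -p "$proto" --dport 53 -s "$client" -j ACCEPT 2>/dev/null \
            || $IPTABLES -I INPUT -p "$proto" --dport 53 -s "$client" -j ACCEPT
    done
}
```

The whitelist only makes sense if the INPUT chain's policy for port 53 is otherwise DROP; the function adds exceptions, it does not create that default.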

~~~
rsync
"One thing to consider though is becoming a dns resolver for any random thing
on the net. What I did for this was create a bash script that adds the
visiting ip to iptables whitelist. Created an impossible-to-guess php page (pi
admin uses php so it’s already installed and ready to go) which takes the
REMOTE_ADDR and passes it to the bash script to add to iptables."

I hesitate to mention this, as it causes heads to explode, but the problem
you're describing is nicely solved with port-knocking. Might be easier than
setting up the php page, etc. ...

~~~
pdimitar
Pardon my ignorance: can you recommend a good learning material on port
knocking?

~~~
obituary_latte
Here’s an example: [https://www.inmotionhosting.com/support/website/ssh/how-to-u...](https://www.inmotionhosting.com/support/website/ssh/how-to-use-port-knocking) But just search googs for “port knocking” and you’ll find a ton of
info.

------
aurbano
I already have uBlock Origin on Firefox, with tracking protection set to
strict and I don't really remember seeing ads on desktop.

I guess the main benefit of the PiHole is to have ad blocking on mobile
devices, iPads... and others, do you think this is worth the effort of setting
up in your experience?

~~~
pimeys
You can see a screenshot from my VPN pihole blocking tracking requests from my
android phone and decide whether you need it or not.

[https://i.imgur.com/Hpcw42h.png](https://i.imgur.com/Hpcw42h.png)

~~~
aurbano
Damn, that's amazing.. can't believe 76% of requests are unnecessary.

Assuming you're running this on a RPi at home, do you have DynDNS or how are
you managing the external IP?

~~~
bjoli
I have similar numbers. 90% of the blocked requests I see come from 3 apps
that are particularly diligent about submitting metrics. 2 phones have outlook
installed and boy does outlook hate when metrics fails! Those phones alone
account for half of the DNS requests in a network with about 15 devices,
despite being out of the house for 9 hours every day.

------
philliphaydon
Dunno if this is a silly question or not. But is there anywhere to buy a
Raspberry Pi with pi-hole pre-configured on it?

I've wanted one for a while but just wanna plug it in and go to the web
console, not buy it set it up install it etc.

~~~
qzx_pierri
All you have to do is run a script from the pi-hole website to install. It’s
very effortless. Like.. literally effortless. If you’re posting here, I
guarantee you could do it in no time. The “hardest” part is excluding an IP
for the pihole & setting your DHCP server to serve that IP w/ new leases. Good
luck dude.

~~~
philliphaydon
Haha ok. I guess my Xmas present to myself this year is a raspberry pi and
setting this up :)

Thanks!

~~~
guilhermetk
Go for it, it's really worth the effort, even if it is a small one, with the
bonus of being fun (at least for me it is). I can't imagine setting up my home
network without pihole, and I'm considering setting it up at work, I manage a
small network with 100 devices connected to the internet.

~~~
benplumley
Can a Pi really keep up with that size of network or would you run it on more
powerful hardware/a VM?

~~~
theandrewbailey
DNS is a very light protocol. In addition, responses tend to be cached, so
it's not like the Pi would be hit with a dozen queries on literally every page
load for every client on the network.

------
testdelacc1
Is this substantially better than using ublock origin? I feel like my browsing
experience is pretty good right now, and I'm uncertain what the benefits to
upgrading are.

~~~
jeroenhd
No. But it works on all devices in your network (phone, computer, smart TV,
WiFi connected dishwasher, etc.). I've never really understood how much
tracking some apps on my phone did until I saw the graph showing lookups to
Facebook's and Google's servers. In the middle of the night, a bunch of apps
started trying to reach some tracking domain, something I would never have
noticed if it wasn't for the graphing feature.

One way I've noticed the difference with and without pihole is that most apps
on my phone become ad free when I connect to my home network. On most phones
ad blockers exist, but those are just another layer of software that needs to
be woken when the phone wakes from deep sleep.

I use pihole + uBlock in Firefox with tracking protection (on both mobile and
PC) for my browsing, but Pihole saves me the effort of finding a reliable
Android system ad blocker that's reasonably power efficient. I'm considering
also using it on my laptop as a VM to get the same features on the go.

------
yumraj
One unadvertised advantage of pihole is monitoring and blocking sites that you
don't want kids to use, such as the thousands of io-games and what not.

~~~
bloopernova
We use it to block phone-home sites that devices like "smart" TVs use to send
data back for the manufacturer to profit off.

~~~
TheChaplain
There was a thread a month ago here (or on Reddit perhaps) about SmartTVs
scanning/connecting to open hotspots if they can't phone home from their wlan.

Someone also claimed TVs from the same manufacturer connect to each other in
a mesh to find a way to phone home but that sounds a little too spectacular...

------
froindt
Preface: I'm moderately technical but don't understand the specific nuances of
DNS.

Is there any possibility Pi-Hole and the DNS server plus hosts file could be
used in an attack? Could I set up a web server with identical UI to my target
site, get one of the list providers to direct chase.com to my IP, list gets
propagated to all Pi-Hole devices, and start collecting credentials?

~~~
wnissen
At the moment, if an attacker has control of your DNS, it's game over before
you even start. There are some technologies that help, such as secure DNS
(DNSSEC) and "certificate pinning" but they don't do everything.

~~~
tptacek
In the case of DNSSEC, it doesn't do anything in this scenario, for two
reasons: first, and most importantly, virtually nobody uses it (for instance,
like almost every tech company as well, CHASE.COM isn't DNSSEC-signed and
isn't likely to do so), and secondly because DNSSEC protects only
server-to-server lookups and not client-server lookups, so if your Pi-Hole picks up a
bad record somehow, DNSSEC isn't going to keep your browser from detecting
that.

------
intenseagile
I set up a pi hole a few months ago. I'm not sure why I waited so long to do
so. It's been great to be honest. Now and then someone in my family has a
broken web app and I have to whitelist a few things. Confused my wife once or
twice, but that's about the only downside. Now she knows to check with me if
she doesn't get the expected result.

------
onyva
Isn't it easier to set it up with wireguard? I’ve recently set up my turris
running “adblock” (openwrt) natively with only wireguard open, connecting from
my laptop, ipad and iPhone, which seems to me to be a far lighter and easier
setup ....

------
bni
Can Pi-Hole block YouTube ads yet?

~~~
dexterdog
Either pihole or ublock origin blocks them. That's what I use and I never see
them.

~~~
adestefan
I know ublock origin does because I have been using that on my systems and
never see them.

------
cellover
If the font is too thin for you:

* F12

* Console tab

* jQuery('body').css('font-weight', '500');

------
fluential
I’ve found any VPN, including WireGuard, running on mobile drains the battery
too much.

Disabling third party cookies works much better, and for mobile safari using
free ka-block.

------
Havoc
Not quite clear what they are replacing easylist with?

Like I get deprecating stuff but this seems like it’s still very much in
active use? No plan B/transition?

~~~
lightswitch05
If you are looking for more blocklists, I maintain several. I recommend my
'Ads & Tracking' list for most people. I also have an aggressive list - which
I don't normally recommend. I also have a Google AMP list and a Facebook
products list (not just facebook - but their other products as well). Anyways,
you are welcome to check it out and give me any feedback you have:

[https://www.github.developerdan.com/hosts/](https://www.github.developerdan.com/hosts/)

------
Jaepa
I really wish PiHole would support DOH. Currently if you want to have secured
DNS you have to set up a DOH local proxy, then connect pihole to that.

~~~
mc32
Can’t you setup cloudflared on your pi-hole or does it have issues?

~~~
hendersoon
That's what I did. Works fine. It would of course be far better if Pihole
supported DNS over HTTPS natively.

------
theomega
Any recommendations for block lists for PI-Hole? I found the default lists not
really covering enough. What lists are you using?

------
Fiahil
My pi-hole is blocking 20% of all queries. Can we say that 20% of end-users'
internet traffic is for tracking and advertising?

~~~
derrasterpunkt
These 20% of queries could be 50% (or whatever) of your traffic. It depends on
what would be downloaded if the queries were successful. You could measure the
websites you're visiting with/without the pihole.

------
dfischer
What's the most secure way to setup something like this on your network?

~~~
AnIdiotOnTheNet
The most secure server is one that is turned off, so I recommend that.

------
greenie_beans
cool! thanks for building this, fun for a hobbyist

------
glaberficken
Now what I really want is a universal gdpr-cookies-prompt killer. Does that
exist?

~~~
jannes
Yes! Activate the "annoyances" lists in uBlock Origin. I believe many of them
are off by default.

"AdGuard Annoyances" or "Fanboy's Annoyance List" and "Fanboy's Cookie List"
should do the trick.

However, I recommend enabling "Ignore generic cosmetic filters" in order to
not load giant stylesheets into every single page.

~~~
tombrossman
See also [https://www.i-dont-care-about-cookies.eu/](https://www.i-dont-care-about-cookies.eu/) for a larger and more specific blocklist.

I found it worked better for me because the annoyances list was too broad and
blocked too many legitimate page elements, such as the <div> containing the
play button for NPR podcasts.

------
auslander
Does Pi-Hole know when a request is third-party or first-party? IMHO only
browser knows that.

