
Mmm, Pi-hole - cryptography
https://www.troyhunt.com/mmm-pi-hole/
======
ObsoleteNerd
My Pi-hole with updated block lists (blocking trackers as well as ads) sits at
around 87.7% requests blocked, which is absolutely mind-blowingly ridiculous.

I see absolutely no negative effects browsing like this. Everything I've come
across still works fine. Even sites that detect uBlock Origin and tell me to
disable it, will work with that disabled and Pi-hole still blocking the ads
instead.

I heavily believe we should be supporting creators, and go out of my way to
support them in direct ways (Patreon, buying merch, direct donations, Twitch
subs, etc), but I absolutely will not submit my family/kids to the mess that
is online advertising these days.

Ads that look like legitimate download buttons, or that run scripts to do
cryptomining popunders, autoplay video ads with sound, etc etc. Modern online
advertising companies are malicious entities that actively harm users, and I
absolutely classify them as malware.

~~~
NeedMoreTea
> I heavily believe we should be supporting creators

As do I. There are two significant issues I have supporting most sites:

1. They provide only a subscription that is comparable cost to an old-media
full subscription. Like most people in the Internet age I have a small number
of main sources that I visit daily, and a much larger secondary tier where I
may average one or two stories a week. Or they're the sites linked from here
that I only visit when something interesting is waved under my nose.

There's no low user or micro transaction options for these, so I get a choice
of pay say £10 a month or nothing, for a site I _might_ be getting £1 or 10p a
month "value" from.

2. I'm yet to find a site that takes my subscription and turns off ads _and_
invasive tracking. Just ads. Still not an equitable deal.

Leaves things a bit stuck, and me paying out a smaller amount than I'm willing
to.

~~~
lifeformed
I just want to pay a monthly "digital content fee" to some service and have
that money be fairly distributed to all the digital services I use: websites,
music, video, tools, etc. Is anyone working on a system like that?

~~~
xfitm3
Personally, I don’t want to pay anything for content. Look at cable tv. It got
so bad there is a cord cutting movement. The same will happen again in another
form.

~~~
codefined
I'm confused. You want people to write all content for free? Whilst that works
for a lot of people who do it in their spare time, it does restrict anyone
looking to write professionally from contributing.

~~~
1943820037
Not parent, but I would absolutely _demand_ people to write all content for
free.

I refuse to pay a single cent for anything that is even remotely accessible on
the Internet and does not result in a physical tangible good being delivered
to me, of which I pay $15/mo as acceptable rate-limited mobile LTE bandwidth
-- my only communication related recurring cost.

There are several reasons at play here:

- Content quality is not correlated with amount an author is "compensated".
In fact quality is almost universally _inversely_ correlated with
profitability. Once dollars are attached, out of the woodwork comes a bunch of
charlatans peddling useless shit that will not only give you no useful
advantage in seeking external information but will actively degrade your life
either through dubious advice that will trash your health, finances, legal
status, cognitive & mental state, relationships, you name it, or through
malevolent action such as selling your privacy or methodical persuasion in you
undertaking self-defeating behaviors by hijacking basic human emotional
reactions.

- Time has shown repeatedly that volunteers are the entire backbone of
quality information sources. I come to HN to have some chance of experts
congregating for an actual discussion on certain topics. QA forums,
encyclopedias, topic-specific discussion forums, educational materials, news
aggregation, scientific research, _all_ is higher quality in volunteer
communities before it's essentially leeched for profit by journals, website
owners, policy spinmasters, malvertising business, and venture capital.

- "Writing professionally" is not a useful skill in itself, no matter the
fantasy colleges want to dream up by funneling the otherwise academically
unfit into a program that will lead to a degree thus allowing them to join in
on the unnecessary inflationary credentialization of _remedial_ skills.
Linguistic mastery is a necessary but not sufficient requirement for creating
useful information, you first need a deep understanding of the material you
wish to cover. I'd much rather read barely comprehensible jargon from a
deranged genius than an eloquent soliloquy by some shill with no idea of what
he's talking about other than a general idea that permuting a dictionary in
the right magical incantation will summon a paycheck at the end of the week.
If you have skills that allowed you to amass wisdom in a field to the point
that it would benefit someone else, there are _much_ more efficient and useful
means to acquire income and instead use "writing" as a tool for social meaning
and development either through reciprocity, self-selection, altruism,
whatever.

- The greatest costs are borne not in writing but in deciphering meaning. The
combined readership burden of filtering out the wheat from the chaff will
_always_ exceed the cost of an author even doing "important" research. This is
the crucial point of it all, with some smart people realizing that if
information has any value besides propaganda it's due to careful curation,
summarizing, and tailoring to an individual's goals and instantaneous state-
of-mind, while even smarter people realizing that this will _never_ scale as a
business model. Even "clever" workarounds to this problem by infiltrating an
individual's web-of-trust in recommendations always end up backfiring. After
decades of this scheme being retried and rehashed, I now am completely
confident in ignoring whatever bullshit du jour comes out of the mouths of
family and friends, and am even running up against the problem of being
contrarian against my own internal thoughts.

- Even if against all the odds that you paid someone to get valuable
information in the long run you'll regret it. Give an inch, they take a mile.
Everyone who is dependent on a paycheck dreams of eventually retiring, and
quickly to boot once the actuaries remind them of the future. Once you paid
someone for content, you just anchored the negotiations of tomorrow and
crystallized the form of how protection money must be paid. "Oh I know you
paid back then, but life isn't getting any cheaper and I'd like to get to the
beach someday without working so I'm really sorry but I _need_ to add some
'features' that will juice my revenue!" Negotiating with terrorists is not a
strategy to get to a stable equilibrium in an iterated game -- the cat has
been let out of the bag and it's never going back in. Wake up.

~~~
WhitneyLand
Your views are factually incorrect, don’t suggest any real solution, and in my
view somewhat extremist. A realistic solution must consider the in turn
actions of all influential parties involved.

It’s economics. It requires modeling, strategies, and thinking equally about
all parties because it doesn’t matter whether you like them or not it matters
what the future would look like a few years out.

This is not personal I have no ties to ad revenue or professional writing.
It’s about putting emotion and philosophy in one basket and solutions in
another. You’re allowed to have both, but the latter should be dispassionate.

Just one example on the facts, writing professionally is provably a useful
skill. Take even what you may consider a mundane job of writing instruction
manuals. If it weren’t useful there wouldn’t be jobs and people being paid
money to do it. There’s all kinds of writing jobs that require little
independent domain expertise. That’s before we even discuss original or
creative content.

~~~
1943820037
> Extremist

You say that like it's a bad thing. Once you've stretched the limits of
acceptability beyond the capacity of short-term memory, anything of a
'compromise' is just a token dilution that keeps the same status quo intact in
everything except a temporary face-saving apology.

A realistic solution must consider the actions of all parties involved, but it
doesn't have to actually appease any of those parties with anything they may
want.

It's currently an adtech bubble, foaming to the brim. People speculating in
attention-based revenue and side-dealing surveillance armaments through
malware distribution to ferment the process should feel the losses when the
deal goes bad to set an example that hurting others isn't going to get you a
bailout. I don't care about your moral plea for "equality" where we make sure
no one suffers the consequences of damaging the commons such as the intrinsic
value of information and content.

Because of the adtech bubble, we have a _huge_ problem of noise pollution.
Valuable public research cannot be funded effectively because the public
realizes the history of paid "results" to turn a profit for media
proselytizing and reframing unpopular governmental policies.

Public institutions are no longer credible due to the obvious connections
between surveillance, profit, and legislation that is effectively mediated
through media companies.

There's a real solution here: puncture the bubble by drying up the money
stream. It'll help the useful creators in the long term that are being
suppressed by the influx of dumb content and blackholing clickbait algorithms
designed to minimize utility to maximize profitability.

Now, for writing professionally being a useful skill. That paragraph was
obviously in the context of becoming something like a journalist, blogger, or
news pundit where your income is paid by this scam of exchanging between
attention and currency though a network of super shady intermediaries.

If you're writing instruction manuals for a living, you're not getting paid
for how long eyeballs are on your work so that someone can monetize a reader's
susceptibility to suggestion. In fact if I hired you, you'd be paid by how
_quickly_ a human can view your instructions and move on with their life in
doing something productive.

And that's exactly my point: I know many communications major graduates and
many engineering major graduates. The former usually went into the program as
a last resort for underwhelming academic performance and trying to latch on to
the hype before it bursts rather than being gifted in communication ability.
The latter could definitely transition to professional writing, not because of
language skills that are essentially expected anyways but because their deep
understanding in a subject allows them to distill useful insights that are
rather hard to crack otherwise.

For example, I love IKEA/Lego instruction manuals not because a random
"professional writer" with no independent domain expertise was able to
checkmark that off his daily tasklist, but because the manual was made by
people with incredibly sophisticated knowledge of how to visualize and
communicate the ideas of physical assembly and knew their audience appreciates
that expertise. If you're able to document the assembly process, you're
qualified to critique and help improve the usability, design, and even
materials engineering that ultimately influences what you write in the manual.

This reinforces the idea that if you're just a writer, you're useless because
you _should_ be funneling what insight you distilled back to the process
you're documenting. And then you're not really a writer, but an engineer.

And just because there are jobs and people being paid money to do it doesn't
mean it's useful at all. Biggest fallacy I've ever heard.

~~~
CamTin
Sounds like this is against your beliefs, but I'd pay to read your newsletter.

~~~
tripzilch
Simple enough; pay it forward.

------
windexh8er
I'm surprised this is the top slot right now. Troy, generally, puts out
interesting info on security related news however this feels a bit minimal.
Since the project has been around a number of years now, and it's not
relegated to only a RPi I would have expected him to delve into things a bit
more. Pi-hole will also break things. I think the common one I always heard
from users on my network at home were that Google click-thrus for products
always fail. But... Don't deploy it on an RPi. It's not worth the
inconvenience of maintaining another entire device for a network service.
There's an actively maintained container I'd recommend, or it's very easy to
deploy as a VM. Troy also didn't hit on anything like DoH or DoT,
surprisingly.

Container link:
[https://hub.docker.com/r/pihole/pihole/](https://hub.docker.com/r/pihole/pihole/)

Edit: word

~~~
ryandrake
It’s essentially dnsmasq which can be run directly on your wireless router if
you are using custom firmware. No separate hw needed, no need to horse around
with dockers or containers or any of that stuff. I’d guess a lot of people are
already running dnsmasq for other purposes, so adding the blocklist and
periodically updating it should be trivial.

~~~
mistermann
Can anyone recommend a "2018 good choice" for a consumer router that can run
custom firmware (including dnsmasq), or a trustworthy recommendation website?
Wirecutter for example doesn't note third party firmware:
[https://thewirecutter.com/reviews/best-wi-fi-router/](https://thewirecutter.com/reviews/best-wi-fi-router/)

~~~
aurelian15
Not really an off-the shelf consumer router, but since you want to install
custom firmware anyways, you might want to consider the PC-Engines APU2 board
[1]. You can either install any "normal" desktop x86_64 Linux distribution or
a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports
hardware virtualisation, so you're able to run several VMs via KVM to isolate
the services the router is providing.

Of course this board doesn't come with the features of a fully-fledged
consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your
mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots
though.

[1] [http://pcengines.ch/apu2.htm](http://pcengines.ch/apu2.htm)

[2] [https://openwrt.org/toh/pcengines/apu2](https://openwrt.org/toh/pcengines/apu2)

~~~
__david__
I second this. I've been running PC engines stuff for a few years and it's
great. I currently have an APU and it handles my gigabit fiber no problem. I
use a separate off-the-shelf wireless router in bridge mode which lets me
upgrade that independent of the PC engines (wireless hardware tech moves
faster than router hardware tech).

I run openwrt on it and use the "adblock" package which works like pi-hole
(minus the nice web stats). Having it be a plain x86 CPU is nice—For example,
I compiled Telegraf on my local Linux machine (since openwrt doesn't have a
package for it) and was able to just drop it on with minimal problems.

------
galadran
> Do you use a popular browser extension? How confident are you that the
> creator wouldn’t accept a $10k offer to hand it over only to have it then go
> rogue on you?

What makes the Pi-Hole organization any more trustworthy? (and the software
stack it all depends on)

Personally, I'm inclined to trust them both and hope that the long arm of the
GDPR will be effective. Optimistic, I know.

~~~
msmith
Since Pi-Hole is a DNS server running on a separate machine, it just doesn’t
have the same level of access as a browser extension would. Even if it was
rogue, the worst it could do is share the list of domains that you visit, and
possibly hijack your HTTP (but not HTTPS) sessions.

~~~
galadran
You, and the other commentator, are forgetting that the DNS Server handles all
connections, not just those from your browser. Are you confident all the self
updating software you use has no vulnerabilities? How about the video games
that you play?

Even assuming the use of HTTPS, there are other threats. For example, PiHole
redirecting you to a MiTM, who simply observes your connection and can learn
sensitive information from the timing and length of your sessions.

I am not arguing browser extensions have strictly less access, just that both
PiHole and your extensions have a fairly catastrophic level of access...

~~~
lvh
You don't have to be confident it has "no vulnerabilities" (an absurd standard)
to understand that the worst possible vuln in the DNS server (say CSRFable RCE
in dnsmasq) still puts an attacker in a less privileged position than what
they get if they control uBlock Origin: UXSS. Now that browsers are serious
about mixed content, DNS poisoning just isn't as interesting as it used to be.

Also, odds are a lot of you are running dnsmasq on home routers already
without knowing it, and those are worse from several perspectives, including
patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a
thing in home routers!), and exploitability of network position (e.g. HTTPS
stripping on any non-HSTS website).

~~~
galadran
I absolutely agree with you about users already running dnsmasq, but the
context here is a malicious developer abusing their position. The actual
quality of the software is orthogonal.

I still think you are understating the risk of a malicious DNS server. As you
note, many users will have unpatched IOT or network facing devices (e.g.
cameras, baby monitors or other smart gadgets). With DNS spoofing they all
become vulnerable to a remote attacker...

Maybe we can agree if we consider different types of users? Technically
skilled users are likely to stick to secure hardware and have an awareness of
their general software vulnerability. They choose their passwords carefully
and are concerned about compromise. Less savvy users are more likely to own
insecure devices, use the same password everywhere and be less concerned by
account compromise.

High skill users have more to fear from a Web Extension, its impact is
undetectable and can siphon passwords. Low skill users have more to fear from
a malicious DNS server, they won't notice the lack of HTTPS on non-HSTS sites
and their hardware will get compromised remotely.

~~~
lvh
I did not say "a compromised DNS server is completely inconsequential", I said
that a compromised WebExtension with `*://*/*` and tabs permissions has UXSS
(obviously true) and UXSS is worse than compromising DNS resolution.

Which one of these is worse:

a) I might be able to convince a bad IOT device to connect to an IP I control
which may or may not let me do something interesting,

-- or --

b) I can just use your session cookie for GMail and reset all of your
passwords for your IOT services and also everything else? And since I get
UXSS, I can scan your internal network and get XSS on that IP/origin too. Or,
I dunno: try to use UXSS to log in to your home router and change the DNS
server to a machine I control?

The crux of your argument seems to be "it is more valuable to be able to point
an IOT device at the wrong IP than it is to get UXSS on a machine on that
network". That seems obviously wrong to me for any user, technical or not. If
anything, it's worse for non-technical users, because they by-and-large don't
have 2FA, making e-mail compromise far worse.

I only use the quality of the software in one sense: to bound how bad DNS
resolution could possibly be. dnsmasq has had more than one of those style of
game-over vulns. A malicious WebExtension or DNS server is indistinguishable
from one with a bad enough vuln.

~~~
galadran
> The crux of your argument seems to be "it is more valuable to be able to
> point an IOT device at the wrong IP than it is to get UXSS on a machine on
> that network". That seems obviously wrong to me for any user, technical or
> not.

If PiHole is malicious, there is already an attacker on your network, DNS
Spoofing is just one example of the possible consequences. The PiHole can also
port scan, connect to services etc. I don't think mounting an effective
phishing attack on a user would be very hard.

My point is that both scenarios are catastrophic, and it's hard to justify
choosing one over the other on the grounds "the developer might be malicious".
Telling people "don't worry a DNS server can't do much" is massively
understating the problem, considering all the local network devices directly
exposed to the PiHole device _and_ the fact it is the DNS server.

As I said, I use both and cross my fingers that Mozilla / Open Source code
review / the GDPR mitigates the risk of a bad developer.

~~~
lvh
OK, so there's an attacker on the network in both cases (UXSS and the worst-
case-dnsmasq-vuln). So, to compare the two, you look at what else you can do
-- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing
attack" -- maybe? Except on the most valuable phishing domains, which already
have HSTS -- and the UXSS alternative is that I literally control your browser
which is clearly worse since I have almost definitionally attained the goal of
the phishing attack! And if I really want to just steal your password instead
of just using your session, I'm guessing "full control of the DOM everywhere"
will help with that.

I have also already argued that an extension does not need to be malicious --
just buggy -- to get UXSS.

------
erikpukinskis
I fundamentally believe we have the right to transform content that comes to
our devices.

The idea that we have a moral duty to sit passively and absorb “experiences”
in their intended form... I just don’t see how that works long term. It will
just mean we get abused more and more and we have to take it.

No, if you want my business you have to find a way into my consciousness that
is compatible with the way I arrange information around me. That’s always been
the deal. You can put a free circular in my mailbox and I am free to toss it
without looking.

~~~
a_imho
You don't have to sit passively, you don't even have to block passively,
consider using / contributing to services like AdNauseam or Noiszy.

------
admax88q
Why are our devices so far outside our own control that we need to run an
additional device on our networks to help prevent them from making unwanted
network requests?

The whole approach of Pi-hole feels misguided. Blacklisting domains and hosts
should be something easily done on my device locally. Then it comes with me
when I visit friends or coffee shops, and it's easy to temporarily disable
when it breaks something I'm trying to use.

The fact that I can't do this on things like my phone really illustrates how
little control we really have over our own computing devices.

~~~
ethagnawl
Surprisingly, I've yet to see a service which fronts Pi-Hole or similar and
allows you to point your DNS resolver(?) at it, so you can use it on the go --
without having to use a VPN.

I tried to set this up on my own using a VPS and Pi-Hole and it did work for a
while. However, bad actors eventually found the server and started using it to
perform DNS amplification attacks against, of all things, cricket news
websites. I don't know too much about networking, so this may be a limitation
of the DNS protocol. However, it seems like Quad9, Cloudflare and the like
have figured out a way to prevent this sort of abuse... So, if any provider
out there is reading this, please add this capability and I will gladly pay to
use your DNS service.

~~~
DavideNL
You mean a public DNS server with ad blocking?

[https://adguard.com/en/adguard-dns/overview.html](https://adguard.com/en/adguard-dns/overview.html)

Note that obviously since you are sharing all your dns requests with them,
it's terrible for privacy... :'(

~~~
ethagnawl
> Not that obviously since you are sharing all your dns requests with them,
> it's terrible for privacy... :'(

Right. I'm not defending this service in any way, but couldn't you say the
same about Quad9 or Cloudflare?

~~~
DavideNL
True.

You could set up pi-hole as a recursive DNS server:
[https://docs.pi-hole.net/guides/unbound/](https://docs.pi-hole.net/guides/unbound/)
That way you don't have to use a public DNS server like Cloudflare. However,
since (as far as I know) DNS requests are not encrypted, this is not perfect
either (security wise).

At least when using Cloudflare you can use DNS-Over-HTTPS:
[https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)

------
sciurus
I don't use a browser extension, I use Firefox's built-in tracking protection.
It is only enabled by default in private browsing mode, but it's easy to
enable it for all your browsing. See
[https://support.mozilla.org/en-US/kb/tracking-protection](https://support.mozilla.org/en-US/kb/tracking-protection)

I get 126 requests and 2.3 MB transferred on Daily Mail Australia, which seems
comparable or better than what Troy saw with Pi-hole. See
[https://postimg.cc/3WYwZf3b](https://postimg.cc/3WYwZf3b)

(Disclosure: I work for Mozilla.)

~~~
spurgu
It's sad. I've so much wanted to go back to Firefox after 10 years on Chrome
now but every time I give it a try it just doesn't do it for me. Mostly
because I have quite specific habits and I don't remember off-hand what it was
specifically the last time I tried it that made me give up, I should really do
a write-up the next time I give it a go, as I love Firefox (what it stands
for) but there's always that _something_ that makes me go back to Chrome after
a week or so. Currently I'm exploring Vivaldi (based on Chromium, which has
some awesome power user features).

~~~
spurgu
Also, I get similar results with Daily Mail with Chrome/Vivaldi + Ghostery.
But I'm placing a lot of trust in Ghostery that I would rather place in
Firefox.

------
gorhill
> 82% reduction in the number of bytes transferred

No doubt the reduction is important, however as per screenshots, the reported
reduction should be considered somewhat inaccurate as he forgot to check
"Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-
Hole version. We can see resources pulled from browser cache in the Pi-Hole
version.

------
gnufied
So I have tried using pi-hole in past and I think one of the problems is -
some websites refusing to function if ads are blocked. IIRC - British Airways
website uses some javascript that requires ad to be disabled for finishing
checking in. It may have changed now but there are other websites too which
may or may not work as expected.

With browser extensions it is typically easy to disable the ad blocker one
time and check if that fixes it. With pi-hole IIRC, it was much harder to do.

~~~
ryandrake
I’ve been running this kind of setup for over 5 years on my home network, and
the only complaint I’ve ever gotten was the Google search results that are ads
or shopping links don’t work (yes, my wife clicks on these). If a web site
didn’t function I wouldn’t know it was due to DNS, because I never turn this
off. I’d simply chalk it up to it being a defective website and not use it.

~~~
gnufied
Yes - but sometimes you don't have that choice. Would you rather not use an
essential service (flight check-in or paying an electricity bill) or disable
the adblocker temporarily? To each their own I guess, and the tricky thing with
pi-hole is, it is VERY hard to tell if a website isn't working because of the
adblocker or because you are using Linux or it is simply broken.

~~~
Phenomenit
In the situation I would just disconnect from my wifi and use 4g.

------
eximius
1. Use Wireguard.

2. It has a DNS option[1]. Set it to your Wireguard server.

3. Set up unbound with a public ad domain list. (No link for this, Google is
your friend and there are several different options with minor tradeoffs.)

You're done. Now unless WireGuard, a soon-to-be kernel project, or unbound
injects malicious code, you're safe.

Edit: oh and this also works on mobile

[1] wg-quick man page -
[https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)
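Step 3 above (feeding unbound a public ad-domain list), ryandrake's earlier point that a dnsmasq blocklist is just a matter of adding and periodically updating it, and DavideNL's unbound-as-recursive-resolver note all hinge on the same chore: turning a hosts-format blocklist into resolver configuration. The converter below is an added example, not code from this thread, Pi-hole, unbound or dnsmasq. The blocklist text is constructed for the example and mirrors the hosts-file layout the common public lists use; the output formats assume unbound's `local-zone ... always_nxdomain` directive and dnsmasq's `address=/name/0.0.0.0` directive, both of which exist. It generalizes slightly beyond the comment by accepting bare-domain lists as well as hosts-format ones, and by refusing to sinkhole `localhost`-style entries and malformed names, which is the mistake that breaks a network when a raw list is pasted in unfiltered.

```python
"""Convert a hosts-format (or bare-domain) ad/tracker blocklist into
unbound or dnsmasq sinkhole configuration.

Added example, not Pi-hole's, unbound's or dnsmasq's own code.
"""
import ipaddress
import re

# Sample input, constructed for this example. It mirrors the layout of the
# public hosts-style lists, including the lines a converter must NOT turn
# into blocks (loopback names, the 0.0.0.0 self-entry, garbage).
SAMPLE_BLOCKLIST = """\
# Title: constructed sample list
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
0.0.0.0 ADS.EXAMPLE.COM
0.0.0.0 bad_host.example
this line is garbage
"""

# Names present in nearly every hosts file that must never be sinkholed.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}

# One DNS label: letters, digits, hyphen; 1..63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def valid_hostname(name):
    """RFC 1123 style check; also requires at least one dot (a real zone)."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_hosts_list(text):
    """Return sorted, de-duplicated, lower-cased hostnames to sinkhole.

    Accepts hosts-format lines ("0.0.0.0 name ...") and bare-domain lines.
    Comments, loopback names, non-hosts lines and malformed names are dropped.
    """
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1:
            candidates = parts                # bare-domain list format
        else:
            try:
                ipaddress.ip_address(parts[0])
            except ValueError:
                continue                      # not "<address> <name...>": skip
            candidates = parts[1:]
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in NEVER_BLOCK or not valid_hostname(name):
                continue
            names.add(name)
    return sorted(names)


def to_unbound(names):
    """unbound local-zone lines; always_nxdomain covers the name and subdomains."""
    return ['local-zone: "%s." always_nxdomain' % n for n in names]


def to_dnsmasq(names):
    """dnsmasq address= lines; 0.0.0.0 is the conventional sinkhole address."""
    return ["address=/%s/0.0.0.0" % n for n in names]


if __name__ == "__main__":
    hosts = parse_hosts_list(SAMPLE_BLOCKLIST)
    print("\n".join(to_unbound(hosts)))
    print("\n".join(to_dnsmasq(hosts)))
```

Drop the unbound output into a file under unbound's include path (or the dnsmasq output into a `.conf` in its config directory), reload the resolver, and re-run the script from cron against a freshly downloaded list to get the periodic updates ryandrake mentions. Because the parser rejects anything that is not a plausible hostname, a corrupted or partially downloaded list degrades to fewer blocks rather than to a broken resolver.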

------
WorkLifeBalance
Someone on here recently recommended uMatrix for this purpose and I find that
a nice trade-off between usability and request blocking.

It's an extension but given it's less opaque than a generic ad-blocker I feel
more in control and that it's less likely to go 'rogue' like adblockers do.

~~~
AdmiralAsshat
Longtime uMatrix user here.

The most frustrating thing about UM (which is the same problem I had with
NoScript back in the day) is that some scripts call other scripts. So,
particularly when I'm trying to play an embedded video served by another site
served through a CDN, the process for getting the damn video to play is
something like:

Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist
more scripts being loaded by the first batch of scripts -> reload -> whitelist
some XHR references called by new scripts -> reload -> finally whitelist the
actual media being served.

~~~
egeozcan
90% of the time, I just don't do that dance and not watch the video.

~~~
JetSpiegel
I copy the URL(CTRL-l CTRL-c), open a new terminal and try youtube-dl $URL

~~~
pdimitar
Yep, I do that often. It's apparently a very underrated tool because it can
pretty much download most of the video content out there on the internet at
large. But many people have no idea about it, even technical people.

------
tpush
> [...] it's also the fact that running an ad blocker means giving a third
> party an enormous amount of power over your browser.

That's why Safari's content blocker API is so great[0]. Creators of these
extension have no access to my data and it's faster than normal extensions to
boot.

I'm using Wipr, which seems to work just as well as pi-hole on the example
pages. Blocked his advert too, or at least I can't find it _cough_.

[0]
[https://developer.apple.com/library/archive/documentation/Ge...](https://developer.apple.com/library/archive/documentation/General/Conceptual/ExtensibilityPG/ContentBlocker.html)

~~~
lose-frown-sans
Safari Content Blocker is pretty great but it's restricted to Safari only. So
if you use Reeder, for example, to view articles then ads won't get blocked.

As an additional system-wide layer, I subscribe to Peter Lowe's ad block list
with Little Snitch. Now I can block all outbound requests to ad servers
system-wide.

As much as I like PiHole, I don't think it's a one-stop solution. It's
generally easier to manage stuff locally on my system. I think the big
advantage is for software that isn't as open (like iOS, tvOS, etc).

I find that working in layers instead of trying to find a singular solution is
easier to work with and provides more flexibility.

------
HugoDaniel
Works for most basic ads. Unfortunately basic ads are a thing of the 90's.
Does not work for most common ads nowadays, as youtube et al. run them from
the same domain as other important parts for the app/site to run. For these
you have to use a different approach, like running an extension in the browser
to block them.

~~~
Cthulhu_
I'm amazed that something that (to me) is as simple as an ad and analytics proxy
running on the website domain isn't more of a thing yet. That will already
circumvent a lot of ad blockers. Well initially anyway, the ones based on
blocklists / patterns will probably be updated quickly.

~~~
FroshKiller
You really think anyone wants to maintain something like that, let alone
subsidize the advertisers' bandwidth costs?

~~~
woolvalley
If it's their main source of income, they would. Maybe advertisers could offer
better rates since you'd be reducing their costs.

------
jjnoakes
I hate ads as much as the next guy. This cat-and-mouse game has been going on
for as long as I can remember.

But I have to wonder why the ad networks don't require content creators to
place some "ad libraries" into the web servers or CMS systems directly, so
that the ads are served exactly the same way as the content (same domain, same
pages, etc).

That's my nightmare scenario. I figured it would have happened everywhere by
now. I see it in a few places but it seems pretty rare.

Is it the heterogeneous server-side environments that are slowing down this
approach?

If it ever takes off, what is the mouse to do?

~~~
pdimitar
Wondered that many times myself. I see several reasons:

(1) Their current tech still works on most users so it's not economically
justified to invest several times more just to catch a few extra percent of
the users (the tech-savvy) in their net.

(2) They are not technically savvy enough to figure it out (thank Cthulhu if
that's true!).

(3) They do not want to pay for the extra bandwidth costs and to upgrade their
servers. And they will have to do both because looking at any ad inspection
article reveals that the ad/tracking bandwidth can be easily anywhere from 3x
to 20x the bandwidth needed to serve the content itself. Furthermore, the
ad/tracking tech uses elaborate scripting techniques to avoid part of the
automated defenses of browsers or network devices. Running those scripts 24/7
increases your electricity bill significantly.

Overall I believe it's a case of "we could probably do better but we get a
hell of a deal for the minimal investment we made". Which is really good for
us the techies -- because they leave us alone -- but seriously sucks for
everybody else.

------
CraneWorm
> Somewhere in the middle is a responsible approach, for example the
> sponsorship banner you see at the top of this blog

Uh, sorry, but uBlock Origin blocks it. Also, does anyone else find
themselves jumping straight into `reader view`?

~~~
ObsoleteNerd
I had a little giggle at him mentioning his ad in an article about pi-holes,
since I run a pi-hole and don't see the ad.

------
avenius
It's about time this became a public discussion. Websites have become so
horribly bloated, while most discussions seem to revolve around whether ads
are acceptable or not.

~~~
theandrewbailey
To be fair, ads are the reason websites are bloated. I don't mind websites
loading 50 MB _if_ I'm in awe of the amazing multimedia presentation it's
giving me. 50 MB of ads just... isn't.

~~~
lbriner
That's not always true. Check out the new GMail, my new corporate account has
no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!)
for the inbox.

In this case, the largest resources are Javascript and CSS (yes 1.2MB CSS
files!). The weird thing is that it appears to be making requests with
different cache-busting strings and getting resources that are the same size.

(32MB now, I haven't done anything on it since starting this post)

~~~
drb91
> Check out the new GMail, my new corporate account has no ads but it still
> weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.

The new gmail is the slowest web app I have ever used. It's gotten so bad I've
started managing my email on my relatively snappy inbox iOS client.

It wouldn't be so bad if they didn't load so much crap, like the gchat
functionality nobody has used since 2008.

~~~
mrob
The old HTML only version still works. I just refreshed mine and got 19.11 KB
transferred with cache disabled (about half that with cache).

~~~
drb91
Sadly I like the bundling of inbox far too much to switch back at this point.

------
r3bl
Off-topic, but that Vollkron font definitely styles 1s _very_ weirdly. I
thought it said I.I.I.I instead of 1.1.1.1 until I copied the text and pasted
it somewhere else.

~~~
callahad
That's a common, traditional form for non-lining numerals
([https://en.wikipedia.org/wiki/Text_figures](https://en.wikipedia.org/wiki/Text_figures))

Turns out, Al Gore doesn't like it, either:
[https://www.typotheque.com/blog/gores_choice](https://www.typotheque.com/blog/gores_choice)

------
portaljacker
My only issue is if I haven't been to a site in a while it makes an error
showing page not found or something similar, then a reload fixes it.

Otherwise, it's a godsend, especially on mobile. Though some...unscrupulous
sites...I visit on mobile on some occasions still manage to redirect me to
crazy shit. But I get way fewer ads pretending I have a virus.

------
lousken
With JS disabled, Daily Mail loads 603 files (6.8 MB), 590 of which are images.

~~~
bArray
I run uBlock Origin and noscript - even then I'm amazed with how much guff the
UK Daily Mail website loads. From their perspective - you would think they
would want to reduce the bandwidth to the servers as much as possible...?

~~~
lousken
I run uBlock Origin and uMatrix. And actually they do kinda care - I've tested
their site on Chromium with no addons or blocking and noticed they lazy load
most of those images (it loads "only" ~130 images) and about 400 requests in
total (I only opted out from advertising using their GDPR dialog). If I opt
in, it constantly pulls data at ~6 requests/second.

------
philg_jr
Pi-hole is cool, but only works on your home network unless you use a VPN to
connect back home and funnel all traffic over the connection.

I'll continue putting my trust in uBlock Origin on FF for now, until I hear
about any malicious PRs that get merged in /shrug/

~~~
chupasaurus
You can wind up a Linux VDS with dnsmasq and blacklist of domains, then use it
on any device everywhere.

~~~
ricketycricket
If you trust your ability to secure a publicly-accessible DNS server. Pretty
attractive target.

Also, you can't usually specify DNS servers on cellular connections. The VPN
setup would address that.

~~~
chupasaurus
As a subscriber to the Debian Security mailing list since 2013, I've got 2
emails on vulnerabilities in dnsmasq.

I don't think anyone should trust cellular connections at all for many
reasons. Especially because my country (Russia) is the only one in Europe
which has an office of CEIEC (Chinese government surveillance company), which
as of now makes Orwell's tales come true in Xinjiang.

------
TheBeardKing
Don't buy a raspberry pi just for this, chances are you have some old windows
machine you can slap Ubuntu server on and set it up easily. That's what I did
and I have very little Linux experience.

My favorite thing about it is ad-blocking in mobile apps. I tried to use it
with OpenVPN on my Android phone for ad-blocking when I'm on cellular data,
but the speed was unbearable. I'm not sure if it was my crappy router or
what; everything I read says that DNS routing should have a negligible effect
on speed.

The downside of Pi-hole as opposed to a browser extension is it's more
difficult to allow things when needed, and whitelisting specific URLs can be
difficult and slow to take effect.

~~~
txcwpalpha
>Don't buy a raspberry pi just for this, chances are you have some old windows
machine you can slap Ubuntu server on and set it up easily. That's what I did
and I have very little Linux experience.

But this would require having a full-blown PC running 24/7 and increasing your
electricity costs by at least a few bucks a month. It would be much wiser to
buy a $10 Pi Zero W and put Pi-Hole on it.

~~~
woolvalley
I agree. The rpi will pay for itself in electricity cost savings fairly
quickly.

Also a reason to use a dedicated NAS appliance. Instead of the 60W minimum
idle that desktops have, you're at 1-10W idle with an RPi Zero and NAS
appliances.

Small laptops might have a more efficient idle though, so YMMV.

------
tareqak
1) What would be the quickest way to get either a Pi-hole device or a router
supporting that level of functionality (ad-blocking and DNSCrypt) into the
hands of normal consumers on a mass scale (e.g. completely non-technical users
like my parents or grandparents)?

2) I know my next suggestion goes against net neutrality, but what would stop
an ISP from doing something similar at the level of their router (or cluster
of routers)?

Update: Actually for 2), some places that provide Internet access to their
users who aren't ISP customers (e.g. businesses, malls, municipalities,
colleges/universities/schools) could roll this out as well citing bandwidth
savings (therefore cost savings).

~~~
FooHentai
>What would be the quickest way to get a either a Pi-hole device or a router
supporting that level of functionality (ad-blocking, and DNSCrypt) into the
hands of normal consumers on a mass scale (e.g. completely non-technical users
like my parents or grandparents)?

Sell it as a turn-key appliance in a box with three ports: Network in, router
in, and power. Operate as a transparent proxy, automatically update, web
interface on the inside port only, etc etc.

Biggest issue is ensuring it's got enough performance on both Ethernet ports
to not bog down traffic.

------
tomrod
This is excessive. Amazingly so.

I don't mind an ad or two. I don't want you siphoning my network and
computational resources without compensation.

~~~
daemin
I think the news sites are thinking the same thing. "I don't want you to use
my network and computational resources (to read the news) without compensation
(watching our ads/mining our coin/etc)"

~~~
isserson
In that case, these news businesses should not be publishing content on the
World Wide Web. Users pay for devices, electricity, and a monthly network
connection. These publishers seem to be stuck in the last epoch. A website is
not a finished product like a book or newspaper; it is publicly-accessible
data. Users can scrape, restyle, delete, and add content _at will_ whenever
they choose to download this content.

So the ideology of capital, which destroyed community morals, is now having
it's own tawdry ethics trashed. It's not news that the news is failing. This
Author Wrote 7 Reasons Why You Can't Make 20th Century Business Web-Scale.

~~~
SketchySeaBeast
So what's the impetus for the news business to be available online? If the
world wide web should be a free love utopia of data slurping why would these
agencies, who have been built on the assumption that the creation and
presentation of their data has an inherent worth? How do they get remunerated
for their efforts? Or do they just never try to take advantage of this new
epoch and die off, leaving us with a billion half-assed citizen journalists?

~~~
krageon
I would pay for a source of journalism that had any actual effort put in it
and wasn't blatantly and hilariously wrong almost all of the time. Sadly news
agencies don't fit that bill at all.

~~~
malnourish
Read reuters, you don't have to pay for it.

------
aphextron
For anyone not interested in setting up pi-hole, having a blacklist host file
is just as effective for your local machine [0]. I have that full list set as
my /etc/hosts file on a Streisand server [1] and run all my devices through
that with IPSEC VPN. It's a little more flexible than pi-hole since you can
use your mobile devices over LTE with it.

[0]
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

[1]
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

------
apankrat
For a hardware-free option let me plug my little weekend project called DNS
Whisperer:

[https://github.com/apankrat/dnswhisperer](https://github.com/apankrat/dnswhisperer)

It's been quietly spinning on our mail server for a couple of years and it
works just as you'd expect it to. Block ratio is around 50%, with no notable
effects on browsing experience. It also blocks various in-game ads on the iOS
devices. I update the blacklist now and then, may be once every 4-5 months if
that, but it's largely maintenance-free.

------
josefresco
> And yes, I'll chat to her about the Fox News situation as well!

Highlight of the article right here.

~~~
jumbopapa
I don't really see why he had to make mention of it.

~~~
jonnycoder
Exactly, heaven forbid we read different new sources to view different biases
and takes on stories.

------
hello-w0r1d
I managed to get it running on a few Intel Edisons (no longer supported by
Intel) that were lying around. It makes browsing a stress-free experience. For
anyone looking to get it running on an Edison, check this out:
[https://hello-w0r1d.github.io/Installing-Pi-hole-on-Intel-Ed...](https://hello-w0r1d.github.io/Installing-Pi-hole-on-Intel-Edison/)

------
michaelbuckbee
There's an interesting discussion happening in the comments where the fact
that Troy's (very low key, topically relevant, non tracking, entirely text
based) sponsorship banner is being blocked by some AdBlockers. I've found the
same thing with Reddit ads (which also seem quite reasonable).

I'm conflicted, I'd like for there to be some mechanism where reasonably
implemented ad systems can flourish.

------
cmurf
Isn't this an admission the internet is not safe by default, and you need
specialized knowledge and hardware to make the Internet safe(r)?

Xfinity/Comcast hardware (cable and WiFi integrated) works with the Pi-hole
how? I can't change the DNS addresses on Xfinity hardware. Ok so I have to buy
my own router, in which case Xfinity blames all problems on running by own
hardware.

Another ISP with which I'm familiar, when running my own router and assigning
DNS of my choosing (any: DNS Watch, Google, Cloudflare, OpenDNS, whatever),
actually redirects the DNS requests to their own DNS servers _anyway_.
The only two ways I've found to get around this are: always-on VPN, or DoH
using the Firefox+Cloudflare test they're running. In this case, it's deceptive
having a router that permits me to assign DNS addresses of my choosing.

In either case it means distrusting ISP hardware, getting your own cable
modem, or getting your own network router, and also a Pi-hole. It's esoteric
knowledge. This is a remarkable industry failure.

~~~
jrace
>Xfinity/Comcast hardware (cable and WiFi integrated) works with the Pi-hole
how?

Once the Pi-hole has been set up and has an IP it becomes a DNS server; you
just then tell your end devices to use the Pi-hole's IP address as the DNS
server.

DNS requests either go where you want (static IP addressing) or to
Xfinity/Comcast (DHCP addressing).

And no, the internet is not safe by default, but neither is the real world.

------
tzs
> Somewhere in the middle is a responsible approach, for example the
> sponsorship banner you see at the top of this blog. Companies I choose to
> partner with get to appear there and they get themselves 140 characters and
> a link. That is all. No images. No video. No script. No HTML tags. No
> tracking.

Even that is blocked by uBlock Origin with default settings. I wonder how it
knows it is an ad?

------
koevet
Been using the Pi-hole for a couple of years now. Can only say good things
about it, as it also disallows porn and such (which is good with kids in
the family).

Sometimes it's convenient to be able to switch it off quickly (as someone
mentioned, certain sites will malfunction), so I created a simple Alexa task
to turn Pi-hole on and off using voice, leveraging the Pi-hole API.

------
kup0
Wow, Daily Mail, 2663 requests and 57.6MB transferred... just for visiting the
homepage. That is a ludicrous amount of data.

------
ocdtrekkie
I set up a Pi-hole recently, and it's been a good experience. Probably the one
thing I always have difficulty with though is online streaming for TV
channels. I tried whitelisting domains they used for their ads so that the
shows would play; I ended up giving up after a half hour and pressing pause on
the Pi-hole to watch.

------
user501254
Pi-Hole is great! Around 30% of the traffic is blocked on all my devices.

However, I would recommend adding a few more decent block lists to the default
ones. Also updating these lists through a cron job on a more frequent basis is
a good idea. Here's a script that you can use to set up Pi-hole and additional
block-lists:
[https://gist.github.com/user501254/1d4c8cb9f22fb51ae970f5fe0...](https://gist.github.com/user501254/1d4c8cb9f22fb51ae970f5fe0b1f50c4#file-configure-pihole-sh)

Also make sure you are using 1.1.1.1 as your secondary DNS service. This
way, in case your Pi-hole running on a Raspberry Pi is down, your devices
would still be able to access the internet with some privacy.

------
Cacti
Should be noted this is useful not just for ads, but also for devices phoning
home and collecting metrics. Things like Win10, Netflix, smart TVs, etc. You
don't have to use every blocklist on the planet if you don't want it to screw
up normal web browsing.

~~~
karrotwaltz
It can be easy to bypass by having an IP / another DNS server hardcoded as a
fallback. I would bet that some devices are already doing it.
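The fallback problem described in this comment is easiest to reason about from the network side: a device that ignores the DHCP-supplied resolver still has to send its queries somewhere. The following is an added example, not Pi-hole's own code, of the detection logic a defender can run over outbound-connection log lines. The log format, the Pi-hole address (192.168.1.2) and every client and destination address are constructed for illustration; the only real facts used are that plain DNS is served on port 53 and DNS-over-TLS on port 853.

```python
"""Detect LAN clients that send DNS somewhere other than the Pi-hole.

Added example (not Pi-hole code). It scans firewall-style connection log
lines and reports, per client, any DNS-port traffic whose destination is
not the local resolver. Such traffic is the signature of a device with a
hardcoded fallback resolver, as described in the comment above.
"""

import re
from collections import defaultdict

# Assumed (placeholder) address of the Pi-hole on the LAN.
PIHOLE_IP = "192.168.1.2"

# Ports a client uses for classic DNS (53) and DNS-over-TLS (853).
DNS_PORTS = {53, 853}

# Constructed sample log lines; the format imitates a simple firewall log.
SAMPLE_LOG = """\
2024-01-01T10:00:01 src=192.168.1.42 dst=192.168.1.2 proto=udp dport=53
2024-01-01T10:00:02 src=192.168.1.77 dst=8.8.8.8 proto=udp dport=53
2024-01-01T10:00:03 src=192.168.1.77 dst=8.8.8.8 proto=udp dport=53
2024-01-01T10:00:04 src=192.168.1.90 dst=1.1.1.1 proto=tcp dport=853
2024-01-01T10:00:05 src=192.168.1.42 dst=203.0.113.10 proto=tcp dport=443
this line is malformed and must be skipped
"""

# One regular expression for the four key=value fields we care about.
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)")


def find_bypassing_clients(log_text, pihole_ip=PIHOLE_IP):
    """Return {client_ip: {"dst:port/proto": count}} for DNS sent past the Pi-hole.

    Queries that go to the Pi-hole itself, traffic on non-DNS ports, and
    lines that do not parse are all ignored.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src, dst, proto, dport = match.groups()
        dport = int(dport)
        if dport not in DNS_PORTS or dst == pihole_ip:
            continue
        hits[src][f"{dst}:{dport}/{proto}"] += 1
    # Convert nested defaultdicts to plain dicts for a stable return value.
    return {src: dict(dests) for src, dests in hits.items()}


if __name__ == "__main__":
    for client, dests in find_bypassing_clients(SAMPLE_LOG).items():
        for dest, count in dests.items():
            print(f"{client} bypassed the Pi-hole: {count}x to {dest}")
```

Port-based detection cannot see DNS-over-HTTPS, which rides on 443 like any other web traffic, so a client that falls back to DoH shows up only in the destination address, not the port. That is the caveat to keep in mind before treating an empty report as proof that nothing bypasses the resolver.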

------
geuis
I was experimenting with a somewhat similar idea a few years ago,
[https://github.com/geuis/lead-dns](https://github.com/geuis/lead-dns).

I took the most recent block lists that uBlock Origin was using at the time
and filtered out all the css-based selectors to just get the domains and urls.

Unfortunately it basically broke nearly every site that I went to, largely in
part to blocking some top-tier domains from Google I think.

You could run lead-dns locally on your machine, or on another machine on your
network.

I still think it's a good approach and will be looking into Pi-hole since it's
a lot more developed than my early experiment.

------
mmirate
The last time I checked, the Raspberry Pi was considered unsuitable for use as
an internet middlebox (or router) due to some kind of I/O bottleneck, having
to do with (pardon the faded memory) its ethernet controller being attached to
its USB controller instead of directly to whatever ARM's PCIe-analogue is, as
well as its USB controller being a blob-encumbered Broadcom hunk-o'-jank.

Has this changed recently?

EDIT: Answer: probably not, but that's irrelevant because this Pi-hole
appliance apparently just does DNS, not full traffic routing. Makes reasonable
performance possible, at the cost of granularity.

------
tammer
There is clearly a mass market for preconfigured plug-&-play versions of this.
Reminds me of the little bits they used to (probably still do) sell to go
between landline phones & the jack to screen telemarketers.

~~~
crtasm
You have to change DNS on your router or on each device so I don't think it
could be entirely plug and play? Preconfigured + some instructions seems
doable.

~~~
mirceal
I could definitely see a world where a device like this fronts your home router
and is zero config. Maybe a "super" router?

------
hectorm
I'm currently using my own solution [1] based on Knot Resolver, a shell script
[2] that creates a blacklist from multiple sources and DNS over TLS to
1.1.1.1. It doesn't have a web interface as complete as Pi-hole, but it's very
lightweight.

To block ads when I'm not at home, I use WireGuard and pass DNS traffic
through it.

[1] [https://github.com/hectorm/hblock-resolver](https://github.com/hectorm/hblock-resolver)

[2] [https://github.com/hectorm/hblock](https://github.com/hectorm/hblock)

------
mitko
This might be a dumb question and me missing something: is it technically
possible for someone to set up a Pi-hole DNS service similar to how Google has
8.8.8.8? It would be a much better user experience in my opinion to just set a
different DNS than to have to set up a new machine on your network.

Monetizing such service sounds tough as you have very minimal leverage over
the users (by design!) but perhaps a Patreon/Foundation would be sustainable,
similar to how Wikipedia is? Perhaps it could be bundled to a VPN service?

~~~
robertely
You really want someone you trust as a dns provider.

It would be easy to exploit people and as you say it's basically impossible to
monetize. There would be motivation to do so.

------
kpcyrd
Since he was pointing out scammers buying popular extensions: I would like to
mention that this is a chrome specific problem. Something like this isn't
common with firefox addons.

~~~
yscik
I'd also recommend turning off auto-updates for extensions (which is possible
in Firefox). You also get a page with pending and recent updates, complete
with release notes if the addon author provides them.

------
eb00
Pi-hole is so important to me that I am unwilling to use the web without it. I
also will not use Microsoft Windows without it. The Mozilla DNS over HTTP
project concerns me because of this. If DNS over HTTP becomes the default for
most software then I will have a serious problem.

Don't bother trying to tell me this will be optional. Absolutely nothing will
make me trust you after the Mr. Robot incident. I would cut off two fingers to
use Safari on Linux and Windows.

~~~
pdimitar
To address your last: I am rebuilding my career lately and working towards an
income where I have several thousand $ free every month so I can just buy a
maxed out iMac Pro (~$13,500 I think) in 6-8 months and only use my PC for
gaming.

Already fully invested -- a MacBook Pro, an iPhone X, an iPad Pro. Only thing
missing is a desktop machine.

The fellow technical crowd in HN and Reddit loves to crap on Apple for
"slowing down progress" but Safari is a very solid browser. Between a good ad
blocker and reading mode, it actually gives you control and styles pages
for... you know, reading. I really like Safari on all my devices because it
allows me to consume content how I want and forces the websites to behave.

------
Leace
Are there similar projects but running on DNS-over-HTTPS(/TLS)?

That way one could configure only the browser to use this and it would also
work on phones that are using LTE (and not adblocking when using home Wi-Fi
only) [0].

[0]: [https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1...](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/android/)

~~~
lvh
You can run argo-tunnel/cloudflared on it and use that. You'd still be taking
plain-old-DNS in, but the arguments in favor of DNS-over-HTTPS aren't as
strong on a network you control.

I don't think anyone has written custom DoH stuff you can easily run yourself
yet.

------
muppetman
You don't have to run it on a Raspberry Pi! I have a little server under our
stairs, with the Proxmox Hypervisor (KVM + LXC with a lovely GUI) on it. It's
free and you can fire up VMs etc. Pi-hole is an LXC container. Seems silly to
"waste" a bit of hardware when most people here will have access to some form
of virtualisation. I've given it 256Mb of RAM and it runs fine.

------
floatboth
I've been using Privoxy.

Killing two birds with one stone here: proxying access through a VPS to hide
the home IP address && blocking ads.

Apart from it occasionally blocking legitimate sites that begin with the word
"ad" (something like, say, "adrian.blog.thing"), it works great. Because it's
an HTTP proxy, it offers an interface for bypassing these unintended blocks.

~~~
paulryanrogers
If it's a dumb string-start check then that could be a lot of false positives.
How often has it been wrong?

I personally hate wondering why something's not working and having to go
through every extension to debug my browsing session.

~~~
floatboth
Quite rarely in practice.

------
user812
Pi-Hole is beautiful and open-source. As long as it doesn't get too popular,
tech savvy people can continue to enjoy network wide content blocking.

Consider supporting them (but not too much ;):
[https://www.patreon.com/pihole](https://www.patreon.com/pihole)

~~~
Cthulhu_
Why the "not too much"? IIRC Adblock was "compromised" in a way because it was
more profitable for them to make deals with advertisers. If they made more
money off of donations they wouldn't need to sell out.

~~~
user812
Well, it was kind of humorous, based on the idea that ad-tech will switch to
first-party proxies when too many people use Pi-hole.

But on a more serious note, it is simple products like AdGuard DNS which will
probably make Ad-Tech sweat more, because it's so easy to use for average
users.

Adblock was compromised due to lack of integrity imho.

~~~
move-on-by
Pi-hole is a bit different too in that they do not maintain any block lists.
It does come pre-installed with several lists, but they are maintained by 3rd
parties. It's also very easy to add items to the block lists or import new
lists. I think having this separation of powers is wonderful and will aid in
the protection of the project.

------
sbr464
Is it possible to chain DNS servers or do multiple lookups for one request?
For example, a dns server that specializes in malware/antivirus checks, and
one that blocks ads etc?

I realize it's not performant, but it makes it hard to choose a dns provider
when several have different features you like.

------
djhworld
I've been running pi-hole for over a year now, it just works.

To make it easier to install and maintain I used this dockerised version
[https://hub.docker.com/r/pihole/pihole/](https://hub.docker.com/r/pihole/pihole/)

------
badbug
I tried pi-hole but my family couldn't make it work. Pihole blocks a lot of
content they want to see, for example, email newsletters from our city gov. I
understand why (privacy/tracking concerns) but it was just blocking too much
and frustrating non-technical users in my house.

~~~
ObsoleteNerd
That's interesting. There's another comment further down saying it broke stuff
too, but I've honestly never had that happen. The most I've ever seen it
"break" anything was formatting issues when people didn't declare the ad div
size.

To be fair, we're very light/casual web users as most of my
hobbies/entertainment are physical electronics and my wife/kids mostly watch
Netflix/Stan or just browse reddit/news sites.

I'm sure there's plenty of stuff it breaks (due to how it works and how
complex modern sites/web-apps can be), I've just been lucky that all of the
sites we use seem to work fine.

~~~
amag
> The most I've ever seen it "break" anything was formatting issues when
> people didn't declare the ad div size.

Haha, I remember some years back a popular C++ programming site would break if
you _didn't_ have an adblocker because someone had put wide header banner ads
in both of the side banner areas, shrinking the text to a single word column
in the middle. I guess they only tested their website with adblockers on...

------
esaym
If you have a router that already uses dnsmasq (or a simple hosts file) there
is the dnsgate script that basically does the same thing:
[https://github.com/jakeogh/dnsgate](https://github.com/jakeogh/dnsgate)

------
MrEngineer13
There are a couple of downsides to Pi-hole: anytime a page doesn't work I'll
have to turn it off and check the page again. And you only block domains, so if
you want to block Google Analytics you can, but you can't access their website
without turning it off.

------
HammerJack
This project could be improved by using pi-hole and unbound (docker images
available). Unbound is a caching recursive DNS server. In an article all about
hijacking and trust of 3rd parties, I find it amusing the author saw fit to
point to cloudflare's DNS.

------
itsthejb
Honestly, considering how cheaply you can implement this (I resurrected an
unused OrangePiZero), how easily it can be used (just plug it into a router
LAN socket), it's crazy that the creators aren't actively looking to monetize
this

------
efdee
I've tried using Pi-hole a few times in the past, but I always end up shutting
it down again. It breaks too many things, and it doesn't block as many ads as
a browser-based adblocker does. I wanted to believe, though.

------
herf
Also, you can get dnsmasq block lists from several places.

[https://pgl.yoyo.org/as/](https://pgl.yoyo.org/as/) has lots of formats.

------
qrbLPHiKpiux
I've been running this for two years at home and at work and it's a God-send.

I love the ability to block SM on my networks. FB can get to be such a
distraction with employees.

------
jniedrauer
It's easier for me to replicate this functionality myself. I run unbound with
a domain name blacklist. Same functionality, no need for additional hardware.

~~~
pfschell
One of the great things about using unbound is how easy it is to blacklist
entire domains, without having to know the name of each subdomain ahead of
time. I've been doing what pihole does for over ten years using pfSense. I'm
up to 437,000 fully qualified domain names blocked, and over ten thousand
domains blocked outright. It has been years since I've seen an ad.
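The two comments above (Privoxy's string-start false positive on names like "adrian.blog.thing", and unbound's ability to block a whole domain without listing each subdomain) are both about how the blocker decides whether a name matches. The following is an added example, not code from Privoxy, unbound, pfSense or Pi-hole, that puts the crude prefix heuristic beside a suffix-walking zone matcher and a hosts-file style exact-FQDN list. The zones, FQDNs and hostnames are constructed placeholders.

```python
"""Matching strategies for a DNS-level blocklist.

Added example (not code from any of the projects discussed). Contrasts:
  * naive_prefix_block: "first label starts with 'ad'" (the false-positive
    mode the Privoxy comment describes);
  * zone_block: block a zone and everything under it, plus exact FQDN
    entries (what an unbound-style or hosts-file-style setup gives you).
All list entries and test names are constructed for illustration.
"""

# Constructed zones: blocked together with every subdomain beneath them.
BLOCKED_ZONES = {
    "ads.example",        # placeholder ad-network zone
    "tracker.example",    # placeholder tracking zone
}

# Constructed hosts-file style input: exact FQDNs mapped to a null address.
HOSTS_FILE_LINES = """\
# constructed sample, hosts-file format
0.0.0.0 metrics.cdn.example
0.0.0.0 beacon.cdn.example   # trailing comment
"""


def load_hosts_fqdns(text):
    """Parse hosts-file lines into a set of lowercase FQDNs.

    Comment lines and inline comments are ignored; only the hostname field
    (second column) is kept.
    """
    fqdns = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        fqdns.add(fields[1].lower().rstrip("."))
    return fqdns


BLOCKED_FQDNS = load_hosts_fqdns(HOSTS_FILE_LINES)


def naive_prefix_block(hostname):
    """Block any name whose first label starts with 'ad'.

    Kept only to make the false positive visible: 'adrian.blog.thing'
    matches even though it has nothing to do with advertising.
    """
    first_label = hostname.lower().rstrip(".").split(".")[0]
    return first_label.startswith("ad")


def zone_block(hostname, zones=BLOCKED_ZONES, fqdns=BLOCKED_FQDNS):
    """Block if the name is a listed FQDN, or is in / under a blocked zone.

    Walking the parent suffixes ('a.b.c' -> 'b.c' -> 'c') is what lets a
    resolver refuse 'x.y.ads.example' without ever having seen that label.
    """
    name = hostname.lower().rstrip(".")
    if name in fqdns:
        return True
    labels = name.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def resolve_decision(hostname):
    """What a blocking resolver would answer: NXDOMAIN or forward upstream."""
    return "NXDOMAIN" if zone_block(hostname) else "FORWARD"


if __name__ == "__main__":
    for name in ("adrian.blog.thing", "x.y.ads.example", "notads.example"):
        print(f"{name:20} prefix={naive_prefix_block(name)!s:5} "
              f"zone={zone_block(name)!s:5} -> {resolve_decision(name)}")
```

Note that `notads.example` is not blocked by the zone matcher even though it ends in "ads.example": suffix matching works on whole labels, so a zone entry only ever matches itself and names beneath it, which is exactly the property that keeps `adrian.blog.thing` reachable.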

------
givinguflac
I run AB-solution.info on my Asus router for the same effect without the need
for extra hardware besides a USB stick. Highly recommend it.

------
acranox
I run a dns server with BIND for my local network. Is there some equivalent
way to get this functionality without using a Pi?

------
detaro
other recent pi-hole discussions:
[https://news.ycombinator.com/item?id=17696397](https://news.ycombinator.com/item?id=17696397)

[https://news.ycombinator.com/item?id=15608052](https://news.ycombinator.com/item?id=15608052)

------
c54
The aria.microsoft.com domain is for analytics and client metrics for probably
some Microsoft-produced app you've got.

------
mdonahoe
If DNS blocking catches on, couldn’t ad networks just do DNS in the cloud and
return IPs directly in the JavaScript?

------
firefwing24
Meanwhile, I use both pi-hole + ublock origin for my browsing experience
contrary to Troy's initial statement.

------
rthomas6
Does this work with Hulu and other things that try to prevent content loading
if the ads are blocked?

------
equasar
Does this impact gaming latency performance? I play Quake Live so every ms is
important for me.

~~~
dylz
For DNS? No - it makes no difference. DNS happens generally before you
establish the connection.

------
funkaster
just an FYI: you can also install this on your rpi if you're using archlinux:
[https://aur.archlinux.org/packages/pi-hole-server](https://aur.archlinux.org/packages/pi-hole-server)

------
michaelmrose
Edit: I'm an idiot, didn't realize Hacker News was actually paginated.

~~~
thsowers
It isn't silently hidden at all, it's just on the second page because this
story has many comments

~~~
michaelmrose
Thank you, I feel silly; I don't think I have ever even noticed the "more"
button at the end.

~~~
thsowers
No worries, I think it only gets turned on (sometimes temporarily) for stories
with high volume

------
thecleaner
Are you using linux or did you get this running on a Mac ?

------
shmageggy
2663 requests over 17 minutes? Is there a Poe's law for the web?

------
michaelmrose
Troy's perspective seems to be lacking on several levels. The first thing is
the nature of advertising. Advertising is an attack on the client to convince
him to believe and ultimately to act in ways that could not be contrived
through honest communication. It is an attempt to manipulate.

Even his very benign banner represents an attempt to manipulate. A company
buying such a banner wants an author to speak as he wouldn't naturally, to give
a degree of attention to the sponsor's content that he wouldn't naturally,
inspiring us to give an unnatural degree of regard to the sponsor by implying
that he does by plastering it on the top of his website.

He expresses that blocking this attempt at manipulation is "unjust". Hi Troy,
as soon as your content leaves your website and runs on my computer there is
no moral dimension to how I choose to display or not display elements.

In the larger context he believes that the larger struggle is to find a way to
fund creators through acceptable manipulation that merely tries to hack your
brain but doesn't hack your computer or take up your whole screen.

Maybe when there are a billion people out there blogging and the
infrastructure to reach hundreds of thousands costs $20 per month nobody is
going to pay you to blog.

Most of the intellectual property out there isn't scarce and you are going to
have to convince at least some of your readers that they ought to take the
affirmative step of paying you to create because they value your work. If you
can't you'll have to pay the $20 a month yourself and create in your spare
time.

Acceptable manipulation isn't an avenue I'm interested in supporting.

Incidentally the pi-hole is an interesting but pretty bad solution. It is just
technical enough to discourage 90% of people from ever trying it, worthless
outside your home network, and requires even those interested to actually pull
out their credit card and wait for shipping. This is enough to convince
another 99% not to do it. If the website doesn't work with this dns based
blocking OR you want to show ads to support that site this is in theory
possible but only if you log in to another machine and edit its list over ssh?

Whereas ublock origin can be installed by anyone in seconds for free, works
everywhere, and can be selectively disabled on a particular site in 2 clicks.
This is why almost nobody uses a home dns server but adblock extensions are
becoming prevalent.

Troy also tries to throw shade at extensions by suggesting that any particular
extension could be bought by malware authors. This is a legit threat model we
should all think more about but it applies to all software including the
developers of pi-hole.

"The last temptation is the greatest treason. To do the right deed for the
wrong reason." -- T. S. Eliot

Troy doesn't want us to avoid extensions so we don't get compromised he wants
us not to run adblock extensions because they block his source of revenue.

------
auslander
uBlock Origin in medium mode, to block 3rd party scripts and frames, is much
more effective; it's not dependent on any lists.

I'd also never point to the Cloudflare resolver 1.1.1.1, nor to Google's. Use
your VPN's DNS or Quad9 9.9.9.9.

~~~
pdimitar
What is your recommendation based on? Why don't you trust Cloudflare but trust
Quad9?

