
Maza – Like Pi-hole but local and using your operating system - tanrax
https://github.com/tanrax/maza-ad-blocking
======
hnarn
I've been using [https://nextdns.io/](https://nextdns.io/) for a while and I
really like it. You can do DNS over HTTPS through Firefox (sadly not on an OS
level in Windows for example, but that's fine -- I'm sure OS level support
works better on Linux), and it supports a lot of user-level customization. You
can add and remove entire blocklists, you can black/white-list specific
domains, see logs of your blocks, some analytics, create your own redirects
etc. and it doesn't cost you a thing. The main website does a pretty good job
of explaining the selling points.

You can use it as-is but if you want user-specific configuration you'll get a
custom URL that looks something like
"https://dns.nextdns.io/c8g88a", and
whatever comes in that way will use your settings and will be logged as per
your configuration (of course, you can disable logging).

~~~
darkteflon
I’ve just looked into this - it looks excellent. Can I ask: is this an all-
round superior solution to running your own pi-hole?

I set up dual redundant pi-holes on raspberry pi 4s on my home network but
switching all devices to NextDNS would give me access to filtered DNS even
when away from home, plus save me the trouble of running two raspis (including
two Ubuntu instances) just for that purpose.

Could anyone knowledgeable in such things suggest any downsides to a wholesale
switch?

~~~
jlkuester7
I recently spent a bunch of time comparing NextDNS vs PiHole. The reality is
their features-sets are pretty close, but I eventually settled on NextDNS and
here were some of my takeaways:

      NextDNS Pros:
      * Can use NextDNS on any network (thanks to their apps or just regular DNS-over-HTTP/TLS).
        * (Could get similar functionality on PiHole with a remote hosted PiHole + VPN, but much more complex to setup)
      * NextDNS allows for multiple different configuration setups per account (so you can fine-tune your blocking/filtering differently for different devices).
        * (PiHole AFAIK only supports a single configuration)
      * NextDNS IMHO had the superior UI. With more powerful config options.
        * In reality with some extra manual config/coding you could probably get PiHole to do most of what is in the config for NextDNS, but it would take some work.
    
      PiHole Pros:
      * PiHole is open source.
        * The NextDNS server code is closed-source, but they do have an open-source CLI client.
      * PiHole is self-hosted (much better from a privacy perspective).
        * But you do get all the downsides of being responsible for hosting something as central as a DNS server yourself...

~~~
donclark
Another PiHole pro is that it can work for every device in your house (if you
set it up that way).

~~~
woadwarrior01
You could also setup PiVPN[1] on the same Raspberry Pi running Pi-hole with
Wireguard and setup all your mobile devices to automatically connect back home
when they're off the home wifi. I've had this setup running for a couple of
months now and couldn't be happier with it.

[1]: [https://github.com/pivpn/pivpn](https://github.com/pivpn/pivpn)

~~~
doctoboggan
I am using pihole and WireGuard. How did you set it up so that you
automatically connect back home when you are off your home network?

~~~
woadwarrior01
The WireGuard apps for iOS and OSX have a configuration section titled “On-
demand activation” that lets you do this. On the iOS app, I have it set to
activate on cellular connection and WiFi connections to routers if the SSID !=
my home router’s SSID. Likewise on OSX, except for the cellular option.

~~~
doctoboggan
Awesome, thank you. I am not sure how I missed that previously.

------
swinglock
Who is this for, what's the point?

If you're using a computer on which installing this software is an
alternative, you can install a web browser with an ad blocker, which performs
much better than DNS based filters.

If you're not using such a computer, Pi-Hole provides DNS filtering and this
software doesn't.

What's the use-case between these two that isn't already covered?

~~~
huhtenberg
Just for the sake of argument - to block trackers that are built into other
software, eg. chat clients and some such.

~~~
lonelappde
Pi-hole already does that. You can run pi-hole on your local OS with Docker.
It's 5 minutes to install.

~~~
brigandish
Aside from competition being a good thing, Docker itself introduces attack
vectors.

~~~
swinglock
Surely not more so than curling scripts from the web and executing them as
root, which is the exact install procedure described for this program.

~~~
mega_tux
IMHO, it's way easier to check the script content before sudoing and validate
its security than validate the Docker ecosystem.

------
bestouff
Or if you already run dnsmasq you can:

- uncomment this in your dnsmasq.conf:

        addn-hosts=/etc/banner_add_hosts

- put this in a file in /etc/cron.daily:

        #!/bin/sh
        wget -O /etc/banner_add_hosts 'https://pgl.yoyo.org/adservers/serverlist.php?showintro=0&mimetype=plaintext'

~~~
leeoniya
yep, i do this on my edge OPNSense appliance, except with

[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

------
lonelappde
Oh, this is a wrapper for running dnsmasq. It's lighter weight than pihole but
less user friendly.

Not sure why the readme tries to obscure that.

[https://github.com/tanrax/maza-ad-blocking/blob/master/maza](https://github.com/tanrax/maza-ad-blocking/blob/master/maza)

~~~
XelNika
> Not sure why the readme tries to obscure that.

I don't think it does, dnsmasq is optional. It does configure dnsmasq
regardless, but that configuration only applies if you install and enable
dnsmasq. As far as I can see, the script does none of that nor does it change
/etc/resolv.conf. The readme is very clear about needing dnsmasq for wildcard
blocking.

The script also modifies the host file which will apply regardless.
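
Both dnsmasq recipes in this thread, bestouff's addn-hosts cron job above and the hosts file plus optional dnsmasq wildcard config that XelNika describes Maza writing, feed a downloaded list straight into the resolver. The POSIX shell script below is an added example, not code from the thread, from Maza or from Pi-hole. It treats the list as untrusted input: it keeps only entries whose address is a sink (0.0.0.0, 127.0.0.1, ::, ::1) and whose name looks like a hostname, drops localhost overrides, deduplicates, emits both an addn-hosts file and dnsmasq `address=/name/0.0.0.0` wildcard lines (the form that also covers subdomains), and installs the result atomically so a failed download can never leave dnsmasq with an empty list. The sample list is constructed inline, including two poisoned lines; the download itself is assumed to have been done with wget into a temporary file, as in bestouff's cron job.

```shell
#!/bin/sh
# Added example (not Maza's or Pi-hole's code): sanitize a downloaded
# hosts-format blocklist before handing it to dnsmasq.
#
# A blocklist is a supply-chain input. A hostile or compromised list could
# point a real name (your bank) at an attacker's IP, or override localhost.
# So: keep only lines whose address is a sink and whose name is a hostname.

# sanitize_hosts: stdin = raw hosts file; stdout = "0.0.0.0 name" lines,
# lower-cased, deduplicated, with every accepted entry normalised to 0.0.0.0.
sanitize_hosts() {
    awk '
        { sub(/#.*/, ""); if (NF < 2) next }          # strip comments, skip blanks
        $1 != "0.0.0.0" && $1 != "127.0.0.1" &&
        $1 != "::" && $1 != "::1" { next }             # anything else is a redirect
        {
            for (i = 2; i <= NF; i++) {                # hosts lines may carry several names
                name = tolower($i)
                if (name == "localhost" || name == "localhost.localdomain" ||
                    name == "broadcasthost" || name == "ip6-localhost" ||
                    name == "ip6-loopback") continue   # never let a list touch loopback names
                if (length(name) > 253) continue
                # RFC 1123-ish: dotted labels of [a-z0-9-], alphabetic TLD
                if (name !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z]+$/) continue
                if (!(name in seen)) { seen[name] = 1; print "0.0.0.0 " name }
            }
        }'
}

# hosts_to_dnsmasq: stdin = sanitized hosts lines; stdout = dnsmasq wildcard
# rules. address=/x.example/0.0.0.0 matches x.example and every subdomain.
hosts_to_dnsmasq() {
    awk '{ print "address=/" $2 "/0.0.0.0" }'
}

# install_blocklist SRC DEST: write next to DEST and rename, so dnsmasq never
# sees a truncated or empty file. SIGHUP makes dnsmasq re-read /etc/hosts and
# addn-hosts files; address= lines live in config and need a restart instead.
install_blocklist() {
    src=$1; dest=$2
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    pkill -HUP -x dnsmasq 2>/dev/null || true
}

# Constructed sample standing in for a downloaded list. Two lines are poisoned.
SAMPLE='# sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com  tracker.example.net
0.0.0.0 ads.example.com
127.0.0.1 Telemetry.Example.ORG
93.184.216.34 bank.example.com   # poisoned: real name -> real IP
0.0.0.0 localhost                # poisoned: would override loopback
0.0.0.0 not_a_host!name
'

# sanitized_count: number of entries that survive sanitisation of SAMPLE.
sanitized_count() { printf '%s' "$SAMPLE" | sanitize_hosts | wc -l | tr -d ' '; }

# Demo: the three surviving wildcard rules.
printf '%s' "$SAMPLE" | sanitize_hosts | hosts_to_dnsmasq

# Real use (not run here): fetch, sanitize, install atomically.
#   tmp=$(mktemp) && wget -qO "$tmp" "$LIST_URL" \
#     && sanitize_hosts < "$tmp" > "$tmp.hosts" \
#     && install_blocklist "$tmp.hosts" /etc/banner_add_hosts
```

Run it as-is and it prints the three rules for the sample; the bank redirect, the second localhost line and the malformed name are dropped. For a real list, point the commented block at the URL from your cron job and write the `address=` output to a file under /etc/dnsmasq.d followed by a dnsmasq restart.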

------
4nof
I found there is a docker container of pihole which means it can run on
anything including Windows! I tried it and it works in a docker container on
windows just fine! pihole docker steps: (prereq: install docker
[https://www.docker.com/products/docker-desktop](https://www.docker.com/products/docker-desktop))

1. setup your docker-compose.yml file with the one listed on pihole page
[https://hub.docker.com/r/pihole/pihole/](https://hub.docker.com/r/pihole/pihole/)
(starts with version: '3').

2. save and do "docker-compose up -d"

3. do "docker ps" and ensure your pihole is running.

4. Go to network settings and set your DNS to 127.0.0.1 and ::1 like this:
[https://mayakron.altervista.org/wikibase/show.php?id=AcrylicWindows10Configuration](https://mayakron.altervista.org/wikibase/show.php?id=AcrylicWindows10Configuration)

5. if the docker container is ever stopped, you will need to reverse the
setup step 4 to get back internet.

Hope that helps all you windows users who want a DNS blocker pihole on your
machines!

~~~
jdc0589
I've been doing this for the past year or so.

couldn't run pihole network wide because too many shady "deal /discount" sites
my girlfriend uses kept breaking, so this was my alternative.

------
vezycash
I've been using adguard's dns to block ads on my phone* because pi-hole isn't
an option for me at the moment.

Also set it on a colleague's phone and he's thanked me severally for it.

* (dns.adguard.com, private DNS in network settings on Android Pie)

~~~
politelemon
Similar to that I've been using NextDNS - in addition to the adblock you also
get custom whitelist/blacklist, analytics... and also supports DNS-over-TLS
(works well with Android's Private DNS feature) and DNS-over-Https

See: [https://nextdns.io/](https://nextdns.io/)

~~~
k__
What can the analytics tell me?

~~~
hnarn
I've been using nextdns and I like it: for one thing, it can tell you the
amount of blocked DNS queries, but it's also very helpful for troubleshooting
since you can see the log of what was blocked, when, and why (which
blocklist). You can then completely disable the blocklist, or whitelist
specific entries if you prefer. It's a level of customization that I don't
believe other DNS adblockers provide since many of them are designed to "just
work".

------
stfwn
Fwiw, you can run Pi-hole locally just fine. But using the hosts file like
Maza does may be a little bit faster than running a DNS-server.

------
tuananh
the one reason i use pihole is to block ads network-wide. this kinda defeats
that purpose.

~~~
nxpnsv
yes, but you have pihole for that... this is if you don't need or want to
issue a network wide block

~~~
tuananh
i couldn't think of an use case for this? can you explain what would you use
this for? if you already have pihole?

~~~
Normal_gaussian
For use on a laptop that you take into other networks (coffee shops, friends
houses, work / client businesses).

For use on a desktop in a network you do not control (e.g. many devs have
complete local control over their own machine)

~~~
XelNika
> For use on a laptop that you take into other networks

I VPN to my home (and by extension my Pi-hole server) when on that kind of
network. A local ad-blocker doesn't prevent MITM or malicious DNS servers.
Maza won't help if DHCP is handing out the IP for a server that claims
google.com is a CNAME to hereisyourvirus.xyz or if the router is transparently
redirecting DNS traffic so you don't even know what DNS server you are
hitting. Which means you have to use DoH or DoT as well.

------
xtf
Network Wide > Pi-hole

Browser > Ublock

Local System > hosts-file

Android (root) > Adaway (does hosts-file)

~~~
antman
Android non root > Intra looks like vpn but it's a DNS use with NextDNS

------
fuzzy2
On Windows, a large hosts file may lead to noticeably slower name resolution
performance. Maybe it's less of a problem on Linux/macOS...?

~~~
jeroenhd
I learned this the hard way a few years back. The lookup performance was good
enough, but every time I woke the computer up from sleep or rebooted it, it
would spend ten minutes maxing out one or two cores trying to process a hosts
file blocking all known malware/spyware/adware domains.

This took me ages to find the cause of, I had to use a lot of highly-escalated
debuggers and such to figure out what the "system" process was trying to do
that was costing so much time. Once I cleared out the hosts file, the problem
was resolved.

------
achairapart
I'm looking for a simple tool to setup and switch to DNS over HTTPS at the OS
level (MacOS, in this case), with no success.

With it, I would simply switch to one of the many pi-holed/filtered DOH
services[0] out there, or even roll my own on a cheap VPS.

On iOS there is DNSCloak which is excellent, Android 9+ has built-in support
(Private DNS).

[0]: like pi-dns.com or blahdns.com

~~~
ddrt
Out of ignorance, how does DNS Cloak differ/compare to NextDNS?

~~~
achairapart
NextDNS is a commercial solution, there will be more limits to the free plan
when it will be out of beta. DNSCloak is just a tool that let you choose
different DNS resolvers, even your very own.

------
mcovey
For anyone running OpenWRT, you can install the adblock package to accomplish
roughly the same thing as Pi-hole does. I don't believe it supports some
advanced features like DoH/DoT or DNS resolution (e.g. a1b2c3.example.com ->
ad-server-that-should-be-blocked.com), but it does the basics - custom host
file sources, additional blacklist rules, whitelisting, and quick
enable/disable for troubleshooting.

It also has an option to force all DNS traffic (port 53, so again it won't
catch DoH/DoT) to go through the router. Occasionally I forget I've done this
and tried `dig foo.bar @1.1.1.1` and gotten confused until I remember that my
router is forcing that DNS lookup to go through it first, and then through the
router's configured DNS resolver.

~~~
touristtam
You can use dnsmasq on OpenWRT and other packages that void the need for an
additional pi-hole.

------
petre
I'm using this whenever I have a working server lying around. Unbound works
great.

[https://github.com/gbxyz/unbound-block-hosts](https://github.com/gbxyz/unbound-block-hosts)

------
dmclamb
I use pihole for my entire home network as primary DNS and opendns for
secondary (long time user of opendns, since before Cisco bought it). I also
have VPN setup for remote access (esp. for mobile). I use ublock origin at the
browser level.

These are layers of protection from undesired content (ads, malware, porn,
etc.). If one fails, hopefully the next layer will provide desired protection.

I have kids approaching teen years. There is no magic bullet, and we still
monitor and limit their screen time.

How would you improve this setup? Just curious.

~~~
justanotherhn
Are you trying to shield your teenage kids from seeing porn by accident or
actively seeking it out? If it's the later you've already lost - presumably
they have 4G.

~~~
Tempest1981
Or at least one friend whose parents aren't tech savvy, and aren't home.

------
p2t2p
I'm using simple
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts).
Puts everything into hosts file.

------
steveharman
I wonder why the pi-hole team doesn't also offer a paid tier (that they host),
to help those who can't or don't want to roll their own?

It could help fund future development and maintenance costs.

~~~
lonelappde
Maybe they already have a full-time job?

Anyway, it's free software. Anyone in the world can do that if they want. You
can do that.

Also, it's poorly scoped. Pihole is just an app. Any ownCloud provider can
more efficiently host it along with a bundle of every other app people want to
"own" but not run locally.

~~~
GordonS
While this is true, I'd put much more trust in the PiHole team than I would
some random corp - by the very nature of what they've built, and how they
licensed it, I'd expect them to be privacy centric. By paying for such a
service, I'd also feel like I was contributing to the ongoing maintenance of
PiHole by the core team.

I think the GP's suggestion is a fantastic one!

------
StreamBright
I just started to write this in Rust a few months back. Thanks for this
project it is fixing most of my problems with Pi-hole.

------
throwaway4787
Can someone explain how the use case differs from simply using a well-curated
hosts file? (like Steven Black's)

~~~
rovr138
There’s some issues with them being too big and using a lot of resources.

You can even find comments about it on this thread

------
1_player
Great work! One suggestion: please make blocklists configurable.

~~~
tanrax
It is not difficult, I take note to implement it.

~~~
IngvarLynn
That was my thought exactly when I decided to upgrade the very much analogous
script [https://raw.githubusercontent.com/notracking/hosts-blocklists-scripts/master/notracking_update](https://raw.githubusercontent.com/notracking/hosts-blocklists-scripts/master/notracking_update).
The end result sort of works, but I deeply regret not using a sane language
for the task. Result:
[https://gist.github.com/ingvar-lynn/f0b84d5f750bd2e555d3f1ded6ef159e](https://gist.github.com/ingvar-lynn/f0b84d5f750bd2e555d3f1ded6ef159e)

------
wp381640
I have a docker-compose.yml locally with:

dnsmasq -> pihole -> stubby

The first dnsmasq is for local .test domains for dev. Works well for when i'm
not on one of my networks.

~~~
XelNika
Why not configure your local .test domains in your Pi-hole? That's also
dnsmasq, you can use the same configuration options.

~~~
rovr138
> Works well for when i'm not on one of my networks.

On the go is the key here.

~~~
XelNika
What do you mean? There's nothing preventing him from running Pi-hole and
stubby locally in Docker. That was how I interpreted his comment.

------
amelius
The point of Pi-Hole is that you can't hack it that easily compared to
software installed on your local computer.

~~~
alpaca128
How is it supposed to be harder to hack? I thought the main point is to have
the blocking enabled in the whole network, including devices like smartphones.

~~~
amelius
Because the Pi-Hole doesn't run untrusted code, like a personal computer does
(e.g. Javascript, installed applications, etc.). Same holds for smartphones.

~~~
jlgaddis
I'd consider the web-based administration interface to be "untrusted code" --
and there was just a remote code execution vulnerability (due to _very_
insufficient input validation of MAC addresses) discussed here yesterday [0].

[0]:
[https://news.ycombinator.com/item?id=22714661](https://news.ycombinator.com/item?id=22714661)

