Pi-Hole: Why You Need a Network-Wide Ad-Blocker (cryptoaustralia.org.au)
337 points by gszathmari 6 months ago | 288 comments

I am actively using PiHole in my home network with over 8 devices doing around 30k requests per day. Some highlights:

* By a huge margin the noisiest device is my Android phone. >40% of traffic is coming from just my phone (which is crazy!)

* I have 650,000+ domains in my blacklist, and folks complaining "it doesn't work on pihole" just haven't taken that tiny bit of effort to unblock some domains like "ssl.googleanalytics.com" which break a lot of apps. It took me about 1 day to see what isn't working (e.g. the Facebook app breaks if graph.facebook.com is blocked)

* On average 28% of my requests are blocked and 42% are cached. I am quite sure my surfing experience is generally snappier

Things I learned running PiHole:

How prevalent tracking really is across the web. A lot of apps don't go "online" if Google Analytics is blocked (for example Toggl)

Manufacturers like Xiaomi are spamming the network with requests - mostly for notification spam

How amazingly scalable and stable RPi+PiHole is: we ran a workshop with 150+ DHCP leases and a few hundred thousand DNS requests without a glitch. The Pi didn't even heat up a bit

Smart TVs are freaking noisy. A Samsung TV makes ~300 DNS requests in <5 min of startup. Literally every button press in the "smart home" is tracked

> * By a huge margin the noisiest device is my Android phone. >40% of traffic is coming from just my phone (which is crazy!)

I work for a small ISP-for-schools. We had an issue which eventually turned out to be related to a specific version of Snapchat on Android: when its connection back to Snapchat was blocked, it'd try and send a mixture of GET/POST at a rate of 1000s a minute. When you've got thousands of devices doing that, it's like an internal DDoS.

We've had a few problems like this and it always appears to be Android apps...

How did you resolve that Snapchat problem?

I wanted to say something positive too, after seeing how the thread went here. No issues from the non-technical users in the household, at all, really. The domains I've whitelisted are mainly one-offs - I haven't whitelisted GA as above and nothing has broken here.

I've ended up using uMatrix and uBlock together on my personal machine as they don't interfere with each other and uBlock has an extra list or two that blocks even more tracking and ads - including all youtube ads. Which is just so satisfying. But other devices (of all kinds) run ad and tracker free, with a faster browsing experience to boot.

So that's no ads on any devices on the network, all running on a pi that is also a media centre, NAS and IRC client. Takes minutes to set up and is regularly updated. I don't get what's not to like.

When something isn't working, how do you determine with a tiny bit of effort which one or more domains out of the 650,000+ domains to whitelist?

Here is what I do:

1. Switch off DNS from PiHole to ISP DNS (or Google/CF, whatever non blocking DNS)

2. Reload page in Chrome with uBlock Origin and selectively allow domains to load until the page loads.

3. Whitelist domain in PiHole

This works because both uBlock Origin and PiHole out of the box use basically the same blocklists (or you can force them to).

How often do you find yourself doing this? Probably hard to determine, how frequent when you first set it up, vs after a month of use? Thanks

Thanks. Can you expand on what you mean in step 2?

What is involved in selectively allowing domains to load?

Could you do it if the domain is a completely unrelated string to whatever site you are visiting? (Say for site example.com, it requires something from whwehkhsfasfs.com in order to load)... how does step 2 work exactly in this case? Are you being prompted for a small subset of domains that the page is trying to load, for example?

So, PiHole has a web interface to blacklist/whitelist items, but it's hard to use for debugging, as what it "sees" is just a bunch of DNS requests coming through (they aren't grouped by page/user, at least in the version I had going).

But in Chrome with uBlock Origin it very clearly tells you what's happening, and you can selectively unblock domains until the page starts working and then turn around and add that domain to the whitelist.

I'm making this sound harder than it actually is; it's honestly just a couple of mouse clicks and page refreshes in Chrome with uBlock Origin going.

I've always found it trivial to know what to whitelist.

Pi-hole admin -> Query log -> Show all -> Search filter <domain>

Whitelist whatever necessary.

I use the web interface and filter it with the IP address of the device. The culprit will usually show up at the top of the list, and then I try whitelisting it.

For example, my Samsung TV took some effort: multiple domains were blocked and I had to restart my TV every time; thankfully PiHole has a neat responsive web interface. After allowing 2 domains it started to work, otherwise it wouldn't go online.

Easiest way: check the log to see what was blocked. It's as simple as that.

Happens so infrequently though - the lists are made up of domains you don't typically want to whitelist. Only 133,608 on my lists though, and that's pretty up to date.
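The "check the log to see what was blocked for this client" step from the last few comments, as an added worked example (not code from the thread or from the Pi-hole project). It parses the dnsmasq-style lines Pi-hole writes to pihole.log, attributes each blocked answer to the client that most recently asked for that name, and ranks the blocked domains per client so you know which ones to try whitelisting first. The log lines are constructed for the example; the two block-line shapes it recognises (the v4 `/etc/pihole/gravity.list ... is 0.0.0.0` form and the v5 `gravity blocked ... is ...` form) and the 203.0.113.x/192.168.1.x addresses are assumptions, not taken from the thread. `pihole -w <domain>` is Pi-hole's real whitelist command.

```python
"""Rank what Pi-hole blocked per client from pihole.log lines (added example)."""
import re
from collections import Counter, defaultdict

# Line shapes handled. These are assumptions about dnsmasq/Pi-hole logging,
# not something the thread states:
#   query:    "dnsmasq[PID]: query[A] <domain> from <client-ip>"
#   v4 block: "dnsmasq[PID]: /etc/pihole/gravity.list <domain> is 0.0.0.0"
#   v5 block: "dnsmasq[PID]: gravity blocked <domain> is 0.0.0.0"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:/etc/pihole/\S+\.list|gravity blocked|exactly blacklisted|regex blacklisted) "
    r"(?P<domain>\S+) is \S+$"
)

# Constructed sample log; 203.0.113.5 is a documentation address, not a real answer.
SAMPLE_LOG = """\
Jun 12 10:15:01 dnsmasq[1234]: query[A] graph.facebook.com from 192.168.1.23
Jun 12 10:15:01 dnsmasq[1234]: /etc/pihole/gravity.list graph.facebook.com is 0.0.0.0
Jun 12 10:15:02 dnsmasq[1234]: query[A] www.facebook.com from 192.168.1.23
Jun 12 10:15:02 dnsmasq[1234]: forwarded www.facebook.com to 1.1.1.1
Jun 12 10:15:02 dnsmasq[1234]: reply www.facebook.com is 203.0.113.5
Jun 12 10:15:03 dnsmasq[1234]: query[AAAA] ssl.google-analytics.com from 192.168.1.23
Jun 12 10:15:03 dnsmasq[1234]: gravity blocked ssl.google-analytics.com is ::
Jun 12 10:15:04 dnsmasq[1234]: query[A] graph.facebook.com from 192.168.1.23
Jun 12 10:15:04 dnsmasq[1234]: /etc/pihole/gravity.list graph.facebook.com is 0.0.0.0
Jun 12 10:15:05 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.50
Jun 12 10:15:05 dnsmasq[1234]: /etc/pihole/black.list ads.example.net is 0.0.0.0
""".splitlines()


def blocked_by_client(lines):
    """Map client IP -> Counter of domains Pi-hole answered with a block for that client.

    dnsmasq logs the block on its own line without the client, so the client is
    taken from the most recent query line for the same domain.
    """
    last_client = {}                     # domain -> client that most recently asked for it
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            last_client[m["domain"]] = m["client"]
            continue
        m = BLOCK_RE.search(line)
        if m:
            client = last_client.get(m["domain"], "unknown")
            hits[client][m["domain"]] += 1
    return hits


def blocked_for(lines, client):
    """Blocked domains for one client, most frequent first: the whitelist candidates."""
    return blocked_by_client(lines)[client].most_common()


def whitelist_commands(domains):
    """The Pi-hole CLI lines that would allow the chosen domains."""
    return [f"pihole -w {d}" for d in domains]


if __name__ == "__main__":
    # Run stand-alone: show what the TV-like client at .23 had blocked and how to allow one.
    for domain, n in blocked_for(SAMPLE_LOG, "192.168.1.23"):
        print(f"{n:>3}  {domain}")
    print("\n".join(whitelist_commands(["graph.facebook.com"])))
```

Point it at `/var/log/pihole.log` (`blocked_for(open(path), ip)`) while the broken device is retrying, and the top of the list is normally the one or two domains the comments above describe having to allow. Whitelist one at a time; a domain that shows up only because an ad SDK retried it is still an ad domain.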

I want to know this as well

I use AdAway on my phone to blackhole ads and trackers. I've seen some weird behavior in certain apps I assume is due to it but I've never had any app not work.

Same thing on laptop. I use a combination of blackholed DNS, a firewall, and uBlock Origin in the browser. Some sites won't work due to poor error handling which is their loss. I've never had a native app not work.

> which is their loss

Exactly what my stance is towards sites that 'need' crap to work. My favorite are news sites/blogs whose primary content is text, but display a completely white blank page when the adblocker is up. (some even do this when you disable JS too. why JS is 'required' for displaying any text is beyond me)

> why JS is 'required' for displaying any text is beyond me

It is not. But this is likely a result of either:

1) simply not realizing that the newfangled 'framework' they are using requires JS to render text

2) intentionally requiring JS to render text, because then JS will be on so they can also deliver ads (i.e., a form of "anti-adblock").

3) not all readers just want plain text and there are JS based features that actually appeal to readers.

Things like backgrounded next page loading may not seem appealing to you, but stuff like that does fall into the category of "people actually like this" and not "implemented to intentionally force ads on people".

We use an express server to pre-render our text, which means you can always see the content, but when you strip out JS, you lose a lot of navigation perks.

I fully support you not wanting JS, but don't act like opting to use a ubiquitous tool is somehow either ignorant or malicious.

> We use an express server to pre-render our text

That's silly. Unless your users are on throttled dial-up inet, and you're trying to feed them several volumes worth of text (a MB or so?), pre-rendering text on the next page is not a good enough excuse. This must mean you are using some large framework to deliver text and present your website. HN seems to be able to deliver tons of text to users without javascript bullshit, why can't you?

Cost, I would imagine. It's there. It's working for most people. The "only people complaining" are those who want to take what you have to offer and stop you from getting advertising revenue for seeing it.

Your argument, whilst full of technical merit and other benefits which you have not mentioned, is perhaps not persuasive enough to those who control the purse strings.

I mean we pre-render our text before it hits the browser. So if you have JS disabled, you still get text.

Also, HN has a completely different userbase than most websites. The biggest complaint about Android in the early days was "it has UI/UX for engineers" (that I personally loved). 99% of people aren't looking for a website experience like HN. Most people WANT some sort of slight flashiness and style. Also, most people don't use noscript. It's a valid tool to use, even if it is abused by some. We still run tests to make sure our total delivered payload is small and monitor accessibility stuff. Just because some sites are built like a dumpster fire using modern frameworks doesn't mean all modern frameworks are bad.

There is a huge difference between "you have completely abused javascript and now I get a blank white page with JS off" and "you've used JS to make interacting with your page much nicer"

Thank you for not breaking the non-JS use case, and thanks for elaborating on your point!

> It is not.

That's why I put 'required' in quotes, indicating that they think it is (for the reasons you pointed out) but it's obviously not.

So this happened after I posted this comment (weird coincidence :/)

My pi hole graph started to look like - https://imgur.com/a/Jj8bmPW

NVIDIA GeForce Experience really wants to talk to the mothership :| Ended up uninstalling it

I wonder how tricky it'd be to serve a local copy of google analytics code that simply didn't report back to them. Or perhaps just redirect outgoing requests from GA to some internal resource that collects (for yourself instead of google) or drops the data and returns an expected response.

Then there would be no need to unblock their trackers to make websites function.

Due to SSL, it wouldn't be easy: you'd need to have SSL certs for some google.com subdomains, and they'd need to be trusted by every device. Blocking the traffic is much easier.

You're right that you'd need to trust the certificates on each machine, but really, you only need to trust a single CA on each device. With an SSL-replacing proxy you create a CA certificate and key, give control of them to the proxy, and set it between your computer and the network. It replaces the certificate of any site (or some small subset, if you want to specifically target) with its own on the fly. Then it can inspect and manipulate the contents of that communication. If the machine trusts the CA, and the CA trusts the certificate (because it replaced and signed the cert itself... so not so much trust, but you get the idea; you could probably limit it to certs signed by a CA known to your browsers), the machines would trust the certificates.

Enforcing use of the proxy could even be automatic if your router supports it. eg, LEDE can redirect all traffic outbound to WAN on 443 through a specific endpoint (your MITM proxy or pi-hole or whatever).

It might be problematic for guests who have never seen the CA before, but that's what guest networks are for, I guess.

I've seen this technique used by some large multinational and security-sensitive companies to help monitor data egress from their networks. Probably via some overly-expensive software, but the software doesn't have to be expensive. They tend to have better automation systems than your typical home user, though.

However, for a small network, it's fairly straightforward to get a CA certificate onto each device. If it's you or a few people on individual machines, you can add it manually in less than a minute on each. Or for the larger case there are automation tools.

One such open source project for an SSL replacing proxy:


> Write powerful addons and script mitmproxy with mitmdump. The scripting API offers full control over mitmproxy and makes it possible to automatically modify messages, redirect traffic, visualize messages, or implement custom commands

I'm sure there's a way to make this live side-by-side with pi-hole or something similar, but I unfortunately have other things on my plate.. Would make an interesting weekend project someday, though.
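The "serve a local Google Analytics and collect or drop the hits yourself" idea from this sub-thread, as an added example written for mitmproxy's addon API; it is not code from the thread, from mitmproxy or from Pi-hole. It answers the analytics.js loader with a no-op `ga()` (so pages that call `ga('send', ...)` don't throw) and answers `/collect` beacons with the 1x1 GIF the real endpoint returns, keeping the useful hit fields locally. Assumptions: the classic analytics.js hostnames and `/collect` paths (not an inventory of everything Google serves), the mitmproxy 7+ `http.Response.make` signature, and an in-memory list standing in for wherever you would really store the hits. The helpers are plain Python so they run without mitmproxy; only `request()` needs it.

```python
"""mitmproxy addon: answer Google Analytics locally instead of blocking it (added example).

Run with:   mitmdump -s ga_stub.py
Clients must trust mitmproxy's CA, and the GA hosts must NOT be blackholed in
Pi-hole, or the client never opens the connection the proxy would intercept.
"""
import base64
from urllib.parse import urlsplit, parse_qs

try:
    from mitmproxy import http           # only available when run under mitmproxy
except ImportError:                       # lets the helpers be imported and tested elsewhere
    http = None

# Assumed hostnames for the analytics.js loader and hit collector.
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "google-analytics.com"}

# Same shape as the queue stub the official GA snippet installs, so ga(...) calls
# are swallowed instead of raising ReferenceError.
STUB_JS = (b"window.ga=window.ga||function(){(window.ga.q=window.ga.q||[]).push(arguments)};"
           b"window.ga.l=+new Date;")

# 1x1 transparent GIF, the body the collect endpoint normally sends back.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

LOCAL_HITS = []   # stand-in for "collect it yourself"; a file or DB would replace this


def classify(host, path):
    """'script' for the analytics.js/ga.js loader, 'hit' for collect beacons, else None."""
    if host not in GA_HOSTS:
        return None
    if path.endswith("analytics.js") or path.endswith("/ga.js"):
        return "script"
    if path.startswith(("/collect", "/r/collect", "/j/collect")):
        return "hit"
    return None


def parse_hit(url):
    """Keep the Measurement Protocol fields worth storing: property, client id, hit type, page, event."""
    qs = parse_qs(urlsplit(url).query)
    keep = ("tid", "cid", "t", "dp", "dl", "ec", "ea")
    return {k: qs[k][0] for k in keep if k in qs}


def local_answer(host, url):
    """(status, content-type, body) to send back, or None to let the request through unchanged."""
    kind = classify(host, urlsplit(url).path)
    if kind == "script":
        return 200, "application/javascript", STUB_JS
    if kind == "hit":
        LOCAL_HITS.append(parse_hit(url))     # the data stays on your network
        return 200, "image/gif", PIXEL_GIF
    return None


def request(flow):
    """mitmproxy hook: short-circuit GA traffic with a local response."""
    answer = local_answer(flow.request.pretty_host, flow.request.pretty_url)
    if answer:
        status, ctype, body = answer
        flow.response = http.Response.make(status, body, {"Content-Type": ctype})
```

Anything outside `GA_HOSTS` is passed through untouched, so the proxy only impersonates the hosts you list. Apps that pin certificates will simply fail to connect through it, which is the BYOD limitation the next comments point out; for those, DNS blocking remains the only option.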

The only way to do it is to have admin/root on all the devices so you can install your own SSL root certs and "steal" google's domain internally with suitable certs.

It can be done but not in a BYOD situation.

Sounds a little like the “decentraleyes” extension...


I've been thinking about setting up twilio with PiHole so I can just copy-paste-sms a url to unblock for people on my network.

Any idea of the feasibility of this?

pihole has a CLI to block/unblock URLs, so it should be pretty straightforward

+1 The API supports this too

Would you mind sharing your lists? I only have about 140k in mine but would like to increase my protection.

Firebog.net has curated lists

How did you detect which device was the nosiest? Do you have static ip addresses for each one?

It's my home network; there are devices you can count on your fingers. Also, DHCP lease times by default are multiple hours on home routers, so IPs don't often change. Also, the web interface shows hostnames.

Which blocklists are you using? Could you share?

I use lists curated by firebog https://firebog.net/

Ultimately, this is going to end badly for advertisers. All ISPs block port 25. In < 5 years, all ISPs will provide PiHole functionality on their networks. "Net Neutrality" is gone. This is going to be glorious. Thank goodness for the FCC making this protection available to the masses.

Or... advertisers will pay ISPs to inject ads.

Care to elaborate?

Web ads are the new spam. In response to email spam, all ISPs blocked port 25 by default. ISPs will ultimately do the same to web ads using traffic prioritization techniques like PiHole.

Users in general aren't sophisticated enough to do this themselves. ISPs will offer it for a price and users will pay more to have ad free internet while simultaneously benefiting ISPs with bandwidth reductions. Some ads will be allowed through of course, but with significant costs associated with the advertising, the volume will be reduced significantly, like the difference between spam email volume vs that of postal junk mail.

If big sites like Facebook decide to fight it in a cat and mouse game, ISPs can hit them with advertising fees directly or throttle their traffic in retaliation for cheating the system. If browsers like Firefox try to defeat it by doing DNS over HTTPS, then ISPs can funnel it directly into the trash. AT&T did this and said it was an accident. I'm sure it was more like a test. They are aware of what underhanded scheme Firefox is up to. Mozilla isn't fooling anyone with their "security" cover story.

I have no idea why you think ISPs would do something like that. American ISPs are anti-consumer to the hilt. They've been caught numerous times INJECTING ads into unencrypted http connections. Ads cause ISPs no issue whatsoever. Why would they block ads?

Also, Firefox has excellent extension support for browser-level adblocking. No ISPs I'm aware of do any kind of adblocking. If there is no ISP adblocking around, how on earth could DNS-over-HTTPS be an anti-adblocking move?!

I have no idea how you managed to convince yourself that ISPs are anti-ad pro-consumer crusaders while Mozilla are some kind of evil corporation trying to thwart their efforts. The reality is the exact opposite.

My experience with Pi-Hole is that there are too many sites that detect that their adverts and tracking scripts don't load and refuse to let you in. It's really hard to white-list for a site in Pi-Hole, as it's blocking for the whole network, so finding what domains you need to unblock is quite laborious. Additionally, if you are not around, and a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works.

Personally, I find a browser based advert/tracking blocker add-on to work better.

If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.

I couldn't agree more. Pi-Hole is essentially useless for real world scenarios.

I can't hear these short-sighted comments: "it doesn't load with pi-hole? then I just close the tab!"

oh really? that's how easy it is in your world? and then you just don't buy that flight ticket? because that shitty online ticket agent uses third-third-party payment providers etc. whose domain is unfortunately blocked in pi-hole? even one single incident might force you to entirely disable pi-hole. most people can't afford to play around with that until it works.

you can't seriously maintain these block lists yourself. you have to rely on a 3rd party, usually some volunteers (great people btw), but even a huge crowd like them can't make sure that, from time to time, in some part of the internet, in some specific country and language, something won't be blocked by mistake and you are stuck. with a browser plugin, at least you can disable it for that specific case. with pi-hole there is no such feature. i have to disable my browser adblocker at least once a month, because something doesn't load. and it's always off for sites like PayPal, because I really want that payment to work and not suddenly screw up the whole transaction.

> Pi-Hole is essentially useless for real world scenarios.

This is a surprising statement because I've used mine at home with 6+ devices and zero issues for almost two years now. It seems fair to say it's not ideal for your needs, but why say something like this that will only deter people from seeing if it works for them?

Same here, I've never even touched the PiHole other than checking stats and doing updates. I've got about 15-20 devices on my network (a few phones, multiple computers, smart TV, Hue Lights, Nest, WeMo, etc). Haven't had a single problem. My Pi just sits there running constantly without even having to reboot it. Can't say the same for any other device that I own.

We're running pi-hole network wide and we just planned a trip with no glitches. The only annoyance (if it's really an annoyance) is clicking on a link in a Google search and it's blocked. Go back to Google, realize it was an ad, scroll down a little further and click the real link. No big deal. Nobody in the house is complaining about not reaching sites.

So, yes, it is possible to do this in real world scenarios.

This is my experience as well. I very rarely find sites that don't work because of pi-hole, other than their advertising links.

I can't actually think of a case where I've had to disable pi-hole because a site seemed to have broken functionality. I book flights on Expedia et al all the time.

Every once in a while I want to do competitive shopping, and disable pi-hole for an hour. It's a revelation how much crud shows up (and pops up) when I do.

You made me giggle :-D

worried about resolving ad/tracking URLs, yet ordering things via Expedia

If you don’t understand the irony here I’ll giggle even more

Not the person you were replying to, but that was unnecessarily mean. Instead of just poking fun at someone else's ignorance, perhaps you can enlighten them?

Parties like Expedia do more tracking and analytics of what you look at, when you look at it and how you look at offers on their site than most of the URLs on the pi-hole lists, which are typically referral counting URLs (many also just for adult sites), or just for counting traffic. And I wouldn't be surprised if they sell this data too. Not saying they are, but I wouldn't be surprised if they do.

Also, since when is giggling mean? The assumption that I intended to be mean is kind of mean too. This is about the same as somebody saying not to eat sugar yet eating lots of fruit that contains sugars; if somebody says that to you, surely you giggle without being mean.

Ah, just let him giggle.

If something's really important you could use your phone with wifi off to get an unblocked version via cellular. It's one more step, but some people may find it to be worth the effort.

Have used a Pi-hole for two years and maybe had to whitelist one or two sites (easily found looking at the log), which was easy using Pi-hole's web interface

Additionally, you can simply disable Pi-hole for temporary timeframes using the web interface as well, it has options like "Disable for 15 minutes", if you don't want to bother adding things to a whitelist.

I've used all sorts of financial, ordering, etc. sites and generally have not run into an issue. A single credit card site was one of the two I had to whitelist, and it was easy.

> I couldn't agree more. Pi-Hole is essentially useless for real world scenarios.

As a user of pi-hole, I have no issues with small scale implementations (i.e. less than 20 users) but security is more important than access to random sites for personal use in the environments I work in.

It just is for security-prioritized environments.

You wouldn't really be STUCK if you are blocked... you can just point your DNS to another IP (like or something). This is DNS based, so if you don't use the Pi-hole DNS server, you aren't affected.

Agreed, sometimes you just NEED to use a shitty site. I have my main browser specially configured ad free and privacy secure but I always have a backup browser.

The people who build websites aren't thinking about us.

Been using pi-hole for over a year with no issues. Not sure what's going on with your experience.

> Additionally, if you are not around, and a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works.

I ran into that issue with some household members, that had problems with certain websites that didn't work. Since I run my own DHCP server (not through pi-hole), what I ended up doing is giving them a different (e.g. DNS resolver for their machine (based on their MAC address), and then installing uBlock Origin for them. That way, they can easily turn ad blocking on/off themselves, while I can still have network-wide adblocking on by default (especially useful for mobile devices).

I used to use a pi hole since YouTube on a Samsung smart TV is horrible: both YouTube and Samsung put ads in the same video (YouTube at the start and Samsung... whenever). But Samsung injects ads frequently and aggressively. Even short ten minute videos are interrupted at least twice by ads, sometimes a few seconds before a video ends, I mean really?!?

It worked great for a long time, but then I changed my setup.

Then I wanted to try Pi-Hole again, going through the setup again, but the results were very different. For example my Samsung smart TV absolutely refused to connect. It is the same TV, same Pi device, same everything, but no network.

Well that just sold me on never buying another Samsung TV ever. How in the hell does Samsung, a device manufacturer, justify inserting ads over content that's not even theirs?

I think basically because (1) they can and (2) no one has stepped in to prevent them from doing it.

But it's absurd.

It seems worse for some videos too which made me think it was YouTube but I can't see YouTube inserting ads mid-video or a few seconds before the end of a video. It's local ads too for my small town so it's targeted very precisely to me.

Other crap is resetting the opt-out after a software update. And also putting the agree or disagree checkbox on a separate page than the actual terms you just read. You read it on one page then exit, look at a bunch of terms and scroll to find the matching document that has the agree or disagree checkbox for one of the TOS documents you read. It's a mess.

Never buy a smart TV just buy a monitor without any smarts.

The sound cuts out on it too you'll miss every few words almost as if it were censoring it.

I'm afraid someday it will not work if it can't update its OS.

> How in the hell does Samsung, a device manufacturer justify inserting ads over content thats not even theirs?

Earnings growth for shareholders. Something-something-"advertising revolution/innovation".

What model Samsung do you have? I have been using the KS8000 for a couple years and have only ever noticed the small ad that looks like another app in the home screen. I've never had Samsung ads in 3rd party apps.

I tried to find the model in the menu but I can't see it. It's a 50 inch, 4K, UHD, only about three years old. I think it has an OS that's different than what is currently available.

It's quite obvious that it's Samsung ads: as mentioned it's constant, not at the start of a video like how YouTube would do it. And at odd times, as if it injects every five minutes no matter what.

I've been using a Samsung TV for the last 3 years and never seen an ad on YouTube. Which model are you using?

I'm not sure; it's 50 inch, UHD, 4K, so possibly UHDxxxx something.

It's incredibly annoying to have numerous ads in every video. I even tried to see what was going on using Wireshark but it was beyond my capabilities.

I typically browse the internet with JavaScript disabled by default and rarely come across issues - when I do unless the website is appealing enough to white-list for js I go elsewhere.

I have also found the reader view functionality on iOS to be a godsend when visiting websites, no more cookie notices, GDPR popups or banners taking up 1/3 of the display - bliss!

I see "just going elsewhere" as a possible solution 10 years ago but not today, depending on how much you're using the internet.

To me it feels like the number of sources of information has grown exponentially in the past 10 years. So unless you're talking about a service that more or less locks you in (like a mail provider that you can't easily switch) you can find the same information on dozens of sites. Just pick one that either has reasonable ad practices or one that accepts adblockers.

That depends on whether you are reading original journalism or aggregated journalism. Something from Reuters or AP (or a tweet...) might be on hundreds of websites, but look at a list like this, https://www.aldaily.com/media/ , how many of these stories don't really get published elsewhere.

Sure but how was this better 10 years ago?

"Original anything" (read unique) by definition doesn't go well with the "just go elsewhere" concept. If you can go elsewhere then it's not that original or unique. Time has no bearing on this.

For "mass content" (aggregation or simply independently reporting on the same topic) you have vastly more choice today. And for unique pieces of information, only available in one place, you would have been just as stuck then as you are now. The uniqueness, not the time is what takes the choice out of the equation.

Find a commercial website that doesn't use google-analytics.com or googletagservices.com; it's pretty hard.

Yes, but you are part of the tech savvy bubble. That's not a solution for most users who don't want a downgraded version of their facebook/instagram/gmail/etc experience.

> many sites that detect that their adverts and tracking scripts don't load and refuse to let you in

I think I've only seen that once since running pi-hole (which I've done for about six months now), so I assume the rate of occurrence varies widely with what people are browsing. Do you see it a lot on sites with a particular pattern (i.e. pertaining to a certain industry or hobby/interest)?

> and refuse to let you in

I'm fine with that. I doubt the information isn't available elsewhere if I really care about it, and the most insidious stuff I'm blocking tends to be on less important content that I can live without anyway (imgur.com was the final straw that made me install network-level blocking - too many pop-unders, the occasional drive-by install attempt, adverts trying to access my microphone and/or camera, and less worrying but still annoying things like auto-playing audio - if such frivolous sites block me for blocking their ads because they can't police them properly I'm sure I'll live!).

> a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works

> Personally, I find a browser based advert/tracking blocker add-on to work better.

Other people is why I run blocking at the network level ATM (as well as on my individual mobile devices). I'd rather deal with the occasional "I can't get into X, oh, it is because of the malware/ad blocker, try somewhere else" conversations than have the tech support load of undoing drive-by installs!

Also, I wouldn't want other people to easily add stuff to my network's whitelist.

Anyone who really objects can always use their own mobile data plan instead of using my network that runs just fine the way I want it to...

>> and refuse to let you in

> I'm fine with that.

Agreed. Sounds like the Pi-hole is working exactly as intended.

As I see it, you have a choice between viewing an ad/malware laden cesspit, or avoiding it. And by installing a Pi-hole, you have already made that choice.

You can also use a remote service like outline.com, paste the url there, and still read the content without the ads and without being blocked by an ad-blocker-blocker, and often even without being blocked by view-limiting paywalls.

> and refuse to let you in

>> I'm fine with that.

That's fine with me too, but doesn't cut it in a family environment. Further, some websites break with an adblocker, even when they don't have ads. E.g. Login with Facebook/Twitter, or some JS heavy sites which happen to have a bad keyword in the name of the file.

> many sites that detect that their adverts and tracking scripts don't load and refuse to let you in

>> I think I've only seen that once since running pi-hole

It used to be a daily occurrence until I whitelisted sites. At least with an addon, my mum can just click the button and unblock and get on with her day.

If pi-hole could have some companion extension to make whitelisting easier that would be great.

>Login with Facebook/Twitter, or some JS heavy sites which happen to have a bad keyword in the name of the file.

Pihole is purely DNS, it doesn't trigger off filenames.

Good point. I stand corrected :)

This might be unpopular, but I hope Pihole remains untenable for non-technically savvy users. Advertisers and ad-blocking are always engaged in a game of cat and mouse. I'd prefer advertisers to see Pihole as a tiny niche of the market they don't need to seriously work to defeat.

The only way to defeat them would be to self-host ads. Which would actually be a good thing since publishers would now have an incentive to make them as light as possible since it's their bandwidth being used.

because of how pi-hole works (works on the DNS level), all they have to do is use some CDN domain, which can't possibly be blocked without serious collateral damage.

Yes, but as long as they don't, pihole works beautifully because the ads are killed before they are downloaded, instead of stripped after the download (like with uBlock).

Especially on data capped devices like mobile phones it works wonders.

> the ads are killed before they are downloaded, instead of stripped after the download (like with uBlock).

That’s false. https://github.com/gorhill/uBlock/wiki/Does-uBlock-block-ads...

> Yes, but as long as they don't, pihole works beautifully because the ads are killed before they are downloaded, instead of stripped after the download (like with uBlock).

> Especially on data capped devices like mobile phones it works wonders.

Are you implying that pihole works wonders on data-capped devices such as mobile phones? If the phone is connected to a network with a pihole, it isn’t using the capped cellular service. If it is using the capped cellular service, it isn’t going through a pihole. Am I missing something?

It's less common, but some people use a VPN while on mobile data to get back to their local network.


I guess you could also setup your pihole to be externally accessible and then point your phone's DNS at it, though I'm not sure that's a particularly good idea.

Some ISPs have caps as well. Comcast has caps in most of the USA for example.

My phone and tablet connect via openvpn to a server running pi-hole.

> instead of stripped after the download (like with uBlock)

That's quite an erroneous statement, especially given how easy it is to verify.

You can see for yourself by using uBlock Origin along with your pi-hole: your pi-hole will see _less_ network requests with uBO (or any other similar blockers really).

Everything which is blocked by uBO will not be seen by your pi-hole, and this simple observation contradicts your statement.

This is what CDNs are designed for, they allow a few companies to get a monopoly on your browsing data. This is why I prefer uMatrix, it blocks all third party requests, a lot of stuff breaks but it breaks because they're tracking you.

Doesn't using a CDN break impressions statistics, making it impossible to administer?

Agreed, I find that self-hosted ads tend to be the least offensive. Even if this changed, and some self-hosted ads were intrusive or malicious, it would certainly be a simple problem to solve: block site X.com and don't visit site X.com

I'm waiting for the next generation ad blockers where a cloud based html rendering engine renders the image of the page to a frame buffer, crops out the article or pictures, compresses them, and sends it to my device.

Hell, you could do a mechanical turk system and pay micropayments to 3rd world employees to crawl ad-infested crap and harvest the content for me (Or better yet, share it for the common good)

>Personally, I find a browser based advert/tracking blocker add-on to work better.

>If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.

Aren't you just describing uMatrix?

I think he's describing a local network ad-blocker that you can control and configure from any browser with a simple extension. This means that you can update rules from any device in your home/office and it would still apply for all devices in your network.

exactly! You wouldn't even need an extension.

Just tell your users, if a site isn't loading properly, to go to http://my-pi-hole.local.lan/whitelist and unblock it.

It would be ideal if the workflow could be something more like "click this link" (and pi-hole's GUI would then give you a prominent button to redirect you to an unfiltered version of the last request from your device (or maybe a list, since who knows how many background ones are being silently killed), which would be whitelisted for an hour).

You can do this already. The URL is http://pi.hole

Whether you want them to have access depends on your “users”.

A 1-click option (or maybe 2) is a much better solution for tech-averse users :). And extensions already exist to enable/disable Pi-Hole, the functionality could be expanded to include quick whitelisting.

I would have the same concern, I imagine the Pi-Hole is best for households only inhabited by tech-affine people. I installed the uBlock Origin addon for some family members and even there they can be easily confused when a website breaks due to it (occurs rarely, but it happens). At least there I can easily tell them to temporarily disable ad-blocking by pressing that big uBlock button.

I don't think it would be feasible for me to explain to them how to temporarily whitelist things on the Pi-Hole.

I don't think that's a problem at all.

I did give the family members the password to unlock the block temporarily but after a while they simply stopped using those sites altogether.

It's also a big plus for devices that can't adblock themselves (phones, embedded devices, etc.)

You can add a button to your Raspberry Pi to temporarily disable all the blocking. Not the best solution but still useful to know I think.

I really like this idea. Make it big and red. Easily done it seems:


Do you have a link to a tutorial?

For the non-tech-savvy members of the household you can provide a link to the disable API.

e.g. Temporarily disable blocking for 60 seconds,

http://pihole.lan/admin/api.php?disable=60&auth= .

You can also infuriate the teenagers in the household by blocking and unblocking domains at certain times via crontab. e.g.

    0 08 * * * /usr/local/bin/pihole -wild --delmode instagram.com youtube.com
    0 22 * * * /usr/local/bin/pihole -wild instagram.com youtube.com

In my experience, most adblock blockers take a lazy approach - it's just a piece of JS loaded together with the main document. So it's ridiculously easy to protect against: just switch off JS with a click and you can read the page in question. Of course it works for documents only - if you need to use an app, things are much trickier and you need to dig up a bit to understand which script you have to block.

Due to bandwidth constraints I surfed with images and JS disabled (safari developer options) and oh my god what an improvement it was. No trackers. No ads. No auto-playing video. No newsletter pop ups. No cookie notices. This was GDPR but I imagine that would be gone on most sites too. I'll probably switch back soon. I long for the speed, the elegance...

Usually you don’t even need that, they just cover the page with a div that you can delete in inspector.

There's also this bookmarklet which deletes fixed elements (unfortunately I don't know the original author):


This is a very useful skill. I run into a surprising number of pages where invisible elements prevent you from continuing (unintentionally, eg payment forms).

Also that crap on the bottom of every Medium article.

... and the top... and the sides...

"kill sticky" is amazing for this. One click gets most annoying stuff.


That's at least two clicks. Disabling JS with a plugin like disable-HTML is one click.

Or zap with uBlock origin

Weird, my experience doesn't match yours, and I run both Pi Hole and uBlock. I guess the blocklists factor in a lot and also the sites you visit.

Here is how to disable pihole via a url: https://www.reddit.com/r/pihole/comments/81z8jp/temporarily_...

With this anyone in your family can temporarily disable it to unblock themselves if needed.

Sending the pihole admin password in a non-https url query string seems like a bad idea. You might argue that your network is 'trusted', but then I'd remind you that this pihole device is designed to intercept all dns on your network, and would be used quite maliciously if compromised.

You can add a certificate and then access it over https: https://discourse.pi-hole.net/t/enabling-https-for-your-pi-h...

I don't think my neighbors are sniffing my wifi traffic, I wouldn't think the password to be at risk

It's best to just not go to those sites. Never whitelist, it defeats the whole purpose if you care one bit about tracking. If I come across enough links to a site that does that, I add them to my url blacklist, so I never see them again. I wish uBlock Origin would add that feature so I didn't have to maintain my own junky plugin to do it.

Simple phrasing could change this. If the site was deemed "unacceptable", not just "blocked", with no particular detail people would find alternatives (even pick up the phone?). This could be done at both the browser and ISP level, as well as something like Pi-Hole.

>If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.

It kind of already has this. Just tail the log in the web admin, then hit the site in your browser. Unblock the sites that were blocked on that request.

I've been using pihole for a year and have only had one site that refused to load. Was pretty easy to figure out which request it was and whitelist it.
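The workflow described above (load the page, look at what Pi-hole just blocked, whitelist what the page actually needed) can be scripted per client. The following is an added example, not Pi-hole's own tooling: `blocked_for_client` reads a dnsmasq-style query log and prints, in first-seen order, the domains a given client asked for and received a null (0.0.0.0 or ::) answer for. The sample log is constructed; the exact wording of a blocked-answer line differs between Pi-hole versions, so the parser keys on the `query[...] DOMAIN from CLIENT` line and the `DOMAIN is 0.0.0.0` answer rather than on a list path. `pihole -w` is the project's whitelist command; the script only prints the commands for review.

```shell
#!/bin/sh
# Added example, not part of Pi-hole. Lists the domains a single client had
# blocked, as a starting point for whitelisting only what a broken site needs.

# Constructed sample in the dnsmasq log style Pi-hole writes to /var/log/pihole.log.
# The exact text of blocked-answer lines is version dependent; written to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 10 12:00:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Aug 10 12:00:01 dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
Aug 10 12:00:01 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Aug 10 12:00:01 dnsmasq[1234]: query[A] ssl.google-analytics.com from 192.168.1.20
Aug 10 12:00:01 dnsmasq[1234]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0
Aug 10 12:00:02 dnsmasq[1234]: query[AAAA] ssl.google-analytics.com from 192.168.1.20
Aug 10 12:00:02 dnsmasq[1234]: /etc/pihole/gravity.list ssl.google-analytics.com is ::
Aug 10 12:00:02 dnsmasq[1234]: query[A] graph.facebook.com from 192.168.1.30
Aug 10 12:00:02 dnsmasq[1234]: /etc/pihole/black.list graph.facebook.com is 0.0.0.0
Aug 10 12:00:03 dnsmasq[1234]: query[A] cdn.example.com from 192.168.1.20
Aug 10 12:00:03 dnsmasq[1234]: cached cdn.example.com is 0.0.0.0
EOF
}

# Prints the domains that client $2 queried and got a null (blocked) answer for,
# reading log $1. Each domain once, in the order first seen. A query line records
# which client most recently asked for a domain; the answer line that follows is
# attributed to that client (an approximation when clients interleave).
blocked_for_client() {
    awk -v client="$2" '
        $5 ~ /^query\[/ { last[$6] = $8; next }
        $(NF-1) == "is" && ($NF == "0.0.0.0" || $NF == "::") {
            dom = $(NF-2)
            if (last[dom] == client && !(dom in seen)) { seen[dom] = 1; print dom }
        }' "$1"
}

# Emits the whitelist commands for review rather than running them: decide per
# domain whether the site really needs it before unblocking a tracker.
suggest_whitelist() {
    blocked_for_client "$1" "$2" | while read -r dom; do
        echo "pihole -w $dom"
    done
}

# Stand-alone demonstration on the constructed log.
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "blocked for 192.168.1.20:"
    blocked_for_client "$log" 192.168.1.20
    echo "suggested commands:"
    suggest_whitelist "$log" 192.168.1.20
    rm -f "$log"
}
```

Against a live system you would replace `write_sample_log` with `tail -n 500 /var/log/pihole.log`, pass the IP of the device that hit the broken page, and then whitelist only the domains the site needs rather than every tracker it called.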

Generally, I agree - though I imagine the advantage of pi-hole is that it can also block ads in non-browser contexts, e.g. mobile apps.

At least it can until those apps start to use their own hardwired DNS/DoH server...

I've found that most sites which attempt to block access due to ad-blockers typically do so with a full-page pop-up element which hides the (fully loaded) content underneath. With uBlock Origin it's easy enough to use the element-picker to remove the blocking elements of the webpage.

I'd really really like a simple whitelisting interface too. Sometimes I just need to get shit done for a minute, and then I'd just start blocking again. All or nothing is incredibly frustrating sometimes.

It's got that... Disable for 10s, 30s, 5m, custom or permanent. GUI or CLI.

ok, sold then

I run a Pi-hole (mostly for my phone and paired with OpenVPN and iOS/MacOS content blockers) and run into the same "problem". My advice is to stop patronizing those sites at all. Just like paywalled articles linked on HN, just stop visiting.

Seriously, just stop. It's the only way we're going to move to something less damaging and invasive than the current ad/data economy.

I should note that I do pay quite a lot for journalism and art via subscriptions, Patreon, Kickstarter, etc, but I'm not going to tolerate sites clogging up search results with paywalled articles or piles of tracking scripts and media downloads.

This is completely untenable advice to give family that shares your Internet connection, which the OP clearly pointed out.

Why? I've been running pi-hole on the home network for over 2 years already, and indeed sometimes I get complaints about shopping sites not working, but there is always an alternative site that does work so we order there instead. Just last week it even saved us money because it turned out a different site had the same product at a significantly lower price.

Apart from a few non-important edge cases literally every major site works without problems with a pi-hole. I think 'simply stop using sites that refuse to work unless they can track you' is a very valid and workable solution.

I purposely blacklist any sites that complain about not being able to load their ads. Using both is a better answer.

you could have pi-hole redirect to a site with the same story maybe? or even pi-hole could cache it.

Not a problem. I can't remember that ever happening, but if it did I would just close the tab. Pi-hole works as intended.

> In other words my current smartphone will be unsafe for everyday use after September 2018, but it may have some life left in it by protecting its operating system with some network level security.

I stopped paying attention when I read this.

Pi-Hole is an ad blocker and it is fit for that purpose. No argument from me. However, to give this advice to people for whom device and network security is not a major or even minor concern is frankly dangerous.

Buy an iPhone. Buy a Mac. Keep your Windows PCs updated. Get a mesh WiFi solution that takes care of firmware patches automatically. Run a browser-based blocker that updates in the background without interaction.

These are the low-hanging fruit that should be done long before you are trying to set up what is essentially MITM-as-an-appliance without any paid support or guarantee.

Who is this article actually helping?

> Who is this article actually helping?

It seems to be primarily targeted at highly-technical people, such as those who might stumble on this article via HN, or who casually frequent websites with "crypto" in their name.

These audiences naturally would have a higher tolerance to technical adoption barriers than the average consumer, which is who your other advice seems to be targeting.

> Who is this article actually helping?

Those who cannot afford iPhones and Macs?

In what universe is an apple product helping you in any meaningful way?

In the 90's alternate reality where "Macs don't get viruses."

> Buy an iPhone. Buy a Mac. Keep your Windows PCs updated.


It's pretty simple: buy a device that is supported by the manufacturer for the lifetime of the device. The Nexus 5X was released in 2015, so it's abandoned after three years. The oldest supported iPhone is the 5s, which was released in 2013 and will be supported by iOS 12 which means it gets security updates until at least fall of 2019 (maybe longer).

A straight-from-Google Android phone is out of support after 3 years, while a comparable iPhone is still supported after 6 years.

An iOS device tracks a lot of what you do, especially if you don't opt out of anything iCloud. But the bulk of the tracking is done by one "evil" corporation, who takes the majority of its money from selling devices.

With a normal Android device, you are tracked every step of the way, by apps, by Google, by Samsung and their awful software quality or by random Chinese entities.

If you don't spend a lot of time, an iOS device is the lesser evil when it comes to tracking. An iOS device with automatic app updates turned off, no iCloud, and where you say no to most apps asking for permissions on first run, is pretty locked down.

There are downsides, of course. It's kind of sad that you can't buy a mobile device which is just a network node by default, not a spying machine by default.

Agree with this. Android is unfortunately a bit of a disaster in terms of privacy and security. The easiest security advice you can give to say friends and family would be to just buy an iPhone. As for asking them to buy a Mac - I can list a few dozen reasons why that is also a good idea.

It's one of the reasons why dumbphones are so popular on HN.

How is a DNS server MiTM?

I love how the Protestant Church of Germany has a very good installation description on their web site: https://datenschutz.ekd.de/2018/04/12/pi-hole-ein-erfahrungs...

I found this bit interesting:

> After four weeks of the Pi-hole running in "leisure mode" on my network, this comes to a stately 12245 DNS queries, of which 7102 were blocked. That's 58%. It's interesting, if not surprising, that six of the top 10 blocked domains come from Microsoft, two from Google, and one each from Amazon and Vungle.com.

If you block Windows telemetry domains and run Windows, naturally those domains will be at the top... I have a lot of blocklists, but I think one of the default ones includes Windows telemetry.

    watson.telemetry.microsoft.com      15110
    v10.vortex-win.data.microsoft.com   11338
    fls-na.amazon.com                    4397
    nexus.officeapps.live.com            3547
    settings-win.data.microsoft.com      3463
    collector.githubapp.com              3396
    www.google-analytics.com             3379
    www.googletagmanager.com             2246
    www.googletagservices.com            2204
    clc.stackoverflow.com                2173

I'm not surprised. I remember reading before that Germany was one of the countries with the highest adblocker use.

For some reason, I was reminded of the message iOS's original top-selling ad blocker posted when pulling their app [1]. (TL; DR They felt bad about denying advertisers their revenues.) While the web is gnarly and unforgiving, we've progressed, as a culture, in our general treatment of ads and ad blockers.

[1] https://marco.org/2015/09/18/just-doesnt-feel-good

What an odd thing to feel bad about.

> People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you're not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you. You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity. Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It's yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head. You owe the companies nothing. Less than nothing, you especially don't owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don't even start asking for theirs.


Actually Sean Tejaratchi. Banksy used it with attribution, though that's frequently lost / misstated (as here).


Wonderful quote. The concept I have been playing with I call "consensual communication". We don't allow people to run up to us and shove food in our mouths, and yet we allow information to be shoved into our minds - and as the quote notes, they have the gall to place restrictions on the object of assault.

> We dont allow people to run up to us and shove food in our mouths

"You can trespass my private roads as you like, you just have to take this new experimental medication and report the results..." - sounds like an intriguing new business model! /s

That's actually close to reality. A lot of US universities have some kind of for-pay drug research going on. Since college kids are notoriously low on cash, they sign up to get injected with something and report the results afterwards.

My university didn't offer it but my sister's did. She made a few bucks getting injected with a trial flu vaccine and reporting if she got sick afterwards.

Personally, it's not primarily about the actual ads, but all the tracking and JavaScript and shady UI patterns.

Somebody trying to tell me I should keep all ads on because ads pay for the content? Fuck that, tracking my every move pays for the content, and I want no part of that, even if I lose access to the content.

The ad industry wired the consumers to expect things for free to begin with, so I don't know why I should feel any guilt at all for trying to block ads and gigabytes worth of unnecessary and often downright malicious JavaScript code.

When I am on home wifi, no ads in my mobile thanks to PiHole. So many apps are filled with ads while on the move. Clearly pihole version of web feels more snappy.

There are apps serving the app ad tiles BEFORE they load real content from their own far-away (by latency) servers.

The install process is curling a script into bash:

    curl -sSL https://install.pi-hole.net | bash

Curl bash is fine [0]. Even Windows tools do this now [1].

That said, if you're a linux admin you shouldn't copy-paste r̼̯ḁ͙̬̕n̪͍̯d̳̦͓̜͉͜o̴̳m̳͚ ̡̭s̜̦̣̠̀h͓̲i̼̫̮̗̜t̜̗̜̪̬̲͟ anyways.

[0] https://brew.sh/

[1] https://chocolatey.org/install#installing-chocolatey

They do at least call it out in the writeup as being poor form. But they don't explain why or offer any alternative...

What we need is for the blog to explain things as nicely as the GitHub repo does - unfortunately, it's a topic that's a bit hard to concisely explain in one line.

Repo explanation: https://github.com/pi-hole/pi-hole#one-step-automated-instal...

Maybe they added it after you read it, but when I read the post they specifically mention it's bad and provide a link to read more on why it's bad.

Sure an alternative would be great but the point of the article is to get up and running with the pi-hole software so they went with the fastest install.

If by they you mean the pi-hole website then I recall being told I could download it and run the download if I didn't want to pipe curl to bash.

I mean really how is that different from downloading .exe installers and running them?

The more realistic fear is what happens if your connection goes away mid-download. While a partial binary won't run, a partial shell script will, and it might just do something bad to your system if you're unlucky.[1]

That said, the chances of your connection crapping out in the second or two it takes to download the average sub-couple-kilobyte shell script is minuscule. The fear is seriously overblown.

[1]: https://www.seancassidy.me/dont-pipe-to-your-shell.html
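The failure mode in the comment above (a script that arrives in part and runs in part) is easy to reproduce. The following is an added example, not the Pi-hole installer or any code from the thread: it writes two small stand-in scripts, cuts each off mid-line the way a dropped connection would, and runs what is left. The `MARK` and `TARGET_DIR` variables and the `pi-hole` path inside the stand-in scripts are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not Pi-hole's install script. Shows why a partially downloaded
# shell script can do damage, and the wrap-in-main pattern that prevents it.

# Naive installer (constructed): top-level statements run as soon as they are
# parsed. Cut off after "rm -rf $TARGET_DIR/", the truncated line is a much
# broader rm than the author wrote.
write_naive_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "step1" >> "$MARK"
rm -rf $TARGET_DIR/pi-hole
echo "step2" >> "$MARK"
EOF
}

# Same work wrapped in a function that is only called on the final line. A
# truncated copy is either an unterminated function (a syntax error, so nothing
# runs at all) or a complete function that is never invoked.
write_guarded_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
main() {
    echo "step1" >> "$MARK"
    rm -rf $TARGET_DIR/pi-hole
    echo "step2" >> "$MARK"
}
main "$@"
EOF
}

# Copies the bytes of $1 that precede the first occurrence of the word $2 into
# $3, modelling a transfer that died at exactly that point (ASCII assumed).
truncate_before() {
    off=$(awk -v w="$2" '{ i = index($0, w); if (i) { print off + i - 1; exit } off += length($0) + 1 }' "$1")
    head -c "$off" "$1" > "$3"
}

# Runs script $1 in a scratch directory, truncated just before "pi-hole" when
# $2 is "partial". Prints "<steps logged> <target dir survived>"; "1 0" means
# one step ran and the whole target directory was deleted.
run_script() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/target/pi-hole"
    : > "$tmp/target/keep"
    if [ "$2" = "partial" ]; then
        truncate_before "$1" "pi-hole" "$tmp/run.sh"
    else
        cp "$1" "$tmp/run.sh"
    fi
    MARK="$tmp/mark" TARGET_DIR="$tmp/target" sh "$tmp/run.sh" 2>/dev/null || true
    steps=0
    if [ -f "$tmp/mark" ]; then steps=$(wc -l < "$tmp/mark" | tr -d ' '); fi
    survived=0
    if [ -f "$tmp/target/keep" ]; then survived=1; fi
    rm -rf "$tmp"
    echo "$steps $survived"
}

# Stand-alone demonstration of the three cases.
demo() {
    d=$(mktemp -d)
    write_naive_script "$d/naive.sh"
    write_guarded_script "$d/guarded.sh"
    echo "naive, cut mid-download:   $(run_script "$d/naive.sh" partial)"
    echo "guarded, cut mid-download: $(run_script "$d/guarded.sh" partial)"
    echo "guarded, complete:         $(run_script "$d/guarded.sh" full)"
    rm -rf "$d"
}
```

The naive script cut mid-download logs one step and wipes the whole target directory; the guarded script cut at the same point does nothing, because the shell refuses to run a file that ends inside an open function body; the complete guarded script runs both steps and removes only the subdirectory it was told to. The pattern costs one line and is what a careful installer author uses whether or not the download ever gets piped.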

I reckon the biggest problem is normalising the pattern.

Piping (https) curl to shell from a site who you were going to trust and download software/run from if they had an alternative method anyway - is no less secure than downloading a tarball or .dmg from the same site.

Getting into the habit of piping curl to shell is a bad idea though. It's gonna be easier when you're in a rush to not notice you're copy-pasting "curl -sSL https://install.pi-hole.ru | bash" from some "helpful" forum post...

They do have an official docker image, that's a pretty good alternative in my opinion.

Seems like RPi needs a trusted package manager solution

That's like saying the 2018 Lenovo X1 Carbon needs its own trusted package manager.

I’m not sure why Pi Hole doesn’t even maintain a Raspbian apt repo; I’m guessing at least 95% of users use it since it’s the ‘default’ OS for the Pi. Failing that, Debian itself.

It already has a bunch, depending on which OS you are running.

Who cares? Do you unpack your deb archives and look through them, in case the packager snuck something in?

Where the hell did this argument come from? “If you don’t personally inspect your .deb you might as well be piping curl | sh?”

You can sign a .deb, there’s a whole infrastructure around distributing PGP keys for repos, and plenty of us do examine .deb file from strange places before installing them (like ok, this package runs a service but with appropriately restricted privileges, or that package just has data in it, and yes, some of us examine the source). And when someone distributes a bad .deb we have the ability to put together the package and its signature to get basically a smoking gun that person X is compromised and their key should be revoked immediately. The thing is, with a .deb you don't actually have to detect everything ahead of time you can archive the .deb and figure out what happened after you get pwned.

With curl | sh it’s basically impossible. There's no signature, just a bit of TLS at best which is gone to the ether. You can't sign curl | sh and there are some pretty nice attacks which you can use to thwart people who try to read the script sent from the server. I've seen reports of spear phishing attacks sent to otherwise sophisticated developers that use curl | sh as their vector... because curl | sh is fucking perfect for spear phishing. A .deb... is not.

Do you know anyone that archives a deb offline/write-only before installing?

It's an edge case at best. If that's the best argument not to curl, there are no good arguments.

I'm in favor of things that noticably help the risk of spear phishing, but are you sure this does?

Yes, I absolutely do know people who do this. I know people who accidentally let a GPG key expire and spent some long nights figuring out a way to get the thing trusted again so they could sign .debs, because dammit, THEY sign the .debs not some maintainer somewhere else. I know people who run their own deb mirrors (this is really common! I know SHITLOADS of people with Debian mirrors!). I know people who do everything from control servers that have a minimal set of software, people who run new software in locked down testing servers before wider release. And I know people who are Debian maintainers who actually do review the code that gets built, even if it's not a line-by-line audit. I know people who compile from source and compare executable checksums to see if it matches the official repo, ever since reproducible builds is a thing.

Some of these people are crazy because they're paid to be crazy by a software firm. Some of these people are too crazy for the software firms, they work as consultants and in their free time they're constantly trying to get firmware dumps of their game consoles, phones, and laptops.

And yes, a bunch of these people are on your side. But if you curl | sh it's harder for anyone to help you, including yourself, when shit goes south.

Someone actually reviewing the source code is in a different category entirely, they don't need a download at all.

For people that are highly paranoid downloaders, I'm surprised they're getting software from a website to begin with.

> Someone actually reviewing the source code is in a different category entirely, they don't need a download at all.

This isn't an all-or-nothing deal. Just because you read the source code for a package doesn't mean that you can't also download the binary. Reproducible builds give you some additional confidence that something weird hasn't been snuck in through a single compromised machine, and additional confidence that the binary package corresponds to the source code even if you didn't personally build it.

Malicious software is also not the only thing you're looking for, but things like unsafe practices in the code or insecure defaults.

In practice I do review source code from time to time before I install something, and sometimes I decide not to install it after looking at the source.

In your second line you've jumped into stating you do personally inspect debs...

With the one liner above it's pulling over ssl so at the very least you have some line of trust to the domain you pulled it from.

> “If you don’t personally inspect your .deb you might as well be piping curl | sh?”

Exactly. I stand by it.

Practically speaking the TLS bit is the important thing. Your package signature doesn't offer more in practice.

And the "smoking gun" part is something nobody cares about. By then their systems are compromised.

> Practically speaking the TLS bit is the important thing. Your package signature doesn't offer more in practice.

No, actually, the signing bit is important. You can MITM TLS, and it's easy to miss it if you are not verifying that the cert is from the host you expect it to be from. Meanwhile, the only way signing can be compromised is if the maintainer loses their private key. That's not unheard of, but is much harder/rarer.

curl|sh offers 0 verification of authenticity.

You're wrong.

Signing says "craftyguy created this package". TLS says "This script comes from pi-hole.net (which only pi-hole approved admins have access to".

The difference is marginal and uninteresting.

Sure, if you don't care about non-signed or self-signed certificates, then you've got a problem. But that's just the same as not verifying a package signature.

The key piece is whether curl performs hostname verification of the cert, or not. Their ssl certs page is unclear[0] (they go off into the weeds about self-signed certs). If they are not verifying the hostname, then your argument is completely off base since it's basically "you trust a person who signed a thing" vs "you trust a thing you got from someone who has a cert that is trusted by a CA on your system" (and that's pretty trivial to get considering how many 'trusted' CAs distros/OSes ship by default).


> The difference is marginal and uninteresting.

In practice the difference is real. Web servers are much more difficult to secure than package signing keys. Imagine, for example, someone gets kicked out of the project and people forget to revoke the developer's SSH key. Or imagine social engineering attacks against the hosting provider. Or think about teams that run outdated and vulnerable blog software on the same server that hosts their curl|sh script.

The difference ends up being substantial once you look at typical web hosting infrastructure. There's a reason why people don't copy code signing keys to their web server.

Note that it's 'curl', not 'curl -k'

Easy to miss? How so?

IIRC, in the past Curl had some bad defaults.

But, it is known that there are state-level actors which can forge certificates (because they can coerce CAs). This has happened. You may take a moment to consider whether state-level actors are part of your threat model (and not everyone has an answer to that which they like).

Yes, that's "security by dramatization". ;-)

I'm not saying that curl|sh is the golden standard for software deployment.

But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".

I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.

> Yes, that's "security by dramatization". ;-)

I'm not entirely sure what you mean here, are you poking fun at people who put state-level actors in their threat models? Because for some of us, the choice is between ignoring attacks from state-level actors and figuring out ways to mitigate the attacks, there is no third option where the state-level actors do not attack us.

> I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.

Honestly? I feel you've described my complaints with your argument. Security is a matter of degrees, threat models, evaluating likelihoods and potential severity of attacks, weighing the cost of prevention against the cost and likelihood of a successful attack.

The fact is that curl|sh has a lot of problems that a .deb and src .deb signed by some random developer's key doesn't have. It's not some kind of black-and-white world where curl|sh is inexcusable, it's just a world where on the sliding scale of security versus convenience, some of us think curl|sh is just a little too insecure for what little convenience it provides. I would get a headache trying to write the kind of shell script that makes a cross-distro curl|sh work at all.

> But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".

The third choice is to clone the Pi Hole repository from GitHub and build that.

> And the "smoking gun" part is something nobody cares about. By then their systems are compromised.

This is such an obvious falsehood I'm surprised we're even discussing it here. Security is a mix of prevention and detection. The ability to do forensics on compromised systems is important. Sure, it would be better if we could not compromise our systems in the first place but we don't live in some kind of bizarro binary world where if you have a compromised system you have to curl up and die. Life goes on after your system is compromised and it's better to have more information about attack vectors than less.

And realistically speaking, what happens here is some developer's credentials get compromised, the bad .deb gets uploaded somewhere with a good signature, people freak out about it, maybe the developer issues a key revocation, things improve. If you are curl|sh it's that much more difficult.

The problem is that curl|bash isn't authenticated, I don't really know whether the executable I'm getting was really built by the maintainer or if a malicious attacker was able to sneak in and replace it (like what happened with eslint a few weeks ago[1]). Passing off a signed package (as .debs are) as genuine requires getting a hold of the signing key as well, which increases the difficulty of the compromise.


No, it doesn't. We're not talking about the Debian package archive.

We're realistically talking about the hypothetical where a .deb is sitting on pi-hole.net, with a GnuPG key right next to it and instructions to trust this key.
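The middle ground the thread keeps circling is to stop piping and instead download to a file, verify it against something obtained out of band, read it, and only then run it. The following is an added example rather than anything the Pi-hole project ships: `verify_then_run` refuses to execute a script whose SHA-256 does not match the digest you pass in, and also refuses an empty or missing file, which covers the interrupted-download case. How much this buys you depends entirely on where the expected digest came from: a hash published on the same web server as the script proves nothing that TLS did not already, while one copied from a signed release note or a second channel does. `sha256sum` from coreutils is assumed (with `openssl` as a fallback); the sample script and its digest in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of Pi-hole. Replaces "curl ... | bash" with
# download -> verify -> inspect -> run. Nothing here touches the network;
# the caller supplies an already downloaded file and an out-of-band digest.

# Prints the SHA-256 hex digest of file $1 (coreutils sha256sum assumed,
# falling back to openssl if it is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Returns 0 only if $1 is a non-empty file whose digest equals $2 (hex,
# case-insensitive). Prints the reason for refusal on stderr.
verify_script() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -s "$file" ]; then
        echo "refusing: $file is missing or empty" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: digest mismatch" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# Verifies $1 against digest $2 and, only on success, runs it with sh.
# The manual flow around it, using the page's own installer URL:
#   curl -sSL -o install.sh https://install.pi-hole.net   # to disk, not to bash
#   less install.sh                                       # read it first
#   verify_then_run install.sh <digest from a trusted source>
verify_then_run() {
    verify_script "$1" "$2" || return 1
    sh "$1"
}

# Stand-alone demonstration with a constructed script and a tampered copy.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "installer ran"\n' > "$d/install.sh"
    good=$(sha256_of "$d/install.sh")       # stands in for an out-of-band digest
    verify_then_run "$d/install.sh" "$good"  # runs: digest matches
    printf 'echo "something extra"\n' >> "$d/install.sh"
    verify_then_run "$d/install.sh" "$good" || echo "tampered copy rejected"
    rm -rf "$d"
}
```

A detached GPG signature checked against a key you already trust (`gpg --verify install.sh.asc install.sh`) slots into `verify_script` in place of the digest comparison and is what the .deb side of this argument is really asking for; the digest version is the minimum that turns "whatever arrived" into "exactly the file someone vouched for".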

Um, sometimes; but I'm conscious it would be pretty easy to sneak something below my radar ...

I do check for usage figures, project involvement, apparent real name usage and such when considering random apt repos (PPAs).

My experiences using a Pi-Hole at home (Debian VM) have been very good.

Recently I upgraded to version 4.0 (https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ft...) and it seems to be working perfectly fine.

Great job Pi-Hole team! Thank you!

Is there any reason you chose running on a VM as opposed to something like a RPi3?

I'm also running it on a VM because I had spare capacity on an existing VM host, so it was essentially a no-cost addition.

Also Pi-Hole has been great. I'm reminded of how effective it is every time I load up web pages on mobile or at work, or anywhere else that doesn't filter out the large percentage of the Internet that I didn't ask to see.

Marginal speed gains (though Pi hole isn’t super resource-intensive so the speed up isn’t huge unless you’re piping through a ton of DNS traffic), and you don’t need a Pi at all :)

Mine is on a Debian VM too, I already had a server to put it on and my RPi is busy running 4-player Super Bomberman :-)

I only ever played 2-player Super Bomberman on the SNES, but it was one of the most fun games I've ever played. Now I've gotta make this possible for / with my kids!

Back in the 90s I read about this new HDTV thing they had in Japan and how they could play TEN player bomberman on it - mind blown.

SNES bomberman 3 I believe actually supports five players (one on joypad port 1 and four more via multitap on port 2). Runs great on Retropie, my nephews love it.

Just got one a month ago. Doesn’t work for YouTube ads, which was my primary use case. In Canada, we don’t have YouTube Red, and thus there’s no way to buy out of the ads.

Also I loaded all block lists marked as safe. Yet many sites are broken.

Now I’m contemplating as to how best to repurpose the Pi.

Since mid-June it's been renamed YouTube Premium and you can get it in Canada.

Sweet! Thank you for letting me know! Problem solved :D

Use it to carry all your traffic to a US-based host via VPN and purchase YouTube Red with a US address? Hacky, I know.

You'd have to be connected to the VPN at all times to use it. The minute you're not using it, all the Red features disappear, regardless if you have an active subscription or not[0].

So your option is to have an always-on VPN. If you're doing that from your phone, you might as well install NetGuard, which is a no-root open source adblocking solution that MitMs your connections by pretending to be a VPN, and is available on Google Play. Works with YouTube, and doesn't require monthly subscription.

[0] Source: Activated the YouTube Red trial when I was on a travel to the US, and lost all the benefits the moment I landed home.

uBlock Origin blocks YT ads in the browser.

Make a Youtube-dl server? Or run kodi+YouTube and watch on your TV with no ads.

The page is very self-contradicting...

It says verbatim "However, I do have a problem with: Pop-up and pop-under ads that hi-jack my internet browsing experience".

However, the site itself has a "subscribe" overlay that has to be removed with developer tools or manually blocked if uBlock Origin is enabled with annoyances filters.

I guess he made his point

If you run OpenWRT/LEDE on your home router, you can just install this package:


Alternative for those who run OpenWRT on their modem/router: you can opkg install adblock, and also get an easy web-based administrator interface via LuCI.


and you don't need a device.

Where do I edit the hosts file on my iPhone? Or my Android device? Or my smartTV, etc, etc, etc

I put mine on my router with dnsmasq.

Or https://github.com/notracking/hosts-blocklists that uses a dnsmasq feature to block full domains.

I tried pi-hole (a few months back on an rpi3) and am pretty sure it got hacked, making something like 100,000 DNS requests in a few minutes during a low use period. I'd guess that's some sort of advertising impressions hack.

Unfortunately I didn't have time to sort the issue, so can't guarantee I didn't err. But I stopped using it; which was a shame as I really liked the device usage reporting in particular.

Anyone else had similar? Make sure to check your stats.

This article might be of interest to you: https://docs.pi-hole.net/guides/vpn/overview/

It describes how your Pi-Hole can be used for DNS Amplification Attacks by attackers, and how to prevent it

If the case is the pi-hole was an open resolver, then a simple firewall rule should have been enabled to block port 53 from the WAN...
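Added example, not from the thread or the Pi-hole project, covering the two comments above: the "check your stats" advice and the open-resolver/amplification concern. It reads the dnsmasq query log that Pi-hole writes, lists clients with an abnormal query count, lists clients whose address is outside the LAN (a resolver that answers those is reachable from the WAN and usable for amplification), and prints the firewall rules that close port 53 on the WAN interface. The log path, LAN range and interface name are assumptions; the log lines in the test are constructed in dnsmasq's format.

```shell
#!/bin/sh
# Added example (not Pi-hole's own tooling): look for a runaway client and for
# queries arriving from outside the LAN in the dnsmasq/Pi-hole query log, then
# print the rules that keep WAN-side DNS out. Paths and names are assumptions.
set -e

LOG=${LOG:-/var/log/pihole.log}
LAN_CIDR=${LAN_CIDR:-192.168.1.0/24}
WAN_IF=${WAN_IF:-eth0}

# dnsmasq logs one line per query, e.g.
#   Aug 20 10:01:02 dnsmasq[1234]: query[A] ads.example.com from 192.168.1.10
# The client address is the last field; only "query" lines carry it.
query_clients() {
  awk '/: query\[[^]]*\] .* from / { print $NF }' "$1"
}

# Clients with at least $2 queries in the log, most active first, as "count ip".
find_noisy_clients() {
  query_clients "$1" | sort | uniq -c \
    | awk -v t="$2" '$1 >= t { print $1, $2 }' | sort -rn
}

# Exit 0 if dotted-quad $1 lies inside CIDR $2. POSIX awk has no bitwise
# operators, so the network parts are compared by integer division instead
# of masking.
in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    BEGIN {
      split(cidr, c, "/"); host_bits = 32 - c[2]
      same = (int(ip2n(ip) / 2^host_bits) == int(ip2n(c[1]) / 2^host_bits))
      exit (same ? 0 : 1)
    }'
}

# Unique client addresses outside the LAN. Any hit means the resolver is
# answering the Internet at large, which is what an amplification attack needs.
find_external_clients() {
  query_clients "$1" | sort -u | while read -r ip; do
    in_cidr "$ip" "$2" || echo "$ip"
  done
}

# Rules that drop DNS arriving on the WAN interface. They are printed, not
# applied; review them and run them as root once the interface name is right.
dns_firewall_rules() {
  cat <<EOF
iptables -A INPUT -i $1 -p udp --dport 53 -j DROP
iptables -A INPUT -i $1 -p tcp --dport 53 -j DROP
EOF
}

report() {
  echo "== clients with >= $1 queries =="; find_noisy_clients "$LOG" "$1"
  echo "== clients outside $LAN_CIDR =="; find_external_clients "$LOG" "$LAN_CIDR"
  echo "== suggested rules for $WAN_IF =="; dns_firewall_rules "$WAN_IF"
}

# Run the report only when a threshold is given, e.g.: ./dnscheck.sh 1000
if [ $# -gt 0 ]; then report "$1"; fi
```

A Pi-hole behind a NAT router with no port forward for 53 will never show external clients; if the list is not empty, the firewall rules above (or removing the forward) come before anything else. The per-client count is what separates a compromised resolver from a single chatty device like the Android phones described earlier in the thread.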

Why is it based on the Raspberry Pi when it has such a terrible network interface? Literally a 6+ year old board with a dual core and a gigabit interface can do this better.

Because everyone and their dog has two of those boards gathering dust in a drawer, in hopes of being used for some project one day.

Because the pi-hole is a dns server. So it doesn't need to filter all traffic. It just replies to dns requests. And you need a LOT of traffic to completely saturate a 100Mbit link with dns requests :)

It’s just resolving dns queries. What types of resources do you think it needs?

Also, the newest revision of the RPi (Model 3 B+) is quad-core 1.4GHz with gigabit LAN. Overkill for a project like this.

> with gigabit lan

Although, tests have shown it's not really gigabit in speed, but it is faster than the old 100Mbit NICs of previous Pis.

IIRC the bus of the NIC is shared with USB (v2), which is 480 Mbps or about half of 1 Gbps. If you care about throughput, don't use the USB ports at the same time. But either way, 100 Mbps is more than fine for a Pi-Hole. I'd worry more about any possible latency overhead.

Mostly nitpicking, but it's not gigabit LAN; the interface is limited by the internal bus to 300 Mbps.

It doesn't matter if you dedicate it to this single use, you'll see more lag if it's also doing file serving stuff in the background for instance (also because of CPU use, not just networking)

I have it running on an Ubuntu virtual machine on my NAS. You can probably run it on whatever 6 year old board you like


You can run it on whatever hardware you like.

It really seems like the only reason I need this device is that most of my devices are not truly under my control.

The fact that my phone does not have these features baked in and comes with apps that violate my privacy and serve me ads without regard for malware those ads may contain is because my phone doesn't truly obey me first.

Internet without an ad and tracking blocker is unwatchable and unusable at this point. Occasionally I get a taste of it while browsing on the iPhone (unable to edit the hosts file) and it is a nightmare. Advertisers and tracking providers have hijacked the web.

iOS has several nice ad blockers and has for quite some time now.

I had issues with Pi-Hole slowing down page loads significantly until they introduced NXDOMAIN and NULL blocking as an option.

These features made it to the stable build this week so it might be worth trying again for those who had issues in the past.

I do it differently on my own DNS ad blocker: it returns the IP of my "happy" webserver that always returns `204 No Content`, whatever query you send to it. Of course, there's still the issue of https failing, but I've never had any performance issues - much more the opposite actually.

I wrote a tiny bit about how I do it: https://try.popho.be/byeads.html

There's a persistent bug with my Pi-Hole where every time it's active it causes my wife to complain that several of the websites she wants to visit are unusable. :-D

Pi-Hole has dnsmasq built in so it is also handy for doing things like connecting to ssh servers in your network with your own hostnames instead of just ip addresses.

I wrote a lightweight DNS proxy for this purpose in python+twisted and sqlite3: https://gitlab.com/Sharky/blocklist2bind/blob/master/twisted... which also works really well on a RaspPi 3 with pypy3.

I've added an LXC container builder for it: https://github.com/kstenerud/virtual-builders/tree/master/ma...

For me, I use http://www.ipcop.org/ then use the blacklist from http://www.shallalist.de/ I'm using this on an old laptop.

I use WireGuard with DNS routed to an `unbound` instance on the WireGuard VPS. The VPS costs me $1/mo. The only problem I've had is when `unbound` crashes because it uses ~400MB of RAM to hold the blacklist and the little VPS only has 256MB of RAM (and 1GB of swap)!
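Added example, not from the thread, the notracking project or Pi-hole, serving two comments above: the one pointing at a hosts-format blocklist that uses dnsmasq's domain feature, and this one about unbound holding the blacklist in memory. It normalises a hosts-format list (the `0.0.0.0 host` / `127.0.0.1 host` lines most lists ship as) into one domain per line and emits either dnsmasq `address=/domain/0.0.0.0` entries, which also cover every subdomain, or unbound `local-zone: "domain." always_nxdomain` entries. The unbound form creates one zone object per name, which is why a six-figure list costs hundreds of megabytes there; that is the behaviour, not a bug in the converter. Output paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not Pi-hole's gravity script): convert a hosts-format
# blocklist into dnsmasq or unbound configuration.
set -e

# Normalise a blocklist on stdin into one lowercase domain per line: accepts
# "0.0.0.0 host", "127.0.0.1 host", "::1 host" and bare "host" lines, strips
# comments and CRLF, drops the loopback names every hosts file carries, drops
# bare IPs and single-label names, and de-duplicates.
normalize_blocklist() {
  awk '
    { sub(/#.*/, ""); sub(/\r$/, "") }                     # comments, CRLF
    NF == 0 { next }
    { d = (NF >= 2 && ($1 ~ /^[0-9.]+$/ || $1 ~ /:/)) ? $2 : $1 }   # "ip host" or "host"
    { d = tolower(d) }
    d ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$/ { next }
    d ~ /^[0-9.]+$/ { next }                                # "0.0.0.0 0.0.0.0" lines
    d ~ /^([a-z0-9_-]+\.)+[a-z0-9-]+$/ && !seen[d]++ { print d }
  '
}

# dnsmasq: address=/ads.example/0.0.0.0 answers ads.example and *.ads.example
# with 0.0.0.0 (Pi-hole's NULL blocking) without any per-subdomain entries.
to_dnsmasq() {
  normalize_blocklist | awk '{ print "address=/" $0 "/0.0.0.0" }'
}

# unbound: one local-zone per name returning NXDOMAIN for it and its subdomains.
# Each zone is a separate in-memory object, hence the RAM cost on large lists.
to_unbound() {
  normalize_blocklist | awk '{ print "local-zone: \"" $0 ".\" always_nxdomain" }'
}

# Usage (assumed paths):
#   to_dnsmasq < hosts.txt > /etc/dnsmasq.d/99-blocklist.conf
#   to_unbound < hosts.txt > /etc/unbound/unbound.conf.d/blocklist.conf
# then reload the resolver and check with: dig +short @127.0.0.1 ads.example
```

Both outputs block whole domain trees, so a list that enumerates `a.ads.example`, `b.ads.example` and `ads.example` only needs the last entry; trimming entries whose parent is already listed is the cheapest way to cut the unbound memory the comment above describes.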

I could be on the wrong track here, but the MACE ad-blocker built into the PIA VPN seems to work very well by itself. It's not free like PiHole is, but pretty cheap, and a VPN is probably a better starting point for security than a local blocker. Am I missing something here?

> and a VPN is probably a better starting point for security than a local blocker. Am I missing something here?

Why? A VPN is just another (S)POF. I'm not afraid my ISP will MITM me. With a VPN, who knows what they log or not? Also, OpenVPN's performance is terrible. If you want to avoid detection of BitTorrent, sure, but then just route only that over a VPN. If your ISP MITMs you, and you're paying them, consider jumping ship.

I see uBlock being mentioned throughout this thread. uBlock Origin is (very) nice, but it's client-side overhead and you can't use it on "apps". What I do is catch all DNS requests and forward them to my DNS-based adblocking (I basically run Pi-Hole on an ER-L) and forward that to DNS over TLS (which works with Quad9). This is all used even if I'm roaming (via WireGuard, i.e. very low overhead). So it is irrelevant which network my roaming clients use.

The performance of my network is certainly not terrible when connected to the VPN. Download speed is not noticeably affected and my ping to quake servers (I run VPN all the time, even while gaming) is often lower with the VPN connected.

Regarding your 'why is it more secure' question - because I live in the UK where the government and a myriad of its approved bodies are now allowed to look at user traffic and see my IP and what websites I've visited. I don't have to worry about that now - although yes I need to trust that PIA really are not logging.

PIA is a company from the USA.

The problem with a "no logging" policy is you cannot verify it. They can log if they 1) want to 2) mistakenly do so 3) while claiming they really don't 4) are obliged to by (secret) court order (with whatever collateral damage). It's also not anonymous (e.g. correlation attacks). So it seems to be just snake oil to me. I'd rather depend on something like Tor.

Tor is way more secure and anonymous of course, but not at all practical for high bandwidth / low latency applications. Yes you need to trust the VPN that they don't log (your points 1-3). If you trust them not to log, then there is nothing they can reveal under court order (your point 4). It's not snake oil if it does what the seller says it does.

Yeah, that's why I use a VPN; for BitTorrent solely. Which here falls under private law; not criminal law. So the equiv of the RIAA cannot do the correlation attacks whereas (the equiv of) 3 letter agencies can. But the latter don't do private law cases.

I also download over Usenet, over TLS. It's basically impossible to catch those who download over Usenet for copyright infringement since it's again private law, and they don't have the power to sniff my ISP's network (though they'd also see encrypted data flowing from a Usenet server).

I have a VPS with an Outline VPN that I use. I'm going to try to put PiHole on there and see if I can get it to work.

Does anyone use Pi-Hole for larger-than-home networks, e.g., for an office, cafe, school...?

Also, it seems like Pi-Hole ought to be a router feature rather than requiring a separate device. Does any router vendor or router OS distro integrate Pi-Hole?

I like the idea of running a Pi-hole, but my crappy ISP-provided router is unreliable enough as it is, I don't really want to add a second layer of software that can break. So I'll just stick with uBlock.

I also prefer a blocking list and blocker on each terminal device rather than central on the network. It is unpleasant otherwise to open one's laptop at the library or at a friend's house and be bombarded by ads.

This is the single greatest argument against getting a Pi-hole.

Yeah, this is a valid point. But, you can also just keep something like uBlock installed and just disable it when using pi-hole and then enable it once you’re on something like a public network.

Why disable uBlock? I have both Pi-Hole and uBlock Origin active.

You can do both

I can recommend buying your own router instead (e.g. Turris Omnia/Mox or Ubiquiti EdgeRouter series) and putting your provider's in bridge mode. If you're from the EU, you might be able to compel your ISP to do just that.
