* By a huge margin the noisiest device is my Android phone. >40% of traffic is coming from just my phone (which is crazy!)
* I have 650,000+ domains in my blacklist, and folks complaining "it doesn't work on pihole" have just taken that tiny bit of error to unblock some domains like "ssl.googleanalytics.com" which break a lot of apps. It took me about 1 day to see what isn't working (e.g. the Facebook app breaks if graph.facebook.com is blocked)
* On avg 28% of my requests are blocked and 42% are cached. I am quite sure generally my surfing experience is snappier
Things I learned running PiHole:
How prevalent tracking really is across the web. A lot of apps don't go "online" if Google Analytics is blocked (example Toggl)
Manufacturers like Xiaomi are spamming the network with requests - mostly for notification spam
How amazingly scalable and stable RPi+PiHole is - we ran a workshop with 150+ DHCP leases and nearly a few 100k DNS requests without a glitch. The Pi didn't even heat up a bit
Smart TVs are freaking noisy. A Samsung TV makes ~300 DNS requests in <5 min of startup. Literally every button press in the "smart home" is tracked
I work for a small ISP-for-schools. We had an issue which eventually turned out to be related to a specific version of Snapchat on Android, when its connection back to Snapchat was blocked, it'd try and send a mixture of GET/POST at a rate of 1000s a minute. When you've got thousands of devices doing that, it's like an internal DDoS.
We've had a few problems like this and it always appears to be Android apps...
I've ended up using uMatrix and uBlock together on my personal machine as they don't interfere with each other and uBlock has an extra list or two that blocks even more tracking and ads - including all youtube ads. Which is just so satisfying. But other devices (of all kinds) run ad and tracker free, with a faster browsing experience to boot.
So that's no ads on any devices on the network, all running on a pi that is also a media centre, NAS and IRC client. Takes minutes to set up and is regularly updated. I don't get what's not to like.
1. Switch off DNS from PiHole to ISP DNS (or Google/CF, whatever non blocking DNS)
2. Reload page in Chrome with uBlock Origin and selectively allow domains to load until the page loads.
3. Whitelist domain in PiHole
This works b/c both uBlock Origin and PiHole out of the box use basically the same blocklists (or you can force them to).
What is involved in selectively allowing domains to load?
Could you do it if the domain is a completely unrelated string to whatever site you are visiting? (Say for site example.com, it requires something from whwehkhsfasfs.com in order to load)... how does step 2 work exactly in this case? Are you being prompted for a small subset of domains that the page is trying to load, for example?
But in Chrome with uBlock Origin - it very clearly tells you what's happening and you can selectively unblock domains until the page starts working and then turn around and add that domain to the whitelist.
I'm making this sound harder than it actually is, it's honestly just a couple of mouse clicks and page refreshes in Chrome with uBlock Origin going.
Pi-hole admin -> Query log -> Show all -> Search filter <domain>
Whitelist whatever necessary.
Example: my Samsung TV took some effort:
multiple domains were blocked and I had to restart my TV every time; thankfully PiHole has a neat responsive web interface. After allowing 2 domains it started to work, or else it wouldn't go online.
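The "Query log -> search for the client -> whitelist whatever is necessary" procedure above can be done from the shell too. The script below is an added example and not part of Pi-hole or of any commenter's setup: it pulls the domains that were blocked for one client (the TV, say) out of a dnsmasq-style Pi-hole log, and prints the `pihole -w` commands for review rather than running them. The log lines are constructed for the example and the exact wording of the "blocked" line is an assumption; real Pi-hole versions word it differently, so adjust the pattern to your own /var/log/pihole.log.

```shell
#!/bin/sh
# Added example, not Pi-hole's own tooling: list the domains Pi-hole blocked for
# one client, so the one or two that break a device can be reviewed before
# anything is whitelisted.
#
# The log lines below are CONSTRUCTED for this example. The format assumed is
#   "<date> <time> dnsmasq[pid]: query[TYPE] <domain> from <client>"
#   "<date> <time> dnsmasq[pid]: gravity blocked <domain> is 0.0.0.0"
SAMPLE_LOG='Sep  8 21:14:02 dnsmasq[611]: query[A] www.tv-vendor.example from 192.0.2.20
Sep  8 21:14:02 dnsmasq[611]: forwarded www.tv-vendor.example to 9.9.9.9
Sep  8 21:14:03 dnsmasq[611]: query[A] telemetry.tv-vendor.example from 192.0.2.20
Sep  8 21:14:03 dnsmasq[611]: gravity blocked telemetry.tv-vendor.example is 0.0.0.0
Sep  8 21:14:03 dnsmasq[611]: query[A] ads.tracker.example from 192.0.2.31
Sep  8 21:14:03 dnsmasq[611]: gravity blocked ads.tracker.example is 0.0.0.0
Sep  8 21:14:04 dnsmasq[611]: query[A] auth.tv-vendor.example from 192.0.2.20
Sep  8 21:14:04 dnsmasq[611]: gravity blocked auth.tv-vendor.example is 0.0.0.0
Sep  8 21:14:09 dnsmasq[611]: query[A] auth.tv-vendor.example from 192.0.2.20
Sep  8 21:14:09 dnsmasq[611]: gravity blocked auth.tv-vendor.example is 0.0.0.0'

# blocked_for_client LOG CLIENT: unique blocked domains whose query came from CLIENT.
# The "blocked" line carries no client, so we remember who last asked for each domain.
blocked_for_client() {
  printf '%s\n' "$1" | awk -v target="$2" '
    /query\[/         { client[$6] = $8 }
    /gravity blocked/ { if (client[$7] == target) print $7 }
  ' | sort -u
}

# count_blocked LOG CLIENT: how many distinct domains were blocked for CLIENT.
count_blocked() {
  blocked_for_client "$1" "$2" | wc -l | tr -d ' '
}

# whitelist_cmds LOG CLIENT: the "pihole -w <domain>" commands an admin would
# review and then run by hand. Printed, not executed, so nothing gets whitelisted
# without a human deciding the domain is needed rather than just blocked.
whitelist_cmds() {
  blocked_for_client "$1" "$2" | awk '{ print "pihole -w " $1 }'
}

# Usage against the constructed sample (swap in: cat /var/log/pihole.log):
blocked_for_client "$SAMPLE_LOG" 192.0.2.20
whitelist_cmds "$SAMPLE_LOG" 192.0.2.20
```

Run it with the TV's IP as the client, restart the TV, and the output is the short list the comment describes; whitelist only the domain the device genuinely needs (the login or auth host), not the telemetry one that happens to be blocked at the same time.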
Happens so infrequently though - the lists are made up of domains you don't typically want to whitelist. Only 133,608 on my lists though, and that's pretty up to date.
Same thing on laptop. I use a combination of blackholed DNS, a firewall, and uBlock Origin in the browser. Some sites won't work due to poor error handling which is their loss. I've never had a native app not work.
Exactly what my stance is towards sites that 'need' crap to work. My favorite are news sites/blogs whose primary content is text, but display a completely white blank page when the adblocker is up. (some even do this when you disable JS too. why JS is 'required' for displaying any text is beyond me)
It is not. But this is likely a result of either:
1) simply not realizing that the newfangled 'framework' they are using requires JS to render text
2) intentionally requiring JS to render text, because then JS will be on so they can also deliver ads (i.e., a form of "anti-adblock").
Things like backgrounded next page loading may not seem appealing to you, but stuff like that does fall into the category of "people actually like this" and not "implemented to intentionally force ads on people".
We use an express server to pre-render our text, which means you can always see the content, but when you strip out JS, you lose a lot of navigation perks.
I fully support you not wanting JS, but don't act like opting to use a ubiquitous tool is somehow either ignorant or malicious.
Your argument, whilst full of technical merit and other benefits which you have not mentioned, is perhaps not persuasive enough to those who control the purse strings.
Also, HN has a completely different userbase than most websites. The biggest complaint about Android in the early days was "it has UI/UX for engineers" (that I personally loved). 99% of people aren't looking for a website experience like HN. Most people WANT some sort of slight flashiness and style. Also, most people don't use noscript. It's a valid tool to use, even if it is abused by some. We still run tests to make sure our total delivered payload is small and monitor accessibility stuff. Just because some sites are built like a dumpster fire using modern frameworks doesn't mean all modern frameworks are bad.
That's why I put 'required' in quotes, indicating that they think it is (for the reasons you pointed out) but it's obviously not.
My pi hole graph started to look like - https://imgur.com/a/Jj8bmPW
NVIDIA geforce experience really wants to talk to the mothership :|
Ended up uninstalling it
Then there would be no need to unblock their trackers to make websites function.
Enforcing use of the proxy could even be automatic if your router supports it. eg, LEDE can redirect all traffic outbound to WAN on 443 through a specific endpoint (your MITM proxy or pi-hole or whatever).
It might be problematic for guests who have never seen the CA before, but that's what guest networks are for, I guess.
I've seen this technique used by some large multinational and security-sensitive companies to help monitor data egress from their networks. Probably via some overly-expensive software, but the software doesn't have to be expensive. They tend to have better automation systems than your typical home user, though.
However, for a small network, it's fairly straightforward to get a CA certificate onto each device. If it's you or a few people on individual machines, you can add it manually in less than a minute on each. Or for the larger case there are automation tools.
One such open source project for an SSL replacing proxy:
> Write powerful addons and script mitmproxy with mitmdump. The scripting API offers full control over mitmproxy and makes it possible to automatically modify messages, redirect traffic, visualize messages, or implement custom commands
I'm sure there's a way to make this live side-by-side with pi-hole or something similar, but I unfortunately have other things on my plate.. Would make an interesting weekend project someday, though.
It can be done but not in a BYOD situation.
Any idea of the feasibility of this?
Users in general aren't sophisticated enough to do this themselves. ISPs will offer it for a price and users will pay more to have ad free internet while simultaneously benefiting ISPs with bandwidth reductions. Some ads will be allowed through of course, but with significant costs associated with the advertising, the volume will be reduced significantly, like the difference between spam email volume vs that of postal junk mail.
If big sites like Facebook decide to fight it in a cat and mouse game, ISPs can hit them with advertising fees directly or throttle their traffic in retaliation for cheating the system. If browsers like FireFox try to defeat it by doing DNS over HTTPS, then ISPs can funnel 22.214.171.124 directly into the trash. AT&T did this and said it was an accident. I'm sure it was more like a test. They are aware of what underhanded scheme FireFox is up to. Mozilla isn't fooling anyone with their "security" cover story.
Also, Firefox has excellent extension support for browser-level adblocking. No ISPs I'm aware of do any kind of adblocking. If there is no ISP adblocking around, how on earth could DNS-over-HTTPS be a anti-adblocking move?!
I have no idea how you managed to convince yourself that ISPs are anti-ad pro-consumer crusaders while Mozilla are some kind of evil corporation trying to thwart their efforts. The reality is the exact opposite.
Personally, I find a browser based advert/tracking blocker add-on to work better.
If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.
I can't hear these short-sighted comments "it doesn't load with pi-hole? then I just close the tab!"
oh really? that's how easy it is in your world? and then you just don't buy that flight ticket? because that shitty online ticket agent uses third-third-party payment providers etc. whose domain is unfortunately blocked in pi-hole? even one single incident might force you to entirely disable pi-hole. most people can't afford to play around with that until it works.
you can't seriously maintain these block lists yourself. you have to rely on a 3rd party, usually some volunteers - great people btw - but even a huge crowd like them can't make sure that, from time to time, in some part of the internet, in some specific country and language, something won't be blocked by mistake and you are stuck. with a browser plugin, at least you can disable it for that specific case. with pi-hole there is no such feature. i have to disable my browser adblocker at least once a month, because something doesn't load. and it's always off for sites like paypal, because I really want that payment to work and not suddenly screw up the whole transaction.
This is a surprising statement because I've used mine at home with 6+ devices and zero issues for almost two years now. It seems fair to say it's not ideal for your needs, but why say something like this that will only deter people from seeing if it works for them?
So, yes, it is possible to do this in real world scenarios.
I can't actually think of a case where I've had to disable pi-hole because a site seemed to have broken functionality. I book flights on Expedia et al all the time.
Every once in a while I want to do competitive shopping, and disable pi-hole for an hour. It's a revelation how much crud shows up (and pops up) when I do.
worried about resolving ad/tracking urls, yet ordering things via Expedia
If you don’t understand the irony here I’ll giggle even more
Also since when is giggling mean? The assumption that I intended to be mean, is kind of mean too. This is about the same as somebody saying not to eat sugar yet eating lots of fruit that contain sugars, if somebody says that to you surely you giggle without being mean.
Additionally, you can simply disable Pi-hole for temporary timeframes using the web interface as well, it has options like "Disable for 15 minutes", if you don't want to bother adding things to a whitelist.
I've used all sorts of financial, ordering, etc. sites and generally have not run into an issue. A single credit card site was one of the two I had to whitelist, and it was easy.
As a user of pi-hole, I have no issues with small scale implementations (i.e. less than 20 users) but security is more important than access to random sites for personal use in the environments I work in.
It just is for security-prioritized environments.
The people who build websites aren't thinking about us.
I ran into that issue with some household members, that had problems with certain websites that didn't work. Since I run my own DHCP server (not through pi-hole), what I ended up doing is giving them a different (e.g. 126.96.36.199) DNS resolver for their machine (based on their MAC address), and then installing uBlock Origin for them. That way, they can easily turn ad blocking on/off themselves, while I can still have network-wide adblocking on by default (especially useful for mobile devices).
It worked great for a long time but then I changed my setup.
Then I wanted to try Pi-Hole again going through the setup again but the results were very different. For example my Samsung smart TV absolutely refused to connect. It is the same TV, same Pi device, same everything but no network.
But it's absurd.
Other crap is resetting the opt-out after a software update. And also putting the agree or disagree checkbox on a separate page than the actual terms you just read. You read it on one page then exit, look at a bunch of terms and scroll to find the matching document that has the agree or disagree checkbox for one of the TOS documents you read. It's a mess.
Never buy a smart TV just buy a monitor without any smarts.
The sound cuts out on it too you'll miss every few words almost as if it were censoring it.
I'm afraid someday it will not work if it can't update its OS.
Earnings growth for shareholders. Something-something-"advertising revolution/innovation".
It's quite obvious that it's Samsung ads as mentioned it's constant not at the start of a video like how YouTube would do it. And at odd times as if it injects every five minutes no matter what.
It's incredibly annoying to have numerous ads in every video. I even tried to see what was going on using Wireshark but it was beyond my capabilities.
I have also found the reader view functionality on iOS to be a godsend when visiting websites, no more cookie notices, GDPR popups or banners taking up 1/3 of the display - bliss!
"Original anything" (read unique) by definition doesn't go well with the "just go elsewhere" concept. If you can go elsewhere then it's not that original or unique. Time has no bearing on this.
For "mass content" (aggregation or simply independently reporting on the same topic) you have vastly more choice today. And for unique pieces of information, only available in one place, you would have been just as stuck then as you are now. The uniqueness, not the time is what takes the choice out of the equation.
I think I've only seen that once since running pi-hole (which I've done for about six months now), so I assume the rate of occurrence varies widely with what people are browsing. Do you see it a lot on sites with a particular pattern (i.e. pertaining to a certain industry or hobby/interest)?
> and refuse to let you in
I'm fine with that. I doubt the information isn't available elsewhere if I really care about it, and the most insidious stuff I'm blocking tends to be on less important content that I can live without anyway (imgur.com was the final straw that made me install network-level blocking - too many pop-unders, the occasional drive-by install attempt, adverts trying to access my microphone and/or camera, and less worrying but still annoying things like auto-playing audio - if such frivolous sites block me for blocking their ads because they can't police them properly I'm sure I'll live!).
> a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works
> Personally, I find a browser based advert/tracking blocker add-on to work better.
Other people is why I run blocking at the network level ATM (as well as on my individual mobile devices). I'd rather deal with the occasional "I can't get into X, oh, it is because of the malware/ad blocker, try somewhere else" conversations than have the tech support load of undoing drive-by installs!
Also, I wouldn't want other people to easily add stuff to my network's whitelist.
Anyone who really objects can always use their own mobile data plan instead of using my network that runs just fine the way I want it to...
> I'm fine with that.
Agreed. Sounds like the Pi-hole is working exactly as intended.
As I see it, you have a choice between viewing an ad/malware laden cesspit, or avoiding it. And by installing a Pi-hole, you have already made that choice.
>> I'm fine with that.
That's fine with me too, but doesn't cut it in a family environment. Further, some websites break with an adblocker, even when they don't have ads. E.g. Login with Facebook/Twitter, or some JS heavy sites which happen to have a bad keyword in the name of the file.
> many sites that detect that their adverts and tracking scripts don't load and refuse to let you in
>> I think I've only seen that once since running pi-hole
It used to be a daily occurrence until I whitelisted sites. At least with an addon, my mum can just click the button and unblock and get on with her day.
If pi-hole could have some companion extension to make whitelisting easier that would be great.
Pihole is purely DNS, it doesn't trigger on filenames.
Especially on data capped devices like mobile phones it works wonders.
That’s false. https://github.com/gorhill/uBlock/wiki/Does-uBlock-block-ads...
> Especially on data capped devices like mobile phones it works wonders.
Are you implying that pihole works wonders on data-capped devices such as mobile phones? If the phone is connected to a network with a pihole, it isn’t using the capped cellular service. If it is using the capped cellular service, it isn’t going through a pihole. Am I missing something?
I guess you could also set up your pihole to be externally accessible and then point your phone's DNS at it, though I'm not sure that's a particularly good idea.
That's quite an erroneous statement, especially given how easy it is to verify.
You can see for yourself by using uBlock Origin along with your pi-hole: your pi-hole will see _fewer_ network requests with uBO (or any other similar blockers really).
Everything which is blocked by uBO will not be seen by your pi-hole, and this simple observation contradicts your statement.
Hell, you could do a mechanical turk system and pay micropayments to 3rd world employees to crawl ad-infested crap and harvest the content for me (Or better yet, share it for the common good)
>If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.
Aren't you just describing uMatrix?
Just tell your users, if a site isn't loading properly, to go to http://my-pi-hole.local.lan/whitelist and unblock it.
Whether you want them to have access depends on your “users”.
I don't think it would be feasible for me to explain to them how to temporarily whitelist things on the Pi-Hole.
I did give the family members the password to unlock the block temporarily but after a while they simply stopped using those sites altogether.
It's also a big plus for devices that can't adblock themselves (phones, embedded devices, etc.)
e.g. Temporarily disable blocking for 60 seconds,
You can also infuriate the teenagers in the household by blocking and unblocking domains at certain times via crontab.
0 08 * * * /usr/local/bin/pihole -wild --delmode instagram.com youtube.com
0 22 * * * /usr/local/bin/pihole -wild instagram.com youtube.com
Also that crap on the bottom of every Medium article.
With this anyone in your family can temporarily disable it to unblock themselves if needed.
It kind of already has this. Just tail the log in the web admin, then hit the site in your browser. Unblock the sites that were blocked on that request.
I've been using pihole for a year and have only had one site that refused to load. Was pretty easy to figure out which request it was and whitelist it.
At least it can until those apps start to use their own hardwired DNS/DoH server...
Seriously, just stop. It's the only way we're going to move to something less damaging and invasive than the current ad/data economy.
I should note that I do pay quite a lot for journalism and art via subscriptions, Patreon, Kickstarter, etc, but I'm not going to tolerate sites clogging up search results with paywalled articles or piles of tracking scripts and media downloads.
Apart from a few non-important edge cases literally every major site works without problems with a pi-hole. I think 'simply stop using sites that refuse to work unless they can track you' is a very valid and workable solution.
I stopped paying attention when I read this.
Pi-Hole is an ad blocker and it is fit for that purpose. No argument from me. However, to give this advice to people for whom device and network security is not a major or even minor concern is frankly dangerous.
Buy an iPhone. Buy a Mac. Keep your Windows PCs updated. Get a mesh WiFi solution that takes care of firmware patches automatically. Run a browser-based blocker that updates in the background without interaction.
These are the low-hanging fruit that should be done long before you are trying to set up what is essentially MITM-as-an-appliance without any paid support or guarantee.
Who is this article actually helping?
It seems to be primarily targeted at highly-technical people, such as those who might stumble on this article via HN, or who casually frequent websites with "crypto" in their name.
These audiences naturally would have a higher tolerance to technical adoption barriers than the average consumer, which is who your other advice seems to be targeting.
Those who cannot afford iPhones and Macs?
A straight-from-Google Android phone is out of support after 3 years, while a comparable iPhone is still supported after 6 years.
With a normal Android device, you are tracked every step of the way, by apps, by Google, by Samsung and their awful software quality or by random Chinese entities.
If you don't spend a lot of time, an iOS device is the lesser evil when it comes to tracking. An iOS device with automatic app updates turned off, no iCloud, and where you say no to most apps asking for permissions on first run, is pretty locked down.
There are downsides, of course. It's kind of sad that you can't buy a mobile device which is just a network node by default, not a spying machine by default.
> After four weeks of "leisure mode" Pi-hole in my network, this comes to 12245 DNS queries, of which 7102 DNS queries were blocked. That's 58%. It's interesting, if not surprising, that six of the top 10 blocked domains come from Microsoft, two from Google, and one each from Amazon and Vungle.com.
> People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you're not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you. You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity. Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It's yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head. You owe the companies nothing. Less than nothing, you especially don't owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don't even start asking for theirs.
"You can trespass my private roads as you like, you just have to take this new experimental medication and report the results..." - sounds like an intriguing new business model! /s
My university didn't offer it but my sister's did. She made a few bucks getting injected with a trial flu vaccine and reporting if she got sick afterwards.
Somebody trying to tell me I should keep all ads on because ads pay for the content? Fuck that, tracking my every move pays for the content, and I want no part of that, even if I lose access to the content.
There are apps serving the App Add tiles BEFORE they load real content from their own far-away (by latency) servers.
curl -sSL https://install.pi-hole.net | bash
That said, if you're a Linux admin you shouldn't copy-paste random shit anyway.
Repo explanation: https://github.com/pi-hole/pi-hole#one-step-automated-instal...
Sure an alternative would be great but the point of the article is to get up and running with the pi-hole software so they went with the fastest install.
That said, the chances of your connection crapping out in the second or two it takes to download the average sub-couple-kilobyte shell script is minuscule. The fear is seriously overblown.
Piping (https) curl to shell from a site who you were going to trust and download software/run from if they had an alternative method anyway - is no less secure than downloading a tarball or .dmg from the same site.
Getting into the habit of piping curl to shell is a bad idea though. It's gonna be easier when you're in a rush to not notice you're copy-pasting "curl -sSL https://install.pi-hole.ru | bash" from some "helpful" forum post...
You can sign a .deb, there’s a whole infrastructure around distributing PGP keys for repos, and plenty of us do examine .deb file from strange places before installing them (like ok, this package runs a service but with appropriately restricted privileges, or that package just has data in it, and yes, some of us examine the source). And when someone distributes a bad .deb we have the ability to put together the package and its signature to get basically a smoking gun that person X is compromised and their key should be revoked immediately. The thing is, with a .deb you don't actually have to detect everything ahead of time you can archive the .deb and figure out what happened after you get pwned.
With curl | sh it’s basically impossible. There's no signature, just a bit of TLS at best which is gone to the ether. You can't sign curl | sh and there are some pretty nice attacks which you can use to thwart people who try to read the script sent from the server. I've seen reports of spear phishing attacks sent to otherwise sophisticated developers that use curl | sh as their vector... because curl | sh is fucking perfect for spear phishing. A .deb... is not.
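The thread's objection to `curl ... | bash` is that nothing is kept to verify or to look at afterwards. The script below is an added example, not the Pi-hole project's installer or anything a commenter posted: it downloads the installer to disk, keeps an archived copy (the "smoking gun" the .deb argument above wants), checks the file against a SHA-256 digest you obtained out of band, and only then runs it. The install URL is the one quoted in the thread; the digest value is a placeholder, since the page publishes no real one, and the archive directory name is an assumption.

```shell
#!/bin/sh
# Added example, not the Pi-hole project's installer: replace "curl | bash" with
# download -> archive -> verify -> read -> run. The archived copy is what lets you
# reconstruct exactly what executed if the box is later found compromised.
# EXPECTED_SHA256 is a PLACEHOLDER; obtain the real digest from a channel other
# than the web server that serves the script (signed release note, mail, etc.).

# verify_digest FILE EXPECTED: 0 if FILE's SHA-256 matches EXPECTED, 1 otherwise.
verify_digest() {
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# archive_copy FILE DIR: keep the exact bytes that were (or were not) run.
archive_copy() {
  mkdir -p "$2" && cp "$1" "$2/installer-$(date +%Y%m%d-%H%M%S).sh"
}

# fetch_verify_run URL EXPECTED ARCHIVE_DIR: download, archive, verify, run.
# Returns 1 on download failure, 2 on digest mismatch (script is kept, not run),
# otherwise the installer's own exit status.
fetch_verify_run() {
  url=$1; expected=$2; archive=$3
  tmp=$(mktemp) || return 1
  # --proto '=https' refuses a downgrade to plain http on redirect;
  # -o writes to disk instead of feeding bytes straight into a shell.
  if ! curl -sSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"; return 1
  fi
  archive_copy "$tmp" "$archive"
  if ! verify_digest "$tmp" "$expected"; then
    echo "digest mismatch for $url; copy saved in $archive, NOT executed" >&2
    rm -f "$tmp"; return 2
  fi
  # At this point the archived copy is what you read before deciding to run it.
  sh "$tmp"; status=$?
  rm -f "$tmp"; return $status
}

# Usage (URL from the thread; replace the placeholder digest with the real one):
# fetch_verify_run https://install.pi-hole.net \
#   0000000000000000000000000000000000000000000000000000000000000000 \
#   "$HOME/installer-archive"
```

A digest pinned this way only helps if it reached you by a path independent of the web server, which is the same property the thread ascribes to a package signature; with the digest taken from the same page as the script, the archive step is still worth having, but the verification step buys nothing.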
It's an edge case at best. If that's the best argument not to curl, there are no good arguments.
I'm in favor of things that noticeably help the risk of spear phishing, but are you sure this does?
Some of these people are crazy because they're paid to be crazy by a software firm. Some of these people are too crazy for the software firms, they work as consultants and in their free time they're constantly trying to get firmware dumps of their game consoles, phones, and laptops.
And yes, a bunch of these people are on your side. But if you curl | sh it's harder for anyone to help you, including yourself, when shit goes south.
For people that are highly paranoid downloaders, I'm surprised they're getting software from a website to begin with.
This isn't an all-or-nothing deal. Just because you read the source code for a package doesn't mean that you can't also download the binary. Reproducible builds give you some additional confidence that something weird hasn't been snuck in through a single compromised machine, and additional confidence that the binary package corresponds to the source code even if you didn't personally build it.
Malicious software is also not the only thing you're looking for, but things like unsafe practices in the code or insecure defaults.
In practice I do review source code from time to time before I install something, and sometimes I decide not to install it after looking at the source.
With the one-liner above it's pulling over SSL, so at the very least you have some line of trust to the domain you pulled it from.
Exactly. I stand by it.
Practically speaking the TLS bit is the important thing. Your package signature doesn't offer more in practice.
And the "smoking gun" part is something nobody cares about. By then their systems are compromised.
No, actually, the signing bit is important. You can MITM TLS, and it's easy to miss it if you are not verifying that the cert is from the host you expect it to be from. Meanwhile, the only way signing can be compromised is if the maintainer loses their private key. That's not unheard of, but is much harder/rarer.
curl|sh offers 0 verification of authenticity.
Signing says "craftyguy created this package". TLS says "This script comes from pi-hole.net (which only pi-hole approved admins have access to)".
The difference is marginal and uninteresting.
Sure, if you don't care about non-signed or self-signed certificates, then you've got a problem. But that's just the same as not verifying a package signature.
In practice the difference is real. Web servers are much more difficult to secure than package signing keys. Imagine, for example, someone gets kicked out of the project and people forget to revoke the developer's SSH key. Or imagine social engineering attacks against the hosting provider. Or think about teams that run outdated and vulnerable blog software on the same server that hosts their curl|sh script.
The difference ends up being substantial once you look at typical web hosting infrastructure. There's a reason why people don't copy code signing keys to their web server.
But, it is known that there are state-level actors which can forge certificates (because they can coerce CAs). This has happened. You may take a moment to consider whether state-level actors are part of your threat model (and not everyone has an answer to that which they like).
I'm not saying that curl|sh is the golden standard for software deployment.
But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".
I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.
I'm not entirely sure what you mean here, are you poking fun at people who put state-level actors in their threat models? Because for some of us, the choice is between ignoring attacks from state-level actors and figuring out ways to mitigate the attacks, there is no third option where the state-level actors do not attack us.
> I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.
Honestly? I feel you've described my complaints with your argument. Security is a matter of degrees, threat models, evaluating likelihoods and potential severity of attacks, weighing the cost of prevention against the cost and likelihood of a successful attack.
The fact is that curl|sh has a lot of problems that a .deb and src .deb signed by some random developer's key doesn't have. It's not some kind of black-and-white world where curl|sh is inexcusable, it's just a world where on the sliding scale of security versus convenience, some of us think curl|sh is just a little too insecure for what little convenience it provides. I would get a headache trying to write the kind of shell script that makes a cross-distro curl|sh work at all.
> But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".
The third choice is to clone the Pi Hole repository from GitHub and build that.
This is such an obvious falsehood I'm surprised we're even discussing it here. Security is a mix of prevention and detection. The ability to do forensics on compromised systems is important. Sure, it would be better if we could not compromise our systems in the first place but we don't live in some kind of bizarro binary world where if you have a compromised system you have to curl up and die. Life goes on after your system is compromised and it's better to have more information about attack vectors than less.
And realistically speaking, what happens here is some developer's credentials get compromised, the bad .deb gets uploaded somewhere with a good signature, people freak out about it, maybe the developer issues a key revocation, things improve. If you are curl|sh it's that much more difficult.
We're realistically talking about the hypothetical where a .deb is sitting on pi-hole.net, with a GnuPG key right next to it and instructions to trust this key.
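As an added example (not code from this thread or from the Pi-hole project), here is the "download, verify against something pinned, then run" pattern the thread contrasts with `curl|sh`, in Python. The installer bytes are a constructed stand-in, the pinned SHA-256 is computed from them so the example runs offline (in practice it would come out of band, e.g. from a signed package index), and `install` only reports what it would do rather than spawning a shell. The second helper shows the caveat that makes piping worse than a verified file: if the connection drops mid-download, `sh` executes whatever it has read, including a partial last line.

```python
import hashlib
import hmac

# Constructed stand-in for an installer script; NOT the real Pi-hole installer.
INSTALLER = (
    b"#!/bin/sh\n"
    b"set -e\n"
    b"rm -rf /tmp/pihole-build\n"
    b"mkdir -p /tmp/pihole-build\n"
)

# Assumption for the demo: the pinned digest is derived here from the constructed
# bytes. In real use it is obtained out of band (signed release note, package
# index, or a value recorded on first install), never from the same download.
PINNED_SHA256 = hashlib.sha256(INSTALLER).hexdigest()


def verify_installer(data, pinned_hex):
    """True only if the complete download matches the pinned SHA-256.

    The whole payload is hashed, so a truncated or tampered download can never
    pass; hmac.compare_digest avoids leaking the comparison through timing.
    """
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_hex)


def piped_shell_would_run(data, bytes_received):
    """What `curl ... | sh` feeds the shell if the connection drops after
    `bytes_received` bytes: every line that arrived, including a partial last
    line, because sh runs what it has read when it reaches EOF."""
    return data[:bytes_received].decode("utf-8", "replace").splitlines()


def install(data, pinned_hex):
    """Download-verify-then-run. Returns the action taken instead of actually
    executing anything (demo only); a real installer would write the verified
    bytes to disk and run that file."""
    if not verify_installer(data, pinned_hex):
        return "rejected: digest mismatch or incomplete download"
    return "ok: write the verified script to disk and run it"


if __name__ == "__main__":
    print(install(INSTALLER, PINNED_SHA256))
    # Connection dropped after 28 bytes: the verifier rejects it ...
    print(install(INSTALLER[:28], PINNED_SHA256))
    # ... whereas a pipe into sh would already have executed these lines,
    # the last of which is "rm -rf /tmp" instead of "rm -rf /tmp/pihole-build".
    print(piped_shell_would_run(INSTALLER, 28))
    # A single modified byte (what a forged certificate plus an on-path attacker
    # could deliver) also fails the check.
    tampered = bytearray(INSTALLER)
    tampered[0] ^= 1
    print(install(bytes(tampered), PINNED_SHA256))
```

The same structure applies with a detached GnuPG signature instead of a pinned hash: fetch the file and the `.asc`, run `gpg --verify` against a key whose fingerprint you already trust, and only then execute. What the digest or signature buys over TLS alone is that a CA coerced into issuing a certificate for the download host still cannot produce a payload that verifies.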
I do check for usage figures, project involvement, apparent real name usage and such when considering random apt repos (PPAs).
Recently I upgraded to version 4.0 (https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ft...) and it seems to be working perfectly fine.
Great job Pi-Hole team! Thank you!
Also Pi-Hole has been great. I'm reminded of how effective it is every time I load up web pages on mobile or at work, or anywhere else that doesn't filter out the large percentage of the Internet that I didn't ask to see.
SNES bomberman 3 I believe actually supports five players (one on joypad port 1 and four more via multitap on port 2). Runs great on Retropie, my nephews love it.
Also I loaded all block lists marked as safe. Yet many sites are broken.
Now I’m contemplating as to how best to repurpose the Pi.
So your option is to have an always-on VPN. If you're doing that from your phone, you might as well install NetGuard, which is a no-root open source adblocking solution that MitMs your connections by pretending to be a VPN, and is available on Google Play. Works with YouTube, and doesn't require monthly subscription.
Source: Activated the YouTube Red trial when I was travelling in the US, and lost all the benefits the moment I landed home.
It says verbatim "However, I do have a problem with: Pop-up and pop-under ads that hi-jack my internet browsing experience".
However, the site itself has a "subscribe" overlay that has to be removed with developer tools or manually blocked if uBlock Origin is enabled with annoyances filters.
and you don't need a device.
Unfortunately I didn't have time to sort the issue, so can't guarantee I didn't err. But I stopped using it; which was a shame as I really liked the device usage reporting in particular.
Anyone else had similar? Make sure to check your stats.
It describes how your Pi-Hole can be used for DNS amplification attacks by attackers, and how to prevent it.
Also, newest revision of rpi (model 3 b+) is quad core 1.4ghz with gigabit lan. Overkill for a project like this.
Although tests have shown it's not really gigabit in speed, it is faster than the old 100 Mbit NICs on previous Pis.
It doesn't matter if you dedicate it to this single use, you'll see more lag if it's also doing file serving stuff in the background for instance (also because of CPU use, not just networking)
The fact that my phone does not have these features baked in and comes with apps that violate my privacy and serve me ads without regard for malware those ads may contain is because my phone doesn't truly obey me first.
These features made it to the stable build this week so it might be worth trying again for those who had issues in the past.
I wrote a tiny bit about how I do it: https://try.popho.be/byeads.html
Why? A VPN is just another (S)POF. I'm not afraid my ISP will MITM me. With a VPN, who knows what they log or not? Also, OpenVPN's performance is terrible. If you want to avoid detection of BitTorrent, sure, but then just route only that over a VPN. If your ISP MITMs you, and you're paying them, consider jumping ship.
I see uBlock being mentioned throughout this thread. uBlock Origin is (very) nice, but it's client-side overhead and you can't use it on "apps". What I do is catch all DNS requests and forward them to my DNS-based adblocking (I basically run Pi-Hole on an ER-L) and forward that to DNS over TLS (which works with Quad9). This is all used even if I'm roaming (via WireGuard, i.e. very low overhead). So it is irrelevant which network my roaming clients use.
Regarding your 'why is it more secure' question - because I live in the UK where the government and a myriad of its approved bodies are now allowed to look at user traffic and see my IP and what websites I've visited. I don't have to worry about that now - although yes I need to trust that PIA really are not logging.
The problem with a "no logging" policy is you cannot verify it. They can log if they 1) want to 2) mistakenly do so 3) while claiming they really don't 4) are obliged to by (secret) court order (with whatever collateral damage). It's also not anonymous (e.g. correlation attacks). So it seems to be just snake oil to me. I'd rather depend on something like Tor.
I also download over Usenet, over TLS. It's basically impossible to catch those who download over Usenet for copyright infringement since it's again private law, and they don't have the power to sniff my ISP's network (though they'd also see encrypted data flowing from a Usenet server).
Also, it seems like Pi-Hole ought to be a router feature rather than requiring a separate device. Does any router vendor or router OS distro integrate Pi-Hole?