Mmm, Pi-hole (troyhunt.com)
849 points by cryptography 5 months ago | 408 comments

My Pi-hole with updated block lists (blocking trackers as well as ads) sits at around 87.7% requests blocked, which is absolutely mind-blowingly ridiculous.

I see absolutely no negative effects browsing like this. Everything I've come across still works fine. Even sites that detect uBlock Origin and tell me to disable it, will work with that disabled and Pi-hole still blocking the ads instead.

I heavily believe we should be supporting creators, and go out of my way to support them in direct ways (Patreon, buying merch, direct donations, Twitch subs, etc), but I absolutely will not submit my family/kids to the mess that is online advertising these days.

Ads that look like legitimate download buttons, or that run scripts to do cryptomining popunders, autoplay video ads with sound, etc etc. Modern online advertising companies are malicious entities that actively harm users, and I absolutely classify them as malware.

> I heavily believe we should be supporting creators

As do I. There are two significant issues I have supporting most sites:

1. They provide only a subscription that is comparable cost to an old-media full subscription. Like most people in the Internet age I have a small number of main sources that I visit daily, and a much larger secondary tier where I may average one or two stories a week. Or they're the sites linked from here that I only visit when something interesting is waved under my nose.

There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing, for a site I might be getting £1 or 10p a month "value" from.

2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

Leaves things a bit stuck, and me paying out a smaller amount than I'm willing to.

I just want to pay a monthly "digital content fee" to some service and have that money be fairly distributed to all the digital services I use: websites, music, video, tools, etc. Is anyone working on a system like that?

I'm surprised no one's mentioned the Brave browser, which operates exactly on the model you describe:


I'm interested and will read more later. But that should not be built into a browser, at least not exclusively. It feels like it could be an add-on. Of course, preventing gaming and malicious manipulation is something to consider...

This is an interesting problem!

Initially, Brave was set up so a user could add bitcoins to an account and set a monthly spending target. Then Brave would split up that monthly amount and send it to sites based on how much time the user spent at each site. But as far as I can tell, they discontinued that model, and now they also sell ads.

Just to back up your (currently downvoted) comment:

"[Brave] browser blocks ads and website trackers. Currently, the company is developing a feature that allows users to opt in to receiving ads sold by Brave Software in place of the blocked ads. Brave intends to pay content publishers 55% of the replaced ad revenue. Brave Software, ad partners, and browser users would each be allocated 15% of the revenue. Users could donate their revenue share to bloggers and other providers of web content through micropayments. The browser claims to improve online privacy by sharing less data with advertising customers, but will target web ads by analyzing users' anonymized browsing history." -- Wikipedia

I consider this ad-replacement scheme extraordinarily scummy. It sounds like the plan is to use protection racket strategies to get the target publishers to buy in.

I'm on the latest version of the browser, and there's a "Payments" tab in Settings where you can add funds with BTC / ETH / BAT / LTC, set monthly budgets, and see what your percentage is. So I'm not sure where you saw that they discontinued that feature or sell ads.

I am guessing they will replace it with the following feature:

Support your favorite sites with Brave’s blockchain-based tokens called Basic Attention Tokens. (coming soon to mobile)


Yeah, they replaced the "Bitcoin proof-of-concept system" [0,1] with BAT for "blockchain-based digital advertising" [2].

[0] https://twitter.com/BrendanEich/status/1036724148146384896
[1] https://brave.com/faq-payments/#previous-bitcoin-wallet
[2] https://basicattentiontoken.org/

That's really cool. I had no idea Brave did that, and thought it was just another Chromium spin-off.

Unfortunately I'm unwilling to change browser for this, and would rather see it as an addon or local software install so it works on the user's choice of browser, but it's a very good idea.

Yes, it already exists today, and it's built right into Brave.


So, just imagining this could be Patreon's next service - sign up for X dollars a month for a VIP pass - but the issue suddenly becomes they need to OAuth against Patreon, and add in a new tier of subscriber .. it's doable but slow

I kind of like tying this into U2F. I think FIDO and the like will roll out as OAuth has done - slowly but becoming the "default" way.

If as part of the initial sign up process, you authenticate your public key on site A, as being someone who can have a share of your monthly subscription... then we have built a distributed subscription service ...

I think

I like the idea

People have been thinking seriously about micropayments for many decades now[1]. No one's managed to nail a complete concept and/or an execution that's really worth mentioning, except perhaps as historical interest. tl;dr: it's an enormously tough problem space to get right.

[1] "Every document can contain a royalty mechanism at any desired degree of granularity to ensure payment on any portion accessed, including virtual copies ("transclusions") of all or part of the document." https://en.wikipedia.org/wiki/Project_Xanadu

Personally, I don’t want to pay anything for content. Look at cable TV. It got so bad there is a cord-cutting movement. The same will happen again in another form.

I'm confused. You want people to write all content for free? Whilst that works for a lot of people who do it in their spare time, it does restrict anyone looking to write professionally from contributing.

Not parent, but I would absolutely _demand_ people to write all content for free.

I refuse to pay a single cent for anything that is even remotely accessible on the Internet and does not result in a physical tangible good being delivered to me, of which I pay $15/mo as acceptable rate-limited mobile LTE bandwidth -- my only communication related recurring cost.

There are several reasons at play here:

- Content quality is not correlated with amount an author is "compensated". In fact quality is almost universally _inversely_ correlated with profitability. Once dollars are attached, out of the woodwork comes a bunch of charlatans peddling useless shit that will not only give you no useful advantage in seeking external information but will actively degrade your life either through dubious advice that will trash your health, finances, legal status, cognitive & mental state, relationships, you name it, or through malevolent action such as selling your privacy or methodical persuasion in you undertaking self-defeating behaviors by hijacking basic human emotional reactions.

- Time has shown repeatedly that volunteers are the entire backbone of quality information sources. I come to HN to have some chance of experts congregating for an actual discussion on certain topics. QA forums, encyclopedias, topic-specific discussion forums, educational materials, news aggregation, scientific research, _all_ is higher quality in volunteer communities before it's essentially leeched for profit by journals, website owners, policy spinmasters, malvertising business, and venture capital.

- "Writing professionally" is not a useful skill in itself, no matter the fantasy colleges want to dream up by funneling the otherwise academically unfit into a program that will lead to a degree thus allowing them to join in on the unnecessary inflationary credentialization of _remedial_ skills. Linguistic mastery is a necessary but not sufficient requirement for creating useful information, you first need a deep understanding of the material you wish to cover. I'd much rather read barely comprehensible jargon from a deranged genius than an eloquent soliloquy by some shill with no idea of what he's talking about other than a general idea that permuting a dictionary in the right magical incantation will summon a paycheck at the end of the week. If you have skills that allowed you to amass wisdom in a field to the point that it would benefit someone else, there are _much_ more efficient and useful means to acquire income and instead use "writing" as a tool for social meaning and development either through reciprocity, self-selection, altruism, whatever.

- The greatest costs are borne not in writing but in deciphering meaning. The combined readership burden of filtering out the wheat from the chaff will _always_ exceed the cost of an author even doing "important" research. This is the crucial point of it all, with some smart people realizing that if information has any value besides propaganda it's due to careful curation, summarizing, and tailoring to an individual's goals and instantaneous state-of-mind, while even smarter people realizing that this will _never_ scale as a business model. Even "clever" workarounds to this problem by infiltrating an individual's web-of-trust in recommendations always end up backfiring. After decades of this scheme being retried and rehashed, I now am completely confident in ignoring whatever bullshit du jour comes out of the mouths of family and friends, and am even running up against the problem of being contrarian against my own internal thoughts.

- Even if against all the odds that you paid someone to get valuable information in the long run you'll regret it. Give an inch, they take a mile. Everyone who is dependent on a paycheck dreams of eventually retiring, and quickly to boot once the actuaries remind them of the future. Once you paid someone for content, you just anchored the negotiations of tomorrow and crystallized the form of how protection money must be paid. "Oh I know you paid back then, but life isn't getting any cheaper and I'd like to get to the beach someday without working so I'm really sorry but I _need_ to add some 'features' that will juice my revenue!" Negotiating with terrorists is not a strategy to get to a stable equilibrium in an iterated game -- the cat has been let out of the bag and it's never going back in. Wake up.

Your views are factually incorrect, don’t suggest any real solution, and in my view are somewhat extremist. A realistic solution must consider in turn the actions of all influential parties involved.

It’s economics. It requires modeling, strategies, and thinking equally about all parties, because it doesn’t matter whether you like them or not; it matters what the future would look like a few years out.

This is not personal; I have no ties to ad revenue or professional writing. It’s about putting emotion and philosophy in one basket and solutions in another. You’re allowed to have both, but the latter should be dispassionate.

Just one example on the facts: writing professionally is provably a useful skill. Take even what you may consider a mundane job of writing instruction manuals. If it weren’t useful there wouldn’t be jobs and people being paid money to do it. There are all kinds of writing jobs that require little independent domain expertise. That’s before we even discuss original or creative content.

> Extremist

You say that like it's a bad thing. Once you've stretched the limits of acceptability beyond the capacity of short-term memory, anything of a 'compromise' is just a token dilution that keeps the same status quo intact in everything except a temporary face-saving apology.

A realistic solution must consider the actions of all parties involved, but it doesn't have to actually appease any of those parties with anything they may want.

It's currently an adtech bubble, foaming to the brim. People speculating in attention-based revenue and side-dealing surveillance armaments through malware distribution to foment the process should feel the losses when the deal goes bad, to set an example that hurting others isn't going to get you a bailout. I don't care about your moral plea for "equality" where we make sure no one suffers the consequences of damaging the commons such as the intrinsic value of information and content.

Because of the adtech bubble, we have a _huge_ problem of noise pollution. Valuable public research cannot be funded effectively because the public realizes the history of paid "results" to turn a profit for media proselytizing and reframing unpopular governmental policies.

Public institutions are no longer credible due to the obvious connections between surveillance, profit, and legislation that is effectively mediated through media companies.

There's a real solution here: puncture the bubble by drying up the money stream. It'll help the useful creators in the long term that are being suppressed by the influx of dumb content and blackholing clickbait algorithms designed to minimize utility to maximize profitability.

Now, for writing professionally being a useful skill. That paragraph was obviously in the context of becoming something like a journalist, blogger, or news pundit where your income is paid by this scam of exchanging between attention and currency through a network of super shady intermediaries.

If you're writing instruction manuals for a living, you're not getting paid for how long eyeballs are on your work so that someone can monetize a reader's susceptibility to suggestion. In fact if I hired you, you'd be paid by how _quickly_ a human can view your instructions and move on with their life in doing something productive.

And that's exactly my point: I know many communications major graduates and many engineering major graduates. The former usually went into the program as a last resort for underwhelming academic performance and trying to latch on to the hype before it bursts rather than being gifted in communication ability. The latter could definitely transition to professional writing, not because of language skills that are essentially expected anyways but because their deep understanding in a subject allows them to distill useful insights that are rather hard to crack otherwise.

For example, I love IKEA/Lego instruction manuals not because a random "professional writer" with no independent domain expertise was able to checkmark that off his daily tasklist, but because the manual was made by people with incredibly sophisticated knowledge of how to visualize and communicate the ideas of physical assembly and knew their audience appreciates that expertise. If you're able to document the assembly process, you're qualified to critique and help improve the usability, design, and even materials engineering that ultimately influences what you write in the manual.

This reinforces the idea that if you're just a writer, you're useless, because you _should_ be funneling what insight you distilled back to the process you're documenting. And then you're not really a writer, but an engineer.

And just because there are jobs and people being paid money to do it doesn't mean it's useful at all. Biggest fallacy I've ever heard.

Sounds like this is against your beliefs, but I'd pay to read your newsletter.

Simple enough; pay it forward.

The best content I've ever read has been books that each took years to write. After that come NPR and the Washington Post. Then Ars. I pay for all of them, and everything else I read, present company included, isn't even in the same league of quality.

I guess I'm saying that I couldn't disagree with you more; if all the content I didn't pay for went away, I doubt I'd be negatively affected at all.

Very true. There's a proliferation of content nowadays but most of it is of absolutely horrible quality. I regret having wasted quite some time on hastily written free content instead of more systematic books.

Cable sucks because the revenue comes from the ads, not your cable bill.

Which is interesting because that is the environment where paid ads have the least structural advantage.

My take is that no matter what people say they prefer to subsidize their content by viewing ads over actually paying the equitable price for it.

I lean toward agreeing with you. Sure. I'd rather view ads than pay. BUT! Why I'm setting up a pi-hole isn't about ads in and of themselves. It's the intrusive and misleading ads. It's the tracking and difficulty opting out of targeted advertising.

I don't have a problem with TV ads for shampoo that I won't ever buy. I do have a problem with a web page that surrounds a legit news article with bizarre ads with cockamamie health claims, and links that don't go where they claim to go.

If a website says, "Pay up or look at these 'spider veins' ads" that's entitlement, arrogance and open contempt. That's not treating me like a desired customer.

Nope. People _say_ they want to pay an equitable price for content rather than viewing ads because that's exactly what they prefer and would do.

The problems are:

- Your definition of 'equitable price' when we live in a time where no single human can digest across their lifetime even a single year's worth of the glut created.

- The quality is universally garbage and as an information consumer you'd still have to spend your resources in thinking critically whether to accept and update your assessment of the information. If you're consuming 'content' as escapism well then you still might consider a more cost-effective route such as heroin or even direct neural stimulation.

- Consumers rightfully work out the long game plan of content creators. They'd like to not view ads but know that once you've climbed above the threshold of starving artist you'll get greedy and the ads will come right back. Always. No exception.

Equitable in this case isn’t determined by the producer or the consumer of the content but by the market.

The market shows that advertisers are outbidding consumers who don’t want ads. That sets the equitable price, not the desire of the consumer.

You do not want to pay?

For TV, I'm happy to pay for renting from google or a monthly fee to Netflix. In return I never need to go to the cinema, I watch films at the time that works for me, and no ads!

Yeah, I'd be happy to pay for quality video, podcasts, and articles, but not $5 to each site I want to read from.

For any content? Have you never bought a book, or paid to see a movie? Paid content is not bad in and of itself.

Check out coil: https://coil.com

Haven't looked at either in a while, but you might look into Flattr and Brave browser

I completely agree with your assessment of the problem.

I'm using https://blendle.com, which offers a wide variety of publications with payment per article (usually something around 0.70 EUR, with the odd 1.99 EUR for articles from DER SPIEGEL). They also have a daily mix of manually curated content and content based on the articles I purchased in the past, which works really well. I'm afraid it's only available in the Netherlands and Germany so far.

I didn't know the Brave browser had a payment model built in, will give this a try as well.

I also recommend blendle. It has the most reasonable payment system.

btw, I've purchased a few articles from Der Spiegel but they were around 0,75€.

I've been waiting for these guys to launch in the USA since I first heard of them. They're still in beta?

I've been using them in the US for over a year for what that's worth.

And I just got the beta invite. Yay!

> 2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

Ars technica. (Subscriptions are tiered but I think this is included in a low tier.)

> There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing

There is yet to be a quick and simple micro-transaction infrastructure for the web. Transaction costs inhibit micro-transactions. They don’t scale down.

Some are trying to use crypto to do micro-transactions, but even crypto has transaction costs that inhibit how small micro-transactions can be, not to mention the exchange rate volatility.

It’s a big unsolved problem. Gotta spend money to spend money.

I read an article once that argued the big problem with microtransactions was the transaction cost imposed on users.

For the sites, sure, everything can be automated. But even in the best case of good browser ui/ux support the burden shifted to users would be massive.

The cognitive cost of trying to decide whether to spend 10c on an article I haven’t read yet costs me way more than 10c. Man that article sucked. Did I just get ripped off by clickbait again?

This argument is what convinced me that straight per-article “microtransactions” will never take off for very low value things on the web.

EDIT: found it: http://hackingdistributed.com/2014/12/31/costs-of-micropayme... - Think it was Nick Szabo.

What’s scary to me is that the one “successful-ish” application we have for microtransactions is mobile gaming. Imagine a huge ecosystem of different beans, gems, flooz, widgets or whatever, and all the dark ux patterns to get people to spend them, and also to hide how much they are spending from people.

I would absolutely pay $10 a month to an aggregator like HN or /. that then paid publishers a portion of that based on article rank and/or number of clicks through.

Yes, agree that fixed-price deals with publishers / aggregators are tenable. Spotify works for people, for example.

The original argument was essentially that there was a minimum transaction size that was cognitively viable at scale.

I understand it's about cognitive costs. What I propose makes the cognitive load of actual monetary payment a single decision per month. I pay X. Let the aggregator and the publishers automatically figure out every little fractional detail.

If the objective of paying is to make the web better and reward quality content, you don't want two pages of clickbait to pay more than one page of watergate-level investigative reporting.

And any automated system to tell clickbait from quality journalism will incentivise people to trick it.

So at the very least, you need a refund button.

They could do it like Medium's "claps".

No claps, no money.

Clap as long as you want.

At the end of each month your $10 is divided up by the number of claps you gave.

And if this isn’t for you, then go with ads or be paywalled.

An upvote button and a flag button I think might do the trick.

Well, Spotify works for the consumer. For the musicians, it's mostly advertising, not a useful source of income.

Would it change if there was a button at the bottom of the article, that you could click for an instant refund, no questions asked?

Honestly it almost seems to be worth trying, the potential upshot is _huge_.

blendle.com, which I mentioned earlier in this thread, has this instant-refund feature. I've used it a few times when an article was disappointing, or when there were technical problems (digitized article cut off the second half of the print version).

Seems to work for them, though I don't know their revenue/profit numbers.

Scaling cryptocurrencies would absolutely address this issue, but that's an enormous challenge.

A simple, centralized service could easily fill this role with batched transactions. Each reader pays once a month, each publisher gets paid once a month, and those payments can be shuffled about a database trivially. O(n) vs. O(n^2)

Patreon kind of did/does this. There was a big stink not long ago where this appeared to fall apart. The issue Patreon faced was that it was not so trivial to bundle transactions like this. Some creators wanted to get paid in a piecemeal fashion for each video uploaded, etc. Patreon supporters would each be on their own separate billing cycle because Patreon decided it would be bad UX to have the first month be pro-rated or whatever.

As much as Patreon is best situated to provide a service like this, I'm not encouraged that they'll do so.

A transaction on bitcoin cash costs 1 to 2 sat, which is less than 0.01 penny.

It is true that the cost can vary greatly (which sucks, please tell me of a crypto coin that is 1:1 with dollars), but you can adjust the price in real time and since you are selling a digital product even in an extreme situation you are not going to lose money (remember the transaction fee is pretty much going to be 1-2 sat always).

I suggest looking at Lightning Network for micro-transactions. Still emerging tech, but it shows great promise.

Or bitcoin cash! ;)

>There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing, for a site I might be getting £1 or 10p a month "value" from.

A "tip jar" or micropayment model to supplement subscriptions would be a great option. Unfortunately I think processing fees eat up a significant chunk of your take to the point where it's not really profitable to build a business model around it. Even if you get a great solution going, getting buy-in from the number of vendors you'd need on board would be prohibitively difficult. The only ones with the reach would either be inclined to lock it down and stick with the ad centric model (Facebook, Google) or just don't have the organizational culture to give it the attention or support it would deserve (Apple, Amazon).

In the old days you could go to a corner newsstand and pick up a newspaper, even from one of those little boxes on the street. This let you just buy if there was something interesting that you needed to look at that day without committing and, importantly, without handing personal financial information to who-the-hell-even-knows. A payment infrastructure that makes this quick, easy, and cheap enough to where cost isn't a concern would be incredible.

It seems that these fees would be trivially avoidable by having one monthly transaction to the aggregator and one monthly transaction

Sort of like Patreon.

Except it would work a bit differently. Say I approve N number of sites (NY Times, WaPo, EE Times, etc.) They each get paid out of a monthly fund based on how much I visit each of them.

Wouldn't that in itself involve tracking your behaviour on the web, though, which is what commenters on this thread started off saying they disliked?

It could be your own browser who does the bookkeeping.

>2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

As it currently stands, a large chunk of the newspaper industry in the states is willing to block the whole of the EU, when it could offer it that model, so I wouldn't hold your breath.

A source at Tronc says not only have most of the chain's papers blocked EU visitors because of GDPR, but Tronc "currently has no plans to support the EU" because doing so is seen as not economically viable.


The usual way people have tried to solve the microtransactions problem is through aggregation/centralization. E.g., everyone who wants to gives HN $K/mo, and then HN distributes that money proportionally to sites clicked.

Unfortunately, I think the incentives are too loose. Users aren't obligated in any way to pay for links; as usual, humans aren't charitable enough to actually sustain public goods voluntarily. Secondly, the aggregator site isn't under strong incentives to pass on revenues (which applies equally to ads).

And the usual way people have tried to solve the solved-microtransactions-problem is by gaming the system, which is exactly the history and outcome of the current situation.

The 'microtransactions problem' using 'aggregation/centralization' you're describing would be readily identified as the newspaper industry a few decades ago. Nowadays you have to wrap it up in a healthy dose of cryptocurrency scamming, federated networking bullshit, and other huckster lingo to make it seem like a radical approach.

Newspaper companies, which allowed patrons to exchange a few cents for a daily source of vital information curated by professionals across a wide array of expertise, distributed money received in patronage towards the journalists, editors, fact-checkers, you name it.

Of course, that isn't the full story. What newspaper companies did was become the mouthpiece of the government and eliminate any useful information, filled nearly all the pages to the brim with huge obnoxious ads with little text remaining, started some perverse incentives with journalist pay forcing the smart ones to abandon ship a long time ago, and helped build a mass culture of frantic zombies who cannot tell the difference between fact and fiction, parroting whatever they read as a sort of social lubricant, and trained to resort to looking on a page for the local weather information yesterday that could be far more accurately sourced now by looking up to see if there are clouds above.

Good riddance to 'content creators.' Don't let the door hit you on the way out, and HN will never receive a cent of my money. :D

If some big company like Apple, Microsoft, or Amazon wanted to get behind micropayments, they might be able to actually get it started. It would basically amount to disrupting the advertising model itself. Advertising would morph into influencer media produced at the behest of advertisers, but much of media would be much freer from the worst depredations of advertising.

> Modern online advertising companies are malicious entities that actively harm users, and I absolutely classify them as malware.

This is exactly the response for anyone that is frustrated by blocking ads impacting revenue for web publishers. Had the ad tech not become so invasive and pernicious, users wouldn't be going out of the way for solutions like this. The advertisers have essentially forced our hand.

Where I feel my hand was forced was when a friend wanted help promoting a professional conference in the area of data and tech. I went to the website and, in the center of the page, there was an ad for cellulite cream.

OH! C'MON!!! I believe in the conference, but I'm not going to share the link with that ad on it.

It's been explained to me that the website owners don't know what ads are being served up. All they know is they signed up for an ad service. If that ad is a redirect to a porn site, the website owner has no clue unless people complain.

And that's why I ordered a raspberry-pi to set up a pi-hole.

I get that a lot of my friends won't like this. They're in advertising and marketing, and they insist that they're one of the good ones. Fine. But the bad ones are REALLY bad.

Also. I've spent HOURS opting out of tracking cookies. Then I heard that my effort is only as good as the entities that respect that I opted out. OH? WOW!

So, when I hear people complain that we're hurting them, and they're one of the good ones, it ignores the real problem. Look ...

if I was bitten by 10 dogs out of 50 dogs, I'm gonna have a problem with dogs. Period. You can insist on how friendly your dog is, but no. Talk to the other dog owners before trying to get me to take another risk.

> if I was bitten by 10 dogs out of 50 dogs, I'm gonna have a problem with dogs. Period. You can insist on how friendly your dog is, but no. Talk to the other dog owners before trying to get me to take another risk.

Exactly my stance on whitelisting advertising. I am sure there is a good amount of fair advertisers out there, but the area at large is full of scum.

I would start with a full-on disable of 3rd party JS but I know that would break a whole lot of other and actually needed functionality. So I have no good solution except not to trust anyone. Pi-Hole is my next stop as well.

Someone's been searching for cellulite cream on Amazon!

Exactly. I believe Troy has another post about this topic where he discusses why he's able to justify selling the single, static banner ad at the top of his site.

> I heavily believe we should be supporting creators

Agreed. Do you disable your pi-hole on sites like Reddit? They vet their ads so they don't have any of the malicious attributes that you described. All the larger newspapers like WaPo and NYT are also good about this too.

I'm all for blocking intrusive or malicious ads. But quality content depends on ad revenue. The author dedicated an entire paragraph on donating to the pi-hole project, but no mention of supporting quality content with subscriptions or unblocking acceptable ads.

Do you keep your car doors unlocked when you park in safe neighborhoods? Do you give nice strangers a spare key to your house? Do you sleep in an expensive hotel with the door propped open? Do you keep your password on a sticky note at your desk inside your secure office?

Of course not. So why would I disable my security software just because a site I visit hasn't been hacked yet? That's just basic security hygiene.

Agreed. Furthermore, nothing guarantees that them being good actors now won't be changed when they get acquired by a media giant. Policy and culture can and have changed overnight in organizations after acquisition.

It's the same as with Troy's argument about good browser extensions. Yes, they are good today, but them being bought for 5 figures and the personal data harvested does not make the news, and the users are clueless about it. I'd rather just not take the risk.

> Agreed. Do you disable your pi-hole on sites like Reddit? They vet their ads so they don't have any of the malicious attributes that you described.

I've still got ads blocked on reddit because they're so clickbaity as of late. They look like posts from subreddits I'm subscribed to and turn out to be an ad, no thank you.

> All the larger newspapers like WaPo and NYT are also good about this too.

The ads are not malicious, granted, but in the case of NYT at least they're still "blinky". They get blocked at the Pi-hole now. I do subscribe, however. I'd like to turn the ads back on because I view the NYT to be a quality publication, but I'm not going to have something moving out of the corner of my eye while I try to read the paper.

What in the world does your subscription pay for, if you still get advertisements on the New York Times?

Same thing my subscription pays for if I get the dead tree edition: ads sprinkled in with the news. Right or wrong, it's not like there isn't 100 year old precedent for this.

Right, but if you've already paid I don't see why you'd want to turn ads back on? You've already fulfilled your moral duty to reward them.

I hope more companies offer a paid version of their site that completely removes Advertisements. I cannot stand ads and won't use a site if I can see them. I'm not trying to be a bad guy though, I want to use those sites legitimately. My only option is to not visit them until they offer a compromise.

Reddit is work friendly 4chan. That is, (mostly) not quality content.

I stick to a search engine rather than browsing Reddit directly. If what I'm looking for comes up in a relevant Reddit thread, huzzah.

I get the contemporary meme is "Agree with great-great-grandpas economics of 'survival of the fittest'." But I feel little obligation to pander to it everywhere it exists.

Maybe I'm an odd bird, having grown up in the remote wilderness in the 80s, no TV, growing food and hunting/fishing, and only using money for things like clothing and basic services (water/electricity/phone).

Ads on Reddit used to be alright, but since the advent of their dumpster fire of a redesign, their ads have turned into block worthy material.

I used to have Reddit whitelisted until they started showing subreddit-targeted ads in other subs. I follow a bunch of cryptocurrency subs and the ads there are… well… as you expect.

Why is this bad? You follow cryptocurrency subreddit, they show you relevant ad. You follow "warm mittens" subreddit, they show you relevant ad, etc. So why is it a bad thing?

I can't speak for the GP, but in this case of the cryptocurrency sites/fora I frequent (including topical subreddits), the ads are for idiotic scams. This indicates that whatever vetting they're doing is insufficient, and so they can be safely blocked (specifically -- if they can't be trusted to not display ads for obvious fraud, they can't be trusted to vet ads for other malicious attributes).


> My Pi-hole with updated block lists (blocking trackers as well as ads) sits at around 87.7% requests blocked

Where in THE hell are you going on the Internet? Wait, don't answer that. I only wonder because we sit at around 20-30% at our house (which is still ridiculous). But approaching 90%? Maybe I need to crank the blocklists up a notch, but I can't imagine even surfing porn sites all day that I could get anywhere near that percentage of blocked requests. But, man, I enjoy a challenge...

Ever visited Forbes or Business Insider? Easily 90% of those sites are third-party scripts served from other domains.

This is why Forbes is in my blacklist.

I've hit 75% before. My Roku desperately wants to phone home (25k requests/day).

Yeah, upvote for reminding me about chatty IoT crap. I've got a Nest right now that was phoning home every four seconds. Why, I have no idea, so now it doesn't phone home at all. And a Foscam camera that isn't as persistent, but still tries a few times a day. We're still at < 35% blocked, though.

My Samsung TV wants to send home info about everything I watch.

I’m only at 7.5%, probably because I use uMatrix in the first place, and have gone out of my way to kill a few applications that phone home like crazy.

I use a /etc/hosts-based (https://github.com/StevenBlack/hosts) approach to add blocking across my machines, but I have found some sites (fansided.com comes to mind) which detect that I'm blocking and won't let me read them. How easy is it to get around this with the pi-hole?

Very easy. You can pause it for 10s, 30s, 5mins, or a custom timeframe via the dashboard, or whitelist domains/subdomains as well. You basically do everything via a very slick dashboard running locally on its IP.

Very cool...thanks. I'll give it a serious look.

Highly recommended, incredibly easy to set up and use.

Whenever mine has gone much above 30% (70ish prob highest ever) it generally turns out to be an unattended app left open on the android device I have hanging off the back of the TV. I recall the NYT app, for example, pinging home every 30 seconds or so.

You can trace offending devices and traffic via pi-hole logs. The UI is a bit clunky but gets the job done.
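The log-based tracing mentioned in this comment, and the "percent blocked" figures argued over above, as an added example (my code, not Pi-hole project code): a Python script that reads dnsmasq-style pihole.log lines, computes the blocked ratio, counts queries per client, and flags names a device looks up on a tight cadence. The line shapes, the two blocked-line variants and the sample log are assumptions I constructed; check them against your own /var/log/pihole.log.

```python
"""Summarise Pi-hole query logs: block ratio, queries per client, devices that phone home.

Added example, not Pi-hole project code.  The line shapes below are assumed from the
dnsmasq-style /var/log/pihole.log; verify them against your own log before relying on it.
"""
import re
from collections import Counter
from datetime import datetime

# Timestamp + optional syslog hostname + "dnsmasq[pid]:" prefix shared by every line.
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?:\S+ )?dnsmasq\[\d+\]: "
# e.g. "Dec 13 10:00:00 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10"
QUERY_RE = re.compile(
    _PREFIX + r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$")
# e.g. "... /etc/pihole/gravity.list ads.example is 0.0.0.0"  (older builds)
#  or  "... gravity blocked ads.example is 0.0.0.0"            (newer builds)
BLOCK_RE = re.compile(
    _PREFIX + r"(?:/etc/pihole/(?:gravity|black)\.list|gravity blocked) (?P<domain>\S+) is \S+$")


def _parse_ts(text):
    # The log carries no year; pin one so that a "Feb 29" line still parses.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def analyse(lines, min_count=3, max_interval_s=60.0):
    """Return a summary dict for an iterable of pihole.log lines.

    'chatty' lists (client, domain, count, mean_interval_s) for lookups that repeat at
    least min_count times with a mean gap of at most max_interval_s, i.e. the kind of
    Roku/Nest phone-home traffic that inflates a household's query count.
    """
    total = blocked = 0
    per_client = Counter()
    blocked_per_client = Counter()
    pairs = Counter()          # (client, domain) -> query count
    seen = {}                  # (client, domain) -> [first_ts, last_ts]
    last_asker = {}            # domain -> client whose query is awaiting an answer
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            total += 1
            client, domain = m["client"], m["domain"].lower()
            per_client[client] += 1
            key = (client, domain)
            pairs[key] += 1
            ts = _parse_ts(m["ts"])
            seen.setdefault(key, [ts, ts])[1] = ts
            last_asker[domain] = client
            continue
        m = BLOCK_RE.match(line)
        if m:
            # dnsmasq logs the blocked answer right after the query it belongs to,
            # so credit it to the most recent client that asked for this name.
            blocked += 1
            blocked_per_client[last_asker.get(m["domain"].lower(), "unknown")] += 1
    chatty = []
    for (client, domain), n in pairs.items():
        if n < min_count:
            continue
        first, last = seen[(client, domain)]
        mean_gap = (last - first).total_seconds() / (n - 1)
        if mean_gap <= max_interval_s:
            chatty.append((client, domain, n, round(mean_gap, 1)))
    chatty.sort(key=lambda r: (-r[2], r[0], r[1]))
    return {
        "total_queries": total,
        "blocked": blocked,
        "blocked_pct": round(100.0 * blocked / total, 1) if total else 0.0,
        "queries_per_client": dict(per_client.most_common()),
        "blocked_per_client": dict(blocked_per_client),
        "chatty": chatty,
    }


# Constructed sample log (not real traffic): a laptop, a TV, and a thermostat that
# looks up the same name every four seconds.  Plain "reply" lines are ignored.
SAMPLE_LOG = """\
Dec 13 10:00:00 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Dec 13 10:00:00 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Dec 13 10:00:01 dnsmasq[1234]: query[A] ads.tracker.example from 192.168.1.10
Dec 13 10:00:01 dnsmasq[1234]: /etc/pihole/gravity.list ads.tracker.example is 0.0.0.0
Dec 13 10:00:02 dnsmasq[1234]: query[A] telemetry.tv.example from 192.168.1.30
Dec 13 10:00:02 dnsmasq[1234]: gravity blocked telemetry.tv.example is 0.0.0.0
Dec 13 10:00:04 dnsmasq[1234]: query[A] home.thermostat.example from 192.168.1.20
Dec 13 10:00:04 dnsmasq[1234]: reply home.thermostat.example is 203.0.113.7
Dec 13 10:00:08 dnsmasq[1234]: query[A] home.thermostat.example from 192.168.1.20
Dec 13 10:00:08 dnsmasq[1234]: reply home.thermostat.example is 203.0.113.7
Dec 13 10:00:12 dnsmasq[1234]: query[A] home.thermostat.example from 192.168.1.20
Dec 13 10:00:12 dnsmasq[1234]: reply home.thermostat.example is 203.0.113.7
Dec 13 10:00:16 dnsmasq[1234]: query[A] home.thermostat.example from 192.168.1.20
Dec 13 10:00:16 dnsmasq[1234]: reply home.thermostat.example is 203.0.113.7
Dec 13 10:00:20 dnsmasq[1234]: query[AAAA] home.thermostat.example from 192.168.1.20
Dec 13 10:00:20 dnsmasq[1234]: reply home.thermostat.example is NODATA-IPv6
"""

if __name__ == "__main__":
    import json
    import sys
    # Pass a path to your own pihole.log, or run without arguments for the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(json.dumps(analyse(lines), indent=2))
```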

did you use the 'default' lists that come with the installation or did you add new ones? would you mind sharing your feed list?

This is really depressing. I immediately want to blame the ISP for empowering malicious entities to harm their paying customers. 88% is obscene.

I'm surprised this is the top slot right now. Troy, generally, puts out interesting info on security related news however this feels a bit minimal. Since the project has been around a number of years now, and it's not relegated to only a RPi I would have expected him to delve into things a bit more. Pi-hole will also break things. I think the common one I always heard from users on my network at home were that Google click-thrus for products always fail. But... Don't deploy it on an RPi. It's not worth the inconvenience of maintaining another entire device for a network service. There's an actively maintained container I'd recommend, or it's very easy to deploy as a VM. Troy also didn't hit on anything like DoH or DoT, surprisingly.

Container link: https://hub.docker.com/r/pihole/pihole/

Edit: word

Troy's skill is taking security and privacy topics and translating them with practical tips to an IT enthusiast audience that is much broader than hn

Look at his comments and replies to gauge the audience for his content - deploying more privacy and security tools and knowledge can only be a good thing

It’s essentially dnsmasq which can be run directly on your wireless router if you are using custom firmware. No separate hw needed, no need to horse around with dockers or containers or any of that stuff. I’d guess a lot of people are already running dnsmasq for other purposes, so adding the blocklist and periodically updating it should be trivial.

I'd argue Pi-hole is quite a bit more than dnsmasq (it's actually a fork of dnsmasq called FTLDNS) out of the box. It's also very much more approachable by the majority, and the web interface gives people immediate feedback and configurability without having to understand configurations for the services directly.


Interesting, didn't realize the "pi-hole" branded package was more than vanilla dnsmasq glued together with shell scripts.

Go back in the project history and you'll see that it originally was! It's matured a lot since then.

I was doing this using Tomato and it introduced serious stability issues in the two routers (both Asus) I tried it on.

Pi-Hole is a drop in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist router upgrades.

My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.

Use a different root filesystem. Ext4 is not robust against power loss, as I've discovered in multiple embedded Linux systems where Ext4 was used.

The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.

Back in the day (also before ext4) we solved this by mounting the root filesystem read-only. Depending on any other application for the machine, you may not need filesystem writes at all once it is set up. Bonus: it’s even friendlier to the flash.

This is how I've solved the problem in the past. Too bad systemd discourages this. It also doesn't protect the partition where your database and log files are kept.

I'm running an RPi with a 64-bit kernel & runit as init via Void Linux, so you're not necessarily stuck with systemd as the only option for RPis.

Yet another reason to not run systemd. (Also, systemd? On a router? That's excessively overkill. Why not a sane init, like SysV?)

You're assuming I make routers.

Do you use YAFFS2 or ETFS on a raspberry pi? I'd be interested to know more about setting something like this up.

I got cheap SSDs in cheap USB cases for my 2 Pis after getting annoyed with SD corruption. SSD prices have dropped recently after being flat for a long time. If you are really cheap the cases often go for $1 or free after rebate at newegg.

Yeah, on openwrt you just install the adblock package

That is what I did. I used a TP-Link Archer C7 router and installed adblock and few other useful packages. Works like a charm so far.

Do you know if it’s possible to deploy it on a virtual AP? E.g. have “MyNetwork” and “MyNetworkWithAds” - so that it is easier for nontechnical users to switch, and also doesn’t deactivate for everyone when just one user needs to (even if only for 5 mins)?

Possible but not that simple actually, as there is little to no documentation or shortcut for such a case available using dnsmasq. Afaik you can only realize this by running multiple instances.

The childproof network example is the fitting how-to you can learn from: https://forum.openwrt.org/t/kidsafe-or-guest-wifi-forced-saf...

Can anyone recommend a "2018 good choice" for a consumer router that can run custom firmware (including dnsmasq), or a trustworthy recommendation website? Wirecutter for example doesn't note third party firmware: https://thewirecutter.com/reviews/best-wi-fi-router/

Not really an off-the shelf consumer router, but since you want to install custom firmware anyways, you might want to consider the PC-Engines APU2 board [1]. You can either install any "normal" desktop x86_64 Linux distribution or a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports hardware virtualisation, so you're able to run several VMs via KVM to isolate the services the router is providing.

Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.

[1] http://pcengines.ch/apu2.htm [2] https://openwrt.org/toh/pcengines/apu2

I second this. I've been running PC Engines stuff for a few years and it's great. I currently have an APU and it handles my gigabit fiber no problem. I use a separate off-the-shelf wireless router in bridge mode which lets me upgrade that independent of the PC Engines (wireless hardware tech moves faster than router hardware tech).

I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice—For example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.

Unfortunately it does not come with 3 mPCIe slots, the one furthest to the left is an mSATA port.

I’ve been running the mid to high end Asus routers for years now and am very happy with them. Running wrt-Merlin firmware and AB-Solution via entware is everything I need and doesn’t complicate things with additional devices like pi-hole.

Yes, this is my preference as well. You can also run a vpn with this setup (as you can with other custom firmwares) so you can take advantage of this adblocking from outside your home.

The TP-Link Archer C7 AC1750. https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

I was looking for an openwrt-compatible router a few weeks ago, this is 2018's consensual cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.

And to come back to your original question, to do your own research, I recommend you search/ask on https://www.reddit.com/r/openwrt/ and https://forum.openwrt.org/ , it's a question that pops up frequently.

Netgear R7800 and any other router with the same Qualcomm chipset work great with OpenWRT.

Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).

edit: link to OpenWRT with a list of supported hardware that is relevant to the parent's question

I buy my routers from flashrouters.com. A little overpriced, but I trust them and their testing. I have the Asus N16rt (I think) running shibby tomato and it's great.

Despite this, I run pi-hole on an RPi that I haven't done so much as a reboot on in two years.

It may be more full-featured than you are looking for, but have a look at the Turris Omnia. It is extremely customisable and you can add an internal SSD to run LXC containers on (including one running Pi-hole, which is what I do).

Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.

Have you had any issues with the auto updater? I got rid of my Omnia after an auto-update broke DNS while I was away from home.

Ironically, went to Unifi after reading Troy's blogs about it - now regretting it immensely as the hardware is nowhere near as powerful as the Omnia.

This happened to me too, and what I learned is that the Omnia uses the Knot DNS resolver, which re-enables itself after updates and this breaks everything if you have made certain customisations.

The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).

I’ve been also searching for recommendations, particularly on a custom firmware router that allows me to host a VPN server.

It’ll be more involved for you to set up, but pfSense is what I use. I basically forget it’s there until I want to change something (add a new VPN user, monitor bandwidth usage). I’ve set up an IPSec VPN that works well with my Apple devices, especially with a configuration profile that enables on demand VPN (connect via VPN when certain conditions are met, like not on my home WiFi). For hardware I use a cheapish “industrial” computer from AliExpress. Probably not the best thing security-wise (no firmware updates in the past few years, it feels like it’s just shipped directly from a random factory in China), but it’s been great so far.

How do you instruct an iPhone or iPad to use VPN when you are not connected to your home Wi-Fi? I used their former Workflow automation app (now dubbed Shortcuts in iOS12) and it did allow reacting to such an event (going out of range of 1 or more wi-fi networks) but did not realize one of the possible actions was to be able to enable VPN.

Was that what you used? Or was it something else?

And Hacker News is essentially just a bit of HTML, CSS and lots of words.

Assuming I'm only interested in blocking ads in one computer, is there a software solution for this on Linux or Windows? (I know that Mac has Little Snitch).

Why not use a browser extension? uBlock Origin is pretty good from what I hear. I use uMatrix by the same dev, and it serves me well. Both work on major browsers (FF, Chrome, Opera, etc..).

> DoH or DoT

I wasn't familiar with these terms and they are a bit ungooglable. :-/

DoH = DNS-over-HTTPS

DoT = DNS-over-TLS

The simplest approach is to use a hosts file: https://someonewhocares.org/hosts/

That doesn't work the same as Pi-hole. Pi-hole blocks ads on ALL devices on your network. Your computer, your laptop, your phone, your kids' Kindle, etc. As long as they are on your network, they are protected (and browsing web pages on an older phone, things are much faster).

Yup, that's a downside. The advantage is that it's much simpler and will also work when you're not on your home network.

You can also run pi-hole on a tiny VPS and set your DNS statically on all devices.

do you have any links for doing this?

Yeah this is something I've been thinking about lately as well. Pi-Hole seems cool but what about most of the time when I'm somewhere else than my local network?

How do I edit the hosts file on my iPhone?

I use AdBlock https://www.adblockios.com on iOS which runs a local DNS server that can blackhole domains. It doesn't work well on very large host files so I gave up trying to import https://github.com/StevenBlack/hosts, but it does work well for smaller lists.

Probably not the answer you are looking for but:

(1) Install "1Blocker X" -- not free but it's cheap. (2) It has a huge number of rules and protects your Safari pretty damn well. (3) You can disable the existing rules if you so choose. (4) You can add new ones based on URL regexes or CSS rules.

I am still using it actively both on my iPhone and iPad, one of the best investments in apps I ever made.

Jailbreak it, install openssh, ssh in and edit /etc/hosts. There are also packages in Cydia that add adblock lists to your hosts file for you.

You fire up vi and load /etc/hosts /s

Well, I'm connected to my home network via VPN when I'm not on my home network, so....

There's also Steven Black's host file:

The issue with that is DNS resolution. I noticed that when I disconnect/reconnect my interface, it took >30 seconds for DNS resolution to properly resolve. Why? Because I was using a 65,000 entry host file on my modern Windows 10 machine.

It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issues.

I'd rather have a separate service to run it.

I also had a performance problem with DNS resolution with a big hosts file, but disabling the DNS Client service helped.

On an RPi I can plug it in to the USB on my router for power and connect with ethernet. Otherwise I have to run a full powered server perpetually to manage DNS for the home network. Made sense to me.

I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.

And if you’re that way inclined, a POE Pi hat can get another cable removed.

I wasn’t aware of that - thanks. I think I’ll be safe as there will be no peripherals plugged in, but that’s something that needs considering it seems.

I've gone the route of using another box to do PoE -> 5V USB, but unfortunately the TP-Link converter is outputting 4.8V instead of 5V (the Pi3b will technically run on this, but it's not a good idea).

Of course I have deployed it on a Raspberry. I don't have another always-on computer, and while it's not the only supported target, it is the one most Pi-Hole users have, so I get maximum community support.

I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.

So far, I love my Pi-Hole. Absolutely no problems with it.

At 100% power draw the charger I use to power my pi uses 5 watts so you're pretty safe on the power.

A cron job every hour with a slack notification of temp >60C has put me at ease. It goes over occasionally so I suppose I’ll need a fan at some point.

Thanks for the link. I'm guessing this would handle the use case of being able to access Pi-Hole while traveling or in a coffee shop, correct? This seems to be a limitation of having this on a Pi.

The setup script runs perfectly on Ubuntu in an lxd container as well.

I assume DoH is dns over http, what is DoT?

DNS over TLS

> Do you use a popular browser extension? How confident are you that the creator wouldn’t accept a $10k offer to hand it over only to have it then go rogue on you?

What makes the Pi-Hole organization any more trustworthy? (and the software stack it all depends on)

Personally, I'm inclined to trust them both and hope that the long arm of the GDPR will be effective. Optimistic, I know.

Since Pi-Hole is a DNS server running on a separate machine, it just doesn’t have the same level of access as browser extension would. Even if it was rogue, the worst it could do is share the list of domains that you visit, and possibly hijack your HTTP (but not HTTPS) sessions.

You, and the other commentator, are forgetting that the DNS Server handles all connections, not just those from your browser. Are you confident all the self updating software you use has no vulnerabilities? How about the video games that you play?

Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.

I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...

You don't have to be confident it has "no vulnerabilities" (an absurd standard) to understand that the worst possible vuln in the DNS server (say CSRFable RCE in dnsmasq) still puts an attacker in a less privileged position than what they get if they control uBlock Origin: UXSS. Now that browsers are serious about mixed content, DNS poisoning just isn't as interesting as it used to be.

Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).

I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.

I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...

Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less savvy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.

High skill users have more to fear from a Web Extension: its impact is undetectable and it can siphon passwords. Low skill users have more to fear from a malicious DNS server: they won't notice the lack of HTTPS on non-HSTS sites and their hardware will get compromised remotely.

I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with :/// and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.

Which one of these is worse:

a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,

-- or --

b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?

The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.

I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.

> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.

If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.

My point is that both scenarios are catastrophic, and it's hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry, a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.

As I said, I use both and cross my fingers that Mozilla / open source code review / the GDPR mitigates the risk of a bad developer.

OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.

I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.

>If PiHole is malicious, there is already an attacker on your network

In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.

A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.

This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.

You can also inspect the block lists to ensure they all go to if you’re worried about mitm attacks.

you could do the same with ublock

Not on a network-wide basis, and not on non-browsers. I don’t think anyone here is saying don’t use a browser-based blocker too. I use both a browser plugin on the client and dnsmasq on my network.

I think the blog post is saying that, especially in the quote that started this thread. The post portrays ad-blocking browser extensions as not worth the risk, discussing both the questionable value of blocking all ads and also the possible risk of the extension being sold to a malware creator. It then presents Pi-hole as a safe alternative to browser-based blockers.

when I said

>you could do the same with ublock

that was in response to

>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.

Exactly. This thing is in the best possible location for poisoning DNS for every system on your network. That should be a HUGE concern.

It is an order of magnitude safer than a browser plugin.

Right, neither one of them are great ideas unless you can trust the source. To argue otherwise is a relative privation fallacy.

Then don't do it and wait for taboola or google ads serve you a drive by rootkit?

They could easily do a diagnostics / analytics feature where user stats are posted back to developers

In this case it just acts as a DNS resolver. That's potentially risky when resources don't use SSL, but far less than a browser extension that can change a page in place, inject JavaScript, and record keystrokes on all pages.

> resources don't use SSL

Huh? DNS is hit even if the site is SSL. Unless the site has HSTS, and you've got to the site before; DNS poisoning is very much doable.

Yes, but the hijacker will still need to present a valid cert for that domain, which is much harder.

How would the attacker do anything useful with a SSL connection attempt? They can either send the real certificate, and then not be able to decrypt the data, or send a self-signed cert which the OS/browser wouldn't trust?

Are you thinking of some downgrade attack vector?


Pi Hole is open source, so if someone did try to sneak in some malicious code, it would be seen.

Just as a note, a project being open-source doesn't necessarily provide a 100% guarantee that it doesn't contain any (possibly obfuscated) malicious code. Our community likes to think that someone else would catch it, but enough people thinking that way can (and likely often does) lead to the bystander effect. So it's always good to be wary :)

Edit: Heartbleed was a good example of this -

> The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.

Seen by what percentage of users who just download the binaries?

I think a major difference is the update scheme. Browser extensions auto-update. If they switch hands there is no user visibility when getting the updated version. Pi-Hole is installed software and requires manual updates, which gives users more visibility and control.

You can turn auto-updates off. Also, you can easily inspect the source for an extension (AMO doesn't allow minified JS); you can't easily do that for the multitude of components that make up Pi-hole.

> you can't easily do that for the multitude of components that make up pi hole

What? The entirety of the project is open source. In fact it's easier to look at the source code that makes up Pi-hole because it's all in one spot on GitHub.

Considering that over 20% of https://pi-hole.net is blocked as malicious ads by my browser, I don't really understand why you would trust them to block not only the crap across the wider internet but even against their own self-interest.

Remember the warning signs of craziness with NoScript? It's like you guys never learn!

Could you please not create new accounts for every few comments you post? We ban accounts that do this, and it's in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

HN is a community. Users needn't use their real name, but do need to have some consistent identity for others to relate to. Otherwise we may as well have no usernames and no community at all. That would be a different kind of forum. Anonymity is fine, and throwaways for a specific purpose are ok, just not routinely.


Someone very concerned about ads whitelists can also use multiple ad blocking extensions.

It would take every creator to accept the bribe for the ads to go through. Well, if the extension starts injecting ads it's another story...

I fundamentally believe we have the right to transform content that comes to our devices.

The idea that we have a moral duty to sit passively and absorb “experiences” in their intended form... I just don’t see how that works long term. It will just mean we get abused more and more and we have to take it.

No, if you want my business you have to find a way into my consciousness that is compatible with the way I arrange information around me. That’s always been the deal. You can put a free circular in my mailbox and I am free to toss it without looking.

You don't have to sit passively, you don't even have to block passively, consider using / contributing to services like AdNauseam or Noiszy.

Why are our devices so far outside our own control that we need to run an additional device on our networks to help prevent them from making unwanted network requests?

The whole approach of Pi-hole feels misguided. Blacklisting domains and hosts should be something easily done on my device locally. Then it comes with me when I visit friends or coffee shops, and it's easy to temporarily disable when it breaks something I'm trying to use.

The fact that I can't do this on things like my phone really illustrates how little control we really have over our own computing devices.

Surprisingly, I've yet to see a service which fronts Pi-Hole or similar and allows you to point your DNS resolver(?) at it, so you can use it on the go -- without having to use a VPN.

I tried to set this up on my own using a VPS and Pi-Hole and it did work for a while. However, bad actors eventually found the server and started using it to perform DNS amplification attacks against, of all things, cricket news websites. I don't know too much about networking, so this may be a limitation of the DNS protocol. However, it seems like Quad9, Cloudflare and the like have figured out a way to prevent this sort of abuse... So, if any provider out there is reading this, please add this capability and I will gladly pay to use your DNS service.

You mean a public DNS server with ad blocking?


Note that obviously, since you are sharing all your DNS requests with them, it's terrible for privacy... :'(

> Note that obviously, since you are sharing all your DNS requests with them, it's terrible for privacy... :'(

Right. I'm not defending this service in any way, but couldn't you say the same about Quad9 or Cloudflare?


You could set up Pi-hole as a recursive DNS server: https://docs.pi-hole.net/guides/unbound/ That way you don't have to use a public DNS server like Cloudflare. However, since (as far as I know) DNS requests are not encrypted, this is not perfect either (security-wise).

At least when using Cloudflare you can use DNS-Over-HTTPS: https://docs.pi-hole.net/guides/dns-over-https/

https://adfreetime.com does this, as well as proxying location checking (like MLB's video streaming).

Cool! Thanks for sharing this.

Out of curiosity, do you have any idea how they prevent the scenario I outlined (e.g. metadata, traffic analysis)?

>$1.99 US a month, less than a cup of coffee!

At that price, I doubt they do.

Editing the hosts file is a security risk.

You don't want a malicious app doing this behind your back so that when you type alice.com, you see bob.com instead.

Fortunately, to some extent, HTTPS or GPG come to the rescue.

Firefox for Android can run extensions, so it's trivial to just install uBlock Origin. You can even choose to sync extensions across devices, and as soon as you log in to your Firefox account all your extensions will be installed automatically.

You can edit the hosts file on Android apparently and the Pi-hole is just a shared hosts file.

It's a self-updating hosts file. If you only do it once in a month you'll start seeing ads again. Also you can edit the hosts file if you're rooted, but you definitely can't if you're running a stock unmodified ROM. If you're rooted and you only care about your Android phone, you can also install Adaway, which does pretty much the same thing without the whitelist capability (Get it on F-Droid), but if you have a number of devices to protect, and some of them are iOS devices, TVs or whatever that can't be rooted, jailbroken, or you don't have administrative privileges to, Pi-hole is a good choice (if you run pfSense at home you can also use pfBlockerNG, which is essentially the same thing too).

Hosts file blocking on mobile devices produces some weird web browsing. I like using browser plugins because they get rid of the whole chunk of HTML, so it's like the ad was never there in the first place. On Android, there are these huge blank spots you have to scroll past to keep reading. I still keep AdAway on, but I wish I could just use uBlock Origin with Android's Chrome.

You can use uBlock Origin in Firefox on Android, and I've found DNS66 to be a good non-rooted adblocker on Android.

Now there's also Blokada which is a little bit better (found it to block some ads that DNS66 actually let through; it was a random discovery, I am not a researcher).

There are devices that are not easy to free up from ads, e.g. unmodified WP mobiles. This way they are protected from ads as well when they are connected to the same network over Wi-Fi.

I don't use a browser extension, I use Firefox's built-in tracking protection. It is only enabled by default in private browsing mode, but it's easy to enable it for all your browsing. See https://support.mozilla.org/en-US/kb/tracking-protection

I get 126 requests and 2.3 MB transferred on Daily Mail Australia, which seems comparable or better than what Troy saw with Pi-hole. See https://postimg.cc/3WYwZf3b

(Disclosure: I work for Mozilla.)

It's sad. I've so much wanted to go back to Firefox after 10 years on Chrome, but every time I give it a try it just doesn't do it for me, mostly because I have quite specific habits. I don't remember off-hand what it was specifically the last time I tried it that made me give up; I should really do a write-up the next time I give it a go, as I love Firefox (what it stands for), but there's always that _something_ that makes me go back to Chrome after a week or so. Currently I'm exploring Vivaldi (based on Chromium, which has some awesome power user features).

Also, I get similar results with Daily Mail with Chrome/Vivaldi + Ghostery. But I'm placing a lot of trust in Ghostery that I would rather place in Firefox.

This is great: it has most of the benefits of an extension without the concern the extension gets compromised (you already have to trust your browser). The only downside is it doesn't address ads in things that aren't browsers, like mobile apps and the like.

I wonder how long it's going to take for ads to be implemented server-side entirely.

True. For mobile browsing it works well as long as you use Firefox on your phone too, but it doesn't help for tracking and ads within apps. Pi-hole can help there, but only when you're connected to your home network.

Or when you run OpenVPN and Pi-hole on a server somewhere and VPN your devices via it.

> 82% reduction in the number of bytes transferred

No doubt the reduction is important, however as per screenshots, the reported reduction should be considered somewhat inaccurate as he forgot to check "Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-Hole version. We can see resources pulled from browser cache in the Pi-Hole version.

So I have tried using Pi-hole in the past, and I think one of the problems is some websites refusing to function if ads are blocked. IIRC, the British Airways website uses some JavaScript that requires ad blocking to be disabled to finish checking in. It may have changed now, but there are other websites too which may or may not work as expected.

With browser extensions it is typically easy to disable the ad blocker one time and check if that fixes it. With pi-hole IIRC, it was much harder to do.

I’ve been running this kind of setup for over 5 years on my home network, and the only complaint I’ve ever gotten was that the Google search results that are ads or shopping links don’t work (yes, my wife clicks on these). If a web site didn’t function I wouldn’t know it was due to DNS, because I never turn this off. I’d simply chalk it up to it being a defective website and not use it.

Yes - but sometimes you don't have that choice. Would you rather not use an essential service (flight check-in or paying the electricity bill) or disable the ad blocker temporarily? To each their own, I guess, and the tricky thing with Pi-hole is that it is VERY hard to tell if a website isn't working because of the ad blocker, or because you are using Linux, or because it is simply broken.

In that situation I would just disconnect from my Wi-Fi and use 4G.

If a site refuses to work when there are network issues, then you can just close the window. British Airways' competitors will be happy to have your business.

It's super easy to turn it off for five minutes in the admin interface.

> some websites refusing to function if ads are blocked

Don't visit those sites!

They want your eyes and/or your money (if a subscription is an option) and you don't want to give it to them. Just stop going there!

Edit: I don’t understand the downvotes. Sites aren’t obligated to give you something for nothing. Why does it feel like that’s the default view here?

But there are other people that live in or visit my home. Maybe they want to visit those sites.

I'd love a pi-hole like solution that was as easy to temporarily disable as a browser extension.

That is why I don't use pi-hole myself.

I wish it would redirect to a different local webpage that allows you to click a button to temporarily unblock the domain for your ip, like the ublock blocked webpage that pops up sometimes:


If it gets abused, then you can turn it off as an option.

Isn’t that the compromise of roommates or family? Not everyone gets what they want.

Either they’ll move out, resent you, deal with it, or you’ll do what they want?

1. Use WireGuard.

2. It has a DNS option[1]. Set it to your WireGuard server.

3. Set up unbound with a public ad domain list. (No link for this, Google is your friend and there are several different options with minor tradeoffs.)

You're done. Now unless WireGuard, a soon-to-be kernel project, or unbound injects malicious code, you're safe.

Edit: oh and this also works on mobile

[1] wg-quick man page - https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick...
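As an added example (not from any commenter, Pi-hole or the unbound project), this POSIX shell script turns a hosts-format ad domain list into an unbound config fragment for step 3, and also answers the open-resolver abuse described earlier in the thread by refusing queries from anything outside the WireGuard subnet. The sample list, the subnet 10.66.66.0/24 and the include path are constructed assumptions; `access-control`, `local-zone` and `always_nxdomain` are real unbound.conf directives.

```shell
#!/bin/sh
# hosts_to_unbound: read a hosts-format blocklist on stdin ("0.0.0.0 domain" or
# "127.0.0.1 domain", optional comments, several names per line) and emit one
# unbound local-zone line per unique domain that answers NXDOMAIN for it.
hosts_to_unbound() {
  awk '
    /^[[:space:]]*#/ || NF < 2 { next }                      # comments, blanks
    $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1" { next }  # not a block entry
    {
      for (i = 2; i <= NF; i++) {
        d = tolower($i)
        if (d ~ /^#/) break                                  # trailing comment
        if (d == "localhost" || d == "localhost.localdomain" ||
            d == "local" || d == "broadcasthost" || d == "0.0.0.0") continue
        if (d !~ /^[a-z0-9._-]+$/) continue                  # reject invalid names
        if (!(d in seen)) {
          seen[d] = 1
          printf "local-zone: \"%s.\" always_nxdomain\n", d
        }
      }
    }'
}

# unbound_fragment: full server: fragment. $1 is the only CIDR allowed to query
# (the WireGuard tunnel subnet); everything else is refused, so the VPS never
# becomes an open resolver usable for amplification. Blocklist comes on stdin.
unbound_fragment() {
  printf 'server:\n'
  printf '  access-control: %s allow\n' "$1"
  printf '  access-control: 0.0.0.0/0 refuse\n'
  printf '  access-control: ::0/0 refuse\n'
  hosts_to_unbound | sed 's/^/  /'
}

# Constructed sample list (not a real blocklist), covering the usual quirks:
# header comments, localhost boilerplate, inline comments, mixed case, duplicates
# and a non-blocking entry that must be ignored.
SAMPLE_HOSTS='# Title: constructed sample list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com # inline comment
0.0.0.0 Tracker.Example.net
0.0.0.0 ads.example.com
192.0.2.1 not-a-block-entry.example'

# Usage (assumed Debian-style include directory, then validate and reload):
#   curl -fsSL "$LIST_URL" | unbound_fragment 10.66.66.0/24 \
#     > /etc/unbound/unbound.conf.d/adblock.conf
#   unbound-checkconf && unbound-control reload
printf '%s\n' "$SAMPLE_HOSTS" | unbound_fragment 10.66.66.0/24
```

Point the client side at the tunnel address with `DNS = 10.66.66.1` in the wg-quick `[Interface]` section so every device on the tunnel resolves through this unbound.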

Someone on here recently recommended uMatrix for this purpose and I find that a nice trade-off between usability and request blocking.

It's an extension but given it's less opaque than a generic ad-blocker I feel more in control and that it's less likely to go 'rogue' like adblockers do.

Longtime uMatrix user here.

The most frustrating thing about UM (which is the same problem I had with NoScript back in the day) is that some scripts call other scripts. So, particularly when I'm trying to play an embedded video served by another site served through a CDN, the process for getting the damn video to play is something like:

Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist more scripts being loaded by the first batch of scripts -> reload -> whitelist some XHR references called by new scripts -> reload -> finally whitelist the actual media being served.

90% of the time, I just don't do that dance and not watch the video.

If you do it five times with some intelligence, you have rules that you can apply and have most things work most of the time from then on. It's really not a huge hassle and generally the malware-containing networks aren't the ones you are greylisting.

I copy the URL (Ctrl-L, Ctrl-C), open a new terminal and try youtube-dl $URL

Yep, I do that often. It's apparently a very underrated tool because it can pretty much download most of the video content out there on the internet at large. But many people have no idea about it, even technical people.

I dumped that routine and just started pointing those video URLs at youtube-dl

VLC is a better video viewing experience (and better on battery) than a browser, and you can usually start playing a partially downloaded file.

Yes, a bit bothersome at times. But if I take the trouble to fine-tune worthwhile sites I run into, and make the settings permanent, life does get markedly easier after a while.

I rarely see an ad. I didn't see Troy's responsible sponsor message either. I should have and would have if he had chosen to display the thing without the need for scripting. So I don't feel hugely guilty.

I have uMatrix and uBlock. In my case it was uBlock blocking the ad, not uMatrix... or maybe I had whitelisted it before? Not sure.

edit: Okay, it's not blocked by default with uMatrix: https://i.imgur.com/B97lf35.png

uBO can block with pattern-matching URLs of network requests and additionally cosmetic filtering (hide DOM elements), while uMatrix works strictly with hostname of network requests and types of resources.

Keeping those whitelists synced, or at least copied across devices, can be a challenge. IIRC NoScript could save data to a bookmarklet for that purpose.

Use youtube-dl instead? It's win-win: you don't have to compromise your browser's security, and you get a permanent copy of the video that you can watch whenever you like and that the CDN can't comply with takedown requests on or otherwise maliciously bitrot.

For popular stuff switching to "global" and marking them as enabled helps reduce the song-and-dance for things like YouTube videos or common CDNs (e.g. Bootstrap)

Here's the thing, gorhill maintains uM and uBlock Origin and he is one of the most trusted names in several sec circles to the degree that ubo has been deployed in many enterprise settings. Is the elephant in the room by Troy 'well do you think gorhill will sell out for a measly 10k?' Or is the market for 'adblocking extensions' that inundated with shoddy extensions that simply serve as data mining tools and Troy wants to make us all aware?

I am happy with uMatrix, too, but FWIW, I could not recommend it to non-technical or impatient people. For many pages, I require multiple iterations of stepwise refining of what is and is not allowed before a site works for me.

I do not mind, but I can imagine it easily gets annoying for many people rather quickly. (OTOH, those people would not care to set up Pi-hole, either.)

I would rather spend some time setting up a solution with minimal maintenance than constantly be adjusting and tweaking my solution to get things to work just to browse the web. I use uBO because I rarely have to go in and tweak something, and it's mostly just a temporary pause on blocking. A Pi-hole might be nice, but I like how plugins actually remove the spot where the ad once was, so the site looks less like Swiss cheese.

I consider myself a pretty savvy user, I'm not a web dev but I understand web technologies, javascript and all that and I simply can't use uMatrix decently. Am I supposed to audit every single external resource to whitelist it? For every website I may want to visit? I don't get it.

uBlock seems to do an okay job of blocking most ads and tracking stuff, so I'll stick to that in the meantime, but I would be really interested to see a uMatrix tutorial or something like that.

uMatrix takes time to grok. It made no sense to me at first. Over time I understood it and see it as a beautiful method of presenting data and using controls.

There is a very good YouTube tutorial of about 7 minutes that explains its use.

I also love uMatrix. Unfortunately it's not an option on mobile. You could theoretically install it in Firefox mobile for Android, but it would be so difficult to use. I also use a Pi-hole. I see my Pi-hole as the solution for mobile browsing and apps, where uMatrix is the better option for desktop browsing since it can differentiate between image requests vs. scripts, iframes, cookies, etc.

It isn't any harder to use than on the desktop!

Instead of clicking on the uMatrix icon, you click on three dots and then on uMatrix

Rather than bringing up a small window, with all your settings, it brings up a new tab with your settings.

Other than that it is the same! And it will work when you are away from home without needing a VPN to a Pi-Hole.

uMatrix, while having a bit of a dense UI, is what I prefer as well.

I installed a pi-hole in my home network about a week ago, and it survived less than a week.

My wife likes using sites like eBates when she shops online, and it redirects her through a random sequence of tracking sites before landing on a site like the Gap. It caused all sorts of problems for her, as those sites were being blocked.

If I was going to keep the pi-hole running, I would have had to constantly be adding white list entries. Or, I could have manually created a black list from scratch. I was not interested in doing either.

I found that dropping a handful of domains in uMatrix got rid of most ads (but not tracking), and that was good enough for my uses.
