Mmm, Pi-hole (troyhunt.com)
849 points by cryptography on Sept 26, 2018 | 408 comments



My Pi-hole with updated block lists (blocking trackers as well as ads) sits at around 87.7% requests blocked, which is absolutely mind-blowingly ridiculous.

I see absolutely no negative effects browsing like this. Everything I've come across still works fine. Even sites that detect uBlock Origin and tell me to disable it, will work with that disabled and Pi-hole still blocking the ads instead.

I heavily believe we should be supporting creators, and go out of my way to support them in direct ways (Patreon, buying merch, direct donations, Twitch subs, etc), but I absolutely will not submit my family/kids to the mess that is online advertising these days.

Ads that look like legitimate download buttons, or that run scripts to do cryptomining popunders, autoplay video ads with sound, etc etc. Modern online advertising companies are malicious entities that actively harm users, and I absolutely classify them as malware.


> I heavily believe we should be supporting creators

As do I. There's two significant issues I have supporting most sites:

1. They provide only a subscription that is comparable cost to an old-media full subscription. Like most people in the Internet age I have a small number of main sources that I visit daily, and a much larger secondary tier where I may average one or two stories a week. Or they're the sites linked from here that I only visit when something interesting is waved under my nose.

There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing, for a site I might be getting £1 or 10p a month "value" from.

2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

Leaves things a bit stuck, and me paying out a smaller amount than I'm willing to.


I just want to pay a monthly "digital content fee" to some service and have that money be fairly distributed to all the digital services I use: websites, music, video, tools, etc. Is anyone working on a system like that?


I'm surprised no one's mentioned the Brave browser, which operates exactly on the model you describe:

https://brave.com/


I'm interested and will read more later. But that should not be built into a browser, at least not exclusively. It feels like it could be an add-on. Of course, preventing gaming and malicious manipulation is something to consider...

This is an interesting problem!


Initially, Brave was set up so a user could add bitcoins to an account and set a monthly spending target. Then Brave would split up that monthly amount and send it to sites based on how much time the user spent at each site. But as far as I can tell, they discontinued that model, and now they also sell ads.


Just to back up your (currently downvoted) comment:

"[Brave] browser blocks ads and website trackers. Currently, the company is developing a feature that allows users to opt in to receiving ads sold by Brave Software in place of the blocked ads. Brave intends to pay content publishers 55% of the replaced ad revenue. Brave Software, ad partners, and browser users would each be allocated 15% of the revenue. Users could donate their revenue share to bloggers and other providers of web content through micropayments. The browser claims to improve online privacy by sharing less data with advertising customers, but will target web ads by analyzing users' anonymized browsing history." -- Wikipedia

I consider this ad-replacement scheme extraordinarily scummy. It sounds like the plan is to use protection racket strategies to get the target publishers to buy in.


I'm on the latest version of the browser, and there's a "Payments" tab in Settings where you can add funds with BTC / ETH / BAT / LTC, set monthly budgets, and see what your percentage is. So I'm not sure where you saw that they discontinued that feature or sell ads.


I am guessing they will replace it by the following feature:

Support your favorite sites with Brave’s blockchain-based tokens called Basic Attention Tokens. (coming soon to mobile)

https://brave.com/features/


Yeah, they replaced the "Bitcoin proof-of-concept system" [0,1] with BAT for "blockchain-based digital advertising" [2].

[0] https://twitter.com/BrendanEich/status/1036724148146384896
[1] https://brave.com/faq-payments/#previous-bitcoin-wallet
[2] https://basicattentiontoken.org/


That's really cool. I had no idea Brave did that, and thought it was just another Chromium spin-off.

Unfortunately I'm unwilling to change browser for this, and would rather see it as an addon or local software install so it works on the user's choice of browser, but it's a very good idea.


Yes, it already exists today, and it's built right into Brave.

https://brave.com/publishers/


So, just imagining this could be Patreon's next service - sign up for X dollars a month for a VIP pass - but the issue suddenly becomes they need to oauth against patreon, and add in a new tier of subscriber .. it's doable but slow

I kind of like tying this into U2F. I think FIDO and the like will rollout as oauth has done - slowly but becoming the "default" way.

If as part of the initial sign up process, you authenticate your public key on site A, as being someone who can have a share of your monthly subscription... then we have built a distributed subscription service ...

I think

I like the idea


People have been thinking seriously about micropayments for many decades now[1]. No one's managed to nail a complete concept and/or an execution that's really worth mentioning, except perhaps as historical interest. tl;dr: it's an enormously tough problem space to get right.

[1] "Every document can contain a royalty mechanism at any desired degree of granularity to ensure payment on any portion accessed, including virtual copies ("transclusions") of all or part of the document." https://en.wikipedia.org/wiki/Project_Xanadu


Personally, I don’t want to pay anything for content. Look at cable tv. It got so bad there is a cord cutting movement. The same will happen again in another form.


I'm confused. You want people to write all content for free? Whilst that works for a lot of people who do it in their spare time, it does restrict anyone looking to write professionally from contributing.


Not parent, but I would absolutely _demand_ people to write all content for free.

I refuse to pay a single cent for anything that is even remotely accessible on the Internet and does not result in a physical tangible good being delivered to me, of which I pay $15/mo as acceptable rate-limited mobile LTE bandwidth -- my only communication related recurring cost.

There are several reasons at play here:

- Content quality is not correlated with amount an author is "compensated". In fact quality is almost universally _inversely_ correlated with profitability. Once dollars are attached, out of the woodwork comes a bunch of charlatans peddling useless shit that will not only give you no useful advantage in seeking external information but will actively degrade your life either through dubious advice that will trash your health, finances, legal status, cognitive & mental state, relationships, you name it, or through malevolent action such as selling your privacy or methodical persuasion in you undertaking self-defeating behaviors by hijacking basic human emotional reactions.

- Time has shown repeatedly that volunteers are the entire backbone of quality information sources. I come to HN to have some chance of experts congregating for an actual discussion on certain topics. QA forums, encyclopedias, topic-specific discussion forums, educational materials, news aggregation, scientific research, _all_ is higher quality in volunteer communities before it's essentially leeched for profit by journals, website owners, policy spinmasters, malvertising business, and venture capital.

- "Writing professionally" is not a useful skill in itself, no matter the fantasy colleges want to dream up by funneling the otherwise academically unfit into a program that will lead to a degree thus allowing them to join in on the unnecessary inflationary credentialization of _remedial_ skills. Linguistic mastery is a necessary but not sufficient requirement for creating useful information, you first need a deep understanding of the material you wish to cover. I'd much rather read barely comprehensible jargon from a deranged genius than an eloquent soliloquy by some shill with no idea of what he's talking about other than a general idea that permuting a dictionary in the right magical incantation will summon a paycheck at the end of the week. If you have skills that allowed you to amass wisdom in a field to the point that it would benefit someone else, there are _much_ more efficient and useful means to acquire income and instead use "writing" as a tool for social meaning and development either through reciprocity, self-selection, altruism, whatever.

- The greatest costs are borne not in writing but in deciphering meaning. The combined readership burden of filtering out the wheat from the chaff will _always_ exceed the cost of an author even doing "important" research. This is the crucial point of it all, with some smart people realizing that if information has any value besides propaganda it's due to careful curation, summarizing, and tailoring to an individual's goals and instantaneous state-of-mind, while even smarter people realizing that this will _never_ scale as a business model. Even "clever" workarounds to this problem by infiltrating an individual's web-of-trust in recommendations always end up backfiring. After decades of this scheme being retried and rehashed, I now am completely confident in ignoring whatever bullshit du jour comes out of the mouths of family and friends, and am even running up against the problem of being contrarian against my own internal thoughts.

- Even if against all the odds that you paid someone to get valuable information in the long run you'll regret it. Give an inch, they take a mile. Everyone who is dependent on a paycheck dreams of eventually retiring, and quickly to boot once the actuaries remind them of the future. Once you paid someone for content, you just anchored the negotiations of tomorrow and crystallized the form of how protection money must be paid. "Oh I know you paid back then, but life isn't getting any cheaper and I'd like to get to the beach someday without working so I'm really sorry but I _need_ to add some 'features' that will juice my revenue!" Negotiating with terrorists is not a strategy to get to a stable equilibrium in an iterated game -- the cat has been let out of the bag and it's never going back in. Wake up.


Your views are factually incorrect, don’t suggest any real solution, and in my view somewhat extremist. A realistic solution must consider the in turn actions of all influential parties involved.

It’s economics. It requires modeling, strategies, and thinking equally about all parties because it doesn’t matter whether you like them or not; it matters what the future would look like a few years out.

This is not personal I have no ties to ad revenue or professional writing. It’s about putting emotion and philosophy in one basket and solutions in another. You’re allowed to have both, but the latter should be dispassionate.

Just one example on the facts: writing professionally is provably a useful skill. Take even what you may consider a mundane job of writing instruction manuals. If it weren’t useful there wouldn’t be jobs and people being paid money to do it. There’s all kinds of writing jobs that require little independent domain expertise. That’s before we even discuss original or creative content.


> Extremist

You say that like it's a bad thing. Once you've stretched the limits of acceptability beyond the capacity of short-term memory, anything of a 'compromise' is just a token dilution that keeps the same status quo intact in everything except a temporary face-saving apology.

A realistic solution must consider the actions of all parties involved, but it doesn't have to actually appease any of those parties with anything they may want.

It's currently an adtech bubble, foaming to the brim. People speculating in attention-based revenue and side-dealing surveillance armaments through malware distribution to ferment the process should feel the losses when the deal goes bad to set an example that hurting others isn't going to get you a bailout. I don't care about your moral plea for "equality" where we make sure no one suffers the consequences of damaging the commons such as the intrinsic value of information and content.

Because of the adtech bubble, we have a _huge_ problem of noise pollution. Valuable public research cannot be funded effectively because the public realizes the history of paid "results" to turn a profit for media proselytizing and reframing unpopular governmental policies.

Public institutions are no longer credible due to the obvious connections between surveillance, profit, and legislation that is effectively mediated through media companies.

There's a real solution here: puncture the bubble by drying up the money stream. It'll help the useful creators in the long term that are being suppressed by the influx of dumb content and blackholing clickbait algorithms designed to minimize utility to maximize profitability.

Now, for writing professionally being a useful skill. That paragraph was obviously in the context of becoming something like a journalist, blogger, or news pundit where your income is paid by this scam of exchanging between attention and currency though a network of super shady intermediaries.

If you're writing instruction manuals for a living, you're not getting paid for how long eyeballs are on your work so that someone can monetize a reader's susceptibility to suggestion. In fact if I hired you, you'd be paid by how _quickly_ a human can view your instructions and move on with their life in doing something productive.

And that's exactly my point: I know many communications major graduates and many engineering major graduates. The former usually went into the program as a last resort for underwhelming academic performance and trying to latch on to the hype before it bursts rather than being gifted in communication ability. The latter could definitely transition to professional writing, not because of language skills that are essentially expected anyways but because their deep understanding in a subject allows them to distill useful insights that are rather hard to crack otherwise.

For example, I love IKEA/Lego instruction manuals not because a random "professional writer" with no independent domain expertise was able to checkmark that off his daily tasklist, but because the manual was made by people with incredibly sophisticated knowledge of how to visualize and communicate the ideas of physical assembly and knew their audience appreciates that expertise. If you're able to document the assembly process, you're qualified to critique and help improve the usability, design, and even materials engineering that ultimately influences what you write in the manual.

This reinforces the idea that if you're just a writer, you're useless because you _should_ be funneling what insight you distilled back to the process you're documenting. And then you're not really a writer, but an engineer.

And just because there are jobs and people being paid money to do it doesn't mean it's useful at all. Biggest fallacy I've ever heard.


Sounds like this is against your beliefs, but I'd pay to read your newsletter.


Simple enough; pay it forward.


The best content I've ever read has been books that each took years to write. After that come NPR and the Washington Post. Then Ars. I pay for all of them, and everything else I read, present company included, isn't even in the same league of quality.

I guess I'm saying that I couldn't disagree with you more; if all the content I didn't pay for went away, I doubt I'd be negatively affected at all.


Very true. There's a proliferation of content nowadays but most of it is just of absolutely horrible quality. I regret having wasted quite some time on hastily written free content instead of more systematic books.


Cable sucks because the revenue comes from the ads, not your cable bill.


Which is interesting because that is the environment where paid ads have the least structural advantage.

My take is that no matter what people say they prefer to subsidize their content by viewing ads over actually paying the equitable price for it.


I lean toward agreeing with you. Sure. I'd rather view ads than pay. BUT! Why I'm setting up a pi-hole isn't about ads in and of themselves. It's the intrusive and misleading ads. It's the tracking and difficulty opting out of targeted advertising.

I don't have a problem with TV ads for shampoo that I won't ever buy. I do have a problem with a web page that surrounds a legit news article with bizarre ads with cockamamie health claims, and links that don't go where they claim to go.

If a website says, "Pay up or look at these 'spider veins' ads" that's entitlement, arrogance and open contempt. That's not treating me like a desired customer.


Nope. People _say_ they want to pay an equitable price for content rather than viewing ads because that's exactly what they prefer and would do.

The problems are:

- Your definition of 'equitable price' when we live in a time where no single human can digest across their lifetime even a single year's worth of the glut created.

- The quality is universally garbage and as an information consumer you'd still have to spend your resources in thinking critically whether to accept and update your assessment of the information. If you're consuming 'content' as escapism well then you still might consider a more cost-effective route such as heroin or even direct neural stimulation.

- Consumers rightfully work out the long game plan of content creators. They'd like to not view ads but know that once you've climbed above the threshold of starving artist you'll get greedy and the ads will come right back. Always. No exception.


Equitable in this case isn’t determined by the producer or the consumer of the content but by the market.

The market shows that advertisers are outbidding consumers who don’t want ads. That sets the equitable price, not the desire of the consumer.


You do not want to pay?

For TV, I'm happy to pay for renting from google or a monthly fee to Netflix. In return I never need to go to the cinema, I watch films at the time that works for me, and no ads!

Yeah, I'd be happy to pay for quality video, podcasts, and articles, but not $5 to each site I want to read from.


For any content? Have you never bought a book, or paid to see a movie? Paid content is not bad in and of itself.


Check out coil: https://coil.com


Haven't looked at either in a while, but you might look into Flattr and Brave browser


I completely agree with your assessment of the problem.

I'm using https://blendle.com, which offers a wide variety of publications with payment per article (usually something around 0.70 EUR, with the odd 1.99 EUR for articles from DER SPIEGEL). They also have a daily mix of manually curated content and content based on the articles I purchased in the past, which works really well. I'm afraid it's only available in the Netherlands and Germany so far.

I didn't know the Brave browser had a payment model built in, will give this a try as well.


I also recommend blendle. It has the most reasonable payment system.

btw, I've purchased a few articles from Der Spiegel but they were around 0,75€.


I've been waiting for these guys to launch in the USA since I first heard of them. They're still in beta?


I've been using them in the US for over a year for what that's worth.


And I just got the beta invite. Yay!


> 2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

Ars technica. (Subscriptions are tiered but I think this is included in a low tier.)


> There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing

There is yet to be a quick and simple micro-transaction infrastructure for the web. Transaction costs inhibit micro-transactions. They don’t scale down.

Some are trying to use crypto to do micro-transactions, but even crypto has transaction costs that inhibit how small micro-transactions can be, not to mention the exchange rate volatility.

It’s a big unsolved problem. Gotta spend money to spend money.


I read an article once that argued the big problem with microtransactions was the transaction cost imposed on users.

For the sites, sure, everything can be automated. But even in the best case of good browser ui/ux support the burden shifted to users would be massive.

The cognitive cost of trying to decide whether to spend 10c on an article I haven’t read yet costs me way more than 10c. Man that article sucked. Did I just get ripped off by clickbait again?

This argument is what convinced me that straight per-article “microtransactions” will never take off for very low value things on the web.

EDIT: found it: http://hackingdistributed.com/2014/12/31/costs-of-micropayme... - Think it was Nick Szabo.

What’s scary to me is that the one “successful-ish” application we have for microtransactions is mobile gaming. Imagine a huge ecosystem of different beans, gems, flooz, widgets or whatever, and all the dark ux patterns to get people to spend them, and also to hide how much they are spending from people.


I would absolutely pay $10 a month to an aggregator like HN or /. that then paid publishers a portion of that based on article rank and/or number of clicks through.


Yes, agree that fixed-price deals with publishers / aggregators are tenable. Spotify works for people, for example.

The original argument was essentially that there was a minimum transaction size that was cognitively viable at scale.


I understand it's about cognitive costs. What I propose makes the cognitive load of actual monetary payment a single decision per month. I pay X. Let the aggregator and the publishers automatically figure out every little fractional detail.


If the objective of paying is to make the web better and reward quality content, you don't want two pages of clickbait to pay more than one page of watergate-level investigative reporting.

And any automated system to tell clickbait from quality journalism will incentivise people to trick it.

So at the very least, you need a refund button.


they could do it like medium “claps”.

No claps, no money.

Clap as long as you want.

At the end of each month your $10 is divided up by the number of claps you gave.

And if this isn’t for you, then go with ads or be paywalled.


An upvote button and a flag button I think might do the trick.


Well, Spotify works for the consumer. For the musicians, it's mostly advertising, not a useful source of income.


Would it change if there was a button at the bottom of the article, that you could click for an instant refund, no questions asked?

Honestly it almost seems to be worth trying, the potential upshot is _huge_.


blendle.com, which I mentioned earlier in this thread, has this instant-refund feature. I've used it a few times when an article was disappointing, or when there were technical problems (digitized article cut off the second half of the print version).

Seems to work for them, though I don't know their revenue/profit numbers.


Scaling cryptocurrencies would absolutely address this issue, but that's an enormous challenge.

A simple, centralized service could easily fill this role with batched transactions. Each reader pays once a month, each publisher gets paid once a month, and those payments can be shuffled about a database trivially. O(n) vs. O(n^2).

Patreon kind of did/does this. There was a big stink not long ago where this appeared to fall apart. The issue Patreon faced was that it was not so trivial to bundle transactions like this. Some creators wanted to get paid in a piecemeal fashion for each video uploaded, etc. Patreon supporters would each be on their own separate billing cycle because Patreon decided it would be bad UX to have the first month be pro-rated or whatever.

As much as Patreon is best situated to provide a service like this, I'm not encouraged that they'll do so.


A transaction on bitcoin cash costs 1 to 2 sat, which is less than 0.01 penny.

It is true that the cost can vary greatly (which sucks, please tell me of a crypto coin that is 1:1 with dollars), but you can adjust the price in real time and since you are selling a digital product even in an extreme situation you are not going to lose money (remember the transaction fee is pretty much going to be 1-2 sat always).


I suggest looking at Lightning Network for micro-transactions. Still emerging tech, but it shows great promise.


Or bitcoin cash! ;)


>There's no low user or micro transaction options for these, so I get a choice of pay say £10 a month or nothing, for a site I might be getting £1 or 10p a month "value" from.

A "tip jar" or micropayment model to supplement subscriptions would be a great option. Unfortunately I think processing fees eat up a significant chunk of your take to the point where it's not really profitable to build a business model around it. Even if you get a great solution going, getting buy-in from the number of vendors you'd need on board would be prohibitively difficult. The only ones with the reach would either be inclined to lock it down and stick with the ad centric model (Facebook, Google) or just don't have the organizational culture to give it the attention or support it would deserve (Apple, Amazon).

In the old days you could go to a corner newsstand and pick up a newspaper, even from one of those little boxes on the street. This let you just buy if there was something interesting that you needed to look at that day without committing and, importantly, without handing personal financial information to who-the-hell-even-knows. A payment infrastructure that makes this quick, easy, and cheap enough to where cost isn't a concern would be incredible.


It seems that these fees would be trivially avoidable by having one monthly transaction to the aggregator and one monthly transaction


Sort of like Patreon.

Except it would work a bit differently. Say I approve N number of sites (NY Times, WaPo, EE Times, etc.) They each get paid out of a monthly fund based on how much I visit each of them.


Wouldn't that in itself involve tracking your behaviour on the web, though, which is what commenters on this thread started off saying they disliked?


It could be your own browser who does the bookkeeping.


>2. I'm yet to find a site that takes my subscription and turns off ads and invasive tracking. Just ads. Still not an equitable deal.

As it currently stands, a large chunk of the newspaper industry in the states is willing to block the whole of the EU, when it could offer it that model, so I wouldn't hold your breath.

A source at Tronc says not only have most of the chain's papers blocked EU visitors because of GDPR, but Tronc "currently has no plans to support the EU" because doing so is seen as not economically viable.

https://twitter.com/mathewi/status/1001571559679582209?lang=...


The usual way people have tried to solve the microtransactions problem is through aggregation/centralization. eg, everyone who wants to gives HN $K/mo, and then HN distributes that money proportionally to sites clicked.

Unfortunately, I think the incentives are too loose. Users aren't obligated in any way to pay for links; as usual, humans aren't charitable enough to actually sustain public goods voluntarily. Secondly, the aggregator site isn't under strong incentives to pass on revenues (which applies equally to ads).


And the usual way people have tried to solve the solved-microtransactions-problem is by gaming the system, which is exactly the history and outcome of the current situation.

The 'microtransactions problem' using 'aggregation/centralization' you're describing would be readily identified as the newspaper industry a few decades ago. Nowadays you have to wrap it up in a healthy dose of cryptocurrency scamming, federated networking bullshit, and other huckster lingo to make it seem like a radical approach.

Newspaper companies, which allowed patrons to exchange a few cents for a daily source of vital information curated by professionals across a wide array of expertise, distributed money received in patronage towards the journalists, editors, fact-checkers, you name it.

Of course, that isn't the full story. What newspaper companies did was become the mouthpiece of the government and eliminate any useful information, filled nearly all the pages to the brim with huge obnoxious ads with little text remaining, started some perverse incentives with journalist pay forcing the smart ones to abandon ship a long time ago, and helped build a mass culture of frantic zombies who cannot tell the difference between fact and fiction, parroting whatever they read as a sort of social lubricant, and trained to resort to looking on a page for the local weather information yesterday that could be far more accurately sourced now by looking up to see if there are clouds above.

Good riddance to 'content creators.' Don't let the door hit you on the way out, and HN will never receive a cent of my money. :D


If some big company like Apple, Microsoft, or Amazon wanted to get behind micropayments, they might be able to actually get it started. It would basically amount to disrupting the advertising model itself. Advertising would morph into influencer media produced at the behest of advertisers, but much of media would be much freer from the worst depredations of advertising.


> Modern online advertising companies are malicious entities that actively harm users, and I absolutely classify them as malware.

This is exactly the response for anyone that is frustrated by blocking ads impacting revenue for web publishers. Had the ad tech not become so invasive and pernicious, users wouldn't be going out of the way for solutions like this. The advertisers have essentially forced our hand.


Where I feel my hand was forced was when a friend wanted help promoting a professional conference in the area of data and tech. I went to the website and, in the center of the page, there was an ad for cellulite cream.

OH! C'MON!!! I believe in the conference, but I'm not going to share the link with that ad on it.

It's been explained to me that the website owners don't know what ads are being served up. All they know is they signed up for an ad service. If that ad is a redirect to a porn site, the website owner has no clue unless people complain.

And that's why I ordered a raspberry-pi to set up a pi-hole.

I get that a lot of my friends won't like this. They're in advertising and marketing, and they insist that they're one of the good ones. Fine. But the bad ones are REALLY bad.

Also. I've spent HOURS opting out of tracking cookies. Then I heard that my effort is only as good as the entities that respect that I opted out. OH? WOW!

So, when I hear people complain that we're hurting them, and they're one of the good ones, it ignores the real problem. Look ...

if I was bitten by 10 dogs out of 50 dogs, I'm gonna have a problem with dogs. Period. You can insist on how friendly your dog is, but no. Talk to the other dog owners before trying to get me to take another risk.


> if I was bitten by 10 dogs out of 50 dogs, I'm gonna have a problem with dogs. Period. You can insist on how friendly your dog is, but no. Talk to the other dog owners before trying to get me to take another risk.

Exactly my stance on whitelisting advertising. I am sure there is a good amount of fair advertisers out there, but the area at large is full of scum.

I would start with a full-on disable of 3rd party JS but I know that would break a whole lot of other and actually needed functionality. So I have no good solution except not to trust anyone. Pi-Hole is my next stop as well.


Someone's been searching for cellulite cream on Amazon!


LOL!


Exactly. I believe Troy has another post about this topic where he discusses why he's able to justify selling the single, static banner ad at the top of his site.


> I heavily believe we should be supporting creators

Agreed. Do you disable your pi-hole on sites like Reddit? They vet their ads so as not to have any of the malicious attributes that you described. All the larger newspapers like WaPo and NYT are good about this too.

I'm all for blocking intrusive or malicious ads. But quality content depends on ad revenue. The author dedicated an entire paragraph on donating to the pi-hole project, but no mention of supporting quality content with subscriptions or unblocking acceptable ads.


Do you keep your car doors unlocked when you park in safe neighborhoods? Do you give nice strangers a spare key to your house? Do you sleep in an expensive hotel with the door propped open? Do you keep your password on a sticky note at your desk inside your secure office?

Of course not. So why would I disable my security software just because a site I visit hasn't been hacked yet? That's just basic security hygiene.


Agreed. Furthermore, nothing guarantees that them being good actors now won't be changed when they get acquired by a media giant. Policy and culture can and have changed overnight in organizations after acquisition.

It's the same as with Troy's argument about good browser extensions. Yes, they are good today, but them being bought for 5 figures and the personal data harvested does not make the news, and the users are clueless about it. I'd rather just not take the risk.


> Agreed. Do you disable your pi-hole on sites like Reddit? They vet their ads so as not to have any of the malicious attributes that you described.

I've still got ads blocked on reddit because they're so clickbaity as of late. They look like posts from subreddits I'm subscribed to and turn out to be an ad, no thank you.


> All the larger newspapers like WaPo and NYT are good about this too.

The ads are not malicious, granted, but in the case of NYT at least they're still "blinky". They get blocked at the Pi-hole now. I do subscribe, however. I'd like to turn the ads back on because I view the NYT to be a quality publication, but I'm not going to have something moving out of the corner of my eye while I try to read the paper.


What in the world does your subscription pay for, if you still get advertisements on the New York Times?


Same thing my subscription pays for if I get the dead tree edition: ads sprinkled in with the news. Right or wrong, it's not like there isn't 100-year-old precedent for this.


Right, but if you've already paid I don't see why you'd want to turn ads back on? You've already fulfilled your moral duty to reward them.


I hope more companies offer a paid version of their site that completely removes Advertisements. I cannot stand ads and won't use a site if I can see them. I'm not trying to be a bad guy though, I want to use those sites legitimately. My only option is to not visit them until they offer a compromise.


Reddit is work friendly 4chan. That is, (mostly) not quality content.

I stick to a search engine rather than browsing Reddit directly. If what I'm looking for comes up in a relevant Reddit thread, huzzah.

I get the contemporary meme is "Agree with great-great-grandpa's economics of 'survival of the fittest'." But I feel little obligation to pander to it everywhere it exists.

Maybe I'm an odd bird, having grown up in the remote wilderness in the 80s, no TV, growing food and hunting/fishing, and only using money for things like clothing and basic services (water/electricity/phone).


Ads on Reddit used to be alright, but since the advent of their dumpster fire of a redesign, their ads have turned into block worthy material.


I used to have Reddit whitelisted until they started showing subreddit-targeted ads in other subs. I follow a bunch of cryptocurrency subs and the ads there are… well… as you expect.


Why is this bad? You follow cryptocurrency subreddit, they show you relevant ad. You follow "warm mittens" subreddit, they show you relevant ad, etc. So why is it a bad thing?


I can't speak for the GP, but in this case of the cryptocurrency sites/fora I frequent (including topical subreddits), the ads are for idiotic scams. This indicates that whatever vetting they're doing is insufficient, and so they can be safely blocked (specifically -- if they can't be trusted to not display ads for obvious fraud, they can't be trusted to vet ads for other malicious attributes).


Yep.


> My Pi-hole with updated block lists (blocking trackers as well as ads) sits at around 87.7% requests blocked

Where in THE hell are you going on the Internet? Wait, don't answer that. I only wonder because we sit at around 20-30% at our house (which is still ridiculous). But approaching 90%? Maybe I need to crank the blocklists up a notch, but I can't imagine even surfing porn sites all day that I could get anywhere near that percentage of blocked requests. But, man, I enjoy a challenge...


Ever visited Forbes or Business Insider? Easily 90% of those sites are third-party scripts served from other domains.


This is why Forbes is in my blacklist.


I've hit 75% before. My Roku desperately wants to phone home (25k requests/day).


Yeah, upvote for reminding me about chatty IoT crap. I've got a Nest right now that was phoning home every four seconds. Why, I have no idea, so now it doesn't phone home at all. And a Foscam camera that isn't as persistent, but still tries a few times a day. We're still at < 35% blocked, though.


My Samsung TV wants to send home info about everything I watch.


I’m only at 7.5%, probably because I use uMatrix in the first place, and have gone out of my way to kill a few applications that phone home like crazy.


I use a /etc/hosts-based (https://github.com/StevenBlack/hosts) approach to add blocking across my machines, but I have found some sites (fansided.com comes to mind) which detect that I'm blocking and won't let me read them. How easy is it to get around this with the pi-hole?


Very easy. You can pause it for 10s, 30s, 5mins, or a custom timeframe via the dashboard, or whitelist domains/subdomains as well. You basically do everything via a very slick dashboard running locally on its IP.


Very cool...thanks. I'll give it a serious look.


Highly recommended, incredibly easy to set up and use.


Whenever mine has gone much above 30% (70ish prob highest ever) it generally turns out to be an unattended app left open on the android device I have hanging off the back of the TV. I recall the NYT app, for example, pinging home every 30 seconds or so.

You can trace offending devices and traffic via pi-hole logs. The UI is a bit clunky but gets the job done.


Did you use the 'default' lists that come with the installation or did you add new ones? Would you mind sharing your feed list?


This is really depressing. I immediately want to blame the ISP for empowering malicious entities to harm their paying customers. 88% is obscene.


I'm surprised this is the top slot right now. Troy generally puts out interesting info on security-related news; however, this feels a bit minimal. Since the project has been around a number of years now, and it's not relegated to only an RPi, I would have expected him to delve into things a bit more. Pi-hole will also break things. I think the common one I always heard from users on my network at home was that Google click-thrus for products always fail. But... Don't deploy it on an RPi. It's not worth the inconvenience of maintaining another entire device for a network service. There's an actively maintained container I'd recommend, or it's very easy to deploy as a VM. Troy also didn't hit on anything like DoH or DoT, surprisingly.

Container link: https://hub.docker.com/r/pihole/pihole/

Edit: word


Troy's skill is taking security and privacy topics and translating them with practical tips to an IT enthusiast audience that is much broader than hn

Look at his comments and replies to gauge the audience for his content - deploying more privacy and security tools and knowledge can only be a good thing


It’s essentially dnsmasq which can be run directly on your wireless router if you are using custom firmware. No separate hw needed, no need to horse around with dockers or containers or any of that stuff. I’d guess a lot of people are already running dnsmasq for other purposes, so adding the blocklist and periodically updating it should be trivial.


I'd argue Pi-hole is quite a bit more than dnsmasq (it's actually a fork of dnsmasq called ftldns) out of the box. It's also very much more approachable by the majority and the web interface gives people immediate feedback and configurability without having to understand configurations for the services directly.

https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ft...

https://docs.pi-hole.net/ftldns/


Interesting, didn't realize the "pi-hole" branded package was more than vanilla dnsmasq glued together with shell scripts.


Go back in the project history and you'll see that it originally was! It's matured a lot since then.


I was doing this using Tomato and it introduced serious stability issues in the two routers (both Asus) I tried it on.

Pi-Hole is a drop-in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist across router upgrades.

My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.


Use a different root filesystem. Ext4 is not robust against power loss, as I've discovered in multiple embedded Linux systems where Ext4 was used.

The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.


Back in the day (also before ext4) we solved this by mounting the root filesystem read-only. Depending on any other application for the machine, you may not need filesystem writes at all once it is set up. Bonus: it’s even friendlier to the flash.


This is how I've solved the problem in the past. Too bad systemd discourages this. It also doesn't protect the partition where your database and log files are kept.


I'm running an RPi with 64-bit kernel & runit as init via Void Linux, so you're not necessarily stuck with systemd as the only option for RPis.


Yet another reason to not run systemd. (Also, systemd? On a router? That's excessively overkill. Why not a sane init, like SysV?)


You're assuming I make routers.


Do you use YAFFS2 or ETFS on a raspberry pi? I'd be interested to know more about setting something like this up.


I got cheap SSDs in cheap USB cases for my 2 Pis after getting annoyed with SD corruption. SSD prices have dropped recently after being flat for a long time. If you are really cheap the cases often go for $1 or free after rebate at newegg.


Yeah, on openwrt you just install the adblock package

https://github.com/openwrt/packages/tree/master/net/adblock/...


That is what I did. I used a TP-Link Archer C7 router and installed adblock and few other useful packages. Works like a charm so far.


Do you know if it’s possible to deploy it on a virtual AP? E.g. have “MyNetwork” and “MyNetworkWithAds” - so that it is easier for nontechnical users to switch, and also doesn’t deactivate for everyone when just one user needs to (even if only for 5 mins)?


Possible but not that simple actually, as there is little to no documentation or shortcut for such a case available using dnsmasq. Afaik you can only realize this by running multiple instances.

The childproof network example is the fitting how-to you can learn from: https://forum.openwrt.org/t/kidsafe-or-guest-wifi-forced-saf...


Can anyone recommend a "2018 good choice" for a consumer router that can run custom firmware (including dnsmasq), or a trustworthy recommendation website? Wirecutter for example doesn't note third party firmware: https://thewirecutter.com/reviews/best-wi-fi-router/


Not really an off-the shelf consumer router, but since you want to install custom firmware anyways, you might want to consider the PC-Engines APU2 board [1]. You can either install any "normal" desktop x86_64 Linux distribution or a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports hardware virtualisation, so you're able to run several VMs via KVM to isolate the services the router is providing.

Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.

[1] http://pcengines.ch/apu2.htm

[2] https://openwrt.org/toh/pcengines/apu2


I second this. I've been running PC Engines stuff for a few years and it's great. I currently have an APU and it handles my gigabit fiber no problem. I use a separate off-the-shelf wireless router in bridge mode which lets me upgrade that independently of the PC Engines board (wireless hardware tech moves faster than router hardware tech).

I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice. For example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.


Unfortunately it does not come with 3 mPCIe slots, the one furthest to the left is an mSATA port.


I’ve been running the mid to high end Asus routers for years now and am very happy with them. Running wrt-Merlin firmware and AB-Solution via entware is everything I need and doesn’t complicate things with additional devices like pi-hole.


Yes, this is my preference as well. You can also run a vpn with this setup (as you can with other custom firmwares) so you can take advantage of this adblocking from outside your home.


The TP-Link Archer C7 AC1750. https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

I was looking for an openwrt-compatible router a few weeks ago; this is 2018's consensus cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.

And to come back to your original question, to do your own research, I recommend you search/ask on https://www.reddit.com/r/openwrt/ and https://forum.openwrt.org/ , it's a question that pops up frequently.


Netgear R7800 and any other router with the same Qualcomm chipset work great with OpenWRT.

Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).


https://openwrt.org/toh/views/toh_available_864

edit: link to OpenWRT with a list of supported hardware that is relevant to the parent's question


I buy my routers from flashrouters.com. A little overpriced, but I trust them and their testing. I have the Asus N16rt (I think) running shibby tomato and it's great.

Despite this, I run pi-hole on an RPi that I haven't done so much as a reboot on in two years.


It may be more full-featured than you are looking for, but have a look at the Turris Omnia. It is extremely customisable and you can add an internal SSD to run LXC containers on (including one running Pi-hole, which is what I do).

Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.

https://omnia.turris.cz/en/


Have you had any issues with the auto updater? I got rid of my Omnia after an auto-update broke DNS while I was away from home.

Ironically, went to Unifi after reading Troy's blogs about it - now regretting it immensely as the hardware is nowhere near as powerful as the Omnia.


This happened to me too, and what I learned is that the Omnia uses the Knot DNS resolver, which re-enables itself after updates and this breaks everything if you have made certain customisations.

The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).


I’ve been also searching for recommendations, particularly on a custom firmware router that allows me to host a VPN server.


It’ll be more involved for you to set up, but pfSense is what I use. I basically forget it’s there until I want to change something (add a new VPN user, monitor bandwidth usage). I’ve set up an IPSec VPN that works well with my Apple devices, especially with a configuration profile that enables on demand VPN (connect via VPN when certain conditions are met, like not on my home WiFi). For hardware I use a cheapish “industrial” computer from AliExpress. Probably not the best thing security-wise (no firmware updates in the past few years, it feels like it’s just shipped directly from a random factory in China), but it’s been great so far.


How do you instruct an iPhone or iPad to use VPN when you are not connected to your home Wi-Fi? I used their former Workflow automation app (now dubbed Shortcuts in iOS12) and it did allow reacting to such an event (going out of range of 1 or more wi-fi networks) but did not realize one of the possible actions was to be able to enable VPN.

Was that what you used? Or was it something else?


And Hacker News is essentially just a bit of HTML, CSS and lots of words.



Assuming I'm only interested in blocking ads in one computer, is there a software solution for this on Linux or Windows? (I know that Mac has Little Snitch).


Why not use a browser extension? uBlock Origin is pretty good from what I hear. I use uMatrix by the same dev, and it serves me well. Both work on major browsers (FF, Chrome, Opera, etc..).


> DoH or DoT

I wasn't familiar with these terms and they are a bit ungooglable. :-/

DoH = DNS-over-HTTPS

DoT = DNS-over-TLS


The simplest approach is to use a hosts file: https://someonewhocares.org/hosts/


That doesn't work the same as Pi-hole. Pi-hole blocks ads on ALL devices on your network: your computer, your laptop, your phone, your kids' Kindle, etc. As long as they are on your network, they are protected (and browsing web pages on an older phone, things are much faster).


Yup, that's a downside. The advantage is that it's much simpler and will also work when you're not on your home network.


You can also run pi-hole on a tiny VPS and set your DNS statically on all devices.


do you have any links for doing this?


Yeah this is something I've been thinking about lately as well. Pi-Hole seems cool but what about most of the time when I'm somewhere else than my local network?


How do I edit the hosts file on my iPhone?


I use AdBlock https://www.adblockios.com on iOS which runs a local DNS server that can blackhole domains. It doesn't work well on very large host files so I gave up trying to import https://github.com/StevenBlack/hosts, but it does work well for smaller lists.


Probably not the answer you are looking for but:

(1) Install "1Blocker X" -- not free but it's cheap.

(2) It has a huge number of rules and protects your Safari pretty damn well.

(3) You can disable the existing rules if you so choose.

(4) You can add new ones based on URL regexes or CSS rules.

I am still using it actively both on my iPhone and iPad, one of the best investments in apps I ever made.


Jailbreak it, install openssh, ssh in and edit /etc/hosts. There's also packages in Cydia that add adblock lists to your hosts for you.


You fire up vi and load /etc/hosts /s


Well, I'm connected to my home network via VPN when I'm not on my home network, so....


There's also Steven Black's host file:

https://github.com/StevenBlack/hosts


The issue with that is DNS resolution. I noticed that when I disconnect/reconnect my interface, it took >30 seconds for DNS resolution to properly resolve. Why? Because I was using a 65,000 entry host file on my modern Windows 10 machine.

It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issue.

I'd rather have a separate service to run it.


I also had a performance problem with DNS resolution with a big hosts file, but disabling the DNS client service helped.


Of course I have deployed it on a Raspberry. I don't have another always-on computer, and while it's not the only supported target, it is the one most Pi-Hole users have, so I get maximum community support.

I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.

So far, I love my Pi-Hole. Absolutely no problems with it.


At 100% power draw the charger I use to power my pi uses 5 watts so you're pretty safe on the power.


A cron job every hour with a slack notification of temp >60C has put me at ease. It goes over occasionally so I suppose I’ll need a fan at some point.


On an RPi I can plug it in to the USB on my router for power and connect with ethernet. Otherwise I have to run a full powered server perpetually to manage DNS for the home network. Made sense to me.

I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.


And if you’re that way inclined, a POE Pi hat can get another cable removed.



I wasn’t aware of that - thanks. I think I’ll be safe as there will be no peripherals plugged in, but that’s something that needs considering it seems.


I've gone the route of using another box to do PoE -> 5V USB, but unfortunately the TP-Link converter is outputting 4.8V instead of 5V (the Pi3b will technically run on this, but it's not a good idea).


Thanks for the link. I'm guessing this would handle the use case of being able to access Pi-Hole while traveling or in a coffee shop, correct? This seems to be a limitation of having this on a Pi.


The setup script runs perfectly on Ubuntu in an lxd container as well.


I assume DoH is dns over http, what is DoT?


DNS over TLS


> Do you use a popular browser extension? How confident are you that the creator wouldn’t accept a $10k offer to hand it over only to have it then go rogue on you?

What makes the Pi-Hole organization any more trustworthy? (and the software stack it all depends on)

Personally, I'm inclined to trust them both and hope that the long arm of the GDPR will be effective. Optimistic, I know.


Since Pi-Hole is a DNS server running on a separate machine, it just doesn’t have the same level of access as browser extension would. Even if it was rogue, the worst it could do is share the list of domains that you visit, and possibly hijack your HTTP (but not HTTPS) sessions.


You, and the other commentator, are forgetting that the DNS Server handles all connections, not just those from your browser. Are you confident all the self updating software you use has no vulnerabilities? How about the video games that you play?

Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.

I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...


You don't have to be confident it has "no vulnerabilities" (an absurd standard) to understand that the worst possible vuln in the DNS server (say CSRFable RCE in dnsmasq) still puts an attacker in a less privileged position than what they get if they control uBlock Origin: UXSS. Now that browsers are serious about mixed content, DNS poisoning just isn't as interesting as it used to be.

Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).


I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.

I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...

Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less savvy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.

High-skill users have more to fear from a Web Extension: its impact is undetectable and it can siphon passwords. Low-skill users have more to fear from a malicious DNS server: they won't notice the lack of HTTPS on non-HSTS sites and their hardware will get compromised remotely.


I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with :/// and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.

Which one of these is worse:

a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,

-- or --

b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?

The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.

I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.


> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.

If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.

My point is that both scenarios are catastrophic, and it's hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry, a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.

As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer


OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.

I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.


>If PiHole is malicious, there is already an attacker on your network

In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.

A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.


This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.

You can also inspect the block lists to ensure they all go to 0.0.0.0 if you’re worried about mitm attacks.
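A way to do that inspection (also applicable to the /etc/hosts-style lists mentioned earlier in the thread), as an added example that is not part of the original discussion or the Pi-hole project: it parses a hosts-format block list and flags every entry that points a name at anything other than a sinkhole address, or that is malformed. The sample list is constructed for the demo.

```python
import ipaddress
import re

# Addresses a block list may legitimately point a name at: the name is
# "blocked" by being answered with an unroutable or loopback sinkhole.
SINKHOLES = frozenset(
    ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::", "::1")
)

# Loose hostname syntax: dot-separated labels of 1-63 chars, no leading hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9_-]{1,63}(?:\.(?!-)[a-z0-9_-]{1,63})*$", re.I
)


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text.

    Comments (from '#' to end of line) and blank lines are skipped; one line
    may map several names to a single address, as generated lists often do.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield line_no, fields[0], name


def audit_blocklist(text):
    """Classify every entry; return counts plus the entries worth a second look.

    Each suspicious entry is a tuple (line_no, address, hostname, reason).
    """
    suspicious = []
    ok = 0
    for line_no, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append((line_no, addr, name, "unparseable address"))
            continue
        if ip not in SINKHOLES:
            # The case the thread is worried about: a routable target turns a
            # "block" into a redirect to whoever controls that address.
            suspicious.append((line_no, addr, name, "non-sinkhole target"))
            continue
        if len(name) > 253 or not _HOSTNAME_RE.match(name):
            suspicious.append((line_no, addr, name, "malformed hostname"))
            continue
        ok += 1
    return {"ok": ok, "suspicious": suspicious}


# Constructed sample in the StevenBlack/hosts layout; not a real list.
SAMPLE_LIST = """\
# Constructed sample block list
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.com            # a normal blocked entry
0.0.0.0 tracker.example.net metrics.example.net
198.51.100.7 login.example-bank.com   # would redirect, not block
0.0.0.0 name!.example
0.0.0.0 cdn.example.org
not-an-ip foo.example
"""


def main():
    report = audit_blocklist(SAMPLE_LIST)
    print(f"{report['ok']} entries sinkholed as expected")
    for line_no, addr, name, reason in report["suspicious"]:
        print(f"line {line_no}: {addr} {name}: {reason}")


if __name__ == "__main__":
    main()
```

Run it against a downloaded list before pointing dnsmasq or Pi-hole at it; any "non-sinkhole target" line deserves an explanation before the list goes live.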


you could do the same with ublock


Not on a network-wide basis, and not on non-browsers. I don’t think anyone here is saying don’t use a browser-based blocker too. I use both a browser plugin on the client and dnsmasq on my network.


I think the blog post is saying that, especially in the quote that started this thread. The post portrays ad-blocking browser extensions as not worth the risk, discussing both the questionable value of blocking all ads and also the possible risk of the extension being sold to a malware creator. It then presents Pi-hole as a safe alternative to browser-based blockers.


When I said

>you could do the same with ublock

that was in response to:

>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.


Exactly. This thing is in the best possible location for poisoning DNS for every system on your network. That should be a HUGE concern.


It is an order of magnitude safer than a browser plugin.


Right, neither one of them are great ideas unless you can trust the source. To argue otherwise is a relative privation fallacy.



Then don't do it and wait for taboola or google ads serve you a drive by rootkit?


They could easily do a diagnostics / analytics feature where user stats are posted back to developers


In this case it just acts as a DNS resolver. That's potentially risky when resources don't use SSL, but far less than a browser extension that can change a page in place, inject JavaScript, and record keystrokes on all pages.


> resources don't use SSL

Huh? DNS is hit even if the site is SSL. Unless the site has HSTS and you've been to the site before, DNS poisoning is very much doable.


Yes, but the hijacker will still need to present a valid cert for that domain, which is much harder.


How would the attacker do anything useful with an SSL connection attempt? They can either send the real certificate, and then not be able to decrypt the data, or send a self-signed cert which the OS/browser wouldn't trust?

Are you thinking of some downgrade attack vector?


https://github.com/pi-hole/pi-hole

Pi Hole is open source, so if someone did try to sneak in some malicious code, it would be seen.


Just as a note, a project being open-source doesn't necessarily provide a 100% guarantee that it doesn't contain any (possibly obfuscated) malicious code. Our community likes to think that someone else would catch it, but enough people thinking that way can (and likely often does) lead to the bystander effect. So it's always good to be wary :)

Edit: Heartbleed was a good example of this -

https://www.csoonline.com/article/3223203/vulnerabilities/wh...

> The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.


Seen by what percentage of users who just download the binaries?


I think a major difference is the update scheme. Browser extensions auto-update. If they switch hands there is no user visibility when getting the updated version. Pi-Hole is installed software and requires manual updates, which gives users more visibility and control.


you can turn auto-updates off. also, you can easily inspect the source for an extension (AMO doesn't allow minified js), you can't easily do that for the multitude of components that make up pi hole.


> you can't easily do that for the multitude of components that make up pi hole

What? The entirety of the project is open source. In fact it's easier to look at the source code that makes up PiHole because it's all in one spot in Github.


Considering that over 20% of https://pi-hole.net is blocked as malicious ads by my browser, I don't really understand why you would trust them to block not only the crap across the wider internet but even against their own self-interest.

Remember the warning signs of craziness with NoScript? It's like you guys never learn!


Could you please not create new accounts for every few comments you post? We ban accounts that do this, and it's in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

HN is a community. Users needn't use their real name, but do need to have some consistent identity for others to relate to. Otherwise we may as well have no usernames and no community at all. That would be a different kind of forum. Anonymity is fine, and throwaways for a specific purpose are ok, just not routinely.

https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...


Someone very concerned about ad whitelists can also use multiple ad blocking extensions.

It would take every creator to accept the bribe for the ads to go through. Well, if the extension starts injecting ads it's another story...


I fundamentally believe we have the right to transform content that comes to our devices.

The idea that we have a moral duty to sit passively and absorb “experiences” in their intended form... I just don’t see how that works long term. It will just mean we get abused more and more and we have to take it.

No, if you want my business you have to find a way into my consciousness that is compatible with the way I arrange information around me. That’s always been the deal. You can put a free circular in my mailbox and I am free to toss it without looking.


You don't have to sit passively, you don't even have to block passively, consider using / contributing to services like AdNauseam or Noiszy.


Why are our devices so far outside our own control that we need to run an additional device on our networks to help prevent them from making unwanted network requests?

The whole approach of Pi-hole feels misguided. Blacklisting domains and hosts should be something easily done on my device locally. Then it comes with me when I visit friends or coffee shops, and it's easy to temporarily disable when it breaks something I'm trying to use.

The fact that I can't do this on things like my phone really illustrates how little control we really have over our own computing devices.


Surprisingly, I've yet to see a service which fronts Pi-Hole or similar and allows you to point your DNS resolver(?) at it, so you can use it on the go -- without having to use a VPN.

I tried to set this up on my own using a VPS and Pi-Hole and it did work for a while. However, bad actors eventually found the server and started using it to perform DNS amplification attacks against, of all things, cricket news websites. I don't know too much about networking, so this may be a limitation of the DNS protocol. However, it seems like Quad9, Cloudflare and the like have figured out a way to prevent this sort of abuse... So, if any provider out there is reading this, please add this capability and I will gladly pay to use your DNS service.


You mean a public DNS server with ad blocking?

https://adguard.com/en/adguard-dns/overview.html

Note that obviously, since you are sharing all your DNS requests with them, it's terrible for privacy... :'(


> Note that obviously, since you are sharing all your DNS requests with them, it's terrible for privacy... :'(

Right. I'm not defending this service in any way, but couldn't you say the same about Quad9 or Cloudflare?


True.

You could set up pi-hole as a recursive DNS server: https://docs.pi-hole.net/guides/unbound/ That way you don't have to use a public DNS server like Cloudflare. However, since (as far as I know) DNS requests are not encrypted, this is not perfect either (security wise).

At least when using Cloudflare you can use DNS-Over-HTTPS: https://docs.pi-hole.net/guides/dns-over-https/


https://adfreetime.com does this, as well as proxying location checking (like MLB's video streaming).


Cool! Thanks for sharing this.

Out of curiosity, do you have any idea how they prevent the scenario I outlined (e.g. metadata, traffic analysis)?


>$1.99 US a month, less than a cup of coffee!

At that price, I doubt they do.


Editing the hosts file is a security risk.

You don't want a malicious app to do this behind your back so that when you type alice.com, you see bob.com instead.

Fortunately, to some extent, HTTPS or GPG come to the rescue.


Firefox for Android can run extensions, so it's trivial to just install uBlock Origin. You can even choose to sync extensions across devices, and as soon as you log in to your Firefox account all your extensions will be installed automatically.


You can edit the hosts file on Android apparently and the Pi-hole is just a shared hosts file.


It's a self-updating hosts file. If you only do it once a month you'll start seeing ads again. Also, you can edit the hosts file if you're rooted, but you definitely can't if you're running a stock unmodified ROM. If you're rooted and you only care about your Android phone, you can also install AdAway, which does pretty much the same thing without the whitelist capability (get it on F-Droid), but if you have a number of devices to protect, and some of them are iOS devices, TVs or whatever that can't be rooted or jailbroken, or that you don't have administrative privileges to, Pi-hole is a good choice (if you run pfSense at home you can also use pfBlockerNG, which is essentially the same thing too).


Host file blocking on mobile devices produces some weird web browsing. I like using browser plugins because it gets rid of the whole chunk of html so it's like the ad was never there in the first place. On android, there are these huge blank spots you have to scroll past to keep reading. I still keep adaway on but I wish I could just use ublock origin with android's chrome.


You can use uBlock Origin in Firefox on Android, and I've found DNS66 to be a good non-rooted adblocker on Android.


Now there's also Blokada which is a little bit better (found it to block some ads that DNS66 actually let through; it was a random discovery, I am not a researcher).


There are devices that are not easy to free up from ads, e.g. unmodified WP mobiles. This way they are protected from ads as well when they are connected to the same network with wifi.


I don't use a browser extension, I use Firefox's built-in tracking protection. It is only enabled by default in private browsing mode, but it's easy to enable it for all your browsing. See https://support.mozilla.org/en-US/kb/tracking-protection

I get 126 requests and 2.3 MB transferred on Daily Mail Australia, which seems comparable or better than what Troy saw with Pi-hole. See https://postimg.cc/3WYwZf3b

(Disclosure: I work for Mozilla.)


It's sad. I've so much wanted to go back to Firefox after 10 years on Chrome now but every time I give it a try it just doesn't do it for me. Mostly because I have quite specific habits and I don't remember off-hand what it was specifically the last time I tried it that made me give up, I should really do a write-up the next time I give it a go, as I love Firefox (what it stands for) but there's always that _something_ that makes me go back to Chrome after a week or so. Currently I'm exploring Vivaldi (based on Chromium, which has some awesome power user features).


Also, I get similar results with Daily Mail with Chrome/Vivaldi + Ghostery. But I'm placing a lot of trust in Ghostery that I would rather place in Firefox.


This is great: it has most of the benefits of an extension without the concern the extension gets compromised (you already have to trust your browser). The only downside is it doesn't address ads in things that aren't browsers, like mobile apps and the like.

I wonder how long it's going to take for ads to be implemented server-side entirely.


True. For mobile browsing it works well as long as you use Firefox on your phone too, but it doesn't help for tracking and ads within apps. Pi-hole can help there, but only when you're connected to your home network.


Or when you run openvpn and pi-hole on a server somewhere and VPN your devices via it.


> 82% reduction in the number of bytes transferred

No doubt the reduction is important, however as per screenshots, the reported reduction should be considered somewhat inaccurate as he forgot to check "Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-Hole version. We can see resources pulled from browser cache in the Pi-Hole version.


So I have tried using pi-hole in the past and I think one of the problems is - some websites refusing to function if ads are blocked. IIRC - British Airways website uses some javascript that requires ad to be disabled for finishing checking in. It may have changed now but there are other websites too which may or may not work as expected.

With browser extensions it is typically easy to disable the ad blocker one time and check if that fixes it. With pi-hole IIRC, it was much harder to do.


I’ve been running this kind of setup for over 5 years on my home network, and the only complaint I’ve ever gotten was that the Google search results that are ads or shopping links don’t work (yes, my wife clicks on these). If a web site didn’t function I wouldn’t know it was due to DNS, because I never turn this off. I’d simply chalk it up to it being a defective website and not use it.


Yes - but sometimes you don't have that choice. Would you rather not use an essential service (flight check-in or paying an electricity bill) or disable the adblocker temporarily? To each their own I guess, and the tricky thing with pi-hole is, it is VERY hard to tell if a website isn't working because of the adblocker, or because you are using Linux, or because it is simply broken.


In the situation I would just disconnect from my wifi and use 4g.


If a site refuses to work when there are network issues, then you can just close the window. British Airways' competitors will be happy to have your business.


It's super easy to turn it off for five minutes in the admin interface.


> some websites refusing to function if ads are blocked

Don't visit those sites!

They want your eyes and/or your money (if a subscription is an option) and you don't want to give it to them. Just stop going there!

Edit: I don’t understand the downvotes. Sites aren’t obligated to give you something for nothing. Why does it feel like that’s the default view here?


But there are other people that live in or visit my home. Maybe they want to visit those sites.

I'd love a pi-hole like solution that was as easy to temporarily disable as a browser extension.



That is why I don't use pi-hole myself.

I wish it would redirect to a different local webpage that allows you to click a button to temporarily unblock the domain for your ip, like the ublock blocked webpage that pops up sometimes:

https://arstechnica.com/civis/viewtopic.php?f=3&t=1424503

If it gets abused, then you can turn it off as an option.


Isn’t that the compromise of roommates or family? Not everyone gets what they want.

Either they’ll move out, resent you, deal with it, or you’ll do what they want?


1. Use Wireguard.

2. It has a DNS option[1]. Set it to your Wireguard server.

3. Set up unbound with a public ad domain list. (No link for this, Google is your friend and there are several different options with minor tradeoffs.)

You're done. Now unless wireguard, a soon-to-be kernel project, or unbound injects malicious code, you're safe.

Edit: oh and this also works on mobile

[1] wg-quick man page - https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick...
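One way to do step 3 above that also applies the earlier advice in this thread to check that every block-list entry really points at 0.0.0.0: an added Python example (not Pi-hole, dnsmasq, unbound, or any commenter's code) that parses a hosts-format block list, rejects entries that would redirect a name to a live host instead of sinking it, and emits unbound local-zone rules. The sample list is constructed; the hostname syntax check is deliberately simplified.

```python
"""Validate a hosts-format ad/tracker block list and convert it to unbound rules.

Added example with a constructed sample list; not code from Pi-hole, dnsmasq or unbound.
"""
from __future__ import annotations

import ipaddress
import re

# Addresses that legitimately sink a blocked name. Anything else in a block list
# would *redirect* the name to a live host rather than block it, which is the
# kind of tampering the "check they all go to 0.0.0.0" advice is about.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Names that appear in almost every hosts file and must never become blocking rules.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Simplified hostname syntax: dotted labels, letters-only TLD (enough for a block list).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

# Constructed sample input, including the failure modes the checker should catch.
SAMPLE_LIST = """\
# Constructed sample block list (not a real list)
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net
0.0.0.0 Metrics.Example.ORG   # mixed case, trailing comment
0.0.0.0 ads.example.com       # duplicate
198.51.100.7 login.example.com   # not a sinkhole: would redirect, not block
0.0.0.0 bad_host!.example.com   # invalid hostname
not-an-ip something.example.com
"""


def parse_hosts_list(text: str) -> tuple[list[str], list[str]]:
    """Return (hostnames, warnings) for a hosts-format block list.

    hostnames: de-duplicated, lower-cased names that are safe to turn into rules.
    warnings:  one message per rejected line (bad address, non-sinkhole address,
               malformed hostname), so a tampered or sloppy list is visible.
    """
    hostnames: list[str] = []
    seen: set[str] = set()
    warnings: list[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            warnings.append(f"line {line_no}: expected '<address> <host>...'")
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises e.g. '0::1'
        except ValueError:
            warnings.append(f"line {line_no}: {fields[0]!r} is not an IP address")
            continue
        if addr not in SINKHOLE_ADDRS:
            warnings.append(f"line {line_no}: {addr} is not a sinkhole address; entry "
                            f"would redirect {', '.join(fields[1:])} instead of blocking it")
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            if not HOSTNAME_RE.match(host):
                warnings.append(f"line {line_no}: {host!r} is not a valid hostname")
                continue
            if host not in seen:
                seen.add(host)
                hostnames.append(host)
    return hostnames, warnings


def to_unbound_config(hostnames: list[str]) -> str:
    """Render unbound local-zone/local-data lines answering 0.0.0.0 for each name.

    A 'redirect' zone also answers for every name *under* the listed one, so this
    is slightly broader than a hosts file, which matches exact names only.
    """
    lines = []
    for host in hostnames:
        lines.append(f'local-zone: "{host}" redirect')
        lines.append(f'local-data: "{host} A 0.0.0.0"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names, problems = parse_hosts_list(SAMPLE_LIST)
    for problem in problems:
        print("WARNING:", problem)
    print(to_unbound_config(names), end="")
```

Run it against a downloaded list instead of SAMPLE_LIST and review the warnings before including the generated file from unbound.conf.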


Someone on here recently recommended uMatrix for this purpose and I find that a nice trade-off between usability and request blocking.

It's an extension but given it's less opaque than a generic ad-blocker I feel more in control and that it's less likely to go 'rogue' like adblockers do.


Longtime uMatrix user here.

The most frustrating thing about UM (which is the same problem I had with NoScript back in the day) is that some scripts call other scripts. So, particularly when I'm trying to play an embedded video served by another site served through a CDN, the process for getting the damn video to play is something like:

Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist more scripts being loaded by the first batch of scripts -> reload -> whitelist some XHR references called by new scripts -> reload -> finally whitelist the actual media being served.


90% of the time, I just don't do that dance and not watch the video.


If you do it five times with some intelligence, you have rules that you can apply and have most things work most of the time from then on. It's really not a huge hassle and generally the malware-containing networks aren't the ones you are greylisting.


I copy the URL (CTRL-l CTRL-c), open a new terminal and try youtube-dl $URL


Yep, I do that often. It's apparently a very underrated tool because it can pretty much download most of the video content out there on the internet at large. But many people have no idea about it, even technical people.


I dumped that routine and just started pointing those video URLs at youtube-dl

vlc is a better video viewing experience (and better on battery) than a browser and you can usually start playing a partially downloaded file


Yes, a bit bothersome at times. But if I take the trouble to finetune worthwhile sites I run into, and make the settings permanent, life does get markedly easier after a while.

I rarely see an ad. I didn't see Troy's responsible sponsor message either. I should have and would have if he had chosen to display the thing without the need for scripting. So I don't feel hugely guilty.


I have uMatrix and uBlock. In my case it was uBlock blocking the ad, not uMatrix... or maybe I had whitelisted it before? Not sure.

edit: Okay, it's not blocked by default with uMatrix: https://i.imgur.com/B97lf35.png


uBO can block with pattern-matching URLs of network requests and additionally cosmetic filtering (hide DOM elements), while uMatrix works strictly with hostname of network requests and types of resources.


Keeping those whitelists synced or at least copied across devices can be a challenge. IIRC Noscript could save data to a bookmarklet for that purpose.


Use youtube-dl instead? It's win-win: you don't have to compromise your browser's security, and you get a permanent copy of the video that you can watch whenever you like and that the CDN can't comply with takedown requests on or otherwise maliciously bitrot.


For popular stuff switching to "global" and marking them as enabled helps reduce the song-and-dance for things like YouTube videos or common CDNs (e.g. Bootstrap)


Here's the thing, gorhill maintains uM and uBlock Origin and he is one of the most trusted names in several sec circles to the degree that ubo has been deployed in many enterprise settings. Is the elephant in the room by Troy 'well do you think gorhill will sell out for a measly 10k?' Or is the market for 'adblocking extensions' that inundated with shoddy extensions that simply serve as data mining tools and Troy wants to make us all aware?


I am happy with uMatrix, too, but FWIW, I could not recommend it to non-technical or impatient people. For many pages, I require multiple iterations of stepwise refining of what is and is not allowed before a site works for me.

I do not mind, but I can imagine it easily gets annoying for many people rather quickly. (OTOH, those people would not care to set up Pi-hole, either.)


I would rather spend some time setting up a solution with minimal maintenance than constantly be adjusting and tweaking my solution to get things to work just to browse the web. I use uBO because I rarely have to go in and tweak something, and it's mostly just a temporary pause on blocking. A pi-hole might be nice, but I like how plugins actually remove the spot where the ad once was so the site looks less like swiss cheese.


I consider myself a pretty savvy user, I'm not a web dev but I understand web technologies, javascript and all that and I simply can't use uMatrix decently. Am I supposed to audit every single external resource to whitelist it? For every website I may want to visit? I don't get it.

Ublock seems to do an okay job of blocking most ads and tracking stuff so I'll stick to that in the meantime but I would be really interested to see a uMatrix tutorial or something like that.


uMatrix takes time to grok. It made no sense to me at first. Over time I understood it and see it as a beautiful method of presenting data and using controls.

There is a very good YouTube tutorial of about 7 minutes that explains its use.


I also love uMatrix. Unfortunately it's not an option on mobile. You could theoretically install it in Firefox mobile for Android, but it would be so difficult to use. I also use a Pi-Hole. I see my Pi-Hole as the solution for mobile browsing and apps, where uMatrix is the better option for desktop browsing since it can differentiate between image requests vs. scripts, iFrames, cookies, etc.


It isn't any harder to use than on the desktop!

Instead of clicking on the uMatrix icon, you click on three dots and then on uMatrix

Rather than bringing up a small window, with all your settings, it brings up a new tab with your settings.

Other than that it is the same! And it will work when you are away from home without needing a VPN to a Pi-Hole.


uMatrix, while having a bit of a dense UI, is what I prefer as well.

I installed a pi-hole in my home network about a week ago, and it survived less than a week.

My wife likes using sites like eBates when she shops online, and it redirects her through a random sequence of tracking sites before landing on a site like the Gap. It caused all sorts of problems for her, as those sites were being blocked.

If I was going to keep the pi-hole running, I would have had to constantly be adding white list entries. Or, I could have manually created a black list from scratch. I was not interested in doing either.

I found that dropping a handful of domains in uMatrix got rid of most ads (but not tracking), and that was good enough for my uses.


> [...] it's also the fact that running an ad blocker means giving a third party an enormous amount of power over your browser.

That's why Safari's content blocker API is so great[0]. Creators of these extensions have no access to my data and it's faster than normal extensions to boot.

I'm using Wipr, which seems to work just as well as pi-hole on the example pages. Blocked his advert too, or at least I can't find it cough.

[0] https://developer.apple.com/library/archive/documentation/Ge...


Safari Content Blocker is pretty great but it's restricted to Safari only. So if you use Reeder, for example, to view articles then ads won't get blocked.

As an additional system-wide layer, I subscribe to Peter Lowe's ad block list with Little Snitch. Now I can block all outbound requests to ad servers system-wide.

As much as I like PiHole, I don't think it's a one-stop solution. It's generally easier to manage stuff locally on my system. I think the big advantage is for software that isn't as open (like iOS, tvOS, etc).

I find that working in layers instead of trying to find a singular solution is easier to work with and provides more flexibility.


+1 for this. Reading his whole argument I was like "I don't think this applies to Safari Content Blockers"…

There's no reason to have an ad blocker be anything other than local. Sure, it should be able to pull more rules, but during operation it should just match those rules. There's no need to have it be written in a language with e.g. XHR or whatnot.


Works for most basic ads. Unfortunately basic ads are a thing of the 90's. Does not work for most common ads nowadays, as youtube et al. run them from the same domain as other important parts the app/site needs to run. For these you have to use a different approach, like running an extension in the browser to block them.


I see pi-hole as the first line of defense.

With Pi-hole you can disable an adblocker when something doesn't work and still enjoy a fast web.

But Pi-Hole still blocks the majority of ads, so it is possible to use it exclusively if you just want to make the web usable again.

It's also great at home for family members who just want to surf faster and more privately and securely but don't mind a couple of ads here and there. Especially when it comes to mobile apps.

I also want to highlight that most domains that are blocked are usually tracking services, which make apps and websites incredibly slow and increase traffic to a large extent. I think blocking those "services" is the true beauty of Pi-Hole. Ad-tech is only the tip of the iceberg when it comes to commercialised tracking.


I'm amazed that something that (to me) as simple as an ad and analytics proxy running on the website domain isn't more of a thing yet. That will already circumvent a lot of ad blockers. Well initially anyway, the ones based on blocklists / patterns will probably be updated quickly.


You really think anyone wants to maintain something like that, let alone subsidize the advertisers' bandwidth costs?


If it's their main source of income, they would. Maybe advertisers could offer better rates since you'd be reducing their costs.


I hate ads as much as the next guy. This cat-and-mouse game has been going on for as long as I can remember.

But I have to wonder why the ad networks don't require content creators to place some "ad libraries" into the web servers or CMS systems directly, so that the ads are served exactly the same way as the content (same domain, same pages, etc).

That's my nightmare scenario. I figured it would have happened everywhere by now. I see it in a few places but it seems pretty rare.

Is it the heterogeneous server-side environments that are slowing down this approach?

If it ever takes off, what is the mouse to do?


Wondered that many times myself. I see several reasons:

(1) Their current tech still works on most users so it's not economically justified to invest several times more just to catch a few extra percent of the users (the tech-savvy) in their net.

(2) They are not technically savvy enough to figure it out (thank Cthulhu if that's true!).

(3) They do not want to pay for the extra bandwidth costs and to upgrade their servers. And they will have to do both because looking at any ad inspection article reveals that the ad/tracking bandwidth can be easily anywhere from 3x to 20x the bandwidth needed to serve the content itself. Furthermore, the ad/tracking tech uses elaborate scripting techniques to avoid part of the automated defenses of browsers or network devices. Running those scripts 24/7 increases your electricity bill significantly.

Overall I believe it's a case of "we could probably do better but we get a hell of a deal for the minimal investment we made". Which is really good for us the techies -- because they leave us alone -- but seriously sucks for everybody else.


ML that inspects content for ad-like behavior. Inspecting content of files or code and see if they match known adware, like an antivirus.


> Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog

Uh, sorry, but uBlock Origin blocks it. Also, does anyone else find themselves jumping straight into `reader view`?


I had a little giggle at him mentioning his ad in an article about pi-holes, since I run a pi-hole and don't see the ad.


It's about time this became a public discussion. Websites have become so horribly bloated, while most discussions seem to revolve around whether ads are acceptable or not.


Software in general has become bloated. The increases in performance, memory etc. in consumer hardware have been offset by the bloat.

Android P uses 10x as much memory as Gingerbread did; I don't feel as if there are 10x as many features.


To be fair, ads are the reason websites are bloated. I don't mind websites loading 50 MB if I'm in awe of the amazing multimedia presentation it's giving me. 50 MB of ads just... isn't.


That's not always true. Check out the new GMail, my new corporate account has no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.

In this case, the largest resources are Javascript and CSS (yes 1.2MB CSS files!). The weird thing is that it appears to be making requests with different cache-busting strings and getting resources that are the same size.

(32MB now, I haven't done anything on it since starting this post)


> Check out the new GMail, my new corporate account has no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.

The new gmail is the slowest web app I have ever used. It's gotten so bad I've started managing my email on my relatively snappy inbox iOS client.

It wouldn't be so bad if they didn't load so much crap, like the gchat functionality nobody has used since 2008.


The old HTML-only version still works. I just refreshed mine and got 19.11 KB transferred with cache disabled (about half that with cache).


Sadly I like the bundling of inbox far too much to switch back at this point.


Agreed 100%. Just getting it to load takes forever, and Google Calendar sometimes never renders for me (on latest Chrome for OSX-1).


There's been plenty of public discussion, albeit in the tech community [1]. It's a hard issue to sell to people outside because most people don't care if a website is downloading 1 MB or 100 MB.

[1] http://idlewords.com/talks/website_obesity.htm


Off-topic, but that Vollkorn font definitely styles 1s very weirdly. I thought it said I.I.I.I instead of 1.1.1.1 until I copied the text and pasted it somewhere else.


That's a common, traditional form for non-lining numerals (https://en.wikipedia.org/wiki/Text_figures)

Turns out, Al Gore doesn't like it, either: https://www.typotheque.com/blog/gores_choice


FWIW, https://www.fontsquirrel.com/fonts/vollkorn, shows they have a choice of styles for numerals. But the half height I appears to be the default.


It does say I.I.I.I. Awful font.


uBlock Origin allows you to block remote fonts and use system fonts instead. You can selectively enable them on a per-domain basis and, for cases like this, have them blocked by default.

With remote fonts enabled on https://www.troyhunt.com/mmm-pi-hole/

  24 requests 3.12 MB / 3.06 MB transferred

And with remote fonts blocked:

  20 requests 2.96 MB / 2.90 MB transferred

It's not just ads you have to worry about.


My only issue is if I haven't been to a site in a while it makes an error showing page not found or something similar, then a reload fixes it.

Otherwise, it's a godsend, especially on mobile. Though some...unscrupulous sites...I visit on mobile on some occasions still manage to redirect me to crazy shit. But I get way fewer ads pretending I have a virus.


With JS disabled, dailymail loads 603 files (6.8 MB), 590 of which are images.


I run uBlock Origin and noscript - even then I'm amazed with how much guff the UK Daily Mail website loads. From their perspective - you would think they would want to reduce the bandwidth to the servers as much as possible...?


I run uBlock Origin and uMatrix. And actually they do kinda care - I've tested their site on Chromium with no addons or blocking and noticed they lazy load most of those images (it loads "only" ~130 images) and about 400 requests in total (I only opted out from advertising using their GDPR dialog). If I opt in, it constantly pulls data, ~6 requests/second.


Pi-hole is cool, but only works on your home network unless you use a VPN to connect back home and funnel all traffic over the connection.

I'll continue putting my trust in uBlock Origin on FF for now, until I hear about any malicious PRs that get merged in /shrug/


You can wind up a Linux VDS with dnsmasq and blacklist of domains, then use it on any device everywhere.


If you trust your ability to secure a publicly-accessible DNS server. Pretty attractive target.

Also, you can't usually specify DNS servers on cellular connections. The VPN setup would address that.


As a subscriber to the Debian Security mailing list since 2013, I've got 2 emails on vulnerabilities in dnsmasq.

I don't think anyone should trust cellular connections at all for many reasons. Especially because my country (Russia) is the only one in Europe which has an office of CEIEC (Chinese surveillance gov company), which as of now makes Orwell's tales come true in Xinjiang.


> Also, you can't usually specify DNS servers on cellular connections.

From what I understand this is only iOS.


Don't buy a raspberry pi just for this, chances are you have some old windows machine you can slap Ubuntu server on and set it up easily. That's what I did and I have very little Linux experience.

My favorite thing about it is ad-blocking in mobile apps. I tried to use it with OpenVPN on my Android phone for ad-blocking when I'm on cellular data, but the speed was unbearable. I'm not sure if it was my crappy router or what; everything I read says that DNS routing should have a negligible effect on speed.

The downside of pi-hole as opposed to a browser extension is that it's more difficult to allow things when needed, and whitelisting specific URLs can be difficult and slow to take effect.


>Don't buy a raspberry pi just for this, chances are you have some old windows machine you can slap Ubuntu server on and set it up easily. That's what I did and I have very little Linux experience.

But this would require having a full-blown PC running 24/7 and increasing your electricity costs by at least a few bucks a month. It would be much wiser to buy a $10 Pi Zero W and put Pi-Hole on it.


I agree. The rpi will pay for itself in electricity cost savings fairly quickly.

Also a reason to use a dedicated NAS appliance. Instead of the 60W minimum idle that desktops have, you're at 1-10W idle with an rpi zero and NAS appliances.

Small laptops might have a more efficient idle though, so YMMV.


Have had Pi-Hole running on an old 10" netbook for a little over a year now. Set it up just to play around with it, wound up being a perfect machine for it.

Agree about ad-blocking on mobile. The killer feature with Pi-Hole is that you don't have to set anything up on each individual device; anything connected to your network suddenly has near flawless adblocking.


1) What would be the quickest way to get either a Pi-hole device or a router supporting that level of functionality (ad-blocking, and DNSCrypt) into the hands of normal consumers on a mass scale (e.g. completely non-technical users like my parents or grandparents)?

2) I know my next suggestion goes against net neutrality, but what would stop an ISP from doing something similar at the level of their router (or cluster of routers)?

Update: Actually for 2), some places that provide Internet access to their users who aren't ISP customers (e.g. businesses, malls, municipalities, colleges/universities/schools) could roll this out as well citing bandwidth savings (therefore cost savings).


>What would be the quickest way to get either a Pi-hole device or a router supporting that level of functionality (ad-blocking, and DNSCrypt) into the hands of normal consumers on a mass scale (e.g. completely non-technical users like my parents or grandparents)?

Sell it as a turn-key appliance in a box with three ports: Network in, router in, and power. Operate as a transparent proxy, automatically update, web interface on the inside port only, etc etc.

Biggest issue is ensuring it's got enough performance on both Ethernet ports to not bog down traffic.


This is excessive. Amazingly so.

I don't mind an ad or two. I don't want you siphoning my network and computational resources without compensation.


I think the news sites are thinking the same thing. "I don't want you to use my network and computational resources (to read the news) without compensation (watching our ads/mining our coin/etc)"


In that case, these news businesses should not be publishing content on the World Wide Web. Users pay for devices, electricity, and a monthly network connection. These publishers seem to be stuck in the last epoch. A website is not a finished product like a book or newspaper, it is publicly-accessible data. Users can scrape, restyle, delete, and add content _at will_ whenever they choose to download this content.

So the ideology of capital, which destroyed community morals, is now having its own tawdry ethics trashed. It's not news that the news is failing. This Author Wrote 7 Reasons Why You Can't Make 20th Century Business Web-Scale.


So what's the impetus for the news business to be available online? If the world wide web should be a free love utopia of data slurping why would these agencies, who have been built on the assumption that the creation and presentation of their data has an inherent worth? How do they get remunerated for their efforts? Or do they just never try to take advantage of this new epoch and die off, leaving us with a billion half-assed citizen journalists?


I would pay for a source of journalism that had any actual effort put in it and wasn't blatantly and hilariously wrong almost all of the time. Sadly news agencies don't fit that bill at all.


Read reuters, you don't have to pay for it.


So do you/would you pay for something like the New York times?


I see nothing wrong with them charging money for their work; they just can't depend on being able to exercise absolute control over the presentation, because instead of being dumb data to be displayed on a remote device it's code to be run on the end user's device.

You can't separate all the interesting aspects of this distinction and ignore the ones you don't like.


You are being compensated. You can visit their website and read their content. Feel you're not being compensated enough? Stop visiting that site.


You are being compensated...but you are not being informed for what.

As an example, let's say you borrow my truck. You compensate me for the use of my truck to move some boxes in town.

But then you use my truck to tow a trailer across the country. That is more wear and tear on the vehicle.

And then you take my personal information that is on my vehicle registration with my home address and sell that to an ad company.

Finally you return my truck with all sorts of junk that was collected while the truck was being used.


Except it is nothing like that.


When you go to a website are you informed how much bandwidth will be ad only?

How about what is done with your personal information?

When you visit a website are you shown which tracking cookies will be left behind?

You cannot stop visiting the site, once you have visited the ads have been loaded, the cookies have been dropped and your info has been mined.


For anyone not interested in setting up pi-hole, having a blacklist host file is just as effective for your local machine [0]. I have that full list set as my /etc/hosts file on a Streisand server [1] and run all my devices through that with IPSEC VPN. It's a little more flexible than pi-hole since you can use your mobile devices over LTE with it.

[0] https://github.com/StevenBlack/hosts

[1] https://github.com/StreisandEffect/streisand


For a hardware-free option let me plug my little weekend project called DNS Whisperer:

https://github.com/apankrat/dnswhisperer

It's been quietly spinning on our mail server for a couple of years and it works just as you'd expect it to. Block ratio is around 50%, with no notable effects on browsing experience. It also blocks various in-game ads on the iOS devices. I update the blacklist now and then, maybe once every 4-5 months if that, but it's largely maintenance-free.


> And yes, I'll chat to her about the Fox News situation as well!

Highlight of the article right here.


Highlight in terms of sketchiness. I maintain our home network, but I certainly don’t spy on the sites my partner chooses to visit. Or post them on a high traffic blog.


Hopefully he told her beforehand he's going to spy on her…


I don't really see why he had to make mention of it.


Exactly, heaven forbid we read different new sources to view different biases and takes on stories.


I managed to get it running on a few Intel Edisons (no longer supported by Intel) that were lying around. It makes browsing a stress free experience. For anyone looking to get it running on an Edison, check this out https://hello-w0r1d.github.io/Installing-Pi-hole-on-Intel-Ed...


There's an interesting discussion happening in the comments about the fact that Troy's (very low key, topically relevant, non tracking, entirely text based) sponsorship banner is being blocked by some ad blockers. I've found the same thing with Reddit ads (which also seem quite reasonable).

I'm conflicted, I'd like for there to be some mechanism where reasonably implemented ad systems can flourish.


Isn't this an admission the internet is not safe by default, and you need specialized knowledge and hardware to make the Internet safe(r)?

Xfinity/Comcast hardware (cable and WiFi integrated) works with the Pi-hole how? I can't change the DNS addresses on Xfinity hardware. Ok so I have to buy my own router, in which case Xfinity blames all problems on running my own hardware.

Another ISP with which I'm familiar, when I run my own router and assign DNS of my choosing (any: DNS Watch, Google, Cloudflare, OpenDNS, whatever), actually redirects the DNS requests to their own DNS servers anyway. The only two ways I've found to get around this are: always on VPN, or DoH using the Firefox+Cloudflare test they're running. In this case, it's deceptive having a router that permits me to assign DNS addresses of my choosing.

In either case it means distrusting ISP hardware, getting your own cable modem, or getting your own network router, and also a Pi-hole. It's esoteric knowledge. This is a remarkable industry failure.


>Xfinity/Comcast hardware (cable and WiFi integrated) works with the Pi-hole how?

Once the pihole has been set up and has an IP it becomes a DNS server; you then just tell your end devices to use the pihole's IP address as the DNS server.

DNS requests either go where you want (static IP addressing) or to Xfinity/Comcast (DHCP addressing).

And no, the internet is not safe by default, but neither is the real world.


> Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all. No images. No video. No script. No HTML tags. No tracking.

Even that is blocked by uBlock Origin with default settings. I wonder how it knows it is an ad?


Been using the pi-hole for a couple of years now. Can only say good things about it, as it also disallows porn and the such (which is good with kids in the family).

Sometimes, it's convenient to be able to switch it off quickly (as someone mentioned, certain sites will malfunction): so I created a simple Alexa task to turn Pi-hole on and off using voice, leveraging the pi-hole API.


Wow, Daily Mail, 2663 requests and 57.6MB transferred... just for visiting the homepage. That is a ludicrous amount of data.


I set up a Pi-hole recently, and it's been a good experience. Probably the one thing I always have difficulty with though is online streaming for TV channels. I tried whitelisting domains they used for their ads so that the shows would play; I ended up giving up after a half hour and pressing pause on the Pi-hole to watch.


Pi-Hole is great! Around 30% of the traffic is blocked on all my devices.

However, I would recommend adding a few more decent block lists to the default ones. Also updating these lists through a cron job on a more frequent basis is a good idea. Here's a script that you can use to set up pi-hole and additional block-lists: https://gist.github.com/user501254/1d4c8cb9f22fb51ae970f5fe0...

Also make sure you are using 1.1.1.1 as your secondary DNS service. This way, in case your Pi-hole running RaspberryPi is down, your devices would still be able to access the internet with some privacy.


Should be noted this is useful not just for ads, but also for devices phoning home and collecting metrics. Things like Win10, Netflix, smart TVs, etc. You don't have to use every blocklist on the planet if you don't want it to screw up normal web browsing.


It can be easy to bypass by having an IP / another DNS server hardcoded as a fallback. I would bet that some devices are already doing it.
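A defender's counterpart to the bypass described above, as an added example that is not part of the thread or of the Pi-hole project: it parses constructed gateway firewall log lines (iptables LOG style) and reports every LAN client that sent DNS traffic anywhere other than the sanctioned resolver. The Pi-hole address 192.168.1.2 and all log lines are constructed.

```python
"""Spot LAN clients that bypass the local Pi-hole with a hardcoded resolver.

Added example, not from the thread or the Pi-hole project. It reads constructed
gateway firewall log lines (iptables LOG style; NetFlow records would be handled
the same way) and reports every client that sent DNS traffic anywhere but the
sanctioned resolver. Port 853 (DNS over TLS) is included; DNS over HTTPS on
port 443 cannot be told apart from ordinary HTTPS by port and needs other controls.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set

PIHOLE_IP = "192.168.1.2"  # assumed address of the local Pi-hole (constructed)
DNS_PORTS = {53, 853}      # plain DNS and DNS over TLS

# Constructed sample lines in the style of iptables LOG output (not real captures)
SAMPLE_LOG = """\
Sep 26 10:00:01 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.2 PROTO=UDP SPT=51234 DPT=53
Sep 26 10:00:02 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.77 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
Sep 26 10:00:03 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.77 DST=8.8.4.4 PROTO=TCP SPT=40002 DPT=53
Sep 26 10:00:04 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=93.184.216.34 PROTO=TCP SPT=51300 DPT=443
Sep 26 10:00:05 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.90 DST=1.1.1.1 PROTO=TCP SPT=33333 DPT=853
Sep 26 10:00:06 gw kernel: some unrelated line without the fields we need
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Pull SRC/DST/PROTO/DPT out of one log line; None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dport": int(fields["DPT"]),
    }


def find_bypass(log_text: str, pihole_ip: str = PIHOLE_IP) -> Dict[str, Set[str]]:
    """Map each client IP to the set of non-sanctioned resolvers it contacted."""
    offenders: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if rec["dst"] == pihole_ip:
            continue  # went through the Pi-hole as intended
        offenders[rec["src"]].add(rec["dst"])
    return dict(offenders)


if __name__ == "__main__":
    for client, resolvers in sorted(find_bypass(SAMPLE_LOG).items()):
        print(f"{client} bypassed the Pi-hole via {', '.join(sorted(resolvers))}")
```

Devices flagged this way are candidates for a gateway rule that redirects all port-53 traffic to the Pi-hole, the usual fix for hardcoded resolvers.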


I was experimenting with a somewhat similar idea a few years ago, https://github.com/geuis/lead-dns.

I took the most recent block lists that uBlock Origin was using at the time and filtered out all the CSS-based selectors to just get the domains and URLs.

Unfortunately it basically broke nearly every site that I went to, in large part due to blocking some top-tier domains from Google I think.

You could run lead-dns locally on your machine, or on another machine on your network.

I still think it's a good approach and will be looking into Pi-hole since it's a lot more developed than my early experiment.


The last time I checked, the Raspberry Pi was considered unsuitable for use as an internet middlebox (or router) due to some kind of I/O bottleneck, having to do with (pardon the faded memory) its ethernet controller being attached to its USB controller instead of directly to whatever ARM's PCIe-analogue is, as well as its USB controller being a blob-encumbered Broadcom hunk-o'-jank.

Has this changed recently?

EDIT: Answer: probably not, but that's irrelevant because this Pi-hole appliance apparently just does DNS, not full traffic routing. Makes reasonable performance possible, at the cost of granularity.


There is clearly a mass market for preconfigured plug-&-play versions of this. Reminds me of the little bits they used to (probably still do) sell to go between landline phones & the jack to screen telemarketers.


You have to change DNS on your router or on each device so I don't think it could be entirely plug and play? Preconfigured + some instructions seems doable.


I could definitely see a world where a device like this fronts your home router and is zero config. Maybe a “super” router?


I'm currently using my own solution [1] based on Knot Resolver, a shell script [2] that creates a blacklist from multiple sources and DNS over TLS to 1.1.1.1. It doesn't have a web interface as complete as Pi-hole, but it's very lightweight.

To block ads when I'm not at home, I use WireGuard and pass DNS traffic through it.

[1] https://github.com/hectorm/hblock-resolver

[2] https://github.com/hectorm/hblock


This might be a dumb question and me missing something: Is it technically possible for someone to set up a PiHole DNS service similar to how Google has 8.8.8.8? It would be a much better user experience in my opinion to just set a different DNS than to have to set up a new machine on your network.

Monetizing such service sounds tough as you have very minimal leverage over the users (by design!) but perhaps a Patreon/Foundation would be sustainable, similar to how Wikipedia is? Perhaps it could be bundled to a VPN service?


You really want someone you trust as a DNS provider.

It would be easy to exploit people and as you say it's basically impossible to monetize. There would be motivation to do so.


Since he was pointing out scammers buying popular extensions: I would like to mention that this is a chrome specific problem. Something like this isn't common with firefox addons.


I'd also recommend turning off auto-updates for extensions (which is possible in Firefox). You also get a page with pending and recent updates, complete with release notes if the addon author provides them.


Pi-hole is so important to me that I am unwilling to use the web without it. I also will not use Microsoft Windows without it. The Mozilla DNS over HTTP project concerns me because of this. If DNS over HTTP becomes the default for most software then I will have a serious problem.

Don't bother trying to tell me this will be optional. Absolutely nothing will make me trust you after the Mr. Robot incident. I would cut off two fingers to use Safari on Linux and Windows.


To address your last: I am rebuilding my career lately and working towards an income where I have several thousand $ free every month so I can just buy a maxed out iMac Pro (~$13,500 I think) in 6-8 months and only use my PC for gaming.

Already fully invested -- a MacBook Pro, an iPhone X, an iPad Pro. Only thing missing is a desktop machine.

The fellow technical crowd in HN and Reddit loves to crap on Apple for "slowing down progress" but Safari is a very solid browser. Between a good ad blocker and reading mode, it actually gives you control and styles pages for... you know, reading. I really like Safari on all my devices because it allows me to consume content how I want and forces the websites to behave.


Are there similar projects but running on DNS-over-HTTPS(/TLS)?

That way one could configure only the browser to use this and it would also work on phones that are using LTE (and not adblocking when using home Wi-Fi only) [0].

[0]: https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1...


You can run argo-tunnel/cloudflared on it and use that. You'd still be taking plain-old-DNS in, but the arguments in favor of DNS-over-HTTPS aren't as strong on a network you control.

I don't think anyone has written custom DoH stuff you can easily run yourself yet.


You don't have to run it on a Raspberry Pi! I have a little server under our stairs, with the Proxmox Hypervisor (KVM + LXC with a lovely GUI) on it. It's free and you can fire up VMs etc. PiHole is an LXC container. Seems silly to "waste" a bit of hardware when most people here will have access to some form of virtualisation. I've given it 256 MB of RAM and it runs fine.


I've been using Privoxy.

Killing two birds with one stone here: proxying access through a VPS to hide the home IP address && blocking ads.

Apart from it occasionally blocking legitimate sites that begin with the word "ad" (something like, say, "adrian.blog.thing"), it works great. Because it's an HTTP proxy, it offers an interface for bypassing these unintended blocks.


Proxomitron, which Privoxy was inspired by, has a few patches which make it filter HTTPS too (you need to install a certificate for MITM, obviously.) As more sites use HTTPS the ability to filter their content becomes more important too.


If it's a dumb string-start check then that could be a lot of false positives. How often has it been wrong?

I personally hate wondering why something's not working and having to go through every extension to debug my browsing session.


Quite rarely in practice.


Pi-Hole is beautiful and open-source. As long as it doesn't get too popular, tech savvy people can continue to enjoy network wide content blocking.

Consider supporting them (but not too much ;): https://www.patreon.com/pihole


Why the "not too much"? IIRC Adblock was "compromised" in a way because it was more profitable for them to make deals with advertisers. If they made more money off of donations they wouldn't need to sell out.


Well, it was kind of humourous, based on the idea that ad-tech will switch to first-party proxies when too many people use Pi-Hole.

But on a more serious note, it is simple products like AdGuard DNS which will probably make Ad-Tech sweat more, because it's so easy to use for average users.

Adblock was compromised due to lack of integrity imho.


Pi-Hole is a bit different too in that they do not maintain any block lists. It does come pre-installed with several lists, but maintained by 3rd parties. It's also very easy to add items to the block lists or import new lists. I think having this separation of powers is wonderful and will aid in the protection of the project.


Is it possible to chain DNS servers or do multiple lookups for one request? For example, a DNS server that specializes in malware/antivirus checks, and one that blocks ads etc?

I realize it's not performant, but it makes it hard to choose a DNS provider when several have different features you like.


I've been running pi-hole for over a year now, it just works.

To make it easier to install and maintain I used this dockerised version https://hub.docker.com/r/pihole/pihole/


I tried pi-hole but my family couldn't make it work. Pihole blocks a lot of content they want to see, for example, email newsletters from our city gov. I understand why (privacy/tracking concerns) but it was just blocking too much and frustrating non-technical users in my house.


A lot of these list maintainers put a lot of work into not breaking things, but there are just too many websites out there to know if a block breaks one of them or not. Send the list maintainer an email - or if they are on Github/Gitlab open a ticket and have a discussion. I think you'll find many of them are happy to remove breaking domains. Of course whitelisting is always an option too if the list maintainer disagrees with the removal of a domain.

Also, there is a popular whitelist project for the Pi-Hole that can make it more user friendly: https://github.com/anudeepND/whitelist


I spoke directly with the pihole maintainers. They took a hardline position that them blocking email from my city was the right thing to do because it used click tracking or some other metric gathering and was deemed a privacy risk.

I understand the devotion to a cause but it was too myopic for me.


As far as I know, the pi-hole maintainers do not maintain any of the default block lists. I maintain a list [1] that is then fed into the popular host list by Steven Black [2] - which is a default list.

I definitely do not want to break things for people and I'm happy to remove any reasonable domains from the list. I wouldn't consider Google Analytics a reasonable one to remove - but you get the idea. I hate to hear you had a bad experience of it. If my list had the breaking domains for you, I would have loved to have a ticket opened where we could discuss it. Sometimes it isn't clear cut between ads & tracking and useful services.

[1] https://github.com/lightswitch05/hosts

[2] https://github.com/StevenBlack/hosts


As commented below, we don't actually maintain any of the lists, so that wasn't us you spoke to!

You can configure the lists that you use to suit your needs. You can also whitelist any domains that you need. It's up to you what you ultimately block!


Yes, it was. In fact, I think it was you personally, lol.


Hmmm, not sure I recall. Mind linking back to the conversation? Point is, we don't choose what domains are blocked or not, so there is nothing we can do except ship with a default whitelist. But we're not going to do that either, if we were to start doing that... what's to say we wouldn't whitelist something more nefarious.

It's safest for us, and our reputation, to stay out of the finer points of the actual blocked/not domains and instead defer to individual list maintainers who make that their business.


Can't find it, it may have been on chat.

But I did find a very similar request here with a work around: https://www.reddit.com/r/pihole/comments/49ckht/feature_requ...

So I understand you don't control the lists, but you do control the OOBE and it seems like it might not be working for some people.


That post is 2 years old, and the OP understood and was ok with the outcome...

OOBE is either 1) leave suggested defaults as is, 2) don't use those lists.

Option 2 is available in the installer before you're even up and running. There is only so much hand holding we can do, to be fair. We have an extensive support community, and plenty of documentation, and yes, whilst I agree some users may fall between the cracks, the majority are able to find a solution to their problems.


There is no doubt that pihole works for some people. I'm just giving my honest review: it didn't work for me. It blocked too much. I asked for guidance and got a lecture about privacy.

And I did find a solution, just not with your product :)


Don't they have some kind of whitelist you can use?


Yes, they do. This story is very inaccurate.


You can whitelist but it isn't easy for non-technical users and becomes a huge chore.

And this story is 100% accurate. I'll try and find it.


I found the same thing with emails sent from an airline. It was frustrating because I did actually want to follow the links in the emails as they were to do with a flight I was taking.


You can whitelist domains, you can add to the blacklist or you can temporarily disable pihole (5-10min whatever) while you do something.


Yup, I temporarily disabled it and life was good.

But I can understand how this would frustrate people, especially when they don't know how to disable it or aren't given the password.


What about WS2811s with a pushbutton to temporarily disable, or a pushbutton on one of the GPIO pins, with the switch in a central location?


The included dashboard with the pi-hole is incredibly easy to use, so I just have it bookmarked on all our browsers in case someone in my family needs to pause it or whitelist/blacklist a site. We barely ever have to touch it though, mostly just to update the blocklists occasionally.


I was thinking use-cases for house guests or very non-technical folks (what is a bookmark?).


Arcade button[0] mounted on the RPi that initiates the 5 minute pause script?

[0] https://www.adafruit.com/product/1185


Yes!!!


Guest wifi network which doesn’t go through the pi?


Yes you can. But having non-technical people verbalize the need to whitelist a domain is incredibly painful.


That's interesting. There's another comment further down saying it broke stuff too, but I've honestly never had that happen. The most I've ever seen it "break" anything was formatting issues when people didn't declare the ad div size.

To be fair, we're very light/casual web users as most of my hobbies/entertainment are physical electronics and my wife/kids mostly watch Netflix/Stan or just browse reddit/news sites.

I'm sure there's plenty of stuff it breaks (due to how it works and how complex modern sites/web-apps can be), I've just been lucky that all of the sites we use seem to work fine.


> The most I've ever seen it "break" anything was formatting issues when people didn't declare the ad div size.

Haha, I remember some years back a popular C++ programming site would break if you didn't have an adblocker because someone had put wide header banner ads in both of the side banner areas, shrinking the text to a single word column in the middle. I guess they only tested their website with adblockers on...


They may be suffering in silence. Ask them if any sites or emails seem broken.


I'm very curious why it would block city gov. I've been running it for over a year on my server and I have not heard a peep out of any family members complaining about not reaching anything.


A lot of newsletters use click tracking. These scripts are blocked with a full block list, making everything unusable. It's often affiliate stuff and the newsletters that do this stuff


If you have a router that already uses dnsmasq (or a simple hosts file) there is the dnsgate script that basically does the same thing: https://github.com/jakeogh/dnsgate


There are a couple of downsides to pi hole, anytime a page doesn't work I'll have to turn it off and check the page again. And you only block domains so if you want to block Google analytics you can but you can't access their website without turning it off


This project could be improved by using pi-hole and unbound (docker images available). Unbound is a caching recursive DNS server. In an article all about hijacking and trust of 3rd parties, I find it amusing the author saw fit to point to cloudflare's DNS.


Honestly, considering how cheaply you can implement this (I resurrected an unused OrangePiZero), how easily it can be used (just plug it into a router LAN socket), it's crazy that the creators aren't actively looking to monetize this


I've tried using Pi-hole a few times in the past, but I always end up shutting it down again. It breaks too many things, and it doesn't block as many ads as a browser-based adblocker does. I wanted to believe, though.


Also, you can get dnsmasq block lists from several places.

https://pgl.yoyo.org/as/ has lots of formats.


I've been running this for two years at home and at work and it's a God-send.

I love the ability to block SM on my networks. FB can get to be such a distraction with employees.


It's easier for me to replicate this functionality myself. I run unbound with a domain name blacklist. Same functionality, no need for additional hardware.


One of the great things about using unbound is how easy it is to blacklist entire domains, without having to know the name of each subdomain ahead of time. I've been doing what pihole does for over ten years using pfSense. I'm up to 437,000 fully qualified domain names blocked, and over ten thousand domains blocked outright. It has been years since I've seen an ad.
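The hosts-file approach from the StevenBlack comment earlier in the thread and the whole-domain blocking this comment describes differ in exactly one way, which this added example (not code from the thread, from StevenBlack/hosts, Pi-hole or Unbound) makes concrete: it parses hosts-format lines, shows that a hosts file matches only the exact names it lists, and emits Unbound `local-zone` rules that also cover every subdomain. All sample entries are constructed.

```python
"""Hosts-file blocklist vs. Unbound local-zone blocking.

Added example, not code from the thread, StevenBlack/hosts, Pi-hole or Unbound.
A hosts file answers only for the exact names it lists, so "cdn.ads.example.net"
slips past an entry for "ads.example.net". An Unbound
'local-zone: "name." always_nxdomain' rule covers the name and everything
beneath it, which is why whole domains can be blocked without enumerating hosts.
(dnsmasq's address=/name/ form behaves the same way.)
"""
import re
from typing import FrozenSet, List, Set

# Constructed sample in hosts-file format (not the real StevenBlack list)
SAMPLE_HOSTS = """\
# Title: constructed sample
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 metrics.example.org metrics2.example.org
192.0.2.10 fileserver.lan
"""

# Loopback names present in every hosts file; they are not block entries
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
# Addresses blocklists use as a sinkhole; anything else is a real host mapping
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+$")


def parse_hosts(text: str) -> Set[str]:
    """Return the blocked hostnames from hosts-format text."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRESSES:
            continue  # genuine address mapping such as a LAN file server
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or "." not in name or not HOSTNAME_RE.match(name):
                continue
            blocked.add(name)
    return blocked


def hosts_blocks(blocked: Set[str], name: str) -> bool:
    """A hosts file only matches names exactly: subdomains slip through."""
    return name.lower().rstrip(".") in blocked


def unbound_blocks(zones: Set[str], name: str) -> bool:
    """An Unbound local-zone covers the zone apex and every name below it."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def to_unbound_zones(blocked: Set[str], whole_domains: FrozenSet[str] = frozenset()) -> Set[str]:
    """Merge per-host entries with whole domains, dropping names a parent zone already covers."""
    zones: Set[str] = set()
    # Parents have fewer labels, so processing by label count keeps only the widest zone
    for name in sorted(set(blocked) | set(whole_domains), key=lambda n: n.count(".")):
        if not any(name.endswith("." + z) for z in zones):
            zones.add(name)
    return zones


def render_unbound(zones: Set[str]) -> List[str]:
    """Lines for the server: section of unbound.conf (or an included file)."""
    return [f'local-zone: "{z}." always_nxdomain' for z in sorted(zones)]


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    zones = to_unbound_zones(blocked, frozenset({"example.org"}))
    print("hosts file blocks cdn.ads.example.net:", hosts_blocks(blocked, "cdn.ads.example.net"))
    print("unbound blocks cdn.ads.example.net:  ", unbound_blocks(zones, "cdn.ads.example.net"))
    print("\n".join(render_unbound(zones)))
```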


I run AB-solution.info on my Asus router for the same effect without the need for extra hardware besides a USB stick. Highly recommend it.


I run a dns server with BIND for my local network. Is there some equivalent way to get this functionality without using a Pi?



The aria.microsoft.com domain is for analytics and client metrics for probably some microsoft produced app you’ve got


If DNS blocking catches on, couldn’t ad networks just do DNS in the cloud and return IPs directly in the JavaScript?


Meanwhile, I use both pi-hole + ublock origin for my browsing experience contrary to Troy's initial statement.


Does this work with Hulu and other things that try to prevent content loading if the ads are blocked?


Does this impact gaming latency performance? I play Quake Live so every ms is important for me.


For DNS? No - it makes no difference. DNS happens generally before you establish the connection.


just an FYI: you can also install this on your rpi if you're using archlinux: https://aur.archlinux.org/packages/pi-hole-server


Edit: I'm an idiot didn't realize hacker news was actually paginated


It isn't silently hidden at all, it's just on the second page because this story has many comments


Thank you I feel silly I don't think I have ever even noticed the more button at the end.


No worries, I think it only gets turned on (sometimes temporarily) for stories with high volume


Are you using linux or did you get this running on a Mac ?


2663 requests over 17 minutes? Is there a Poe's law for the web?


Troy's perspective seems to be lacking in several levels. The first thing is the nature of advertising. Advertising is an attack on the client to convince him to believe and ultimately to act in ways that could not be contrived through honest communication. It is an attempt to manipulate.

Even his very benign banner represents an attempt to manipulate. A company buying such a banner wants an author to speak as he wouldn't naturally, to give a degree of attention to the sponsor's content that he wouldn't naturally, inspiring us to give an unnatural degree of regard to the sponsor by implying that he does, by plastering it on the top of his website.

He expresses that blocking this attempt at manipulation is "unjust". Hi Troy, as soon as your content leaves your website and runs on my computer there is no moral dimension to how I choose to display or not display elements.

In the larger context he believes that the larger struggle is to find a way to fund creators through acceptable manipulation that merely tries to hack your brain but doesn't hack your computer or take up your whole screen.

Maybe when there are a billion people out there blogging and the infrastructure to reach hundreds of thousands costs $20 per month nobody is going to pay you to blog.

Most of the intellectual property out there isn't scarce and you are going to have to convince at least some of your readers that they ought to take the affirmative step of paying you to create because they value your work. If you can't you'll have to pay the $20 a month yourself and create in your spare time.

Acceptable manipulation isn't an avenue I'm interested in supporting.

Incidentally the pi-hole is an interesting but pretty bad solution. It is just technical enough to discourage 90% of people from ever trying it, worthless outside your home network, and requires even those interested to actually pull out their credit card and wait for shipping. This is enough to convince another 99% not to do it. If the website doesn't work with this dns based blocking OR you want to show ads to support that site this is in theory possible but only if you log in to another machine and edit its list over ssh?

Whereas ublock origin can be installed by anyone in seconds for free, works everywhere, and can be selectively disabled on a particular site in 2 clicks. This is why almost nobody uses a home dns server but adblock extensions are becoming prevalent.

Troy also tries to throw shade at extensions by suggesting that any particular extension could be bought by malware authors. This is a legit threat model we should all think more about but it applies to all software including the developers of pi-hole.

"The last temptation is the greatest treason. To do the right deed for the wrong reason." -- T S Eliot

Troy doesn't want us to avoid extensions so we don't get compromised he wants us not to run adblock extensions because they block his source of revenue.


uBlock Origin in medium mode, to block 3rd party scripts and frames, is much more effective; it's not dependent on any lists.

I'd also never point to the Cloudflare resolver 1.1.1.1, nor to Google's. Use your VPN's DNS or Quad9 9.9.9.9


What is your recommendation based on? Why don't you trust Cloudflare but trust Quad9?

