I know what the original intent is, but still- I found this quite humorous.
Still, this seems like a very nice noob-friendly guide, and that's a very good thing when VPNs are concerned.
The funny thing is that I've been thinking something similar during Christmas. I now know that I'm not the only one thinking about taking days off work to sort out my backups and network :-)
Blocker extensions are nice because you can selectively disable them or open an incognito tab in cases when you need to bypass the list. Easier than temporarily changing your DNS server to 188.8.131.52, etc.
Still, nice to have automatic adblocking for all devices in the house.
It seems to be well curated. Breakages are rare, and if there is one, you can file a bug.
If anyone has a good solution for the overprotectiveness of the Pi-Hole, I'd love to hear it!
Then, only on your own phone/laptop/etc, manually configure your pi-hole as the DNS server for the corresponding home Wifi network. So only the devices you manually configure will use the pi-hole.
Also, you can create a shortcut on your phone's home screen to disable pi-hole for x minutes with a single click (without having to log in); see: https://discourse.pi-hole.net/t/is-there-an-api-command-to-d...
Another idea might be to remove all blocklists in pi-hole, and only add this list: https://github.com/StevenBlack/hosts
There is one particular website that is extremely popular, I can't remember what it is now but it has blocklists showing which are likely to cause false positives.
Only add the ones with a checkmark.
Jokes aside, it'd be nice if there were easier ways to mark certain groups of ads as okay. For instance, if I'm paying for a streaming service at the "comes with ads" tier, I'd actually prefer to allow those ads, without having to figure out which ad domains Hulu is using.
The biggest reason to go for the network level block though is convenience across many devices, as you said, as well as blocking tracking and ad domains that aren't running in your web browser: Apps themselves now come with ads that tend to be a lot harder to block on the device.
I don't know why you'd want links that you intentionally click to be broken. ;)
This is why a rewrite proxy is better than a simple DNS blackholer. Unfortunately a side effect of https ubiquity is that rewrite proxies are much more complex to deploy, even on your own local machines.
The greatest offenders were phone apps and roku TV. Also roku tv scans your HDMI data stream (if you connect your laptop to the Roku TV) which is purely evil!
Also worth noting that to have Pi-hole recognize and block over 50% of the requests, constant gravity updates are required (I have over 3.5M unique domains in my block-list).
Also get a VPN for your phone. All traffic on my iPhone goes through pi-hole (check the OpenVPN and DNS Override iPhone apps in the store).
"When you use a Roku TV with the Smart TV experience enabled, we also receive information about what you watch via the Roku’s TV’s antenna, and devices connected to your Roku TV, including cable and satellite set top boxes. Using technology such as Automatic Content Recognition (ACR) technology, we receive information such as the programs, commercials, and channels you view, the date, time and duration of the viewing, and how you use the on-screen TV guide. When you use a Roku TV with the Smart TV experience enabled, we use this information to personalize your TV viewing experience and advertisements. Please visit Settings > Privacy > Smart TV experience on your Roku TV to learn how you can enable or disable the Smart TV experience. To understand your choices, see Part IV, Section F below."
2) Steve Black's hosts file
3) uBlock Origin
3 = most conservative filtering configuration that can easily be tweaked from the browser
2 = use modules (-e gambling -e porn etc)
1 = most basic blocking configuration
Pro tip: if you can live with not accessing Unicode domains at all (a countermeasure against domain squatters and some phishers), patch your dnsmasq and add this in dnsmasq.conf:
EDIT: for mobile I used to have a VPS running OpenVPN. Make Android connect to the VPN by default, routing all traffic through it. Run something like OpenSnitch to MITM and whitelist the mobile traffic and sinkhole the stuff you want to get rid of. This isn't for the faint-hearted, since new versions of apps might make different API calls and break your rules. Apps will just stop working. If you only have 2 or 3 apps and want to kill traffic from built-in carrier spyware, it works nicely and is well worth the effort. Nice way to study what your device does. https://github.com/evilsocket/opensnitch
I also set up my home pfSense router to route all traffic through it (via an IPSec/IKEv2 tunnel). This works great, except when we're using Netflix or Amazon video -- I have to turn it off since those services block DigitalOcean IPs. Still haven't figured out how to configure the pfSense tunnel to route requests to those services through my ISP instead.
I'm using a similar setup. I have my ISP's router in bridge mode, an ERLite‑3 router by Ubiquiti, and a NAS server by Synology. It could've been a router by PC Engines, a Router7, an unRAID, or a Pi too. Ever since I got the Synology NAS (which can run Docker) my Pi is gathering dust.
The NAS runs Docker and uses PiHole (dnsmasq)/Unbound to take the main traffic. The ERLite‑3 router is second choice and uses PiHole/Unbound as well. The setup provides redundancy. All DNS traffic not generated by the router and not coming from the NAS is redirected to the NAS. Both PiHoles have each other as redundant server as well. Both utilize Quad9's DNSSEC servers with DNS over TLS. Though I suppose ideally you want DNSCrypt, this should also be possible with Quad9. The advantage is that this is going to work on any client. Since the ERLite‑3 allows WireGuard (and only that; no OpenVPN or OpenSSH or anything), clients such as my smartphone or laptop have secure and ad-free internet. Since I'm also using Quad9's blocklist, things such as porn are also blocked. The only caveat is that these clients have access to my LAN. While that's intentional, it increases the attack surface of my devices. I shouldn't trust my wife's devices on the LAN remotely. Then again, all internal LAN services are behind strong passwords.
With AT&T I can't do a true bridge mode or use my own modem. Their gateway has to do the authentication to the network and I'm stuck with it if I want gigabit fiber. People on dslreports lost a good bit of bandwidth on a gigabit connection writing rules on the edge router to authenticate back through the gateway.
If you put your ISP's router in bridge mode: no.
If you put the Ubiquiti router in bridge mode: yes (but it allows you to have bridging between WLAN and LAN whilst still on separate ports).
For instance I used to run a VPN on a free tier micro instance, and I remember not being able to hit Yelp or StackOverflow from a VPN.
The bonus is my girlfriend noticed the coloring app on iOS she uses doesn't have banner ads and after she's done with a picture, there is no longer popup advertisements.
I only had to make one whitelist so far and it was graph.instagram.com otherwise the app completely doesn't work.
For the lazy, someone other than me made scripts to both pi-hole (dns) setup and pf (firewall) setup to block on network level too.
The scripts themselves are very easy to read and vet for bad stuff.
But thanks for the link to the OpenBSD port, I'll definitely look into that! For some reason I thought it was only implemented as a Linux kernel module.
If you're running OpenWRT, you can install adblock via opkg and there's even a LuCI extension for the web interface.
This blocks the majority of ads on my Roku TV, though YouTube is almost impossible.
And what kind of workarounds/remediations are available to deal with this, ideally in a user-friendly way for non-technical users?
As for what is seen when a site fails - well, it could vary. If a JS file fails to load, the site will either look bad or not load at all. And yeah, some apps may have issues, but pihole comes with a built-in query log so you can see which devices just made which DNS queries, along with an easy-to-click whitelist button.
There are different blocking modes you can choose from that return different response codes, so you can choose what works best for your environment: https://docs.pi-hole.net/ftldns/blockingmode/
I would recommend checking out the pihole discourse (https://discourse.pi-hole.net/) or subreddit. The community is very active.
For working around it when it does happen, the UI is easy to use - go to http://pi.hole, login, and then you can disable it for 10s/30s/5m, or whitelist it if it is something you are going to use a lot.
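The query-log-then-whitelist workflow described in the comment above, as an added example that is not Pi-hole's own code: it parses dnsmasq-style log lines of the kind Pi-hole writes to /var/log/pihole.log, attributes each "gravity blocked" line to the client that most recently asked for that name (the blocked line itself carries no client address), and prints the `pihole -w` whitelist commands for one device. The exact line shapes are assumptions modelled on the dnsmasq format, and the sample log is constructed.

```python
"""Per-client view of a Pi-hole/dnsmasq query log, to decide what to whitelist.

Added example, not Pi-hole project code. Assumptions: the log uses dnsmasq's
"query[A] <name> from <client>" lines and Pi-hole's "gravity blocked <name> is
<answer>" lines; the sample below is constructed, not a real capture.
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
BLOCKED_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:gravity blocked|blacklisted|regex blacklisted) "
    r"(?P<name>\S+) is (?P<answer>\S+)"
)

# Constructed sample: one client hits a blocked API host plus a normal site,
# another client hits a blocked ad domain over IPv6.
SAMPLE_LOG = """\
Jan  9 20:01:02 dnsmasq[812]: query[A] graph.instagram.com from 192.168.1.23
Jan  9 20:01:02 dnsmasq[812]: gravity blocked graph.instagram.com is 0.0.0.0
Jan  9 20:01:03 dnsmasq[812]: query[A] www.example.com from 192.168.1.23
Jan  9 20:01:03 dnsmasq[812]: forwarded www.example.com to 9.9.9.9
Jan  9 20:01:03 dnsmasq[812]: reply www.example.com is 203.0.113.10
Jan  9 20:01:05 dnsmasq[812]: query[AAAA] ads.example.net from 192.168.1.40
Jan  9 20:01:05 dnsmasq[812]: gravity blocked ads.example.net is ::
"""


def summarise(log_text):
    """Return {client: {"queried": set, "blocked": set}} for the given log text."""
    stats = defaultdict(lambda: {"queried": set(), "blocked": set()})
    last_client_for = {}  # name -> client that most recently queried it
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_client_for[m["name"]] = m["client"]
            stats[m["client"]]["queried"].add(m["name"])
            continue
        m = BLOCKED_RE.search(line)
        if m:
            # The blocked line names no client; pair it with the pending query.
            client = last_client_for.get(m["name"])
            if client is not None:
                stats[client]["blocked"].add(m["name"])
    return dict(stats)


def whitelist_commands(stats, client):
    """Pi-hole v5 CLI lines that would whitelist everything blocked for `client`."""
    blocked = stats.get(client, {}).get("blocked", set())
    return ["pihole -w %s" % name for name in sorted(blocked)]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for client, info in sorted(s.items()):
        print(client, "queried:", sorted(info["queried"]), "blocked:", sorted(info["blocked"]))
    print("\n".join(whitelist_commands(s, "192.168.1.23")))
```

Run it against the real file with `summarise(open("/var/log/pihole.log").read())`; review the blocked set for a device before pasting any `pihole -w` line, since whitelisting an app's API host (the graph.instagram.com case from this thread) is a deliberate trade, not a bug fix.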
When you talk about turning it off briefly, is that for all sites and users?
Typically you go into your router's DHCP settings and populate DNS with the pihole DNS, or disable DHCP on your router and let pihole do DHCP. The gotcha is if you have an ISP-supplied router which has no DHCP interface at all: no way to disable it, no way to customize DNS. All of Xfinity's hardware now does this for residential; you have to pay for business service to set DNS servers.
So when a device in my network connects it gets an IPv4 and the pihole DNS for IPv4, but also gets an IPv6 and my ISP's DNS for IPv6.
As I've noticed, all OSes prefer resolving names over IPv6, making the pihole useless.
The only solutions so far are disabling IPv6 which is a shame or setting DNS manually on each device which is impossible on Android.
The way I get around this is by putting all of my devices behind another router, and treating the ISP router as if it is part of an external network. It introduces a second layer of NAT (ISP router gives my router a 192.168.0.x address, which it treats as its WAN IP; devices get a 192.168.1.x address), but in practice it's caused me no problems. I've been running a similar setup for close to a decade now.
For me it was worth it to spend the money and have full control over my hardware.
Presumably you'd need a way to inject a cert into the Apple TVs trust store as well, and I'm unclear if that is possible. Perhaps with a developer license?
I use the service so much I don't really mind paying for it.
I'm curious what this means. AFAIK the only way your ISP could make network requests that appear in Pi Hole is if they're running some kind of software within your network.
I can still use the Pi-hole, but I have to set up the DNS manually for every device. Quite a pain in the ass.
Disclosure: I work at ba.net
TOS is here https://ba.net/adblockvpn/privacy1.html
It has worked well for my home network for months and requires a single one-time configuration (change DNS settings on router).
1. git clone the pihole repo.
2. run automated install/basic install.
3. configure router's DHCP to assign a static IP to the pihole server, and distribute its IP for DNS.
4. release/renew some other device's IP.
5. browse to a site, then check the pihole console to see if it worked!
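A client-side check for step 5 above, and for the IPv6 resolver leak raised earlier in the thread (the device gets the Pi-hole over DHCPv4 but the ISP's resolver over IPv6). This is an added example, not a Pi-hole project script; the Pi-hole addresses and the test domain are assumptions set via environment variables, and the two functions take their input as strings so they can be exercised without a network.

```sh
#!/bin/sh
# Added example (not Pi-hole code): verify a client actually uses the Pi-hole.
#   check_resolvers  - given resolv.conf text and the Pi-hole's addresses, report
#                      every nameserver that is not the Pi-hole (IPv6 leak case)
#   classify_answer  - given `dig +short <name>` output, say whether the name was
#                      sunk (NULL mode), absent (NXDOMAIN/NODATA mode) or resolved
# Assumed values; adjust for your LAN:
PIHOLE_ADDRS="${PIHOLE_ADDRS:-192.168.1.2 fd00::2}"   # Pi-hole IPv4 and IPv6
TEST_DOMAIN="${TEST_DOMAIN:-doubleclick.net}"          # assumed to be on the blocklist

# Usage: check_resolvers "<resolv.conf contents>" "<space-separated pi-hole addrs>"
# Prints one LEAK line per foreign nameserver; returns 0 if all are the Pi-hole.
check_resolvers() {
    rc=0
    for ns in $(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'); do
        found=0
        for ok in $2; do
            [ "$ns" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "LEAK: nameserver $ns is not the Pi-hole"
            rc=1
        fi
    done
    return $rc
}

# Usage: classify_answer "<output of dig +short name>"
classify_answer() {
    case "$1" in
        "")          echo "blocked-nxdomain" ;;  # empty answer: NXDOMAIN/NODATA mode
        0.0.0.0|::)  echo "blocked-null" ;;      # sink address: NULL mode
        *)           echo "resolved" ;;          # a real record came back: not blocked
    esac
}

# Live run only on request, so the functions can be sourced or tested offline.
if [ "${PIHOLE_CHECK_LIVE:-0}" = "1" ] && command -v dig >/dev/null 2>&1; then
    check_resolvers "$(cat /etc/resolv.conf)" "$PIHOLE_ADDRS" || true
    echo "$TEST_DOMAIN -> $(classify_answer "$(dig +short "$TEST_DOMAIN")")"
fi
```

Run with `PIHOLE_CHECK_LIVE=1 PIHOLE_ADDRS="192.168.1.2 fd00::2" sh check.sh` on the device you just released/renewed. A `LEAK:` line for an IPv6 address is the symptom from the thread: the device will resolve over that server and bypass the Pi-hole even though the IPv4 lease is correct. A `resolved` result for a domain you expect to be blocked means the query never reached the Pi-hole or the domain is not on your lists; check the query log for the client before changing anything else.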