Pi-Hole – A black hole for Internet advertisements (github.com/pi-hole)
492 points by tosh on Feb 26, 2019 | 205 comments

I absolutely love the DNS based solution for ad-blocking and preventing tracking. I use AdGuard DNS on my PC (DNSCrypt) [0] and phone (DoTLS) [1], and it has improved performance of apps (not just websites), 'cause I guess there's a lot less going on under the hood now (trackers like new-relic and segment might be consuming a good percentage of resources which they wouldn't now since their domains are NX'ing?).

What I am worried about is that DNS based black-holing is trivial to work around (as an ad-provider, one could simply force the use of a custom DNS client and pin to a DNS resolver of choice) [2][3][4]. What's next for pi-hole and solutions like AdGuard DNS short of re-writing packets going through UDP/53? Not sure how one would intercept the DoTLS / DoHTTPS connections, to rewrite those.

I'd like to hear if anyone has some thoughts on this, or if this has been discussed elsewhere.

[0] https://simplednscrypt.org/

[1] https://news.ycombinator.com/item?id=18788410

[2] https://news.ycombinator.com/item?id=19170671

[3] https://news.ycombinator.com/item?id=19106023

[4] Firefox 64 for PC, by default, was configured to ignore OS/Network Interface provided DNS resolver and used CloudFlare's over HTTPS.

DoTLS and DoHTTPS can be intercepted on your own devices by adding a privately generated certificate to your root store and MITMing the traffic. By design this is the only way to filter this traffic based on content.

Regardless, name-resolution based ad blocking is relatively futile against even naive workarounds. For instance, what is to stop someone from using a custom DoHTTPS format on any webpage to resolve the name directly in the browser? What's to prevent them from obfuscating it in a way your MITM couldn't realistically detect?

In the end ad blocking is best done directly on the client through something like uBlock Origin. Not only does this allow you to create a network request block list (now with the added capability of reading/filtering on the whole URI) but it also allows for style based blocks where the ad content could even be blocked if it comes from the same server and resources serving the actual page.

You honestly need both.

Of course, a pihole will not be able to block someone who goes to the length of developing and using a custom DNS-over-TLS or DNS-over-HTTPS webpage.

Similarly, uBlock Origin is not available for anything else except browsers. There is nothing preventing native apps from using or pinning different nameservers. On a scale of hardness, using or pinning a specific DNS server is easy and is known to be used in the wild. Custom DoT or DoH is still rare but I am aware that there will be a time when a significant chunk of the internet will use it.

Name-resolution based ad-blocking is not futile yet. My pihole has alone blocked 5k+ queries in the past 24h.

What native apps are you running have advertising built in?

That sounds horrifying.

Windows 10?

That sounds horrifying

Almost all "free" mobile apps?

Like Vixie said, route and answer. He is complaining that he has to do it. He is not saying that there is no solution.

Putting a DNS client in Chrome (I think they removed it but who knows), or Chromecast, or whatever is "evolutionary pressure".

It forces users to evolve the solution to work around it. This is good.

If users are forced to learn to use an RPi for DNS (and we can see they are doing that with Pi-Hole), and eventually another pocket-sized computer with open-source software for routing, that benefits the community of users who want to avoid ads.

If avoiding ads is the goal, then using a pocket-sized computer with a user-installed OS is better than a solution marketed by a commercial third-party, as almost always those third parties rely partially/wholly/directly/indirectly on the ad business.

I don't understand Vixie. I have a Chromecast Ultra. On my Firewall at all, I reject all requests to .4.4) with an ICMP unreachable. This forces the CC Ultra to use the DHCP allocated DNS Server (a pihole) which works just fine.

I don't understand why he says you have to route and answer You really don't.

If his point is you can't override the built in DNS without some sort of FW hackery though, then yea his point stands.

Does the dest unreach solution work on the original Chromecast?

Yup, I have a CC original, 2 CC Audio and a CC Ultra. This trick works for them all

How about Roku, AppleTV, Amazon Fire whatever? (I do not know all the correct brand names but I am presuming other companies are trying to hardcode DNS servers too.)

I don't own any of those. But given those devices don't have ties to Google, I doubt they're trying to force people to use their own DNS. I don't even think Roku, Apple or Amazon run public DNS servers.

Like you, I do not have these to test, but I have read that at least Roku have been hardcoding GoogleDNS servers.

Re #4: really?! I missed that news. Sounds horrible. So instead of using my ISP, that I chose and trust, all my DNS queries now go to some foreign megacorp?!

This is also the first time I heard about it, but my immediate reaction was "sounds amazing".

- Removes all DNS leak privacy issues, for all Firefox users, automatically

- Removes all possibility for a MitM to view or corrupt DNS queries or responses, for all Firefox users, automatically

And Cloudflare claims to delete all DNS-related logs of Firefox users within 24 hours: https://developers.cloudflare.com/

Even if you distrust Cloudflare or think they're not secure against breaches, it's still a massive security and privacy upgrade over using your ISP's DNS servers, which will pretty much always leak sensitive information about your connection (potentially leading to deanonymization while using an anonymizing service) and send/receive everything in unauthenticated plaintext.

And in addition, your ISP likely is less trustworthy and less secure against breaches (even if you aren't using Comcast, Verizon, or AT&T) than Cloudflare. But again, even if you don't trust them, this would still be the best move for security.

Plus it's a big latency decrease and performance boost for most or all users.

Sure it has some advantages, but it has disadvantages too. It really erodes my trust in Mozilla that they did this without notification upon upgrade, and as opt-out instead of opt-in.

My ISP is trustworthy and is in my own city/country. Today I've discovered that all my DNS queries now go to a foreign company that I know nothing about, and did not consent to communicate with.

I'm all for encrypted DNS, but I'm not for my DNS server choice being silently overridden.

Unless I've missed something, Firefox still uses the system resolver. DNS over HTTPS is available but not enabled by default.

Disclosure: I work at Mozilla but not on this.

How do you feel that even with your ISP your data still passes through servers in multiple countries before it gets to you? When you request to view a site it’s not a single hop from you to the server the site is hosted on.

Is that not the point of SSL?

DNS is in the clear by default.

I thought that once DNS is resolved the DNS request doesn't go any further and the actual request is sent to the IP address...

Yes, but the parent comment you replied to was, I believe, referring to data leakage via DNS, not data leakage over HTTP requests. Two different things. What they were getting at is your ISP's DNS servers--and every DNS server hit along the path of resolution--know something about every request made by one of your devices when your devices route DNS through them. Assuming every request to domain.com is encrypted, your ISP may not know what you're sending to domain.com, but they do know you are sending data to domain.com because DNS is in the clear by default. This has led a number of ISPs to capture this information and use it for purposes a customer often does not know about, understand, or may object to--such as selling that information, using it for injecting advertising or hijacking requests, and other actions. What's worse is that many ISPs (in the US, at least) ensure this behavior can occur by requiring customers to use gateways/routers that are locked down to ISP DNS servers, and many of these devices prevent users from modifying the DNS servers used.

Encrypted DNS and devices like the Pi-hole provide end users a means of bypassing this behavior by avoiding ISP DNS servers entirely so even where you're trying to go isn't known by them.

This is one of the many concerns, yes.

Another big concern is privacy from the other side: if you're using Tor or an anonymizing VPN while visiting a website looking to deanonymize users, and the website owners see a DNS query to their nameserver from a Comcast DNS server somewhere in a midwestern state timed perfectly before your HTTP request coming from a Tor exit node or anonymizing VPN, they can potentially infer your broad location and ISP, and potentially narrow your identity down from there (especially if you ever visited that site, or an affiliated site or site that shares data with them, in the past without using an anonymizer), negating the purpose of the anonymizer.

If all they see is a query from or, you could be anywhere in the world, using any ISP.

And your ISP can do this in an even more precise way. Customer makes DNS query for siteispsdontlike.com and then immediately sends a lot of traffic to a server registered to an anonymizing VPN company. That tells the ISP "this customer is visiting this 'suspicious' website, and also covering it up by using this specific anonymizer".

And the original GP was pointing out that they had carefully selected an ISP that they trust and wanted to use as their DNS provider and did not want the browser ignoring that...

We basically seem to both agree with the original GP. Things just got a little confused.

Who said the router on the network I'm connected to handed out a DNS server that was from my ISP? And why are you so sure my ISP is less secure & trustworthy than Cloudflare?

At least in the US nearly all ISP are either directly selling their customer data or own outright publishing arms that rely on advertiser revenue.

Even in Europe big telcos like Telenor have adtech holdings.

It doesn’t mean you can’t trust your ISP but certainly there are red flags.

Although Joe Average won't know how to, most/all OSes let you pretty easily change your DNS server, you don't have to use your ISP's. But Firefox's UI to _not_ use Cloudflare is _way_ less straightforward.

Most/all routers let you change the DNS that's handed out, too, even the all-in-ones given out by the major ISPs still let you change the default DNS for the entire network.

But also somewhat common[1] is the router handing out itself as the DNS server, which is really important if you want local domains to resolve correctly. Firefox skipping straight to means it won't be able to resolve my local network servers via name, which is stupid.

1: Maybe not common/used in home use sure, but definitely common in anything run by an IT staff.

AFAIK this is not activated by default in FF65; the about:config key for it is 'network.trr.mode'. The default is currently 0 (off). 5 is also off, but explicitly user-set to be off (opt-out). See https://wiki.mozilla.org/Trusted_Recursive_Resolver

Yeah, a European ISP will always be preferable to ANY US corporation I'm afraid to say.

I have a pfsense box. It's quite arbitrary to block DNS request that are anywhere except to your pfsense box. eg. https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-...

If I'm not mistaken, that will work only for regular old DNS, not DNS over HTTPS (DoH), which, I presume, uses port 443, not 53.

Seems like blocking Firefox and Chrome from usurping your DNS choices is going to be much harder going forward. :(

It’s going to have to work though. For example, corporate users absolutely require the ability to access private internal domains that are not served by public DNS servers. The browser vendors aren’t going to be able to enable DoH directly from the browser by default and break that.

I think the main reason the browsers have added support is so they can get the data they need to make encrypted SNI work. They’re going to have to get operating system APIs to be able to do this from the OS’s resolver or else it will screw all sorts of things up.

TLS it seems it actually uses port 853 (which I didn't know). https://tools.ietf.org/html/rfc7858

So I guess in theory you can block that port outbound to all hosts to handle TLS's use case.

HTTPS is tougher, but just block all traffic to those hostnames with a DNS blacklist.

That's DNS-over-TLS which, while similar, is something completely different than DNS-over-HTTPS (DoH).

DoH does, in fact, use 443/TCP, just like regular HTTPS traffic.
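The sub-thread above comes down to a detection question: a firewall can force plain DNS through the filter and can drop the DoT port, but DoH rides on 443 and is only distinguishable by destination. The following is an added example (not code from Pi-hole, pfSense or any poster) that applies exactly that logic to constructed firewall flow-log lines, flagging devices that talk UDP/TCP 53 to anything other than the local filter, anything on 853, and 443 connections to resolver addresses known to serve DoH. The Pi-hole address, the log format and the DoH resolver set are assumptions you would replace with your own.

```python
"""Flag LAN devices that bypass the network's DNS filter.

Added example, not Pi-hole's own code. Assumes the filter (a Pi-hole) lives
at PIHOLE_IP and that the firewall logs one line per new outbound flow in
the constructed key=value format shown in SAMPLE_LOG.
"""
import re
from collections import Counter

PIHOLE_IP = "192.168.1.2"      # assumption: address of the local Pi-hole
DOT_PORT = 853                 # DNS over TLS, RFC 7858
DOH_PORT = 443                 # DNS over HTTPS shares the normal HTTPS port
# Assumption: resolver addresses known to answer DoH; maintain from your own
# intel, because by port alone DoH is indistinguishable from web traffic.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2019-02-26T10:00:01 src=192.168.1.23 dst=192.168.1.2 proto=udp dport=53
2019-02-26T10:00:02 src=192.168.1.40 dst=8.8.8.8 proto=udp dport=53
2019-02-26T10:00:03 src=192.168.1.40 dst=8.8.4.4 proto=tcp dport=53
2019-02-26T10:00:04 src=192.168.1.51 dst=1.1.1.1 proto=tcp dport=853
2019-02-26T10:00:05 src=192.168.1.77 dst=1.1.1.1 proto=tcp dport=443
2019-02-26T10:00:06 src=192.168.1.77 dst=93.184.216.34 proto=tcp dport=443
2019-02-26T10:00:07 malformed line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>udp|tcp) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one flow-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow, pihole_ip=PIHOLE_IP, doh_resolvers=KNOWN_DOH_RESOLVERS):
    """Return a finding label for a flow that bypasses the filter, else None."""
    dst, port = flow["dst"], flow["dport"]
    if port == 53:
        # Plain DNS is fine only when it goes to the filter itself.
        return None if dst == pihole_ip else "plain-dns-bypass"
    if port == DOT_PORT:
        return "dns-over-tls"
    if port == DOH_PORT and dst in doh_resolvers:
        return "dns-over-https-suspected"
    return None


def find_bypasses(log_text, **kw):
    """Return (src, dst, dport, label) tuples for every flagged flow."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        label = classify(flow, **kw)
        if label:
            findings.append((flow["src"], flow["dst"], flow["dport"], label))
    return findings


def summarize(findings):
    """Count findings per label, e.g. to drive an alert threshold."""
    return Counter(label for *_, label in findings)


if __name__ == "__main__":
    results = find_bypasses(SAMPLE_LOG)
    for item in results:
        print(item)
    print(summarize(results))
```

The 443 connection to 93.184.216.34 in the sample is deliberately not flagged: without a curated resolver list (or TLS-level inspection, which the thread already discusses) a DoH request to a general-purpose CDN address looks like any other HTTPS flow, which is why port-based blocking stops at DoT.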

Could just point to an IP directly as well. That could be blacklisted as well but in today's tech stack it is really easy to change variables so that a block would have a short term effect on the client.

I bought the Pi-Hole kit for ~$US100 but was never able to get it to work properly with SSL/TLS sites despite some (admittedly cursory) Googling. It's a great idea in theory.


Somebody is overcharging you on this one. I installed it on my Raspberry Pi B from like 2012. I installed Raspbian, input a small one liner and it was installed.

WAIT, just updated to the latest version and it's working great now. All I had to do was set my Airport to use the Pi-Hole for DNS and now every device on my home network is 99% ad-free. Very impressive.

Is that a raspberry pi and some cables sold for $100?

No, there's also a 16GB SD card with the software preloaded, and a plastic cover.


You got swindled.

Just got a RPi3B+ with all of that from Microcenter for 53 dollars

That is official pi-hole in a nice box preloaded with software. It is not a swindle, it is a way to help project: https://pi-hole.net/shop/

What is "Firefox 64 for PC"? Does this mean non-mobile Firefox?

If you want to test pihole you can just run it in a docker container to see what it's like. You don't need to buy a Raspberry Pi!


I'm running the Docker image for my home network, it is really convenient.

Right now I use AdBlock plus. Occasionally, to get a webpage to work, I have to disable it.

How does Pi-hole mitigate this issue for non-expert users? My main concern is that if I set this up at home, my wife will get annoyed when her web pages don't work and won't have the patience to learn how to add to the whitelist.

Not directly related, but uBlock Origin is a better ad blocker than AdBlock Plus. From what I understand the uBlock Origin uses fewer resources; but more importantly, doesn't take money from advertisers to allow certain ads: https://adblockplus.org/en/about#monetization

It's more trusted nowadays and very easy to switch to.

I’m actually using ublock origin. I don’t know why I said Adblock plus. :/

There’s a simple pause button on the web interface. I bookmarked it on my wife's phone and showed her how to disable and she's had no trouble since. At first she was skeptical about the pi-hole but after seeing the difference it made, she's totally on board. We don't need to disable it often though, maybe once every month or two.

Alright that sounds fairly reasonable. I’ll give it a shot. I’ll probably start by just putting my devices on it and see how it goes.

Off-topic: but cheers to all the HN partners who put up with all the tech experiments.

Ha! At least once a week I tell the family "the wifi/internet will be wonky for a bit". Luckily we have unlimited LTE so my wife just switches to that until I'm done.

As a year+ long user, I attest to its greatness. Set it up on the cloud, set your router to distribute the dns and presto-blamo ad-free apps, internet and streaming.

Very occasionally I might come across something not working. I could go to the pi-hole interface and whitelist, but I find it easier, and it's so infrequent, that I usually just turn off WiFi for a minute to load the page over cellular.

Right now, I've set up my Pi-Hole at home with this curated whitelist: https://github.com/anudeepND/whitelist

I haven't had any issues come from me or anyone in my family using it thus far. Although, there's an active discussion which that whitelist pulls mostly from here: https://discourse.pi-hole.net/t/commonly-whitelisted-domains...

I am using pfsense with pfblockerng for ad/tracking protection. My wife spends a good amount of time on a mobile fashion game. In addition to the forced in-app purchases once a month, it makes her watch plenty of video ads every day. She has to watch those ads to get virtual currency that can be used to purchase things that are a must for playing the game. With the protection enabled, the ads won't show and she can't play. So I had to whitelist her mobile in pfblockerng. She still complains that it doesn't work. So she uses mobile data to play the game. I am not sure what else in pfsense is breaking it for her, I haven't looked further into it. One good thing is it helps me save bandwidth. My home internet has a 500gb limit after which it drops to 1/10th of the speed. She seems to be using up close to her 1.5gb daily limit almost always, just from this game and facebook. So I get more bandwidth to download stuff!

If she has Android she can download DNSfilter or similar and disable it for her game. It's a local DNS / VPN to block ads with it's own local white / blacklist. I rarely see ads on my phone, except from some game apps that I guess use networks not yet on the blacklist, but I'm not bothered by those, I usually play games I can fully own / pay to remove ads.

Jesus that game sounds like a big trap

It is. I have been trying to get her to stop playing it by introducing her to other games. But no. She spends a good chunk of her free time on this. Since she is a teacher, she gets a lot of free time at work too. It hasn't affected either of us negatively that I know of, so I sometimes think let her do what she enjoys. I hope it is not indicative of her being unsatisfied with something in our life.

The game's name is Covet Fashion. They have a huge following in Facebook. The main theme of the game is to dress up models and others vote on it. Whoever gets the "top look" wins (winner gets virtual currency to buy more dress I think). I think they even form teams through Facebook. Sometimes people get kicked out for not helping the team and so on, so I guess there is some drama like reality TV.

So I did experience this. I eventually just moved my wife's phone over to a static IP/external dns so she didn't have to deal with it. But at least the rest of the network (IoT in particular) had less tracking.

An unexpectedly nice thing was the Roku screensaver went back to a simple bouncing logo instead of the ad-filled scrolling billboard thing.

On a mac, you can set up Network Locations. I have one set up with the pihole dns server, and have the Automatic one set to normal defaults. There's a simple script[0] that will change your Network Location based on the wifi network you connect to, so I don't have to worry about switching it manually when I leave home and I don't have access to the pi as a DNS server.

Granted, none of this answers your question directly, but a manual Network Location switch from System Preferences is a somewhat simple change that's a little less friction than a whitelist. The auto changer should switch it back next time your wife's computer reconnects to the network in case she forgets.

[0] https://github.com/eprev/locationchanger

You'd have to show her how to login to the web GUI and temporarily disable it I think, but I wonder if it's the use case.

If you're enabling ad filtering on the DNS level on your router, its more along the lines of forced ad filtering on your entire network, so you're kind of sacrificing user configurability for global ad filtering on your network.

Personally, I've only had the experience of a broken webpage once in two and a half years of using it.

> Personally, I've only had the experience of a broken webpage once in two and a half years of using it.

Is there a reason DNS-based filtering is much better than normal ad-blocking in this respect?

I think it is basically that a website would want to work if an external service failed. DNS blocking looks like that, whereas editing the page content is obviously detectable.

I had to divert a bunch of devices (Samsung TV, Switch, etc.) around the pi-hole because it was easier than trying to figure out what they needed whitelisting.

A trick for mobile is to just turn off WiFi for a minute to load the page over cellular.

You know I have to do this all the time, and I don't understand why I have to. It's kind of obnoxious.

It doesn't. I stopped using it when one of their default lists started blocking Microsoft.com. I get some people don't like Ms, but that kind of default is just plain negligent. Blocking updates silently is never ok in my book.

I have default (and custom) lists and have never had a problem with Microsoft domains. You sure it wasn’t a temporary issue with MS itself?

There are some good discussions on Pi-Hole over on this thread: https://news.ycombinator.com/item?id=18075159

sorry, didn’t realize it was already on 5 months ago

No problem, since people upvote it you're apparently not the only one who thought the content is useful to the site. Reposts are fine (heck, posts that are decades old come up from time to time), though it's somewhat customary to link previous discussions.

I wonder why there is no public official dns-server with the pi-hole blockings included. This would allow me to just insert the dns-ip into my fritzbox without having to setup and run a raspberry.

You're probably going to want to whitelist a domain here and there relative to the default blacklist. And the pi-hole has a few blacklists that aren't enabled by default, since they are much more strict.

So pi-hole-as-a-service doesn't make too much sense.

PiHole as a service will definitely happen and I would be willing to pay a monthly fee for it.

My setup has been running for over a year and it has completely transformed the Internet for me.

Pihole / VPN as service https://ba.net/adblockvpn

That site looks sketchy

Ok, that's a good argument. But the few pihole users I know do not have a single whitelisted domain and likely will never have one. Also I could still whitelist most domains by adding the IP to my /etc/hosts.

I'm a long time pi-hole user and follow the subreddit and discourse regularly. You'll find many a pi-hole user with whitelists. The following are pretty common.

* https://discourse.pi-hole.net/t/commonly-whitelisted-domains...

* https://github.com/anudeepND/whitelist

I have ~2.2M domains blocked. There's just no way that I wouldn't have false positives in that big of a list.

1 million here - nothing whitelisted or knowingly broken.

Unfortunately some of the more extreme blacklists can block legitimate error-reporting software among others that I commonly use for work. Same goes if you work in analytics you'll have to open up some just to access your dashboard.

I work in the cryptocurrency space and several legit sites and APIs are blocked in more than one list.

most people would be happy with the default settings... and if everyone would be using it, websites would make sure that they work with pi-hole users

Cue corporations spamming takedown requests because "it deprives them of ad revenue".

Seems like there is: https://adguard.com/en/adguard-dns/overview.html

However, as it's been said, you might want to easily whitelist some domains.

Should the URL be https://pi-hole.net instead of one of their GitHub repos?

I find the Github readme easier to parse (often the case with open source projects actually)

If you're interested in Pi-hole you might want to check out AdGuard Home:


Pi-hole isn't difficult to setup but AdGuard Home is much easier. Just download the binary and run it. If you want it to start on boot run it with the `--install` flag. Works on Linux, Mac, and Windows.

Pi-hole replaces your DNS on the local network so one device is protecting all your other devices without you having to do anything else. Yes, even that Wii or whatever :-)

Same with AdGuard Home. :)

Except it stops running the second I turn off my computer :-)

Then don't install it on your computer? :P

You can install it on a Pi just like Pi-hole.

Can it be set up on a Pi in a similar way? Or is it designed just to run on each machine?

It's a drop-in replacement for Pi-hole. You can install it on a Pi and use it as a DHCP or DNS server.

I've been running an instance of this on a DigitalOcean VM for a couple of years now. Keeping my instance external is nice so I can use it from home, work, and for friends and family, with all of my devices. Fantastic project, highly recommended.

How do you stop the general public from finding it and using it? Strict firewall rules?

I have a pihole at home (not a Raspberry Pi, gosh I wish they'd ditch the marrying of the two) but to access it I establish a VPN.

I set up a simple python server that listens on a specific (highly unlikely to be guessed) url and when visited runs a shell script to add the visiting ip to iptables dns whitelist. So I can visit a relatives house, go to that page then add my dns ip to their router (if they want me to). Also helps for when traveling or when isp renews dhcp lease.

This is a beautiful solution. I love it, bravo!

You might consider adding a VPN tunnel on top of that setup so that your DNS isn't just hanging out in the wild for anyone to find.

Will you share high level steps of how to accomplish this, please? I'm a novice and haven't played with Raspberry Pi, but recently set up a Droplet running Ubuntu on DigitalOcean. Sharing with family intrigues me.

The steps should be the same regardless if running on a Pi or VPS: https://github.com/pi-hole/pi-hole/#one-step-automated-insta...

On a machine that isn't behind a firewall already you will want to set up strict firewall rules, including blocking inbound DNS from anywhere except trusted addresses. Other hardening steps should be taken as well but they're not specific to DNS resolvers.

Recursive DNS resolvers on the open Internet start getting abused really fast for DNS amplification DDoS attacks (for anyone unaware reading this).

I recently talked about Pi-Hole in another thread[0]: I'm using Wireguard in combination with Pi-Hole on a cheap VPS as a VPN on my iPhone, it's blazingly fast and super stable. Will be trying this on my Mac as well now. I only allow access to the console from a fixed IP-address to add whitelists when needed. Everything loads much faster, websites, even apps I feel, though it might just be wishful thinking that last one.

[0] https://news.ycombinator.com/item?id=19186795

I tried this with OpenVPN a while back and it was a spectacular failure because keeping the tunnel open also kept the cellular connection active and that sent battery consumption through the roof. I'm talking about 8-10 hours "standby" time on a modern iPhone. Is that not a problem with your setup?

I looked into on-demand but it required an MDM profile and that seemed more trouble than it's worth.

What VPS and how much is it costing you?

About 3 Euro per month using a CX11 over at Hetzner[0]


How pi-hole works and what is FTLDNS, if anyone is interested: https://pi-hole.net/2018/06/09/ftldns-and-unbound-combined-f...

I came across this article last month: https://ifelse.io/2019/01/12/secure-ad-free-internet-anywher...

It was surprisingly very easy and straightforward to setup, and working very well! It's most useful on Android/iOS.

One small change I've done is to set the Pi-hole DNS server only on a specific set of VPN connections (using specific ports) in order to have a full, unfiltered VPN if necessary.

Forgive my ignorance on the matter, but:

1) Are the DNS request sent to oblivion or a fake address is returned instead? If the former, wouldn't a failed DNS request generate some sort of timeout?

2) Would a failed DNS request generate multiple retries to load a resource that is not available? (I can imagine this for application other than browsers).

3) How long until pages with ads will start solving addresses through some sort of script? Like in the section of the page responsible for showing an ad, manually crafting and sending a DNS request to or whatever.

edit: for clarity

As far as I can tell the default blocking method in current builds is NXDOMAIN. You can read the details directly from the PiHole official page [0]. Short version, it just returns a no such domain.

More info on blocking modes [1]. This says the default (and recommended) blocking mode is NULL but it wasn't the case when I recently did my last install. Not sure if it was something with my build or maybe the docs need to be updated.

You will find that failing to access the resource on the other side will make many clients try and try again. On my PiHole I see Philips Hue, Microsoft, or Sonos with tens of thousands of retries triggered by previous failures to contact their destinations.

[0] https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-wi...

[1] https://docs.pi-hole.net/ftldns/blockingmode/
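To make the two blocking modes in the answer above concrete, here is an added example (not Pi-hole or FTLDNS code) that hand-builds DNS wire format with the standard library and answers a blocked query either as NXDOMAIN (RCODE 3, no answer section) or in NULL mode (RCODE 0 with an A record of 0.0.0.0 or AAAA of ::). The blocklist, the short TTL and the helper names are all assumptions for the example; Pi-hole's real responses come from dnsmasq/FTL.

```python
"""Minimal DNS sinkhole showing NXDOMAIN vs NULL blocking.

Added example, not Pi-hole/FTLDNS code. Builds and parses DNS packets with
struct only, so it runs offline. BLOCKLIST is a constructed sample.
"""
import struct

BLOCKLIST = {"ads.example.net", "tracker.example.org"}  # constructed sample
SINKHOLE_TTL = 2  # assumption: short TTL so clients re-ask once unblocked


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(packet, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive query (RD=1) for name; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(query, mode="NXDOMAIN", blocklist=BLOCKLIST):
    """Return a response packet for a blocked name, or None to forward it."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    if not is_blocked(name, blocklist):
        return None
    if mode == "NXDOMAIN":
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (Name Error), no answers.
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    if mode == "NULL":
        if qtype == 1:       # A  -> 0.0.0.0
            rdata = bytes(4)
        elif qtype == 28:    # AAAA -> ::
            rdata = bytes(16)
        else:                # other types: NOERROR with empty answer (NODATA)
            return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # 0xC00C is a pointer back to the question name at offset 12.
        answer = (b"\xc0\x0c"
                  + struct.pack("!HHIH", qtype, 1, SINKHOLE_TTL, len(rdata))
                  + rdata)
        return header + question + answer
    raise ValueError("mode must be NXDOMAIN or NULL")


def parse_response(packet):
    """Return (rcode, answer_count, [rdata bytes per answer])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4  # qtype + qclass
    rdatas = []
    for _ in range(an):
        _, off = decode_name(packet, off)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdatas.append(packet[off:off + rdlen])
        off += rdlen
    return flags & 0x000F, an, rdatas


if __name__ == "__main__":
    q = build_query("ads.example.net")
    print("NXDOMAIN:", parse_response(sinkhole_response(q, "NXDOMAIN")))
    print("NULL:    ", parse_response(sinkhole_response(q, "NULL")))
    print("allowed: ", sinkhole_response(build_query("www.example.com")))
```

Both modes answer immediately, which is why a blocked lookup does not hang on a resolver timeout: in NXDOMAIN mode the client gets an error and gives up (or retries, as the comment on Hue and Sonos traffic shows), while in NULL mode it gets 0.0.0.0 and its subsequent TCP connect fails locally. `is_blocked` also matches parent domains, so a list entry of `ads.example.net` catches `cdn.ads.example.net` without catching `example.net`.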

Clear and concise. Thank you very much.

The pages you use the most serve some ads from their own domain. E.g. Youtube et. al.

Also beware as most ads in your phone apps come from ad intermediaries that are either dynamic or constantly change.

Pi-Hole is a cool project but please take in consideration those two when using it. We are far from the 90's in ad-tech.

This isn't my area so I'm going off cobbled together knowledge.

Surely Youtube being the size it is has a few Github issues against it saying 'I can't load images because I block the ads'?

I guess what I'm saying is, what is the negative impact of your first point? That some content you want won't come through because the content you don't comes from the same domain?

What HugoDaniel is saying is: PiHole won't let you watch Youtube ad-free. To do this you need an ad-blocking browser extension like uBlock Origin.

This is because Youtube serves content and ads from the same domain, so you can't domain-block ad content without blocking all content.

It runs a local DNS server and a local http host.

You make a DNS query to badsite.com, your local DNS responds with your local http host and you load a pixel image instead of whatever it should have been.

So in that regard, what does a page look like with Pi-Hole running? As 'aesthetic' as uBlock? Or does it still show the ad's dimensions - just not the ad?

In my experience I don't notice things being different when I'm using the Pi-Hole. It just seems like regular functional internet. When I'm not connected is when I'm surprised by how many ads there are and where and when they appear.

Probably depends on the underlying CSS, but obviously CSS that comes with the and won't be downloaded, and I generally don't notice massive empty spaces.

I actually use pfblockerng, it does the same thing without the pretty UI.

I set this up on an RPi last weekend and this is not how it works for me. Trying to resolve blacklisted domains from any network device resolves to

I run it at home and also use the DHCP server. All the numerous family PCs, Kindles, phones, etc, use it and it works great. For a family of four with two teenage kids, it blocks about 20% of the DNS traffic we create.

Love it.

As much as I like the Pi, I think a better solution would be to use OpenWRT on a regular router.

Well, I disagree. OpenWRT is great at being a router, let it be that. pihole is great at being an adblocker, let it be that.

I think you're better off to fire up a Docker instance!


But why do you think OpenWRT is better? Because it has a (somewhat clunky and not as feature-rich) adblock solution built in?

So does pfSense with pfBlocker-NG which is also another common adblock solution people use.

But for a basic user who just wants to augment their home network with ad-filtering, it's way better to just add a pihole than to totally replace their router.

Yes, OpenWRT does have an adblock solution. It might not be as shiny as the PiHole but it works. Also, you can buy a decent router for less than you would pay for Pi+Cables+Case+Power Source.

I use a tp-link wr842nd. I even have a Telegram bot on it to interact with it. A Pi would be more powerful, sure, but the router serves my needs.

Right, I was more curious why you thought OpenWRT was a better solution.

Although PiHole doesn't need a huge amount of power, it does seem to need more resources than the average router has, unfortunately - it has components written in PHP, at least if you want the web frontend, and runs some SQLite DBs which might not work well unless your router has some "real" storage attached to it. It's also a pain to get working unless you give it its own local IP address. While it might work, it would be kind of defeating the point of it being "plug and play".

If you have any kind of local server running "proper" Linux (not necessarily a pi) it's pretty easy to run pihole on it though - there's a docker image or you can fire up your favourite other Debian-based VM/container image and install using a shell script.

A friend and I just launched an MVP a couple of weeks ago so people in New Zealand (and kiwis abroad) could have a VPN with PiHole hosted here in NZ: https://expatvpn.co.nz - however from the early users it seems everyone's just been using it for their phone mainly. I'm thinking I might rebrand it to be more for secure mobile browsing or something...

I use it also on my iPhone with WireGuard VPN, it's super easy with the app from WireGuard and it's blazingly fast, so I can definitely recommend this. Would be interested to know how you'd approach this and provide some insights if needed.

If any contributors are reading this: please consider adding separate blocklists per IP range. The use case is very simple: adults in the house get to see things kids don't get to see (and get their Youtube and games shut off if homework is not done), yet ads and tracking are still blocked for everybody.

This will almost certainly never get implemented because the community has a more or less accepted workaround. Run more than 1 pi-hole.

It's a common-ish practice in the community to have a restrictive pi-hole running in your guest/kids network and a more permissive pi-hole running in the trusted/adults network. Pi-holes require so few resources and maintenance that it's not much burden to run more than one.

It would be a pretty large feature to support separate blocklists per IP range.

That's what I do, but it's a maintenance burden to run several instances. I run three PiHole VMs: one for parents (banning ads only), one for little kids (banning ads and mature content), and one for teenagers (banning ads and temporarily banning "time drain" sites until homework is done). I'd like to further customize the one for teenagers based on whether or not they have missing homework in school, but not quite to the level of spinning up (and maintaining) yet another instance.
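The two comments above (the one describing Pi-hole as a local DNS server that answers blocked names with a local HTTP host, and the thread asking for different blocklists per IP range) both describe a DNS sinkhole, so here is one in working form. This is an added example, not Pi-hole's own code: a toy UDP resolver that builds and parses RFC 1035 wire-format queries, answers any A query for a blocklisted name (or a subdomain of one) with an A record for a sink address, picks the blocklist by the client's subnet, and forwards everything else upstream. The sink address, the upstream resolver, the subnets and the blocklists are all assumptions chosen for the example.

```python
import ipaddress
import socket
import struct

# Assumed values (not from the thread): the address of the local pixel-serving
# HTTP host, an upstream resolver for everything not blocked, and per-subnet
# blocklists (most specific subnet first) standing in for "kids" and "adults".
SINK_IP = "192.0.2.10"
UPSTREAM = ("9.9.9.9", 53)
POLICIES = [
    (ipaddress.ip_network("192.168.20.0/24"), {"badsite.com", "youtube.com"}),  # kids
    (ipaddress.ip_network("192.168.0.0/16"), {"badsite.com"}),                  # everyone else
]


def blocklist_for(client_ip):
    """Pick the first policy whose subnet contains the client; no match means no blocking."""
    addr = ipaddress.ip_address(client_ip)
    for net, names in POLICIES:
        if addr in net:
            return names
    return set()


def build_query(name, txid=0x1234):
    """Encode a standard A/IN query in RFC 1035 wire format (RD set, one question)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)


def parse_question(msg):
    """Return (name, qtype, offset just past the question) for the first question."""
    labels, off = [], 12
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1  # root label terminator
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels).lower(), qtype, off + 4


def is_blocked(name, blocklist):
    """True if the name or any parent domain is listed (ads.badsite.com matches badsite.com)."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_answer(query, client_ip):
    """Response pointing a blocked A query at SINK_IP, or None when it should be forwarded."""
    name, qtype, qend = parse_question(query)
    if qtype != 1 or not is_blocked(name, blocklist_for(client_ip)):
        return None
    # flags 0x8180: response, recursion desired/available; 1 question, 1 answer
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # answer: pointer to the question name (offset 12), type A, class IN, TTL 60s, 4-byte address
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(SINK_IP)
    return header + query[12:qend] + rr


def answer_ip(resp):
    """Address carried by the single A record in a sinkhole response (for checking)."""
    _, _, qend = parse_question(resp)
    rdlength = struct.unpack("!H", resp[qend + 10:qend + 12])[0]
    return socket.inet_ntoa(resp[qend + 12:qend + 12 + rdlength])


def serve(bind=("127.0.0.1", 5353)):
    """Minimal UDP resolver: sinkhole per client policy, forward everything else upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, client = sock.recvfrom(512)
        resp = sinkhole_answer(query, client[0])
        if resp is None:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            up.sendto(query, UPSTREAM)
            resp = up.recv(4096)
            up.close()
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

Run it and point `dig @127.0.0.1 -p 5353 ads.badsite.com` at it from a client in the 192.168.0.0/16 range to see the sink address come back; anything not listed is relayed to the upstream as-is. It deliberately has no cache, no TCP fallback and no DNSSEC handling, and it trusts the client source address for the policy lookup, which is exactly the limitation the thread notes: a device that pins its own resolver (or uses DoH/DoT) never asks this server at all.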

My concern is that this kind of solution, while neat, may push advertisers to start requiring content owners to host the advertisement content and/or directly communicate with the advertiser API. In other words, Pi-Hole will only work while not terribly popular.

> may push advertisers to start requiring content owners to host the advertisement content

Good luck with that. There is a reason they want you to load directly from their ad-network. It's the surest way they have to accurately track valid clicks.

I tried this out over a weekend but decided to abandon it due to some of the sites I frequent being blocked. Whitelisting isn't a viable solution here as I would then need to teach my girlfriend how to do it and any family members who decide to visit.

PiHole has the option to have blackholed domains show a "This was blocked by PiHole, click here to whitelist this domain". It doesnt work perfectly (ex. Hulu just craps out for me with PiHole because of some domain under the hood being blocked), but it is something.

And for guests you can disable PiHole for any time period with a click of the button on its web page.

Or kick your guests/roomates/gf onto a different subnet.

That said though, it is clearly not perfect and could use some work and TLC to take care of. But in case you (or the next person reading this) wanted some ideas, I thought I'd offer.

There are other blocklists you can use besides the default. Some quick googling turned up half a dozen that folks like. Some more restrictive, some less.

keeping your own devices on pi-hole and using google dns by default could work.

this. it's a cool concept, but not good for roommates.

I am starting to be concerned that the ability to use DNS to block tracking, malware, and advertisements is only going to prove temporary.

There appears to be more effort generally to secure and encrypt the entire DNS system. This is really good and should be applauded and supported. But it will come with a downside... once we reach a future in which DNS records are encrypted end to end, and DNS records are only valid when signed by certain keys, and authenticated NXDOMAIN records... then things like Pi-Hole start to become more difficult as for security of DNS we'll have lost the convenience of changing the answers.

There would be a market for a DNS provider to provide a PKEY setup for the user to blacklist ad domains or whatnot similar to what the pi-hole does.

There is always a technical solution, that's the beauty of it :)

I have been running a pi-hole server in my home for almost a year now, and I love it. We usually have around 30 devices (including IoT devices), and have never had any issues. Adding/removing sites, disabling (when necessary), updating...its all there and very easy to operate. The logs are just ok, and the blacklist/whitelist is handy.

It was quick and easy to setup on an existing Ubuntu server install.

All the issues I've had were related to the DHCP server that ships with pihole. Once I replaced that with a different DHCP server - smooth sailing.

ahhhhhh...ok. I have never used pi-hole for DHCP. I already had some static routes and firewall rules setup when I added the pi-hole. So I left the builtin DHCP server disabled.

Can any of the DNS wizards here explain the potential performance implications of using this? I have been meaning to install this and begin using it but the latency of a Cloudflare DNS request is so low (and reliable) that I don't know if I want to risk introducing this into my network stack.

I have an R720 and a few old RPi's... so either major overkill hardware or major weaksauce hardware.

DNS wizard checking in. This stuff was designed in the 80s and I ran BIND on the kind of potato that has a quarter of the RAM that a Raspberry Pi has, together with Apache, MySQL, PHP, VNC, uTorrent, and some other stuff, and it still performed great. I don't know by heart which DNS server pihole uses, but no, the latency added by a server on your LAN is negligible. Case in point, most (all?) routers do DNS forwarding by default (is that not common in the USA? Since you mention Cloudflare, which has got to be slower than the default option unless you have some really cheapo ISP).

"and I ran BIND on the kind of potato that has a quarter of the RAM that a raspberry pi has"

256MB RAM? - bloody luxury!

A very quick and a bit rubbish experiment:

  $ ping
  5 packets transmitted, 5 received, 0% packet loss, time 10ms
  rtt min/avg/max/mdev = 9.982/10.838/12.531/0.888 ms

  $ dig @ www.google.com A
  ;; Query time: 13 msec

DNS is pretty quick. Note how I mistakenly use ICMP and a UDP service response time to imply something. If I'd tried to claim that DNS adds about 5ms overhead, I would have been first to put the boot in. The basic result stands though - DNS is quick. The above results are from: my laptop -> wifi -> switch -> switch -> APU2c based pfSense box with quite a lot going on -> modem (FTTC in UK - PPPoE/A) -> ISP .... etc.

> 256MB RAM?

Oh, an eighth then, I didn't know the raspi had that much RAM.

And this was on a ~2002 laptop in 2011 or so, I'm not old enough to have run it in the 80s on a real potato :(

only the first revision (and the A/A+ until the 3A+ came out) had 256Mb. It was soon upgraded to 512 as one of the first design changes (before moving to the "plus" form factor with 40 pin GPIO header) the early A's even had 128Mb but they are a rare thing as the original A was not promoted much before the first upgrade cycle.

:D Yea I don't think anyone in the 80's was running 256 MB ram. Correct me if I'm wrong?

640k ought to be enough for anybody.

They have forked dnsmasq to power their project[1].

1. https://pi-hole.net/2018/02/22/coming-soon-ftldns-pi-holes-o...

You'd be surprised how slow our ISP's DNS servers can be.

you can configure what DNS servers to use for the "upstream". you can choose between a series of ones included by default (Google, etc) or specify your own

It's pretty quick. If it's running on your local network it can cache your DNS resolvers of choice and only add a few ms at most. On your network make sure to setup backup DNS resolvers when your pi-hole is updating etc.

Currently I'm running it as a docker image on my local server.

You should always run a local caching DNS server on your home network if you care about latency etc. That way when your iphone requests apple.com and then your laptop requests it 3 minutes later, the dns query time will be sub millisecond, instead of maybe 5-15ms.

will you notice that? No, you will not. But you seem to be concerned about levels of latency it's impossible to notice anyway, so you need this to get even more (unnoticeable) decreases in latency :)

Then the pihole just queries for you, so your DNS privacy etc is still kept.

2 things to consider: 1) any additional latency is on the 1st request and after that the response is cached for the duration of the record's TTL 2) because it's blocking all the crap you have more bandwidth

so overall in my experience it actually speeds things up considerably (even in the scenario of an already fast dns resolver)

One question I have is when we block ads and especially analytics/tracking, won't it decrease the battery life of mobile devices? Apps could be written in such a way that if a request gets blocked or dropped, it will keep on retrying which would impact battery life.

It's usually pretty quick. Unless the SD card of the Pi breaks randomly. Then, you've suddenly got inexplicable slow/unavailable internet because the Pi may not respond to DNS requests any more.

I have a Pi-hole running on a Raspberry Pi Zero. The Pi is connected to my home router using the USB Ethernet gadget features. The home router handles local DNS requests from those forwarded by Pi-hole, but the rest of my DNS just flows through the Pi.

It's pretty nice. Never had an issue with the router's DNS, but OpenWRT also doesn't have the ease of Pi-hole.

I love this project. I also donated to it. I've been using it now for about 6 months and it blocks about 15% of my traffic.

Me too, I've been using it in combination with CloudFlareD (DNS over HTTPS daemon) and it works like a charm. Except when my ISP changes my public IP and CloudFlareD hangs so I have to restart the service. There is a bug for it, but the Pi-Hole itself works really well.

I setup a Pi hole about 6 months ago and I love it. It has never caused me grief and it has never gone down.

One of my favorite parts is being able to show people who come over to visit all the queries their cell phones make to ad networks while we're just carrying on a typical conversation.

Is there an option to buy a raspberry pi with this pre-installed? Asking for a non-technical friend.

A user linked in this thread the shop https://pi-hole.net/shop/

I bought a Raspberry Pi specifically for this, then I realized the obvious, it's useless outside of the house :) It was good for the old Wi-Fi-only iPad the little one was using, but pointless for my needs. I like having the Pi to play with though.

Setup a VPN tunnel for your DNS traffic and benefit from your Pi-hole wherever you go. I use Tasker on Android to automatically detect when I'm not on home wifi and then trigger OpenVPN to connect to my home VPN for Pihole and local network access.

On my phone I use Firefox and uBlock Origin and I don't install ad funded apps, or any closed source apps I'm not forced to have, so I haven't really felt the need to go that route. The only ad supported app my kids use on their devices is YouTube but, last I checked, Pi-Hole isn't able to block those ads.

Does anyone know any alternative projects (that are still dns based)? I don't need all the web interface parts. I think I just want a good, recent dnsmasq config. If it does new crypto dns stuff, that'd be cool too. I'm not up to date.

I use Unbound[1] for DNS caching and local DNS. I have Unbound configured to forward queries to a local Stubby[2] instance that does DNS over TLS to CloudFlare.

Stubby does keep-alives and is not restricted to a single thread opening a new connection per query like Unbound, which is why I used it as a forwarder; it has a few more features than Unbound.

In my Unbound config I have an include to a blocklist generated from https://github.com/StevenBlack/hosts, essentially I pipe the data from that repo through awk [3]

I have an Android TV box so also have a firewall rule to redirect all queries to and port 53 to my local DNS server.

No GUIs, solid and stable. Only thing missing is I need to write a cron job to fetch the latest block list, validate, convert to Unbound format and reload the daemon. It's only a 10 minute job, just something I haven't got round to yet.

OpenBSD is really good for running this stuff.

[1] https://www.nlnetlabs.nl/projects/unbound/about/ [2] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+... [3] https://deadc0de.re/articles/unbound-blocking-ads.html

I simply use plain old dnsmasq running on my router device. Configure DHCP to hand out my gateway IP as the LAN's DNS server. Then configure dnsmasq to point it to the block list:

Then, once a week, cron updates the block lists, invoking something like:

  wget -qO- "http://winhelp2002.mvps.org/hosts.txt" "http://someonewhocares.org/hosts/zero/hosts" "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&startdate[day]=&startdate[month]=&startdate[year]=&mimetype=plaintext&useip=" | grep -w ^ | sed $'s/\r$//' | sort -u >> /path/to/dns_blocklist

You can pick your favorite blocklists to be more or less aggressive, and you also don't have to update directly from the Internet if you don't inherently trust those blocklist sources. No web UI or Pi-Hole branding. Been working great for years and years.
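The dnsmasq pipeline above and the Unbound setup a few comments earlier (the one whose author still needs to "fetch the latest block list, validate, convert to Unbound format") both boil down to the same job: merge hosts-format lists, throw away the junk, and emit resolver config. This is an added example, not code from either commenter or from Pi-hole, that does that conversion for both resolvers with the validation the one-liner skips: comment and CRLF stripping, case folding and deduplication, rejecting syntactically invalid names, never blocking loopback names that hosts lists always carry, and honouring an allowlist (including subdomains). The sink address 0.0.0.0 and the sample list are assumptions; in real use you would feed it the downloaded files.

```python
import re

SINK_IP = "0.0.0.0"  # assumed sink address; pick whatever your resolver should answer with

# one DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# names every hosts file carries that must never end up in a blocklist
NEVER_BLOCK = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# constructed sample input in hosts format (mixed case, comments, CRLF, a bad label)
SAMPLE = """# constructed sample list
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.com   # banner network
0.0.0.0 tracker.example.net telemetry.example.net\r
0.0.0.0 ADS.EXAMPLE.COM
0.0.0.0 -bad.example.com
0.0.0.0 cdn.example.com
"""


def valid_hostname(name):
    """Syntactic check only: at most 253 chars, every label valid, at least one dot."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(lab) for lab in name.split("."))


def parse_hosts(text):
    """Yield lower-cased hostnames from hosts-format text, skipping junk and loopback names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        # only take entries that map to a sink address, not real host mappings
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in NEVER_BLOCK or not valid_hostname(name):
                continue
            yield name


def merge(*lists, allowlist=()):
    """Sorted union of several lists minus allowlisted names and their subdomains."""
    allow = {n.lower() for n in allowlist}

    def allowed(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in allow for i in range(len(parts)))

    names = set()
    for text in lists:
        names.update(parse_hosts(text))
    return sorted(n for n in names if not allowed(n))


def to_dnsmasq(names, sink=SINK_IP):
    """dnsmasq config: address=/name/ip, which also covers every subdomain of name."""
    return "".join(f"address=/{n}/{sink}\n" for n in names)


def to_unbound(names, sink=SINK_IP):
    """Unbound config: a redirect local-zone plus the A record it hands back."""
    return "".join(
        f'local-zone: "{n}" redirect\nlocal-data: "{n} A {sink}"\n' for n in names
    )
```

Wire it up as `to_dnsmasq(merge(open(f).read() for each downloaded file, allowlist=[...]))` written to a file that dnsmasq includes with `conf-file=`, then reload; the Unbound variant goes into a file pulled in with `include:`. The point of the validation is that a list you fetch over plain HTTP, as the one-liner does, is input you do not control: a malformed or hostile entry can break the config parse or, worse, map `localhost` or your own hosts to the sink.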

Before Pi-hole I would download Privoxy to my router. One of the features I really liked was that you could set it up to default to blocking everything network-wide and have a local proxy you could set up to remove blocking.

https://openwrt.org/docs/guide-user/services/proxy/privoxy http://www.privoxy.org

I run dnscrypt-proxy on a Pi on my LAN. It's set to pick a random resolver from a preset list and then it encrypts and forwards incoming requests to this resolver. Naturally, my DHCP server dishes out the IP address of the Pi to my devices.

I also use the DNS66 app on Android devices to set my DNS and block ads when I'm using a mobile network.

dnscrypt-proxy on VPS with some blocklists updated twice a day. Nginx+letsencrypt for providing dns-over-http and dns-over-tls (so I can use my own DNS on mobile). And few iptables rules.

Setting this up takes half an hour.

Additionally I am also running strongswan for VPN on the same server.

I am paying 10$ per year for VPS.

Does it make sense to make it run on a small virtual server box?

If you're already running one, absolutely.

RPis are popular and the namesake because they're relatively cheap, low power consumption, but powerful enough - so a good choice for people that don't already have some always-on hardware to run it.

Great project, but unfortunately doesn’t block YouTube ads.

I use Windscribe VPN. In the online settings menu you can alter the DNS to block Malware & Phishing, Ads & Trackers and even Social Networks.

Are there any technologies that can reinforce ads on a site?

I know a site owner can track visitors with ad-blockers and show them warnings, but that is not it.

How many of you would pay for a paid adblocker? Where the funds go to content owners?

Like Brave? https://brave.com/

Ish. Not exactly.

How do you do this without tracking us?

A client/extension that you can build yourself, that can report the time you use an app. Sadly, you need to reveal some data. But most can stay on device.

All that is needed is really the total hours each app is used and to calculate the ratio.

This assumes equal weights for apps, but can be changed.

You can create bundles for different content types like news vs games as price tiers.

If it is all client based someone could chose to use a patched version that e.g. donated all their money to charity. NB "never trust the client".

You will never get the big websites that monetise with advertising on board with client side analytics. That would need e.g. server side analytics or DRM on the client side app. Either way I wouldn't touch your app and nor would most that block adverts - and the big websites would probably not be that interested either.

Maybe with reproducible builds you could have a trusted build that people could build at home that also signed the requests with the analytics data. I don't think that the technology to do this exists yet.

Hey - thanks for the response.

-> Donated all money to charity: I don't see how that's possible. Money gets to the company, and gets distributed. If you wanna give money to charity, just do so, and install an ad blocker; it's the same idea. You'd miss out on the premium content bundles that I am thinking of.

-> Apps and websites will do so. Many news papers (albeit a losing market in general) offer premium subscription. You are literally making that easier.

-> I do not need trusted builds. People advanced enough to do what you said already can install ad blocker. They still won't get premium content access, and clients can always choose to "verify" -> this actually will happen using public/private key cryptography.

I just don't think that content owners will get on board without asking you to implement DRM or invasive severside analytics.

Good luck though.

How is it any better or more efficient than host blocking à la [1], if at all? I'm a brainlet, use baby language if you're going to explain.

[1]: http://winhelp2002.mvps.org/hosts.htm

It's network wide. Anyone joining your network and being given the PiHole as its DNS server means it gets the ad blocking benefits.

It also updates the hosts files itself on a regular basis, you don't have to remember to do it as a manual task.

It gives you a nice webgui to show you what devices are accessing what hosts, how often they try to access them (at least, how often they request their DNS name) and has different modes of blocking (vs a hosts file has to return

One (big) reason: it works over the entire network. Sure, I used a hosts file on my desktop, but setting it up and keeping it synced across multiple laptops & phones is a PITA. Plus, this is effectively the only method for something like a smart TV.

Blocking with host files requires you to create the file on every device. You don't even have access on some device (smartphone, TVs..)

DNS blocking is configured once for your whole network.

So, it's 1) automatic; 2) for an entire network. No more ads getting burned on your toast in your network-enabled toaster, I guess.

Also comes in docker form for those so inclined. Useful for home servers

What is the advantages of using pi-hole vs uBlock origin?

pi-hole covers all of the machines on your network, not just the browser. That said, I didn't uninstall uBlock Origin. They can be complementary.

You can't use uBlock Origin on iOS

pi-hole is amazing. It blocks ~20% of my network traffic, based on ~1M domains.

I'm still amazed that they recommend piping curl to bash though...

Also consider obfuscation like AdNauseam.

What makes this better than Adguard DNS?

What if it is a scam to get the free content of the site without watching its ads?

does it work on a gigabit network yet?

Yes, easily. What problem did you have using it on a gigabit network?

I'm using it for two years now on my gigabit FTTH connection, running in a LXC container on my router. No problems to report.

Yes. I haven't run it personally, but I've seen lots of positive stories over on /r/pihole with people running pi-hole on reasonably sized SMB and EDU networks.

Here is a Unicorn idea for a successful startup!

Develop a technology that protects ad-supported web sites from ad-blocking scammers ;)

There are a lot of people, myself included, who just want to be able to use websites. I am trying to avoid two major things when I block advertisements online:

1. Dangerous ads - Cryptominers, viruses/whatever, and the like.

2. Wasteful resource usage - I also block most scripts and unneeded fonts because the value to me of downloading all these add-ons is very low compared to the cost to me through network congestion and possible vulnerabilities.

I pay to support content creators I get value from, and if more creators followed a reasonable, proportional, fee I would support more.
