Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Pi-hole: A black hole for Internet advertisements (pi-hole.net)
472 points by DanielRibeiro 53 days ago | hide | past | web | favorite | 249 comments



Previous discussion from a few months ago: https://news.ycombinator.com/item?id=19258717


Also, owners or routers able to run OpenWRT (which is actively maintained and in great shape since the merge with LEDE), you have access to several packages providing the same technical solution (DNS-based blocking). As far as I know, the most common and maintained is https://github.com/openwrt/packages/tree/master/net/adblock/... .

Super easy to install, full-featured, lots of lists to pick from, auto-updates lists, no need for an additional device, and you will benefit from router features produced by the openwrt community and maybe unavailable in your router proprietary firmware. Much recommended.

If that sounds attractive and it sounds like a good opportunity to change your crumbling unpatched router, the question "what's today's good cheap router running openwrt without trouble?" is frequently answered by https://www.reddit.com/r/openwrt/ :) .


Owners of Ubiquiti routers can use this Pi-Hole guide [1]

[1] https://community.ubnt.com/t5/EdgeRouter/DNS-Adblocking-amp-...


On similar note there are scripts which will enable host-based ad blocking via DNS for other open source router firmware like DDWRT, Tomato, Asus WRT etc.[1]

But I presume Pi-hole has automatic updates to lists, data visualisations, better community support than the routers with open source firmwares which are often quite bug-ridden (not to belittle the effort though).

[1]:https://wiki.dd-wrt.com/wiki/index.php/Ad_blocking


> "data visualisations"

Those visualizations on the pi-hole look great indeed!

> "Pi-hole has automatic updates to lists, [...] better community support than the routers with open source firmwares which are often quite bug-ridden (not to belittle the effort though)."

OpenWRT/adblock auto-updates lists too, and I can't speak for DD-WRT or Tomato, but I've been pleasantly surprised by the support and quality I met using OpenWRT. About support, my few questions got answered quickly on their forum and r/openwrt. On the software quality side, apart from the UI being slow (which seems reasonable, it's running on a cheap router), sometimes complicated by lots of options (but at least they're available, and an effort is usually made to hide the exotic options under an "Advanced" tab), and blandly bootstrap-y, I don't remember hitting any bug.


Thanks, my experience is with DDWRT & Tomato; though the developers had done a great job at bringing features found in expensive routers to cheap ones the bug fixes (especially security vulnerabilities) elude older models.

Where as 100$ routers with factory firmware nowadays get security updates quite regularly.


Curious about anyone's experience with adblock for OpenWRT.

I use Pi-hole now, and it works great. The one feature that I use quite a lot is the ability to disable it for a short period of time -- when I'm shopping for something, Google ads are sometimes actually useful!

I'd say I use that feature about once a month. That's the sum value of advertising for me.


OpenWRT's adblock package has a "Suspend" button too. Also, domain whitelisting.


OpenWRT ships with dnsmasq. You just need to edit /etc/hosts to have all the unwanted domains resolve to 0.0.0.0

I like to get my host list from https://github.com/StevenBlack/hosts


That's interesting, Where do you see relevant Google Ads while shopping; is it on some product review blogs?

Did you check the 'Shopping' tab of Google search?


One example I've run into...

When you google search for something (like say a product or service that you want to purchase), you'll see a couple ads at the top of the results.

Pi-hole usually prevents most ads from even displaying, but those always show up. If the ad was useful and you want to click through, it will generally block the request. I think the click through sends you to doubleclick or something.

I've never disabled pi-hole in that situation, but there have been times when it was an annoyance because the ad was actually relevant.


Understood, I think Google features those products in the shopping tab. But the results may vary depending upon the country you're in as I think they ran into some trouble for that in EU.


pfSense based routers can use pfBlockerNG which can be installed from the Package Manager.


Took a bit of effort to set up but it works great and is mostly set-it-and-forget-it.


Pi-hole is my most prized addition to my connected home. It was simple to set up, easy to manage, and easy to access for whitelisting. Now, all of my devices throughout my network benefit from the service, as opposed to relying on locally installed solutions.

If you aren't using it, you should!


I see it as an advantage for all the devices on your network. I mean, to block trackers from Windows computers, or Roku devices or android apps.

But as an adblocker - I feel like I'm missing something. It acts as a DNS server for your local network and blocks what's essentially a host file.

So how does it handle ads served through websockets?

How does it handle ads that come from the same domain as legitimate content (which is increasingly common)?

The complexity of rulesets by addons like ublock origin or PrivacyBadger seem to far surpass what PiHole is capable of.

I think PiHole has it's place on a network - obviously, but people have been promoting this thing like you can just get rid of your adblocker on your browser now.

People also downplay that this can be a pain in a home with a handful a streaming devices, each with a handful of apps. You end up whitelisting so much for those devices, you might as well whitelist the whole device just so the apps can work.

Your wife downloads a game on her phone, and you get that look like "ok, why isn't this working.. what did you do now?"

It just seems like a lot of effort for fairly imperfect results.

Sure installation is easy, but long term maintenance (the OS, the app, constantly whitelisting or troubleshooting when a new service or app breaks for someone in the house).


> Your wife downloads a game on her phone, and you get that look like "ok, why isn't this working.. what did you do now?"

THISSSSSS. The only thing stopping me from using Pi-hole at home are my family members and the inevitable "this isn't working!?!?" rant and then I need to figure out how and what to whitelist. No thanks. I have ad blockers on the kids' PC and when something doesn't work, it's one click to temporarily turn it (browser extension) off.


I've been running it for months now and so far none of my family has come back with any 'major' issues. The only ones, which I could whitelist are when they use something like google shopping that has affiliate links and they're blocked.


>The only ones, which I could whitelist are when they use something like google shopping that has affiliate links and they're blocked.

If you have impatient shoppers in your household, the blocked affiliate(s) might be a benign issue at first, but when you miss out on a buying opportunity and then an algorithm prices it higher (while you are conducting a 'whitelisting' exercise) - things can escalate very quickly..


There are tradeoffs in all solutions of course.

The pi-hole asks you to choose security over convenience, and you must accept that not all apps and services will work.

That's a personal choice you can make for your own setup in your own home.

I've never seen anyone say this _replaces_ your browser's ad blocker though.


>The pi-hole asks you to choose security over convenience,

This is an easy choice for myself.

it's not an easy choice for one person to make for a family of others.


It's not much effort. You basically write an image to an SD card, put it into a pi and you're up and running. Although it doesn't block everything that ubo does, it does a darn good job and it's also effective for devices where ubo isn't an option. It updates the list on its own. I occasionally update it when I happen to log in to check something and I notice the software is out of date.

I don't think it's a situation where you can ditch your ad blocker if you are dead set on never seeing an ad. It may be good enough for most people though. Personally, I still run ad blockers on my devices. Other people in the household do not.

I seldom have to whitelist anything. I may not have whitelisted anything at all. I have blacklisted a few extra domains - things like analytics requests for IoT devices. I don't recall a time that something didn't work and I had to fiddle with the pi-hole to fix it. It's been very low maintenance and very effective in my experience.


What is "ubo"?


uBlock Origin, an ad-blocking add-in for browsers.

https://en.wikipedia.org/wiki/UBlock_Origin


Thanks, haven't seen it abbreviated that way before.


uBlock Origin


It's a layer of defense, to be used with other layers. It should not be used as the sole solution. I don't use PiHole but I use a similar manual setup using dnsmasq, but also employ browser-based adblocking.


Your fourth sentence is what strikes me as really important. All this discussion about adblockers will not work if Google develops technologies to embed their ads directly inside content providers. It's going to be a race to see if ad blockers and the reliant technologies are faster than Google.


Over 50% of my DNS queries get blocked by the pihole [0]; and I've seen it much higher. Like you said, it's one of the most prized devices on my network.

[0] https://i.imgur.com/dPZzYjL.png


That's fascinating.. I would love to know what the averages are across a wider range of users..

In contrast, For my home network, it's just under 15% of queries that get blocked. I've got 3 Macs, a Windows 10 machine, an Apple TV (all connected 24/7) and a handful of iOS devices that hop on and off the network.

My blocklist contains ~114k domains I believe.


I get about 15% of queries blocked with 3 Windows laptops, 2 Android phones, 1 iPhone, and a smart TV. I do run most of the traffic generated for work through work VPN though, and that tends to be the largest source of traffic (about 80% by data volume), which completely ignores local DNS.


Some of it may be various IoT devices that are aggressive in retrying when they can't reach their census servers.


28-30% here about ~114k domains also, 5 devices


60+% blocked here - mostly do to my Roku tv and all its logging.


Haven't you noticed any drastic reductions in speed?

My rpi 3b (not 3b+) just couldn't handle it. It had 2 users. Our DNS resolution times increased by about 200ms. It was awful. I stripped it back out and haven't bothered trying to set it up again.

(Other details: the RPI was hardwired, wireless disabled, and it was a fresh raspbian install with zero customization outside of adding pihole.)


I would say that you may have a setup issue with your router. My resolution times decreased when the pi-hole is providing DNS responses. I have 30+ devices on a 3b+. I'm using a UniFi setup and both WAN and LAN point to the pi-hole local ip address.


I'm running a pfsense setup with cloudflare as my DNS (DNS-over-TLS, in specific). As soon as I had the rpi in the middle, it jacked up resolution times like crazy (rpi was set to use my SG as its DNS, so <clients>->rpi->pfsense->1.1.1.1

It's good to know you guys haven't been having problems; I thought everyone was just fucking nuts or something, but no; local problem. Sigh.


If you're using pfsense, why not just use pfBlockerNG-dev?


Ugh. I tried. Somehow when I first configured it, I configured something incorrectly - and it literally stopped all connections to or from the router entirely. I had to physically connect to it and uninstall the pkg to get it to work again.

I wanted to try it again and NOT do what I had done previously, but I think a conf file is still floating around because the second I install pfBlockerNG(maybe -dev too? I actually can't remember now), my entire network instantly goes down and won't come back until I remove the pkg again.

I don't know enough about BSD's package manager or where pfsense puts package conf files to try to track this down and stop clean it out. I'm sure I COULD figure it out, but I have other projects that are higher priority :)

Edit: I should also note when I was trying to figure this out I had a very angry spouse standing behind me burning holes into the back of my head because the network was down, so I didn't make a priority of really looking through logs and trying to properly diagnose things. I just wanted things to be up so that I wasn't slain.


Same here. Absolutely fine.


I have my router setup to act as a dns resolver and cache, with the pi-hole (rpi 3b) upstream. This fixed my speed issues as only a few queries actually make it to the pi-hole.

The router has a secondary dns server as well in case the rpi goes down (which has happened ~2 in the last year or so) or I need to fiddle with it.


I just run it on an ubuntu lxc guest on my home server. Works like a treat, gets backed-up like the other services and easy to replicate.


I have an old desktop in my basement running Ubuntu with PiHole (and some other things). My router is still the DHCP server, but distributes the PiHole machine as the first DNS server. I haven't noticed anything being slow.


Agreed, I combined this with Cloudflare's DNS service (1.1.1.1). A great combo.


What are the advantages of using Cloudflare's DNS as opposed to say Google DNS or your ISP? Tracking?


Due to the architecture of DNS, DNS is not end-to-end encrypted. There is a potential solution (djb's DNSCurve), but it will not be deployed. As a result, let's do an assessment.

Using Google DNS, self-hosted resolver, or your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Using CloudFlare's DNS w/ DNS-over-HTTPS: only NSA (via a NSL or subpoena), Cloudflare and CloudFlare's upstream can track and see your requests. And I guess 10%-20% of the domain names already use CloudFlare, so for some domain, it's end-to-end encrypted, nobody but NSA and CloudFlare can track you. Even better, Cloudflare is experimenting with peering to upstreams (e.g. Facebook) using private encrypted connections, so the point-to-point encryption ratio would be even higher in the future.

Therefore, using CloudFlare is a net positive.

But one also needs to consider its second-order effect: is giving CloudFlare more leverage over the Internet infrastructure in the long run an acceptable choice over unencrypted DNS? I guess everyone has a different opinion.


Wait a minute... First Google DNS provide both DNS-over-HTTPS and DNS-over-TLS, second Pihole (or should I say dnsmasq, or FTL the name of their dnsmasq fork) does not support forwarding DNS query request to upstream using neither DNS-over-HTTPS and DNS-over-TLS.

In any case, if you really want a full solution, build your own https://github.com/yegle/your-dns


> Using ... your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Technically speaking the NSA wouldn’t be seeing your DNS requests, they would be seeing your ISP’s, for all its users anonymised.

If you use Cloudflare or Google DNS directly from home (or your own resolver), then yes, the NSA and anyone else can track your individual DNS requests directly.

In that regard using your own ISP’s DNS is clearly superior.


*if you are using plaintext DNS query. Both Google DNS and Cloudflare DNS support encrypted DNS query over TLS and HTTPS.


What threat model does concealing DNS but not indirecting traffic via Tor address, given that Tor can also tunnel DNS? Cloudflare's not wrong that the DNS requests are hidden, but many classes of observer who could read your DNS request could also see you connect to the resting host?

Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?


Cloudflare has also rolled out ESNI (https://www.cloudflare.com/ssl/encrypted-sni/) which would mean someone reading your traffic would only be able to tell that you're connecting to a cloudflare IP address.

However be unable to determine which specific site you were accessing.


What does that accomplish?

As opposed to Tor use, specifically?


Well it to me has a few use cases that are reasonable.

a) Used where Tor is unacceptable, such as some university networks, and workplaces where using anonymization such as Tor/VPN is prohibited by policy.

b) When using Tor protecting yourself from the Tor endpoint collecting information / statistics on what you are visiting.


Why do you want to present a false sense of improved privacy by only obfuscating your DNS queries in these networks?

It seems to me like these DNS tricks are parlor tricks in a security sideshow. Any attacker that could see your packets can also see who you are connecting to. It's pretty rare that SNI does anything relevant to a real threat model.

I think a false sense of privacy is at least as dangerous as the alternative.


>Any attacker that could see your packets can also see who you are connecting to.

Yes they'd see that you're connecting to one of the largest reverse proxies in the world.


Cloudflare scaled up massively so quickly when they started offering cdns a decade ago.

I judged the company in a negative light when their ceo or cfo wrote an open letter rationalizing their ban silencing some obnoxious website over political belief virtue signaling.

A company that crushes free speech cannot be trusted.

I don’t even remember what the obnoxious or offensive website was but I know that offensive speech is protected speech.

Autocratic technocracy centralized into a few digital monopolies wrap our wrists into digital slave chains labeled “free”.


The first amendment applies to government censorship only.

Cloudflare is not the government. A business can choose not to service someone based on almost any criteria, that's not "crushing free speech". You can then choose not to patronize the business based on that policy. This is an important part of a free market.


Speed and tracking. Cloudflare claims they don't keep logs


>Cloudflare claims that they don't keep logs

Emphasis on 'claims', sadly we have no way of verifying that they don't actually keep logs.


Speed.


I would like to use Cloudflare DNS but they have a bug open with archive.is so you can't see archived links if you use them.

https://community.cloudflare.com/t/1-1-1-1-does-not-resolve-...


The problem I have with Pi-Hole is that it is sometimes a pain for the end user. It's impossible to fine tune it on the user side, like one can do with ublock origin.


is there any security concerns with the pi itself? say your computer is infected with a really bad malware. it takes over your host, ignores your right to block out noise, and then the idea that pi-hole will be able to as a last resort block it out?


Some devices use hard coded DNS (looking at you G). You can force devices to use the pi-hole via masqurading. In you example, you'd be able to see the malware requests show up in the pi-hole interface.


[tinfoilhat] Given that Chrome now became Google's weapon against adblocking, how long until it starts refusing to use Pi-hole specifically?

https://news.ycombinator.com/item?id=20044430 [/tinfoilhat]


This is the dark side of DNS-over-HTTPs: it prevents the network operator from changing what is received by browsers. Sometimes this is legitimate, as in Pi-hole.

Paul Vixie got very upset when he discovered that his chromecast bypasses local DNS settings to go directly to Google: https://news.ycombinator.com/item?id=19170671

I wouldn't be surprised if soon Chrome defaults to DNS-over-HTTPs direct to base, except for the corporate intranet version. They just need to work out how to deal with wifi captive portals.


The problem is two mutually incompatible use cases:

1) trusted endpoint / untrusted network (laptop in a coffee shop)

2) untrusted endpoint / trusted network (chromecast/alexa/other corporate zombie on your home network)

Which category a given scenario falls under depends on who you ask - to Google, Chromecast is in the first category. I don't know if it's possible to design a system that somehow always favors the rights of the individual.


Damn, this is a good point. Just because of network architecture, ultimately somebody-- either the client or the network-- has to have the Final Word on where DNS requests go, and either way opens people up to attacks depending on the scenario. If the client has the Final Word, you can't stop your Chromecast from talking to 8.8.8.8; if the network has the Final Word, you can't trust DNS on foreign networks or use your own resolver.


> I don't know if it's possible to design a system that somehow always favors the rights of the individual.

This is why people keep objecting to technological solutions to social problems. Adblocking is a stopgap technological solution (although very effective at the moment); properly protecting the rights of the individual requires a social and legal process.


I disagree. Technical solutions are largely preferable. Political solutions are feeble and can be changed on a whim.

If the NSA has the capability to sniff vast amounts of network traffic, encrypting that traffic is a much stronger defense than telling the NSA they aren't allowed to deploy the capability for the time being.

If Chrome insists on using its own DNS or removing the adblocking API for add-ons, one can just use another browser like Firefox that has the desired technical capabilities. Managing DNS lookups and HTTP requests are not "stopgap" solutions, they are basic functionality that any one entity can't eradicate.


It's a big concern. I can block DNS on my network (except for pihole), but I can't block QUIC, and certainly not HTTPS or TLS. If I know about an IP ahead of time, I can block those, but who's to guarantee that Google or any other nefarious service would always use a well known IP for DoH?


How would devices use the obscure DoH IPs, there would have to be a method to update/lookup said IPs. That same method could be used to keep an up to date block list.

Alternatively, the traffic could be subject to heuristics to identify DoH connections.


could setup a small firewall (pfSense) that routes all DNS queries from connected devices to your own DNS server.


Not with DNS-over-HTTPs and certificate pinning you can't, because the certificate check would fail.

(That would be a very annoying thing to do in a device or browser, but it's certainly possible)


Exactly, the only choice is to root the device or return it as defective.


How would a web browser know which DNS it's using?

You set your DNS preference to point to the PI-hole and it should behave like any other DNS server. I guess it could attempt to resolve some spam domain like doubleclick.net and if it was incorrect it could complain...


There is a clear and definite trend of taking DNS out of the user's control, see all the hype with DNS over HTTPS etc etc.

Firefox is working on using DoH (opt-in at the beginning, but who knows) from "select" providers. Chrome has a similar switch, surely. Same with Android 9, opt-in DoH, but maybe it'll become opt-out or no-opt in the future.

In the name of privacy and security of course, but with the totally unintended side effect of users unable to dodge ads via DNS/hosts. Interesting, no?


The argument you are making is a huge stretch.. Cloudflare is one of the bigger driving forces for DoH and they have nothing to do with ad revenue. Claiming that DoH is some sneaky way to get rid of things like pi-hole is just ridiculous.


DoH in itself is not sneaky, no more than ping is. The push to centralise DNS resolution in the hands of a few questionable actors is and this is what is happening.

Cloudflare for example would absolutely love to know what you're up to all day; and because they can now correlate data from their "omnipresent" WAF with the data from 1.1.1.1 they could get some interesting information... And believe you me, they're not sending it to /dev/null.


Cloudflare makes a pretty specific statement against what you are saying:

"1.1.1.1 does not mine any user data. Logs are kept for 24 hours for debugging purposes, then they are purged."

Are you claiming they are lying?


I'm all for assuming the people who work there are good eggs with the best intentions, but Cloudflare, Inc. is a U.S. company. As I understand the U.S. legal landscape with regards to data and privacy protection, they could be forced to lie at a moment's notice and not talk about it.


So far as I know there is no legal way for the US to make a company lie about its activities. That is the basis of warrant canaries, which have not been tested in court yet. You can find cloudflares https://www.cloudflare.com/transparency/.

They could be forced to not talk about something via a gag order.


I'm not claiming their lying or doing anything internally that is different. There is just nothing stopping the change from happening, now that the possibility exists


I'm claiming I don't believe them. They could write on their page whatever they see fit and do a completely different thing internally.


> There is a clear and definite trend of taking DNS out of the user's control, see all the hype with DNS over HTTPS etc etc.

It seems absurd that these companies are blurring the line between software and malware.

Software vendors are going to have to start paying for the bandwidth they use on networks against the will of the network operator.


some of their products already have hardcoded Google DNS. see

https://www.reddit.com/r/googlehome/comments/8917ci/google_h...


They could force Chrome to use Google's DNS over HTTPS.


Sure, but what's to stop any application from choosing some other DNS to use?

There was a bit of controversy about FireFox doing exactly that. https://yro.slashdot.org/story/18/08/05/2353249/security-res...


While you're at it, add Blokada to your Android device and it too will eliminate the need for uBlock Origin or Ghostery in Chrome on Android since it's operating outside of the browser's sandbox. Or use Firefox on Android and continue using the ad block plugins it provides. Hopefully Firefox doesn't go away anytime soon...



Conceivably we could take a harder line on this, if we get a little deeper into the routing. We could make it so we only whitelist IP addresses outbound if we saw them come back through our DNS server, and network block everything else. Then if you bypass my DNS server, you don't get to talk to the Internet, unless you directly pick an address that something else has whitelisted that way.

I'm thinking about this, and feeling like the PiHole is a nice start, and I mean that sincerely, not sarcastically or dismissively, but what we need is a whole-house reverse firewall with that sort of capabilities, including everything the PiHole already does. If you did TLS interception, you could also pretty much implement uMatrix at the household level, for instance.


Interesting, interesting. Note that long DNS TTLs will break this: your DNS server needs to hand out artificially short TTLs so that clients will keep re-querying (within the local network).


I was also considering going the opposite direction and given extremely long permissions to the IP in question, i.e., longer than any practical DNS TTL. In general, I'm not too worried about a good IP becoming bad, and if an IP can be both "good" and "bad" this way I'm not going to block it with this technique anyhow. It'd be a potential hole, but if this non-existent project got to the point that it was being that directly targeted, that'd only mean we got pretty successful to even get to that point. :)

I should probably make an explicit point that I left implicit; I'm interested in anyone popping up and telling me "Hey, this thing exists already and it's http://...".

(I find myself wondering if I finally found my Rust project...)


It already does. This is the purpose of putting a DNS-over-HTTPS resolver into the browser, so you can't bypass it with local resolvers.


So you block access to Google's DNS (except for your local DNS server) on your router.

And so the arms race continues.


Couldn't I sign my own pi-hole and add the certificate to my phone/computer?


No use if e.g. Chrome hardcodes Google's servers and ignores the system ones.


Could you hardcode the ip addresses in your own NAT?


This is, in fact, already sometimes necessary since there are things that will hard code 8.8.8.8.


Chrome's future crippled adblocking support is still more powerful than pi-hole.


Why hasn't anyone, or pi-hole themselves, made a public DNS that does this? Pass everything not on the blocklist thru to 1.1.1.1.

The fact that this requires special hardware, bash commands, etc is severely limiting the audience. The more people blocking ads the quicker the internet changes.

Edit: thanks for the replies!


They have: nextdns.io

There was discussion a few days ago: https://news.ycombinator.com/item?id=20012687


I'm slightly concerned about routing my traffic through a non-major player in Anycast when I don't control the routing or software. I'd be worried it's quite an easy target for someone to do some DNS hijacking or packet sniffing.

There's a certain level of trust when I use 1.1.1.1 or 8.8.8.8. I'm unwilling to take the risk for this solution. I'm not sure what would help in the trust department to legitimize a solution like this.


This is why you should use their DNS-over-TLS or DNS-over-HTTPS service instead of standard DNS.

Route hijacks can happen to anyone, even Cloudflare or Google. If anything they're more likely to be targetted than a smaller player like Nextdns.


The difference is one has a dedicated security team and the other does not.


What does a security team have to do with network routing?


There are a few services that are public DNS with ad blocking, but now you're trusting them with private data. The plus side is that you don't have to run anything yourself.

I run my own knot-resolver server that forwards everything to 1.1.1.1 over TLS and I generate an .rpz that is basically the same filter list as pihole. Most DNS traffic ends up at Cloudflare, so you may as well go straight to the source.

https://gist.github.com/jzelinskie/3d2b11830224993fc8a7441b3...


It doesn't require special hardware. Anyone running their own resolving nameserver can do it with two parts:

include "/etc/bind/ad-blacklist";

/etc/cron.daily/update-ad-blacklist

or equivalent for unbound, maradns.... whatever.


AdGuard DNS does something like this.


Just to be clear, what change are you expecting to happen? Not /s.


This is a good question.

I am not the relevant commenter, but what things would you expect to not change in a scenario where a majority of websites lost all ad revenue. (As admittedly unrealistic as it sounds the same was once true re moon landing and here we are, debating viability of not ruining our lives with advertising.)


Most of the blogs and content aggregation sites shrivel up and die. A bunch of pay walls go up around the good content ppl would actually pay for. There's less crap on the internet because there's less spying to make the crap profitable. Everyone claps.


I think your vision just concentrates the spying power into the hands of a few. Is that ideal? Additionally, a pay-to-play model would essentially make the internet only relevant to those with privilege and money.


pi-hole as a service. How much would that cost / month?

Or could fund it with some targeted ads. Oh, wait.


I have a Vultr instance that costs me $2.5 per month. Pi-hole doesn’t consume too many resources. While I’ve not done any math, assuming I can handle 10 ppl browsing at the same time, my cost per person is 25 cents a month. Assuming other overheads(my time etc.) and some margin , I’d say a dollar a month ? For better effect , I’ll say 1.49 per month ;-)


If you're running some type of hypervisor (ESXi, Proxmox, etc.), you can create a tiny VM running Debian and load Pi-hole on it. No need for extra hardware and wires.


I run mine on exactly that: a Dell R720 sitting on a rack next to my desk from within a Debian 9 virtual machine inside ESXi.

I actually want to do the opposite: transition this to dedicated hardware (like a Pi, but worried about performance) that is a little less noisy. This is shockingly quiet for a 2U but I am a stickler for silence.

Some pix: https://imgur.com/a/0xwcfNN


I use ESXi and one of the VMs is pfSense. pfSense has an additional software package called pfBlocker, which is highly configurable and just plan awesome for blockings ads/trackers/etc for the LAN. pfSense has tons of other options - I setup a vLAN and all of my IoT devices are segregated onto it. That way they can't interact with the rest of the devices on the LAN.


Yep... my pfSense is virtualized, too. I need to get pfBlocker configured, but pi-hole works so well, I'm too lazy to do anything about it! I'm also working on an IoT VLAN - that Ring doorbell is a chatty Kathy!


With all the fervor around ad-blocking what I fail to see is how do you propose those sites that you visit, read their content to make money ? Are you willing to pay every site you visit or encourage them to put up pay walls ??


What's wrong with the "old" way, where you visit a Mopar automotive related website and saw Mopar car part ads? Or when you visit a computer magazine and saw ads for computer parts? Or when you went to NYT and saw basic shit like paper towels and fall fashion?

It became a problem when everyone and their sister started needing to know what kinds of kinks I'm into just to sell me dish detergent.


This is hilariously accurate.

I've been predicting for a while now that sites would fall back to the old television show model "RockAuto presents MustangForums.com" or something to that effect.

Instead, we get a dancing Albert Einstein begging us to take IQ tests.


This is in fact very popular among both YouTube channels and podcast producers. It makes a lot of sense for an advertiser to pick a producer who matches their market and have that producer create an in content advertisement. I am fine with this. The content producer wins, the advertiser wins, and the viewer wins by getting better ads by someone they want to support.


One big problem with entirely static ads is that websites are global but the ads running on them are for brands that are likely local (at least to a specific country.) If I visit the NYT website in e.g. Norway, should I still see ads for an American brand of paper towel that doesn’t exist here; or should I see ads for Norway paper towel brands?

The flip-side of this is that I’ve noticed that YouTube shows me PSAs from my own municipal government (“there’s an election soon” ads, “we’re building a new piece of civil infrastructure” ads, etc.) I actually kind of like that; I don’t have cable, so it’s not like I would see them anywhere else.

The entirely-static ads model does work when the consumption of the media is entwined with the consumption of the advertised brands, though. For example, a podcast can certainly advertise its own tour, since—given that you’re listening to the podcast—you likely want to see the podcaster speak in person, even if you can’t make it there.

Or, of course, if a (global) website is just advertising another (global) website. The NYT can advertise Amazon just fine.


> If I visit the NYT website in e.g. Norway, should I still see ads for an American brand of paper towel that doesn’t exist here; or should I see ads for Norway paper towel brands?

That's still possible with static ads. The server can simply lookup your country from your IP address and serve the relevant ad, without tracking you at all.


Geotargeting can be done on the server-side without involving any trackers, 3rd-party javascript and what-not.


This is a good question that I've thought about a lot because the services who advertise with us are regional.

We fully control and host our static ads and try to keep them high quality, so I've decided that minimally using IP to loosely serve a more relevant ad is okay. MaxMind offers a downloadable Geo IP database that we use to do this and are not needing a 3rd party service for this.


This not necessarily a problem. There's nothing to stop the website operator calling out to an ad provider, with the ip/location of the user, and getting an ad to embed.

The upside for the user is that location and whatever the one site is able to determine about the user is all that can be shared. If the user hasn't logged in with their real name - that probably isn't much.


The issue is that you can make considerably more money using ads that 'track' you.

So instead of one ad being enough to pay for your content, you have to fill your website with banner ads, embedded ads, scroll over ads, animated ads, etc etc.

It's a slippery slope, more people use adblockers causing content creators to add more advertisements to generate the same amount of income. More people are bothered by the increase in ads, and download adblockers themselves. Rinse and repeat until ad supported content is unrealistic for all but the biggest of websites.

And I'm pretty sure even checking location is controversial. I've at least seen it included as part of tracking in the past.


> (“there’s an election soon” ads, “we’re building a new piece of civil infrastructure” ads, etc.) I actually kind of like that; I don’t have cable, so it’s not like I would see them anywhere else.

I don't have cable, either, but I do have a pair of rabbit ears to keep up with local news via OTA broadcasts.


Ads can still be geo-customised entirely from the server side, although that's a bit more work than just throwing an image in a directory.


This is what we do at Office Snapshots (https://officesnapshots.com).

We post about office design and our ads are primarily for office furniture or other services related to the industry. We also self-host the ads which are non-animated jpgs and sell them without using any ad networks.

What you describe works well for us :)


We started doing that too, in addition to Google ads. We deal directly with the advertiser, self host a specific ad for them. It's MUCH more profitable than Google ads. Will phase out the Google Ads soon.

Minimal work involved. A bunch of emails back and forth, where we tell them our ad size if they provide an image. Or they provide a logo and we manually ad the text if they aren't technical enough to provide a custom image.


What type of overhead is associated with this? Are you experiencing an increase in server costs? What about the resources it takes to build those relationships, maintain the content, or manage the infrastructure?

I'm very interested in learning more...


We use WordPress and plugins which offer these features so hosting and server costs are pretty minimal.

It definitely takes time and work to develop and maintain relationships, but we also get to keep 100% of the revenue. In some ways we've just decided that ownership of the relationship and process is more important than being able to quickly slap some Adsense code up on the site.

That said, we also used Adsense early on, but have been doing this for ~5 years.


I'm also wondering how revenue compares. Every one clearly seems to think that "perosnalized" ads are worth more; can you offer any insight into if you make more or less with personalized vs your approach?

People seem to have forgotten that users are most likely to be interested in what they are currently reading, because it is what their mind is currently focused on.


You can get a sense of advertising fees by looking at comparable newspaper ads and industry trade magazines. Even take a look at billboard or radio ads. Custom ads will be an order of magnitude higher that what you get from Google.


I wish I had a deep and thoughtful answer, but a simplistic one is that we do get to keep 100% of the revenue for the ads we sell so in that sense we make more.

Because our content is so specific, ads which are relevant to the content end up targeting the user because you wouldn't be spending time on the site unless you care about the content.


So how do you know how much to charge? Do you relate it to AdSense's cost plus Google's profit or you follow some other practice?


Initially I just set a price I thought was fair and have adjusted accordingly as we've grown. I do recall that the amount we received from Adsense was less than what we ended up choosing to charge for the same space.

We also sell the space per month as opposed to based on impressions or clicks so it makes it a little more straightforward.


> What's wrong with the "old" way

A couple things:

1. It facilitates a world in which only large content providers, who can afford to individually sell ads to advertisers, to exist.

There's a lot of overhead to ad sales and individual companies do not want to work with 1,000,000 providers, they want to work with 10-100.

2. It's substantially less efficient and only works for brand advertising or mass-market direct-response advertising.

One of the greatest things that Facebook and ad retargeting enabled was the rise of direct-response brands. Previously if you were selling a niche product - and most larger brands started out with a niche product - it was very difficult to reach an early audience who would be interested in purchasing your product. Facebook and Google flipped this on it's head, enabling millions of businesses to more efficiently reach customers. Facebook alone made the direct-to-consumer brand explosion we've seen over the last 10 years possible.


Tracking ads are collecting data on people without their explicit consent or knowledge. The trade in bulk personal data is a stain on the internet.

I am quite content to block these sorts of adverts and I'm not worried by the site's loss of revenue. I am not responsible for their slimy choice in business model.

Let's get back to context based adverts like DuckDuckGo use. There was no need for the internet to take this path - it only did so to rapidly monetise after the dot-com bust blew their VC funded rapid growth plans out of the water.


> There was no need for the internet to take this path - it only did so to rapidly monetise after the dot-com bust blew their VC funded rapid growth plans out of the water.

No need, aside from the trillions of dollars of economic value it created and hundreds of thousands of previously impossible businesses it created.


I don't have to care about if they make money or not.

That's not my business. If they want to make money, they'll shift to other profit models that don't involve intrusive tracking and annoying advertisements.


would you support paywalls ?


I support them, in the sense that they don't particluarly bother me. When a site asks me for money to read an article or to subscribe I tend to just close the browser tab and do something else.

The thing is, most articles are a distraction, a diversion. Something I do instead of the thing I should be doing and as such they are very very low value to me.


If the site maintains a standard level of quality of content where their paywall is worth paying, sure. But I think the vast majority of sites (think your average Medium blog, many 'news' sites, or tabloid sites) don't meet that standard, and are probably terrified of the thought of nobody willingly signing up for their subscriptions.


Patreon-paywalls are becoming increasingly popular, with bits of free content as advertising. It seems like a reasonable way to do business.


The "fervor" you mention has more to do with ads becoming ever more intrusive, third party content slowing down page loads, consuming bandwidth, and potentially being used for malware distribution than it does with wanting to take food off another person's table.

I regularly try browsing without adblocking on, and it's a constant nightmare. If sites held their advertising networks accountable to any reasonable set of standards, they wouldn't be in this situation.

The content I appreciate, I have found ways to support it.


Few of the important things on the Web are spyvertising-supported, or wouldn't promptly be replaced by something community-driven and free if they went away or became paid-only (stackoverflow, for instance). It's mostly junk.

[EDIT] to expand, I think the piles of spyvertising money funding sites & services is a big part of the decline of truly free sites and open protocols, and make running a paid site (or app, or whatever) harder since you're competing with "free" (but spying on you). Less incentive to use them, less incentive to contribute to them. The whole system's perverse and harmful and it would 100% not be the end of the world, or the end of nice things for free/cheap, if it just disappeared tomorrow.


I bought a TV that, because of the pihole, I know phones home approximately once every thirty seconds about my viewing habits.

In the world we live in something like a pihole isn't an ideological position, it's a necessity to not have everything we do end up rolling into someone else's ad profile on my household.


blocking your TV from dialing home is reasonable. You have paid for the TV and thats the end of the transaction. It would be another story if you took the TV for free in exchange for ads :)


I disable my adblocking for sites that use reasonable ads.

If I go to a site and am bombarded with pop ups, auto playing video ads, etc., then yeah why wouldn't I block them? With the malware and tracking that is often injected into ads I have no problem using my adblocker at all times and disabling it for pages that ask politely.

I'm happy to click on ads on sites that I frequent and would like to support. I think there's absolutely a balance here, and for many years the advertising industry has abused their stay.


Problem is you don’t know what’s reasonable and what’s not. It’s not based on how it looks. If may look reasonable and harmless but still send your IP and browser fingerprint to surveillance ads networks.


That's true. I suppose there's a certain amount of trust required. I really only ever disable it on sites that have a good track record with security and provide me enough value. There is risk involved though.


when they will stop abusing ad, delivering malware through unchecked ad (https://www.geoedge.com/meetus_university/65/what-is-malvert...) and respect the "do not track" then I'll rethink about ad blocking.


Have ads that relate to content, not to visitor. Like it was back in the days. When I visit a sci-fi site I'd like to see ads for sci-fi movies, books and paraphernalia. Not an ad for a pair of shoes I happened to search a week ago. Profiling is spooky and it's an offend to privacy. Not to mention that it doesn't work that well. Just because I search something on Google doesn't mean it's the only thing I'm interested in buying.


I'll turn off my ad blockers when sites stop serving intrusive CPU burning malware laden memory hogging shit to me, which will be never.


If sites actually curated the ads they display instead of saying "Give us money and we'll let you and whoever's paid you show whatever you want and run whatever scripts you want" they wouldn't get blocked by the pi-hole. I'm sick of malicious ads on even major sites because everyone's too lazy to give a damn.


Do not use tracking ads. I whitelist any site which is not using tracking/profiling ads.


I dont believe locally hosted ads are blocked.


In what other industry is the customer responsible for the company’s business model?

I choose who deserves my attention carefully. Internet ads have not earned it.


I have no idea how Netflix, HBO, PBS and C-SPAN make money without advertising, but I do know this: it's not my problem, it's theirs.


They should just find a new business model, if their currently one can be bypassed so easily.

giantbomb.com sells premium subscriptions and merch and does okay


Yes, absolutely. Let me pay them exactly the revenue they lose from my use of an ad blocker, in exchange for no ads.


Those websites designed a bad model for collecting revenue; it was based on the assumption that viewers would watch their ads out of some misplaced sense of guilt, while the ads and data collection become more and more intrusive.

It is not our responsibility to prop up their poor model. If these sites want to make their case that they won't survive without our eyes on their ads, then they can open their books for us to look at the costs and revenues and decide for ourselves whether or not we should help them. But at the end of the day, it is their problem, not ours.


you can pretty easily whitelist those sites.


Pi-Hole is a very simple DNS based blocker. You can not whitelist ad providers on a origin basis.


They didn't say whitelist ad providers, they said sites. Which you can do with pi-hole.


How does a DNS blocker know what requests are caused by what site? It's a stateless protocol.


Yeah, that was a misunderstanding on my part.

I suppose for their whitelist/blacklist to work with regex matching the ads would have to be served from a similarly named domain. Like facebook.com vs ads.facebook.com, and you'd have to whitelist *facebook.com. And if they were getting ads externally you'd have to whitelist those ads for every site that you visit.


Ad blocking via DNS is relatively easy right now because a content provider like CNN.com will use a domain like “ads.evil-surveillance-media.com” to load their ads into your browser. But what happens if all these companies switch to just using their own domain to load ads? If the ads as well as the content BOTH come from CNN.com then there will be no easy way to filter the ads out. This will be the next stage in this war between ads and adblockers.


With the prevelence of ad blocking tech, the question becomes why haven't they already?

The answer being that content providers can't be trusted to self report metrics that determine how much advertises pay. At least not for pay per view/client/etc models.

The people that self select themselves from viewing advertisements might be doing advertisers a favor. They're perhaps less likely to make purchases based on impressions//click ads on purpose; per dollar, ad campaigns might be more effective without said people.


This has been warned about for a while now and it's not actually terribly difficult for sites to implement. Why don't they? Simple - click fraud. The ad networks don't trust the sites to accurately report click numbers, so they insist on running their own code. For this reason, the number of truly first-party ads will be limited for a long while.


Adblocker plugins already do content-level filtering because of this, not just for ads but various tracking and other annoyances.

I do that for the sites that have the banner that hides if you scroll down, but pops out the moment you scroll one pixel back, or sites that put up "please don't leave me" modals the moment your cursor strays out of the window.


I'm already seeing this happen in some cases. Or they serve it from an opaque CDN alongside the functional site code.


This. Router-level blocking will become impossible without intercepting https, and endpoint blocking also gets harder.


Is it easy to disable adblocking on sites that won't work with adblockers? I like to have the option to disable adblocking in my toolbar. For example, certain bank websites, business websites, etc.


People here are gushing amazing over pihole but I don't find it that amazing in the least. In fact what you're describing is one of the most annoying parts of it. I still use it and I did donate to it but it's hardly without it's annoyances. In fact if I didn't already own one I wouldn't build another.

There isn't a chrome extension or anything to white list a site quickly. You have to go back into the interface, login, and whitelist, go back and load the page then you'll find that you needed to whitelist a few subdomains/cdns as well. This is really fun when you've got all your devices using the Pihole for DNS and you can't load something on your phone/TV and need to run to your laptop to deal with it.

If you just got your pihole you probably threw in a bunch of community generated lists and you'll find a good amount of stuff you do visit gets blocked. You can get to Google but not Google drive, so you whitelist it. And you do this over and over again until you finally get annoyed because you just want to make a car payment so you permanently disable it for 5 minutes, or 60 minutes if you've gotten annoyed enough.

Sometimes weeks will go by and you'll forget you even had it disabled at all.

FWIW, I also don't use NoScript because I find it incredibly annoying. This is one step further from the NoScript annoyance because you have to go into the webUI and make your changes.

If you don't mind NoScript you'll probably be fine with Pihole. Or if you have the time to curate and pick lists that fit exactly within your browsing habits.


Yes, there are both manual whitelists and blacklists. There are also easily accessible options for disabling the adblocker permanently or temporarily, in the latter case on a timer of your choosing e.g. for 5 minutes.


Yes, pihole has an easy to use Web interface that allows you to whitelist individual sites. You can also disable adblocking for 5 minutes, or 10 minutes, or until you tell it to start blocking again.


you can add them to your whitelist. It's available through the web interface.


File this away for the holidays, too: Pi-holes and NAS backup devices make good gifts.

I know it doesn’t sound very sentimental, but the first time I showed my relatives what the Internet looks like without ads, I think those were the strongest hugs I ever got from family members.


Are these devices maintained by someone or are they sitting there running years-old crumbling stacks?


I've just tried it via the install script they provide and it was amazing. Took me through a simple checklist of stuff automating everything it could and giving me nice Curses interfaces for stuff where it needed me. Up and running within 5 mins!


I keep meaning to set one up one of these days. Does anyone know what effect a Pi-hole has on internet speed? I play a few games where latency is a big deal, and don't really want to artificially throttle my internet.


It actually has a positive impact on the Internet speed! Your DNS results are cached locally so the latency is very low, plus blocking ads at the DNS level means you're not even downloading the ad creatives, resulting in a higher speed as well.


It shouldn't have any impact on internet speed as it only comes into the picture for DNS requests. It doesn't sit in line with your internet traffic.


It helps a great deal for web browsing. Having a DNS cache on LAN at 1ms reach speeds up browsing noticeably.


Echoing other posters. I had the same concern about throttling internet, but realized that your traffic doesn't flow through the pi-hole, just DNS requests (and those are cached). I've noticed no throttling.


Mine is both the DNS resolver and the DHCP server, due to limitations on my router, and I haven't noticed any big problems with latency/speed.


I love pi-hole. It's very passive and easy to use. My only issue was when the pi hosting it went down for whatever reason and I didn't know immediately, so I thought my ISP connection went down. I just had to restart the pi to get it going again. It's only happened once in around 6 months. And it's running on one of my older pi!


Specify a secondary DNS server to avoid your network going down due to a DNS failure. The downside to this will be that you won't know if the Pi-Hole instance goes down other than possibly seeing Ads.


I haven’t tried Pi-Hole yet but this was the impetus I needed to decide to set it up tonight.

I commented on a different post last night, that I was a bit shocked and saddened to see their Patreon is only pulling in $1,700/mo.

Do they have another significant revenue stream? Is it just too much hassle to bother signing up to Patreon to commit to even $1/mo? Do they have something on the Admin panel where users can click to pay directly?

I’m not judging, I don’t even have a Patreon account. I’m curious how such an apparently crucial and useful piece of software — one that no doubt is responsible for providing millions of dollars of value to its users, and perhaps blocking tens of millions of dollars in ads — how can the project be sustainable after 53 releases and 2,700 issues on Github while pulling in less than $24k/yr?


> only pulling in $1,700/mo.

This is an astonishingly huge amount of money for an open source project to raise directly from its users. Most open source projects get basically nothing.


I like Pi-hole but it ended up causing more trouble than it was worth for me.

First, certain streaming websites would fail and it was too much trouble to try to find the URL to whitelist.

Then after I had disabled it from the Pi-hole interface everything was fine but it wasn't actually active. No problem...until I forgot my router was using it as a DNS server and I moved and didn't set my Pi up yet. Then it took me a couple weeks going back and forth with Comcast to find out that my router was still pointing to a DNS server that wasn't running.

Somehow my FireTV bypassed the bad DNS server at one point (still no idea how this happened cause my router was routing all traffic through the IP for pi-hole) and that made me realize that I can get data from Comcast somehow so maybe it really was my router.


The pages you use the most serve some ads from their own domain. E.g. Youtube et. al.

Also beware as most ads in your phone apps come from ad intermediaries that are either dynamic or constantly change.

Pi-Hole is a cool project but please take in consideration those two when using it. We are far from the 90's in ad-tech.


Yes, this isn't the ultimate solution, but what you said is an overstatement. The biggies like YouTube, Facebook, Instagram, etc serve ads from their own domains, but almost everything else uses an ad network which can be blocked.

> most ads in your phone apps come from ad intermediaries

I don't know about the intermediaries you are talking about, but all the ad-ridden proprietary mobile apps that I use (the ones that don't self host ads) are blocked by DNS based ad blockers.

The one thing that these DNS based ad blockers can't do however, is block in page annoyances which is why using an extension like uBlock Origin is still necessary.


It depends on the ad unit in question. Ad-tech is a very tricky world with a ton of meanders and intermediaries/mediators.

Anyway good luck with that if the app is using a mediator from a big known name as it will likely block all of their services as well.


for those constantly changing ones, like youtube, we could grep all the youtube's ads-serving DNS.. see details here https://discourse.pi-hole.net/t/how-do-i-block-ads-on-youtub...

it worked pretty well


Anyone else seeing:

  [] Root user check

        \e[1;32m.;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 \e[1;31m.. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.\e[0m

  [] OS distribution not supported


I haven't moved mine off of the Pi personally, but I've read positive reports of people using Digital Ocean or similar to host PI-Hole. That could also, in theory, allow it to be used while remote or for mobile devices.


I love the idea of pi-hole. However, I run my own local DNS server already. And my DNS server is actually serving some local domains for various servers, etc. on the network. Can I in any way get the list of domains to block from the pi-hole project and use them in my own regular Bind DNS server?


Apparently it blocks some domains necessary for the Washington Post articles to load. Whitelisting washingtonpost.com doesn't remove the adblock notice :(


Can you check which domains don't resolve using dev tools and check if they are on the pi-hole block lists?


I'm running pi-hole in a docker container on an Intel NUC; no need for an actual-factual Raspberry Pi. Works great.


Pi-hole users should know that in the default configuration it allows your ISP to reconfigure your blocklists at will due to lack of authentication:

https://github.com/pi-hole/pi-hole/issues/2704


Does anyone have a recipe for using pihole via OpenVPN using docker?

I'm using this[1] but I'm surprised there isn't something more official/baked.

[1] https://github.com/mr-bolle/docker-openvpn-pihole


I just set this up yesterday, was quite easy.

https://hub.docker.com/r/linuxserver/openvpn-as/


I was looking at their github repo and couldn't immediately see where pihole gets its block lists, just a very large soup of shell scripting that seems to make a lot of assumptions about your Linux distro.

Anybody familiar with this code able to point out where it does the "interesting" work?


Can you tell from the command line what version Pi you're running? I think mine's an original B+, but not sure. I typically get sub-millisecond DNS resolution (presumably from cache).

>root@pihole:~# uptime > 17:02:51 up 587 days, 22:34, 1 user, load average: 0.03, 0.03, 0.05


cat /proc/cpuinfo


I love the pi-hole, but I can't seem to figure out how to get resolving of .local hostnames back when I use it. Like, I can no longer ping my media server at media.local, I have to use the exact IP address. Not a deal breaker, but annoying.


If you point the PiHole Upstream DNS to your router's DNS (Or whatever DNS server is hosting the .local domains) it should resolve .local hostnames again. I think by default it uses 8.8.8.8 or 8.8.4.4

https://discourse.pi-hole.net/t/change-upstream-dns-server-i...


Thanks! I've tried that, but then got switched around with what was pointing where. DNS is definitely a part of the stack that still confuses me, despite on the surface seeming somewhat simple!


Make sure Pihole has your local DHCP/DNS server setup as the first resolver. So it will check your router for example before checking externally. Then again, you might be using Pihole as your DHCP server?

Explain your setup some more and I can add more details.


Yes, there are few things like that. I think this project is a good start but needs some features like local zone support (being the authoritative NS for you local domain).


I thought .local names used mDNS. Not sure why pi-hole would interfere with that.


I was planning on installing this on my RPi3B but I wonder due to its low compute power could result in a somewhat slower experience in my home network. Could anyone comment on what his experience has been in this case?


I have set up a Siri Shortcut on my phone so that I can disable the blocking for 5 minutes very easily. Highly recommended if you have family members that occasionally need something unblocked.


How does one acquire this kind of magic?


I run pihole on Raspberry Pi with recommended block lists and it’s been an absolute pleasure. Raspberry Pi runs with a static IP I changed DNS settings the devices I want to go through pihole.


A router that I can install Pi-hole and host a VPN on would be a dream.


If your run a NAS on your network that has some extra horsepower, most of them can run containers now.

I run both pi-hole and my own DNS server inside my network as containers on the NAS. I then have my router configured to default to the pi-hole and then the DNS server.

Advantage of my own DNS server is it exclusively resolves using DNS-over-TLS so my queries are private.

Final fallback for resolution is 1.1.1.1 but based on logs my setup hasn’t hit the fallback.

I imagine you could also use a container to host VPN.


Most MIPS or ARM router CPUs are significantly underpowered to handle OpenVPN, and high-end routers are expensive now.

If you're intending to use OpenVPN, you could easily justify a basic x86 pfSense or linux router: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...


Not just a dream, but a reality: https://www.pfsense.org/. (pfBlockerNg rather than pi-hole, but I think those are equivalent in functionality; someone correct me if I'm wrong)


You don't need to run pihole and VPN from your router. With port forwarding you can use your home lab to do both.


Given how Google has, literally this morning, informed me that they're discontinuing text-only AdSense units, I can't think of a more appropriate time.


Pro-tip: pi-hole will eat SD cards in a rpi if you enable logging. Use industrial flash (e.g., seissbit) to avoid a headache every six months.


If you don't care about persistent logs, you can mount the /var/log directory on tmpfs. For example, add to your /etc/fstab:

tmpfs /var/log tmpfs nosuid,nodev 0 0


i am very much intrigued by this, atleast from consumer prespective. I am completed noob, is it "simple" enought to set up?


You'll need to be able to install Raspbian, run the install script, give it a static ip address and configure your router to use that ip address as its DNS server.


have a nanopc-t4 laying around that i wanna try for a pi-hole + opnsense install. looks like i'll need to add a usb3 ethernet card unless i want to live with 50% the line speed and putz around with tagged vlans using a single nic...although 50% of 1GBit is a lot more throughput than i can get through my isp.

anyone have this type of setup?


Anyone doing a pi-hole version for android? We all have an old phone that could be used instead of a rpi.


The issue with that is that WiFi is a lot higher latency than Ethernet (even rPi Ethernet which goes over USB) and DNS is one of those things that hurts a bit with higher latency.


You’re right, but there’s nothing stopping you from installing Pi-hole in Termux, I would think, aside from having to run a DNS resolver as a normal user and doing some messy DNS and network configuration. It’d probably be easier to set up by hand than to use Pi-hole.


Interesting. How would this integrate into a network running DNS Resolver (i.e. Unbound) in pfSense?


I assume, like everything else, Pi-Hole usage can be detected and used to fingerprint users?


Pi-hole is fantastic! I run it on my Rockpro64 at home.

Previous discussions =>

https://news.ycombinator.com/item?id=19258717

https://news.ycombinator.com/item?id=13857887


Is this available as a Synology package I could install on my Synology NAS?


Not directly but, depending on your Synology model, you can install it via Docker. I've been using it in that fashion and has been extremely stable.


Couldn't apps start hard coding DNS servers to avoid pi-holes?


Some already do (Chromecast, Google Home devices).


Pi-hole is fantastic and I will gladly donate to them.


if only pi-hole could block the in-app ads that served from the same host :( sneaky youtube, the ads are becoming more and more


Love the name and the product looks amazing.



content is blocked in non-browser locations, such as ad-laden mobile apps and smart TVs


can this block Hulu ads and maintain access?




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: