I actually have been doing some work with MaraDNS to have the ability to have a pi-hole sized blacklist. The main source of pi-hole’s blacklist is this Git repo:
That is about 60,000 hosts, so I added MaraDNS support to have up to 500,000 blacklisted names. Since it’s a speed-optimized (not size-optimized) cache, each element takes about a kilobyte of memory, so a blacklist this size takes about 60 megabytes of memory for MaraDNS to store (on a modern Core i7 7600U processor, it only takes about two seconds to load all 60,000 elements into memory), but it’s very rapid to use.
The script to take that blacklist and convert it into a MaraDNS compatible format is here:
There are ways to make the memory footprint of the blacklist smaller, but this was a quick and simple way to implement a medium sized blacklist. Finding ways to have, say, 10 million blacklist elements with a small memory footprint is left as an exercise for the reader.
My current project is to make a proper Docker container for MaraDNS.
For example, given a block list of 60,000, how many hosts on the list did your computer actually try to access? Have you ever read through one of those massive blocklists?
I use a whitelist rather than a blocklist. Similar to a firewall, I block everything by default. Then carefully choose what I allow.
This way I can see exactly what hosts I actually need to access. Makes it easy to see attempts to access ad servers, trackers, phone home, etc.
MaraDNS (OK, Deadwood) can handle white lists too:
upstream_servers = {}
upstream_servers["."] = "192.168.253.253" # Never answers
upstream_servers["good-domain.example.com."] = "9.9.9.9"
upstream_servers["whitelist-entry.foo."] = "9.9.9.9"
# And so on
The downside is that the code currently only supports 20,000 elements added this way.
I am a djbdns user. I also use nsd and unbound. I do not use "upstream" third party DNS, such as 9.9.9.9. Surprised to hear that anyone still uses MaraDNS.
What I am curious about are these massive blocklists. Does anyone actually read through them? Does it make sense to block 60,000 hosts when only, say, 100 or even 1000, ever stand a chance of being accessed by a user's computer -- due to the user's particular usage habits?
Well, why not? 60,000 isn't a huge amount for a modern computer. If they're known to contain ads/trackers you want to block, then why not include them?
It might make sense though to do a periodic run through them to see if they still exist.
In my experience, using an upstream server is faster and more reliable than having a DNS server on a home network recursively resolve the name. That said, MaraDNS/Deadwood does have full recursion support, which resolves correctly over 99.9% of domains, but there is that .1% or less of misconfigured domains which only resolve when a recursive DNS server is bug-for-bug identical to BIND.
NSD/Unbound are good DNS servers, as is the newer Knot DNS suite.
djbdns was really good in the early 2000s, but hasn’t been updated since 2001 and its age is starting to show. Yes, there are third party patches, but forks of the djbdns codebase have this annoying way of getting abandoned after a couple of years. I’ll probably end up doing basic maintenance of a djbdns fork just so there’s something getting minimal maintenance available to download.
I do not do recursive lookups at home. I store the DNS data I need in custom zone files. Once I have the data stored, this is faster than recursive lookups, especially with tinydns listening on localhost. djbdns works great for me year after year. I would never use MaraDNS.
Each cache entry needs a hash bucket so we can look up the entry in O(1), and we need more hash buckets than entries to minimize cache look up time. The hash bucket needs a copy of the element for each hit (to verify we hit the correct hash bucket), and a possible link to the next hash bucket, just in case we got a hash collision (we still need to store that link in memory as a null pointer regardless). [1]
The strings are special structures which allow binary data to be stored in them and which protect against buffer overflows, so they take up more room than a normal string.
Since the cache is a dynamic LRU cache (blacklist entries are not in the circular LRU, of course, but the cache was designed that way) for temporarily storing correct DNS answers (with overhead because, yes, each entry has among other things a 64-bit expire timestamp), each entry is created or removed with multiple malloc() and free() calls, so there’s some page size overhead there.
Like I said, there are ways to make a blacklist have a smaller memory footprint, by using a special data structure which trades speed for size, [2] but for a two-day coding project, it made more sense to just add them to the speed optimized LRU cache the code is built around.
[1] As an aside, the hash compression algorithm came out before SIP Hash, but, like SIP Hash, has protection against an attacker finding hash bucket collisions. If I were to write the code today, I would use SIP Hash.
[2] Here is how I would do it: I would have two blocks of data. One block is an array of offsets (pointers, but not C memory pointers) to data in the second block, and the second block is a bunch of NULL-terminated strings compactly stored. The array of offsets is a sorted list, where the sort key is the string each element points to. I would then do a binary search every time I wanted to see if an element is blacklisted. Memory overhead is, for 10 million entries with an average length of 15 bytes per string (including the NULL), 30 million bytes for the offsets and 150 million bytes for the strings, so we could store 10 million entries in under 200 megs. Speed is O(log2(N)) instead of O(1) but we save a lot of memory. We would need more memory to sort that list, but we could store this block as a binary file which is made on a host with a lot of memory, but read on our Raspberry Pi or old Netbook. Again, doing this is left as an exercise for the reader, and I’m sure there’s a lot of public domain or otherwise open licensed libraries which have already solved this problem. If I were to go down that path, I would probably use sqlite, but am a bit reluctant to add sqlite to a tiny program which can compile to be under 70k in size.
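The "two blocks" layout from footnote [2], written out as an added example. This is not MaraDNS/Deadwood code and not the commenter's; it assumes names are already lower-cased with no trailing dot, uses 4-byte offsets where the footnote budgeted 3 (so 10 million entries cost about 40 MB of offsets plus the strings), and adds a parent-domain walk because blocklist entries are normally meant to cover everything under the listed name. The sample list in main() is constructed for the example.

```c
/* Added example, not MaraDNS/Deadwood code: names packed NUL-terminated in one
 * buffer, a second array of offsets into it sorted by the name each offset
 * points to, and a binary search over the offsets for lookups. Assumes names
 * are lower-cased with no trailing dot. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *pool;        /* packed NUL-terminated names */
    size_t pool_len;   /* bytes in pool; must stay below 4 GiB for uint32_t offsets */
    uint32_t *offsets; /* sorted by strcmp() of the name at each offset */
    size_t count;
} blacklist;

/* qsort() has no user-data argument, so the comparator reads the pool through
 * this file-scope pointer. Not thread-safe while building. */
static const char *g_sort_pool;

static int cmp_by_name(const void *a, const void *b) {
    return strcmp(g_sort_pool + *(const uint32_t *)a,
                  g_sort_pool + *(const uint32_t *)b);
}

/* Build the two blocks from an array of names. Returns 0, or -1 on OOM. */
int blacklist_build(blacklist *bl, const char **names, size_t n) {
    size_t total = 0, pos = 0;
    for (size_t i = 0; i < n; i++) total += strlen(names[i]) + 1;
    bl->pool = malloc(total ? total : 1);
    bl->offsets = malloc(n ? n * sizeof(uint32_t) : sizeof(uint32_t));
    if (!bl->pool || !bl->offsets) { free(bl->pool); free(bl->offsets); return -1; }
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) + 1;          /* include the NUL */
        memcpy(bl->pool + pos, names[i], len);
        bl->offsets[i] = (uint32_t)pos;
        pos += len;
    }
    bl->pool_len = total;
    bl->count = n;
    g_sort_pool = bl->pool;
    qsort(bl->offsets, n, sizeof(uint32_t), cmp_by_name);   /* the build-time cost */
    return 0;
}

/* Exact-match membership test: O(log2 N) strcmp() calls, no allocation. */
int blacklist_contains(const blacklist *bl, const char *name) {
    size_t lo = 0, hi = bl->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = strcmp(bl->pool + bl->offsets[mid], name);
        if (c == 0) return 1;
        if (c < 0) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Blocklists usually mean "this name and everything under it", so also try
 * each parent: cdn.ads.example.com -> ads.example.com -> example.com -> com */
int blacklist_matches(const blacklist *bl, const char *name) {
    for (const char *p = name; p && *p; ) {
        if (blacklist_contains(bl, p)) return 1;
        p = strchr(p, '.');
        if (p) p++;
    }
    return 0;
}

/* Bytes held by the two blocks themselves (excludes the struct and malloc overhead). */
size_t blacklist_bytes(const blacklist *bl) {
    return bl->count * sizeof(uint32_t) + bl->pool_len;
}

void blacklist_free(blacklist *bl) {
    free(bl->pool); free(bl->offsets);
    bl->pool = NULL; bl->offsets = NULL; bl->count = bl->pool_len = 0;
}

int main(void) {
    /* constructed sample list; a real one would be read from a file */
    const char *names[] = { "tracker.example.net", "ads.example.com", "b.example.org" };
    blacklist bl;
    if (blacklist_build(&bl, names, 3) != 0) return 1;
    printf("cdn.ads.example.com blocked: %d\n", blacklist_matches(&bl, "cdn.ads.example.com"));
    printf("example.net blocked: %d\n", blacklist_matches(&bl, "example.net"));
    printf("data bytes: %zu\n", blacklist_bytes(&bl));
    blacklist_free(&bl);
    return 0;
}
```

Because both blocks are plain arrays, the sorted result can be written to disk as-is and mmap()'d on the small box, which is the "sort on a big host, read on the Pi" split the footnote describes; the sort is the only step that needs the extra memory.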
Since you have the complete set of blacklist entries each time you distribute it, you could compute a perfect hash (zero collisions, no buckets needed) each time you updated the list.
Yes, we could also store the blacklist as a perfect hash, which would probably give us roughly the same memory usage with O(1) performance. But it would have to be a separate hash than the LRU dynamic hash used for storing DNS entries.
Yes, there are dynamic perfect hashes, but they are too slow when we update the hash with each lookup, a common use case with DNS.
Instead of building hash tables with buckets (and a linked list in case of hash collision), why not use a flat array based hash table and open addressing?
I actually tried that with MaraDNS in the pre-1.0 days (in case of collision, go forward in hash array N elements until there is no collision).
The problem is that it works really great for static data, but doesn’t work for dynamic data as cleanly as using a linked list to handle collisions.
The one thing I would do differently is that Deadwood (MaraDNS’s recursive/blacklist DNS server) adds individual elements with malloc() and removes them with free(); doing things that way is OK for relatively small data sets on a desktop class computer, but some embedded systems don’t handle the stress of a lot of malloc() and free()s very well, and doing it that way uses a significant amount of memory per element.
We’re using the same hash to both store blacklist data and cache dynamic DNS data. Yes, we could put the blacklist in a separate data structure, but doing it this way made adding blacklist support a one-day instead of a two-month (shorter, if I use something like sqlite) project.
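To make the "works for static data, not so cleanly for dynamic data" point concrete, here is an added example (not MaraDNS code, which uses chaining) of a flat open-addressing table with linear probing. The part that bites under a cache's insert/expire churn is deletion: a deleted slot cannot simply be cleared, because that would break the probe chain of every key placed past it, so it becomes a tombstone that lookups must keep probing through until the table is rebuilt. Keys are borrowed pointers and the table size is a constant; both are simplifications for the example.

```c
/* Added example, not MaraDNS code: open addressing with linear probing and
 * tombstone deletion, to show the bookkeeping a chained table never needs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 16u    /* power of two so index = hash & (TABLE_SIZE - 1) */

typedef enum { EMPTY = 0, LIVE, TOMBSTONE } slot_state;
typedef struct { slot_state state; const char *key; } slot;
typedef struct { slot slots[TABLE_SIZE]; size_t live, tombstones; } oa_table;

static uint64_t fnv1a(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 1099511628211ULL; }
    return h;
}

void oa_init(oa_table *t) { memset(t, 0, sizeof *t); }

/* Returns 0 on success (or if the key is already present), -1 if full. One
 * slot is always kept EMPTY so that unsuccessful probes terminate. */
int oa_insert(oa_table *t, const char *key) {
    if (t->live + t->tombstones >= TABLE_SIZE - 1) return -1;
    size_t i = fnv1a(key) & (TABLE_SIZE - 1), first_tomb = TABLE_SIZE;
    for (;; i = (i + 1) & (TABLE_SIZE - 1)) {
        slot *s = &t->slots[i];
        if (s->state == EMPTY) break;                        /* key is absent */
        if (s->state == LIVE && strcmp(s->key, key) == 0) return 0;
        if (s->state == TOMBSTONE && first_tomb == TABLE_SIZE) first_tomb = i;
    }
    if (first_tomb != TABLE_SIZE) { i = first_tomb; t->tombstones--; }  /* reuse a grave */
    t->slots[i].state = LIVE; t->slots[i].key = key; t->live++;
    return 0;
}

/* 1 if found, 0 if not. *probes receives the number of slots examined. */
int oa_find(const oa_table *t, const char *key, size_t *probes) {
    size_t i = fnv1a(key) & (TABLE_SIZE - 1);
    for (size_t n = 1; n <= TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        if (probes) *probes = n;
        const slot *s = &t->slots[i];
        if (s->state == EMPTY) return 0;
        if (s->state == LIVE && strcmp(s->key, key) == 0) return 1;
        /* TOMBSTONE: keep probing, the key may sit further along the chain */
    }
    return 0;
}

/* Deletion leaves a tombstone; clearing the slot would hide later keys. */
int oa_delete(oa_table *t, const char *key) {
    size_t i = fnv1a(key) & (TABLE_SIZE - 1);
    for (size_t n = 0; n < TABLE_SIZE; n++, i = (i + 1) & (TABLE_SIZE - 1)) {
        slot *s = &t->slots[i];
        if (s->state == EMPTY) return 0;
        if (s->state == LIVE && strcmp(s->key, key) == 0) {
            s->state = TOMBSTONE; s->key = NULL;
            t->live--; t->tombstones++;
            return 1;
        }
    }
    return 0;
}

/* The cleanup a chained table never needs: re-insert the live keys into a
 * fresh table so the tombstones disappear. */
void oa_rebuild(oa_table *t) {
    oa_table fresh; oa_init(&fresh);
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (t->slots[i].state == LIVE) oa_insert(&fresh, t->slots[i].key);
    *t = fresh;
}

int main(void) {
    oa_table t; oa_init(&t);
    const char *names[] = { "ads.example.com", "tracker.example.net", "cdn.example.org" };
    for (int i = 0; i < 3; i++) oa_insert(&t, names[i]);
    oa_delete(&t, "ads.example.com");
    size_t probes = 0;
    printf("found tracker: %d in %zu probes; live=%zu tombstones=%zu\n",
           oa_find(&t, "tracker.example.net", &probes), probes, t.live, t.tombstones);
    oa_rebuild(&t);
    printf("after rebuild: live=%zu tombstones=%zu\n", t.live, t.tombstones);
    return 0;
}
```

For a static blacklist built once, none of the tombstone handling ever runs and the flat table is as good as the commenter says; for a cache that inserts and expires entries on every lookup, the rebuild has to be scheduled somewhere, which is the cost chaining avoids.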
> Finding ways to have, say, 10 million blacklist elements with a small memory footprint is left as an exercise for the reader.
In case the reader is interested (and this may not be what OP had in mind): In trading memory gains with computation, this is how I squeezed ~4M entries in less than 30 MiB:
1. Compress (reversed) individual entries using a dictionary or entropy encoder. I experimented with Shoco [0], Femto [1], and a modified LZ78 [2].
2. Create a bloom filter for membership checks, [3] or any probabilistic structure for that matter, like the xor-filters [4]. This prevents expensive but unnecessary lookups.
3. Insert the compressed (reversed: google.com -> com.google) entries into a radix-tree [5]. You could use a directed-acyclic graph (DAG), if you don't need to store key-value pairs.
4. Compact [6][7] the radix-tree [8] (compacting a DAG might be super complicated).
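Steps 2 and 3 above, as an added example that is not the commenter's code and uses none of the Shoco/Femto/radix-tree libraries cited: a Bloom filter keyed on the label-reversed name (google.com -> com.google), so the filter and the tree behind it share one key form. A "no" from the filter is final and skips the decompress-and-walk; a "maybe" must be confirmed by the real structure. The query path also checks each parent of the name, since an entry for example.com is meant to cover cdn.ads.example.com. The sizing in main() (65536 bits, k=7) is an assumption for the tiny sample list; for a real list the usual rule of about 10 bits per entry with k=7 gives roughly a 1% false-positive rate.

```c
/* Added example, not from the comment above or any named library: Bloom
 * prefilter over label-reversed DNS names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *bits;
    uint64_t nbits;
    unsigned k;      /* bit positions set per key */
} bloom;

/* FNV-1a with a seed; two seeds feed double hashing (h1 + i*h2), the usual
 * way to simulate k hash functions with two. */
static uint64_t fnv1a(const char *s, uint64_t seed) {
    uint64_t h = 1469598103934665603ULL ^ seed;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 1099511628211ULL; }
    return h;
}

int bloom_init(bloom *b, uint64_t nbits, unsigned k) {
    b->bits = calloc((size_t)((nbits + 7) / 8), 1);
    if (!b->bits) return -1;
    b->nbits = nbits; b->k = k;
    return 0;
}

void bloom_free(bloom *b) { free(b->bits); b->bits = NULL; }

void bloom_add(bloom *b, const char *key) {
    uint64_t h1 = fnv1a(key, 0), h2 = fnv1a(key, 0x9e3779b97f4a7c15ULL) | 1;
    for (unsigned i = 0; i < b->k; i++) {
        uint64_t bit = (h1 + i * h2) % b->nbits;
        b->bits[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
}

/* 1 = possibly present (confirm in the real structure), 0 = definitely absent. */
int bloom_maybe(const bloom *b, const char *key) {
    uint64_t h1 = fnv1a(key, 0), h2 = fnv1a(key, 0x9e3779b97f4a7c15ULL) | 1;
    for (unsigned i = 0; i < b->k; i++) {
        uint64_t bit = (h1 + i * h2) % b->nbits;
        if (!(b->bits[bit / 8] & (uint8_t)(1u << (bit % 8)))) return 0;
    }
    return 1;
}

/* Reverse label order: "ads.example.com" -> "com.example.ads".
 * out must have room for strlen(in)+1 bytes. */
void reverse_labels(const char *in, char *out) {
    const char *end = in + strlen(in);
    size_t pos = 0;
    while (end > in) {
        const char *start = end;
        while (start > in && start[-1] != '.') start--;
        memcpy(out + pos, start, (size_t)(end - start));
        pos += (size_t)(end - start);
        if (start > in) { out[pos++] = '.'; end = start - 1; } else end = start;
    }
    out[pos] = '\0';
}

/* Insert a listed name in its reversed form. 255 is the DNS name length limit. */
int filter_add_name(bloom *b, const char *name) {
    char rev[256];
    if (strlen(name) >= sizeof rev) return -1;
    reverse_labels(name, rev);
    bloom_add(b, rev);
    return 0;
}

/* Query path: test the name and each parent. 0 means no level can be listed
 * and the expensive lookup is skipped; 1 means go on to the real structure. */
int filter_maybe_blocked(const bloom *b, const char *name) {
    char rev[256];
    if (strlen(name) >= sizeof rev) return 1;   /* odd input: let the real lookup decide */
    for (const char *p = name; p && *p; ) {
        reverse_labels(p, rev);
        if (bloom_maybe(b, rev)) return 1;
        p = strchr(p, '.');
        if (p) p++;
    }
    return 0;
}

int main(void) {
    bloom b;
    if (bloom_init(&b, 1u << 16, 7) != 0) return 1;   /* 8 KiB for this toy list */
    filter_add_name(&b, "ads.example.com");            /* constructed sample entries */
    filter_add_name(&b, "tracker.example.net");
    printf("cdn.ads.example.com: %d\n", filter_maybe_blocked(&b, "cdn.ads.example.com"));
    printf("www.example.org:     %d\n", filter_maybe_blocked(&b, "www.example.org"));
    bloom_free(&b);
    return 0;
}
```

Reversing the labels is what makes the radix tree of step 3 useful for DNS: every name under example.com shares the prefix "com.example.", so a single tree walk finds the covering entry instead of the per-parent loop used here for the filter.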
Pi-hole has been excellent. I was able to discover that my Samsung TV was reporting minute by minute updates on what I was watching to a local Australian company.
Same with my Sony Android TV. That thing trying to phone god knows what home made up almost a third of all DNS requests on my home network, even with 2 adults working from home.
Since you can't buy dumb TVs anymore, you best leave the "smart" ones offline.
Worth mentioning that this is just the domain resolution, not necessarily the real volume of connections. The reason they try every second sometimes (I have devices that do exactly this, ~86000 attempts every day) is because they keep failing. Assuming they resolve once they stop flooding the Pi-hole and will bundle their connections in fewer, larger chunks. Couldn't say what's in those chunks since they're encrypted but I can make a fair guess.
But the bottom line is that the number of attempts to resolve the DNS doesn't say anything about how egregious the activity is. You could have a device try every second because it wants to send an "I'm alive" message home, or you could have a device attempt DNS resolution once per day and send all the traffic it captured from your network. Don't use that number as an indication of how evil the device is, I'm sure the most egregious malware or crappy IoT will be careful not to flood DNS requests.
Modern TVs actually reached such low prices because almost all of them are paying for production post purchase with user data. So that's generally a great idea to lock it up with pi-hole or to not even connect it at all and use an external streaming box.
I think this already made the round on HN https://phys.org/news/2019-02-tvs-cheap-smart-tv-extra.html
How does the Pi-hole achieve this? Does it have a blacklist (I assume) or can it use a whitelist? The services my TV needs to reach are easily enumerable, I pay all of them subscriptions. There is no other valid connection for it to make. Maybe firmware/app updates but I'd kinda prefer to do that myself at this point.
My smart TV remains disconnected from any network. But I use an Android TV box, so I may only be substituting one company's surveillance for another's.
Android TV is a massive improvement upon any Smart TV's UX though, so I'm winning on that count.
I'm sure you know this, but with a reasonable router you can redirect non-Pi-hole port 53 traffic back to the Pi-hole. A relatively cheap Edgerouter Lite does this for me.
For my home desktop browser, I just use uBlock Origin to block ads.
But for my phone, I set up a PiHole running on an EC2 instance and VPN into it from my phone. Blocks ads in everything, not just my web browser. The VPN is configured to only tunnel DNS lookups, not traffic, so the EC2 bandwidth bill is minimal.
I've been doing the same (using Wireguard for DNS), except PiHole is running inside a Docker container on my Pi4 (I have a FTTH line, with a public/static IPv4 address). My ISP also started assigning /64 IPv6 nets to whoever requests one, so I might try that next
Interesting that DNS lookups go to the Pi-hole in EC2, but the subsequent web requests come from the phone. This effectively nullifies the performance benefit of CDNs. Your phone is wherever it is, but your browser is being instructed to connect to edge servers that are geographically close to the AWS region where the Pi-hole instance is running.
That said, the massive performance gains of blocking ads and intrusive 3PC probably more than makes up for it, but something to consider.
That is only free for 12 months though. Google Cloud and Oracle Cloud offer one free VM in their "always free" offering. Personally I use a $5/month Digital Ocean box.
But I have an instance that I already use for other things (IRC bouncer, Mumble server, Taiga task/issue tracker, and test server for a game I was writing) that has plenty of CPU time to spare, so it's not costing me anything.
It's a tragic move. The DHCP/DNS ecosystem made managing devices dead simple. OTOH I suppose we were foolish to ever think our devices were playing nice. Is there a fix to DNS-over-HTTPS as a network operator? Can you MITM your "own" proprietary devices? What dragons live there?
Sure, I don't really have any right now. In the long run I think that will be impossible. When my TV dies I have to make a lot of compromises to get a dumb display with(out) all the other neat features.
Also, moving DNS to the application instead of the OS just makes managing my well behaved applications harder. It used to be possible to set this automatically through DHCP, now I have to audit every application and make sure it is using my preferred DNS and also manually configure those applications.
DNS-over-HTTPS in Firefox doesn't really benefit me. DNS-over-HTTPS with a DHCP configured server in my OS would be a beneficial option.
Really I would prefer something like DNS over TLS because that solves everything. DNS keeps working, intermediate parties can't read my DNS requests and I can reason about my network traffic, at least on devices I trust.
You can set a canary domain which currently is used
The only other way would be MITM all https traffic and sign with your own certificate, but many iot devices won’t allow you to install a new certificate store.
I don’t know what a canary domain is. That reddit post isn’t entirely clear but it seems to be some kind of DNS black hole. That would rely on the application using your config.
Will a canary domain on an edge device prevent my smart TV from using DoH to get the IP of a tracking server?
Thanks for clarifying. This only helps for well-behaved applications and is apparently temporary.
> The use of this domain is specified by Mozilla, as a limited-time measure until a method for signaling the presence of DNS-based content filtering is defined and adopted by an Internet standards body.
More than anything I am disappointed in Mozilla for shipping such a half-baked anti-feature. I can't even trust Firefox to do the right thing anymore.
It’s a temporary feature until there’s a standard to replace it.
Ultimately, DoH isn’t needed to make IoT transparent; an IoT device can establish a TLS tunnel to a CDN, and unless that’s blocked you have no way of knowing what is being sent where.
An in-line https proxy is the only solution, if iot devices fail to check certificates (which wouldn’t surprise me)
If they do check, and you can’t provide your own root, then you can’t trust them. Read the GNU manifesto and realise why it’s important.
I am conflicted over DoH. As an end user I want to be protected against rogue networks - especially in hotels. As a network admin I want to be protected against rogue end devices.
As both I want to be able to deploy split dns servers due to Nat, not to force users (including me), but to don’t to them where to go.
DoH should have been implemented at the OS level and driven by DHCP unless overridden, as with normal DNS.
Why can't you run your own DNS-over-HTTP server, just as you run your own DNS server today? There's no particular reason why the server addresses have to be hardcoded...
I can and for well-behaved applications that's good. But how do I know my IoT device is using my DNS-over-HTTPS server and not a hard-coded one? There's no way to know and the only way to block DNS-over-HTTPS is to also block HTTPS.
It's much harder (or impossible) to block only some of the IoT device traffic (like ads). If I want it to function at all I have to let it spy on me and do other rude things.
My solution is to just not have IoT things but in the long run I think that will become impossible. Consumers seem to have made their choice and everything needs an IP address now.
I don't like how DNS-over-HTTPS smells and I wish there was less momentum behind it. This should be solved by OS vendors, not application developers. DNS doesn't belong at this part of the stack.
I think this is rather orthogonal. A non-well-behaved app can use hardcoded DNS servers as well. And if the author is concerned with your ability to intercept and filter it on protocol level, they can always hack their own equivalent of DNS-over-HTTP with a basic REST service.
OTOH I expect non-malicious code to just use the platform/language/framework-standard mechanism to resolve hostnames, and I expect such mechanisms to provide all the necessary customization points, just as they did for DNS.
This is a concern of mine as well. I like having some semblance of control of what connections my personally owned devices are making to the outside world. As soon as that becomes opaque, and normalized, who knows what data leaks there will be? Given what advertising companies and malicious app developers already try to get away with when it's visible (to motivated technical folks), the opportunities / possibilities are scary.
Agreed-- it's particularly egregious since intranet resources will just fail to resolve entirely in many cases (it has no graceful fallback to system DNS as far as I can tell).
Is anyone successfully using PiHole with non-technical users?
My main concern with putting PiHole on my home network is that for example my mother in law might not understand that she can't get to some web page because it's being ad-blocked, nor would she be able to go to the web admin page and temporarily unblock it.
Even as a technical person sometimes it takes a while to figure out that a page isn't working because of adblock or pi-hole.
I've set it up for most of my close family and friends, added a physical button to the top of the Raspberry Pi case that disables it for x minutes (x changes depending who they are and their needs), so if they're having issues they go press the button to access the problematic website.
I keep reading about people having to disable the Pi-Hole so much that it becomes annoying, or constantly butting heads with websites that don't work with Pi-Holes, but I can honestly say that I, and the people I've set them up for, BARELY EVER need to use the Disable button. Not for online banking, not for online shopping, not for any regular content consumed. I can't personally think of the last time I needed to disable the Pi-Hole for anything at all. It just sits there blocking ads invisibly, plugged into the back of my modem/router, and is one of my absolute favourite parts of my tech stack.
What websites are people visiting that the Pi-hole doesn't work with? I'm genuinely curious, because I've been running mine for a couple of years now and can't think of anything off the top of my head, and no one in my family group has ever complained about it, with most telling me it's been flawless and they barely ever touch the button.
> What websites are people visiting that the Pi-Hole doesn't work with?
Usually sites where the dev has based functionality on a JS module loaded from an advertiser/tracker site, and that is being blocked, resulting in missing functionality.
Two prominent examples that I've personally had to deal with: CVS, and Taco Bell's iOS app.
Edit: Oh, and google's inserted redirects in shopping results lists are blocked by default.
My wife gets a lot of email, most of it marketing stuff. Most email links will not work with PiHole enabled due to the massive amount of tracking they go through. I always know when she's checking her email if I'm on my phone, cause all of a sudden I start seeing ads for a few minutes.
I get occasional instances. I've let everyone know to let me know if they're experiencing issues and I can check the log and whitelist specific material that needs it.
That comes up now and again, not as much as you'd expect but enough that I needed to give instruction on it. Funny thing is, most of those cases are _me_ doing things like signing into Nvidia's software instead of anyone else here.
This is where Firefox DNS over Https comes in handy.
I have 2 Firefox installs - Firefox and Firefox Developer Edition with one set to use DoH so always bypassing pihole.
I haven't posted anything, but it's pretty simple really. Follow any of the guides to make a physical button run a Python/BASH script[0] and then I wrote a small script that just CURLs the URL to disable the Pi-Hole for a few minutes (eg: curl --silent "http://192.168.2.2/admin/api.php?disable=600&auth=PASSWORD" -- the URL needs quoting, or the shell treats the & as a background operator).
I've been meaning to make a blog post about it but haven't got around to it yet. I'll try to write something up later today/tonight.
Edit: I found this which is a much bigger/fancier version of what I did, but has the associated code you can pull out for a simple button: https://github.com/nickearl/piHoleButtons
They would still have to know that the site isn't working because of blocking, but I suppose developing the habit of "website doesn't work, press the magic button and try again" isn't so bad.
If I do PiHole just for myself I think I'll add this button. Thanks!
I do the same and use the shortcut at least once a day for things I don't want to permanently unblock but might need occasionally. I set it via a shortlink on bit.ly so it's easy for people to remember/bookmark.
It points to ..../admin/api.php?disable=300&auth=authkey
300: Time in seconds to disable it.
Auth key: You need to have a password set for the Pi-hole installation, and the API key is the salted version of that password. You can find it as the value for the key WEBPASSWORD in your /etc/pihole/setupVars.conf file.
In addition to what other people have said, you'll have a nightmare of a time if the power goes out and your router re-assigns new LAN IPs (a nightmare if you're not in the same household as the non-technical user). Try to set up a Pi-Hole with a static IP if you can.
That's one of the reasons why I created dnsadblock.com (besides the fact that I couldn't use it while traveling). It shows a page with a message if the request was blocked (ex: http://tracking.blocked.dnsadblock.com/#/) but only for regular http traffic because I don't want to go down the route of playing with certificates to make it work on https.
I think I managed to have the blacklist/whitelist easier though by creating an activity log page that shows exactly what was blocked and allowed and on what device - in near real-time. Fun project at first but I didn't know what I was going into at first.
It is a bit frustrating when starting but, once you start whitelisting what was blocked by mistake, you will see that it gets easier, almost unnoticeable by a week or so.
I always had uBlock and disconnect.me and it still blocks, somewhat consistent, about 16% of the traffic which is a big number considering.
Yep, it's for this reason I had to turn off the pi-hole. Random sites that my wife or friends would use wouldn't work, especially log-ins or authentications for various sites, and there's no easy-to-surface bypass ability. So now I just rely on browser based blocking.
You say it like it's a bad thing. The same person won't understand why putting your password into a random website is bad, or why all of those windows and notifications keep popping up, or why you shouldn't click download followed by clicking run on random websites.
I set up DNS-based ad-blocking for my parents via Eero. The app-based ad-blocking toggle is easier than something with a web admin interface for them to manage.
Pi-Hole is a great project, and it's not limited to running on a Raspberry Pi either. I've got it running as a (x86-64 Ubuntu) VM in the same hypervisor that hosts my firewall. It's lightweight, super responsive, and provides great statistics on what it is doing.
it's not really fair to compare it to an in-browser adblocker that way, especially since using them isn't mutually exclusive. PiHole blocks ads whether you are in a browser or not, an instant benefit for everybody on your WiFi network.
Absolutely. Defense in depth; Pi-hole will cover devices that you can't install an ad-blocker on while the ad-blocker will cover some edge cases where Pi-hole can't do it.
It should never be considered an "or" situation; you want "both" as much as possible.
a lot of in browser ad blockers are based on url and css selector patterns. Meaning that if the developer updates the site which changes the dom, the ad blocker may not work.
I find it amazing how often ad blocking is discussed here, and start to wonder how many peeps hanging out here on the other hand depend indirectly on ad revenue to pay bills?
There are obviously the big corps Facebook and Google, but also my own small employer, which is in theory in a different biz, runs ads on the web shop as an additional income source (which I find not very clever, it increases page load times and is simply not our core biz). Do we all pay our bills with money made from the poor souls who did not get around to installing an ad blocker or advanced setups like a pi hole?
I'm in the pro ad blocking camp personally, also worked in the past in a biz that was 100% ad financed for a short period of time. Also there the whole tech department was using ad blockers.
As always, it's not the ads most of us object to- it's the trackers. Google's original idea for monetizing the web, that you would be interested in something related to what you were searching for, apparently failed and now everybody's trying to follow you around to see what you might be interested in purchasing.
It needs to stop.
I know it's a lame solution but I use ff and containers and have a "shopping" container for sites that I don't block trackers on. I also have various other containers for other sites I don't mind knowing about each other. But mostly I block them.
I would love to see real data on this! Most of my peers don't want to be marketed to, at least when it comes to internet advertising. Definitely when it comes to traditional advertising (ie billboards are an eyesore, TV ads are offensive or irrelevant or just plain annoying).
Depending on how old you are, it used to be the norm in magazines and newspapers. You have an educational product so you buy an ad on the educational feature, for example.
I understand that advertisers pay for the sites I use and I would turn off the ad-blocker if I was promised I wasn't being tracked. But we have no control over those decisions so we do what we can.
You'll be sad to learn that most of wealth is created by taking advantage of people. Most of us agree that advertising is annoying at best and most of us work for companies that make their money from it. Most of the people in this category are knowledgable (see: privileged) enough to stop receiving advertisements.
Learning how to do this is not "hard" per se, but if you haven't had your own computer growing up and been born into an environment that encourages learning, you aren't going to be able to do this.
This is a great repo. Step by step easy configuration of a pihole on a gcp compute instance with openvpn. I had pihole running on my phone blocking ads in the NYTs app!
The combination of pihole and raspberry pi has impressed me. I just checked and the last reboot of my pi was 180 days ago, and since then things have just worked.
It's in stark contrast with my server, which admittedly has more demanding tasks. For $35 it's the most trustable computer I bought, I now have a lot of respect for the Pi foundation.
You're right that's a fair question. My comment was trying to highlight the robustness of the system more than uptime being a good metric for quality. By that I mean that I didn't _have_ to reboot to keep the system healthy enough to stay alive. That's unfortunately not the case of some other hardware I deal with.
For my Pi I regularly update without a reboot, but that might not be enough for kernel updates. I will look more into it.
I use pi-hole, and it's great, but for browsers you still need something like uBlock Origin installed to properly block ads. The thing I like about pi-hole is it also blocks a long list of trackers that are bundled by various mobile SDKs. There's no way to block those with iOS or Android, except at the network level.
I've been using Pi-Hole for quite a while now too. I also have several in-browser ad blockers. In browser, I'm running Ghostery, uBlock Origin, and Privacy Badger, DuckDuck Go's privacy essentials, and whatever Firefox's does when you turn on all of the privacy respecting stuff. Honestly, I don't really know what does what any more. I recently turned off pi-hole and started to browse the web using Internet Explorer, just to see. Holy Cow... I'd forgotten what the incredible-edible internet was really like.
This is great and I'm glad it is working for you. I think you are about 6 months ahead of me as I now have two Firefox privacy addons and I'm shopping for hardware to build a firewall box.
As I read your comment all I could visualize was an IE6 browser with 8 toolbars. The network stack of the future.
Another alternative is AdGuard Home. They've come a long way since they announced it. I switched to AdGuard Home some 6 months ago and it has been great.
I switched a section of my network over to it a few weeks ago, and I've been having constant random internet issues since, and when I swap back to the Pi-Hole the problems go away.
Is there some trickery to getting AdGuard to run stable? I have it running as an Add-On to Home Assistant, so I'm not sure if that's causing the issues, but I get lots of failed DNS queries, slowdowns, etc when going through AdGuard.
Not that I know of. I'm running on a pi3b and never had issues. I suggest raising a GitHub issue, they're usually pretty quick to respond and quick to fix bugs.
I'm looking for a way to combine the adblocking with a VPN switcher that takes eg NordVPN and routes all my home traffic through a variety of tunnels (they provide a load of openVPN files). Is there a ready-made way to do this? The idea is for anyone in the house to be protected by both the adblock and the VPN.
I'm not aware of an "out of the box" solution, but maybe paying for NordVPN or similar will do this for you.
VPNs typically tunnel your packets thru an encrypted connection to a gateway somewhere else on the internet.
Ad blockers point your DNS to a resolver that blacklists ad domains. You can use a VPN and still set your DNS to whatever you'd like. What works best for you will depend on your threat model (or just privacy concern, as that other term sounds loaded).
pfsense can do this pretty easily, i wouldn't call it out of the box though. the adblocking can be done via pfblocker-ng, and it has an openvpn client of course.
Thanks for the article reminding me of the existence of this project. I decided to do a setup in my home network using an old Raspberry Pi 1 that I had. Mainly because the router of my ISP screwed up really hard in its DHCP server, so I decided to disable it and use Pi-hole's one instead.
I tried to make this setup as robust as possible, using OverlayFS [1] so root is read-only unless I remount it (to change configuration or upgrades) and with a watchdog so it can auto-reboot in case my Raspberry Pi is unresponsive. Pretty happy with this setup, and my internet seems more responsive than ever.
I'm surprised, that no one here has mentioned Eblocker yet. It works a bit like Pi-hole, but is much easier to install and use. Eblocker used to be a commercial product (with its own hardware), but since this didn't work out the company open-sourced it a few months ago. It's free now, has a good interface and great performance and the former developers are still working on it. You can install it on a raspberry, but also on other SBCs. I'm in no way affiliated with them, just a happy user. https://eblocker.org/en/
I wish it were more effective in removing Youtube ads on my kids' iPads, but I understand it's a tall order. At least it gets rid of ads in most other apps.
I pay Google the $10/mo. for no ads on YouTube so the kids don't get exposed.
The extra benefits are
- play video with the screen off to listen to lectures
- youtube music
- specifically good for letting the toddler hear the wiggles without having to watch a wiggles video on youtube
I also pay hulu for no ads. I'm happy for the opportunity to pay directly for entertainment instead of with my eyeballs. No way to opt out of tracking, though, hence the pihole.
Try Microsoft Edge. Its built-in ad blocker works for me with YouTube on my iPhone.
I block ads at the application layer, DNS based ad blocking doesn’t really do it anymore and can create another troubleshooting surface to consider when it breaks something.
In response to your comment, I tested Microsoft Edge on my iPad and can confirm that yes, indeed, it does block the ads on youtube.com -- mostly: out of about 7 videos, an ad was shown to me at the start of one of them, but that is much better than mobile Safari, on which an ad is shown to me at the start of every video I start.
I set this up a couple of months ago and have been really happy with the results. Ad blockers on our iPhones/iPads are fine, but not always completely effective. I can't install one on my corporate laptop so there's no way around ads there. Using Pi-Hole was a perfect fit. I've only had to whitelist a single site that had problems with it.
I currently use a 3-layered solution: browser blockers -> custom hosts file on each machine (StevenBlack hosts for Linux and Windows, Nebulo for Android) -> NextDNS.
I'm actually satisfied, but I'm trying to set up pi-hole+unbound on a CloudAtCost host I own to reduce the load on NextDNS, so far without success.
I already have a home server so I run the pihole container with Podman. Pretty slick. It started as a quick project and then permanently tied up my raspberry pi because the adblocking was so awesome I didn't want to shut it down.
Very nice resolver: I have Pi-hole at home, but NextDNS as DNS resolver on mobile and as alternative DNS provider on the home router. The setup works well; the only thing the browser's adblocker is still needed for is YouTube ads ;) Will surely pay for NextDNS when they are out of beta.
Please do note that Android appears to be quite weird with regard to accepting the network-set DNS.
My observations so far have been that Android tends to ignore any DNS set by the network, either via DHCP or statically. Android instead probes the gateway for 8.8.8.8, and happily uses that instead.
The only way I have been able to solve this has been to set up a VPN (I prefer WireGuard) on the pihole. Android seems to accept this.
The above in combination with say a DDNS hostname means that I now have a permanent adblocked VPN on my android phone which isn't too bad.
- In Windows, if you use the pihole as primary DNS and another cloud option (Cloudflare, Google) as secondary DNS, some ads will go through. Secondary DNS is not failover DNS. Try it and you will see.
I don't think this is just Windows. I read the pihole documentation and came to the conclusion that primary/secondary DNS was more "a dns server" and "another dns server".
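The two comments above describe the same failure mode from the defender's side: a client (an Android phone probing for 8.8.8.8, or a Windows box that treats its "secondary" server as a peer rather than a fallback) quietly sends some or all of its DNS queries past the Pi-hole. The practical check is to look at outbound traffic on the DNS ports at the gateway and list every client whose queries go anywhere other than the resolver you configured. The script below is an added example, not code from Pi-hole or from any commenter; it parses a constructed, generic `key=value` flow log (the field names `src`, `dst`, `proto`, `dport` and the Pi-hole address 192.168.1.2 are assumptions) and also counts DNS-over-TLS on port 853, which the comments do not mention but which bypasses a DNS sinkhole the same way.

```python
"""Spot LAN clients that send DNS somewhere other than the Pi-hole.

Added example; the log format below is a constructed, generic
"key=value" flow record, not the output of any particular firewall.
Field names (src, dst, proto, dport) are assumptions.
"""
import re
from collections import defaultdict

# Address of the local Pi-hole; assumed value for this example.
PIHOLE = "192.168.1.2"
# Ports that carry DNS: plain DNS (53) and DNS-over-TLS (853).
DNS_PORTS = {53, 853}

# Constructed sample flow records. 192.168.1.50 plays the Android
# phone that ignores DHCP and talks to 8.8.8.8; 192.168.1.60 is a
# Windows box whose "secondary" DNS (1.1.1.1) answers some queries.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=192.168.1.50 dst=8.8.8.8 proto=udp dport=53
2024-05-01T08:00:02Z src=192.168.1.50 dst=192.168.1.2 proto=udp dport=53
2024-05-01T08:00:03Z src=192.168.1.60 dst=192.168.1.2 proto=udp dport=53
2024-05-01T08:00:04Z src=192.168.1.60 dst=1.1.1.1 proto=udp dport=53
2024-05-01T08:00:05Z src=192.168.1.60 dst=1.1.1.1 proto=tcp dport=853
2024-05-01T08:00:06Z src=192.168.1.70 dst=93.184.216.34 proto=tcp dport=443
2024-05-01T08:00:07Z src=192.168.1.50 dst=8.8.8.8 proto=udp dport=53
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one record as a dict, or None
    when the record lacks the fields the check needs."""
    fields = dict(FIELD_RE.findall(line))
    if not {"src", "dst", "dport"} <= fields.keys():
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def find_dns_bypass(log_text, resolver=PIHOLE):
    """Map each client to {destination: count} for DNS-port traffic
    that did not go to the expected resolver. Non-DNS flows and
    queries that did reach the resolver are ignored."""
    bypass = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue
        if rec["dst"] != resolver:
            bypass[rec["src"]][rec["dst"]] += 1
    return {src: dict(dsts) for src, dsts in bypass.items()}


if __name__ == "__main__":
    for client, dests in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(client, dests)
```

Run against a real flow or firewall log, a client that appears in the output with a public resolver as destination is one the Pi-hole never sees; for the Windows case the counts show how much of the client's lookups leak to the "secondary" server, which is the behaviour the comment describes.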
https://github.com/StevenBlack/hosts
https://github.com/samboy/MaraDNS/blob/master/deadwood-githu...
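The StevenBlack list linked above is in hosts-file format, so any resolver-specific conversion (the linked MaraDNS script included) starts by parsing it into a clean set of names. That parsing is where the traps are: loopback and `0.0.0.0 0.0.0.0` entries that must not be blocked, inline comments, several names on one line, mixed case, duplicates, and malformed names that would make a resolver reject the whole file. The script below is an added example, not the linked conversion script and not Pi-hole code; it parses a constructed excerpt in the StevenBlack layout and, as one possible output format, emits dnsmasq-style `address=/name/0.0.0.0` lines (dnsmasq syntax is real; the MaraDNS/Deadwood output format of the linked script is not reproduced here).

```python
"""Parse a hosts-format blocklist into a clean set of names.

Added example, not the linked conversion script. The sample input
below is constructed to mimic the StevenBlack layout (comments,
loopback entries, trailing comments, mixed case, duplicates).
"""
import re

# Entries every hosts file carries that must never end up blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback",
               "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes",
               "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}

# Addresses that mark a sinkhole entry in blocklists; any other
# address (a real intranet mapping, say) is not a block entry.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# DNS name grammar: dotted labels, max 253 chars, labels up to 63,
# no leading/trailing hyphen, plus the underscore seen in real lists.
NAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$"
)

SAMPLE_HOSTS = """\
# Title: StevenBlack/hosts (constructed excerpt for this example)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
::1 localhost
0.0.0.0 0.0.0.0

# Start of some ad network
0.0.0.0 ads.example.net   # inline comment
0.0.0.0 Tracker.Example.org
0.0.0.0 tracker.example.org
0.0.0.0 a.example.net b.example.net
0.0.0.0 bad..name
0.0.0.0 -leading.example.com
10.0.0.5 intranet.example.lan
"""


def parse_hosts(text):
    """Return the set of lower-cased names to block, dropping local
    entries, non-sinkhole mappings, and syntactically invalid names."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        parts = line.split()
        addr, hosts = parts[0], parts[1:]
        if addr not in SINK_ADDRS:
            continue
        for h in hosts:
            h = h.lower().rstrip(".")          # normalise case, trailing dot
            if h in LOCAL_NAMES or not NAME_RE.match(h):
                continue
            names.add(h)
    return names


def to_dnsmasq(names, sink="0.0.0.0"):
    """Render names as dnsmasq 'address=/name/sink' lines, sorted so
    the output is stable across runs (easy to diff between updates)."""
    return [f"address=/{n}/{sink}" for n in sorted(names)]


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names to block")
    print("\n".join(to_dnsmasq(blocked)))
```

Deduplication falls out of the set, so the count printed is the number of distinct names a resolver would actually have to hold, which is the figure that matters when estimating memory for a large list.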