Ad blocking with Raspberry Pi and Pi-hole (cri.dev)
241 points by christian_fei 8 months ago | hide | past | favorite | 159 comments

I actually have been doing some work with MaraDNS to have the ability to have a pi-hole sized blacklist. The main source of pi-hole’s blacklist is this Git repo:


That is about 60,000 hosts, so I added MaraDNS support to have up to 500,000 blacklisted names. Since it’s a speed-optimized (not size-optimized) cache, each element takes about a kilobyte of memory, so a blacklist this size takes about 60 megabytes of memory for MaraDNS to store (on a modern Core i7 7600U processor, it only takes about two seconds to load all 60,000 elements into memory), but it’s very rapid to use.

The script to take that blacklist and convert it into a MaraDNS-compatible format is here:


There are ways to make the memory footprint of the blacklist smaller, but this was a quick and simple way to implement a medium sized blacklist. Finding ways to have, say, 10 million blacklist elements with a small memory footprint is left as an exercise for the reader.

My current project is to make a proper Docker container for MaraDNS.

Will you test the efficiency of the block list?

For example, given a block list of 60,000, how many hosts on the list did your computer actually try to access? Have you ever read through one of those massive blocklists?

I use a whitelist rather than a blocklist. Similar to a firewall, I block everything by default. Then carefully choose what I allow.

This way I can see exactly what hosts I actually need to access. Makes it easy to see attempts to access ad servers, trackers, phone home, etc.

MaraDNS (OK, Deadwood) can handle white lists too:

    upstream_servers = {}
    upstream_servers["."] = "" # Never answers
    upstream_servers["good-domain.example.com."] = ""
    upstream_servers["whitelist-entry.foo."] = ""
    # And so on
The downside is that the code currently only supports 20,000 elements added this way.

I am a djbdns user. I also use nsd and unbound. I do not use "upstream" third party DNS, such as

Surprised to hear that anyone still uses MaraDNS.

What I am curious about are these massive blocklists. Does anyone actually read through them? Does it make sense to block 60,000 hosts when only, say, 100 or even 1000 ever stand a chance of being accessed by a user's computer, due to the user's particular usage habits?

Well, why not? 60,000 isn't a huge amount for a modern computer. If they're known to contain ads/trackers you want to block, then why not include them?

It might make sense though to do a periodic run through them to see if they still exist.

In my experience, using an upstream server is faster and more reliable than having a DNS server on a home network recursively solve the name. That said, MaraDNS/Deadwood does have full recursion support, which resolves correctly over 99.9% of domains, but there is that .1% or less of misconfigured domains which only resolve when a recursive DNS server is bug-for-bug identical to BIND.

NSD/Unbound are good DNS servers, as is the newer Knot DNS suite.

djbdns was really good in the early 2000s, but hasn’t been updated since 2001 and its age is starting to show. Yes, there are third party patches, but forks of the djbdns codebase have this annoying way of getting abandoned after a couple of years. I’ll probably end up doing basic maintenance of a djbdns fork just so there’s something getting minimal maintenance available to download.

I do not do recursive lookups at home. I store the DNS data I need in custom zone files. Once I have the data stored, this is faster than recursive lookups, especially with tinydns listening on localhost. djbdns works great for me year after year. I would never use MaraDNS.

What is the optimization gained by having 1KB cache slots when the cacheline size on Intel and ARM is typically 64 bytes?

Each cache entry needs a hash bucket so we can look up the entry in O(1), and we need more hash buckets than entries to minimize cache look up time. The hash bucket needs a copy of the element for each hit (to verify we hit the correct hash bucket), and a possible link to the next hash bucket, just in case we got a hash collision (we still need to store that link in memory as a null pointer regardless). [1]

The strings are special structures which allow binary data to be stored in them and protect against buffer overflows, so they take up more room than a normal string.

Since the cache is a dynamic LRU cache (blacklist entries are not in the circular LRU, of course, but the cache was designed that way) for temporarily storing correct DNS answers (with overhead because, yes, each entry has among other things a 64-bit expire timestamp), each entry is created or removed with multiple malloc() and free() calls, so there’s some page size overhead there.

Like I said, there are ways to make a blacklist have a smaller memory footprint, by using a special data structure which trades speed for size, [2] but for a two-day coding project, it made more sense to just add them to the speed optimized LRU cache the code is built around.

[1] As an aside, the hash compression algorithm came out before SipHash, but, like SipHash, has protection against an attacker finding hash bucket collisions. If I were to write the code today, I would use SipHash.

[2] Here is how I would do it: I would have two blocks of data. One block is an array of offsets (pointers, but not C memory pointers) to data in the second block, and the second block is a bunch of NULL-terminated strings compactly stored. The array of offsets is a sorted list, where the sort key is the string each element points to. I would then do a binary search every time I wanted to see if an element is blacklisted. Memory overhead is, for 10 million entries with an average length of 15 bytes per string (including the NULL), 30 million bytes for the offsets and 150 million bytes for the strings, so we could store 10 million entries in under 200 megs. Speed is O(log2(N)) instead of O(1) but we save a lot of memory. We would need more memory to sort that list, but we could store this block as a binary file which is made on a host with a lot of memory, but read on our Raspberry Pi or old Netbook. Again, doing this is left as an exercise for the reader, and I’m sure there’s a lot of public domain or otherwise open licensed libraries which have already solved this problem. If I were to go down that path, I would probably use sqlite, but am a bit reluctant to add sqlite to a tiny program which can compile to be under 70k in size.
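The two-block layout sketched in footnote [2] (sorted offsets pointing into one packed blob of NUL-terminated names, binary search for lookups), written out as an added example. This is not MaraDNS or Deadwood code and is not the commenter's; it uses 4-byte offsets rather than the 3 bytes implied by the 30 MB figure, and the sample host names are constructed. The serializer fixes little-endian order so a file built on a big machine loads unchanged on a Pi.

```python
"""Compact blocklist store: sorted offsets + packed NUL-terminated names.

Block 1: an array of offsets, sorted by the name each offset points to.
Block 2: the names themselves, NUL-terminated and packed back to back.
Lookup is a binary search over the offsets: O(log N) string compares,
no per-entry malloc and no hash buckets.
"""
from array import array
import struct


def normalize(name: str) -> bytes:
    """Canonical key: lower-case, no surrounding whitespace, no trailing dot."""
    return name.strip().lower().rstrip(".").encode("ascii")


def build(names):
    """Return (blob, offsets) for an iterable of host names (duplicates dropped)."""
    entries = sorted({normalize(n) for n in names} - {b""})  # sort key is the name
    offsets = array("I")  # 4 bytes per entry
    parts = []
    pos = 0
    for entry in entries:
        offsets.append(pos)
        parts.append(entry + b"\0")
        pos += len(entry) + 1
    return b"".join(parts), offsets


def name_at(blob: bytes, offset: int) -> bytes:
    """The NUL-terminated name that starts at offset."""
    return blob[offset:blob.index(b"\0", offset)]


def is_blocked(blob: bytes, offsets, name: str) -> bool:
    """Binary search: compare the query with the name each probed offset points to."""
    key = normalize(name)
    lo, hi = 0, len(offsets)
    while lo < hi:
        mid = (lo + hi) // 2
        current = name_at(blob, offsets[mid])
        if current == key:
            return True
        if current < key:
            lo = mid + 1
        else:
            hi = mid
    return False


def dumps(blob: bytes, offsets) -> bytes:
    """u32 count, then count little-endian u32 offsets, then the blob.
    Fixed byte order so the file built on a big host loads on any reader."""
    count = len(offsets)
    return struct.pack("<I", count) + struct.pack("<%dI" % count, *offsets) + blob


def loads(data: bytes):
    """Inverse of dumps(); the offsets arrive already sorted, nothing to rebuild."""
    (count,) = struct.unpack_from("<I", data, 0)
    offsets = array("I", struct.unpack_from("<%dI" % count, data, 4))
    return data[4 + 4 * count:], offsets


def footprint_bytes(blob: bytes, offsets) -> int:
    """Payload size of the two blocks (the quantity the 200 MB estimate is about)."""
    return len(blob) + 4 * len(offsets)


if __name__ == "__main__":
    # Constructed sample list, not a real blocklist.
    blob, offsets = build(["Ads.Example.", "tracker.example", "ads.example", "metrics.test."])
    print(is_blocked(blob, offsets, "TRACKER.EXAMPLE."), is_blocked(blob, offsets, "example"))
```

Building needs the whole list in memory to sort; lookup needs only the file, read or mmap'ed, which is the split between the build host and the Pi that the footnote describes.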

Since you have the complete set of blacklist entries each time distribute it, you could compute a perfect hash (zero collisions, no buckets needed) each time you updated the list.

Yes, we could also store the blacklist as a perfect hash, which would probably give us roughly the same memory usage with O(1) performance. But it would have to be a separate hash than the LRU dynamic hash used for storing DNS entries.

Yes, there are dynamic perfect hashes, but they are too slow when we update the hash with each lookup, a common use case with DNS.

Instead of building hash tables with buckets (and a linked list in case of hash collision), why not use a flat array based hash table and open addressing?

I actually tried that with MaraDNS in the pre-1.0 days (in case of collision, go forward in hash array N elements until there is no collision).

The problem is that it works really great for static data, but doesn’t work for dynamic data as cleanly as using a linked list to handle collisions.

The one thing I would do differently is that Deadwood (MaraDNS’s recursive/blacklist DNS server) adds individual elements with malloc() and removes them with free(); doing things that way is OK for relatively small data sets on a desktop class computer, but some embedded systems don’t handle the stress of a lot of malloc() and free()s very well, and doing it that way uses a significant amount of memory per element.

But the data is fairly static isn't it? You're not constantly updating the blacklists?

We’re using the same hash to both store blacklist data and cache dynamic DNS data. Yes, we could put the blacklist in a separate data structure, but doing it this way made adding blacklist support a one-day instead of a two-month (shorter, if I use something like sqlite) project.

> Finding ways to have, say, 10 million blacklist elements with a small memory footprint is left as an exercise for the reader.

In case the reader is interested (and this may not be what OP had in mind): In trading memory gains with computation, this is how I squeezed ~4M entries in less than 30 MiB:

1. Compress (reversed) individual entries using a dictionary or entropy encoder. I experimented with Shoco [0], Femto [1], and a modified LZ78 [2].

2. Create a bloom filter for membership checks, [3] or any probabilistic structure for that matter, like the xor-filters [4]. This prevents expensive but unnecessary lookups.

3. Insert the compressed (reversed: google.com -> com.google) entries into a radix-tree [5]. You could use a directed-acyclic graph (DAG), if you don't need to store key-value pairs.

4. Compact [6][7] the radix-tree [8] (compacting a DAG might be super complicated).

5. On every search:

5a. Compress (reversed) incoming query (i.e. domain-name).

5b. Check the bloom filter.

5c. Traverse the radix-tree, if necessary.

5d. Cache an eligible entry in a LFU [9] or possibly, using any other suitable algorithm inspired from Linux's page replacement implementations [10].

6. Strive for zero-allocation and zero-gc.


[0] https://news.ycombinator.com/item?id=10060018

[1] https://github.com/gtoubassi/femtozip/wiki/How-femtozip-work...

[2] https://en.wikipedia.org/wiki/LZ78

[3] https://news.ycombinator.com/item?id=12231623

[4] https://news.ycombinator.com/item?id=21840821

[5] https://vincent.bernat.ch/en/blog/2017-ipv4-route-lookup-lin...

[6] https://news.ycombinator.com/item?id=22544718

[7] https://www.youtube-nocookie.com/embed/3Y2weLDiUWw

[8] https://news.ycombinator.com/item?id=2348619

[9] https://github.com/ronomon/hash-table/blob/master/README.md

[10] https://en.wikipedia.org/wiki/Page_replacement_algorithm
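Steps 2, 3 and 5 of the recipe above (Bloom prefilter, reversed-label tree, filter-then-traverse lookup) as an added example; it is not the commenter's code. Per-entry compression (step 1) and path compaction (step 4) are left out, so the tree is a plain label trie rather than a compacted radix tree. Reversing the labels is what makes a stored entry match every subdomain below it, and the Bloom filter is consulted for each suffix of the query for the same reason. Sample entries are constructed.

```python
"""Blocklist with subdomain matching: Bloom prefilter + trie of reversed labels
(ads.example.com is stored as com -> example -> ads)."""
import hashlib
import math


def labels_reversed(name: str):
    """'ads.Example.com.' -> ['com', 'example', 'ads']; '' -> []"""
    name = name.strip().lower().rstrip(".")
    return name.split(".")[::-1] if name else []


class Bloom:
    """Plain Bloom filter sized from capacity and a target false-positive rate."""

    def __init__(self, capacity: int, error_rate: float = 0.01):
        capacity = max(1, capacity)
        self.m = max(8, int(-capacity * math.log(error_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key: bytes):
        # Kirsch-Mitzenmacher double hashing: k indexes from one 128-bit digest.
        digest = hashlib.blake2b(key, digest_size=16).digest()
        h1 = int.from_bytes(digest[:8], "little")
        h2 = int.from_bytes(digest[8:], "little") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, key: bytes) -> bool:
        """False: definitely absent. True: probably present, go and check."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class BlockList:
    def __init__(self, names):
        names = list(names)
        self.root = {}  # label -> child dict; a None key marks a blocked suffix
        self.bloom = Bloom(len(names))
        for n in names:
            self.add(n)

    def add(self, name: str) -> None:
        labels = labels_reversed(name)
        if not labels:
            return
        node = self.root
        for label in labels:
            node = node.setdefault(label, {})
        node[None] = True
        self.bloom.add(".".join(labels).encode())

    def is_blocked(self, name: str) -> bool:
        labels = labels_reversed(name)
        # A hit can only be on one of the query's suffixes, so ask the filter
        # about each; if every answer is "absent" the tree is never touched.
        suffixes = (".".join(labels[:i]).encode() for i in range(1, len(labels) + 1))
        if not any(self.bloom.might_contain(s) for s in suffixes):
            return False
        node = self.root
        for label in labels:
            node = node.get(label)
            if node is None:
                return False
            if None in node:  # a stored entry is a suffix of the query
                return True
        return False


if __name__ == "__main__":
    # Constructed sample entries, not a real blocklist.
    bl = BlockList(["ads.example.com", "Tracker.test.", "metrics.example.com"])
    print(bl.is_blocked("a.b.ads.example.com."), bl.is_blocked("example.com"))
```

A Bloom false positive only costs one tree walk that ends in "not blocked"; a false negative cannot happen, because every stored suffix was added to the filter. The prefilter pays off because most queries on a home network are for names that are not on the list.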

Pi-hole has been excellent. I was able to discover that my Samsung TV was reporting minute by minute updates on what I was watching to a local Australian company.

Unplugged it faster than I could swear.

Ever thought about just buying a TV that has no network connectivity capability at all i.e. "dumb" TVs?

Though rare to find a 4k/OLED TV that's "dumb", I managed to grab one.

If I do want certain smart features e.g. chromecast I can always just buy it individually for like $30.

I just don't configure wifi on the TV. I can't use the smart features but I don't need to, I have other devices for that.

Same with my Sony Android TV. That thing trying to phone god knows what home made up almost a third of all DNS requests on my home network, even with 2 adults working from home.

Since you can't buy dumb TVs anymore, you best leave the "smart" ones offline.

Worth mentioning that this is just the domain resolution, not necessarily the real volume of connections. The reason they try every second sometimes (I have devices that do exactly this, ~86000 attempts every day) is because they keep failing. Assuming they resolve once they stop flooding the Pi-hole and will bundle their connections in fewer, larger chunks. Couldn't say what's in those chunks since they're encrypted but I can make a fair guess.

But the bottom line is that the number of attempts to resolve the DNS doesn't say anything about how egregious the activity is. You could have a device try every second because it wants to send an "I'm alive" message home, or you could have a device attempt DNS resolution once per day and send all the traffic it captured from your network. Don't use that number as an indication of how evil the device is, I'm sure the most egregious malware or crappy IoT will be careful not to flood DNS requests.

Fair point, but I'd still prefer my TV doesn't phone home at all, especially to pi-hole blocked domains.

Reading these kinds of anecdotes makes me wonder why this is legal, or at least not opt-in.

My TV made me accept a terms of service agreement on first boot.

That (on its own) doesn't mean that it's legal, I'd imagine. At least in the EU, doesn't GDPR prohibit such non-choices?

It does now but it's possible it was bought before that time.

Modern TVs actually reached such low prices because almost all of them are paying for production post purchase with user data. So that's generally a great idea to lock it up with pi-hole or to not even connect it at all and use an external streaming box. I think this already made the round on HN https://phys.org/news/2019-02-tvs-cheap-smart-tv-extra.html

How does the Pi-hole achieve this? Does it have a blacklist (I assume) or can it use a whitelist? The services my TV needs to reach are easily enumerable, I pay all of them subscriptions. There is no other valid connection for it to make. Maybe firmware/app updates but I'd kinda prefer to do that myself at this point.

Yes, both blacklist and whitelist.

My smart TV remains disconnected from any network. But I use an Android TV box, so I may only be substituting one company's surveillance for another's.

Android TV is a massive improvement upon any Smart TV's UX though, so I'm winning on that count.

I'm sure you know this, but with a reasonable router you can redirect non pihole port 53 traffic back to the pihole. A relatively cheap Edgerouter lite does this for me.

For my home desktop browser, I just use uBlock Origin to block ads.

But for my phone, I set up a PiHole running on an EC2 instance and VPN into it from my phone. Blocks ads in everything, not just my web browser. The VPN is configured to only tunnel DNS lookups, not traffic, so the EC2 bandwidth bill is minimal.

I've been doing the same (using Wireguard for DNS), except PiHole is running inside a Docker container on my Pi4 (I have a FTTH line, with a public/static IPv4 address). My ISP also started assigning /64 IPv6 nets to whoever requests one, so I might try that next

Interesting that DNS lookups go to the Pi-hole in EC2, but the subsequent web requests come from the phone. This effectively nullifies the performance benefit of CDNs. Your phone is wherever it is, but your browser is being instructed to connect to edge servers that are geographically close to the AWS region where the Pi-hole instance is running.

That said, the massive performance gains of blocking ads and intrusive 3PC probably more than makes up for it, but something to consider.

Never actually thought of that, to be honest.

But for the most part, I imagine it won't make much of a difference. I live within 300 miles of the data center containing my EC2 instance.

I use https://nextdns.io/, that basically does that

RFC 7871 specifies ECS, in which the DNS forwards the client's subnet to the upstream DNS server in order for CDNs to continue to be useful.

I have no idea if the Pi-hole is configured with this extension.

Probably lightweight enough for the free EC2 tier too!

That is only free for 12 months though. Google Cloud and Oracle Cloud offer one free VM in their "always free" offering. Personally I use a $5/month Digital Ocean box.

I host Pihole on Digital Ocean as well.

Oh, absolutely.

But I have an instance that I already use for other things (IRC bouncer, Mumble server, Taiga task/issue tracker, and test server for a game I was writing) that has plenty of CPU time to spare, so it's not costing me anything.

What VPN are you using?


interesting approach

The move of applications such as Firefox to start using DNS-over-HTTPS to hardcoded DNS servers will render such user-modified DNS services useless.

Firefox can have this feature disabled, but more malicious applications will simply not give you the choice.

It's a tragic move. The DHCP/DNS ecosystem made managing devices dead simple. OTOH I suppose we were foolish to ever think our devices were playing nice. Is there a fix to DNS-over-HTTPS as a network operator? Can you MITM your "own" proprietary devices? What dragons live there?

I know this is a crazy idea, but maybe we should stop buying locked-down IOT devices?

Sure, I don't really have any right now. In the long run I think that will be impossible. When my TV dies I have to make a lot of compromises to get a dumb display with(out) all the other neat features.

Also, moving DNS to the application instead of the OS just makes managing my well behaved applications harder. It used to be possible to set this automatically through DHCP, now I have to audit every application and make sure it is using my preferred DNS and also manually configure those applications.

DNS-over-HTTPS in Firefox doesn't really benefit me. DNS-over-HTTPS with a DHCP configured server in my OS would be a beneficial option.

Really I would prefer something like DNS over TLS because that solves everything. DNS keeps working, intermediate parties can't read my DNS requests and I can reason about my network traffic, at least on devices I trust.

You can set a canary domain which currently is used

The only other way would be to MITM all HTTPS traffic and sign with your own certificate, but many IoT devices won’t allow you to install a new certificate store.

I don’t know what a canary domain is. That Reddit post isn’t entirely clear but it seems to be some kind of DNS black hole. That would rely on the application using your config.

Will a canary domain on an edge device prevent my smart TV from using DoH to get the IP of a tracking server?


If your smart TV checks to see if it should disable DoH then it would work.

I wouldn’t bank on it doing so though. Best to block all IoT devices.

Thanks for clarifying. This only helps for well-behaved applications and is apparently temporary.

> The use of this domain is specified by Mozilla, as a limited-time measure until a method for signaling the presence of DNS-based content filtering is defined and adopted by an Internet standards body.

More than anything I am disappointed in Mozilla for shipping such a half-baked anti-feature. I can't even trust Firefox to do the right thing anymore.

It’s a temporary feature until there’s a standard to replace it.

Ultimately DoH isn’t needed to make IoT opaque; an IoT device can establish a TLS tunnel to a CDN, and unless that’s blocked you have no way of knowing what is being sent where.

An in-line HTTPS proxy is the only solution, if IoT devices fail to check certificates (which wouldn’t surprise me).

If they do check, and you can’t provide your own root, then you can’t trust them. Read the GNU Manifesto and realise why it’s important.

I am conflicted over DoH. As an end user I want to be protected against rogue networks - especially in hotels. As a network admin I want to be protected against rogue end devices.

As both I want to be able to deploy split DNS servers due to NAT, not to force users (including me), but to don’t to them where to go.

DoH should have been implemented at the OS level and driven by DHCP unless overridden, as with normal DNS.

Why can't you run your own DNS-over-HTTP server, just as you run your own DNS server today? There's no particular reason why the server addresses have to be hardcoded...

I can and for well-behaved applications that's good. But how do I know my IoT device is using my DNS-over-HTTPS server and not a hard-coded one? There's no way to know and the only way to block DNS-over-HTTPS is to also block HTTPS.

It's much harder (or impossible) to block only some of the IoT device traffic (like ads). If I want it to function at all I have to let it spy on me and do other rude things.

My solution is to just not have IoT things but in the long run I think that will become impossible. Consumers seem to have made their choice and everything needs an IP address now.

I don't like how DNS-over-HTTPS smells and I wish there was less momentum behind it. This should be solved by OS vendors, not application developers. DNS doesn't belong at this part of the stack.

I think this is rather orthogonal. A non-well-behaved app can use hardcoded DNS servers as well. And if the author is concerned with your ability to intercept and filter it on protocol level, they can always hack their own equivalent of DNS-over-HTTP with a basic REST service.

OTOH I expect non-malicious code to just use the platform/language/framework-standard mechanism to resolve hostnames, and I expect such mechanisms to provide all the necessary customization points, just as they did for DNS.

Agreed, there are multiple issues here.

The solutions are different but a device like a Pi-hole probably has a part to play in both.

This is a concern of mine as well. I like having some semblance of control of what connections my personally owned devices are making to the outside world. As soon as that becomes opaque, and normalized, who knows what data leaks there will be? Given what advertising companies and malicious app developers already try to get away with when it's visible (to motivated technical folks), the opportunities / possibilities are scary.

I avoid phone banking as it is...

You can disable it on your DNS server using canary domain [1]. Last time I checked it was already implemented in Pi-hole.

1) https://support.mozilla.org/en-US/kb/canary-domain-use-appli...

Agreed-- it's particularly egregious since intranet resources will just fail to resolve entirely in many cases (it has no graceful fallback to system DNS as far as I can tell).

Is anyone successfully using PiHole with non-technical users?

My main concern with putting PiHole on my home network is that for example my mother in law might not understand that she can't get to some web page because it's being ad-blocked, nor would she be able to go to the web admin page and temporarily unblock it.

Even as a technical person sometimes it takes a while to figure out that a page isn't working because of adblock or pi-hole.

How do people deal with this?

I've set it up for most of my close family and friends, added a physical button to the top of the Raspberry Pi case that disables it for x minutes (x changes depending who they are and their needs), so if they're having issues they go press the button to access the problematic website.

I keep reading about people having to disable the Pi-Hole so much that it becomes annoying, or constantly butting heads with websites that don't work with Pi-Holes, but I can honestly say that I, and the people I've set them up for, BARELY EVER need to use the Disable button. Not for online banking, not for online shopping, not for any regular content consumed. I can't personally think of the last time I needed to disable the Pi-Hole for anything at all. It just sits there blocking ads invisibly, plugged into the back of my modem/router, and is one of my absolute favourite parts of my tech stack.

What websites are people visiting that the Pi-Hole doesn't work with? I'm genuinely curious, because I've been running mine for a couple of years now and can't think of anything off the top of my head, and no one in my family group has ever complained about it, with most telling me it's been flawless and they barely ever touch the button.

> What websites are people visiting that the Pi-Hole doesn't work with?

Usually sites where the dev has based functionality on a JS module loaded from an advertiser/tracker site, and that is being blocked, resulting in missing functionality.

Two prominent examples that I've personally had to deal with: CVS, and Taco Bell's iOS app.

Edit: Oh, and google's inserted redirects in shopping results lists are blocked by default.

Airline metasearch engines like Skyscanner & Kayak use all kinds of advertisement and tracking trickery.

My wife gets a lot of email, most of it marketing stuff. Most email links will not work with PiHole enabled due to the massive amount of tracking they go through. I always know when she's checking her email if I'm on my phone, cause all of a sudden I start seeing ads for a few minutes.

I get occasional instances. I've let everyone know to let me know if they're experiencing issues and I can check the log and whitelist specific material that needs it.

That comes up now and again, not as much as you'd expect but enough that I needed to give instruction on it. Funny thing is, most of those cases are _me_ doing things like signing into Nvidia's software instead of anyone else here.

This is where Firefox DNS over HTTPS comes in handy. I have 2 Firefox installs - Firefox and Firefox Developer Edition with one set to use DoH so always bypassing pihole.

I like that physical button solution. Do you have a github repo or blog post documenting how you did it anywhere?

I haven't posted anything, but it's pretty simple really. Follow any of the guides to make a physical button run a Python/BASH script[0] and then I wrote a small script that just CURLs the URL to disable the Pi-Hole for a few minutes (eg: curl --silent ).

I've been meaning to make a blog post about it but haven't got around to it yet. I'll try to write something up later today/tonight.

[0] https://raspberrypihq.com/use-a-push-button-with-raspberry-p...

Edit: I found this which is a much bigger/fancier version of what I did, but has the associated code you can pull out for a simple button: https://github.com/nickearl/piHoleButtons

I like the button idea... you got a howto for that?

I have an iOS shortcut that hits the disable endpoint, so they have a button on their phone they tap that will disable it for 30 minutes at a time.

Yeah, I found and tweaked this for my needs: https://routinehub.co/shortcut/5005

Works great, even if I don't invoke Siri to trigger it.


They would still have to know that the site isn't working because of blocking, but I suppose developing the habit of "website doesn't work, press the magic button and try again" isn't so bad.

If I do PiHole just for myself I think I'll add this button. Thanks!

Any chance you can share that shortcut? I currently have a bookmark that my roommate can hit, but a shortcut would be better.

I use a modified version of this with hard coded times so there is no user input: https://routinehub.co/shortcut/2904

thank you for sharing

I do the same and use the shortcut at least once a day for things I don't want to permanently unblock but might need occasionally. I set it via a shortlink on bit.ly so it's easy for people to remember/bookmark.

It points to ..../admin/api.php?disable=300&auth=authkey

300: Time in seconds to disable it.

Auth key: You need to have a password set for the Pi-hole installation, and the API key is the salted version of that password. You can find it as the value for the key WEBPASSWORD in your /etc/pihole/setupVars.conf file.
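The button script described further up (a GPIO press that curls the disable URL) and the api.php URL spelled out in the comment above do the same thing. An added example of that call in Python, not code from any commenter or from the Pi-hole project: it assumes the Pi-hole v5 admin API, where the auth= value is the WEBPASSWORD hash, which that version computes as SHA-256 applied twice to the admin password (hex). The host name and password are placeholders, and fetch() is injectable so the logic runs without a Pi-hole on the network.

```python
"""Disable Pi-hole blocking for N seconds through the v5 admin API."""
import hashlib
import json
import urllib.parse
import urllib.request


def pihole_token(password: str) -> str:
    """Pi-hole v5 stores WEBPASSWORD as SHA-256 run twice over the password, hex
    encoded; the API's auth= parameter is exactly that string, so it can be derived
    from the password instead of copied out of setupVars.conf (assumes v5 layout)."""
    first = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hashlib.sha256(first.encode("ascii")).hexdigest()


def disable_url(base_url: str, seconds: int, token: str) -> str:
    """/admin/api.php?disable=<seconds>&auth=<token>. A positive, bounded duration
    is required so a stray button press can never leave blocking off for good."""
    if not 1 <= seconds <= 24 * 3600:
        raise ValueError("seconds must be between 1 and 86400")
    query = urllib.parse.urlencode({"disable": seconds, "auth": token})
    return base_url.rstrip("/") + "/admin/api.php?" + query


def disable(base_url: str, password: str, seconds: int = 300, fetch=None) -> str:
    """Call the endpoint and return the status Pi-hole reports ('disabled' on success).
    fetch(url) -> bytes can be swapped in for testing or for a different HTTP client."""
    url = disable_url(base_url, seconds, pihole_token(password))
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=5) as resp:
                return resp.read()
    reply = json.loads(fetch(url))
    return reply.get("status", "unknown")


if __name__ == "__main__":
    # Placeholder host and password; change both for a real installation.
    print(disable("http://pi.hole", "correct horse battery staple", 300))
```

The auth value is the admin credential for the whole API, not just this endpoint, and it travels in the URL over plain HTTP on the LAN; anyone who can read the link (a shared shortener, a browser history) can use it, so keep it on the LAN and out of public links.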

what an automation!

In addition to what other people have said, you'll have a nightmare of a time if the power goes out and your router re-assigns new LAN IPs (nightmare if you're not in the same household as the non-technical user). Try to setup a Pi-Hole with a static IP if you can.

[Edit] Grammar.

That's one of the reasons why I created dnsadblock.com (besides the fact that I couldn't use it while traveling). It shows a page with a message if the request was blocked (ex: http://tracking.blocked.dnsadblock.com/#/) but only for regular http traffic because I don't want to go down the route of playing with certificates to make it work on https.

I think I managed to have the blacklist/whitelist easier though by creating an activity log page that shows exactly what was blocked and allowed and on what device - in near real-time. Fun project at first but I didn't know what I was going into at first.

It is a bit frustrating when starting but, once you start whitelisting what was blocked by mistake, you will see that it gets easier, almost unnoticeable by a week or so.

I always had uBlock and disconnect.me and it still blocks, somewhat consistent, about 16% of the traffic which is a big number considering.

Yep, it's for this reason I had to turn off the pi-hole. Random sites that my wife or friends would use wouldn't work, especially log-ins or authentications for various sites, and there's no easy-to-surface bypass ability. So now I just rely on browser based blocking.

You say it like it's a bad thing. The same person won't understand why putting your password into a random website is bad, or why all of those windows and notifications keep popping up, or why you shouldn't click download followed by clicking run on random websites.


I set up DNS-based ad-blocking for my parents via Eero. The app-based ad-blocking toggle is easier than something with a web admin interface for them to manage.

Pi-Hole is a great project, and it's not limited to running on a Raspberry Pi either. I've got it running as a (x86-64 Ubuntu) VM in the same hypervisor that hosts my firewall. It's lightweight, super responsive, and provides great statistics on what it is doing.

> Use it for ad-blocking in your home network and to finally browse the web, watch videos etc. without annoying ads.

It doesn't really do this as well as a browser adblocker; YouTube ads, for example, can't effectively be blocked with pihole.

Actually, in most cases I find it significantly beats what a normal in-browser adblocker will do. More importantly, it does this for my phone, etc.

But yes self-hosted ads, etc. won't be blocked. For that, there are other solutions.

Personally, I use both.

it's not really fair to compare it to an in-browser adblocker that way, especially since using them isn't mutually exclusive. PiHole blocks ads whether you are in a browser or not, an instant benefit for everybody on your WiFi network.

In fact, one of the best things about Pi-hole network wide blocking is the removal of those 5 to 10 second otherwise unskippable ads in apps.

Exactly this. Ads in places like news apps disappear, a big plus for pihole.

Absolutely. Defense in depth; Pi-hole will cover devices that you can't install an ad-blocker on while the ad-blocker will cover some edge cases where Pi-hole can't do it.

It should never be considered an "or" situation; you want "both" as much as possible.

Watching videos with Javascript turned off, there are no ads.

Google tries to force users to turn on JavaScript by needlessly making the YouTube website "require" JS to be turned on to play videos.

However it is easy to play the videos without using JavaScript using just basic HTML.



a lot of in browser ad blockers are based on url and css selector patterns. Meaning that if the developer updates the site which changes the dom, the ad blocker may not work.

I find it amazing how often ad blocking is discussed here, and start to wonder how many peeps hanging out here on the other hand depend indirectly on ad revenue to pay bills? There are obviously the big corps Facebook and Google, but also my own small employer, which is in theory in a different biz, runs ads on the web shop as an additional income source (which I find not very clever, increases page load times and is simply not our core biz). Do we all pay our bills with money made from the poor souls who did not get around to installing an ad blocker or advanced setups like a pi hole? I'm in the pro ad blocking camp personally, and also worked in the past in a biz that was 100% ad financed for a short period of time. There too the whole tech department was using ad blockers.

As always, it's not the ads most of us object to- it's the trackers. Google's original idea for monetizing the web, that you would be interested in something related to what you were searching for, apparently failed and now everybody's trying to follow you around to see what you might be interested in purchasing.

It needs to stop.

I know it's a lame solution but I use ff and containers and have a "shopping" container for sites that I don't block trackers on. I also have various other containers for other sites I don't mind knowing about each other. But mostly I block them.

>it's not the ads most of us object to

I would love to see real data on this! Most of my peers don't want to be marketed to, at least when it comes to internet advertising. Definitely when it comes to traditional advertising (i.e. billboards are an eyesore, TV ads are offensive or irrelevant or just plain annoying).

Depending on how old you are, it used to be the norm in magazines and newspapers. You have an educational product so you buy an ad on the educational feature, for example.

I understand that advertisers pay for the sites I use and I would turn off the ad-blocker if I was promised I wasn't being tracked. But we have no control over those decisions so we do what we can.

You'll be sad to learn that most wealth is created by taking advantage of people. Most of us agree that advertising is annoying at best, and most of us work for companies that make their money from it. Most of the people in this category are knowledgeable (see: privileged) enough to stop receiving advertisements.

Learning how to do this is not "hard" per se, but if you haven't had your own computer growing up and been born into an environment that encourages learning, you aren't going to be able to do this.

I can definitely agree with that. You can always explicitly whitelist a site you would like to see ads on and thus support, like I do.

This is a great repo. Step by step easy configuration of a pihole on a GCP compute instance with OpenVPN. I had pihole running on my phone blocking ads in the NYT's app!


The combination of pihole and raspberry pi has impressed me. I just checked and the last reboot of my pi was 180 days ago, and since then things have just worked.

It's in stark contrast with my server, which admittedly has more demanding tasks. For $35 it's the most trustable computer I bought, I now have a lot of respect for the Pi foundation.

Is uptime really desirable in this situation? How do you get security updates for a device that lives near the edge of your network?

You're right, that's a fair question. My comment was trying to highlight the robustness of the system more than uptime being a good metric for quality. By that I mean that I didn't _have_ to reboot to keep the system healthy enough to stay alive. That's unfortunately not the case with some other hardware I deal with.

For my Pi I regularly update without a reboot, but that might not be enough for kernel updates. I will look more into it.

I use pi-hole, and it's great, but for browsers you still need something like uBlock Origin installed to properly block ads. The thing I like about pi-hole is it also blocks a long list of trackers that are bundled by various mobile SDKs. There's no way to block those with iOS or Android, except at the network level.

I've been using Pi-Hole for quite a while now too. I also have several in-browser ad blockers. In browser, I'm running Ghostery, uBlock Origin, Privacy Badger, DuckDuckGo's Privacy Essentials, and whatever Firefox does when you turn on all of the privacy respecting stuff. Honestly, I don't really know what does what any more. I recently turned off pi-hole and started to browse the web using Internet Explorer, just to see. Holy Cow... I'd forgotten what the incredible-edible internet was really like.

This is great and I'm glad it is working for you. I think you are about 6 months ahead of me as I now have two Firefox privacy addons and I'm shopping for hardware to build a firewall box.

As I read your comment all I could visualize was an IE6 browser with 8 toolbars. The network stack of the future.

Funny, I did the exact same thing 1 week ago.


Interesting! Nice site.

Another alternative is AdGuard Home. They've come a long way since they announced it. I switched to AdGuard Home some 6 months ago and it has been great.

I switched a section of my network over to it a few weeks ago, and I've been having constant random internet issues since, and when I swap back to the Pi-Hole the problems go away.

Is there some trickery to getting AdGuard to run stable? I have it running as an Add-On to Home Assistant, so I'm not sure if that's causing the issues, but I get lots of failed DNS queries, slowdowns, etc. when going through AdGuard.

Not that I know of. I'm running on a Pi 3B and never had issues. I suggest raising a GitHub issue; they're usually pretty quick to respond and quick to fix bugs.

I'm looking for a way to combine the adblocking with a VPN switcher that takes e.g. NordVPN and routes all my home traffic through a variety of tunnels (they provide a load of OpenVPN files). Is there a ready-made way to do this? The idea is for anyone in the house to be protected by both the adblock and the VPN.

I'm not aware of an "out of the box" solution, but maybe paying for NordVPN or similar will do this for you.

VPNs typically tunnel your packets through an encrypted connection to a gateway somewhere else on the internet.

Ad blockers point your DNS to a resolver that blacklists ad domains. You can use a VPN and still set your DNS to whatever you'd like. What works best for you will depend on your threat model (or just privacy concern, as that other term sounds loaded).

pfSense can do this pretty easily; I wouldn't call it out of the box though. The adblocking can be done via pfBlockerNG, and it has an OpenVPN client of course.

Thanks for the article for reminding me of the existence of this project. I decided to do a setup in my home network using an old Raspberry Pi 1 that I had, mainly because the router of my ISP screwed up really hard in its DHCP server, so I decided to disable it and use Pi-hole's one instead.

I tried to make this setup as robust as possible, using OverlayFS [1] so root is read-only unless I remount it (to change configuration or upgrade) and with a watchdog so it can auto-reboot in case my Raspberry Pi is unresponsive. Pretty happy with this setup, and my internet seems more responsive than ever.

[1]: https://yagrebu.net/unix/rpi-overlay.md/wiki/Setting_up_over...


I'm surprised that no one here has mentioned eBlocker yet. It works a bit like Pi-hole, but is much easier to install and use. eBlocker used to be a commercial product (with its own hardware), but since this didn't work out the company open-sourced it a few months ago. It's free now, has a good interface and great performance, and the former developers are still working on it. You can install it on a Raspberry Pi, but also on other SBCs. I'm in no way affiliated with them, just a happy user. https://eblocker.org/en/

I wish it were more effective in removing Youtube ads on my kids' iPads, but I understand it's a tall order. At least it gets rid of ads in most other apps.

I pay Google the $10/mo. for no ads on YouTube so the kids don't get exposed.

The extra benefits are:
- play video with the screen off to listen to lectures
- YouTube Music
- specifically good for letting the toddler hear the wiggles without having to watch a wiggles video on youtube

I also pay hulu for no ads. I'm happy for the opportunity to pay directly for entertainment instead of with my eyeballs. No way to opt out of tracking, though, hence the pihole.

> specifically good for letting the toddler hear the wiggles without having to watch a wiggles video on youtube

I like how you phrased this as a solved engineering problem.

Try Microsoft Edge. Its built-in ad blocker works for me with YouTube on my iPhone.

I block ads at the application layer, DNS based ad blocking doesn’t really do it anymore and can create another troubleshooting surface to consider when it breaks something.

In response to your comment, I tested Microsoft Edge on my iPad and can confirm that yes, indeed, it does block the ads on youtube.com -- mostly: out of about 7 videos, an ad was shown to me at the start of one of them, but that is much better than mobile Safari, on which an ad is shown to me at the start of every video I start.

Thanks for the tip.

Thank you! I'll give it a try.

Cheers, gotta try it too.

If you had said Android I would've suggested NewPipe: https://newpipe.schabi.org/

I've been using Lockdown[0] on my iPhone. It blocks everything for me, and is open source.

[0] https://lockdownhq.com/

Have to try this too.

Firefox + AdblockPlus?

Does anyone have any good suggestions for blacklists? I've only been using the default and am wondering if I should add some more items to the list.

I set this up a couple of months ago and have been really happy with the results. Ad blockers on our iPhones/iPads are fine, but not always completely effective. I can't install one on my corporate laptop so there's no way around ads there. Using Pi-Hole was a perfect fit. I've only had to whitelist a single site that had problems with it.

I currently use a 3-layered solution: browser blockers -> custom hosts file on each machine (StevenBlack hosts for Linux and Windows, Nebulo for Android) -> NextDNS.

I'm actually satisfied, but I'm trying to set up pi-hole+unbound on a CloudAtCost host I own to reduce the load on NextDNS, so far without success.

Pi-hole is just a script wrapper around dnsmasq. On a host or server you might as well just do it straightforwardly:
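An added example of the direct dnsmasq route (my own snippet, not the commenter's, whose code is not reproduced on this page): a POSIX shell function that turns a hosts-format blocklist, the format the StevenBlack list uses, into dnsmasq address= rules. The sample input is constructed and the output path is a placeholder.

```shell
#!/bin/sh
# Added example, not the commenter's snippet: convert a hosts-format blocklist
# (the format the StevenBlack list uses) into dnsmasq "address=" rules, so a
# plain dnsmasq answers 0.0.0.0 for every listed name. Note that address=/x/
# also covers every subdomain of x, which is broader than a hosts entry.

# Constructed sample input: comments, loopback names, mixed case, duplicates
# and several names on one line are deliberate edge cases.
SAMPLE_HOSTS='# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.invalid
0.0.0.0 Tracker.Example.invalid   # inline comment
0.0.0.0 ads.example.invalid
0.0.0.0 metrics.example.invalid telemetry.example.invalid
'

# hosts_to_dnsmasq: hosts lines on stdin -> dnsmasq rules on stdout.
# Strips comments, keeps only 0.0.0.0/127.0.0.1 entries, lowercases names,
# skips the loopback/placeholder names a hosts file must keep resolvable,
# and emits each name once.
hosts_to_dnsmasq() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' |
    awk '
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == "localhost" || name == "localhost.localdomain" ||
                    name == "local" || name == "broadcasthost" ||
                    name == "0.0.0.0" || name == "ip6-localhost") continue
                if (!(name in seen)) {
                    seen[name] = 1
                    print "address=/" name "/0.0.0.0"
                }
            }
        }'
}

# Demo run. For real use (placeholder path; dnsmasq needs a restart, not a
# SIGHUP, to pick up new address= rules):
#   hosts_to_dnsmasq < hosts > /etc/dnsmasq.d/blocklist.conf && systemctl restart dnsmasq
printf '%s' "$SAMPLE_HOSTS" | hosts_to_dnsmasq
```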


For OpenBSD users there is unbound-adblock[0]. It's a small shell script that uses only in-base utilities and can be run with minimal privileges.

[0] https://www.geoghegan.ca/unbound-adblock.html

Similarly, there is also void-zone-tools[1] for FreeBSD.

[1]: https://github.com/cyclaero/void-zones-tools

There are dockerised versions as well if you happen to have a docker stack somewhere in your home.

I like the pi-hole installer a lot, since it's a damn one-liner. I was amazed by its simplicity.

Yeah, definitely easier to deploy on a Raspberry than Docker, but it means an extra device.


I already have a home server so I run the pihole container with Podman. Pretty slick. It started as a quick project and then permanently tied up my raspberry pi because the adblocking was so awesome I didn't want to shut it down.

I actually use NextDNS now, it's been on HN before and got good comments.


Very nice resolver: I have Pi-hole at home, but NextDNS as DNS resolver on mobile and as alternative DNS provider on the home router. The setup works well; the only thing the browser's adblocker is still needed for is YouTube ads ;) I will surely pay for NextDNS when they are out of beta.

I've tested pihole for months now, it's working really well.

Set up a VPN to an EC2 with pihole on it, no more ads on Spotify. Even family members wanted the VPN config, they really appreciate it.

  curl -sSL https://install.pi-hole.net | bash

Are you implying everybody is supposed to AUDIT a 2700 line bash script??

Please do note that Android appears to be quite weird with regard to accepting network-set DNS.

My observations so far have been that Android tends to ignore any DNS set by either the network via DHCP or set statically. Android instead probes the gateway for one, and happily uses that instead.

The only way I have been able to solve this has been to set up a VPN (I prefer WireGuard) on the pihole. Android seems to accept this.

The above in combination with say a DDNS hostname means that I now have a permanent adblocked VPN on my android phone which isn't too bad.

If you have a decent router, then you can just forcibly redirect any DNS requests to your Pi-hole.

I have had good luck simply blocking any outbound port 53 traffic that doesn't come from pihole.

Although with DoH these days, I'm not confident my firewall rule is still doing a good job :(
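As an added example (not any commenter's own config) of the router-side version of both points above, redirecting LAN DNS to the Pi-hole and dropping port-53 traffic that does not come from it: a shell function that prints an nftables ruleset for review before loading. Interface names and the Pi-hole address are placeholders, and DoH on 443 is not caught by these rules, per the caveat above.

```shell
#!/bin/sh
# Added example (not from any commenter): print an nftables ruleset that
#  (1) DNATs every LAN plain-DNS query (UDP/TCP 53) to the Pi-hole,
#  (2) masquerades the redirected query so the Pi-hole's reply comes back
#      through the router and is un-DNATed (hairpin, since the Pi-hole
#      sits on the same LAN as the client), and
#  (3) drops port-53 and DoT (853) traffic leaving via the WAN from anyone
#      but the Pi-hole. DoH rides on 443 and is NOT caught by a port rule.
# Usage (placeholders): dns_enforce_rules br-lan eth0 192.168.1.2 | nft -f -

dns_enforce_rules() {
    lan_if="$1"     # LAN-side interface of the router (placeholder)
    wan_if="$2"     # upstream interface (placeholder)
    pihole="$3"     # Pi-hole address on the LAN (placeholder)
    cat <<EOF
table inet dns_enforce {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$lan_if" ip saddr != $pihole meta l4proto { tcp, udp } th dport 53 counter dnat ip to $pihole
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Side effect: redirected queries show up in Pi-hole logs as the router.
        oifname "$lan_if" ip daddr $pihole meta l4proto { tcp, udp } th dport 53 ct status dnat counter masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "$wan_if" ip saddr != $pihole meta l4proto { tcp, udp } th dport 53 counter drop
        oifname "$wan_if" ip saddr != $pihole tcp dport 853 counter drop
    }
}
EOF
}

dns_enforce_rules br-lan eth0 192.168.1.2
```

The counters on each rule are what you watch afterwards: a rising drop counter means a device on the LAN is still trying to talk to someone else on port 53.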

If someone was rude enough to bypass DHCP's suggested DNS is it reasonable to assume they were polite enough to use the standard port?

At this point every device on my network is hostile, default deny outbound is starting to feel like the reasonable starting point.

I have blocked port 53 forward and redirect. On my ISP's router (which I am forced to use), you can't block port 53 on the gateway itself.

I don't want to add an extra router because that would add unnecessary latency. The above is not an unusual setup at all.

Some notes for those who want to use Pi-hole:

- In Windows, if you use Pi-hole as primary DNS and another cloud option (Cloudflare, Google) as secondary DNS, some ads will get through. Secondary DNS is not failover DNS. Try it and you will see.

I don't think this is just Windows. I read the pihole documentation and came to the conclusion that primary/secondary DNS was more "a dns server" and "another dns server".

I mean this is a great project and all, but don't most modern routers already have this built into them and the ability to add VPNs?

I haven't tried it, but I'd imagine the Pi performs a lot better. I wonder if anyone has benchmarked it against some common routers for this use case.
