
Is there anything in this field that actually doesn't block DNS but hijacks it and serves up a 1x1 GIF for any image requests, 1-frame videos, empty HTML, CSS, JS, fake VAST/VPAID files so that requests don't have to time out and fail? I set up a pi-hole a couple of years ago and the kids begged me to shut it off because it screwed up games on their phones (crashed if they couldn't load ads or got stuck because there was no reply).


I think you can configure PiHole to return whatever IP you want for blocklisted domains. I guess you could set up a box with nginx that inspects the request content type header and returns generic content. But, TLS will cause problems here. You’d need to MITM all the traffic and serve up your own root certs, install them on devices etc.
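The "box that inspects the request and returns generic content" sketched above, as an added example that is not from the original thread: a minimal Python sinkhole that a custom Pi-hole blocking IP could point at, choosing a placeholder from the path suffix or the Accept header. Port 8080, the suffix table and the empty-VAST "no ad" body are assumptions; as the thread notes, it only sees plain HTTP unless a CA you control is installed on the client.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Classic 43-byte transparent 1x1 GIF, constructed inline so this runs offline.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
             b"\x01\x00\x00\x02\x02\x44\x01\x00\x3b")

# Path suffix -> (status, content-type, body). Bodies are empty but well-formed,
# so the client parses a "successful" reply instead of waiting for a timeout.
# Assumption: image clients render by sniffed bytes, so every image suffix gets the GIF.
BY_SUFFIX = {
    ".gif": (200, "image/gif", PIXEL_GIF),
    ".png": (200, "image/gif", PIXEL_GIF),
    ".jpg": (200, "image/gif", PIXEL_GIF),
    ".js": (200, "application/javascript", b""),
    ".css": (200, "text/css", b""),
    ".html": (200, "text/html", b"<!doctype html><html><body></body></html>"),
    ".xml": (200, "text/xml", b'<?xml version="1.0"?><VAST version="3.0"></VAST>'),
}

def sinkhole_response(path: str, accept: str = "") -> tuple[int, str, bytes]:
    """Pick a harmless placeholder for a blocked request from its path or Accept header."""
    suffix = os.path.splitext(urlparse(path).path)[1].lower()
    if suffix in BY_SUFFIX:
        return BY_SUFFIX[suffix]
    if accept.startswith("image/"):
        return BY_SUFFIX[".gif"]
    if accept.startswith("video/"):
        return (204, "text/plain", b"")  # a real deployment would serve a 1-frame clip
    if "text/html" in accept:
        return BY_SUFFIX[".html"]
    return (204, "text/plain", b"")      # unknown: fast, explicit "nothing here"

class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = sinkhole_response(self.path, self.headers.get("Accept", ""))
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")  # never let a placeholder get cached
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # beacons are often POSTs; answer them the same way

    def log_message(self, *args):  # silence per-request logging
        pass

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()  # port is an assumption
```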


You could just -j REJECT the traffic; that makes the connection fail immediately because it sends an ICMP port-unreachable packet back.


Yeah, TLS will be the headache. Just did a quick test with a self-signed cert; that works fine, but I'll need to create one for each TLD (wildcard doesn't seem to be allowed as root, at least in browsers). That's easy to script, hard to install. So the only issue is devices that I can't install certs on, like our Apple TVs and Rokus.


You should be able to install a single CA (installed on devices) and then use the key for that to sign individual domain (wildcard) certs?


https://docs.pi-hole.net/ftldns/blockingmode/

Pihole has many options for different blocks, but all have downsides.


Don't remember different modes being available the last time, I'll give it another spin.


PiHole & AdGuard are DNS blockers. Those tools are only serving/blocking domain name requests. So they are not aware of the actual request your client is sending to those servers (to, for example, download a file). So no, by the nature of the DNS protocol this is not possible with those tools. What you probably wanna do is to use some kind of proxy which does deep packet inspection (be aware that this is very resource intensive since you have to break up encryption and stuff).

Probably not worth it for the task you described. Simply add a DNS whitelist to AdGuard or manually unblock those domains causing issues.


If people can figure out which names resolve to ads and block them, people can figure out which names resolve to tracking pixels and send it to a server that will hand back a pixel.


AdGuard develops many products, some of them support TLS MiTM.


You can override settings for specific clients.


Which proxies break encryption for you?


Why timeout? Point them to 0.0.0.0 and there will be an instant failure. This is precisely what NextDNS does when not using their blocking page.


PiHole doesn't normally time things out, it returns 0.0.0.0 as the result.

The few apps I use, I haven't experienced time out or crashing issues as a result of PiHole. You might have other network or DNS issues.



I think nextdns will do this.


Or you could buy your kids some decent games rather than training them to suffer through ads or pay-to-win in-app purchases? This is the best feature of Apple Arcade in my opinion.


Why not teach your kids to play real games instead of ad-ridden mobile garbage?


Well, I decided to teach them they have to pay for stuff themselves, and at least it taught them to be rather frugal. The real problem is that they mostly play what the other kids are playing.


"other kids" are idiots. ;-) Or, at least, their parents are, for not saying No to stupid shit. :-)



