> Uses random upstream resolvers from the configuration - increases your privacy through the distribution of your DNS traffic over multiple providers
The whole project is really interesting but this line caught my eye.
For spreading DNS providers, would randomly routing to different ones be more or less private than rotating providers every X minutes? It feels like so many sites request so many different resources that if you make DNS resolution distributed across providers, you might be exposing your "trail" to multiple companies at the same time, compared to an alternative approach of switching every X minutes so that any individual company only sees a snapshot of your queries in time rather than your whole journey.
> For spreading DNS providers, would randomly routing to different ones be more or less private than rotating providers every X minutes?
Less private for the simple fact that now you'd have to rely on multiple upstream resolvers to respect your privacy. Stick to one; ideally the one with better privacy guarantees like the Mozilla endpoints to Cloudflare DNS.
Or, use anonymizing protocols like Oblivious DNS over HTTPS and DNSCrypt v3.
First thing I thought about was the reasoning behind why Tor uses Entry Guards (a limited set of relays chosen by your client to use as the first entry point rather than a random one each time). I'd imagine the same arguments apply for why you don't want to randomize which servers your DNS queries go to. If you're making hundreds or thousands of queries, as people tend to do while using the same set of sites over time, then eventually all servers will end up with the names of all the sites you visit, as opposed to just choosing one server and only that server having the names. So yeah, that definitely seems like the opposite of a privacy feature.
> Uses random upstream resolvers from the configuration - increases your privacy through the distribution of your DNS traffic over multiple providers
Is that the consensus? I thought this would just increase the number of parties that have insight. E.g., if today it sends my CNN news reading to Cloudflare and tomorrow it sends it to the 9999 resolver, then that seems worse than sending both to Cloudflare.
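A small simulation of the question raised in this sub-thread (added here as an illustration; it is not code from Blocky or from any commenter). It runs a constructed browsing session through three upstream-selection strategies and reports, per resolver, what share of the user's distinct hostnames it learned and how many minutes of the session its observations span. The session, site names and resolver count are all assumptions.

```python
import random
from collections import defaultdict

# Constructed browsing session (not captured traffic): for 60 minutes the user makes
# 4 site visits per minute over 12 sites; each visit triggers a lookup of the site
# plus 3 third-party hosts. Caching is ignored, so every lookup reaches an upstream.
SITES = [f"site{i}.example" for i in range(12)]
THIRD_PARTY = ["cdn.example", "analytics.example", "ads.example"]

def make_session(minutes=60, visits_per_minute=4, seed=1):
    """Return lookups as (minute, visited_site, hostname_queried)."""
    rng = random.Random(seed)
    session = []
    for minute in range(minutes):
        for _ in range(visits_per_minute):
            site = rng.choice(SITES)
            session += [(minute, site, host) for host in [site] + THIRD_PARTY]
    return session

# Upstream selection strategies; each maps one lookup to one of n resolvers.
def single(minute, rng, n):
    return 0

def per_query_random(minute, rng, n):     # what the quoted feature does
    return rng.randrange(n)

def rotate_every_15_min(minute, rng, n):  # the alternative asked about above
    return (minute // 15) % n

def exposure(session, strategy, n=4, seed=2):
    """Per resolver: (share of the user's distinct hostnames it learned, minutes spanned
    by the visits it saw). Only the first-party lookup places a visit in time."""
    rng = random.Random(seed)
    hosts, seen_at = defaultdict(set), defaultdict(list)
    for minute, site, host in session:
        r = strategy(minute, rng, n)
        hosts[r].add(host)
        if host == site:
            seen_at[r].append(minute)
    n_hosts = len({host for _, _, host in session})
    return [(len(hosts[r]) / n_hosts,
             max(seen_at[r]) - min(seen_at[r]) + 1 if seen_at[r] else 0)
            for r in range(n)]

if __name__ == "__main__":
    session = make_session()
    for strategy in (single, per_query_random, rotate_every_15_min):
        print(f"{strategy.__name__:>20}:", [(round(s, 2), span) for s, span in exposure(session, strategy)])
```

With realistic query volumes every resolver ends up with nearly the full hostname list under both random and rotating selection; rotation only confines each resolver to a contiguous time slice, while a single upstream is the only strategy that keeps the list with one party.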
Why would I use Blocky vs. Pi-Hole? It seems like a nice project but pi-hole is really mature; I'd love to see a feature comparison or a brag sheet showing what it's better at.
It's a bit faster, yet it lacks a web UI. I prefer it, because I use it directly on the PC/laptop via Docker and I like text files more than binding web UIs to ports.
If you have a pfSense or OPNsense firewall/router, pfBlockerNG also does a great job https://docs.netgate.com/pfsense/en/latest/packages/pfblocke.... pfSense comes with a DNS Resolver with the option to forward to these other resolvers. It also has too many other features to list, especially useful for a homelab.
I have used Pi-hole and blocky. Pi-hole is nice for the non-expert who just wants to block ads, with a neat web interface. But with blocky, instead of a web interface you can fully configure blocky in a single nicely documented, extensive YAML file. Metrics are retrieved via Prometheus and can be visualized in something like Grafana. It has A LOT of features and is faster. :)
It looks like it's much easier to set up DoH with blocky. Blocky's DoT doesn't work for me, but it's a pain to set up with Pi-hole and it's impossible to make DoH work in Pi-hole.
For me single binary and single config file is a big one. Much easier to deploy and share configs for example. I have a PiHole running but I kind of dread setting up a second one for redundancy.
My problem with network-level adblockers, PiHole included, is that they break a lot of services (yeah, it's mostly sloppiness or malicious intent on the service provider's part, but still). In a browser you can quickly disable uBlock for that site; it is much more tedious for these services - also because it's not even clear that the filtering is causing the problem, and because it may be someone else on the network experiencing the problem.
I have a handful of different wifi SSIDs set up on my network at home to help with this: some route their DNS queries through a pihole instance and others (say, without the "AB" for 'adblock' suffix on their SSID names) don't. Each SSID is its own VLAN and each has its own DHCP listening that doles out the pihole instance address on the adblock-enabled nets.
It’s easy enough to just connect to a different ssid if I see anything breaking, but it’s rare enough that I keep it connected to the pihole/adblock network at all times. Works super well.
I use some of the lower-end wifi 6 APs, coupled with an AC (controller), from fs.com, they work solidly, and with seamless roaming around the house, after figuring out some of the rather odd translation in the AC web interface. After some annoying small steps, the ssh consoles on both the AC and the APs are all that I use.
They’re mated to a Juniper EX switch running stock JunOS over PoE, primarily one AP for each floor and another one or two to fill in dead spots. I haven’t had to touch it since I’ve set it up, just keeps chugging along.
Slight overkill for the environment, but I'm so damn tired of using bad wifi I just wanted to do it right!
I have a silly "trick" for this. In Firefox you can add a SOCKS5 proxy and click "Proxy DNS with SOCKS5 proxy". This bypasses the system DNS.
So for example, if you make a container with this, then you can just quickly open the URL that's blocked in the other container and it will bypass the network-level DNS adblock.
There are other ways to do it without a container, I'm sure, maybe with an add-on/toggle or something.
My VPN provider gives free SOCKS5 access to a few servers, so it didn't cost me anything more.
How are you using a different proxy per container tab? I've tried FoxyProxy but it leaked DNS requests through the local network resolver even with SOCKS5 proxies.
Go into the main extension settings of 'Firefox Multi-Account Containers' that lists your containers and click on 'Manage containers'. Select any container and the last option on the new page is 'Advanced Proxy Settings'. This setting is per container.
Home Assistant can definitely do this. I just now successfully got my HA connected to an Aqara Zigbee button (which, hilariously, only briefly functioned when I was using it with Aqara's garbage hub).
What annoyed me the most is actually clicking on ads from Google Search. Sometimes I search for a product and I can't click on the first results because they are advertisements.
I'm in the same boat as you, but taking it a step further, I'm completely blind to the first 1/3rd of google search results. The first 3 are already ads, and then there's the "quick info" card on most searches. I've subconsciously trained myself to just flat out skip over those results.
So in my case, I don't know that an ad blocker really even helps me on google, because I'm ignoring those first results anyway.
Yup, skip all sponsored and ad content. I do the same on Amazon and ebay - even when the advertised product is _exactly_ what I want, and the best price available, I refuse to purchase from a sponsored listing.
> Are you using Pihole to block ads at a network level, but not also using a browser extension to block them at the client?
A lot of Pihole users don't bother with browser extensions. In extension-only use cases, these results would just not show up. With Pihole, you have to copy and paste the URL and enter it directly in the browser. It's not like a huge roadblock.
I've had the most luck with OISD as the blocklist; others have the exact problems you describe (in fact all other blocklists I've tested have had frequent issues).
Since changing, I've had maybe 2 sites that didn't play nice with the filtering. These issues are not inherent to network-level blockers, but the configuration of those blockers.
PiHole has an API that can be used to enable and disable the ad blocker.
I have a bunch of home automation set up, and through the use of HomeBridge and a plug-in I have a button in my Apple Home app on my iPhone to enable or disable the ad blocker. Since it's exposed as a smart home thing, you could hook it up to a voice assistant like Siri or Alexa.
I built an integration once for an Elgato StreamDeck.
You can also download apps that do the same thing; I have one called "Pi-Hole Remote" that works great.
Yes, ad blocker blockers are annoying, but they are trivially worked around.
Is that your experience? Honest question, because only yesterday, after several years with PiHole and uBlock Origin, I found that a Shopify shop wasn't working for me. But that's probably the only issue I encountered after all those years...
Unfortunately yes, there are features on big websites which just don't work.
Now every time I have an issue with any website, my first instinct is to turn off pi-hole. Most of the time, pi-hole isn't even the issue, but sometimes it is. It's annoying to browse the internet while constantly thinking "Maybe there is an issue on my side".
> Unfortunately yes, there are features on big websites which just don't work.
It is very rare that I find something that stalker-blocking (pihole on my local network & VPN) breaks that I care enough about to turn blocking off for. It might have happened as little as twice, one of those occurrences predating PiHole. Information is usually in many other places or I really don't care that much, and shopping sites that break are waving a red flag by being broken, so I'll go look elsewhere.
I do have a bookmarklet on my devices to turn it off for a few minutes, but that was used more when testing it than it has been since.
I mostly live alone so don't have the problem of other users, such as a spouse or kids, having trouble. Guests always have the option of using their normal mobile access instead of the local wireless if they experience insurmountable problems.
Home Depot is the most fragile website I'm forced to deal with. It regularly breaks in novel ways for me when it can't load some random dependency that it doesn't actually need the functionality from.
And it doesn't load at all from outside the US! I once wanted to purchase before coming back, only to learn I need to VPN back into the US to order something. Crazy.
I use both Pihole and uBlock. While uBlock is fine for desktop browsers, pihole is useful for mobile devices, as well as blocking access for devices and apps that tend to be chatty with the data they send out. For example - I unfortunately bought a few Eufy security cams long before it was found that Eufy was sending user data out to its AWS instance. It was easy to block that access to AWS in Pihole. Of course, it doesn't always work. I've found some devices absolutely need to call home before they'll function.
Pretty cool. If you have adguard home and google assistant, you have access to a switch that can enable/disable adguard home protection. So with the homeassistant app you can add that as a quick tile as well. The only caveat is that this will disable it across all devices.
After disabling it on the UI, your device may still cache the DNS records for a few minutes. There's no immediate feedback on whether disabling adblocking changed anything. It is extremely tedious especially for non-technical users, and adds "tech-support" burden to their technical friend/family who set it up in the first place.
Yes, I ran into these issues when I installed PiHole in my family home.
Most issues were with Google Ads inside Google Search. Often these are relevant and actually what you're looking for. But they don't work.
I tried rewriting the "this is blocked" page that PiHole would serve so it included a button to temporarily disable blocking for said url but it turned out to be harder than I thought.
Yeah, this is always my hurdle implementing house wide. I can toggle it on and off when I have the stubborn link but my girlfriend just gets utterly annoyed. I just manually point some of my devices at my local server and leave it at that. Guess I should look into aws free tier and set it up there as well or just say screw it and use dns.adguard.com again.
Can't block YouTube Shorts with these DNS adblockers. I know I can use browser extensions on a computer (and I do), but I really want to block Shorts in the iOS/Android apps. Tried the Squid HTTPS proxy rabbit hole, but could not get it to work with mobile devices.
I use ReVanced for this on Android. Pretty cool: adblocker, SponsorBlock, customization like removing Shorts. It patches the YouTube APK, so you retain the same UX, no need to use a new app.
I did create a self signed root cert, it works as expected when accessing net from my Mac. But mobile devices refuse to work, zero network requests succeed. I did trust the root cert on both mac and mobile. ¯\_(ツ)_/¯
On newer versions of Android it can be hard to install a root cert and trust it; mitmproxy and HTTP Toolkit both have some great guides though. On iOS it's easier - but yeah, unfortunately/fortunately certificate-pinned applications won't work.
Depending on how much time you are willing to put in, you could create a list of apps that don't pin and selectively MITM only those.
> May want to include a time series database, like InfluxDB
Seems to have native support for Prometheus, so that seems to be the TSDB to use for the project. That said, if you're at the point where your record density takes advantage of the benefits of a time series DB vs a well indexed RDBMS, I'd also imagine that you're beyond the scope of this little service.
One thing I like about AdGuard Home is that it supports normal AdGuard's block list, similar to the ones used in browsers. Of course, it ignores the items that it is unable to block (e.g. cosmetic, or third-party etc), but it is nice being able to take the lists I use in uBlock Origin, and just feeding it into AdGuard Home.
super useful for being able to use cloudflare dns but still resolve the archive.* domains using a different resolver (because archive.* blocks cloudflare for ideological reasons):
Blocky is the best adblocker: it's lightweight, unlike AdGuard, just a simple YAML file, and its DNS queries are faster than AdGuard's IMO. I run it as a container on VyOS (best router software IMO).