I think the news sites are thinking the same thing. "I don't want you to use my network and computational resources (to read the news) without compensation (watching our ads/mining our coin/etc)"
In that case, these news businesses should not be publishing content on the World Wide Web. Users pay for devices, electricity, and monthly network connection, These publishers seem to be stuck in the last epoch. A website is not a finished product like a book or newspaper, it is publicly-accessible data. Users can scrape, restyle, delete, and add content _at will_ whenever they choose to download this content.
So the ideology of capital, which destroyed community morals, is now having it's own tawdry ethics trashed. It's not news that the news is failing. This Author Wrote 7 Reasons Why You Can't Make 20th Century Business Web-Scale.
So what's the impetus for the news business to be available online? If the world wide web should be a free love utopia of data slurping why would these agencies, who have been built on the assumption that the creation and presentation of their data has an inherent worth? How do they get remunerated for their efforts? Or do they just never try to take advantage of this new epoch and die off, leaving us with a billion half-assed citizen journalists?
I would pay for a source of journalism that had any actual effort put in it and wasn't blatantly and hilariously wrong almost all of the time. Sadly news agencies don't fit that bill at all.
I see nothing wrong with them charging money for their work they just can't depend on being able to exercise absolute control over the presentation because instead of being dumb data to be displayed on a remote device its code to be run on the end users device.
You can't separate all the interesting aspects of this distinction and ignore the ones you don't like.
Highlight in terms of sketchiness. I maintain our home network, but I certainly don’t spy on the sites my partner chooses to visit. Or post them on a high traffic blog.
It's about time this became a public discussion. Websites have become so horribly bloated, while most discussions seem to revolve around whether ads are acceptable or not.
To be fair, ads are the reason websites are bloated. I don't mind websites loading 50 MB if I'm in awe of the amazing multimedia presentation it's giving me. 50 MB of ads just... isn't.
That's not always true. Check out the new GMail, my new corporate account has no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.
In this case, the largest resources are Javascript and CSS (yes 1.2MB CSS files!). The weird thing is that it appears to be making requests with different cache-busting strings and getting resources that are the same size.
(32MB now, I haven't done anything on it since starting this post)
There's been plenty of public discussion, albeit in the tech community [1]. It's a hard issue to sell to people outside because most people don't care if a website is downloading 1mb or 100mb.
I run uBlock Origin and noscript - even then I'm amazed with how much guff the UK Daily Mail website loads. From their perspective - you would think they would want to reduce the bandwidth to the servers as much as possible...?
I run ublock origin and umatrix. And actually they do kinda care - I've tested their site on Chromium with no addons or blocking and noticed they lazy load most of those images (it loads "only" ~130images) and about 400requests in total (I only opted out from advertising using their GDPR dialog). If I opt in, it constantly pulls data ~6requests/second.
Off-topic, but that Vollkron font definitely styles 1s very weirdly. I thought it said I.I.I.I instead of 1.1.1.1 until I copied the text and pasted it somewhere else.
uBlock Origin allows you to block remote fonts and use system fonts instead. You can selectively enable them on a per-domain basis, and, for cases like this, have them blocked them by default.
> Do you use a popular browser extension? How confident are you that the creator wouldn’t accept a $10k offer to hand it over only to have it then go rogue on you?
What makes the Pi-Hole organization any more trustworthy? (and the software stack it all depends on)
Personally, I'm inclined to trust them both and hope that the long arm of the GDPR will be effective. Optimistic, I know.
In this case it just acts as a DNS resolver. That's potentially risky when resources don't use SSL, but far less than a browser extension that can change a page in place, inject JavaScript, and record keystrokes on all pages.
How would the attacker do anything useful with a SSL connection attempt? They can either send the real certificate, and then not be able to decrypt the data, or send a self-signed cert which the OS/browser wouldn't trust?
Since Pi-Hole is a DNS server running on a separate machine, it just doesn’t have the same level of access as browser extension would. Even if it was rogue, the worst it could do is share the list of domains that you visit, and possibly hijack your HTTP (but not HTTPS) sessions.
You, and the other commentator, are forgetting that the DNS Server handles all connections, not just those from your browser. Are you confident all the self updating software you use has no vulnerabilities? How about the video games that you play?
Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.
I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...
This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.
You can also inspect the block lists to ensure they all go to 0.0.0.0 if you’re worried about mitm attacks.
Not on a network-wide basis, and not on non-browsers. I don’t think anyone here is saying don’t use a browser-based blocker too. I use both a browser plugin on the client and dnsmasq on my network.
I think the blog post is saying that, especially in the quote that started this thread. The post portrays ad-blocking browser extensions as not worth the risk, discussing both the questionable value of blocking all ads and also the possible risk of the extension being sold to a malware creator. It then presents Pi-hole as a safe alternative to browser-based blockers.
>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.
You don't have to be confident has "no vulnerabilities" (an absurd standard) to understand that the worst possible vuln in the DNS server (say CSRFable RCE in dnsmasq) still puts an attacker in a less privileged position than what they get if they control uBlock Origin: UXSS. Now that browsers are serious about mixed content, DNS poisoning just isn't as interesting as it used to be.
Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).
I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.
I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...
Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less saavy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.
High skill users have more to fear from a Web Extension, its impact is undetectable and can siphon passwords. Low skill users have more to fear from a malicious DNS server, they won't notice the lack of HTTPS on none-HSTS sites and their hardware will get compromised remotely.
I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with :/// and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.
Which one of these is worse:
a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,
-- or --
b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?
The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.
I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.
> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.
If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.
My point is that both scenarios are catastrophic, and its hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.
As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer
OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.
I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.
>If PiHole is malicious, there is already an attacker on your network
In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.
A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.
I think a major difference is the update scheme. Browser extensions auto-update. If they switch hands there is no user visibility when getting the updated version. Pi-Hole is installed software and requires manual updates, which gives users more visibility and control.
you can turn auto-updates off. also, you can easily inspect the source for an extension (AMO doesn't allow minified js), you can't easily do that for the multitude of components that make up pi hole.
> you can't easily do that for the multitude of components that make up pi hole
What? The entirety of the project is open source. In fact it's easier to look at the source code that makes up PiHole because it's all in one spot in Github.
Just as a note, a project being open-source doesn't necessarily provide a 100% guarantee that it doesn't contain any (possibly obfuscated) malicious code. Our community likes to think that someone else would catch it, but enough people thinking that way can (and likely often does) lead to the bystander effect. So it's always good to be wary :)
> The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.
Considering that over 20% of https://pi-hole.net is blocked as malicious ads by my browser, I don't really understand why you would trust them to block not only the crap across the wider internet but even against their own self-interest.
Remember the warning signs of craziness with NoScript? It's like you guys never learn!
HN is a community. Users needn't use their real name, but do need to have some consistent identity for others to relate to. Otherwise we may as well have no usernames and no community at all. That would be a different kind of forum. Anonymity is fine, and throwaways for a specific purpose are ok, just not routinely.
As a subscriber to Debian Security mail list from 2013 I'd got 2 emails on vulnerabilities in dnsmasq.
I don't think anyone should trust cellular connections at all for many reasons. Especially because my country (Russia) is the only one in Europe which has an office of CEIEC (chinese surveillance gov company) which as of now makes Orwell's tales come true in Xinjang.
Someone on here recently recommended uMatrix for this purpose and I find that a nice trade-off between usability and request blocking.
It's an extension but given it's less opaque than a generic ad-blocker I feel more in control and that it's less likely to go 'rogue' like adblockers do.
The most frustrating thing about UM (which is the same problem I had with NoScript back in the day) is that some scripts call other scripts. So, particularly when I'm trying to play an embedded video served by another site served through a CDN, the process for getting the damn video to play is something like:
Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist more scripts being loaded by the first batch of scripts -> reload -> whitelist some XHR references called by new scripts -> reload -> finally whitelist the actual media being served.
Yes, a bit bothersome at times. But if I take the trouble to finetune worthwhile sites I run into, and make the settings permanent, life does get markedly easier after a while.
I rarely see an ad. I didn't see Troy's responsible sponsor message either. I should have and would have if he had chosen to display the thing without the need for scripting. So I don't feel hugely guilty.
uBO can block with pattern-matching URLs of network requests and additionally cosmetic filtering (hide DOM elements), while uMatrix works strictly with hostname of network requests and types of resources.
If you do it five times with some intelligence, you have rules that you can apply and have most things work most of the time from then on. It's really not a huge hassle and generally the malware-containing networks aren't the ones you are greylisting.
Yep, I do that often. It's apparently a very underrated tool because it can pretty much download most of the video content out there on the internet at large. But many people have no idea about it, even technical people.
For popular stuff switching to "global" and marking them as enabled helps reduce the song-and-dance for things like YouTube videos or common CDNs (e.g. Bootstrap)
Use youtube-dl instead? It's win-win: you don't have to compromise your browser's security, and you get a permanent copy of the video that you can watch whenever you like and that the CDN can't comply with takedown requests on or otherwise maliciously bitrot.
Here's the thing, gorhill maintains uM and uBlock Origin and he is one of the most trusted names in several sec circles to the degree that ubo has been deployed in many enterprise settings. Is the elephant in the room by Troy 'well do you think gorhill will sell out for a measly 10k?' Or is the market for 'adblocking extensions' that inundated with shoddy extensions that simply serve as data mining tools and Troy wants to make us all aware?
I am happy with uMatrix, too, but FWIW, I could not recommend it to non-technical or impatient people. For many pages, I require multiple iterations of stepwise refining of what is and is not allowed before a site works for me.
I do not mind, but I can imagine it easily gets annoying for many people rather quickly. (OTOH, those people would not care to set up Pi-hole, either.)
I would rather spend some time setting up a solution with minimal maintenance than constantly be adjusting and tweaking my solution to get things to work just to browse the web. I use uBo because I rarely have to go in an tweak something and it's mostly just a temporary pause on blocking. A pi-hole might be nice but I like how plugins actually remove the spot where the ad once was so the site looks less like swiss cheese.
I consider myself a pretty savvy user, I'm not a web dev but I understand web technologies, javascript and all that and I simply can't use uMatrix decently. Am I supposed to audit every single external resource to whitelist it? For every website I may want to visit? I don't get it.
Ublock seems to do an okay job of blocking most ads and tracking stuff so I'll stick to that in the meantime but I would be really interested to see a uMatrix tutorial or something like that.
uMatrix takes time to grok. It made no sense to me at first. Overtime I understood it and see it as a beautiful method of presenting data and using controls.
There is very good youtube tutorial of about 7 minutes that explains it use.
I also love uMatrix. Unfortunately its not an option on mobile. You could theoretically install it in Firefox mobile for Android, but it would be so difficult to use. I also use a Pi-Hole. I see my Pi-Hole as the solution for mobile browsing and apps, where uMatrix is the better option for desktop browsing since it can differentiate between image requests vs. scripts, iFrames, cookies, etc
uMatrix, while having a bit of a dense UI, is what I prefer as well.
I installed a pi-hole in my home network about a week ago, and it survived less than a week.
My wife likes using sites like eBates when she shops online, and it redirects her through a random sequence of tracking sites before landing on a site like the Gap. It caused all sorts of problems for her, as those sites were being blocked.
If I was going to keep the pi-hole running, I would have had to constantly be adding white list entries. Or, I could have manually created a black list from scratch. I was not interested in doing either.
I found that dropping a handful of domains in uMatrix got rid of most ads (but not tracking), and that was good enough for my uses.
Why the "not too much"? IIRC Adblock was "compromised" in a way because it was more profitable for them to make deals with advertisers. If they made more money off of donations they wouldn't need to sell out.
Well, it was kind of humourous, based on the idea that ad-tech will switch to first-party proxies when too many people use Pi-Hole.
But on a more serious note, it is simple products like AdGuard DNS which will probably make Ad-Tech sweat more, because it's so easy to use for average users.
Adblock was compromised due to lack of integrity imho.
Pi-Hole is a bit different too in that they do not maintain any block lists. It does come pre-installed with several lists, but maintained by 3rd parties. Its also very easy to add items to the block lists or import new lists. I think having this separation of powers is wonderful and will aid in the protection of the project.
I'm surprised this is the top slot right now. Troy, generally, puts out interesting info on security related news however this feels a bit minimal. Since the project has been around a number of years now, and it's not relegated to only a RPi I would have expected him to delve into things a bit more. Pi-hole will also break things. I think the common one I always heard from users on my network at home were that Google click-thrus for products always fail. But... Don't deploy it on an RPi. It's not worth the inconvenience of maintaining another entire device for a network service. There's an actively maintained container I'd recommend, or it's very easy to deploy as a VM. Troy also didn't hit on anything like DoH or DoT, surprisingly.
It’s essentially dnsmasq which can be run directly on your wireless router if you are using custom firmware. No separate hw needed, no need to horse around with dockers or containers or any of that stuff. I’d guess a lot of people are already running dnsmasq for other purposes, so adding the blocklist and periodically updating it should be trivial.
Do you know if it’s possible to deploy it on a virtual AP? E.g. have “MyNetwork” and “MyNetworkWithAds” - so that it is easier for nontechnical users to switch, and also doesn’t deactivate for everyone when just one user needs to (even if only for 5 mins)?
Possible but not that simple actually, as there is little to no documentation or shortcut for such a case available using dnsmasq. Afaik you can only realize this by running multiple instances.
Can anyone recommend a "2018 good choice" for a consumer router that can run custom firmware (including dnsmasq), or a trustworthy recommendation website? Wirecutter for example doesn't note third party firmware: https://thewirecutter.com/reviews/best-wi-fi-router/
I buy my routers from flashrouters.com. A little overpriced, but I trust them and their testing. I have the Asus N16rt (I think) running shibby tomato and it's great.
Despite this, I run pi-hole on an RPi that I have done so much as a reboot on in two years.
It’ll be more involved for you to set up, but pfSense is what I use. I basically forget it’s there until I want to change something (add a new VPN user, monitor bandwidth usage). I’ve set up an IPSec VPN that works well with my Apple devices, especially with a configuration profile that enables on demand VPN (connect via VPN when certain conditions are met, like not on my home WiFi). For hardware I use a cheapish “industrial” computer from AliExpress. Probably not the best thing security-wise (no firmware updates in the past few years, it feels like it’s just shipped directly from a random factory in China), but it’s been great so far.
How do you instruct an iPhone or iPad to use VPN when you are not connected to your home Wi-Fi? I used their former Workflow automation app (now dubbed Shortcuts in iOS12) and it did allow reacting to such an event (going out of range of 1 or more wi-fi networks) but did not realize one of the possible actions was to be able to enable VPN.
I’ve been running the mid to high end Asus routers for years now and am very happy with them. Running wrt-Merlin firmware and AB-Solution via entware is everything I need and doesn’t complicate things with additional devices like pi-hole.
Yes, this is my preference as well. You can also run a vpn with this setup (as you can with other custom firmwares) so you can take advantage of this adblocking from outside your home.
Netgear R7800 and any other router with the same Qualcomm chipset work great with OpenWRT.
Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).
Not really an off-the shelf consumer router, but since you want to install custom firmware anyways, you might want to consider the PC-Engines APU2 board [1]. You can either install any "normal" desktop x86_64 Linux distribution or a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports hardware virtualisation, so you're able to run several VMs via KVM to isolate the services the router is providing.
Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.
I second this. I've been running PC engines stuff for a few years and it's great. I currently have an APU and it handles my gigabit fiber no problem. I use a separate off-the-shelf wireless router in bridge mode which let's me upgrade that independent of the PC engines (wireless hardware tech moves faster than router hardware tech).
I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice—For example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.
It may be more full-featured than you are looking for, but have a look at the Turris Omnia. It is extremely customisable and you can add an internal SSD to run LXC containers on (including one running Pi-hole, which is what I do).
Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.
This happened to me too, and what I learned is that the Omnia uses the Knot DNS resolver, which re-enables itself after updates and this breaks everything if you have made certain customisations.
The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).
I was looking for an openwrt-compatible router a few weeks ago, this is 2018's consensual cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.
I'd argue Pi-hole is quite a bit more than dnsmasq (it's actually a fork of dnsmasq called ftldns) out of the box. It's also very much more approachable by the majority and the web interface gives people immediate feedback and configurability without having to understand configurations for the services directly.
Assuming I'm only interested in blocking ads in one computer, is there a software solution for this on Linux or Windows? (I know that Mac has Little Snitch).
Why not use a browser extension? uBlock Origin is pretty good from what I hear. I use uMatrix by the same dev, and it serves me well. Both work on major browsers (FF, Chrome, Opera, etc..).
I was doing this using Tomato and it introduced serious stability issues in the two routers (both Asus) I tried it on.
Pi-Hole is a drop in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist router upgrades.
My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.
Use a different root filesystem. Ext4 is not robust against power loss, as I've discovered in multiple embedded Linux systems where Ext4 was used.
The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.
Back in the day (also before ext4) we solved this by mounting the root filesystem read-only. Depending on any other application for the machine, you may not need filesystem writes at all once it is set up. Bonus: it’s even friendlier to the flash.
This is how I've solved the problem in the past. Too bad systemd discourages this. It also doesn't protect the partition where your database and log files are kept.
I got cheap SSDs in cheap USB cases for my 2 Pis after getting annoyed with SD corruption. SSD prices have dropped recently after being flat for a long time. If you are really cheap the cases often go for $1 or free after rebate at newegg.
That doesn't work the same as pihole. PiHole blocks ads on ALL devices on your network. Your computer, your laptop, your phone, your kids kindle, etc. As long as they are on your network, they are protected (and browsing web pages on an older phone, things are much faster)
Yeah this is something I've been thinking about lately as well. Pi-Hole seems cool but what about most of the time when I'm somewhere else than my local network?
I use AdBlock https://www.adblockios.com on iOS which runs a local DNS server that can blackhole domains. It doesn't work well on very large host files so I gave up trying to import https://github.com/StevenBlack/hosts, but it does work well for smaller lists.
(1) Install "1Blocker X" -- not free but it's cheap.
(2) It has a huge number of rules and protects your Safari pretty damn good.
(3) You can disable the existing rules if you so choose.
(4) You can add new ones based on URL regexes or CSS rules.
I am still using it actively both on my iPhone and iPad, one of the best investment in apps I ever did.
The issue with that is DNS resolution. I noticed that when I disconnect/reconnect my interface, it took >30 seconds for DNS resolution to properly resolve. Why? Because I was using a 65,000 entry host file on my modern Windows 10 machine.
It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issue.
Of course I have deployed it on a Raspberry. I don't have another always-on computer, and while it's not the only supported target, it is the one most Pi-Hole users have, so I get maximum community support.
I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.
So far, I love my Pi-Hole. Absolutely no problems with it.
Thanks for the link. I guessing this would handle the use case of being able to acess Pi-Hole while traveling or in a coffee shop correct? This seems to be a limitation of having this on a Pi.
Troy's skill is taking security and privacy topics and translating them with practical tips to an IT enthusiast audience that is much broader than hn
Look at his comments and replies to gauge the audience for his content - deploying more privacy and security tools and knowledge can only be a good thing
On an RPi I can plug it in to the USB on my router for power and connect with ethernet. Otherwise I have to run a full powered server perpetually to manage DNS for the home network. Made sense to me.
I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.
I wasn’t aware of that - thanks. I think I’ll be safe as there will be no peripherals plugged in, but that’s something that needs considering it seems.
I've gone the route of using another box to do PoE -> 5V USB, but unfortunately the TP-Link converter is outputting 4.8V instead of 5V (the Pi3b will technically run on this, but it's not a good idea).
Works for most basic ads. Unfortunately basic ads are a thing of the 90's. Does not work for most common ads nowadays, as youtube et. al. run them from the same domain as other important parts for the app/site to run. For these you have to use a different approach, like running an extension in the browser to block them.
With Pi-hole you can disable an adblocker when something doesn't work and still enjoy a fast web.
But Pi-Hole still blocks the majority of ads, so it is possible to use it exclusively if you just want to make the web usable again.
It's also great at home for family members who just want to surf faster and more private and secure but don't mind a couple of ads here and there. Especially when it comes to mobile Apps.
I also want to highlight that most domains that are blocked are usually tracking services which makes Apps and Websites incredibly slow and increase traffic to a large extent. I think blocking those "services" is the true beauty of Pi-Hole. Ad-Tech is only the tip of the iceberg when it comes to commercialised tracking.
I'm amazed that something that (to me) as simple as an ad and analytics proxy running on the website domain isn't more of a thing yet. That will already circumvent a lot of ad blockers. Well initially anyway, the ones based on blocklists / patterns will probably be updated quickly.
Killing two birds with one stone here: proxying access through a VPS to hide the home IP address && blocking ads.
Apart from it occasionally blocking legitimate sites that begin with the word "ad" (something like, say, "adrian.blog.thing"), it works great. Because it's an HTTP proxy, it offers an interface for bypassing these unintended blocks.
Proxomitron, which Privoxy was inspired by, has a few patches which make it filter HTTPS too (you need to install a certificate for MITM, obviously.) As more sites use HTTPS the ability to filter their content becomes more important too.
So I have tried using pi-hole in past and I think one of the problems is - some websites refusing to function if ads are blocked. IIRC - British Airways website uses some javascript that requires ad to be disabled for finishing checking in. It may have changed now but there are other websites too which may or may not work as expected.
With browser extensions it is typically easy to disable the ad blocker one time and check if that fixes it. With pi-hole IIRC, it was much harder to do.
I wish it would redirect to a different local webpage that allows you to click a button to temporarily unblock the domain for your ip, like the ublock blocked webpage that pops up sometimes:
I’ve been running this kind of setup for over 5 years on my home network, and the only complaint I’ve ever gotten was the Google search results that are ads or shopping links don’t work (yes, my wife clicks on these). If a web site didn’t function I wouldnt know it was due to DNS, because I never turn this off. I’d simply chalk it up to it being a defective website and not use it.
Yes - but sometimes you don't have that choice. Would you rather not use a essential service(flight check-in or pay electricity bill) or disable the adblocker temporarily? To each its own I guess and tricky thing with pi-hole is, it is VERY hard to tell if website isn't working because of adblocker or because you are using Linux or it is simply broken.
If a site refuses to work when there are network issues, then you can just close the window. British Airways' competitors will be happy to have your business.
Should be noted this is useful not just for ads, but also for devices phoning home and collecting metrics. Things like Win10, Netflix, smart TVs, etc. You don't have to use every blocklist on the planet if you don't want it to screw up normal web browsing.
There's an interesting discussion happening in the comments where the fact that Troy's (very low key, topically relevant, non tracking, entirely text based) sponsorship banner is being blocked by some AdBlockers. I've found the same thing with Reddit ads (which also seem quite reasonable).
I'm conflicted, I'd like for there to be some mechanism where reasonably implemented ad systems can flourish.
Been using the pi-hole for a couple of years now. Can only say good things about it, as it also disallow porn and the such (which is good with kids in the family).
Sometime, it's convenient to be able to switch it off quickly (as someone mentioned, certain sites will mulfunction): so I created a simple Alexa task to turn Pi-hole on and off using voice, leveraging the pi-hole api.
Since he was pointing out scammers buying popular extensions: I would like to mention that this is a chrome specific problem. Something like this isn't common with firefox addons.
I'd also recommend turning off auto-updates for extensions (which is possible in Firefox). You also get a page with pending and recent updates, complete with release notes if the addon author provides them.
It's easier for me to replicate this functionality myself. I run unbound with a domain name blacklist. Same functionality, no need for additional hardware.
One of the great things about using unbound is how easy it is to blacklist entire domains, without having to know the name of each subdomain ahead of time. I've been doing what pihole does for over ten years using pfSense. I'm up to 437,000 fully qualified domain names blocked, and over ten thousand domains blocked outright. It has been years since I've seen an ad.
> 82% reduction in the number of bytes transferred
No doubt the reduction is important, however as per screenshots, the reported reduction should be considered somewhat inaccurate as he forgot to check "Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-Hole version. We can see resources pulled from browser cache in the Pi-Hole version.
420 comments
[ 2.9 ms ] story [ 303 ms ] threadI don't mind an ad or two. I don't want you siphoning my network and computational resources without compensation.
So the ideology of capital, which destroyed community morals, is now having it's own tawdry ethics trashed. It's not news that the news is failing. This Author Wrote 7 Reasons Why You Can't Make 20th Century Business Web-Scale.
You can't separate all the interesting aspects of this distinction and ignore the ones you don't like.
As an example, lets say you borrow my truck. You compensate me for the use of my truck to move some boxes in town.
But then you use my truck to tow a trailer across the country. That is more wear and tear on the vehicle.
And then you take my personal information that is on my vehicle registration with my home address and sell that to an ad company.
Finally you return my truck with all sorts of junk that was collected while the truck was being used.
How about what is done with your personal information?
When you visit a website are you shown which tracking cookies will be left behind?
You cannot stop visiting the site, once you have visited the ads have been loaded, the cookies have been dropped and your info has been mined.
Highlight of the article right here.
In this case, the largest resources are Javascript and CSS (yes 1.2MB CSS files!). The weird thing is that it appears to be making requests with different cache-busting strings and getting resources that are the same size.
(32MB now, I haven't done anything on it since starting this post)
The new gmail is the slowest web app I have ever used. It's gotten so bad I've started managing my email on my relatively snappy inbox iOS client.
It wouldn't be so bad if they didn't load so much crap, like the gchat functionality nobody has used since 2008.
Android P uses 10x as much memory as it did from Gingerbread, I don't feel as if there's 10x as many features.
[1] http://idlewords.com/talks/website_obesity.htm
Turns out, Al Gore doesn't like it, either: https://www.typotheque.com/blog/gores_choice
With remote fonts enabled on https://www.troyhunt.com/mmm-pi-hole/
And with remote fonts blocked: It's not just ads you have to worry about.What makes the Pi-Hole organization any more trustworthy? (and the software stack it all depends on)
Personally, I'm inclined to trust them both and hope that the long arm of the GDPR will be effective. Optimistic, I know.
Huh? DNS is hit even if the site is SSL. Unless the site has HSTS, and you've got to the site before; DNS poisoning is very much doable.
Are you thinking of some downgrade attack vector?
Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.
I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...
You can also inspect the block lists to ensure they all go to 0.0.0.0 if you’re worried about mitm attacks.
>you could do the same with ublock
that was in response to
>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.
Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).
I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...
Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less saavy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.
High skill users have more to fear from a Web Extension, its impact is undetectable and can siphon passwords. Low skill users have more to fear from a malicious DNS server, they won't notice the lack of HTTPS on none-HSTS sites and their hardware will get compromised remotely.
Which one of these is worse:
a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,
-- or --
b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?
The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.
I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.
If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.
My point is that both scenarios are catastrophic, and its hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.
As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer
I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.
In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.
A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.
What? The entirety of the project is open source. In fact it's easier to look at the source code that makes up PiHole because it's all in one spot in Github.
Pi Hole is open source, so if someone did try to sneak in some malicious code, it would be seen.
Edit: Heartbleed was a good example of this -
https://www.csoonline.com/article/3223203/vulnerabilities/wh...
> The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.
It would take every creator to accept the bribe for the ads to go through. Well, if the extension starts injecting ads it's another story...
Remember the warning signs of craziness with NoScript? It's like you guys never learn!
HN is a community. Users needn't use their real name, but do need to have some consistent identity for others to relate to. Otherwise we may as well have no usernames and no community at all. That would be a different kind of forum. Anonymity is fine, and throwaways for a specific purpose are ok, just not routinely.
https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...
I'll continue putting my trust in uBlock Origin on FF for now, until I hear about any malicious PRs that get merged in /shrug/
Also, you can't usually specify DNS servers on cellular connections. The VPN setup would address that.
From what I understand this is only iOS.
I don't think anyone should trust cellular connections at all for many reasons. Especially because my country (Russia) is the only one in Europe which has an office of CEIEC (chinese surveillance gov company) which as of now makes Orwell's tales come true in Xinjang.
https://news.ycombinator.com/item?id=15608052
It's an extension but given it's less opaque than a generic ad-blocker I feel more in control and that it's less likely to go 'rogue' like adblockers do.
The most frustrating thing about UM (which is the same problem I had with NoScript back in the day) is that some scripts call other scripts. So, particularly when I'm trying to play an embedded video served by another site served through a CDN, the process for getting the damn video to play is something like:
Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist more scripts being loaded by the first batch of scripts -> reload -> whitelist some XHR references called by new scripts -> reload -> finally whitelist the actual media being served.
I rarely see an ad. I didn't see Troy's responsible sponsor message either. I should have and would have if he had chosen to display the thing without the need for scripting. So I don't feel hugely guilty.
edit: Okay, it's not blocked by default with uMatrix: https://i.imgur.com/B97lf35.png
vlc is a better video viewing experience (and better on battery) than a browser and you can usually start playing a partially downloaded file
I do not mind, but I can imagine it easily gets annoying for many people rather quickly. (OTOH, those people would not care to set up Pi-hole, either.)
Ublock seems to do an okay job of blocking most ads and tracking stuff so I'll stick to that in the meantime but I would be really interested to see a uMatrix tutorial or something like that.
There is very good youtube tutorial of about 7 minutes that explains it use.
Instead of clicking on the uMatrix icon, you click on three dots and then on uMatrix
Rather than bringing up a small window, with all your settings, it brings up a new tab with your settings.
Other than that it is the same! And it will work when you are away from home without needing a VPN to a Pi-Hole.
I installed a pi-hole in my home network about a week ago, and it survived less than a week.
My wife likes using sites like eBates when she shops online, and it redirects her through a random sequence of tracking sites before landing on a site like the Gap. It caused all sorts of problems for her, as those sites were being blocked.
If I was going to keep the pi-hole running, I would have had to constantly be adding white list entries. Or, I could have manually created a black list from scratch. I was not interested in doing either.
I found that dropping a handful of domains in uMatrix got rid of most ads (but not tracking), and that was good enough for my uses.
Consider supporting them (but not too much ;): https://www.patreon.com/pihole
But on a more serious note, it is simple products like AdGuard DNS which will probably make Ad-Tech sweat more, because it's so easy to use for average users.
Adblock was compromised due to lack of integrity imho.
Container link: https://hub.docker.com/r/pihole/pihole/
Edit: word
https://github.com/openwrt/packages/tree/master/net/adblock/...
The childproof network example is the fitting how-to you can learn from: https://forum.openwrt.org/t/kidsafe-or-guest-wifi-forced-saf...
Despite this, I run pi-hole on an RPi that I have done so much as a reboot on in two years.
edit: link to OpenWRT with a list of supported hardware that is relevant to the parent's question
Was that what you used? Or was it something else?
Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).
Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.
[1] http://pcengines.ch/apu2.htm [2] https://openwrt.org/toh/pcengines/apu2
I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice—For example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.
Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.
https://omnia.turris.cz/en/
Ironically, went to Unifi after reading Troy's blogs about it - now regretting it immensely as the hardware is nowhere near as powerful as the Omnia.
The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).
I was looking for an openwrt-compatible router a few weeks ago, this is 2018's consensual cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.
And to come back to your original question, to do your own research, I recommend you search/ask on https://www.reddit.com/r/openwrt/ and https://forum.openwrt.org/ , it's a question that pops up frequently.
https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ft...
https://docs.pi-hole.net/ftldns/
(I.e. https://en.wikipedia.org/wiki/Arc_(programming_language) )
Pi-Hole is a drop in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist router upgrades.
My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.
The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.
(1) Install "1Blocker X" -- not free but it's cheap. (2) It has a huge number of rules and protects your Safari pretty damn good. (3) You can disable the existing rules if you so choose. (4) You can add new ones based on URL regexes or CSS rules.
I am still using it actively both on my iPhone and iPad, one of the best investment in apps I ever did.
https://github.com/StevenBlack/hosts
It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issue.
I'd rather have a separate service to run it.
I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.
So far, I love my Pi-Hole. Absolutely no problems with it.
I wasn't familiar with these terms and they are a bit ungooglable. :-/
DoH = DNS-over-HTTPS
DoT = DNS-over-TLS
If you read this, please click “vouch”, upvote, and then click “unvouch.”
My hypothesis is that very few people read dead comments. How few? Let’s measure it.
It costs nothing to participate, and it won’t harm the site since unvouching a comment will cause it to revert to [dead].
If you don’t know how to vouch a comment, click on this comment’s timestamp and click “vouch.”
Thank you for helping.
Look at his comments and replies to gauge the audience for his content - deploying more privacy and security tools and knowledge can only be a good thing
I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.
With Pi-hole you can disable an adblocker when something doesn't work and still enjoy a fast web.
But Pi-Hole still blocks the majority of ads, so it is possible to use it exclusively if you just want to make the web usable again.
It's also great at home for family members who just want to surf faster and more private and secure but don't mind a couple of ads here and there. Especially when it comes to mobile Apps.
I also want to highlight that most domains that are blocked are usually tracking services which makes Apps and Websites incredibly slow and increase traffic to a large extent. I think blocking those "services" is the true beauty of Pi-Hole. Ad-Tech is only the tip of the iceberg when it comes to commercialised tracking.
Uh, sorry, but uBlock Origin blocks it. Also, does anyone else finds themselves jumping straight into `reader view`?
Killing two birds with one stone here: proxying access through a VPS to hide the home IP address && blocking ads.
Apart from it occasionally blocking legitimate sites that begin with the word "ad" (something like, say, "adrian.blog.thing"), it works great. Because it's an HTTP proxy, it offers an interface for bypassing these unintended blocks.
I personally hate wondering why something's not working and having to go through every extension to debug my browsing session.
With browser extensions it is typically easy to disable the ad blocker one time and check if that fixes it. With pi-hole IIRC, it was much harder to do.
Don't visit those sites!
They want your eyes and/or your money (if a subscription is an option) and you don't want to give it to them. Just stop going there!
Edit: I don’t understand the downvotes. Sites aren’t obligated to give you something for nothing. Why does it feel like that’s the default view here?
I'd love a pi-hole like solution that was as easy to temporarily disable as a browser extension.
Either they’ll move out, resent you, deal with it, or you’ll do what they want?
I wish it would redirect to a different local webpage that allows you to click a button to temporarily unblock the domain for your ip, like the ublock blocked webpage that pops up sometimes:
https://arstechnica.com/civis/viewtopic.php?f=3&t=1424503
If it gets abused, then you can turn it off as an option.
https://pgl.yoyo.org/as/ has lots of formats.
I'm conflicted, I'd like for there to be some mechanism where reasonably implemented ad systems can flourish.
Sometime, it's convenient to be able to switch it off quickly (as someone mentioned, certain sites will mulfunction): so I created a simple Alexa task to turn Pi-hole on and off using voice, leveraging the pi-hole api.
No doubt the reduction is important, however as per screenshots, the reported reduction should be considered somewhat inaccurate as he forgot to check "Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-Hole version. We can see resources pulled from browser cache in the Pi-Hole version.