420 comments

[ 2.9 ms ] story [ 303 ms ] thread
This is excessive. Amazingly so.

I don't mind an ad or two. I don't want you siphoning my network and computational resources without compensation.

I think the news sites are thinking the same thing. "I don't want you to use my network and computational resources (to read the news) without compensation (watching our ads/mining our coin/etc)"
In that case, these news businesses should not be publishing content on the World Wide Web. Users pay for devices, electricity, and monthly network connection, These publishers seem to be stuck in the last epoch. A website is not a finished product like a book or newspaper, it is publicly-accessible data. Users can scrape, restyle, delete, and add content _at will_ whenever they choose to download this content.

So the ideology of capital, which destroyed community morals, is now having it's own tawdry ethics trashed. It's not news that the news is failing. This Author Wrote 7 Reasons Why You Can't Make 20th Century Business Web-Scale.

So what's the impetus for the news business to be available online? If the world wide web should be a free love utopia of data slurping why would these agencies, who have been built on the assumption that the creation and presentation of their data has an inherent worth? How do they get remunerated for their efforts? Or do they just never try to take advantage of this new epoch and die off, leaving us with a billion half-assed citizen journalists?
I would pay for a source of journalism that had any actual effort put in it and wasn't blatantly and hilariously wrong almost all of the time. Sadly news agencies don't fit that bill at all.
So do you/would you pay for something like the New York times?
Read reuters, you don't have to pay for it.
I see nothing wrong with them charging money for their work they just can't depend on being able to exercise absolute control over the presentation because instead of being dumb data to be displayed on a remote device its code to be run on the end users device.

You can't separate all the interesting aspects of this distinction and ignore the ones you don't like.

You are being compensated. You can visit their website and read their content. Feel you're not being compensated enough? Stop visiting that site.
You are being compensated...but you are not being informed for what.

As an example, lets say you borrow my truck. You compensate me for the use of my truck to move some boxes in town.

But then you use my truck to tow a trailer across the country. That is more wear and tear on the vehicle.

And then you take my personal information that is on my vehicle registration with my home address and sell that to an ad company.

Finally you return my truck with all sorts of junk that was collected while the truck was being used.

Except it is nothing like that.
When you go to a website are your informed how much bandwdith will be ad only?

How about what is done with your personal information?

When you visit a website are you shown which tracking cookies will be left behind?

You cannot stop visiting the site, once you have visited the ads have been loaded, the cookies have been dropped and your info has been mined.

(comment deleted)
> And yes, I'll chat to her about the Fox News situation as well!

Highlight of the article right here.

Hopefully he told her beforehand he's going to spy on her…
I don't really see why he had to make mention of it.
Exactly, heaven forbid we read different new sources to view different biases and takes on stories.
Highlight in terms of sketchiness. I maintain our home network, but I certainly don’t spy on the sites my partner chooses to visit. Or post them on a high traffic blog.
It's about time this became a public discussion. Websites have become so horribly bloated, while most discussions seem to revolve around whether ads are acceptable or not.
To be fair, ads are the reason websites are bloated. I don't mind websites loading 50 MB if I'm in awe of the amazing multimedia presentation it's giving me. 50 MB of ads just... isn't.
That's not always true. Check out the new GMail, my new corporate account has no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.

In this case, the largest resources are Javascript and CSS (yes 1.2MB CSS files!). The weird thing is that it appears to be making requests with different cache-busting strings and getting resources that are the same size.

(32MB now, I haven't done anything on it since starting this post)

> Check out the new GMail, my new corporate account has no ads but it still weighs in at 25MB (well 28MB now - still asyncing stuff!) for the inbox.

The new gmail is the slowest web app I have ever used. It's gotten so bad I've started managing my email on my relatively snappy inbox iOS client.

It wouldn't be so bad if they didn't load so much crap, like the gchat functionality nobody has used since 2008.

Agreed 100%. Just getting it to load takes forever, and Google Calendar sometimes never renders for me (on latest Chrome for OSX-1).
The old HTML only version still works. I just refreshed mine and got 19.11 KB transfered with cache disabled. (about half that with cache)
Sadly I like the bundling of inbox far too much to switch back at this point.
Software in general has become bloated. The increases in performance, memory etc in consumer hardware has been offset by the bloat.

Android P uses 10x as much memory as it did from Gingerbread, I don't feel as if there's 10x as many features.

With disabled js dailymail loads 603(6.8MB) files 590 of which are images.
I run uBlock Origin and noscript - even then I'm amazed with how much guff the UK Daily Mail website loads. From their perspective - you would think they would want to reduce the bandwidth to the servers as much as possible...?
I run ublock origin and umatrix. And actually they do kinda care - I've tested their site on Chromium with no addons or blocking and noticed they lazy load most of those images (it loads "only" ~130images) and about 400requests in total (I only opted out from advertising using their GDPR dialog). If I opt in, it constantly pulls data ~6requests/second.
Off-topic, but that Vollkron font definitely styles 1s very weirdly. I thought it said I.I.I.I instead of 1.1.1.1 until I copied the text and pasted it somewhere else.
uBlock Origin allows you to block remote fonts and use system fonts instead. You can selectively enable them on a per-domain basis, and, for cases like this, have them blocked them by default.

With remote fonts enabled on https://www.troyhunt.com/mmm-pi-hole/

  24 requests 3.12 MB / 3.06 MB transferred
And with remote fonts blocked:

  20 requests 2.96 MB / 2.90 MB transferred
It's not just ads you have to worry about.
> Do you use a popular browser extension? How confident are you that the creator wouldn’t accept a $10k offer to hand it over only to have it then go rogue on you?

What makes the Pi-Hole organization any more trustworthy? (and the software stack it all depends on)

Personally, I'm inclined to trust them both and hope that the long arm of the GDPR will be effective. Optimistic, I know.

In this case it just acts as a DNS resolver. That's potentially risky when resources don't use SSL, but far less than a browser extension that can change a page in place, inject JavaScript, and record keystrokes on all pages.
> resources don't use SSL

Huh? DNS is hit even if the site is SSL. Unless the site has HSTS, and you've got to the site before; DNS poisoning is very much doable.

How would the attacker do anything useful with a SSL connection attempt? They can either send the real certificate, and then not be able to decrypt the data, or send a self-signed cert which the OS/browser wouldn't trust?

Are you thinking of some downgrade attack vector?

Yes, but the hijacker will still need to present a valid cert for that domain, which is much harder.
Since Pi-Hole is a DNS server running on a separate machine, it just doesn’t have the same level of access as browser extension would. Even if it was rogue, the worst it could do is share the list of domains that you visit, and possibly hijack your HTTP (but not HTTPS) sessions.
You, and the other commentator, are forgetting that the DNS Server handles all connections, not just those from your browser. Are you confident all the self updating software you use has no vulnerabilities? How about the video games that you play?

Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.

I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...

Exactly. This thing is in the best possible location for poisoning DNS for every system on your network. That should be a HUGE concern.
Then don't do it and wait for taboola or google ads serve you a drive by rootkit?
This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.

You can also inspect the block lists to ensure they all go to 0.0.0.0 if you’re worried about mitm attacks.

you could do the same with ublock
Not on a network-wide basis, and not on non-browsers. I don’t think anyone here is saying don’t use a browser-based blocker too. I use both a browser plugin on the client and dnsmasq on my network.
I think the blog post is saying that, especially in the quote that started this thread. The post portrays ad-blocking browser extensions as not worth the risk, discussing both the questionable value of blocking all ads and also the possible risk of the extension being sold to a malware creator. It then presents Pi-hole as a safe alternative to browser-based blockers.
when i said

>you could do the same with ublock

that was in response to

>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.

You don't have to be confident has "no vulnerabilities" (an absurd standard) to understand that the worst possible vuln in the DNS server (say CSRFable RCE in dnsmasq) still puts an attacker in a less privileged position than what they get if they control uBlock Origin: UXSS. Now that browsers are serious about mixed content, DNS poisoning just isn't as interesting as it used to be.

Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).

I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.

I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...

Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less saavy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.

High skill users have more to fear from a Web Extension, its impact is undetectable and can siphon passwords. Low skill users have more to fear from a malicious DNS server, they won't notice the lack of HTTPS on none-HSTS sites and their hardware will get compromised remotely.

I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with :/// and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.

Which one of these is worse:

a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,

-- or --

b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?

The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.

I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of those style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.

> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.

If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.

My point is that both scenarios are catastrophic, and its hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.

As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer

OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.

I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.

>If PiHole is malicious, there is already an attacker on your network

In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.

A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.

They could easily do a diagnostics / analytics feature where user stats are posted back to developers
I think a major difference is the update scheme. Browser extensions auto-update. If they switch hands there is no user visibility when getting the updated version. Pi-Hole is installed software and requires manual updates, which gives users more visibility and control.
you can turn auto-updates off. also, you can easily inspect the source for an extension (AMO doesn't allow minified js), you can't easily do that for the multitude of components that make up pi hole.
> you can't easily do that for the multitude of components that make up pi hole

What? The entirety of the project is open source. In fact it's easier to look at the source code that makes up PiHole because it's all in one spot in Github.

https://github.com/pi-hole/pi-hole

Pi Hole is open source, so if someone did try to sneak in some malicious code, it would be seen.

Just as a note, a project being open-source doesn't necessarily provide a 100% guarantee that it doesn't contain any (possibly obfuscated) malicious code. Our community likes to think that someone else would catch it, but enough people thinking that way can (and likely often does) lead to the bystander effect. So it's always good to be wary :)

Edit: Heartbleed was a good example of this -

https://www.csoonline.com/article/3223203/vulnerabilities/wh...

> The most ironic thing here is that OpenSSL is open source software. Anyone could look at the code, and presumably hundreds did, but nobody noticed the fairly elementary coding error.

Seen by what percentage of users who just download the binaries?
Someone very concerned about ads whitelists can also use multiple ad blocking extensions.

It would take every creator to accept the bribe for the ads to go through. Well, if the extension starts injecting ads it's another story...

Considering that over 20% of https://pi-hole.net is blocked as malicious ads by my browser, I don't really understand why you would trust them to block not only the crap across the wider internet but even against their own self-interest.

Remember the warning signs of craziness with NoScript? It's like you guys never learn!

Could you please not create new accounts for every few comments you post? We ban accounts that do this, and it's in the site guidelines: https://news.ycombinator.com/newsguidelines.html.

HN is a community. Users needn't use their real name, but do need to have some consistent identity for others to relate to. Otherwise we may as well have no usernames and no community at all. That would be a different kind of forum. Anonymity is fine, and throwaways for a specific purpose are ok, just not routinely.

https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...

Pi-hole is cool, but only works on your home network unless you use a VPN to connect back home and funnel all traffic over the connection.

I'll continue putting my trust in uBlock Origin on FF for now, until I hear about any malicious PRs that get merged in /shrug/

You can wind up a Linux VDS with dnsmasq and blacklist of domains, then use it on any device everywhere.
If you trust your ability to secure a publicly-accessible DNS server. Pretty attractive target.

Also, you can't usually specify DNS servers on cellular connections. The VPN setup would address that.

> Also, you can't usually specify DNS servers on cellular connections.

From what I understand this is only iOS.

As a subscriber to Debian Security mail list from 2013 I'd got 2 emails on vulnerabilities in dnsmasq.

I don't think anyone should trust cellular connections at all for many reasons. Especially because my country (Russia) is the only one in Europe which has an office of CEIEC (chinese surveillance gov company) which as of now makes Orwell's tales come true in Xinjang.

(comment deleted)
Someone on here recently recommended uMatrix for this purpose and I find that a nice trade-off between usability and request blocking.

It's an extension but given it's less opaque than a generic ad-blocker I feel more in control and that it's less likely to go 'rogue' like adblockers do.

Longtime uMatrix user here.

The most frustrating thing about UM (which is the same problem I had with NoScript back in the day) is that some scripts call other scripts. So, particularly when I'm trying to play an embedded video served by another site served through a CDN, the process for getting the damn video to play is something like:

Click video -> Open uMatrix -> whitelist some scripts -> reload -> whitelist more scripts being loaded by the first batch of scripts -> reload -> whitelist some XHR references called by new scripts -> reload -> finally whitelist the actual media being served.

Yes, a bit bothersome at times. But if I take the trouble to finetune worthwhile sites I run into, and make the settings permanent, life does get markedly easier after a while.

I rarely see an ad. I didn't see Troy's responsible sponsor message either. I should have and would have if he had chosen to display the thing without the need for scripting. So I don't feel hugely guilty.

I have uMatrix and uBlock. In my case it was uBlock blocking the ad, not uMatrix... or maybe I had whitelisted it before? Not sure.

edit: Okay, it's not blocked by default with uMatrix: https://i.imgur.com/B97lf35.png

uBO can block with pattern-matching URLs of network requests and additionally cosmetic filtering (hide DOM elements), while uMatrix works strictly with hostname of network requests and types of resources.
Keeping those whitelists synced or at least copied across devices can be a challenge. IIRC Noscript could save data to a bookmarklet for that purpose.
90% of the time, I just don't do that dance and not watch the video.
If you do it five times with some intelligence, you have rules that you can apply and have most things work most of the time from then on. It's really not a huge hassle and generally the malware-containing networks aren't the ones you are greylisting.
I copy the URL(CTRL-l CTRL-c), open a new terminal and try youtube-dl $URL
Yep, I do that often. It's apparently a very underrated tool because it can pretty much download most of the video content out there on the internet at large. But many people have no idea about it, even technical people.
I dumped that routine and just started pointing those video URLs at youtube-dl

vlc is a better video viewing experience (and better on battery) than a browser and you can usually start playing a partially downloaded file

For popular stuff switching to "global" and marking them as enabled helps reduce the song-and-dance for things like YouTube videos or common CDNs (e.g. Bootstrap)
Use youtube-dl instead? It's win-win: you don't have to compromise your browser's security, and you get a permanent copy of the video that you can watch whenever you like and that the CDN can't comply with takedown requests on or otherwise maliciously bitrot.
Here's the thing, gorhill maintains uM and uBlock Origin and he is one of the most trusted names in several sec circles to the degree that ubo has been deployed in many enterprise settings. Is the elephant in the room by Troy 'well do you think gorhill will sell out for a measly 10k?' Or is the market for 'adblocking extensions' that inundated with shoddy extensions that simply serve as data mining tools and Troy wants to make us all aware?
I am happy with uMatrix, too, but FWIW, I could not recommend it to non-technical or impatient people. For many pages, I require multiple iterations of stepwise refining of what is and is not allowed before a site works for me.

I do not mind, but I can imagine it easily gets annoying for many people rather quickly. (OTOH, those people would not care to set up Pi-hole, either.)

I would rather spend some time setting up a solution with minimal maintenance than constantly be adjusting and tweaking my solution to get things to work just to browse the web. I use uBo because I rarely have to go in an tweak something and it's mostly just a temporary pause on blocking. A pi-hole might be nice but I like how plugins actually remove the spot where the ad once was so the site looks less like swiss cheese.
I consider myself a pretty savvy user, I'm not a web dev but I understand web technologies, javascript and all that and I simply can't use uMatrix decently. Am I supposed to audit every single external resource to whitelist it? For every website I may want to visit? I don't get it.

Ublock seems to do an okay job of blocking most ads and tracking stuff so I'll stick to that in the meantime but I would be really interested to see a uMatrix tutorial or something like that.

uMatrix takes time to grok. It made no sense to me at first. Overtime I understood it and see it as a beautiful method of presenting data and using controls.

There is very good youtube tutorial of about 7 minutes that explains it use.

I also love uMatrix. Unfortunately its not an option on mobile. You could theoretically install it in Firefox mobile for Android, but it would be so difficult to use. I also use a Pi-Hole. I see my Pi-Hole as the solution for mobile browsing and apps, where uMatrix is the better option for desktop browsing since it can differentiate between image requests vs. scripts, iFrames, cookies, etc
It isn't any harder to use than on the desktop!

Instead of clicking on the uMatrix icon, you click on three dots and then on uMatrix

Rather than bringing up a small window, with all your settings, it brings up a new tab with your settings.

Other than that it is the same! And it will work when you are away from home without needing a VPN to a Pi-Hole.

uMatrix, while having a bit of a dense UI, is what I prefer as well.

I installed a pi-hole in my home network about a week ago, and it survived less than a week.

My wife likes using sites like eBates when she shops online, and it redirects her through a random sequence of tracking sites before landing on a site like the Gap. It caused all sorts of problems for her, as those sites were being blocked.

If I was going to keep the pi-hole running, I would have had to constantly be adding white list entries. Or, I could have manually created a black list from scratch. I was not interested in doing either.

I found that dropping a handful of domains in uMatrix got rid of most ads (but not tracking), and that was good enough for my uses.

Pi-Hole is beautiful and open-source. As long as it doesn't get too popular, tech savvy people can continue to enjoy network wide content blocking.

Consider supporting them (but not too much ;): https://www.patreon.com/pihole

Why the "not too much"? IIRC Adblock was "compromised" in a way because it was more profitable for them to make deals with advertisers. If they made more money off of donations they wouldn't need to sell out.
Well, it was kind of humourous, based on the idea that ad-tech will switch to first-party proxies when too many people use Pi-Hole.

But on a more serious note, it is simple products like AdGuard DNS which will probably make Ad-Tech sweat more, because it's so easy to use for average users.

Adblock was compromised due to lack of integrity imho.

Pi-Hole is a bit different too in that they do not maintain any block lists. It does come pre-installed with several lists, but maintained by 3rd parties. Its also very easy to add items to the block lists or import new lists. I think having this separation of powers is wonderful and will aid in the protection of the project.
2663 requests over 17 minutes? Is there a Poe's law for the web?
I'm surprised this is the top slot right now. Troy, generally, puts out interesting info on security related news however this feels a bit minimal. Since the project has been around a number of years now, and it's not relegated to only a RPi I would have expected him to delve into things a bit more. Pi-hole will also break things. I think the common one I always heard from users on my network at home were that Google click-thrus for products always fail. But... Don't deploy it on an RPi. It's not worth the inconvenience of maintaining another entire device for a network service. There's an actively maintained container I'd recommend, or it's very easy to deploy as a VM. Troy also didn't hit on anything like DoH or DoT, surprisingly.

Container link: https://hub.docker.com/r/pihole/pihole/

Edit: word

It’s essentially dnsmasq which can be run directly on your wireless router if you are using custom firmware. No separate hw needed, no need to horse around with dockers or containers or any of that stuff. I’d guess a lot of people are already running dnsmasq for other purposes, so adding the blocklist and periodically updating it should be trivial.
Yeah, on openwrt you just install the adblock package

https://github.com/openwrt/packages/tree/master/net/adblock/...

That is what I did. I used a TP-Link Archer C7 router and installed adblock and few other useful packages. Works like a charm so far.
(comment deleted)
Do you know if it’s possible to deploy it on a virtual AP? E.g. have “MyNetwork” and “MyNetworkWithAds” - so that it is easier for nontechnical users to switch, and also doesn’t deactivate for everyone when just one user needs to (even if only for 5 mins)?
Can anyone recommend a "2018 good choice" for a consumer router that can run custom firmware (including dnsmasq), or a trustworthy recommendation website? Wirecutter for example doesn't note third party firmware: https://thewirecutter.com/reviews/best-wi-fi-router/
I buy my routers from flashrouters.com. A little overpriced, but I trust them and their testing. I have the Asus N16rt (I think) running shibby tomato and it's great.

Despite this, I run pi-hole on an RPi that I have done so much as a reboot on in two years.

I’ve been also searching for recommendations, particularly on a custom firmware router that allows me to host a VPN server.
It’ll be more involved for you to set up, but pfSense is what I use. I basically forget it’s there until I want to change something (add a new VPN user, monitor bandwidth usage). I’ve set up an IPSec VPN that works well with my Apple devices, especially with a configuration profile that enables on demand VPN (connect via VPN when certain conditions are met, like not on my home WiFi). For hardware I use a cheapish “industrial” computer from AliExpress. Probably not the best thing security-wise (no firmware updates in the past few years, it feels like it’s just shipped directly from a random factory in China), but it’s been great so far.
How do you instruct an iPhone or iPad to use VPN when you are not connected to your home Wi-Fi? I used their former Workflow automation app (now dubbed Shortcuts in iOS12) and it did allow reacting to such an event (going out of range of 1 or more wi-fi networks) but did not realize one of the possible actions was to be able to enable VPN.

Was that what you used? Or was it something else?

I’ve been running the mid to high end Asus routers for years now and am very happy with them. Running wrt-Merlin firmware and AB-Solution via entware is everything I need and doesn’t complicate things with additional devices like pi-hole.
Yes, this is my preference as well. You can also run a vpn with this setup (as you can with other custom firmwares) so you can take advantage of this adblocking from outside your home.
Netgear R7800 and any other router with the same Qualcomm chipset work great with OpenWRT.

Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).

Not really an off-the shelf consumer router, but since you want to install custom firmware anyways, you might want to consider the PC-Engines APU2 board [1]. You can either install any "normal" desktop x86_64 Linux distribution or a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports hardware virtualisation, so you're able to run several VMs via KVM to isolate the services the router is providing.

Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.

[1] http://pcengines.ch/apu2.htm [2] https://openwrt.org/toh/pcengines/apu2

I second this. I've been running PC engines stuff for a few years and it's great. I currently have an APU and it handles my gigabit fiber no problem. I use a separate off-the-shelf wireless router in bridge mode which let's me upgrade that independent of the PC engines (wireless hardware tech moves faster than router hardware tech).

I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice—For example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.

Unfortunately it does not come with 3 mPCIe slots, the one furthest to the left is an mSATA port.
It may be more full-featured than you are looking for, but have a look at the Turris Omnia. It is extremely customisable and you can add an internal SSD to run LXC containers on (including one running Pi-hole, which is what I do).

Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.

https://omnia.turris.cz/en/

Have you had any issues with the auto updater? I got rid of my Omnia after an auto-update broke DNS while I was away from home.

Ironically, went to Unifi after reading Troy's blogs about it - now regretting it immensely as the hardware is nowhere near as powerful as the Omnia.

This happened to me too, and what I learned is that the Omnia uses the Knot DNS resolver, which re-enables itself after updates and this breaks everything if you have made certain customisations.

The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).

The TP-Link Archer C7 AC1750. https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

I was looking for an openwrt-compatible router a few weeks ago, this is 2018's consensual cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.

And to come back to your original question, to do your own research, I recommend you search/ask on https://www.reddit.com/r/openwrt/ and https://forum.openwrt.org/ , it's a question that pops up frequently.

I'd argue Pi-hole is quite a bit more than dnsmasq (it's actually a fork of dnsmasq called ftldns) out of the box. It's also very much more approachable by the majority and the web interface gives people immediate feedback and configurability without having to understand configurations for the services directly.

https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ft...

https://docs.pi-hole.net/ftldns/

Interesting, didnt realize the “pi-hole” branded package was more than vanilla dnsmasq glued together with shell scripts.
Go back in the project history and you'll see that it originally was! It's matured a lot since then.
Assuming I'm only interested in blocking ads in one computer, is there a software solution for this on Linux or Windows? (I know that Mac has Little Snitch).
Why not use a browser extension? uBlock Origin is pretty good from what I hear. I use uMatrix by the same dev, and it serves me well. Both work on major browsers (FF, Chrome, Opera, etc..).
I was doing this using Tomato and it introduced serious stability issues in the two routers (both Asus) I tried it on.

Pi-Hole is a drop in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist router upgrades.

My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.

Use a different root filesystem. Ext4 is not robust against power loss, as I've discovered in multiple embedded Linux systems where Ext4 was used.

The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.

Back in the day (also before ext4) we solved this by mounting the root filesystem read-only. Depending on any other application for the machine, you may not need filesystem writes at all once it is set up. Bonus: it’s even friendlier to the flash.
This is how I've solved the problem in the past. Too bad systemd discourages this. It also doesn't protect the partition where your database and log files are kept.
Yet another reason to not run systemd. (Also, systemd? On a router? That's excessively overkill. Why not a sane init, like SysV?)
I'm running a Rpi with 64bit kernel & runit as init via Void Linux, so you're not necessary stuck with systemd as the only option for Rpis.
Do you use YAFFS2 or ETFS on a raspberry pi? I'd be interested to know more about setting something like this up.
I got cheap SSDs in cheap USB cases for my 2 Pis after getting annoyed with SD corruption. SSD prices have dropped recently after being flat for a long time. If you are really cheap the cases often go for $1 or free after rebate at newegg.
The simplest approach is to use a hosts file: https://someonewhocares.org/hosts/
That doesn't work the same as pihole. PiHole blocks ads on ALL devices on your network. Your computer, your laptop, your phone, your kids kindle, etc. As long as they are on your network, they are protected (and browsing web pages on an older phone, things are much faster)
Yup, that's a downside. The advantage is that it's much simpler and will also work when you're not on your home network.
Well, I'm connected to my home network via VPN when I'm not on my home network, so....
You can also run pi-hole on a tiny VPS and set your DNS statically on all devices.
do you have any links for doing this?
Yeah this is something I've been thinking about lately as well. Pi-Hole seems cool but what about most of the time when I'm somewhere else than my local network?
How do I edit the hosts file on my iPhone?
You fire up vi and load /etc/hosts /s
Jailbreak it, install openssh, ssh in and edit /etc/hosts. There's also packages in Cydia that add adblock lists to your hosts for you.
Probably not the answer you are looking for but:

(1) Install "1Blocker X" -- not free but it's cheap. (2) It has a huge number of rules and protects your Safari pretty damn good. (3) You can disable the existing rules if you so choose. (4) You can add new ones based on URL regexes or CSS rules.

I am still using it actively both on my iPhone and iPad, one of the best investment in apps I ever did.

The issue with that is DNS resolution. I noticed that when I disconnect/reconnect my interface, it took >30 seconds for DNS resolution to properly resolve. Why? Because I was using a 65,000 entry host file on my modern Windows 10 machine.

It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issue.

I'd rather have a separate service to run it.

I also had a performance problem with DNS resolution with a big host file, but disbling the DNS client service helped.
Of course I have deployed it on a Raspberry. I don't have another always-on computer, and while it's not the only supported target, it is the one most Pi-Hole users have, so I get maximum community support.

I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.

So far, I love my Pi-Hole. Absolutely no problems with it.

At 100% power draw the charger I use to power my pi uses 5 watts so you're pretty safe on the power.
A cron job every hour with a slack notification of temp >60C has put me at ease. It goes over occasionally so I suppose I’ll need a fan at some point.
Thanks for the link. I guessing this would handle the use case of being able to acess Pi-Hole while traveling or in a coffee shop correct? This seems to be a limitation of having this on a Pi.
> DoH or DoT

I wasn't familiar with these terms and they are a bit ungooglable. :-/

DoH = DNS-over-HTTPS

DoT = DNS-over-TLS

Hello. I have recently been banned and would like to run an experiment.

If you read this, please click “vouch”, upvote, and then click “unvouch.”

My hypothesis is that very few people read dead comments. How few? Let’s measure it.

It costs nothing to participate, and it won’t harm the site since unvouching a comment will cause it to revert to [dead].

If you don’t know how to vouch a comment, click on this comment’s timestamp and click “vouch.”

Thank you for helping.

Troy's skill is taking security and privacy topics and translating them with practical tips to an IT enthusiast audience that is much broader than hn

Look at his comments and replies to gauge the audience for his content - deploying more privacy and security tools and knowledge can only be a good thing

I assume DoH is dns over http, what is DoT?
(comment deleted)
On an RPi I can plug it in to the USB on my router for power and connect with ethernet. Otherwise I have to run a full powered server perpetually to manage DNS for the home network. Made sense to me.

I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.

And if you’re that way inclined, a POE Pi hat can get another cable removed.
I wasn’t aware of that - thanks. I think I’ll be safe as there will be no peripherals plugged in, but that’s something that needs considering it seems.
I've gone the route of using another box to do PoE -> 5V USB, but unfortunately the TP-Link converter is outputting 4.8V instead of 5V (the Pi3b will technically run on this, but it's not a good idea).
The setup script runs perfectly on Ubuntu in an lxd container as well.
Works for most basic ads. Unfortunately basic ads are a thing of the 90's. Does not work for most common ads nowadays, as youtube et. al. run them from the same domain as other important parts for the app/site to run. For these you have to use a different approach, like running an extension in the browser to block them.
I see pi-hole as the first line of defense.

With Pi-hole you can disable an adblocker when something doesn't work and still enjoy a fast web.

But Pi-Hole still blocks the majority of ads, so it is possible to use it exclusively if you just want to make the web usable again.

It's also great at home for family members who just want to surf faster and more private and secure but don't mind a couple of ads here and there. Especially when it comes to mobile Apps.

I also want to highlight that most domains that are blocked are usually tracking services which makes Apps and Websites incredibly slow and increase traffic to a large extent. I think blocking those "services" is the true beauty of Pi-Hole. Ad-Tech is only the tip of the iceberg when it comes to commercialised tracking.

I'm amazed that something that (to me) as simple as an ad and analytics proxy running on the website domain isn't more of a thing yet. That will already circumvent a lot of ad blockers. Well initially anyway, the ones based on blocklists / patterns will probably be updated quickly.
You really think anyone wants to maintain something like that, let alone subsidize the advertisers' bandwidth costs?
If it's their main source of income, they would. Maybe advertisers could offer better rates since you'd be reducing their costs.
> Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog

Uh, sorry, but uBlock Origin blocks it. Also, does anyone else finds themselves jumping straight into `reader view`?

I had a little giggle at him mentioning his ad in an article about pi-holes, since I run a pi-hole and don't see the ad.
I've been using Privoxy.

Killing two birds with one stone here: proxying access through a VPS to hide the home IP address && blocking ads.

Apart from it occasionally blocking legitimate sites that begin with the word "ad" (something like, say, "adrian.blog.thing"), it works great. Because it's an HTTP proxy, it offers an interface for bypassing these unintended blocks.

If it's a dumb string-start check then that could be a lot of false positives. How often has it been wrong?

I personally hate wondering why something's not working and having to go through every extension to debug my browsing session.

Proxomitron, which Privoxy was inspired by, has a few patches which make it filter HTTPS too (you need to install a certificate for MITM, obviously.) As more sites use HTTPS the ability to filter their content becomes more important too.
So I have tried using pi-hole in past and I think one of the problems is - some websites refusing to function if ads are blocked. IIRC - British Airways website uses some javascript that requires ad to be disabled for finishing checking in. It may have changed now but there are other websites too which may or may not work as expected.

With browser extensions it is typically easy to disable the ad blocker one time and check if that fixes it. With pi-hole IIRC, it was much harder to do.

> some websites refusing to function if ads are blocked

Don't visit those sites!

They want your eyes and/or your money (if a subscription is an option) and you don't want to give it to them. Just stop going there!

Edit: I don’t understand the downvotes. Sites aren’t obligated to give you something for nothing. Why does it feel like that’s the default view here?

but there are other people that live in or visit my home. Maybe they want to visit those sites.

I'd love a pi-hole like solution that was as easy to temporarily disable as a browser extension.

Isn’t that the compromise of roommates or family? Not everyone gets what they want.

Either they’ll move out, resent you, deal with it, or you’ll do what they want?

That is why I don't use pi-hole myself.

I wish it would redirect to a different local webpage that allows you to click a button to temporarily unblock the domain for your ip, like the ublock blocked webpage that pops up sometimes:

https://arstechnica.com/civis/viewtopic.php?f=3&t=1424503

If it gets abused, then you can turn it off as an option.

I’ve been running this kind of setup for over 5 years on my home network, and the only complaint I’ve ever gotten was the Google search results that are ads or shopping links don’t work (yes, my wife clicks on these). If a web site didn’t function I wouldnt know it was due to DNS, because I never turn this off. I’d simply chalk it up to it being a defective website and not use it.
Yes - but sometimes you don't have that choice. Would you rather not use a essential service(flight check-in or pay electricity bill) or disable the adblocker temporarily? To each its own I guess and tricky thing with pi-hole is, it is VERY hard to tell if website isn't working because of adblocker or because you are using Linux or it is simply broken.
In the situation I would just disconnect from my wifi and use 4g.
If a site refuses to work when there are network issues, then you can just close the window. British Airways' competitors will be happy to have your business.
It's super easy to turn it off for five minutes in the admin interface.
Should be noted this is useful not just for ads, but also for devices phoning home and collecting metrics. Things like Win10, Netflix, smart TVs, etc. You don't have to use every blocklist on the planet if you don't want it to screw up normal web browsing.
It can be easy to bypass by having an IP / another DNS server hardcoded as a fallback. I would bet that some devices are already doing it.
There's an interesting discussion happening in the comments where the fact that Troy's (very low key, topically relevant, non tracking, entirely text based) sponsorship banner is being blocked by some AdBlockers. I've found the same thing with Reddit ads (which also seem quite reasonable).

I'm conflicted, I'd like for there to be some mechanism where reasonably implemented ad systems can flourish.

Been using the pi-hole for a couple of years now. Can only say good things about it, as it also disallow porn and the such (which is good with kids in the family).

Sometime, it's convenient to be able to switch it off quickly (as someone mentioned, certain sites will mulfunction): so I created a simple Alexa task to turn Pi-hole on and off using voice, leveraging the pi-hole api.

Since he was pointing out scammers buying popular extensions: I would like to mention that this is a chrome specific problem. Something like this isn't common with firefox addons.
I'd also recommend turning off auto-updates for extensions (which is possible in Firefox). You also get a page with pending and recent updates, complete with release notes if the addon author provides them.
It's easier for me to replicate this functionality myself. I run unbound with a domain name blacklist. Same functionality, no need for additional hardware.
One of the great things about using unbound is how easy it is to blacklist entire domains, without having to know the name of each subdomain ahead of time. I've been doing what pihole does for over ten years using pfSense. I'm up to 437,000 fully qualified domain names blocked, and over ten thousand domains blocked outright. It has been years since I've seen an ad.
> 82% reduction in the number of bytes transferred

No doubt the reduction is important, however as per screenshots, the reported reduction should be considered somewhat inaccurate as he forgot to check "Disable cache" for the Pi-Hole version, while it is checked for the non-Pi-Hole version. We can see resources pulled from browser cache in the Pi-Hole version.

Wow, Daily Mail, 2663 requests and 57.6MB transferred... just for visiting the homepage. That is a ludicrous amount of data.