Pi-Hole has made my home browsing experience so much better since setting it up. Minimal resource overhead, maximum results - and if you care about stats those are available too but I just turned all logging off.
Interestingly it's been working perfectly for me with no issues for almost 1 year. A bit surprised to learn that it is not stable for a bunch of people.
Well I think it's just a matter of lag between bugfix and updates on my side. Which means from time to time I get a guru error. Other than that it's quite stable.
Maybe coincidentally after the 10 minutes YouTube changed something? Once or twice NewPipe stopped working for me suddenly but an update helped. BTW F-Droid gets updates of NewPipe a bit later than GitHub it seems.
I used NewPipe for a while and it was very nice, enjoyed how well it works. However I started wanting to see videos on my TV (Chromecast), and that's where the abilities of NewPipe fell short.
They have an open issue [0] since a couple years ago, but so far it is not a feature yet.
Ditto. Exact same experience. It is great for what it is.
For me on top of that, my wife and I often join chromecast together, and she has an iPhone. Vanced is pretty much fully compatible with the official YouTube app.
They very recently moved to require an special additional app just for installing their new .apks file (which is a file containing multiple .apk inside), called SAI.
That would be fine by me, if it wasn't because SAI requires Android 5.0, while my Nvidia Tegra -like tablet (Xiaomi MiPad 1) is stuck on Android 4.4 :-(
(no, Lineage and friends is not a good replacement, they all break the camera, and yet worse, suck battery like crazy)
I’m pretty sure that the on-device app blocks youtube ads, not the DNS filtering.
Although I think it is indeed possible to block youtube ads through DNS filtering, it’s just really difficult & only works temporarily before needing to block new domains.
I actually looked into this a bit after posting that comment, since it occurred to me that I don't actually know exactly what's blocking YouTube ads for me. (I'm still not sure, which is why I didn't edit my previous comment after doing that research.)
Empirically, I don't get YouTube ads in the iOS app. I do use Firefox Focus as a content blocker, in addition to AdGuard DNS. I don't use the AdGuard app, and it was my understanding that Firefox Focus only blocked ads in Safari, so I assumed it was AdGuard DNS. The documentation for AdGuard DNS seems to indicate that it shouldn't work for this, but it seems like either that documentation or the documentation for iOS content blockers is missing something. Unless YouTube has just decided not to serve me ads for some reason. (I'm not complaining either way.)
I had something working a while ago for YT ad blocking in chromecast; the underlying problem there is that the chromecast is hard-coded to use Google's DNS servers (8.8.8.8, etc) instead of your networks. So you need to set up your network to intercept DNS requests to 8.8.8.8 and 8.8.4.4 and instead send these to your own ad-blocked DNS server. My network setup no longer lets me do this, and I don't care enough to make it work.
Just pay for YT premium if you don't want ads (to all those people complaining about wanting an option to pay and not be tracked/advertised to/etc - this is a great opporunity to put your money where your mouth is)
Pi-hole is very easy to set up, and it works so well you can basically forget about it from that point on. Blocking ads is nice, but it’s also a huge boon for privacy. I run uBlock origin on all my browsers, but Pi-hole still blocks 30-50% of requests on my network. It’s also really nice to be able to glance at the logs and get an idea of what’s going on on your network, or if there’s any unusual activity.
I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.
Some ad agencies starting asking hosters to add a CNAME record to one of their domains.
Let's say I have your own blog running on dastx.me, and I wanted some ads from adgiant.com.
As an adblocker you've added `* .adgiant.com` to your blacklist and I'm an asshole and try to circumvent such adblocking measure. Them young millennials and their tech. Stealing me out of my money!
So I go to adgiant.com and ask them if there is something i can do. adgiant.com asks me to add a new DNS record of `CNAME definitely-not-an-ad-subdomain.dastx.me -> terribleads.adgiant.com`. This way, whenever I wanna call terrible-ads.adgiant.com, I instead use `definitely-not-an-ad-subdomain.dastx.me`.
When it comes to adblocking this is an issue because adblocking lists are usually based on a blacklist. They'll have `*.adgiant.com` on the list but not `definitely-not-an-ad-subdomain.dastx.me`, thus my ads will start working. We could of course ad every subdomain we come across to the blacklist, but suddenly our adblock list doubles, triples, quadruples or more.
What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.
This CNAME method is also a huge security issue, but I'm not gonna go into that.
This. At my previous job we had to serve content from Salesforce and Marketo from subdomains of our main domain. Rather than use CNAMEs direct to those companies, we proxied the requests so we could strip cookies etc.
How does this work exactly? asking for a friend..
(like the requests from browser to definitely-not-an-ad-subdomain.dastx.me also include cookies set by *.dastx.me content?)
>What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.
So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?
> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?
> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?
Yeah, uBlock Origin recently added a new permission request just to allow that.
Thanks! I hadn't heard of this method. One question though: What will prevent the ad providers from asking their customers to add an A/AAAA record to one of their IPs? That'll be much harder to combat for an adblocker especially because those IPs will usually be shared with actual content services.
Of course this'll add overhead to the visited website manager because the IPs will probably change regularly as they're pointing to cloud services. But I'm sure they'll manage to automate this.
I bet this will be the next step in this cat & mouse game.
I think it would be only marginally harder to combat, since now you just need a list of IPs to block. Someone would have to maintain the (likely ever changing) list of IPs used, but that's not so different from what's happening now.
> Someone would have to maintain the (likely ever changing) list of IPs used
What if the ad-network is domain-fronting via a CDN? Either ways, can't block IPs since http-domain <-> IP isn't supposed to be a one-to-one mapping, each belong to different layers of the TCP/IP stak.
Here is an example (the domains are fake, it’s for demonstration purpose only):
The domain adcompany.com 5 is in my blacklist, so it returns the IP of my Pi-Hole if I do a DNS query:
$ host adcompany.com
adcompany.com has address 192.168.1.10
But if I do a DNS query of ad.newspaper.com it doesn’t get blocked by Pi-Hole even though it’s simply an alias (CNAME) for adcompany.com:
$ host ad.newspaper.com
ad.newspaper.com is an alias for adcompany.com.
adcompany.com has address 6.6.6.6
What I would like that Pi-hole do is to check if the domain is a CNAME (in the example ad.newspaper.com) then comparing the domain that is aliased to (in the example adcompany.com) with my blacklist. If it is in my blacklist block the domain (by returning the IP of my Pi-hole).
One of a trick a website operator can use to evade hostname-based adblockers is by putting the ad-serving domain as a cname entry in one of their subdomain. Since the ad now served from a subdomain of their website, it won't get blocked unless the dns adblocker did deep inspection on nested cname entries.
Right, I didn’t mean to make it sound like uBO was letting stuff through the cracks (it’s actually far more thorough than dns filtering). But the amount of tracking requests that come from outside of the browser and from other devices is no joke.
I set up a pihole and literally forgot about it. Like I was cleaning out a closet on moving day and found it plugged in. Took a moment to even realise what it was doing there.
I’m reminded almost every day that I have a pi-hole since it is not my dns provider when on my company’s vpn. It’s absolutely night and day on so much of the web. Some sites have so many ads now it’s just shocking to be frank.
No, but there are plenty of other content filtering solutions on iOS, including Mozilla’s own Firefox Focus that can be installed as a system-level content filter.
I could (and heck, probably should). But I don't browse websites all that often on the vpn. Just on the occasion that I do, I'm blown away at all the ads :) So just lazy.
Obviously will depend on your company, but some corporate VPN clients will still let you use a local or alternate DNS. Then just add the machines you need to connect to on your work network to your hosts file.
Won't fix your issue but I run a Wireguard VPN on my PiHole that allows me to get onto my local network. The other upside is that once connected you get the PiHole blocking from anywhere....
Typically a pi-hole is used as a DNS resolver. In order to work it must connect to the internet.
Scenario for attack: Laptop looks up a website, DNS request is made to pi-hole, pi-hole sends request to internet. Response packet received back is actually from an attacker, that uses a known vulnerability in the handling of the packet to take over the machine.
Attacker can now see what DNS requests are being made, and by returning custom responses, it can MITM any HTTP request you make from your laptop. Let's hope everything is encripted via TLS, and hope that some piece of software that just asked for admin permission didn't just install a new TLS trust root.
That is definitely a bad situation. Thanks for the reply. Unnerving to think there'd be even a possibility of getting root just from processing a DNS response!
There are lots of ways. A basic vector is CSRF (like eg https://tools.cisco.com/security/center/content/CiscoSecurit...), or the server side variant (SSRF). Then there's the DNS vector already mentioned. There are others too. Generally it's a bad idea to rely on home network boundary protections.
It was really easy to set-up, but on first day it actually broke an Android TV-app on default settings (meaning it blocked some call that stopped the app from loading through).
Ironically, after disabling it for a minute and then loading through the app, it didn't block the video ads (not rendered into the video).
YMMV of course, but it wasn't usable for me since everyone in the household needs to understand/solve any issues.
does anybody know how to properly secure the the DNS server from replay attacks with iptables.
i have a pihone running on a cheap vps on internet, but i connect to it with a vpn and that's draining my smartphone battery. i want to be able to change only the dns settings and point to my pi-hole. but at that time the recommendation was to not run the dns part on the internet because it could be used for dns replay attacks. i found some iptables rules on the net at time but was not sure are they ok. i did not want the ip address blacklisted because i was running some other services on that server.
If you're on an Android phone, apps like Blokada (plain old DNS), Nebulo (DoH and DoT), Intra (DoH) can split tunnel traffic to a DNS server of your choice. Note that, Android 9+ supports DoT, out of the box. Look for the Private DNS setting.
I have migrated wireguard since several months ago and the battery life improvements is tremendous compared to openvpn. Previously I can't enable vpn 24/7 as my phone's battery will be drained before the end of the day, but now with wireguard I can enable it all day without draining the battery too much.
I do this too. After throwing around a bunch of other ideas, I realized that a Pi is cheap enough and the one-shot cost is nice. If it dies, I just update the MAC address for its DHCP reservation to the new pi, spend 10 minutes setting up a new instance, and that's that. It just ends up working.
The dream is to network boot the thing, so you literally plug a new pi in to network+power and it automatically boots and starts running stuff:) (Well, a Pi also needs a 1-time step to enable network boot, but still)
That should work as long as SD card is okay. Unfortunately, it's my understanding that SD cards remain the most likely thing to fail in the entire system, hence my interest in not using them.
Not OP, but in my case, most of my VLANs can’t perform DNS requests to WAN. Only the pi.hole server is able to do that (and other devices in the DMZ).
Reasoning: appliances like Chromecast/Apple TV/whatever will often ignore DHCP DNS settings if it doesn’t resolve, and they’ll reach out to 8.8.8.8/8.8.4.4 directly.
I have several users and multiple devices in our household. FB is not allowed anywhere near my PC, but wife has to currently switch between piholed and not piholed wifi. It just allows for a much better control. Heavens know not everyone is like me.
Server is down, right? Not for this case (which I assume is caused by the HN effect) but one downside of this kind of blockers (I also use uBlock in the browser) is that when something doesn't work well in a website, I'm never confident that it's because the site is broken and not because my blockers are breaking it :-)
I know, you can just disable the blocker and try again, but doing so from my phone is not very convenient...
I host pihole on a home server in a docker container and spend 5 mins a month just updating it. No other administration. Definitely use it to get rid of trackers and ads.
(I should add that I also pay for about dozen publications/newspapers that I read frequently in lieu of not seeing ads)
Is there a way to quickly disable/re-enable pihole for the network?
With AdGuard DNS or uBlock Origin I still get into situations where occasionally they break a site completely and I have to temporarily disable the plugin (or switch to cell tower dns) to get the site working, so I’d want a quick way out of pi-holing traffic as well
The Web UI has a Disable button, and also quick options for permanent, 10 seconds, 30 seconds, 5 minutes, custom, etc. I think there's also an API as well. I can toggle it via Alexa and Home-Assistant.
It's a feature that's been around for 2 years or more
I know. But still I would prefer something a non-profit or volunteer-driven project over one from a for-profit company. Especially in the adblocking business where investor concerns are very likely not going to be aligned with consumer interests. It's not about it being free, I support several free open source projects with donations. I just don't like the clashing interests.
For me that means Firefox, uBlock Origin and pihole (though I ran dnsmasq myself for a while, I like what they've made of pihole now, it's come a long way!)
there is a chrome extension that quickly let's you disable pihole blocking with 1-click. default is 10 minutes. But you can set a custom time in the toolbar popup.
I've been using pi-hole for 4 years now and I can remember two situations when I had to disable it - and one of those was cloudflare's fault (PS4 cloud saves don't work with 1.1.1.1 DNS)
Alternatively for MAX_lazyness and convenience I've been using https://nextdns.io, does all the same stuff and is the alternative to cloudflare in Firefox for DNS-over-Https (DOH)
though they do also have some additional security protections for typosquatting, safebrowsing, homoglyphs, threat-intelligence which is also nice. All of which could be done on a pihole though not out of the box when I last used it ~2 years ago.
Also, unless you go through the trouble of setting up unbound, your requests would need to go to an upstream server anyway, so might as well send them to one with the best privacy policy.
No additional hardware required, you can use it to provide some protection to your family without having to worry about remote access to the Pi-Hole to configure things, works for your devices on the go, cheaper than running pi-hole in the cloud yourself unless.
Pricing wise it’s over 2 years worth of service for the price of an original Pi, a good SD card and a case.
The only circumstances where Pi Hole is unquestionably superior is if you are on a network that redirects all DNS requests there are still some ISPs that do that however if you are on such network you probably want to either get off it ASAP or use a VPN.
I do exactly that, though I run my VPN in the cloud (a scaleway instance which is only 3 euro per month). Using algo for the vpn: https://github.com/trailofbits/algo . I can highly recommend it! Though I had some issues with play store updates being blocked but that's resolved now. Unfortunately google play services are essentially one big spyware collection so it makes sense for it to block them.
I also had to manually provision my Android phone on IKEv2 (ipsec), Algo used to provide a strongswan config but unfortunately they dropped this in favour of wireguard. But you can still set it up manually (and on Samsung devices you don't even need strongswan). Wireguard is faster, yes, but my work blocks pretty much every port they don't know, except IKEv2/ipsec because many contractors use it to connect to their work :)
I know I mentioned you can run it in the cloud/hosted, however for most home installations unless you have a dedicated VM server that is always on it does requires additional hardware.
I run pi-hole on my qnap nas at home since it’s always on anyhow.
I don't think it's live on latest. I just did a fresh pull again (I did it a couple hours ago too) but I don't see the new bar graphs nor the local DNS option.
Edit: Oops I didn't wipe the container. Works now!
Too bad in my country all ISPs are required by the government to intercept (or block) all dns requests except their own dns server to block any domain listed in the national domain blocklist database. DNS on port other than 53 is still working though, so I have set up my pihole to use an upstream dns server that accept connection on a higher port and a cloudflare DoH server as a fallback (not sure why but DoH is really slow here).
Indonesia. The blocklist mostly contains porn sites, but the government often use it to force foreign companies to comply with their requests (e.g. putting whatsapp on the block list until they comply with the new censorship rule, etc), and also used to censor any websites that offend the government (mostly communist and anti-islamist sites). Even websites that remotely contains nsfw contents end up getting blocked. Reddit and Vimeo is still blocked, tumblr was blocked (until they banned nsfw content recently), and most surprisingly, readthedocs.org was blocked for quite a while before (I'm not even sure why it was blocked in the first place).
The block list database can be accessed here, you can query a domain to see if they're blocked in Indonesia: https://trustpositif.kominfo.go.id/
They could've at least intercepted the requests and applied their blacklist while leaving unblacklisted requests pass through as-is (so you can still use a custom server for the non-banned domains). Not saying I'm in favour of these shenanigans at all but at least if you are forced to do it then better do it with the minimum level of interference possible.
Then you can have your client lookup blacklistedsite.com.yourdomain.com and have yourdomain.com return the record of blacklistedsite.com to bypass filtering.
Of course, but presumably the censoring dns server would never return a censored ip, regardless of domain. Whereas if you were to passthrough all non-blacklisted queries you wouldn't be able to block that, which is why no censor would ever implement it that way.
Is that not a trivial amount for hands off DNS recursion services? Consider the cost to purchase a Raspberry Pi, set it up, electricity, wear and tear on flash storage, etc
If you point me at a checkout page for $2/month to not even have to think about plugging a Pi in, I’m going to pull my credit card out in a heartbeat. A single coffee costs me more. Think about your time!
Price-wise it'll probably be a no-brainer. Even though a pi can come as cheap as 2 or 3 coffees. A zero is sufficient for pi-hole.
But it's about taking control too. Personally I wouldn't like taking a service even if it were free, over hosting something myself, especially when it's made as easy as Pi-hole does.
Pi-hole is a tool to improve your privacy. Handing all your DNS requests to a 3rd party is the exact opposite. Now you have to deal with their privacy policy, track whether that company got hacked or bought etc.
Installing and maintaining pi-hole takes very little time.
Nextdns pings are bad for me in south India. Like 8x slower than Cloudflare and 10x slower than Google. So sticking with PiHole at home setup for now and Windscribe VPN outside home.
Browsing sites served over HTTPS still requires querying a DNS server to figure out what IP address to connect to. Pi-hole acts as a DNS server and returns invalid results when asked for the IP of a blocked site. Ads are served from a separate domain from content, so they can be blocked without affecting the content.
That’s pretty neat! Do you plan on open sourcing it? I’m hesitant to trust an application with my pi-hole api token (and with it, all of my browsing/network data).
It's not my project. I am using it from within Test Flight. It is great for non-technical people who just need to temporarily disable Pi-Hole in order to get some sort of functionality to work that wouldn't otherwise.
One idea that I want to explore is to create an Alexa Skill to temporarily disable Pi-Hole. This has probably been done already.
I don't have a link handy but someone mentioned in an HN comment a few days ago that they created a "shortcut" on iOS that simply hits the Pi-hole URL to temporarily disable blocking.
Seemed like a great way to handle that problem -- especially for the non-technical people on your network.
There's one thing i noticed: When I click on a twitter link, the first request goes via twitter analytics and gets blocked. I have to click it again, the second time it doesn't go to twitter analytics and the request goes through.
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for pi-hole.net. The certificate is only valid for the following names: *.sucuri.net, sucuri.net
Pi-Hole maintains a gravity list (list of domains to block), which is constructed from all the block lists to which you subscribe (public lists), along with your whitelist. [0]
I set up pihole on docker on Windows and it worked great until I rebooted and then the pihoke server (both ports 53 and 80) was unreachable from outside docker even though docker claimed to be forwarding the ports.
The default way would be to install the package unattendedupgrade which will install security updates on your system every day.
Depending on how pihole is installed, this may not upgrade it. I personally have it installed with docker and uses watchtower for updates, but the risk with this mechanism is that it can break things.
I've set a cron job on the raspberry pi at my parents' house. It's a debian based system with only PiHole running so I just pihole -up and apt update && upgrade every month or so.
I don’t see the issue with this? Anyone who’s able to install Pihole in the first place will be more than capable of keeping the system up to date. I’d generally trust the underlying software and the maintainers to address security issues in a timely manner, security vulnerabilities on home routers on the other hand...
253 comments
[ 5.4 ms ] story [ 79.9 ms ] threadNow if it could just filter out YouTube ads...
Ive heard that the problem is that the native YT apps come with a big list of IP addresses for the ad servers, instead of doing lookups.
A firewall is a little more than what I would trust to a raspberry pie, though...
https://newpipe.schabi.org/
At least it is opensource and works great.
They have an open issue [0] since a couple years ago, but so far it is not a feature yet.
[0]: https://github.com/TeamNewPipe/NewPipe/issues/668
For me on top of that, my wife and I often join chromecast together, and she has an iPhone. Vanced is pretty much fully compatible with the official YouTube app.
That would be fine by me, if it wasn't because SAI requires Android 5.0, while my Nvidia Tegra -like tablet (Xiaomi MiPad 1) is stuck on Android 4.4 :-(
(no, Lineage and friends is not a good replacement, they all break the camera, and yet worse, suck battery like crazy)
Although I think it is indeed possible to block youtube ads through DNS filtering, it’s just really difficult & only works temporarily before needing to block new domains.
Empirically, I don't get YouTube ads in the iOS app. I do use Firefox Focus as a content blocker, in addition to AdGuard DNS. I don't use the AdGuard app, and it was my understanding that Firefox Focus only blocked ads in Safari, so I assumed it was AdGuard DNS. The documentation for AdGuard DNS seems to indicate that it shouldn't work for this, but it seems like either that documentation or the documentation for iOS content blockers is missing something. Unless YouTube has just decided not to serve me ads for some reason. (I'm not complaining either way.)
Just pay for YT premium if you don't want ads (to all those people complaining about wanting an option to pay and not be tracked/advertised to/etc - this is a great opporunity to put your money where your mouth is)
Also, make sure to block UDP and TCP on port 53, as well as UDP on port 443 (Chrome snitching).
I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.
Is there a good explainer for CNAME inspection? I'm not finding anything good with my Google Fu.
Let's say I have your own blog running on dastx.me, and I wanted some ads from adgiant.com.
As an adblocker you've added `* .adgiant.com` to your blacklist and I'm an asshole and try to circumvent such adblocking measure. Them young millennials and their tech. Stealing me out of my money!
So I go to adgiant.com and ask them if there is something i can do. adgiant.com asks me to add a new DNS record of `CNAME definitely-not-an-ad-subdomain.dastx.me -> terribleads.adgiant.com`. This way, whenever I wanna call terrible-ads.adgiant.com, I instead use `definitely-not-an-ad-subdomain.dastx.me`.
When it comes to adblocking this is an issue because adblocking lists are usually based on a blacklist. They'll have `*.adgiant.com` on the list but not `definitely-not-an-ad-subdomain.dastx.me`, thus my ads will start working. We could of course ad every subdomain we come across to the blacklist, but suddenly our adblock list doubles, triples, quadruples or more.
What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.
This CNAME method is also a huge security issue, but I'm not gonna go into that.
A security issue for the website with the CNAME, or a security risk for Pi-hole implementing this feature?
I will. The CNAME method could potentially allow a malicious actor to harvest user cookies, gain access to their accounts, and utterly destroy them.
So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?
Right
Yeah, uBlock Origin recently added a new permission request just to allow that.
cdn used to mean - serve the same static content all over the world and speed things up.
cdn now means - serve up different content to every single person and track them.
take a look at stack overflow and it's cdn.
Of course this'll add overhead to the visited website manager because the IPs will probably change regularly as they're pointing to cloud services. But I'm sure they'll manage to automate this.
I bet this will be the next step in this cat & mouse game.
What if the ad-network is domain-fronting via a CDN? Either ways, can't block IPs since http-domain <-> IP isn't supposed to be a one-to-one mapping, each belong to different layers of the TCP/IP stak.
Here is an example (the domains are fake, it’s for demonstration purpose only): The domain adcompany.com 5 is in my blacklist, so it returns the IP of my Pi-Hole if I do a DNS query:
$ host adcompany.com adcompany.com has address 192.168.1.10
But if I do a DNS query of ad.newspaper.com it doesn’t get blocked by Pi-Hole even though it’s simply an alias (CNAME) for adcompany.com:
$ host ad.newspaper.com ad.newspaper.com is an alias for adcompany.com. adcompany.com has address 6.6.6.6
What I would like that Pi-hole do is to check if the domain is a CNAME (in the example ad.newspaper.com) then comparing the domain that is aliased to (in the example adcompany.com) with my blacklist. If it is in my blacklist block the domain (by returning the IP of my Pi-hole).
Source: https://discourse.pi-hole.net/t/apply-pi-hole-blocking-to-cn...
I'd encourage anyone to try that out
https://www.imore.com/how-block-ads-your-iphone-or-ipad
Pihole is a system wide Adblocker and so is NextDNS on iOS. So are the ones you can install on Android rooted.
Relevant adventure with iOS update rejection: https://adguard.com/en/blog/adguard-pro-is-back.html
Essentially - it's reading user-defined data - which is probably enough to be really bad, incase of a malicious exploit in the wild.
Scenario for attack: Laptop looks up a website, DNS request is made to pi-hole, pi-hole sends request to internet. Response packet received back is actually from an attacker, that uses a known vulnerability in the handling of the packet to take over the machine.
Attacker can now see what DNS requests are being made, and by returning custom responses, it can MITM any HTTP request you make from your laptop. Let's hope everything is encripted via TLS, and hope that some piece of software that just asked for admin permission didn't just install a new TLS trust root.
Ironically, after disabling it for a minute and then loading through the app, it didn't block the video ads (not rendered into the video).
YMMV of course, but it wasn't usable for me since everyone in the household needs to understand/solve any issues.
In any case, I don't see that a smart TV is going to be any better in this respect.
i have a pihone running on a cheap vps on internet, but i connect to it with a vpn and that's draining my smartphone battery. i want to be able to change only the dns settings and point to my pi-hole. but at that time the recommendation was to not run the dns part on the internet because it could be used for dns replay attacks. i found some iptables rules on the net at time but was not sure are they ok. i did not want the ip address blacklisted because i was running some other services on that server.
https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/
A Wireguard setup would probably be even less resource intensive if you know how to set it up (there’s no official tutorial for Wireguard).
Do not open your pi to the internet, I doubt the iptables rules would be sufficient to protect it.
To run a split wireguard-tunnel to a DNS server, add its IP to the allowed-IPs list: https://www.reddit.com/r/WireGuard/comments/bqccdz/split_tun...
If you're on an Android phone, apps like Blokada (plain old DNS), Nebulo (DoH and DoT), Intra (DoH) can split tunnel traffic to a DNS server of your choice. Note that, Android 9+ supports DoT, out of the box. Look for the Private DNS setting.
> https://www.calyptix.com/top-threats/3-common-dns-attacks-an...
Reasoning: appliances like Chromecast/Apple TV/whatever will often ignore DHCP DNS settings if it doesn’t resolve, and they’ll reach out to 8.8.8.8/8.8.4.4 directly.
I know, you can just disable the blocker and try again, but doing so from my phone is not very convenient...
I host pihole on a home server in a docker container and spend 5 mins a month just updating it. No other administration. Definitely use it to get rid of trackers and ads.
(I should add that I also pay for about dozen publications/newspapers that I read frequently in lieu of not seeing ads)
[0] https://containrrr.github.io/watchtower/
With AdGuard DNS or uBlock Origin I still get into situations where occasionally they break a site completely and I have to temporarily disable the plugin (or switch to cell tower dns) to get the site working, so I’d want a quick way out of pi-holing traffic as well
https://i.imgur.com/K6VgV2G.png
Note this is from pihole 4.3, but I can't image 5 would remove this feature.
It's a feature that's been around for 2 years or more
Thanks for the tip, I don’t have any home assistants but this would be the first integration I’d set up
I also don't like it as AdGuard is a commercial company, and I have zero need for the added features like parental control.
But I don't really care, I run all the dockers that have nothing to do with home assistant outside of hassio anyway.
For me that means Firefox, uBlock Origin and pihole (though I ran dnsmasq myself for a while, I like what they've made of pihole now, it's come a long way!)
oh, good to know! This concerned has stopped me from going out of way to setup pihole
Bookmark the following URL
Replace PWHASH with the value of your WEBPASSWORD in setupVars.conf and '120' with the number of seconds you want to disable the Pi-hole filtering for.I've been using pi-hole for 4 years now and I can remember two situations when I had to disable it - and one of those was cloudflare's fault (PS4 cloud saves don't work with 1.1.1.1 DNS)
Their privacy policy seems legit[0] but why trust them at all when Pi-hole is an option?
[0] https://nextdns.io/privacy
though they do also have some additional security protections for typosquatting, safebrowsing, homoglyphs, threat-intelligence which is also nice. All of which could be done on a pihole though not out of the box when I last used it ~2 years ago.
Pricing wise it’s over 2 years worth of service for the price of an original Pi, a good SD card and a case.
The only circumstances where Pi Hole is unquestionably superior is if you are on a network that redirects all DNS requests there are still some ISPs that do that however if you are on such network you probably want to either get off it ASAP or use a VPN.
I've been thinking about running a Pi-hole at home and redirecting all my phone traffic through it via WireGuard.
I also had to manually provision my Android phone on IKEv2 (ipsec), Algo used to provide a strongswan config but unfortunately they dropped this in favour of wireguard. But you can still set it up manually (and on Samsung devices you don't even need strongswan). Wireguard is faster, yes, but my work blocks pretty much every port they don't know, except IKEv2/ipsec because many contractors use it to connect to their work :)
https://github.com/pi-hole/docker-pi-hole
One should always have a spare Pi around.
I run pi-hole on my qnap nas at home since it’s always on anyhow.
Their install script is at https://install.pi-hole.net
Docs: https://docs.pi-hole.net/main/basic-install/
Edit: Oops I didn't wipe the container. Works now!
The block list database can be accessed here, you can query a domain to see if they're blocked in Indonesia: https://trustpositif.kominfo.go.id/
If you point me at a checkout page for $2/month to not even have to think about plugging a Pi in, I’m going to pull my credit card out in a heartbeat. A single coffee costs me more. Think about your time!
But it's about taking control too. Personally I wouldn't like taking a service even if it were free, over hosting something myself, especially when it's made as easy as Pi-hole does.
Pi-hole is a tool to improve your privacy. Handing all your DNS requests to a 3rd party is the exact opposite. Now you have to deal with their privacy policy, track whether that company got hacked or bought etc.
Installing and maintaining pi-hole takes very little time.
https://www.reddit.com/r/pihole/comments/gathus/pihole_on_ap...
One idea that I want to explore is to create an Alexa Skill to temporarily disable Pi-Hole. This has probably been done already.
Seemed like a great way to handle that problem -- especially for the non-technical people on your network.
It's baffling how much useless telemetry and other crap there is, slowing internet down and wasting cpu cycles.
Not sure what that page holds but you can find out all about Pi-hole here:
https://github.com/pi-hole/pi-hole
Just jumped onto it and kicked off a "pihole -up" and off it goes upgrading beautifully.
pihole is a massively underrated project.
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for pi-hole.net. The certificate is only valid for the following names: *.sucuri.net, sucuri.net
Side note: it was working for me about an hour ago, but not anymore
[0] https://discourse.pi-hole.net/t/does-pi-hole-keep-the-lists-...
This is more impressive than it sounds. My pihole currently uses about 25MB of RAM with over half a million blocked domains and around 20 clients.
So I switched to AdGuard DNS on my devices.
Required to read the text of the announcement. No. Required to make donations via Stripe. Yes.
RSS does not require Javascript. Looks like the full text announcement.
https://pi-hole.net/feed/
Alternatively:
The above is no longer needed to avoid the Sucuri interstitial page.
Good luck guys!
Depending on how pihole is installed, this may not upgrade it. I personally have it installed with docker and uses watchtower for updates, but the risk with this mechanism is that it can break things.
However note that the developers of PiHole do not recommend automated upgrades, or at least be aware of the implications