253 comments

[ 5.4 ms ] story [ 79.9 ms ] thread
Pi-Hole has made my home browsing experience so much better since setting it up. Minimal resource overhead, maximum results - and if you care about stats those are available too but I just turned all logging off.

Now if it could just filter out YouTube ads...

> Now if it could just filter out YouTube ads...

Ive heard that the problem is that the native YT apps come with a big list of IP addresses for the ad servers, instead of doing lookups.

If true, it would be pretty easy to grab those ip addresses from the binary and add them to a firewall.

A firewall is a little more than what I would trust to a raspberry pie, though...

I thought it was streaming the ads right along with the main content making it impossible to block.
> vanced.app
I'd rather recommend this one:

https://newpipe.schabi.org/

At least it is opensource and works great.

it broke down for me after 10min of use. no amount of reinstall or cleaning cache helped.
it has frail feet but it does work more often than not
Interestingly it's been working perfectly for me with no issues for almost 1 year. A bit surprised to learn that it is not stable for a bunch of people.
Well I think it's just a matter of lag between bugfix and updates on my side. Which means from time to time I get a guru error. Other than that it's quite stable.
Maybe coincidentally after the 10 minutes YouTube changed something? Once or twice NewPipe stopped working for me suddenly but an update helped. BTW F-Droid gets updates of NewPipe a bit later than GitHub it seems.
I used NewPipe for a while and it was very nice, enjoyed how well it works. However I started wanting to see videos on my TV (Chromecast), and that's where the abilities of NewPipe fell short.

They have an open issue [0] since a couple years ago, but so far it is not a feature yet.

[0]: https://github.com/TeamNewPipe/NewPipe/issues/668

Ditto. Exact same experience. It is great for what it is.

For me on top of that, my wife and I often join chromecast together, and she has an iPhone. Vanced is pretty much fully compatible with the official YouTube app.

They very recently moved to require an special additional app just for installing their new .apks file (which is a file containing multiple .apk inside), called SAI.

That would be fine by me, if it wasn't because SAI requires Android 5.0, while my Nvidia Tegra -like tablet (Xiaomi MiPad 1) is stuck on Android 4.4 :-(

(no, Lineage and friends is not a good replacement, they all break the camera, and yet worse, suck battery like crazy)

AdGuard DNS works well for YouTube ads IME. https://adguard.com/en/adguard-dns/overview.html
I’m pretty sure that the on-device app blocks youtube ads, not the DNS filtering.

Although I think it is indeed possible to block youtube ads through DNS filtering, it’s just really difficult & only works temporarily before needing to block new domains.

I actually looked into this a bit after posting that comment, since it occurred to me that I don't actually know exactly what's blocking YouTube ads for me. (I'm still not sure, which is why I didn't edit my previous comment after doing that research.)

Empirically, I don't get YouTube ads in the iOS app. I do use Firefox Focus as a content blocker, in addition to AdGuard DNS. I don't use the AdGuard app, and it was my understanding that Firefox Focus only blocked ads in Safari, so I assumed it was AdGuard DNS. The documentation for AdGuard DNS seems to indicate that it shouldn't work for this, but it seems like either that documentation or the documentation for iOS content blockers is missing something. Unless YouTube has just decided not to serve me ads for some reason. (I'm not complaining either way.)

If you're on Android, you can use the YT site instead of the app and Firefox with uBlock Origin will block the ads.
I had something working a while ago for YT ad blocking in chromecast; the underlying problem there is that the chromecast is hard-coded to use Google's DNS servers (8.8.8.8, etc) instead of your networks. So you need to set up your network to intercept DNS requests to 8.8.8.8 and 8.8.4.4 and instead send these to your own ad-blocked DNS server. My network setup no longer lets me do this, and I don't care enough to make it work.

Just pay for YT premium if you don't want ads (to all those people complaining about wanting an option to pay and not be tracked/advertised to/etc - this is a great opporunity to put your money where your mouth is)

Just don’t allow outbound DNS except from your pihole, and the Chromecast will use whatever DNS server you give it.

Also, make sure to block UDP and TCP on port 53, as well as UDP on port 443 (Chrome snitching).

I imagine at some point, Chromecast will start using DNS-over-HTTPS and move the goalposts elsewhere.
Pi-hole is very easy to set up, and it works so well you can basically forget about it from that point on. Blocking ads is nice, but it’s also a huge boon for privacy. I run uBlock origin on all my browsers, but Pi-hole still blocks 30-50% of requests on my network. It’s also really nice to be able to glance at the logs and get an idea of what’s going on on your network, or if there’s any unusual activity.

I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.

>I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.

Is there a good explainer for CNAME inspection? I'm not finding anything good with my Google Fu.

(comment deleted)
Some ad agencies starting asking hosters to add a CNAME record to one of their domains.

Let's say I have your own blog running on dastx.me, and I wanted some ads from adgiant.com.

As an adblocker you've added `* .adgiant.com` to your blacklist and I'm an asshole and try to circumvent such adblocking measure. Them young millennials and their tech. Stealing me out of my money!

So I go to adgiant.com and ask them if there is something i can do. adgiant.com asks me to add a new DNS record of `CNAME definitely-not-an-ad-subdomain.dastx.me -> terribleads.adgiant.com`. This way, whenever I wanna call terrible-ads.adgiant.com, I instead use `definitely-not-an-ad-subdomain.dastx.me`.

When it comes to adblocking this is an issue because adblocking lists are usually based on a blacklist. They'll have `*.adgiant.com` on the list but not `definitely-not-an-ad-subdomain.dastx.me`, thus my ads will start working. We could of course ad every subdomain we come across to the blacklist, but suddenly our adblock list doubles, triples, quadruples or more.

What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.

This CNAME method is also a huge security issue, but I'm not gonna go into that.

> This CNAME method is also a huge security issue, but I'm not gonna go into that.

I will. The CNAME method could potentially allow a malicious actor to harvest user cookies, gain access to their accounts, and utterly destroy them.

This. At my previous job we had to serve content from Salesforce and Marketo from subdomains of our main domain. Rather than use CNAMEs direct to those companies, we proxied the requests so we could strip cookies etc.
How does this work exactly? asking for a friend.. (like the requests from browser to definitely-not-an-ad-subdomain.dastx.me also include cookies set by *.dastx.me content?)
Yep. Cookies frequently pass from parent domain (edoceo.com) to child (ads.edoceo.com)
That's how Microsoft Teams accidentally gave away their customers' credentials to hackers, right?
Yep, that combined with an orphaned DNS record
>What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.

So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?

> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?

Right

> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?

Yeah, uBlock Origin recently added a new permission request just to allow that.

From my understanding, it only works in Firefox and not Chrome though as an FYI.
Correct. Chrome doesn't have such mechanism and if I'm not mistaken, they've already shot down the idea of adding this API.
cdn.goodsite.com -> tracker.badsite.com

cdn used to mean - serve the same static content all over the world and speed things up.

cdn now means - serve up different content to every single person and track them.

take a look at stack overflow and it's cdn.

Just because bad guys use a CDN doesn't mean CDNs are bad
Thanks! I hadn't heard of this method. One question though: What will prevent the ad providers from asking their customers to add an A/AAAA record to one of their IPs? That'll be much harder to combat for an adblocker especially because those IPs will usually be shared with actual content services.

Of course this'll add overhead to the visited website manager because the IPs will probably change regularly as they're pointing to cloud services. But I'm sure they'll manage to automate this.

I bet this will be the next step in this cat & mouse game.

I think it would be only marginally harder to combat, since now you just need a list of IPs to block. Someone would have to maintain the (likely ever changing) list of IPs used, but that's not so different from what's happening now.
> Someone would have to maintain the (likely ever changing) list of IPs used

What if the ad-network is domain-fronting via a CDN? Either ways, can't block IPs since http-domain <-> IP isn't supposed to be a one-to-one mapping, each belong to different layers of the TCP/IP stak.

(comment deleted)
Here's an example from the feature request:

Here is an example (the domains are fake, it’s for demonstration purpose only): The domain adcompany.com 5 is in my blacklist, so it returns the IP of my Pi-Hole if I do a DNS query:

$ host adcompany.com adcompany.com has address 192.168.1.10

But if I do a DNS query of ad.newspaper.com it doesn’t get blocked by Pi-Hole even though it’s simply an alias (CNAME) for adcompany.com:

$ host ad.newspaper.com ad.newspaper.com is an alias for adcompany.com. adcompany.com has address 6.6.6.6

What I would like that Pi-hole do is to check if the domain is a CNAME (in the example ad.newspaper.com) then comparing the domain that is aliased to (in the example adcompany.com) with my blacklist. If it is in my blacklist block the domain (by returning the IP of my Pi-hole).

Source: https://discourse.pi-hole.net/t/apply-pi-hole-blocking-to-cn...

One of a trick a website operator can use to evade hostname-based adblockers is by putting the ad-serving domain as a cname entry in one of their subdomain. Since the ad now served from a subdomain of their website, it won't get blocked unless the dns adblocker did deep inspection on nested cname entries.
If you run Windows, it blocks a lot of stuff that isn't browser related. That's why ublock does not get it down to 0 percent.
Right, I didn’t mean to make it sound like uBO was letting stuff through the cracks (it’s actually far more thorough than dns filtering). But the amount of tracking requests that come from outside of the browser and from other devices is no joke.
I set up a pihole and literally forgot about it. Like I was cleaning out a closet on moving day and found it plugged in. Took a moment to even realise what it was doing there.
I’m reminded almost every day that I have a pi-hole since it is not my dns provider when on my company’s vpn. It’s absolutely night and day on so much of the web. Some sites have so many ads now it’s just shocking to be frank.
Why not use a client based content filter such as uBlock Origin?
Not them, but you can’t do that at every company.
Also maybe they use their phone and many combinations of PhoneType + BrowserType don't support the same quality of adblocking as PiHole.
Mobile Firefox Supports ublock Origin nowadays.

I'd encourage anyone to try that out

On iOS too?
No, but there are plenty of other content filtering solutions on iOS, including Mozilla’s own Firefox Focus that can be installed as a system-level content filter.
NextDNS is pretty good especially on iOS where you can’t install adblockers (unlike on rooted android)
I could (and heck, probably should). But I don't browse websites all that often on the vpn. Just on the occasion that I do, I'm blown away at all the ads :) So just lazy.
Obviously will depend on your company, but some corporate VPN clients will still let you use a local or alternate DNS. Then just add the machines you need to connect to on your work network to your hosts file.
Won't fix your issue but I run a Wireguard VPN on my PiHole that allows me to get onto my local network. The other upside is that once connected you get the PiHole blocking from anywhere....
Finding a years abandoned Linux server on your home network m ight be a good leasson to always treat your home network as if it was compromised.
Honestly curious: how would you exploit it? If the pi isn't exposed to the www by your router, what can you do?
The PiHole interacts with DNS servers. Theoretically - imagine a crafted TXT Record which is somehow improperly handled by dnsmasq.

Essentially - it's reading user-defined data - which is probably enough to be really bad, incase of a malicious exploit in the wild.

Typically a pi-hole is used as a DNS resolver. In order to work it must connect to the internet.

Scenario for attack: Laptop looks up a website, DNS request is made to pi-hole, pi-hole sends request to internet. Response packet received back is actually from an attacker, that uses a known vulnerability in the handling of the packet to take over the machine.

Attacker can now see what DNS requests are being made, and by returning custom responses, it can MITM any HTTP request you make from your laptop. Let's hope everything is encripted via TLS, and hope that some piece of software that just asked for admin permission didn't just install a new TLS trust root.

That is definitely a bad situation. Thanks for the reply. Unnerving to think there'd be even a possibility of getting root just from processing a DNS response!
It was really easy to set-up, but on first day it actually broke an Android TV-app on default settings (meaning it blocked some call that stopped the app from loading through).

Ironically, after disabling it for a minute and then loading through the app, it didn't block the video ads (not rendered into the video).

YMMV of course, but it wasn't usable for me since everyone in the household needs to understand/solve any issues.

Which to me is a good thing - smart TV's are garbage. Dumb TV + AppleTV will do just fine.
My TV is not on the internet. I have an Nvidia Shield, Android TV is the name of the OS.
I guess, but Dumb TV + Roku can be quite terrible from a privacy perspective.
Logging messages sent by Roku comprise the 2nd largest blocked domain on my pihole. But - they are blocked.

In any case, I don't see that a smart TV is going to be any better in this respect.

does anybody know how to properly secure the the DNS server from replay attacks with iptables.

i have a pihone running on a cheap vps on internet, but i connect to it with a vpn and that's draining my smartphone battery. i want to be able to change only the dns settings and point to my pi-hole. but at that time the recommendation was to not run the dns part on the internet because it could be used for dns replay attacks. i found some iptables rules on the net at time but was not sure are they ok. i did not want the ip address blacklisted because i was running some other services on that server.

The official documentation includes a tutorial on how to use pi-hole with OpenVPN. This section describes how to use the VPN for only DNS requests:

https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/

A Wireguard setup would probably be even less resource intensive if you know how to set it up (there’s no official tutorial for Wireguard).

Do not open your pi to the internet, I doubt the iptables rules would be sufficient to protect it.

> ...there’s no official tutorial for Wireguard

To run a split wireguard-tunnel to a DNS server, add its IP to the allowed-IPs list: https://www.reddit.com/r/WireGuard/comments/bqccdz/split_tun...

If you're on an Android phone, apps like Blokada (plain old DNS), Nebulo (DoH and DoT), Intra (DoH) can split tunnel traffic to a DNS server of your choice. Note that, Android 9+ supports DoT, out of the box. Look for the Private DNS setting.

I have migrated wireguard since several months ago and the battery life improvements is tremendous compared to openvpn. Previously I can't enable vpn 24/7 as my phone's battery will be drained before the end of the day, but now with wireguard I can enable it all day without draining the battery too much.
I host pihole on Digital Ocean. Updated DNS on all my home clients. Smooth and adfree
I do it on a PoE powered raspberry pi. Minimal effort, zero maintenance, no fees other than the initial purchase.
Do you use a PoE switch for this?
Either a switch or an injector.
I use a ubiquiti switch. I've decided to build my network with PoE in mind and one central location to power it all, backed up by a UPS.
I do this too. After throwing around a bunch of other ideas, I realized that a Pi is cheap enough and the one-shot cost is nice. If it dies, I just update the MAC address for its DHCP reservation to the new pi, spend 10 minutes setting up a new instance, and that's that. It just ends up working.
The dream is to network boot the thing, so you literally plug a new pi in to network+power and it automatically boots and starts running stuff:) (Well, a Pi also needs a 1-time step to enable network boot, but still)
Can't you just move the microSD card over so all the configuration is in place and you just need to power it?
That should work as long as SD card is okay. Unfortunately, it's my understanding that SD cards remain the most likely thing to fail in the entire system, hence my interest in not using them.
Is there a way to protect it, or is there no security concern with this? I run a pi zero, but I've been using nextdns recently to compare.
Protect it how exactly? You can create firewall rules on DigitalOcean and limit the IP addresses from which the DNS server is accessible.
that works only if you have a static ip home (which you usually don't have) or on your smartphone (which you don't have)

> https://www.calyptix.com/top-threats/3-common-dns-attacks-an...

I have a ‘dynamic’ IP address at home that hasn’t changed for a few years. I have a slew of firewall rules based on it that are reliable in practice.
If you're that concerned about it, Wireguard is easy enough to set up on all those endpoints.
Per client blocking is clearly the biggest change. I am excited about this.
What is the use case of per client blocking?
Blocking Facebook stuff on every device except my wife’s phone.
Why not just tell your DHCP server to give her the regular DNS servers? Is this situation where she wants ad blocking but still wants to use FB?
Yeah, ad blocking in general is what makes the web tolerable.
Not OP, but in my case, most of my VLANs can’t perform DNS requests to WAN. Only the pi.hole server is able to do that (and other devices in the DMZ).

Reasoning: appliances like Chromecast/Apple TV/whatever will often ignore DHCP DNS settings if it doesn’t resolve, and they’ll reach out to 8.8.8.8/8.8.4.4 directly.

I have several users and multiple devices in our household. FB is not allowed anywhere near my PC, but wife has to currently switch between piholed and not piholed wifi. It just allows for a much better control. Heavens know not everyone is like me.
Families and shared accommodations.
Server is down, right? Not for this case (which I assume is caused by the HN effect) but one downside of this kind of blockers (I also use uBlock in the browser) is that when something doesn't work well in a website, I'm never confident that it's because the site is broken and not because my blockers are breaking it :-)

I know, you can just disable the blocker and try again, but doing so from my phone is not very convenient...

When i uninstalled it broke my linux dns, keeps getting changed to localhost automatically. And om not expert enough on linux to fix it.
Woohoo been waiting for this for months.

I host pihole on a home server in a docker container and spend 5 mins a month just updating it. No other administration. Definitely use it to get rid of trackers and ads.

(I should add that I also pay for about dozen publications/newspapers that I read frequently in lieu of not seeing ads)

Is there a way to quickly disable/re-enable pihole for the network?

With AdGuard DNS or uBlock Origin I still get into situations where occasionally they break a site completely and I have to temporarily disable the plugin (or switch to cell tower dns) to get the site working, so I’d want a quick way out of pi-holing traffic as well

You can navigate to the admin console (easily done on any machine on your network) and disable it for a certain amount of time very easily

https://i.imgur.com/K6VgV2G.png

Note this is from pihole 4.3, but I can't image 5 would remove this feature.

The Web UI has a Disable button, and also quick options for permanent, 10 seconds, 30 seconds, 5 minutes, custom, etc. I think there's also an API as well. I can toggle it via Alexa and Home-Assistant.

It's a feature that's been around for 2 years or more

“Alexa, shut pihole”

Thanks for the tip, I don’t have any home assistants but this would be the first integration I’d set up

I just noticed that the home assistant addon has been deprecated: https://github.com/hassio-addons/addon-pi-hole. I hope that it comes back eventually.
They recommend the AdGuard Home one now... That's why they have replaced it.

I also don't like it as AdGuard is a commercial company, and I have zero need for the added features like parental control.

But I don't really care, I run all the dockers that have nothing to do with home assistant outside of hassio anyway.

To be fair, AdGuard Home is an open source project under GPL, so there's that.
I know. But still I would prefer something a non-profit or volunteer-driven project over one from a for-profit company. Especially in the adblocking business where investor concerns are very likely not going to be aligned with consumer interests. It's not about it being free, I support several free open source projects with donations. I just don't like the clashing interests.

For me that means Firefox, uBlock Origin and pihole (though I ran dnsmasq myself for a while, I like what they've made of pihole now, it's come a long way!)

there is a chrome extension that quickly let's you disable pihole blocking with 1-click. default is 10 minutes. But you can set a custom time in the toolbar popup.
>there is a chrome extension

oh, good to know! This concerned has stopped me from going out of way to setup pihole

> Is there a way to quickly disable/re-enable pihole for the network?

Bookmark the following URL

  http://pi.hole/admin/api.php?disable=120&auth=PWHASH
Replace PWHASH with the value of your WEBPASSWORD in setupVars.conf

  cat /etc/pihole/setupVars.conf | grep 'WEBPASSWORD=' | cut -c13-
and '120' with the number of seconds you want to disable the Pi-hole filtering for.
Thank you, I’ve been needing to do this frequently.
What kind of sites, if you don't mind sharing?

I've been using pi-hole for 4 years now and I can remember two situations when I had to disable it - and one of those was cloudflare's fault (PS4 cloud saves don't work with 1.1.1.1 DNS)

I needed to do this recently for eflorist.co.uk. I was unable to complete checkout without disabling pihole.
If you download minecraft mods they are often hosted behind some forced ad-showing website (ad-fly or something). That can be a problem with pi-hole.
Working from home - running reports on google analytics and other marketing tools :)
Do you know if its possible to disable pihole only for the client requesting this, or a specific ip?
Alternatively for MAX_lazyness and convenience I've been using https://nextdns.io, does all the same stuff and is the alternative to cloudflare in Firefox for DNS-over-Https (DOH)
Is there an advantage in sending all of your DNS queries to a for-profit company vs. setting up your own Pi-hole?

Their privacy policy seems legit[0] but why trust them at all when Pi-hole is an option?

[0] https://nextdns.io/privacy

max laziness and convenience ;)
^^ this

though they do also have some additional security protections for typosquatting, safebrowsing, homoglyphs, threat-intelligence which is also nice. All of which could be done on a pihole though not out of the box when I last used it ~2 years ago.

Also, unless you go through the trouble of setting up unbound, your requests would need to go to an upstream server anyway, so might as well send them to one with the best privacy policy.
No additional hardware required, you can use it to provide some protection to your family without having to worry about remote access to the Pi-Hole to configure things, works for your devices on the go, cheaper than running pi-hole in the cloud yourself unless.

Pricing wise it’s over 2 years worth of service for the price of an original Pi, a good SD card and a case.

The only circumstances where Pi Hole is unquestionably superior is if you are on a network that redirects all DNS requests there are still some ISPs that do that however if you are on such network you probably want to either get off it ASAP or use a VPN.

Interesting, thanks!

I've been thinking about running a Pi-hole at home and redirecting all my phone traffic through it via WireGuard.

I do exactly that, though I run my VPN in the cloud (a scaleway instance which is only 3 euro per month). Using algo for the vpn: https://github.com/trailofbits/algo . I can highly recommend it! Though I had some issues with play store updates being blocked but that's resolved now. Unfortunately google play services are essentially one big spyware collection so it makes sense for it to block them.

I also had to manually provision my Android phone on IKEv2 (ipsec), Algo used to provide a strongswan config but unfortunately they dropped this in favour of wireguard. But you can still set it up manually (and on Samsung devices you don't even need strongswan). Wireguard is faster, yes, but my work blocks pretty much every port they don't know, except IKEv2/ipsec because many contractors use it to connect to their work :)

FWIW, pihole is not tied to any particular hardware. For example:

https://github.com/pi-hole/docker-pi-hole

And in addition you can do other stuff on the pi/device.

One should always have a spare Pi around.

I know I mentioned you can run it in the cloud/hosted, however for most home installations unless you have a dedicated VM server that is always on it does requires additional hardware.

I run pi-hole on my qnap nas at home since it’s always on anyhow.

(comment deleted)
Yeah that docker is great! Though it lags behind a bit, it's still on 4.2.2.
v5.0 image was released minutes after the main v5.0 release. I've personally not tried :latest, but I am told that works. I prefer to use named tags
I don't think it's live on latest. I just did a fresh pull again (I did it a couple hours ago too) but I don't see the new bar graphs nor the local DNS option.

Edit: Oops I didn't wipe the container. Works now!

I use a smart DNS to unblock streaming web sites that are geo-locked.
Too bad in my country all ISPs are required by the government to intercept (or block) all dns requests except their own dns server to block any domain listed in the national domain blocklist database. DNS on port other than 53 is still working though, so I have set up my pihole to use an upstream dns server that accept connection on a higher port and a cloudflare DoH server as a fallback (not sure why but DoH is really slow here).
Out of curiosity, which country is that (if you're comfortable sharing)? That's a surprising policy I'd not heard of before.
Indonesia. The blocklist mostly contains porn sites, but the government often use it to force foreign companies to comply with their requests (e.g. putting whatsapp on the block list until they comply with the new censorship rule, etc), and also used to censor any websites that offend the government (mostly communist and anti-islamist sites). Even websites that remotely contains nsfw contents end up getting blocked. Reddit and Vimeo is still blocked, tumblr was blocked (until they banned nsfw content recently), and most surprisingly, readthedocs.org was blocked for quite a while before (I'm not even sure why it was blocked in the first place).

The block list database can be accessed here, you can query a domain to see if they're blocked in Indonesia: https://trustpositif.kominfo.go.id/

They could've at least intercepted the requests and applied their blacklist while leaving unblacklisted requests pass through as-is (so you can still use a custom server for the non-banned domains). Not saying I'm in favour of these shenanigans at all but at least if you are forced to do it then better do it with the minimum level of interference possible.
Then you can have your client lookup blacklistedsite.com.yourdomain.com and have yourdomain.com return the record of blacklistedsite.com to bypass filtering.
Just like you could register your own domain and return the record of a blacklisted website?
Of course, but presumably the censoring dns server would never return a censored ip, regardless of domain. Whereas if you were to passthrough all non-blacklisted queries you wouldn't be able to block that, which is why no censor would ever implement it that way.
Which is why you'd end up implementing tunneling for your DNS requests like cloudflared provides.
Presumably you can just VPN through to a VPS with pihole on it?
It’s a great service but only the first 300k queries are free, then you are no longer offered any of the benefits unless you pay $1.99 per month
Is that not a trivial amount for hands off DNS recursion services? Consider the cost to purchase a Raspberry Pi, set it up, electricity, wear and tear on flash storage, etc

If you point me at a checkout page for $2/month to not even have to think about plugging a Pi in, I’m going to pull my credit card out in a heartbeat. A single coffee costs me more. Think about your time!

Price-wise it'll probably be a no-brainer. Even though a pi can come as cheap as 2 or 3 coffees. A zero is sufficient for pi-hole.

But it's about taking control too. Personally I wouldn't like taking a service even if it were free, over hosting something myself, especially when it's made as easy as Pi-hole does.

> Think about your time!

Pi-hole is a tool to improve your privacy. Handing all your DNS requests to a 3rd party is the exact opposite. Now you have to deal with their privacy policy, track whether that company got hacked or bought etc.

Installing and maintaining pi-hole takes very little time.

Where do you think pi-hole sends your DNS queries?
Nextdns pings are bad for me in south India. Like 8x slower than Cloudflare and 10x slower than Google. So sticking with PiHole at home setup for now and Windscribe VPN outside home.
I have never used this but how does it block ads on https pages? Or am I misunderstanding pi-hole?
Browsing sites served over HTTPS still requires querying a DNS server to figure out what IP address to connect to. Pi-hole acts as a DNS server and returns invalid results when asked for the IP of a blocked site. Ads are served from a separate domain from content, so they can be blocked without affecting the content.
Oh great point. Thanks for the explanation.
Pi-hole on Apple Watch - just ran up a quick proof of concept. Would there be any use/interest in this?

https://www.reddit.com/r/pihole/comments/gathus/pihole_on_ap...

That’s pretty neat! Do you plan on open sourcing it? I’m hesitant to trust an application with my pi-hole api token (and with it, all of my browsing/network data).
It's not my project. I am using it from within Test Flight. It is great for non-technical people who just need to temporarily disable Pi-Hole in order to get some sort of functionality to work that wouldn't otherwise.

One idea that I want to explore is to create an Alexa Skill to temporarily disable Pi-Hole. This has probably been done already.

I don't have a link handy but someone mentioned in an HN comment a few days ago that they created a "shortcut" on iOS that simply hits the Pi-hole URL to temporarily disable blocking.

Seemed like a great way to handle that problem -- especially for the non-technical people on your network.

My pihole blocks about 20% of queries. I have noticed literally 0 changes in my internet or computer using experience since installing it.

It's baffling how much useless telemetry and other crap there is, slowing internet down and wasting cpu cycles.

There's one thing i noticed: When I click on a twitter link, the first request goes via twitter analytics and gets blocked. I have to click it again, the second time it doesn't go to twitter analytics and the request goes through.
haha, just got around to setting up my pi-hole again this weekend... I was wondering why it didn't install 5.0

Just jumped onto it and kicked off a "pihole -up" and off it goes upgrading beautifully.

pihole is a massively underrated project.

Is the cert on pi-hole.net broken for anyone else? It's returning a cert for CN = *.sucuri.net
I get SSL_ERROR_BAD_CERT_DOMAIN -

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for pi-hole.net. The certificate is only valid for the following names: *.sucuri.net, sucuri.net

(comment deleted)
> Much more efficient memory use.

This is more impressive than it sounds. My pihole currently uses about 25MB of RAM with over half a million blocked domains and around 20 clients.

I'm curious what lists you're using that gets you to 500k blocked domains?
That's nothing... I have 2 million.
They decided to go with a whitelist approach.
I set up pihole on docker on Windows and it worked great until I rebooted and then the pihoke server (both ports 53 and 80) was unreachable from outside docker even though docker claimed to be forwarding the ports.

So I switched to AdGuard DNS on my devices.

"Javascript is required. Please enable javascript before you are allowed to see this page."

Required to read the text of the announcement. No. Required to make donations via Stripe. Yes.

RSS does not require Javascript. Looks like the full text announcement.

https://pi-hole.net/feed/

Alternatively:

   echo 159.203.180.3 pi-hole.net >> /etc/hosts
Looks like they fixed the issue.

The above is no longer needed to avoid the Sucuri interstitial page.

Just did a `pihole -up` from 4.x and it went off without a hitch. Love the UX of the entire Pihole stack!
PSA: A RPi running Pi-hole is not a fire-and-forget item. The networked software on it, including pi-hole, sometimes has security holes discovered and exploited, and has to be kept up to date. See eg https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi... & https://www.reddit.com/r/pihole/comments/73tvdq/cve201714491... & https://www.cvedetails.com/vulnerability-list.php?vendor_id=... (afaik Pi-hole is built on dnsmasq)
Setting up automatic updates is probably a good idea.
Can you recommend a good way to make sure the Pi and Pi-hole are always up to date? I imagine a simple cron with pihole -up is not sufficient?
The default way would be to install the package unattendedupgrade which will install security updates on your system every day.

Depending on how pihole is installed, this may not upgrade it. I personally have it installed with docker and uses watchtower for updates, but the risk with this mechanism is that it can break things.

I've set a cron job on the raspberry pi at my parents' house. It's a debian based system with only PiHole running so I just pihole -up and apt update && upgrade every month or so.
I run this on a cron to auto update PiHole:

    #!/bin/sh

    LOG_FILE=/var/log/update_pihole.log

    echo "Starting upate" >> $LOG_FILE
    date >> $LOG_FILE
    pihole -up >> $LOG_FILE
    pihole -g >> $LOG_FILE

    exit 0
I don’t see the issue with this? Anyone who’s able to install Pihole in the first place will be more than capable of keeping the system up to date. I’d generally trust the underlying software and the maintainers to address security issues in a timely manner, security vulnerabilities on home routers on the other hand...
Installing PiHole is copy pasting a shell script. Raspi is introducing a lot of new users to the linux community.