Won't be long now until IoT and other crap-ware devices catch on to this trend and start hard-coding DNS servers in code, or worse, using DNS encryption to avoid this sort of routine blocking by end-users. I wonder how people are thinking about solving this problem.
One of many reasons why I don’t even bother with IoT devices. Don’t need all this crap to be connected to wifi. There was nothing wrong with it before.
Not that I’m terribly experienced with it, but a lot of home automation can be done without “IoT” — specifically without the crapware Trojan controllers that come with consumer solutions from Best Buy. ISY994 for example. Easy solutions for remote access via apps (vpn to home) and notifications as well. It’s not as easy to set up as a plug and play controller from Google, but it’s far more private.
This is already happening. The likes of Google Home et al already hardcode their own servers. I noticed that no DNS requests were being made through my Pi Hole, so when I looked, it turned out their DNS servers were hardcoded.
However, I'm more worried about when they start hardcoding DoH servers.
Been using this solution myself for a number of years. Works remarkably well. I do not even use DNS recursion or any remote DNS requests because I can load bulk DNS data into the proxy's memory. There is only ever one nonrecursive request to a localhost authoritative DNS server and the answer is always the same: the address of the proxy. Ironically perhaps, DoH outside the browser can be used to gather the bulk DNS data, thanks to HTTP/1.1 pipelining.
Many years ago I anticipated that "developers" would no longer allow end users to choose DNS servers. The developers' work, i.e., software, was dropping in market value and they began to adopt a Trojan Horse "business model". End users could use the software for free with the expectation that few would notice/complain about increased surveillance and data collection, or injected advertising.
The so-called "MITM proxy" is neither a new nor radical idea. Corporations routinely "MITM" TLS traffic from their networks. Enterprise hardware/software companies have provided turnkey solutions.
The issue is not limited to addresses for DNS servers. For example, WhatsApp hardcodes IP addresses in their mobile app. For that problem I use an application firewall.
The PiHole is essentially a slightly modified version of dnsmasq running on a RPi. It is funny that no one has tried using other DNS software. Given a choice of DNS software, I would not choose dnsmasq. It also still seems that no one has presented a "PiHole" that uses a forward proxy instead of a DHCP/DNS server. Similar to corporations, home users need a turnkey solution for monitoring their home networks.
I have an early one someone gave me and there was a custom ROM that one could flash that let one choose their own DNS servers.[FN1] I actually bought a Teensy 2.0 in order to install the custom ROM, but I never got around to doing it. So now I have an old Chromecast and a Teensy 2.0 I am looking to make use of.
TBH, I always found the Chromecast proposition to be unreasonable: "Look at this neat form factor single board computer you just paid for. Too bad only Google is allowed to have control over it. Sorry, you cannot use this for your own projects because [unspecified]. Google must be allowed to conduct surveilllance and gather data." By comparison, lack of complete control over the RPi GPU is rather easy to ignore. AFAIK, the RPi Foundation is not selling online ad services. Compare the number of cool projects people have done with the RPi versus the Chromecast.
1. I think it used to be possible to force use of different DNS servers via DHCP as well.
In the case of just using a PiHole, a hard-coded server would easily get around it.
But if the network outright blocks random DNS requests, that only leaves DoH, which would require fixed IPs, which should be able to be detected and blocked, right?
Unless I understand incorrectly, this doesn't seem to make the problem any worse. You'd just have to block the proxy rather than the DNS server. Like DoH, only a problem if that's also the web server.
In order for this to be true the device manufacturer would have to send both DNS and web requests through the proxy. They'd also have to "obliviously" encrypt web traffic as well. Otherwise, a MITM could determine which are DoH requests or determine which server is the proxy server and which are web requests.
This means that the DNS response for the web server would always be the proxy itself, or some set of proxies (and it would have to be the same IP for both wanted and unwanted traffic). What does DNS even add at that point? You'd be better off just making your "wanted" and "unwanted" servers the same server.
I believe there was a proposal for something like this a while back, before the DoH we see now. IIRC, the idea was that DNS information could be contained inside the web page, maybe enclosed in a tag. Addresses for ad servers perhaps.
Few of these ideas can be expected to work unless Evil, LLC controls the program the end user chooses to read the web. When an advertsing services company is also the majority share "web browser" vendor, then ideas like this become feasible. Whereas if web users can choose any client to access the web,[FN1] then these ideas would be non-starters. The open source text-only browser I am using is not going to read the IP address of an ad server embedded in a web page and connect to it automatically. Even if it did, I would simply edit the source code to disable that behaviour and re-compile.
1. In theory they can but in practice they generally don't.
I guess if the relationship we have with our devices is full-on adversarial and yet still need them, they should be put on a dedicated subnet with a default deny rule in place.
I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
Even a dedicated subnet won't be enough, because these devices could be made to connect to any open wifi until they can phone home or even use the cell network, without the user even knowing about it.
> I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
Yeah. Assuming this doesn't change, this is the end result for me, at least.
Perhaps, but blocking 53 is better than not, IMHO. I've seen devices fall back once blocked to a hard-coded dns, so it works today. DoH is another that devices will eventually employ, so that's another whack-a-mole situation.
That's what I do with my printer. I love the company (Brother) and they make IMO the best printers and MFPs but I am quite paranoid already and I just block any WAN traffic. The printer is (and should be) really only used from the LAN anyway.
If they're really evil, they'd proxy all traffic through a single host (eg. d2v3i0u0qtn52v.cloudfront.net), so you have to choose between no IOT features, or getting subjected to all the ads/telemetry.
>so you have to choose between no IOT features
I'll bring out the fainting couch. These devices are enough of a poison pill that you're better off without them. You can problem block them with Pihole, but you're one update away from either circumventing the Pihole, or breaking your IoT device because something got changed on the manufacturer's end.
Can you not just block the specific addresses? Sure, you'll probably have to do some log digging to find out which ones, but I'm guessing someone else on the internet has already done it.
Sure, then the devices throw up an error and refuse to function. I noticed that most smart TV streaming apps refused to run if they failed to connect to their ad servers.
> I wonder how people are thinking about solving this problem.
Not sure what potential issues are are being mentioned here, but I'd say a separate VLAN for IoT devices + QoS [0] should rule out most of the concerns.
Essentially it's just DNS filtering on steriods. You start with an empty (or preseeded) ipset, and a firewall rule that says to reject/drop all outbound traffic if the destination isn't in the ipset. Dnsmasq is setup as the default dns provider in DHCP, and it's setup to add all resolved IPs to the ipset (with an expiration so stale entries get removed).
Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT, etc don't work as their hardcoded IPs are blocked by default, and DNS filtering knocks out domain resolution of the endpoints. Even if an alternate resolver is allowed through the firewall, none of it's responses get into the ipset, so it's still broken (and is a sign I need to update the DNS filter).
I really like the concept of this approach, I'd say it's worth writing a blog post / article describing the process and details so others can duplicate it.
I would love if there was an open 4K HDR TV but I think only a very niche audience actually cares about this so most manufacturers will not see a market opportunity
I see your point. Real question: In today's world, what is the difference between a TV and a computer monitor + RasPi? I guess the biggest issue will be streaming on services with very strict operating system / browser requirements.
For example, can you stream Netflix @ 4K via RasPi? I assume no, due to super strict DRM.
It is a little bit surprising to me that the big streaming companies have not creating an open source operating system (similar to Android) that can be used by manuf to create TVs. Then, smaller manuf can find ways to offer bloatware- / adware-free options. Maybe this already exists, and this comment makes no sense!
Size, OLED, HDR, and eARC are three things I can't find in a monitor. I don't know of any 55" OLED monitors that support Dolby Vision and can output their audio to my home audio system over eARC. OLED and Dolby Vision are important to me because HDR makes such a huge difference in properly mastered content. eARC is important because my audio system is able to take advantage of Dolby Atmos metadata and I don't want to lose that. I could just pass my HDMI inputs through my receiver, but my receiver doesn't support passing through 4k 120Hz which I appreciate using with my Xbox.
HDR and OLED are available in some monitor models, but to my knowledge there aren't any 55" monitors with HDR and OLED, and especially eARC.
As someone who recently invested in their first AV receiver, surround sound setup, then navigating hacked drivers to get Dolby Atmos, DTS etc working properly on Windows, finding I can't use my Hue strips in Netflix etc because of DRM, realising Plex cannot serve HDR content, having to edit EDID data so my PC would allow 4k/120fps + VRR with my fiber optic cables... I realise that we're living in an unnecessarily complex DRM hell.
Search for "signage displays", some have TV functionality built in and some have no, or more tweakable, smart functions. Cost is a lot higher than consumer sets as is quality: they're built to guarantee 18/24 or even 24/24 operation and are the same screens one sees around at malls, streets, stations, airports, etc that would be simply too costly if they broke as often as consumer devices do.
I couple PiHole with a pfsense router. In pfsense all DNS queries are blocked except to my pihole. This thwarts an IoT device or streaming devices, etc., from bypassing pihole. Then I block known DoH servers on both pfsense and pihole---which is not perfect, since it's really a game of whack-a-mole, but better than not.
On the upside, the endpoints are nicely documented by both MS and independent researchers. Also, Windows enforces packet filtering rules on it's own phoning home so a well configured firewall like SimpleWall will be relatively secure from a spying perspective.
Already happening, Google products like the Chromecast serve up plenty of obnoxious ads these days, and hardcode Google DNS. Even blocking Google DNS still allows ads to get through.
This is a big reason why I will never buy another Chromecast branded product, or Google product, again. Congratulations on successfully monetizing my time and annoying me into swearing off Google products altogether.
> Smart devices manufacturers often “hard-code” in a public DNS server, like Google’s 8.8.8.8, and their devices ignore whatever DNS server is assigned by your router - such as your PiHole.
> Nearly 70% of smart TVs and 46% of game consoles were found to contain hardcoded DNS settings - allowing them to simply ignore your local network’s DNS server entirely. On average, Smart TVs generate an average of 60 megabytes of outgoing Internet traffic per day, all the while bypassing tools like PiHole.
Can confirm, pihole is great. I put in two for redundancy, helps make sure nothing gets through. No negative impact on network perf, as it only touches DNS and plenty fast for that.
Yes, exactly. DNS settings on router makes that easy, just give each pihole a static address and point DNS to them. The address are listed in priority.
Yeah. You have a live logging tab and can either put the URL into a whitelist rule by clicking on the plus icon or manually input it into a whitelist setting.
I recommend opnsense [0] over pfsense. I ran pfsense for 5 years and it is great, but there was some bad blood [1] between the two projects and the community.
I am aware of opensense, and while e.g. the GUI looks cleaner and seems to have more plugins, when I started checking it more in depth I think that pfsense has more thorough documentation and things like traffic shaping which i plan to implement seems to be way easier on pfsense
also have you done migration between the two? if so, how hard was it?
> have you done migration between the two? if so, how hard was it?
I tried the auto-migration in OPNsense (backup from PFsense, restore to OPNsense) a couple times. Both times it got it mostly right, but whatever it got wrong blocked pretty much all traffic and was difficult to figure out why because everything looked right. I gave up and stayed with PFsense, but figured if I ever really did want to switch I would start from scratch.
Specifically relating to pihole (as of previous versions) it wasn’t the cleanest install uninstall experience and left a bunch of crap behind on my system.
I now run it in a docker container because of this, but I can’t speak to OPs motivations
I run everything in a Docker container because I have 50+ services running, and I don't want to spend any time on their inner workings. I truly couldn't care less. I only manage the access layers (configuration parameters, volumes, ports and reverse proxy). Using Docker every application is the same from a management perspective.
Not specific to PiHole, but perhaps keeping the OPs infrastructure management consistent may have monitoring and maintenance benefits.
And specifically mentioned in the very next sentence:
> The Pi Hole project already has a nice Docker project utilizing compose.
It is a supported configuration for PiHole so it fits in nicely, no need to even product their own docker based solution.
Not much of a docker user myself (I've tinkered, and we use it for some things in DayJob, but for my own stuff I use VMs or occasionally LCX if I do want a container instead), but the answer to your questions was really quite obvious.
Any special setup amongst your network takes excess work to maintain. In the case of Pihole, I gave up on maintaining it because I was running it on a Raspberry Pi, and found that it was annoyingly hard to keep a Pi running stable for a long period of time.
Had I a convenient way to set it up in a Docker container, it would've been better. Of course, since I don't run anything in Docker at home, that would also constitute a special setup I have to maintain.
Yeah, docker simplifies deployment and maintenance/rebuild time. I've stuck to fairly clean/default setups on any computer I use to keep rebuild time down or at least try to use the built in/simple tools of whatever OS I'm using and Docker is the perfect version of that for small services. I say all this of course while running pihole on a pi4 that also serves DHCP so I don't have to mess with it much...
I used to run pihole on various Linux distros I was testing for home server stuff. It used to be that some distros needed a few packages added to support pihole properly but nowadays the app itself is more streamlined and/or most common distros include the minimum components. I think pihole did focus on streamlining to enable easier docker support which is where I should be putting my install whenever I get back to messing with the homelab. I've been working in windows systems for work so everything is currently Win Server based which plex doesn't seem happy with but is easier than running the whole thing as VMs on my older hardware.
Yeah, I'm more comfortable in the Windows space personally. My Sandstorm server is Linux but I don't really want to try running something else side by side with it. It looks like a Linux container on a Windows Server is technically possible, but it looks nontrivial enough that I am not sure I want to do it on my domain controller. :D
That you can manage & think of this machine (program/process/container/vm) the same was as every other machine & dont have to ever ever ever ask "what should i do in this case?" or "what's right for this case?" because it's a unified answer that works well & operates the same everywhere.
Uniformity & no special cases. Death to pitiful old ways.
My experience is that as long as a rule has only one exception, people are pretty good at keeping on top of them. But that always leaves you the question of whether you want to burn that exception on the current project or save it for something better. Which then makes you very nervous when your coworkers start getting clever ideas and trying to volunteer (over-engineered) things as the exception. In the same way the best leaders often didn't want the job, the best exceptions are the ones you accept grudgingly, not enthusiastically.
Much more recently I realized that this phenomenon of One Rule, One Exception falls under the umbrella of - or perhaps explains the effectiveness of - the Rule of Three. Two exceptions are bad, and work is partially pre-empted to correct that problem.
The real advantage is another layer of complexity, so you can write a blog post about running PiHole on a home network, which done by a billion other people (conservative estimate).
It's much simpler. A lot less arcane knowledge is needed to get something running, and even less to clean it up completely if you need to delete it or start over for whatever reason.
I know some folks are anti Ubiquiti Unifi on here, but you can run pihole (along with a bunch of other stuff) right on a UDM/UDM-Pro. IMO it makes the most sense to run this on the router, and you can run it in a docker container. If you're looking for a fun hour or two project, check out:
I run a PiHole and a Tailscale exit node on my Unifi routers (previous generation). The Tailscale exit node lets me do both site-to-site VPNs and site-specific egress. The one thing keeping me from site network nirvana is that I haven't quite figured out how to set up a wifi network on the Ubiquiti device that routes all traffic through a given other exit node, however. Someday!
No expected impact. If for some insane reason a game is also calling as servers your performance will be improved.
Consider the case of a web page. The content you want (the news article) consists of say 100 get requests totaling 1mb. The content you don’t want (ads) consists of 120 get requests totaling 1.2mb.
When pihole is in use the content you want does not have to contend with adversarial content. You have half as many requests, there’s 50% less data in the pipe, you get what you wanted faster.
Gaming is not impacted because your games don’t call advertising servers. If they did (for some insane reason) the real game requests get served immediately not having to wait in line behind the ad content.
I caught a bug related to this in Project Zomboid in an early multiplayer version.
Often when someone joined a server there would be a tiny bit of lag for all of the users.
I figured out the server was using a java method that indirectly was doing a blocking DNS lookup.
I think it was reverse DNS but I forget which method it actually was, and if it was blocking the main thread or just the networking thread.
(PiHole still wouldn't have created an additional cost though.)
Any recommendation on hardware piholes? I have a UDM Pro but honestly i don't know how much i trust modifying it at all - i've found Ubiquiti software to be iffy... so i'm a bit hesitant to modify anything.
You can run Pihole on any crappy raspberry pi you have around.
I ran mine on a Raspi Model B. You know, the one with the RCA plug and SD card slots. From 2012. At some point the SD was so messed up I couldn't ssh into it any more, but it still worked.
Now Pihole is running on my Thinkcenter minipc as a Socker image along with a good dozen others. I don't have to worry about SD corruption or sudden shutdowns any more.
I run two Pi4s with the filesystem on a usb drive, which is probably a bit overkill but I keep some monitoring on them too. In Unifi Routing, give the piholes a fixed ip and swap your dhcp server to have manual DNS entries - you might need to do this in the classic settings view.
I run 2 raspberry pi zeros connected (and powered) to my router as usb network devices both running pihole. I've been running this for years and have had zero issues.
You will not have any extra latency once the DNS resolution is done.
The resolution has to be done a way or another, by default this is your ISP and they usually suck. I had hand-picked DNSes before (there is a utility that tests plenty of them from your connection) and after adding a pihole on a simple RPi it was even faster.
I run it on my NAS computer in a ubuntu server vm. It was 20 minutes to set that up and another 5 to install and point my router's DNS to it. Maintenance is a monthly login, and a biannual update after puttying into the box.
If you want a one-purpose device for it, then you would be looking into buying a SOC computer like a Raspberry PI 3 (should be cheaper than the 4) and about an hour to set it up.
One little thing I have done is set my router's secondary DNS to 1.1.1.1, just in case the power fails or the PI goes down. When I set mine up I completely forgot to set ESXI to auto-power on the VM, so after a brief power outage I had no internet for almost an hour because I had no redundant DNS configured. I got blindsided by my own mistake. Now everything is on a UPS and the VMs are correctly configured in case power is lost long enough to require a shutdown.
Never heard of smoothwan but I've been running PiHole on LXC on OpenWRT for years. It was never difficult to set it up, I just created a Debian (or Devuan, can't remember now) container and ran the PiHole install on it.
I have another point of view as a non-pro user. The leas thing my router is doing the better. I want my router software be as simple as possible to reduce possible bugs. Plus I want it to put all cpu time onto processing packets.
I would consider using pihole like functionality if it’s baked in firmware. But definitely don’t want to install extra software.
Unless you are doing deep packet inspection, which isn't useful in most home setups anyway, even mediocre hardware is going to be more than powerful enough to process packets while running PiHole or AdGuard home.
I'm afraid to ask, but why are people anti ubiquity? I freaking love my udm-pro and am waiting for their cams to come back in stock so I can ditch my nests.
"On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
"Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January."
No matter how good your security is, a rogue employee with high-level access will always be a threat. Since they now have experience with this situation, I trust that Ubiquiti has dedicated more resources to preventing both employee sabotage and external breaches.
This also shows that not every breach is what it seems, and investigating fully before publicly disclosing can sometimes help prevent disinformation. The “whistleblower” in this case was intentionally lying, and every customer that dedicated time to mitigation had to pay part of the cost.
Yeah, reminiscent of the (apocryphal?) story of the stuntplane mechanic whose negligence almost cost the pilot his life; assuming he'd be fired, the mechanic was shocked when the pilot said he was now the only mechanic allowed to touch his plane, bc he knew, with certainty, there'd never be another such mishap.
Stupid bugs caused me to move away from them, conveniently only days before the breach became public.
Bug #1 was when they stopped supporting 32-character SSIDs, so my main network called "Smart Meter Surveillance Network" suddenly was no longer editable. Switching routing platforms is easier than setting up all my devices again.
Bug #2 was the one I wrote up here on Reddit (https://www.reddit.com/r/UNIFI/comments/ghs4bg/arp_for_clien...), which was where ARPing for a client on a meshed wireless AP, from the wired network, would fail. If the client was on a non-meshed AP, it worked.
I expect better from my network, so I dumped Unifi and went to OPNsense on a fanless PC.
- Synology DS1019+ for storage, Plex, and Pi-hole via Docker
- 2x Rucuks R610 APs running Unleashed firware (off-lease eBay purchases, enterprise grade APs, about $150/ea, both wired/non-mesh)
- Brocade ICX6430-C12 Switch (4x 802.11at PoE, handles the APs, another eBay special, cost around $90)
This is working well for me, and unlike the UniFi stuff I can now pretty easily swap out any piece of it with another brand of the same function and things will be fine. The single ecosystem of Unifi always bothered me a bit.
If I want a new VLAN (or special WLAN) it's a little harder than on UniFi, but it's really just setting it up on OPNsense, defining it on the requisite ports on the switch, and turning up the new SSID (if needed).
I also don't miss Unifi's single pane of glass view either. All the shiny threat stuff isn't particularly actionable, and there's a bunch of gaps (IIRC like how it'd wouldn't have usable timestamps for some things) so I was never able to use it to make decisions.
I run the Synology with a LACP link; that's plenty fast as its more a storage/backup box than anything that needs to be performant. Speeding all that up would just be a matter of replacing the switch and adding a card into the Synology, but I don't need that for now. (I'd probably get a new NAS before that.)
I had six unifi protect cameras for over a year until I replaced them all. Rain at night means motion notifications every 30 seconds, bugs at night, same thing. Unifi cameras are terrible for outdoor applications.
I saw your exact question elsewhere, so I'll reply with my exact same answer:
I personally grew a strong distaste for several reasons. When I first started my homelab I was ready to go all in with Ubiquiti. Equipment looked nice, great looking UIs, great price. Seemed like everything was perfect for the prosumer. I bought some access points and a UDM pro to start, with plans for some POE switches next. First thing that irked me was that I had to log into everything through the cloud. And it wasn't possible to set up the UDM and access points at the time without a cloud account, though I know this has since changed. Second was that they were sending all kinds of telemetry to HQ. One of the reasons I set up a homelab is for privacy and data sovereignty, so having my low level network equipment spy on me is a huge no-go. The third thing that really pissed me off is that there was no way to manage any clients on my network that didn't go through a Ubiquiti access point. I had an old Airport Pro that I was using and all the clients that connected through it were not visible to the UDM pro. Both official support and the reddit forums said it wasn't possible and it didn't make sense anyway, and gaslit me and even removed some of my posts and comments. What is the point of a firewall if you can't disable traffic to some clients (e.g. I didn't want my robot vacuum phoning home to china). I SSH'd into the UDM and indeed see the vacuum in the ARP table so there was no technical reason to not allow me to set firewall rules for it in the UI. I mean the UDM gave these clients DHCP addresses, so it's obvious that the UDM was aware of them. It became clear - it's a business lock-in strategy to force you to go all-in on Ubiquiti equipment. They don't support heterogeneous mixed-vendor networks. I said fuck that and returned it all. Switched to open source products like OPNSense and used professional equipment from EBay and couldn't be happier. Way more control for the same price, no spying, and no vendor lock-in.
Forcing users to use a cloud account and an app for setup, and enabling telemetry without disclosing it to users, although once they were called out on it by folks noticing a bunch of traffic to their servers they eventually confirmed it was happening and added an opt-out option (see https://www.theregister.com/2019/11/07/ubiquiti_networks_pho...), also there was something about NVR and not being allowed to self host it, or use old hardware... I never bothered to really look into that one, but it seemed to come up a lot.
• lies about supporting older versions of APs, telling me I need to upgrade to get x-such-feature, and then they support it later on the older hardware.
• Various features sold as _coming_soon_, that really take several years to come about.
• making more and more of their setup require a total buy-in of the whole infrastructure when I only wanted one piece of it.
• It just wan't very reliable. I'd have to reboot all the APs every now and then to get them communicating well again (this seems to be limited to myself and not my friends, but happened on two generations of the UBNT hardware)
But what did them in on the end for me was some version upgrade totally blew up my network, that does depends on different SSIDs mapping to different VLANs, but after the upgrade, they bridged everything together.
Found that unacceptable, so I gave up fighting them, dropped in another enterprise vendor, and now things are truely rock solid.
Yes, they give out many enterprise features for a very low cost, and the feature set does far surpass any of the consumer price range gear that they hover their price points around.
OOTH, since I do work with lots of Enterprise gear, I know when used gear is falling off in price to affordable for home levels, and how much more life I can reasonably get from it. Sure, I don't have 802.11ax, but I don't think my last round of UBNT AP buys can upgrade to 802.11ax either, would have had to buy another round of UBNT gear.
Be aware that UI is planning to consolidate the UDM/UDM Pro software (1.x) into the UDM Pro SE / UDW software branch (2.x) in the near future, and the 2.x software doesn't use Podman and instead runs the software "bare metal".
IIRC the udm-utilities also work on the UDM Pro SE, though i'd be a lot more worried about "messing up" when it's not confined to a docker container.
It’s different but has some similarities. This blocks all kinds of configured (DNS) requests from your devices, even from apps and operating systems, whereas Brave browser only blocks ads on the browser. One drawback is that this solution does DNS level blocking, and cannot handle any web page element-level blocking that may be possible in some browsers.
I don’t know how you maintain your hosts list, but with a solution like pi-hole, you can easily subscribe to multiple blocking filters and have them update periodically without any intervention. Of course, you could automate your hosts update too, but pi-hole comes with this built-in.
Like you said, convenience of propagating the blockage to all devices, a central place for configuration, stats/diagnostics built into PiHole dashboard. I do like your DIY approach, though!
This is essentially what pihole does, but automatically, using shared lists of ad networks (you can add your own easily). And it’s available to things on your network where you can’t or don’t want to edit etc/hosts
(My smart tv used to love to shove ads in my home screen)
It’s an elegant and efficient way of taking back control of your network and the content It shows you.
I run it in a pi zero w with a little wooden case and a low power phone charger (500ma) I Velcroed it to my router.
You should have both. One is for network wide effects, so anything on your network will have ads blocked (smart TV, projector, phones etc.), another is for youtube and friends.
If you’re willing to add and maintain an ad-blocker in every single of your browsers (and potentially your family’s) and don’t care about non browser apps it’s virtually the same.
Ad blocker extensions only block ads on the browser they're installed. Pi hole would block ads on all devices they're connected in, in all apps (not just web browser) as long as the ad domains they requested are in the blocklist.
Also, ublock origin can only protect you from CNAME cloaking (a commonly used to evade ad blockers) on firefox. It can't protect against CNAME cloaking in chrome or other browser. But pihole can.
You should still install an adblocker in your browser though as some ads are loaded from the same domain they're serving site contents from, such as youtube ads. Ad blockers can remove ads based on full urls, not just domains.
Not sure about now, but before I'm using pihole, I was using hosts file to block ads and found a significant increase in network latency. Turns out the huge hosts file significantly increased DNS lookup time in my system (>1 seconds).
Every time I've tried pihole it has failed on services like YouTube. Can someone explain this to me and how I solve it? I know it's not just me, it even happened to Linus Tech Tips but I constantly hear responses "works for me" which are unhelpful. If ublock works fine, why can't pihole? I'm actually interested in a technical answer.
Pihole only works if ads are served from a distinct domain name from content. This works in most cases but YouTube serves ads and content from the same place so pihole can’t prevent. As uBlock works client side it does not face this limitation
So wouldn't there be a way to intercept the data and apply the same blocking that uBlock does and then resend it? I know it would have a delay, but that'd probably be worth it to me tbh.
It would be very hard to do so because SSL prevents middlemen from intercepting and modifying data. You'd have to install custom SSL certificates on all devices connected to your network like businesses do. PiHole would then use a copy of that custom certificate to decrypt the SSL, inspect/modify the contents, re-encrypt the contents with a normal SSL certificate, and send it off to its final destination.
I've looked into this and it seems like there is no software out there that makes this easy. For it to be convenient enough to make sense, I think there would have to be some router 'login' page which makes downloading and installing the certificate as easy as possible. But, even 'easy as possible' would probably be too inconvenient for any guests who just want to use your wifi. Maybe it could be optional somehow. Don't install the custom certificate? Fine but you'll still get ads. Install the custom certificate? Awesome, your ads will be blocked.
PiHole blocks at a DNS level, uBlock blocks down to the page element level. If the ads are coming from the same domain as actual content, a DNS block can't be used since you'd be blocking the content that you're trying to view.
PiHole works by blocking domains. Few years ago it was like youtube.com served videos and ad.youtube.com (just an example) served ads.
Back then you could simply block ad.youtube.com and there would be no ads but today Google is serving ads via their main domain. You can't block ads unless you block youtube.com.
So now no DNS based adblocker can block YouTube ads. uBlock is the only option which works inside browser only.
When your device sends out requests to the internet, the vast majority of them are encrypted with SSL. SSL encrypts your requests so that middlemen can't inspect or change the content of your requests. Without SSL, anyone would be able to do anything with your data, which of course would be a massive security problem that just cannot happen. Unfortunately SSL also means middlemen adblockers (like PiHole) can't see or modify the contents of your requests either. The only way for PiHole to block requests is by using the only necessarily unencrypted part of the request: the destination IP address.
Without being able to read the destination IP address, all the middlemen between your device and your destination server, wouldn't know where to forward your request. Your request would never make it to its destination website. The destination IP address is retrieved when you access a website. When you type google.com into the address bar, your computer sends out something called a DNS request to something called a DNS server. That DNS server sends back the destination IP address for the website you're trying to access. This DNS request is unencrypted and so PiHole can simply intercept it before it leaves your network, check if it's an ad domain, and if it is an ad domain, send back trash data to your device instead. Your device, unable to retrieve the destination IP address, is now blocked from accessing that content.
To prevent people from being able to block their ads via DNS, Google hosts ads on domains which are critical to using their services. For example, YouTube ads might come from youtube.com. This way, if you block YouTube ads using PiHole, you are also blocking the entire YouTube service as well.
UBlock Origin and other browser-based adblocking tools are able to block with a more fine-grained approach because they live in your browser and don't have to worry about SSL.
Pihole only see dns query. It doesn't see the full url. On the other hand, ad block extensions can see the whole url and can decide to block them while allowing other requests to the same domain through.
I think you should install both though. Pihole can block ads on apps, and can block CNAME cloaking.
You'll need to make sure that you block popular DNS IPs like 8.8.8.8 because some devices (like Amazon's Fire Tablets) hard code the DNS address as backups.
Our phones and smart devices all use either DoH or hardcode a specific DNS resolver. I haven't spent the time going all the way down to re-routing all port 53 traffic, but I doubt it'll do much.
To me the future of the home network is largely dead as long as I can't reasonably manage the software on these devices.
I'm not sure about Android, but you can disable iCloud Private Relay by returning NXDOMAIN for the domains below. These are Adguard filtering rules, but you can configure something similar using dnsmasq or Pihole.
I use these to automatically disable iCloud private relay, and I also have rules on my edgerouter to force certain devices to use my adguard instances for port 53 traffic, and it works well.
for those who want something effective outside of their home network...
ublock origin works fine as a plugin in firefox on android, and blocks ads just as effectively on firefox on desktop.
the ability to install arbitrarily chosen firefox compatible plugins on firefox on android is a huge deal for me. it makes it almost as powerful and useful as firefox desktop.
the only time I need to touch chrome anymore is when using some rare 1% of online shopping website that seems to think a firefox useragent is a bot.
For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
you can configure to use a self hosted DNS. I do this coupled with a VPN that was very easy to install and configure: https://dietpi.com . this VPN I access with ddns for free.
only fixed cost was the pi to run in (pi version 1 ram if by far enough for just pihole +unbound)
I moved to NextDNS after my SD card died on my Pi. One of the biggest features is that I can enable this on my phone using Android's Private DNS feature, which means it works for mobile data without having to run a VPN. Covers all networks with no extra configuration. Highly recommend.
> ctur - For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
The overhead is very minuscule.. I always forget that I'm using it...
I generally like NextDNS, but the customer service is _literally_ non-existent. About a week after becoming a paying member, I had an issue where requests wouldn't resolve at all, and there was no way to move forward, and there was no way to get help from the NextDNS team. So, a good service, but not so great for your family members who can't track down solutions to issues like that themselves.
This was the kick in the pants I needed to finally set up one of these. It took 20 minutes to get up and running, and half of that time was finding a wall USB adapter to power it. Easy peasy lemon squeezy.
Obviously, people whose products rely on those ads and telemetry, won't be happy and will try to retaliate, for example, by refusing you service. This frequently happens because of my usage of VPNs and ublock. In that case I have an option to quickly turn vpn/ublock off for that specific web site or service. In your case it's not so easy.
Plenty of ad-serving companies have found their way around DNS adblocking, including the top players in that market.
Encrypted DNS looks like any other encrypted stream, there's no reason for subversive apps to rely on DHCP provided DNS servers when they can be guaranteed to serve ads without them.
Wouldn’t pausing pihole allow, say, a Roku box or “smart” TV to exfiltrate data that was previously blocked? This is why I use a VPN for certain websites to bypass pihole filtering.
Given Apple is doing this on their products its a choice they'll have to make. They either put up with it or lose active users along with word of mouth.
I remember seeing an online service that provides the functionality of Pi Hole, blocking ads, protecting privacy and significantly speeding up browsing. Anyone familiar with it? If you’ve tried it, did you like it?
I have both Pi Hole and browser ad blocker plugin, the biggest problem is, sometimes a website does not function well or everything just loads extremely slow, I then have to spend some time debugging my network to know what is going wrong.
248 comments
[ 3.4 ms ] story [ 284 ms ] threadIn my opinion, additional being a curios software engineer I find it quite interesting.
Necessary? Perhaps not but helpful.
Heating valves for example.
The definition of iot from Wikipedia also does it.
But honestly why I hate my iot window blinds device it's the perfect excuse to use vlan at home.
However, I'm more worried about when they start hardcoding DoH servers.
I can’t filter it or redirect it like I can with plain old DNS.
Many years ago I anticipated that "developers" would no longer allow end users to choose DNS servers. The developers' work, i.e., software, was dropping in market value and they began to adopt a Trojan Horse "business model". End users could use the software for free with the expectation that few would notice/complain about increased surveillance and data collection, or injected advertising.
The so-called "MITM proxy" is neither a new nor radical idea. Corporations routinely "MITM" TLS traffic from their networks. Enterprise hardware/software companies have provided turnkey solutions.
The issue is not limited to addresses for DNS servers. For example, WhatsApp hardcodes IP addresses in their mobile app. For that problem I use an application firewall.
The PiHole is essentially a slightly modified version of dnsmasq running on a RPi. It is funny that no one has tried using other DNS software. Given a choice of DNS software, I would not choose dnsmasq. It also still seems that no one has presented a "PiHole" that uses a forward proxy instead of a DHCP/DNS server. Similar to corporations, home users need a turnkey solution for monitoring their home networks.
You'd think thats thr job of the router companies - they sell you hex-core routers for $390 or whatecer, but no usefull functionality
TBH, I always found the Chromecast proposition to be unreasonable: "Look at this neat form factor single board computer you just paid for. Too bad only Google is allowed to have control over it. Sorry, you cannot use this for your own projects because [unspecified]. Google must be allowed to conduct surveilllance and gather data." By comparison, lack of complete control over the RPi GPU is rather easy to ignore. AFAIK, the RPi Foundation is not selling online ad services. Compare the number of cool projects people have done with the RPi versus the Chromecast.
1. I think it used to be possible to force use of different DNS servers via DHCP as well.
But if the network outright blocks random DNS requests, that only leaves DoH, which would require fixed IPs, which should be able to be detected and blocked, right?
Sure, the setup becomes a bit more involved...
This doesn’t work with DNS over https of course.
So you won’t necessarily even get to play this cat and mouse game - the dns requests are indistinguishable from your web requests.
I guess you could mitm your own ssl traffic and strip out dns answers there?
But then … how soon until we see DoHoH?
DoH over Tor already exists, but more importantly, Oblivious DoH (kind of like DoHoH) is being standardized by the IETF: https://datatracker.ietf.org/doc/draft-pauly-dprive-obliviou...
ODoH isn't going to be defeated by TLS MitM afaik.
This means that the DNS response for the web server would always be the proxy itself, or some set of proxies (and it would have to be the same IP for both wanted and unwanted traffic). What does DNS even add at that point? You'd be better off just making your "wanted" and "unwanted" servers the same server.
Few of these ideas can be expected to work unless Evil, LLC controls the program the end user chooses to read the web. When an advertsing services company is also the majority share "web browser" vendor, then ideas like this become feasible. Whereas if web users can choose any client to access the web,[FN1] then these ideas would be non-starters. The open source text-only browser I am using is not going to read the IP address of an ad server embedded in a web page and connect to it automatically. Even if it did, I would simply edit the source code to disable that behaviour and re-compile.
1. In theory they can but in practice they generally don't.
I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
> I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
Yeah. Assuming this doesn't change, this is the end result for me, at least.
The next step in the arms race is DoH. Afaik no one has a generic answer to that beyond "treat devices behaving hostilely as hostile".
If it's running on Win/Mac/Linux/Android/iOS, block the app from talking to the gateway, or even the entire LAN.
Now what ?
Not sure what potential issues are are being mentioned here, but I'd say a separate VLAN for IoT devices + QoS [0] should rule out most of the concerns.
[0] https://en.m.wikipedia.org/wiki/Quality_of_service
Essentially it's just DNS filtering on steriods. You start with an empty (or preseeded) ipset, and a firewall rule that says to reject/drop all outbound traffic if the destination isn't in the ipset. Dnsmasq is setup as the default dns provider in DHCP, and it's setup to add all resolved IPs to the ipset (with an expiration so stale entries get removed).
Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT, etc don't work as their hardcoded IPs are blocked by default, and DNS filtering knocks out domain resolution of the endpoints. Even if an alternate resolver is allowed through the firewall, none of it's responses get into the ipset, so it's still broken (and is a sign I need to update the DNS filter).
Works a treat on my IoT devices
https://www.sidnlabs.nl/en/news-and-blogs/dns-resolution-req...
For example, can you stream Netflix @ 4K via RasPi? I assume no, due to super strict DRM.
It is a little bit surprising to me that the big streaming companies have not creating an open source operating system (similar to Android) that can be used by manuf to create TVs. Then, smaller manuf can find ways to offer bloatware- / adware-free options. Maybe this already exists, and this comment makes no sense!
HDR and OLED are available in some monitor models, but to my knowledge there aren't any 55" monitors with HDR and OLED, and especially eARC.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redir...
If the dns request is over 443 and the DoH server is the same host as the served resource, what can be done ?
The next step in the arms race would then be to implement DoHoH.
Sigh.
The DNS queries for these bypass any of your own DNS settings.
They even bypass host file overrides.
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Si...
https://www.henrypp.org/product/simplewall
This is a big reason why I will never buy another Chromecast branded product, or Google product, again. Congratulations on successfully monetizing my time and annoying me into swearing off Google products altogether.
> Nearly 70% of smart TVs and 46% of game consoles were found to contain hardcoded DNS settings - allowing them to simply ignore your local network’s DNS server entirely. On average, Smart TVs generate an average of 60 megabytes of outgoing Internet traffic per day, all the while bypassing tools like PiHole.
https://labzilla.io/blog/force-dns-pihole
For those devices which ignore DHCP/NDP provided DNS addresses, you could create a firewall to redirect outgoing port 53 traffic to your own server.
https://nicolaslouge.com/post/install-adguard-home-raspberry...
Combined with pfsense's recursive resolved (unbound), it makes for a pretty great home dns setup.
Jokes aside, I'd love a blog post on this. Seriously. Very likely to apply the knowledge as well.
[0] https://opnsense.org/
[1] https://teklager.se/en/pfsense-vs-opnsense/
also have you done migration between the two? if so, how hard was it?
I tried the auto-migration in OPNsense (backup from PFsense, restore to OPNsense) a couple times. Both times it got it mostly right, but whatever it got wrong blocked pretty much all traffic and was difficult to figure out why because everything looked right. I gave up and stayed with PFsense, but figured if I ever really did want to switch I would start from scratch.
- pfSense CE is an EOL product (and its replacement Plus is closed source). https://news.ycombinator.com/item?id=26479725 / https://news.ycombinator.com/item?id=27775408
- The Wireguard fiasco. https://news.ycombinator.com/item?id=30719403
Pi-hole is to pfBlocker as a Raspberry Pi is to a custom-built router
What is the advantage of this in this case?
I now run it in a docker container because of this, but I can’t speak to OPs motivations
Not specific to PiHole, but perhaps keeping the OPs infrastructure management consistent may have monitoring and maintenance benefits.
And specifically mentioned in the very next sentence:
> The Pi Hole project already has a nice Docker project utilizing compose.
It is a supported configuration for PiHole so it fits in nicely, no need to even product their own docker based solution.
Not much of a docker user myself (I've tinkered, and we use it for some things in DayJob, but for my own stuff I use VMs or occasionally LCX if I do want a container instead), but the answer to your questions was really quite obvious.
Had I a convenient way to set it up in a Docker container, it would've been better. Of course, since I don't run anything in Docker at home, that would also constitute a special setup I have to maintain.
I used to run pihole on various Linux distros I was testing for home server stuff. It used to be that some distros needed a few packages added to support pihole properly but nowadays the app itself is more streamlined and/or most common distros include the minimum components. I think pihole did focus on streamlining to enable easier docker support which is where I should be putting my install whenever I get back to messing with the homelab. I've been working in windows systems for work so everything is currently Win Server based which plex doesn't seem happy with but is easier than running the whole thing as VMs on my older hardware.
- I download the ISO for my system (Arch Linux)
- I install it on a drive
- I install docker and a (very) few other things
- I recover /etc/docker and data from a backup
- I run my docker-compose
- the server is up
Time: around 30 min to 1 hour without any documentation.
For me - THAT is the real power of docker.
That you can manage & think of this machine (program/process/container/vm) the same was as every other machine & dont have to ever ever ever ask "what should i do in this case?" or "what's right for this case?" because it's a unified answer that works well & operates the same everywhere.
Uniformity & no special cases. Death to pitiful old ways.
Much more recently I realized that this phenomenon of One Rule, One Exception falls under the umbrella of - or perhaps explains the effectiveness of - the Rule of Three. Two exceptions are bad, and work is partially pre-empted to correct that problem.
https://github.com/boostchicken-dev/udm-utilities/tree/maste...
They really solved what has always been a major pain with local hosting and made it really easy to use.
I ended up using NextDNS over pihole, but only because it was just easier to get the same result.
I hope it becomes more ubiquitous (hah) even on lower cost ones eventually.
Consider the case of a web page. The content you want (the news article) consists of say 100 get requests totaling 1mb. The content you don’t want (ads) consists of 120 get requests totaling 1.2mb.
When pihole is in use the content you want does not have to contend with adversarial content. You have half as many requests, there’s 50% less data in the pipe, you get what you wanted faster.
Gaming is not impacted because your games don’t call advertising servers. If they did (for some insane reason) the real game requests get served immediately not having to wait in line behind the ad content.
Often when someone joined a server there would be a tiny bit of lag for all of the users.
I figured out the server was using a java method that indirectly was doing a blocking DNS lookup. I think it was reverse DNS but I forget which method it actually was, and if it was blocking the main thread or just the networking thread.
(PiHole still wouldn't have created an additional cost though.)
DNS performance is very fast, better than ISP dns usually.
General web usage is much, much more pleasant.
No issues with gaming.
I ran mine on a Raspi Model B. You know, the one with the RCA plug and SD card slots. From 2012. At some point the SD was so messed up I couldn't ssh into it any more, but it still worked.
Now Pihole is running on my Thinkcenter minipc as a Socker image along with a good dozen others. I don't have to worry about SD corruption or sudden shutdowns any more.
If you add a bunch of extra-aggressive blocklists maybe you'll have issues but if you stick with the recommended OOTB lists, you'll be fine.
The resolution has to be done a way or another, by default this is your ISP and they usually suck. I had hand-picked DNSes before (there is a utility that tests plenty of them from your connection) and after adding a pihole on a simple RPi it was even faster.
If you want a one-purpose device for it, then you would be looking into buying a SOC computer like a Raspberry PI 3 (should be cheaper than the 4) and about an hour to set it up.
One little thing I have done is set my router's secondary DNS to 1.1.1.1, just in case the power fails or the PI goes down. When I set mine up I completely forgot to set ESXI to auto-power on the VM, so after a brief power outage I had no internet for almost an hour because I had no redundant DNS configured. I got blindsided by my own mistake. Now everything is on a UPS and the VMs are correctly configured in case power is lost long enough to require a shutdown.
https://pi-hole.net/ has more info on the install.
https://github.com/openwrt/packages/blob/master/net/adblock/...
https://openwrt.org/docs/guide-user/services/ad-blocking
https://forum.openwrt.org/t/adblock-support-thread/507
There have been other issues too.
https://krebsonsecurity.com/2021/12/ubiquiti-developer-charg...
"On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
"Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January."
This also shows that not every breach is what it seems, and investigating fully before publicly disclosing can sometimes help prevent disinformation. The “whistleblower” in this case was intentionally lying, and every customer that dedicated time to mitigation had to pay part of the cost.
Bug #1 was when they stopped supporting 32-character SSIDs, so my main network called "Smart Meter Surveillance Network" suddenly was no longer editable. Switching routing platforms is easier than setting up all my devices again.
Bug #2 was the one I wrote up here on Reddit (https://www.reddit.com/r/UNIFI/comments/ghs4bg/arp_for_clien...), which was where ARPing for a client on a meshed wireless AP, from the wired network, would fail. If the client was on a non-meshed AP, it worked.
I expect better from my network, so I dumped Unifi and went to OPNsense on a fanless PC.
I'm curious for solutions to:
- cheap(ish) rackmount fanless switches or routers with SFP+
- cheap(ish) rackmount PoE
- cheap(ish) rackmount low-power servers
What do you use?
But here's my setup in a nutshell:
- Motorola MB7612 Cable Modem
- Protectli FW4B silent PC as router/gateway
- Synology DS1019+ for storage, Plex, and Pi-hole via Docker
- 2x Rucuks R610 APs running Unleashed firware (off-lease eBay purchases, enterprise grade APs, about $150/ea, both wired/non-mesh)
- Brocade ICX6430-C12 Switch (4x 802.11at PoE, handles the APs, another eBay special, cost around $90)
This is working well for me, and unlike the UniFi stuff I can now pretty easily swap out any piece of it with another brand of the same function and things will be fine. The single ecosystem of Unifi always bothered me a bit.
If I want a new VLAN (or special WLAN) it's a little harder than on UniFi, but it's really just setting it up on OPNsense, defining it on the requisite ports on the switch, and turning up the new SSID (if needed).
I also don't miss Unifi's single pane of glass view either. All the shiny threat stuff isn't particularly actionable, and there's a bunch of gaps (IIRC like how it'd wouldn't have usable timestamps for some things) so I was never able to use it to make decisions.
I run the Synology with a LACP link; that's plenty fast as its more a storage/backup box than anything that needs to be performant. Speeding all that up would just be a matter of replacing the switch and adding a card into the Synology, but I don't need that for now. (I'd probably get a new NAS before that.)
I personally grew a strong distaste for several reasons. When I first started my homelab I was ready to go all in with Ubiquiti. Equipment looked nice, great looking UIs, great price. Seemed like everything was perfect for the prosumer. I bought some access points and a UDM pro to start, with plans for some POE switches next. First thing that irked me was that I had to log into everything through the cloud. And it wasn't possible to set up the UDM and access points at the time without a cloud account, though I know this has since changed. Second was that they were sending all kinds of telemetry to HQ. One of the reasons I set up a homelab is for privacy and data sovereignty, so having my low level network equipment spy on me is a huge no-go. The third thing that really pissed me off is that there was no way to manage any clients on my network that didn't go through a Ubiquiti access point. I had an old Airport Pro that I was using and all the clients that connected through it were not visible to the UDM pro. Both official support and the reddit forums said it wasn't possible and it didn't make sense anyway, and gaslit me and even removed some of my posts and comments. What is the point of a firewall if you can't disable traffic to some clients (e.g. I didn't want my robot vacuum phoning home to china). I SSH'd into the UDM and indeed see the vacuum in the ARP table so there was no technical reason to not allow me to set firewall rules for it in the UI. I mean the UDM gave these clients DHCP addresses, so it's obvious that the UDM was aware of them. It became clear - it's a business lock-in strategy to force you to go all-in on Ubiquiti equipment. They don't support heterogeneous mixed-vendor networks. I said fuck that and returned it all. Switched to open source products like OPNSense and used professional equipment from EBay and couldn't be happier. Way more control for the same price, no spying, and no vendor lock-in.
Forcing users to use a cloud account and an app for setup, and enabling telemetry without disclosing it to users, although once they were called out on it by folks noticing a bunch of traffic to their servers they eventually confirmed it was happening and added an opt-out option (see https://www.theregister.com/2019/11/07/ubiquiti_networks_pho...), also there was something about NVR and not being allowed to self host it, or use old hardware... I never bothered to really look into that one, but it seemed to come up a lot.
https://discord.gg/ubiquitiinstock
I've scored a few Protect items via alerts here, but be prepared to be patient.
• lies about supporting older versions of APs, telling me I need to upgrade to get x-such-feature, and then they support it later on the older hardware. • Various features sold as _coming_soon_, that really take several years to come about. • making more and more of their setup require a total buy-in of the whole infrastructure when I only wanted one piece of it. • It just wan't very reliable. I'd have to reboot all the APs every now and then to get them communicating well again (this seems to be limited to myself and not my friends, but happened on two generations of the UBNT hardware)
But what did them in on the end for me was some version upgrade totally blew up my network, that does depends on different SSIDs mapping to different VLANs, but after the upgrade, they bridged everything together. Found that unacceptable, so I gave up fighting them, dropped in another enterprise vendor, and now things are truely rock solid.
Yes, they give out many enterprise features for a very low cost, and the feature set does far surpass any of the consumer price range gear that they hover their price points around.
OOTH, since I do work with lots of Enterprise gear, I know when used gear is falling off in price to affordable for home levels, and how much more life I can reasonably get from it. Sure, I don't have 802.11ax, but I don't think my last round of UBNT AP buys can upgrade to 802.11ax either, would have had to buy another round of UBNT gear.
IIRC the udm-utilities also work on the UDM Pro SE, though i'd be a lot more worried about "messing up" when it's not confined to a docker container.
We use this at some of our clients in the MSP space
0.0.0.0 trashsite1.com
0.0.0.0 trashsite2.com
The only downside I see is that my approach is not network-wide. Any other reasons I should reconsider?
Previous subthread about it: https://news.ycombinator.com/item?id=22535387
(But it doesn't look like wildcard pattern matching doesn't work for the substring middle part of the string like your example.)
It’s an elegant and efficient way of taking back control of your network and the content It shows you.
I run it in a pi zero w with a little wooden case and a low power phone charger (500ma) I Velcroed it to my router.
I highly recommend that everyone do it.
Also, ublock origin can only protect you from CNAME cloaking (a commonly used to evade ad blockers) on firefox. It can't protect against CNAME cloaking in chrome or other browser. But pihole can.
You should still install an adblocker in your browser though as some ads are loaded from the same domain they're serving site contents from, such as youtube ads. Ad blockers can remove ads based on full urls, not just domains.
I ran in to a similar issue on Windows, which is described here: [1]
After following that article's suggestion to disable the Windows "DNS Client" service name resolution returned to normal.
[1] - https://tinyapps.org/blog/201809300700_large_hosts_file.html
I've looked into this and it seems like there is no software out there that makes this easy. For it to be convenient enough to make sense, I think there would have to be some router 'login' page which makes downloading and installing the certificate as easy as possible. But, even 'easy as possible' would probably be too inconvenient for any guests who just want to use your wifi. Maybe it could be optional somehow. Don't install the custom certificate? Fine but you'll still get ads. Install the custom certificate? Awesome, your ads will be blocked.
Back then you could simply block ad.youtube.com and there would be no ads but today Google is serving ads via their main domain. You can't block ads unless you block youtube.com.
So now no DNS based adblocker can block YouTube ads. uBlock is the only option which works inside browser only.
PiHole works at the DNS level, it can't block things if they're served from the same domain
Without being able to read the destination IP address, all the middlemen between your device and your destination server, wouldn't know where to forward your request. Your request would never make it to its destination website. The destination IP address is retrieved when you access a website. When you type google.com into the address bar, your computer sends out something called a DNS request to something called a DNS server. That DNS server sends back the destination IP address for the website you're trying to access. This DNS request is unencrypted and so PiHole can simply intercept it before it leaves your network, check if it's an ad domain, and if it is an ad domain, send back trash data to your device instead. Your device, unable to retrieve the destination IP address, is now blocked from accessing that content.
To prevent people from being able to block their ads via DNS, Google hosts ads on domains which are critical to using their services. For example, YouTube ads might come from youtube.com. This way, if you block YouTube ads using PiHole, you are also blocking the entire YouTube service as well.
UBlock Origin and other browser-based adblocking tools are able to block with a more fine-grained approach because they live in your browser and don't have to worry about SSL.
I think you should install both though. Pihole can block ads on apps, and can block CNAME cloaking.
Our phones and smart devices all use either DoH or hardcode a specific DNS resolver. I haven't spent the time going all the way down to re-routing all port 53 traffic, but I doubt it'll do much.
To me the future of the home network is largely dead as long as I can't reasonably manage the software on these devices.
My phone uses whatever DNS I configure it to use. When I'm at home, it uses my PiHole.
If you mean individual apps going their own way, that's a different problem.
ublock origin works fine as a plugin in firefox on android, and blocks ads just as effectively on firefox on desktop.
the ability to install arbitrarily chosen firefox compatible plugins on firefox on android is a huge deal for me. it makes it almost as powerful and useful as firefox desktop.
the only time I need to touch chrome anymore is when using some rare 1% of online shopping website that seems to think a firefox useragent is a bot.
I love pihole - but this is still slightly exaggerated. DNS-based sinkholin does have its limitations.
only fixed cost was the pi to run in (pi version 1 ram if by far enough for just pihole +unbound)
The overhead is very minuscule.. I always forget that I'm using it...
But otherwise I concur, I've run pihole for years without any manual intervention needed.
Encrypted DNS looks like any other encrypted stream, there's no reason for subversive apps to rely on DHCP provided DNS servers when they can be guaranteed to serve ads without them.