Pi-hole is a bloated mess compared to this IMO. At the end of the day pi-hole is still just a fork of dnsmasq with a load of scripts and a bootstrap gui whacked on top. You need to add on extra bits and pieces to get anything like modern tech whereas AGH has https gui, multi-user support, DoH/DoT/dnscrypt/etc, toggles for quick blocks, access to a 'realtime' blocklist for emergent threats all baked in. It's also a single self-updating binary with a single config file instead of spraying bits all over your OS. Runs on pretty much anything you can think of, too.
pi-hole was great back in the day but unless you're just keeping on keeping on with an existing install there's better options available now.. AdGuard Home, Blocky, Technitium DNS etc.
I often compare pi-hole to DD-WRT inasmuch as it was awesome back in the day but times have changed and you probably wouldn't use it as first choice these days given what else is now available to you.
You can be fully protected just using vanilla dnsmasq and downloading fresh blocklists from time to time. It seems all the more ‘marketed’ flavors of adblockers are just web bling on top of dnsmasq. What else do they really offer?
Anecdotally, I’ve been a sysadmin for 20 years, been around computers since I was a toddler (apparently slept on top of a Data General something-or-other as a baby..). I have the skills to learn how to do dnsmasq-based blocking from scratch, write the scripts to fetch blocklists, init scripts etcetera. However, I run AdGuardHome on my OpenWRT router because I want to spend my time elsewhere. It was a case of install the package, fiddle the DNS routing slightly, pick my blocklists, and pick my up streams.
If I want metrics, I just open a browser and see what clients have been the noisiest, what’s being blocked a lot and so on. Generally I don’t even think about it.
Well 'the alternatives' are many so there's no quick answer to this, but restricting to just AGH as per this post then...
Encrypted upstream lookups.
Responding to encrypted lookups made to themselves.
Realtime threat protection via API.
Quick toggle of blocks instead of rebuilding lists.
Ability to quickly change blocking of individual devices.
Decent Metrics.
Probably more.
But if you just want something with no web bling then there's other alternatives to dnsmasq which would be worth looking at which give some of the above features whilst keeping it commandline and manual blocklist building.
dnscrypt-proxy is wonderful, for example, and can do most of the stuff you can do in dnsmasq.
I can easily see what domains are blocked in the web ui and see that Adobe products are trying to phone home so often and which clients are trying to resolve what domains.
I keep both on my network running on two different raspberry pis.
AdGuard Home is a lot cleaner to use. In particular it makes it much easier to control routing for queries by domain and supports forwarding over DNS over TLS, DoH, and DoQ natively. SSL support is a breeze. This means that my ISP can see the IP addresses of hosts but not their domain names unless they get aggressive with snooping. The single binary and clean configuration is nice.
PiHole seems to have a better landing page for analytics out of the box. It also works a little better for configuration for some devices.
I’ll likely retire PiHole in favor of AdGuard Home the next time the SD card dies on that Pi.
My preferred configuration is using some fairly invasive scripts to redirect all outbound DNS except to NextDNS. I’ve got blocklists for DoH hosts because I can’t just block port 443. AdGuard then routes to one of two different backends: for local domains it routes to CoreDNS that gets the hosts from my UDM-Pro to give everything nice hostnames. Everything else goes out via DNS over TLS to NextDNS. On PiHole it’s a little more complicated as it can’t directly forward with DNS over TLS.
It’s amazing how many semi-hostile devices this found on my network (looking at you Samsung TV and devices that hard code in Google’s DNS). It also reminds me of how terrible the internet is when I don’t have these protections.
I ran pihole for a long time and then used AdGuardHome for a while before switching to NextDNS. And my experience was that AdGuardHome was an enormously more advanced product. Among other things, the ability to natively support encrypted DNS protocols like DoH, DoT, and dnscrypt both as a client and server was a huge advantage over pihole. AdGuardHome also made split horizon DNS much easier to configure, especially for multiple domains. Basically, my pihole setup eventually did what I wanted after installing a lot of extra software and editing config files by hand. I could do all of those things through the AdGuardHome GUI.
I'll admit I briefly switching back to pihole after Russia invaded Ukraine given that AdGuard is a Russian company. Whether or not that was a reasonable choice, the technical step back was obvious and noticeable.
AdGuard is not a russian company since long time ago. We moved the HQ in 2014, the core team including the owners are also on Cyprus, and finally half of AdGuard websites are even blocked by russian authorities. Anyways, I guess we’ll never get rid of this badge so ignore my rant:)
I've been using this on Home Assistant, very easy to deploy and configure. Ad and tracker blocking on all mobile browsers is awesome, load times are so fast. https://www.home-assistant.io/integrations/adguard/
Is there anything in this field that actually doesn't block DNS but hijacks it and serves up 1x1 GIF for any image requests, 1 frame videos, empty HTML, CSS, JS, fake VAST/VPAID files so that requests don't have to timeout and fail? I setup a pi-hole a couple of years ago and the kids begged me to shut it off because it screwed up with games on their phones (crashed if they couldn't load ads or got stuck because there was no reply).
I think you can configure PiHole to return whatever IP you want for blocklisted domains. I guess you could set up a box with nginx that inspects the request content type header and returns generic content. But, TLS will cause problems here. You’d need to MITM all the traffic and serve up your own root certs, install them on devices etc.
Yeah TLS will be the headache. Just did a quick test with a self-signed, that works fine but I'll need to create one for each TLD (wildcard doesn't seem to be allowed as root, at least in browsers). That's easy to script, hard to install. So the only issue are devices that I can't install certs on like our Apple TV's and Rokus.
We'll I decided to teach them they have to pay for stuff themselves, and at least it taught them to be rather frugal. The real problem is that they mostly play what the other kids are playing.
Or you could buy your kids some decent games rather than training them to suffer through ads or pay-to-win in-app purchases? This is the best feature of Apple Arcade in my opinion.
PiHole & AdGuard are DNS blockers. Those tools are only serving/blocking domain mame requests. So they are not aware of the actual request your client is sending to those servers (to for example download a file). So no, by the nature of the DNS protocol this is not possible with those tools. What you probably wanna do is to use some kind of proxy which does deep package inspection (be aware that this is very resource intensive since you have to break up encryption and stuff).
Properly not worth it for the task you described. Simply add a DNS whitelist to AdGuard or manually unblock those domains causing issues.
If people can figure out which names resolve to ads and block them, people can figure out which names resolve to tracking pixels and send it to a server that will hand back a pixel.
Love NextDNS and it is my current choice, but it appears that the big difference between the two is that NextDNS does not provide a way to self-host the DNS server.
For me that’s a benefit. It’s extremely configurable for a hosted solution and since DNS is critical I prefer it now after having a few showstoppers with self-hosted DNS.
Nothing major but annoying to have to deal with everything being broken because of maintenance or whatever else.
I looked into nextdns and compared dns traffic on my adguard. My current usage would overshoot the free tier, and having another subscription but for dns doesn’t sound so fun
That's true, but functionally NextDNS also has several features AdGuardHome does not that made me switch even though I'd prefer a self-hosted solution all else being equal.
AdGuardHome (and pi-hole) work almost entirely on domain blocklists they regularly download from configurable sources (AdGuardHome also incorporates Google safe browsing). This blocks a lot of stuff, but NextDNS also has options like blocking typo squatting, newly registered domains, domains that are created by domain generation algorithms, and whatever their "AI-driven threat detection" feature is doing. It's hard to tell how useful those features are and there's no reason blocklists couldn't incorporate all those kinds of things. But I have no idea if they do, and outsourcing putting all that together to a service like NextDNS seems like a better solution than a locally hosted option that relies on a user figuring out the right blocklists to use. Although NextDNS also allows you to play with blocklists if you want.
While true, you can run nextDNS CLI locally and have the same performance as if you’re hosting your pihole/adguard home locally. I run it directly off my Ubiquti switch and redirect all DNS request to it.
looks like it proxies standard DNS traffic to NextDNS via DOH, and does some other fancy stuff including caching, zeroconf discovery, and conditional forwarding.
Dang, this looks like a nice option for my home setup - I may give it a try!!
I'm running the same setup you are, but the primary DNS servers are still pointing to nextdns rather than being fully local. I'm extremely happy with it, and any latency/speed difference is negligible anyways.
One of the surprising benefits of NextDNS is how fast their DNS queries are. At least in my case they are faster than all other DNS solutions including Google and Cloudflare.
I just tried the docker version and the startup is really fast. You can also specify multiple upstream dns and have it return answer from whichever server that answer the query the first, etc.
Performance aside, i just switched my pihole to AdGuard and immediately noticed that AdGuard wasn't blocking anything. Switching back to pihole showed immediate queries to icloud analytics being blocked. So you should at least figure out a better filter than what AdGuard offers out of the box.
My work application has domains that resolve to localhost for our dev setup, and it took me several days to figure out what the issue was. Basically, OpenWRT by default filters out any DNS records that resolve to "local networks" like 192.168.0.0/16 or 10.0.0.0/24. The benefit of this approach is that our services only run with TLS, but you will need whitelist some addresses!
I moved my network from PiHole to AdGuardHome after running them in parallel for a bit. Resource-wise they're about the same, but I found AdGuardHome to reply faster (with the same upstream servers). Haven't really explored features beyond the core DNS blocking and DNS rewrites for local services.
Side question: One thing that keeps me from setting up stuff like that is that it’s unclear to me what is involved in keeping it up to date. With Debian packages, I can easily have everything auto-update (e.g. using cron-apt). But for projects like this, it seems one would have to set up some idiosyncratic procedure?
Not sure about this project, but Pi Hole (which is very similar and likely covered under your "stuff like this") has updating built in.
Updating pihole is as simple as:
pihole -up
Easy enough to cron up.
So, idiosyncratic in that it's not "apt update", but also pretty nice that it's all self-contained.
A lot of projects are also now available as docker containers, so you can just pull down the latest container version, currently my preference for home hosted things.
> you can just pull down the latest container version
Of course, but how do you automate this? Using Watchtower? Setup instructions never address this aspect. I get the impression that there’s no standard way to auto-update, and most people only update manually?
Like other mentioned, it's probably best not to autoupdate these kind of apps. For example, I run a pihole in an old raspberry pi 2b and the latest docker image update broke it and I had to revert. Imagine if you're in the middle of something important and suddenly your network is broken and you had to drop everything to fix it. Just do regular once a month docker pull and container restart instead.
Yeah, that’s what I suspected, and that is why I probably won’t start using such a setup. With distributions like Debian, you get curated and timely security updates without having to do anything manually for years.
I've been running AdGuardHome for years, almost since it came out. I prefer keeping it up to date manually after reading the release notes and known issues (by visiting the config page and clicking update if it notifies me that there is a new version) but if you want to automate it you can install the Snap or Docker version or use the API[1] to trigger an auto upgrade. Installing it is easy, there's even an automated installation script now[2] but I prefer to do it manually and run it as a regular user without root permissions. It can run from pretty much anywhere in your filesystem and as any user as long as it has the correct permissions, that's what made me choose it instead of PiHole at first, also the more advanced regex blocking rules.
The easiest way to keep it up to date is probably a Cron script that runs curl to trigger the upgrade API endpoint.
How best to enforce usage of this and stop apps/phones from bypassing and using DoH?
Edit: I found this post on pi hole forums explaining the situation with DoH / DoT. I think this will become a much popular topic to discuss on HN soon as both technologies are increasily popular.
I'm curious to know if it's possible to block those domains which collect my "data". As in, these days it is becoming more and more common i speak something and I see ads a couple of hours. I turned off all microphones but apparently that doesn't help.
It'd be good to block these data collection requests.
Edit: it even has home assistant integration like pihole. I'm going to test it for a few days and see how it performs. So far I have positive impression.
This looks great. Currently I'm using Hyperweb, which is working great, but one thing I'm missing is an easy way to disable blockers for a particular site - and for it to remember that. As far as I can tell, all I can do is use Safari's 'Turn off Content Blockers' - but this doesn't seem to remember where I did it, and only seems to work temporarily / not for a whole domain, so I end up fighting with it.
How do you deal with DNS based ad blockers in a multi-user environment (eg. home network)?
One issue I always seem to hit- adblocker breaks some site and user has to go to a webUI to unblock it, which is a bit to ask from some family members.
If you have home automation system like home assistant or apple homekit, you can add pihole and adguard home to them. Both pihole and adguard home has home assistant integration, which let you add a toggle in your home assistant page to quickly disable it. There is also a 3rd party homekit integration, so you can ask siri to temporarily disable it. If you use android, home assistant has google assistant integration so you can use voice command on your android phone to control it.
119 comments
[ 0.25 ms ] story [ 194 ms ] threadIf they wanted to cripple our systems, it would be very easy to do.
pi-hole was great back in the day but unless you're just keeping on keeping on with an existing install there's better options available now.. AdGuard Home, Blocky, Technitium DNS etc.
I often compare pi-hole to DD-WRT inasmuch as it was awesome back in the day but times have changed and you probably wouldn't use it as first choice these days given what else is now available to you.
If I want metrics, I just open a browser and see what clients have been the noisiest, what’s being blocked a lot and so on. Generally I don’t even think about it.
Encrypted upstream lookups. Responding to encrypted lookups made to themselves. Realtime threat protection via API. Quick toggle of blocks instead of rebuilding lists. Ability to quickly change blocking of individual devices. Decent Metrics.
Probably more.
But if you just want something with no web bling then there's other alternatives to dnsmasq which would be worth looking at which give some of the above features whilst keeping it commandline and manual blocklist building.
dnscrypt-proxy is wonderful, for example, and can do most of the stuff you can do in dnsmasq.
I can easily see what domains are blocked in the web ui and see that Adobe products are trying to phone home so often and which clients are trying to resolve what domains.
AdGuard Home is a lot cleaner to use. In particular it makes it much easier to control routing for queries by domain and supports forwarding over DNS over TLS, DoH, and DoQ natively. SSL support is a breeze. This means that my ISP can see the IP addresses of hosts but not their domain names unless they get aggressive with snooping. The single binary and clean configuration is nice.
PiHole seems to have a better landing page for analytics out of the box. It also works a little better for configuration for some devices.
I’ll likely retire PiHole in favor of AdGuard Home the next time the SD card dies on that Pi.
My preferred configuration is using some fairly invasive scripts to redirect all outbound DNS except to NextDNS. I’ve got blocklists for DoH hosts because I can’t just block port 443. AdGuard then routes to one of two different backends: for local domains it routes to CoreDNS that gets the hosts from my UDM-Pro to give everything nice hostnames. Everything else goes out via DNS over TLS to NextDNS. On PiHole it’s a little more complicated as it can’t directly forward with DNS over TLS.
It’s amazing how many semi-hostile devices this found on my network (looking at you Samsung TV and devices that hard code in Google’s DNS). It also reminds me of how terrible the internet is when I don’t have these protections.
If you can do OpenWRT, you can do this.
I'll admit I briefly switching back to pihole after Russia invaded Ukraine given that AdGuard is a Russian company. Whether or not that was a reasonable choice, the technical step back was obvious and noticeable.
https://github.com/AdguardTeam/AdGuardHome#how-does-adguard-...
Pihole has many options for different blocks, but all have downsides.
The few apps I use, I haven't experienced time out or crashing issues as a result of PiHole. You might have other network or DNS issues.
Properly not worth it for the task you described. Simply add a DNS whitelist to AdGuard or manually unblock those domains causing issues.
Nothing major but annoying to have to deal with everything being broken because of maintenance or whatever else.
AdGuardHome (and pi-hole) work almost entirely on domain blocklists they regularly download from configurable sources (AdGuardHome also incorporates Google safe browsing). This blocks a lot of stuff, but NextDNS also has options like blocking typo squatting, newly registered domains, domains that are created by domain generation algorithms, and whatever their "AI-driven threat detection" feature is doing. It's hard to tell how useful those features are and there's no reason blocklists couldn't incorporate all those kinds of things. But I have no idea if they do, and outsourcing putting all that together to a service like NextDNS seems like a better solution than a locally hosted option that relies on a user figuring out the right blocklists to use. Although NextDNS also allows you to play with blocklists if you want.
https://github.com/nextdns/nextdns
looks like it proxies standard DNS traffic to NextDNS via DOH, and does some other fancy stuff including caching, zeroconf discovery, and conditional forwarding.
Dang, this looks like a nice option for my home setup - I may give it a try!!
https://adguard-dns.io/en/public-dns.html
Curious both about load on the raspberry pi and how long it takes browsers to fetch pages
Whereas Pihole... where do I start
pihole was only using steven black list last time i checked.
[0] https://raw.githubusercontent.com/StevenBlack/hosts/master/h...
https://openwrt.org/docs/guide-user/services/ad-blocking
As for simple-adblock vs adblock, I prefer the former because malformed lists won't break DNS, which it does for adblock.
See option 3 in gp's link: apparently theres an Adguard package for openwrt.
My work application has domains that resolve to localhost for our dev setup, and it took me several days to figure out what the issue was. Basically, OpenWRT by default filters out any DNS records that resolve to "local networks" like 192.168.0.0/16 or 10.0.0.0/24. The benefit of this approach is that our services only run with TLS, but you will need whitelist some addresses!
Updating pihole is as simple as: pihole -up
Easy enough to cron up.
So, idiosyncratic in that it's not "apt update", but also pretty nice that it's all self-contained.
A lot of projects are also now available as docker containers, so you can just pull down the latest container version, currently my preference for home hosted things.
Of course, but how do you automate this? Using Watchtower? Setup instructions never address this aspect. I get the impression that there’s no standard way to auto-update, and most people only update manually?
The easiest way to keep it up to date is probably a Cron script that runs curl to trigger the upgrade API endpoint.
[1] https://github.com/AdguardTeam/AdGuardHome/blob/master/opena...
[2] https://github.com/AdguardTeam/AdGuardHome#getting-started
Is it owned by the Russian government? I have no idea.
Can you write off any software that had a Russian developer? No! Of course not!
... would I run AdGuard? No.
Edit: I found this post on pi hole forums explaining the situation with DoH / DoT. I think this will become a much popular topic to discuss on HN soon as both technologies are increasily popular.
https://discourse.pi-hole.net/t/blocking-dns-over-https-doh/...
Our unlikely allies in making sure in-app adblocking stays possible...
It'd be good to block these data collection requests.
Does this mean AdGuard Home can't block CNAME cloaking? I think pihole supports deep cname inspection.
Source: have AdGuard Home running in my network for many years.
Edit: it even has home assistant integration like pihole. I'm going to test it for a few days and see how it performs. So far I have positive impression.
https://apps.apple.com/app/apple-store/id1543143740?platform...
This looks great. Currently I'm using Hyperweb, which is working great, but one thing I'm missing is an easy way to disable blockers for a particular site - and for it to remember that. As far as I can tell, all I can do is use Safari's 'Turn off Content Blockers' - but this doesn't seem to remember where I did it, and only seems to work temporarily / not for a whole domain, so I end up fighting with it.