119 comments

[ 0.25 ms ] story [ 194 ms ] thread
Meanwhile, people use dozens of Npm and Python etc. packages written and maintained by Russians every day.

If they wanted to cripple our systems, it would be very easy to do.

So stop using nginx too and anything that uses it
Im not sure stifling open-source/innocent coders is the way to achieve freedom from govt and tech domination.
You’re right it’s not logical but you aren’t actually doing anything.
How does this compare to pihole? Do I have to migrate to this?
Would love to hear if anyone have used both and how they compare to each other.
Adguard can do dns over https/tls
Pi-hole is a bloated mess compared to this IMO. At the end of the day pi-hole is still just a fork of dnsmasq with a load of scripts and a bootstrap gui whacked on top. You need to add on extra bits and pieces to get anything like modern tech whereas AGH has https gui, multi-user support, DoH/DoT/dnscrypt/etc, toggles for quick blocks, access to a 'realtime' blocklist for emergent threats all baked in. It's also a single self-updating binary with a single config file instead of spraying bits all over your OS. Runs on pretty much anything you can think of, too.

pi-hole was great back in the day but unless you're just keeping on keeping on with an existing install there's better options available now.. AdGuard Home, Blocky, Technitium DNS etc.

I often compare pi-hole to DD-WRT inasmuch as it was awesome back in the day but times have changed and you probably wouldn't use it as first choice these days given what else is now available to you.

You can be fully protected just using vanilla dnsmasq and downloading fresh blocklists from time to time. It seems all the more ‘marketed’ flavors of adblockers are just web bling on top of dnsmasq. What else do they really offer?
Anecdotally, I’ve been a sysadmin for 20 years, been around computers since I was a toddler (apparently slept on top of a Data General something-or-other as a baby..). I have the skills to learn how to do dnsmasq-based blocking from scratch, write the scripts to fetch blocklists, init scripts etcetera. However, I run AdGuardHome on my OpenWRT router because I want to spend my time elsewhere. It was a case of install the package, fiddle the DNS routing slightly, pick my blocklists, and pick my up streams.

If I want metrics, I just open a browser and see what clients have been the noisiest, what’s being blocked a lot and so on. Generally I don’t even think about it.

Well 'the alternatives' are many so there's no quick answer to this, but restricting to just AGH as per this post then...

Encrypted upstream lookups. Responding to encrypted lookups made to themselves. Realtime threat protection via API. Quick toggle of blocks instead of rebuilding lists. Ability to quickly change blocking of individual devices. Decent Metrics.

Probably more.

But if you just want something with no web bling then there's other alternatives to dnsmasq which would be worth looking at which give some of the above features whilst keeping it commandline and manual blocklist building.

dnscrypt-proxy is wonderful, for example, and can do most of the stuff you can do in dnsmasq.

Have you used it?

I can easily see what domains are blocked in the web ui and see that Adobe products are trying to phone home so often and which clients are trying to resolve what domains.

I used both. Adguard Home is wayyyy better. More user friendly.
That’s my experience as well. AdGuard has simpler UX, very snappy and written in Golang (I like Go). I never had issues in my 5 or so years running it
I keep both on my network running on two different raspberry pis.

AdGuard Home is a lot cleaner to use. In particular it makes it much easier to control routing for queries by domain and supports forwarding over DNS over TLS, DoH, and DoQ natively. SSL support is a breeze. This means that my ISP can see the IP addresses of hosts but not their domain names unless they get aggressive with snooping. The single binary and clean configuration is nice.

PiHole seems to have a better landing page for analytics out of the box. It also works a little better for configuration for some devices.

I’ll likely retire PiHole in favor of AdGuard Home the next time the SD card dies on that Pi.

My preferred configuration is using some fairly invasive scripts to redirect all outbound DNS except to NextDNS. I’ve got blocklists for DoH hosts because I can’t just block port 443. AdGuard then routes to one of two different backends: for local domains it routes to CoreDNS that gets the hosts from my UDM-Pro to give everything nice hostnames. Everything else goes out via DNS over TLS to NextDNS. On PiHole it’s a little more complicated as it can’t directly forward with DNS over TLS.

It’s amazing how many semi-hostile devices this found on my network (looking at you Samsung TV and devices that hard code in Google’s DNS). It also reminds me of how terrible the internet is when I don’t have these protections.

AdGuardHome is pretty great. Run it on my OpenWRT router and miss it every time I use my phone away from home : )
Setup a wireguard VPN at home and connect too it from your phone whenever you're out.

If you can do OpenWRT, you can do this.

Tailscale is your friend. No need to open ports!
Or use nextdns and get this everywhere if you don’t care about self hosting.
But then you'll have less control over traffic control. With nextDNS you cannot see what app or device is calling for specific domains.
why would I use this instead of pihole?
(comment deleted)
This is one setting on a regular router IIRC.
I could be wrong but I don’t think pihole supports DNS over TLS out of the box. But AdGuard does
It’s better in every respect you could name
I ran pihole for a long time and then used AdGuardHome for a while before switching to NextDNS. And my experience was that AdGuardHome was an enormously more advanced product. Among other things, the ability to natively support encrypted DNS protocols like DoH, DoT, and dnscrypt both as a client and server was a huge advantage over pihole. AdGuardHome also made split horizon DNS much easier to configure, especially for multiple domains. Basically, my pihole setup eventually did what I wanted after installing a lot of extra software and editing config files by hand. I could do all of those things through the AdGuardHome GUI.

I'll admit I briefly switching back to pihole after Russia invaded Ukraine given that AdGuard is a Russian company. Whether or not that was a reasonable choice, the technical step back was obvious and noticeable.

AdGuard is not a russian company since long time ago. We moved the HQ in 2014, the core team including the owners are also on Cyprus, and finally half of AdGuard websites are even blocked by russian authorities. Anyways, I guess we’ll never get rid of this badge so ignore my rant:)
Maybe link to a source for this info and people will recognize.
Can this block the entirety of Facebook as well? Not just the tracking part.
Yes, just block their domains in the config.
Literally has a one-click toggle for blocking Facebook, yeah.
Yes. I do. One toggle switch for Facebook.
Is there anything in this field that actually doesn't block DNS but hijacks it and serves up 1x1 GIF for any image requests, 1 frame videos, empty HTML, CSS, JS, fake VAST/VPAID files so that requests don't have to timeout and fail? I setup a pi-hole a couple of years ago and the kids begged me to shut it off because it screwed up with games on their phones (crashed if they couldn't load ads or got stuck because there was no reply).
I think you can configure PiHole to return whatever IP you want for blocklisted domains. I guess you could set up a box with nginx that inspects the request content type header and returns generic content. But, TLS will cause problems here. You’d need to MITM all the traffic and serve up your own root certs, install them on devices etc.
you could just -j REJECT the traffic, that makes the connection fail immediately because it sends an icmp port-unreachable packet back.
Yeah TLS will be the headache. Just did a quick test with a self-signed, that works fine but I'll need to create one for each TLD (wildcard doesn't seem to be allowed as root, at least in browsers). That's easy to script, hard to install. So the only issue are devices that I can't install certs on like our Apple TV's and Rokus.
You should be able to install a single CA (installed on devices) and then use the key for that to sign individual domain (wildcard) certs?
Why not teach your kids to play real games instead of ad-ridden mobile garbage?
We'll I decided to teach them they have to pay for stuff themselves, and at least it taught them to be rather frugal. The real problem is that they mostly play what the other kids are playing.
"other kids" are idiots. ;-) Or, at least, their parents are, for not saying No to stupid shit. :-)
PiHole doesn't normally time things out, it returns 0.0.0.0 as the result.

The few apps I use, I haven't experienced time out or crashing issues as a result of PiHole. You might have other network or DNS issues.

I think nextdns will do this.
Why timeout? Point them to 0.0.0.0 and there will be an instant failure. This is precisely what NextDNS does when not using their blocking page.
Or you could buy your kids some decent games rather than training them to suffer through ads or pay-to-win in-app purchases? This is the best feature of Apple Arcade in my opinion.
PiHole & AdGuard are DNS blockers. Those tools are only serving/blocking domain mame requests. So they are not aware of the actual request your client is sending to those servers (to for example download a file). So no, by the nature of the DNS protocol this is not possible with those tools. What you probably wanna do is to use some kind of proxy which does deep package inspection (be aware that this is very resource intensive since you have to break up encryption and stuff).

Properly not worth it for the task you described. Simply add a DNS whitelist to AdGuard or manually unblock those domains causing issues.

(comment deleted)
If people can figure out which names resolve to ads and block them, people can figure out which names resolve to tracking pixels and send it to a server that will hand back a pixel.
Which proxies break encryption for you?
AdGuard develops many products, some of them supports TLS MiTM
You can override settings for specific clients.
NextDNS is a similar solution: https://nextdns.io/
Love NextDNS and it is my current choice, but it appears that the big difference between the two is that NextDNS does not provide a way to self-host the DNS server.
For me that’s a benefit. It’s extremely configurable for a hosted solution and since DNS is critical I prefer it now after having a few showstoppers with self-hosted DNS.

Nothing major but annoying to have to deal with everything being broken because of maintenance or whatever else.

I looked into nextdns and compared dns traffic on my adguard. My current usage would overshoot the free tier, and having another subscription but for dns doesn’t sound so fun
I felt the same way when I was testing it...then realized it was only 20 a year which is a fantastic price IMO.
True, but the price is very reasonable. Works very well outside of my home. Never need to remember to apply updates and I cant unplug it.
That's true, but functionally NextDNS also has several features AdGuardHome does not that made me switch even though I'd prefer a self-hosted solution all else being equal.

AdGuardHome (and pi-hole) work almost entirely on domain blocklists they regularly download from configurable sources (AdGuardHome also incorporates Google safe browsing). This blocks a lot of stuff, but NextDNS also has options like blocking typo squatting, newly registered domains, domains that are created by domain generation algorithms, and whatever their "AI-driven threat detection" feature is doing. It's hard to tell how useful those features are and there's no reason blocklists couldn't incorporate all those kinds of things. But I have no idea if they do, and outsourcing putting all that together to a service like NextDNS seems like a better solution than a locally hosted option that relies on a user figuring out the right blocklists to use. Although NextDNS also allows you to play with blocklists if you want.

While true, you can run nextDNS CLI locally and have the same performance as if you’re hosting your pihole/adguard home locally. I run it directly off my Ubiquti switch and redirect all DNS request to it.
I didn’t understand this. What does the local cli do that has similar performance? Does it create a local dns server that relays to upstream?
This was the first google result for NextDNS CLI -

https://github.com/nextdns/nextdns

looks like it proxies standard DNS traffic to NextDNS via DOH, and does some other fancy stuff including caching, zeroconf discovery, and conditional forwarding.

Dang, this looks like a nice option for my home setup - I may give it a try!!

I'm running the same setup you are, but the primary DNS servers are still pointing to nextdns rather than being fully local. I'm extremely happy with it, and any latency/speed difference is negligible anyways.
(comment deleted)
One of the surprising benefits of NextDNS is how fast their DNS queries are. At least in my case they are faster than all other DNS solutions including Google and Cloudflare.
Is there a performance/weight comparison between this and Pi-hole? Is AdGuard lighter weight or more bloated compared to Pi-hole?

Curious both about load on the raspberry pi and how long it takes browsers to fetch pages

AdGuard Home is more lightweight, no doubt; it's a single binary executable.

Whereas Pihole... where do I start

I just tried the docker version and the startup is really fast. You can also specify multiple upstream dns and have it return answer from whichever server that answer the query the first, etc.
Performance aside, i just switched my pihole to AdGuard and immediately noticed that AdGuard wasn't blocking anything. Switching back to pihole showed immediate queries to icloud analytics being blocked. So you should at least figure out a better filter than what AdGuard offers out of the box.
If you run OpenWRT on your router (or can) there’s also a comprehensive adblock package that “just works”:

https://openwrt.org/docs/guide-user/services/ad-blocking

What's a reason to chose the Adguard plugin over Adblock? I've the latter configured atm.
Adguard works at the computer level, so all browsers are protected.
They are both Openwrt plugins, as per gp's link...
I started using the adblock package years ago and it just does the job. I’ve never bothered to try adguard.
Adguard plugin..?

As for simple-adblock vs adblock, I prefer the former because malformed lists won't break DNS, which it does for adblock.

> Adguard plugin..?

See option 3 in gp's link: apparently theres an Adguard package for openwrt.

Just be careful with rebind protection: https://forum.openwrt.org/t/possible-dns-rebind-attack-detec...

My work application has domains that resolve to localhost for our dev setup, and it took me several days to figure out what the issue was. Basically, OpenWRT by default filters out any DNS records that resolve to "local networks" like 192.168.0.0/16 or 10.0.0.0/24. The benefit of this approach is that our services only run with TLS, but you will need whitelist some addresses!

Thanks for posting this as I was having similar issues just today.
I moved my network from PiHole to AdGuardHome after running them in parallel for a bit. Resource-wise they're about the same, but I found AdGuardHome to reply faster (with the same upstream servers). Haven't really explored features beyond the core DNS blocking and DNS rewrites for local services.
I use adgaurd on my phone it works well. I may give this a try on my network.
My rpi4 runs this in a container and it works great
You can also run Adguard Home as a DNS-over-HTTPS server and use it on both iOS and Android.
I run this on my OPNsense router and I'm extremely happy with it.
Side question: One thing that keeps me from setting up stuff like that is that it’s unclear to me what is involved in keeping it up to date. With Debian packages, I can easily have everything auto-update (e.g. using cron-apt). But for projects like this, it seems one would have to set up some idiosyncratic procedure?
Not sure about this project, but Pi Hole (which is very similar and likely covered under your "stuff like this") has updating built in.

Updating pihole is as simple as: pihole -up

Easy enough to cron up.

So, idiosyncratic in that it's not "apt update", but also pretty nice that it's all self-contained.

A lot of projects are also now available as docker containers, so you can just pull down the latest container version, currently my preference for home hosted things.

> you can just pull down the latest container version

Of course, but how do you automate this? Using Watchtower? Setup instructions never address this aspect. I get the impression that there’s no standard way to auto-update, and most people only update manually?

Unless you want a randomly broken LAN, you should probably pay attention by manually updating things.
Like other mentioned, it's probably best not to autoupdate these kind of apps. For example, I run a pihole in an old raspberry pi 2b and the latest docker image update broke it and I had to revert. Imagine if you're in the middle of something important and suddenly your network is broken and you had to drop everything to fix it. Just do regular once a month docker pull and container restart instead.
Yeah, that’s what I suspected, and that is why I probably won’t start using such a setup. With distributions like Debian, you get curated and timely security updates without having to do anything manually for years.
I've been running AdGuardHome for years, almost since it came out. I prefer keeping it up to date manually after reading the release notes and known issues (by visiting the config page and clicking update if it notifies me that there is a new version) but if you want to automate it you can install the Snap or Docker version or use the API[1] to trigger an auto upgrade. Installing it is easy, there's even an automated installation script now[2] but I prefer to do it manually and run it as a regular user without root permissions. It can run from pretty much anywhere in your filesystem and as any user as long as it has the correct permissions, that's what made me choose it instead of PiHole at first, also the more advanced regex blocking rules.

The easiest way to keep it up to date is probably a Cron script that runs curl to trigger the upgrade API endpoint.

[1] https://github.com/AdguardTeam/AdGuardHome/blob/master/opena...

[2] https://github.com/AdguardTeam/AdGuardHome#getting-started

Actually, AdGuard Home checks for updates periodically (unless it’s docker or snap) and can update itself right from the admin panel.
AdGuard is owned and operated by Russians. The company was founded in Russia, but moved its headquarters to Cyprus in 2014.

Is it owned by the Russian government? I have no idea.

Can you write off any software that had a Russian developer? No! Of course not!

... would I run AdGuard? No.

How best to enforce usage of this and stop apps/phones from bypassing and using DoH?

Edit: I found this post on pi hole forums explaining the situation with DoH / DoT. I think this will become a much popular topic to discuss on HN soon as both technologies are increasily popular.

https://discourse.pi-hole.net/t/blocking-dns-over-https-doh/...

I expect most apps and OSes to add fallbacks to regular DNS once dictatorships start null routing DoH resolvers.

Our unlikely allies in making sure in-app adblocking stays possible...

I'm curious to know if it's possible to block those domains which collect my "data". As in, these days it is becoming more and more common i speak something and I see ads a couple of hours. I turned off all microphones but apparently that doesn't help.

It'd be good to block these data collection requests.

Some services/devices/sites seem to have hardcoded IP addresses to circumvent these adlists/blockers.
ControlD.com is NeXTdns or AdGuard plus geo unblocking. Highly recommended
> Essentially, any advertising that shares a domain with content cannot be blocked by a DNS-level blocker.

Does this mean AdGuard Home can't block CNAME cloaking? I think pihole supports deep cname inspection.

It can, as a matter of fact.

Source: have AdGuard Home running in my network for many years.

Good to know. I'll test it out.

Edit: it even has home assistant integration like pihole. I'm going to test it for a few days and see how it performs. So far I have positive impression.

I was going to ask if there was a way to easily turn it off from my phone, then I found this linked to from the github page:

https://apps.apple.com/app/apple-store/id1543143740?platform...

This looks great. Currently I'm using Hyperweb, which is working great, but one thing I'm missing is an easy way to disable blockers for a particular site - and for it to remember that. As far as I can tell, all I can do is use Safari's 'Turn off Content Blockers' - but this doesn't seem to remember where I did it, and only seems to work temporarily / not for a whole domain, so I end up fighting with it.

It also has home assistant integration, which let you add a toggle in your home assistant page to quickly disable it.
How do you deal with DNS based ad blockers in a multi-user environment (eg. home network)? One issue I always seem to hit- adblocker breaks some site and user has to go to a webUI to unblock it, which is a bit to ask from some family members.
If you have home automation system like home assistant or apple homekit, you can add pihole and adguard home to them. Both pihole and adguard home has home assistant integration, which let you add a toggle in your home assistant page to quickly disable it. There is also a 3rd party homekit integration, so you can ask siri to temporarily disable it. If you use android, home assistant has google assistant integration so you can use voice command on your android phone to control it.
That may be the missing piece. I’ll look into it. The thanks!