I looked at Pi-hole recently but went with AdGuard Home. Nicer UI and nicer everything by all appearances. There's also a surprising amount of customization for something this slick, like being able to defer to my internal DNS for local private domain queries, etc.
I'm not entirely sure why AdGuard is giving this away, and maybe I should look into that, but seemed like a relatively low-risk decision to go with this for now. And I can't say enough about how much more pleasant using things like the NYTimes app has been without the obnoxious ads.
Yes, it’s really awesome. The split-dns feature has all the options you would imagine.
I thought i would need a second dns server behind it, but i could add all the rules I need right into adguard home. It even supports DoT and DoH upstreams, which is still not a thing with many home routers.
About the give-away-for-free aspect I was also wondering. Do they maybe configure their dns servers as default upstream and hope many people keep the defaults? DNS is one of the best technologies to do data mining and sell the data. I guess it's also why all those easy to remember dns servers like 8.8.8.8 and 1.1.1.1 exist. Google and Cloudflare for sure don't do it just to be nice.
Disclaimer: adguard claims not to sell any customer data.
> I'm not entirely sure why AdGuard is giving this away
Here is my reasoning. I can read up the documentation and set it up and get it working. I'm going to brag to my friends about how my home network has no pesky ads and stuff. They will ask me to “Set up for me, Set up for me.”
I cannot help them maintain, even if I do set it up for them, so -- I'm going to say, “You know what, instead of that complexity, they have a simple app-based setup that just works for just $29 a year for your whole family.”
See, I just got five of my friends to download and buy the service in that dinner party.
I believe this is the same philosophy of todays' tech Startups -- have an Open Source Product but build a commercial business on top of that.
I ran a competing project[0] on my home network for a few years before I discovered NextDNS[1]. What I lost in performance (requests don't leave my house) I gained in portability: ALL my devices can take advantage – at home and away – and time-saved. PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it. At $20/year, I simply couldn't compete with NextDNS.
Note: This isn't a shill for NextDNS; I love these kinds of projects and think they absolutely should exist, but NextDNS just happens to be one of those dead-simple SaaS tools that is an insanely good value.
The one (fairly huge) issue that I have is that it cannot handle captive portals when its enabled on my iPhone. So if I'm joining the wifi on a plane, etc, I need to remember to turn it off. This means that I cannot recommend it to my non-technical friends.
Most likely it's due to the different lists you can add or use on NextDNS. I also have issues with captive portals (I run a number of lists on NextDNS) and I just flip it off and on when I need to.
I just checked, and I don't use any lists, except for an allow list I just started with captive portal domains. Eg .aainflight.com, .captive.apple.com, etc
Interesting -- for me pi-hole has worked for so long that I've forgotten my login even, but when I redo my home network in the near future I definitely intend to re-evaluate the options. Sounds like I've got 3 now...
This is also my issue with pi-hole, I still use it but I lost the password. Every now and then I take a crack at getting back in so I can update it. I have been thinking of switching to NextDNS so I could have blocking everywhere.
Other than this problem, Pi-Hole has always been great
i paid for NextDNS back in 2020 but discontinue the following year due to services such as streaming from PBS app and websites not working properly. I knew this maybe related to aggressive blocking DNS but I wasn't having the time to investigate. I have no complain about NextDNS. Their service works and pricing is fine. I just use Adguard premium now and have no issue for a year.
Haven’t used NextDNS but have used PiHole and currently running AdGuard Home. But if you are paying $20/year just for DNS encryption/blocking, you may consider upgrading to Mullvad which gives you DNS Ad blocking but also IP anonymity, tunneling etc.
The two are not the same; with NextDNS I can choose to enable logging and see all requests from each device, as well as allowlist/denylist any domain/subdomain I want.
Except all of these third party VPN and DNS type services are literally NSA honeypots and privacy nightmares. I get that you have to do DNS lookups somewhere, but I'm not going to make it ridiculously trivial for a bad actor to scoop up all that data conveniently in a central location.
I agree there's a very high chance they and the majority of other VPNs are - or if not the US some other intel org.
The US government has form (what was that early crypto machine they sold to allies and it was backdoored?), and they'd be foolish to miss such a strategically obvious play.
NSA tapped the phones of the German Prime Minister.
They are the same spooks that intercept router gear in transit, flashed it with secret firmware, then put it back in the mail. Like, of course the United Stated Intelligence apparatus, agencies with an unlimited budget, a national security mission, and is completely exempt from all laws has 100% capability to spy on some tiny company in Sweden.
It is up to you to decide what you believe, but Mullvad is a swiss company that does not ask for your personal information for signup and even allows payment in cash. You hurt your own credibility each time you make an unqualified claim without looking into it.
I also switched from pihole, because of the random disservice, I’d have it working, the suddently it would just stop, without changing anything, and even having it in their own docker container, unbelievable, I am quite happy with adguardhome, but now I kinda would try this nextdns
Have you looked into their privacy/data collection policies?
Generally prefer local solutions but gave up on Pi-hole some time back after recurring issues. Currently using client-specific adguard; however the centralized management with nextdns is enticing.
I'm curious what issues you ran into with Pi-hole? I was running my instance for years without a single hiccup. I ended up moving to AdGuard Home about a year ago though because I wanted to run it on my OPNSense box.
I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
> I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
Exact same setup for me also.
I also run Tailscale since I have run into some remote networks that blocked wireguard's port.
I like the idea and might set that up but my residential ISP doesn't have great peering and latency isn't great. I wonder if that extra roundtrip would be noticable or not.
I do this from my phone with crummy copper ADSL at home that gets <20Mbps in the uplink and don't notice the difference between it being on and being off. YMMV of course, and all I'm doing is basic web browsing, occasional youtube videos and chat apps but it's fine for that.
I did have several issues with adguard home, after some time (or packets?) the dns wouldn’t resolve and basically you can’t open any website, you can ping with no issues but not opening the site, only resolved by either restarting the server or waiting few minutes, didn’t bother to troubleshoot it but I tried it on several hardware and got the same issues with different interruptions time.
I experience similar issues with Cloudflare Zero Trust (I have it setup to work as an ad blocker, using a Terraform config to update blocklists pulled from eg uBlock Origin sources). It'll work great most of the time, but when it stops working I need to disconnect and reconnect. Hard to complain since it's free, though.
Too many false positives with Pi-Hole. I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town, unable to get into the pi-hole and sort out the issue.
I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.
The blocker on PFsense eventually had the same issue.
Realistically, I was probably running too many overly restricting blocklists for my actual needs.
But, I also don't want to fiddle with messing with the out of the block blocklists that also caused me issues.
"Just" is doing a lot of work in that sentence. That sounds like a lot of work, and it isn't always obvious which weirdly-spelled domain is causing the issue.
I can empathize with the sometimes aggressive blocking, and as you pointed out can be pretty block list dependent.
I generally will go in and whitelist things if a site breaks due to a DNS block, but of course putting your partner on the same VLAN can be problematic. I "got around" that by having a button in Home Assistant that will completely turn off Pi-hole (and now AdGuard). So my partner will go in and toggle that if there's a problem.
AdGuard Home does also have the ability to completely disable blocking for specific clients.
I had similar issues and the problem with a white list is it can be very difficult to figure exactly which cryptic subdomain of some major company is necessary for the service to work, without just allowing everything and defeating the purpose .
Sure, if you’re accessing it in your web browser. But when it’s an app on someone else’s phone that’s misbehaving, that’s where I throw in the towel. It’s not worth the effort at that point.
> I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town
One potential workaround, if your hardware supports it, is to broadcast two separate SSIDs for general users: one with a blocklist, and one without as a fallback. Users just need to know when to use each.
I tried that too, but the Pi needs to be bridged to the network for it to show up properly and that caused issues with docker containers not being able to access it properly.
Most likely it can be made to work, but I have more money than time to spend on faffing about with stuff that should Just Work, so I threw $10 at NextDNS which solved all my issues instantly :)
The Pi needs a bit more power than most USB powerplugs deliver, did you get any warnings about underpower? The SD Card corruptions are often caused by this.
> I'm curious what issues you ran into with Pi-hole?
My primary problem with Pi-hole or any other DNS-based blocker is that it silently breaks things. YouTube stopped saving my spot in videos. I couldn't click through on any link that involved a tracking service.
These things accomplish their stated task well, but leave behind an insidious trail of browser errors, broken pages, and broken apps without ever indicating to the user what the cause of the problem really is.
DNS just isn't the right tool for fixing shitty UX in the browser DOM or a mobile app. It's a happy coincidence that it works more often than not.
Odd - I have a pi-hole on my home network and never hit the issue with YouTube. The only breakage I've found is the top "results" (actually sponsored ads) on Google search don't work, but I always scroll past those anyway to discourage bad behaviour.
In fact pi-hole works so well that I'm always struck by how awful the internet has become when I venture away from my home network. Doctorow's enshitification in action.
The YouTube thing was what turned me on to Pi-Hole's list of commonly-whitelisted domains[1], but even after adding it, the experience of things breaking was just ultimately too frustrating to keep using it.
It's really an issue with feedback, though. When my ad blocker breaks a page, it says that it blocked something. When pi-hole breaks a page, it just appears to be broken.
I have had to do the same to fix Youtube progress reporting, but not much more. That is one of few things the PiHole has ever broken for me (that I know of...). I agree that a problem with PiHole is that if something is not working and I disable uBlock as a debugging step, then I have to also browse and login to 2 different PiHole GUIs and temporarily disable it. Without knowing if PiHole actually blocked anything. It is especially inconvenient when on the phone. I have not looked if it already exist, but I would want a nice little app I can open and just click "disable for X time" which would disable the blocking on all my PiHoles at once. Also syncing all settings from a "master" instance would be great. Maybe the default lists should contain some of the whitelis domains or something aswell.
Still, these problems are so small compared to the value I get out of my PiHoles. Blocking ads for years on end while having troubles maybe 3-4 times in total. All the other time it just works.
Yeah nextdns regularly blocks things I don’t want to see and many email tracking links fail, some online stores don’t work (https://www.thermoworks.com/) and it’s really easy to turn off on my phone.
I saw some people setup pihole 5min temporary off buttons one way or another to get by.
I run lockdown also.
Try disabling ublock or other privacy extensions. Thermoworks add to cart doesn't work on my regular browser with everything but works on my browser that doesn't have those extensions with NextDNS, again it might be one of your blocklists
I love nextdns - pihole was fine but required admin, and I also had challenges vpn’ing in to use it out side of home. Whereas nextdns is simple to use, and effective.
No idea how I have been living under a rock. I was using Google dns forever, but just switched my router over to next! This looks amazing, and great to see so many people using it with positive feedback.
Happy nextdns user here who used to have an overly-complicated setup with pihole and vpns etc. The only thing I have to complain about is the iOS app- I really wish it had a builtin way for viewing logs and white/blacklisting domains from the app, without having to go to the site. (Other settings would be nice too, sure, but as aggressive as I run it I find myself fiddling with the whitelist the most)
I've used ControlD [https://controld.com/] for this and liked it. Does anyone know how NextDNS compares to it?
ControlD has worked well for me, outside a few UI complaints I have with their site. I do have some concerns with trust as I don't know much about ControlD, and I'd rather use the most trusted service for this.
I've been a NextDNS user for years now, and am trying out ControlD (last week) before I commit to switching. NextDNS development seems to have stalled and there are a number of conveniences missing, such as being able to label allowlist entries (ControlD supports this). Also, running the NextDNS app on a device that use a different profile then the one on my home router results in constant issues when the device wakes from sleep (not able to resolve domains for a noticeable amount of time on wake). NextDNS claims this is an Apple issue, but I don't think that's entirely true. Certainly not a problem for other similar services.
I'm seeing ControlD as much more feature-rich and the service is evolving faster. I also personally like the UI a bit more vs NextDNS. Prices are comparable.
With your link, I'm only seeing "Free Trial". While I'm not seeing any pricing for personal use (without signing up at least), I'll take you at your word.
I ran Pi-hole along with my OpenBSD router running unbound for some period. Then I realized I can download the same entries used for Pi-hole, AdGuard, uBlock, etc. I created a simple script that generates an unbound configuration that I can include in my unbound.conf file.
One advantage over Pi-hole I noticed is I can return NXDOMAIN which makes more sense to me. I didn't see how I had that option with Pi-hole.
I just checked, and the generated unbound configuration comes in at 218000 lines, so takes a moment on my Celeron J3060 class router when loading unbound.
I setup Pi Hole with tailscale on an inexpensive cloud server. It is configured to serve DNS requests over the tailscale interface. Also added tailscale IP address of the Pi Hole to tailscale DNS override to ensure that all devices on the tailnet use it without any additional reconfiguration. For redundancy, I have multiple DNS servers on my tailnet. Family and friends can use it without worrying about portability and be protected at all times, especially on cell networks.
Tried this. Latency of DNS so critical, wasn't loving the self host option. Plus Tailscale wasn't quite reliable enough for all DNS traffic outside the house.
I ended up with Pi-Hole on local network (manual DNS tied to Wifi SSID), NextDNS as default/fallback on other networks.
One of the major reasons why I don't use or recommend NextDNS is because they force you to use their DNS resolver when a DNS resolver like Quad9 has vastly superior threat intelligence.
On my Pixel I just set Private DNS. Yea I had to setup a SSL certificate but that's easy to do. So when I leave home, I still use my Adguard server for adblocking without having to touch settings etc (except, as mentioned, captival portals)
I could do the same with "vanilla" DNS (udp port 53) as well, but I don't.
Pihole can't, easily, do Dns vis TLS/QUIC etc without 3rd party stuff being bolted on etc. Adguard Home is a single binary, it's great.
I run a pihole server for myself- and access it over VPN when I’m traveling. But I’ve tried NextDNS and can confirm it works pretty well. Set my grandmother up on the free tier and within the first week it stopped her from getting phished, because the scam text she clicked went to a site that wouldn’t resolve.
> PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it.
I don't know what problems you had with your Pi that resulted in 10% downtime, but that sort of hyperbole sounds a lot like shilling. Cases of SD card corruption are 99.9% due to the use of underpowered power supplies - just buy the official Raspberry Pi power supply if you can be bothered to search for a proper 2.5-3A USB power supply.
> At $20/year [...]
At $20 a year, I could buy a RPi Zero 2W and an SD card to keep as a spare every single year and have enough left over for a celebratory Sheetz sandwich. PiHole + WireGuard + $15 RPi Zero (once off) are unbeatable.
I think it's weird when people suggest that a self-hosted on-prem solution requires no maintenance and has so little downtime such that the time spent fixing issues doesn't matter.
I run a bunch of local services on RPis and a decade-old Mac Mini. I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it. I only run things that don't need to be highly available, so something like Pi-Hole is off the table. The last thing I want is for our DNS to go out while I'm sleeping, and my partner has to wake me up because she has work to do.
You mention SD card corruption as the only reason why a RPi-based service might fail, but there are plenty of others: botched updates, random hardware failures, power supply issues, and likely other things I'm not thinking of.
And even if a Pi-Hole can keep three nines of uptime (I'm skeptical of this claim), many people will find significant value in giving someone else money so they don't even have to think about digging into fix a problem for the rare occasion it happens. Suggesting that a particular home-hosted solution is "unbeatable" is meaningless; "unbeatable" in this case is a subjective measure, and other people will value different things than you do.
> I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it.
I don't know the nature of your maintenance, but I've had unattended security updates working for years, I automated a bunch of stuff and use etc-keeper.
> I only run things that don't need to be highly available
Redundancy helps. 2 (more!) RPis cam be primary/secondary/tertiary DNS servers to match paranoia levels. Even if you have a single PiHole, keeping a pristine copy of the PiHole on a $3 sd card will get one up and running instantly.
> Suggesting that a particular home-hosted solution is "unbeatable" is meaningless
Oddly I found myself upvoting this comment AND the parent. Neither are wrong. There is no right or wrong on this subject.
$20 a year spent on a hand-rolled RPi that you have full control over and enjoy tinkering with—amazing value!
$20 a year for something like NextDNS so you can spend your time worrying about more important (to YOU) things, amazing value!
It's wondrous the choices we have today. 30 years ago it would have taken a rack full of noisy servers and a few thick books to keep a DNS service up and running at anything even close to 99%.
Not addressing Pihole directly, as I don’t have much experience there. But have you maintained a router? Running open source firmware or not, router does require a certain level of maintenance, open source ones arguably more. But that doesn’t make it problematic enough to have a lot of downtime. Given some people runs pihole-like software directly on a router, I’m skeptical the down time there is significant enough to stay away from. I mean having high availability internet at home is hard, but I expect the rate of failure of a router to be similar of magnitude comparing to pihole. If you can’t tolerate the latter, I wonder how you solve the availability issue of the former?
Don’t want to jinx it but I’ve been running a pihole on a RPi 3 for a really long time - at least 6-7 years and the only thing I’ve had to do is an occasional upgrade.
I like the convenience and the fact that I’m blocking about 4M domains.
My TV is also forced to use it so ads don’t update on Android TV.
Not sure if NextDNS supports custom domain lists or not.
Effectively, yes, for how much it costs to run. You know if you pay for a service that your subscription partially goes toward their power bill, right?
Back of envelope calculstion for my Rpi Zero 2W: 1W * 24h * 365 = 8.76kWh, which when rounded to the nearest dollar is $1 per year on electricity - so I guess I won't get the fancy Sheetz sandwiches, but it's not exactly breaking the bank compared to the $20 SaaS subscription
NextDNS sends EDNS client subnet (ECS). If challenged on privacy grounds they can claim it is for performance but a primary benefit of ECS, whether intentional or not, is to serve online advertising interests.^1
1. Dishonest people might try to debate intentionality. But forseeability is indisputable. The privacy issues created by ECS were known when it was introduced by Google. If ECS is truly for performance _that benefits the user_ then it stands to reason that it should the _user's_ choice whether to send it. That is, ECS should be optional. This is not merely a personal opinion. It was a consensus. See: https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf
AFAIK, NextDNS, like Google and OpenDNS, will not allow any user to disable sending ECS.
For example, Cloudflare when it launched 1.1.1.1 decided not to send EDNS subnet and they have claimed this is based on privacy grounds.
Whether anyone cares about privacy is their business, not mine. And whether anyone believes ECS improves peformance for them is for them to decide, not me.^2 Here I am just presenting some facts for consideration. Anyone is free to disregard these facts.
2. When considering "performance" we might differentiate between performance in requesting the resource the user is trying to access versus performance of ad servers or tracking servers. Needless to say, ads are not the resource the user is trying to access. And tracking is not even a resource. The speed of ads and tracking are obviously very important to Google, the company behind ECS. When we see a campaign for a "faster internet" from so-called "tech" companies such as Gooogle and Facebook we should keep in mind that "the internet" as envisioned by these middlemen is an internet full of advertising and tracking. As such, "faster internet" does not necessarily mean better speeds when downloading a resource. Ads and tracking are the not resources that users are intentionally requesting. They only serve to add delay and impede the user's retrieval of a desired resource. Hence the need for "ad blocking".
Personally, I do not use third party DNS services, i.e., shared DNS caches operated by third parties. Historically these shared caches are the source of various problems. There are plenty of alternatives available today what with the enormous advances in network speeds and local storage that have occurred since the days when shared DNS caches were a necessity. For example, all the DNS data I use is stored locally and served from loopback addresses, either in the memory of a forward proxy or from authoritative DNS servers. Requests never leave the computer. (NB. PiHoles send requests to upstream third party DNS providers by default. Unless the parent commenter changed the PiHole's i.e., dnsmasq's, configuration to use a local DNS server serving locally stored DNS data then requests would by default be sent to the internet. In the case the configuration is changed to point to a local DNS server serving local DNS data and the user is satisfied with DNS-based blocking, like what NextDNS provides, then the utility of a PiHole would be questionable. Just omit DNS data for ad/tracking servers. I have been doing this for decades; I began using DNS for "blocking" before "adblockers" or PiHole existed.)
I gave up on using anything that isn’t the default/auto DNS for when I’m on the go more, as it breaks every single public wifi hotspot that has a login/I-agree-to-not-do-illegal-shit-etc page that obv cannot be resolved
Sadly for the AdGuard team, there isn't much of an audience for this. It's one of those things everyone says they want but few people will actually install one, much less maintain one over time. Add to that the wife-forced uninstalls and the total long-term audience for this is (no kidding) in the thousands.
What is the reason for someone in the network to not want the filtering? Does this break some websites?
My own devices are covered, I definitely want full filtering even when not at home and my devices are completely hackable, but I'm wondering if such a tool would be a convenience for other people using the network in particular with less hackable devices, and people likely to use my network are likely totally uninterested in ads, but I don't want this to be a pain.
I used to need my wife's devices on the whitelist too - she had a job working with tracking and needing to see trackers fire when she loaded webpages etc. I once made a mistake and she got unwhitelisted and waited 4 hours wondering why her tracking codes "weren't working"
I don't get this comment. It is basically the same kind of tool as the Pihole only much easier to install and maintain. (It's a single go binary) Isn't this a popular class of software?
It is not a popular class of software to the masses, it is a popular class of software to a niche audience. I don't share as pessimistic attitude as OP though. I'm pretty sure the audience is in the tens of thousands!
They have that many stars on GitHub. They actually also have thousands of forks each. The api probably still has a way to count downloads but I didn't bother. I wasn't claiming users in the millions anyway. :)
What's funny is that I was once extremely optimistic about the potential for such a device, to the extent of having sold and delivered a few million in product.
Hard experience taught us that churn is just crazy high, no matter how compatible it easy to use you make it. Getting tens of thousands of stars is not the hard part because it's such an easy concept to like. But I would be surprised there are more than let's say ten thousand piholes in active use.
I guess I'm the exception to the rule, I spent a fair chunk of my previous weekend upgrading the hardware on my opnsense router/firewall so that I could virtualize opnsense and be able to glom on related services exactly like AdGuard Home easily.
Anyone know of an Adguard home or pihole equivalent service I can run as part of OPNSense?
I currently have a different machine dedicated to pihole, but it would be intriguing to have something built in. I would imagine split DNS and firewall rules would be simpler this way.
I'm in the process of migrating my OPNSense to a virtual machine so that I can run whatever network-related services I want right along side it in a container or VM. I used to scoff at those enterprising homelabbers who apparently stuck their firewall in a VM just because they could but I get it now. It's super nice to be able to just snapshot and back up the whole VM, and run whatever you want alongside it. (Although I will limit the box to specific network management things like AdGuard Home.)
Don't do this. Network firewalls are harmful. Let people configure their own firewalls on device. Having to VPN around network blocks is annoying to say the least. Network firewalls are harmful and just a lazy excuse for bad client security.
I run AdGuard Home on a Pi and it's fantastic. I was running PiHole previously and found it endlessly problematic, I rarely have to even think about AdGuard Home.
Coincidentally I just set up OpenWRT [1] on a NanoPi from FriendlyElectric.
How would this fit into using Wireguard? Or, how would I go about that? It seems like there might be something conflicting about running both, but I am very new to it all.
[1] It is actually running their FriendyWRT variation which came with the precompiled drivers for getting a Realtek USB wifi adapter to work, otherwise stock OpenWRT would work as well
Perhaps obvious, but if you’re using mixpanel or posthog for analytics on anything you build, you’ll have to put them on exclusion lists, in order to be able to use their analytics platform.
Depends on the blocklists you're using. I broke Google search sponsored links, some Slickdeals links, and the meta quest app store. You have the ability to whitelist as well if you want to unblock some things.
I'm running it in a docker container and then pointing my router at it.
Happy AdGuard user here. It's running directly on my EdgerouterX so no need for an extra device to maintain. I really love the high level service blocking as well, blocking the whole of Facebook is just ticking a checkbox!
And you can load the ad blocking lists into anyway so you get solid DNS, ad blocking and none of those random youtube spinners from rando dns issues. For nothing but a little configuration.
PiHole isn't natively recursive, but you can easily set up a service alongside pihole on the pi (or in another docker, if your pihole is a container) called Unbound which provides recursive DNS.
Because it’s written in C# and relatively new. Unbound is written in C so should consume less resources, has been around longer and has been vetted – FreeBSD and OpenBSD replaced BIND with Unbound.
The one downside to Unbound is that there’s no GUI so it can be a bit intimidating to set up. But the docs are excellent and Unbound defaults are secure, so it’s not as hard as it seems.
One other neat thing about AdGuard is that it is available as a Home Assistant addin - and it does integrate with the rest of HA, so you can e.g. have a switch to enable/disable blocking as part of your dashboard.
I contributed improved ipset support to this project. As far as I know, it’s one of the few off-the-shelf DNS servers that can insert result records into Linux ipsets to enable domain-based firewall policy. I run it on OpenWRT and use the ipset support to open the default drop firewall from my “smart” projector on my IoT subnet to NetFlix and YouTube. It sets the ipset entry expiry to the DNS TTL. Now, the only way for the machine to connect to the internet is to resolve a whitelisted domain and it can only access while the record is fresh. I haven’t encountered any issues so far. I take it that some Chinese users use this same functionality to selectively VPN domains to evade GFW.
Also runs on home assistant. The only thing to remember is when your updating HA (or you forget that your HA pi is not on the UPS, and you trip your GFI when doing home maintenance on your ring main) that your DNS also goes down.
Been 4 months and I'm pretty happy with the following setup: PiHole + RaspberryPi + Tailscale
With Pihole running on a tailnet all my devices use it by default as long as they're on the same tailnet. That way I have seamless ad-blocking even when I'm on cellular data or my friends' wifi networks.
257 comments
[ 3.6 ms ] story [ 238 ms ] threadI'm not entirely sure why AdGuard is giving this away, and maybe I should look into that, but seemed like a relatively low-risk decision to go with this for now. And I can't say enough about how much more pleasant using things like the NYTimes app has been without the obnoxious ads.
I thought i would need a second dns server behind it, but i could add all the rules I need right into adguard home. It even supports DoT and DoH upstreams, which is still not a thing with many home routers.
Edit: here are the docs: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuratio...
They already have many other commercials products and I guess also the default filter rules are very good because of their experience in the domain.
But I think you can use it completely without the AdGuard servers and use other filter list sources.
Disclaimer: adguard claims not to sell any customer data.
Here is my reasoning. I can read up the documentation and set it up and get it working. I'm going to brag to my friends about how my home network has no pesky ads and stuff. They will ask me to “Set up for me, Set up for me.”
I cannot help them maintain, even if I do set it up for them, so -- I'm going to say, “You know what, instead of that complexity, they have a simple app-based setup that just works for just $29 a year for your whole family.”
See, I just got five of my friends to download and buy the service in that dinner party.
I believe this is the same philosophy of todays' tech Startups -- have an Open Source Product but build a commercial business on top of that.
PiHole supports Conditional forwarding
Note: This isn't a shill for NextDNS; I love these kinds of projects and think they absolutely should exist, but NextDNS just happens to be one of those dead-simple SaaS tools that is an insanely good value.
0 - https://pi-hole.net/
1 - https://nextdns.io
The one (fairly huge) issue that I have is that it cannot handle captive portals when its enabled on my iPhone. So if I'm joining the wifi on a plane, etc, I need to remember to turn it off. This means that I cannot recommend it to my non-technical friends.
The portal would unapologeticly mitm the server response with a redirect to the portal login page.
The domain needs to exist (to pass DNS) and not have HSTS, but otherwise any address will do.
Alternative and free for private usage is to set DNS to:
on your devices to block ads with DNS.UPDATE: it seems the old one was dns.adguard.com (which was blocked in some countries)
Other than this problem, Pi-Hole has always been great
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
The US government has form (what was that early crypto machine they sold to allies and it was backdoored?), and they'd be foolish to miss such a strategically obvious play.
They are the same spooks that intercept router gear in transit, flashed it with secret firmware, then put it back in the mail. Like, of course the United Stated Intelligence apparatus, agencies with an unlimited budget, a national security mission, and is completely exempt from all laws has 100% capability to spy on some tiny company in Sweden.
> all of these third party VPN and DNS type services are literally NSA honeypots
https://mullvad.net/en/help/privacy-policy
It is up to you to decide what you believe, but Mullvad is a swiss company that does not ask for your personal information for signup and even allows payment in cash. You hurt your own credibility each time you make an unqualified claim without looking into it.
Generally prefer local solutions but gave up on Pi-hole some time back after recurring issues. Currently using client-specific adguard; however the centralized management with nextdns is enticing.
I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.
Exact same setup for me also.
I also run Tailscale since I have run into some remote networks that blocked wireguard's port.
I like the idea and might set that up but my residential ISP doesn't have great peering and latency isn't great. I wonder if that extra roundtrip would be noticable or not.
I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.
The blocker on PFsense eventually had the same issue.
Realistically, I was probably running too many overly restricting blocklists for my actual needs.
But, I also don't want to fiddle with messing with the out of the block blocklists that also caused me issues.
Not really. You can pull your phone out and do it in less than a minute
> it isn't always obvious which weirdly-spelled domain is causing the issue
It typically /is/ pretty obvious. You can drill down to the device making the request, and it becomes obvious once you see the blocked query
To each their own though. I personally don't want to pay a company to do something for me that I can do myself.
I generally will go in and whitelist things if a site breaks due to a DNS block, but of course putting your partner on the same VLAN can be problematic. I "got around" that by having a button in Home Assistant that will completely turn off Pi-hole (and now AdGuard). So my partner will go in and toggle that if there's a problem.
AdGuard Home does also have the ability to completely disable blocking for specific clients.
I also realize that you shouldn't expect most people to do that, let alone know how to.
I am someone who is very aggressively anti-ad.
One potential workaround, if your hardware supports it, is to broadcast two separate SSIDs for general users: one with a blocklist, and one without as a fallback. Users just need to know when to use each.
For the price of a single Pi, I can get NextDNS ad protection for _all_ my devices for multiple years. No matter where they are.
I run it on my NAS Linux server (in a Docker container) where I have a bunch of other things. Zero problems, now using it for more than two years.
Most likely it can be made to work, but I have more money than time to spend on faffing about with stuff that should Just Work, so I threw $10 at NextDNS which solved all my issues instantly :)
NextDNS has been fantastic. And like you said, easily portable.
My primary problem with Pi-hole or any other DNS-based blocker is that it silently breaks things. YouTube stopped saving my spot in videos. I couldn't click through on any link that involved a tracking service.
These things accomplish their stated task well, but leave behind an insidious trail of browser errors, broken pages, and broken apps without ever indicating to the user what the cause of the problem really is.
DNS just isn't the right tool for fixing shitty UX in the browser DOM or a mobile app. It's a happy coincidence that it works more often than not.
In fact pi-hole works so well that I'm always struck by how awful the internet has become when I venture away from my home network. Doctorow's enshitification in action.
It's really an issue with feedback, though. When my ad blocker breaks a page, it says that it blocked something. When pi-hole breaks a page, it just appears to be broken.
1: https://discourse.pi-hole.net/t/commonly-whitelisted-domains...
Still, these problems are so small compared to the value I get out of my PiHoles. Blocking ads for years on end while having troubles maybe 3-4 times in total. All the other time it just works.
I saw some people setup pihole 5min temporary off buttons one way or another to get by. I run lockdown also.
ControlD has worked well for me, outside a few UI complaints I have with their site. I do have some concerns with trust as I don't know much about ControlD, and I'd rather use the most trusted service for this.
I'm seeing ControlD as much more feature-rich and the service is evolving faster. I also personally like the UI a bit more vs NextDNS. Prices are comparable.
So ControlD would be significantly more than NextDNS for me personally.
Maybe I'll give it a try sometime.
One advantage over Pi-hole I noticed is I can return NXDOMAIN which makes more sense to me. I didn't see how I had that option with Pi-hole.
I just checked, and the generated unbound configuration comes in at 218000 lines, so takes a moment on my Celeron J3060 class router when loading unbound.
https://www.tumfatig.net/2022/ads-blocking-with-openbsd-unbo...
I ended up with Pi-Hole on local network (manual DNS tied to Wifi SSID), NextDNS as default/fallback on other networks.
I could do the same with "vanilla" DNS (udp port 53) as well, but I don't.
Pihole can't, easily, do Dns vis TLS/QUIC etc without 3rd party stuff being bolted on etc. Adguard Home is a single binary, it's great.
I don't know what problems you had with your Pi that resulted in 10% downtime, but that sort of hyperbole sounds a lot like shilling. Cases of SD card corruption are 99.9% due to the use of underpowered power supplies - just buy the official Raspberry Pi power supply if you can be bothered to search for a proper 2.5-3A USB power supply.
> At $20/year [...]
At $20 a year, I could buy a RPi Zero 2W and an SD card to keep as a spare every single year and have enough left over for a celebratory Sheetz sandwich. PiHole + WireGuard + $15 RPi Zero (once off) are unbeatable.
I run a bunch of local services on RPis and a decade-old Mac Mini. I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it. I only run things that don't need to be highly available, so something like Pi-Hole is off the table. The last thing I want is for our DNS to go out while I'm sleeping, and my partner has to wake me up because she has work to do.
You mention SD card corruption as the only reason why a RPi-based service might fail, but there are plenty of others: botched updates, random hardware failures, power supply issues, and likely other things I'm not thinking of.
And even if a Pi-Hole can keep three nines of uptime (I'm skeptical of this claim), many people will find significant value in giving someone else money so they don't even have to think about digging into fix a problem for the rare occasion it happens. Suggesting that a particular home-hosted solution is "unbeatable" is meaningless; "unbeatable" in this case is a subjective measure, and other people will value different things than you do.
I don't know the nature of your maintenance, but I've had unattended security updates working for years, I automated a bunch of stuff and use etc-keeper.
> I only run things that don't need to be highly available
Redundancy helps. 2 (more!) RPis cam be primary/secondary/tertiary DNS servers to match paranoia levels. Even if you have a single PiHole, keeping a pristine copy of the PiHole on a $3 sd card will get one up and running instantly.
> Suggesting that a particular home-hosted solution is "unbeatable" is meaningless
What site am I on, Subscription-Services-News? (:
$20 a year spent on a hand-rolled RPi that you have full control over and enjoy tinkering with—amazing value!
$20 a year for something like NextDNS so you can spend your time worrying about more important (to YOU) things, amazing value!
It's wondrous the choices we have today. 30 years ago it would have taken a rack full of noisy servers and a few thick books to keep a DNS service up and running at anything even close to 99%.
I like the convenience and the fact that I’m blocking about 4M domains.
My TV is also forced to use it so ads don’t update on Android TV.
Not sure if NextDNS supports custom domain lists or not.
1. Dishonest people might try to debate intentionality. But forseeability is indisputable. The privacy issues created by ECS were known when it was introduced by Google. If ECS is truly for performance _that benefits the user_ then it stands to reason that it should the _user's_ choice whether to send it. That is, ECS should be optional. This is not merely a personal opinion. It was a consensus. See: https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf AFAIK, NextDNS, like Google and OpenDNS, will not allow any user to disable sending ECS.
For example, Cloudflare when it launched 1.1.1.1 decided not to send EDNS subnet and they have claimed this is based on privacy grounds.
Whether anyone cares about privacy is their business, not mine. And whether anyone believes ECS improves peformance for them is for them to decide, not me.^2 Here I am just presenting some facts for consideration. Anyone is free to disregard these facts.
2. When considering "performance" we might differentiate between performance in requesting the resource the user is trying to access versus performance of ad servers or tracking servers. Needless to say, ads are not the resource the user is trying to access. And tracking is not even a resource. The speed of ads and tracking are obviously very important to Google, the company behind ECS. When we see a campaign for a "faster internet" from so-called "tech" companies such as Gooogle and Facebook we should keep in mind that "the internet" as envisioned by these middlemen is an internet full of advertising and tracking. As such, "faster internet" does not necessarily mean better speeds when downloading a resource. Ads and tracking are the not resources that users are intentionally requesting. They only serve to add delay and impede the user's retrieval of a desired resource. Hence the need for "ad blocking".
Personally, I do not use third party DNS services, i.e., shared DNS caches operated by third parties. Historically these shared caches are the source of various problems. There are plenty of alternatives available today what with the enormous advances in network speeds and local storage that have occurred since the days when shared DNS caches were a necessity. For example, all the DNS data I use is stored locally and served from loopback addresses, either in the memory of a forward proxy or from authoritative DNS servers. Requests never leave the computer. (NB. PiHoles send requests to upstream third party DNS providers by default. Unless the parent commenter changed the PiHole's i.e., dnsmasq's, configuration to use a local DNS server serving locally stored DNS data then requests would by default be sent to the internet. In the case the configuration is changed to point to a local DNS server serving local DNS data and the user is satisfied with DNS-based blocking, like what NextDNS provides, then the utility of a PiHole would be questionable. Just omit DNS data for ad/tracking servers. I have been doing this for decades; I began using DNS for "blocking" before "adblockers" or PiHole existed.)
Turning it off occasionally reveals the horror of the un-ad-blocked internet. I never forget to turn it back on.
Where are you seeing that? The only reference to OpenWRT I see is in the "Projects that use AdGuard Home" section which links to a different project.
Otherwise that's a misleading title - this is a PiHole alternative.
My own devices are covered, I definitely want full filtering even when not at home and my devices are completely hackable, but I'm wondering if such a tool would be a convenience for other people using the network in particular with less hackable devices, and people likely to use my network are likely totally uninterested in ads, but I don't want this to be a pain.
Apple’s Private Relay also does not work behind a pihole.
Hard experience taught us that churn is just crazy high, no matter how compatible it easy to use you make it. Getting tens of thousands of stars is not the hard part because it's such an easy concept to like. But I would be surprised there are more than let's say ten thousand piholes in active use.
I currently have a different machine dedicated to pihole, but it would be intriguing to have something built in. I would imagine split DNS and firewall rules would be simpler this way.
* https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
* https://try.popho.be/securing-home3.html
* https://git.sr.ht/~moviuro/moviuro.bin/tree/master/item/lie-...
https://0x2142.com/how-to-set-up-adguard-on-opnsense/
How would this fit into using Wireguard? Or, how would I go about that? It seems like there might be something conflicting about running both, but I am very new to it all.
[1] It is actually running their FriendyWRT variation which came with the precompiled drivers for getting a Realtek USB wifi adapter to work, otherwise stock OpenWRT would work as well
I'm running it in a docker container and then pointing my router at it.
https://technitium.com/dns/
Qs: this says “ Technitium DNS Server is an open source authoritative as well as recursive DNS server”
Are pi-hole/Adgyard also recursive DNS server or just a blockers?
Edit: I’ve been using pi-hole for ages, trying to figure out if this has any advantage.
PiHole isn't natively recursive, but you can easily set up a service alongside pihole on the pi (or in another docker, if your pihole is a container) called Unbound which provides recursive DNS.
I had a pfsense, which died a few days ago while upgrading from 2.6 to 2.7. I believe it was running Unbound.
The one downside to Unbound is that there’s no GUI so it can be a bit intimidating to set up. But the docs are excellent and Unbound defaults are secure, so it’s not as hard as it seems.
http://www.privoxy.org/
It comes with all the limitations of using a HTTP Proxy in today's world where SSL is everywhere.
Side note: it’s always DNS…
With Pihole running on a tailnet all my devices use it by default as long as they're on the same tailnet. That way I have seamless ad-blocking even when I'm on cellular data or my friends' wifi networks.