In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
> For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
An increasing number of them also rely on hard coded DoH servers which is harder to block/redirect. You will need to will Pi-Hole/Adguard Home on router to block them based on some curtailed lists (i.e [1])
In this arms race you are saying a current "move" is a curated list of IPs that correspond to known DoH servers ... and that's fine ..
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
That might work but if your Samsung example is behind cloudflare, you're basically going to have to block any and all access to cloudflare's Network.
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet
I run Zenarmor in addition to Adguard at home, which can detect DoH traffic and intercept it. You have to pay for this enterprise level tool, but if you are worried about DoH, Zenarmor is so far the easiest tool to block it.
In our house the only device that tries to use DoH is my partner's iPhone. It tries a few times, fails, then uses the Adguard DNS, which blocks the trackers.
If you're really serious about DNS interception, you'd setup something where
a) you stop accepting A lookups, because it's 2025 and IPv4 only is dead (let's pretend anyway)
b) for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts). Then only let clients connect to these IPv6 addresses you setup.
If someone smuggles address resolution through, outside of DNS, their clients can't connect.
(this is going to be a big PITA, but that's how these things go)
> for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts)
We employ exactly this technique for our Android firewall app. It can do IPv4 (by mapping hash(domain) name onto RFC6598 reserved subnet [0]) as number of unique AAAA/A requests on a client seldom exceeds 35k/mo!
Another (simpler) control we offer users is, to drop all connections made to IPs that the user-set resolver did not do name resolution for.
> (this is going to be a big PITA, but that's how these things go)
> Another (simpler) control we offer users is, to drop all connections made to IPs that the user-set resolver did not do name resolution for.
This sounds good, and I've wondered how I could implement such a thing.
However, with the clearly hostile approach all IoT appliances are taking, I wonder if they'll actually fall back to a "degraded" (for them) config with the network-provided DNS, or whether they'll just fail and complain the network is broken or something.
And before DoH was a thing, several Chinese apps I've used also used to do plain HTTP for DNS resolution (I only caught them by chanbecause they were doing HTTP). PiHoles only work for apps that stick to the standards and don't mind being caught.
I use these settings on all my browsers to prevent DoH and make sure traffic goes through my Pi (I run unbound directly on the Pi though, not Pi-Hole: in my experience unbound is a bit harder to set up initially but it's also more powerful than Pi-Hole... For example unbound accepts wildcards in blocklists).
It's not incompatible with also blocking, at the firewall level, all known DoH servers of course.
Nor is it incompatible with forcing your router to also use your Pi as a DNS.
What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.
They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves
> read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.
>Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.
Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.
Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?
Yeah DoH was a solution to a really niche US-only problem where their laws provided the ability for providers to sell their users' DNS logs. In normal countries with privacy protections this isn't a thing anyway.
In this model, DoH is only a bad thing because it evades local DNS control.
I know that apps can always roll their own or even hardcode servers, but I hate the way that DoH was seen as some kind of saviour even though it adds zero benefit to European users and only adds negatives.
HTTPS is not necessary to encrypt DNS traffic. DNS-over-TLS exists, but it has much less traction compared to DNS-over-HTTPS. I am guessing the reason is that HTTPS traffic all goes through port 443, so "censorship" of DNS becomes tricky, since DNS traffic becomes a bit harder to distinguish from ordinary web traffic.
Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).
Everything other than 80 and 443 is blocked by default, anything-over-https is just a matter of time. With a properly configured TLS MITM proxy only certificate pinning will prevent snooping, but it’ll also prevent connectivity, so you might call it a win for security/privacy, or a loss for the open internet if it’s you who needs to VPN to a safe network from within such an environment…
The arms race will continue. I think the next gen will be a self hosted archive.ph style host that lets all the garbage load and distills it into a PDF or Web 1.0 style file ready for consumption. I would be fine with a browser extension that learns what I watch the most and preloads it for me, and/or an on demand service that shares prerendered sites bundled into torrents that group together common interests.
Edit: as much as I dislike AI, I concede it would be lovely to tell it to replace all ads with pictures of flowers.
I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. Blanket pihole recommendation may be disservice at this point.
No, that's not a fix and those iptables settings are on the router. It will only catch DNS requests on port 53. Doesn't catch DoH which you can't do on a router, you need a firewall for that.
Also, doesn't that break the network if the pihole is offline? Before I'd just override DNS on my workstation, but that iptables config would block any "unsanctioned" DNS traffic
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.
I don't _think_ you need a whole Raspberry Pi 5 kit. It seems like an older Raspberry Pi 3b+ would get the job done for $35 or so. Maybe even a Raspberry Pi Zero ($5) with an micro usb ethernet adapter.
RPi5 is definitely a huge overkill. Plus, it needs a power adapter, probably some cooling, and some space to seat it.
Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
I recommend against the Pi Zero. Once you add in the cost of the microUSB to USB-OTG adapter and the ethernet USB adapter you might as well buy a 3B or 4. Price aside it adds an extra mechanical point of failure as microUSB is not very robust.
If you want a machine to run 24/7 for a long time, running it of an SD card is a bad idea. The NVMe support on a Pi 5 is important for somthing like a PiHole
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
And if you're getting close to $75 and don't need ultra-low power use, you should get a N97/N100 MiniPC anyway - or a used business PC like a Lenovo ThinkCentre.
All can be bought for around $100 and are upgradeable with standard parts AND are multiple times more powerful than any raspberry pi.
It’s all relative. I’m at 24.4% but I have quite a few devices like Wemo light switches at the top of my DNS queries. Only have one Amazon Alexa device but that’s near the top as well.
IoT devices which constantly phone home will skew things.
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
Could be nice to have both! Plus, it's not clear that chrome will always support manifest v2. I recently learned that you can still use unlock origin in chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
"uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc."
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already ?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options ?
I mean I expect devices and apps to move to DoH, but they haven't yet, or at least not all of them. My experience generally on my phone at home (with DNS blocking) is better enough than my experience away from home that I'm glad I took the half a day or there about to set up a DNS blocking tool a couple years ago.
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it I should probably start logging how many DNS look ups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of W to power the RaspberryPI
I agree. I don't want to be a hater, because it's a cool idea... but I find that this is just the wrong level to operate on.
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
I watch YouTube on my TV. Using Firefox, with uBlock Origin. We have a laptop plugged into the TV, with a bluetooth keyboard. It is a vastly superior experience to any smart TV I have ever seen.
And also more than most people want to have setup in the living room. My wife would rather have ads on YouTube occasionally than an ugly computer plugged in all the time. It’s also more difficult to deal with than a remote you can work one handed.
You can get a pi and tuck it behind the TV. Then get a mouse that's styled like a remote. There's also plenty of OSs designed to look like a proper smart TV OS
Small PCs and drawers exist and i would rather have a whole damn server rack than 30 seconds to 3 minute ads every 5-10 minutes / video. It's worse than TV...and no im not gonna give google money for a continually worse experience despite paying.
I'm with you entirely, and that is how I interact with youtube.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the some what finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
Using my ShieldTV, I've very much enjoyed SmartTube for ad-free YouTube viewing. It performs very well and is constantly updated when YT pushes new blocking techniques.
No, the objections are stupid. Not only is the Firefox experience vastly superior to any smart TV app, but you can have easy and effective ad blocking on top.
My best guess at why people don't want to do this is that we're conditioned not to do anything that isn't advertised to us, and nobody is running adverts telling you to hook a laptop up to your TV for a superior smart TV experience.
But I also get why people just want to sit on the couch, find a nice video on the phone and with the press of a button want to see it on the TV. No computer boot time, no updates, no writing on the keyboard while laying down.
I get that you can buy a fanless pc, install linux with unattended-upgrades and you have something more powerful. But most people don't know how or don't want to go through that hassle.
Leave the computer running all the time. Never install software updates. Browsing for videos with keyboard is equivalent or better than browsing with phone. If you really want to browse with phone I guess you need a Firefox extension that can send the tab to the laptop. Personally I've never looked into that because I can't imagine wanting to do it.
> Browsing for videos with keyboard is equivalent or better than browsing with phone.
Again, for you yes. But some lay down on the couch and a keyboard in that posture is just annoying.
And copying a youtube video from the app, into firefox app to just send it to the computer is bonkers complicated when you could just press the cast icon.
A lot of people interact with their phone all the time, but rarely use the computer. I'm telling you, it's more easy to use the build in Youtube app for a lot of people.
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
pihole, adguard, nextdns etc work at the network level. meaning you do not need to configure client devices. its one and done. also means that your dummy clients like TVs, IOT devices, etc... are going to be participating as well. you can't install ublock origin on a TV, or my dog's wifi collar, etc.
Used to be to catch ads in places outside of browsers like apps, smart TVs etc, or when mobile browsers didn't let you have ad block plugins, plus catching outbound connections like devices trying to phone home. Less effective now, unfortunately, but I find it still catches a lot of ads in mobile apps even if more and more apps are working hard to circumvent DNS blocking. Also have set up PiHole* to block ads for non technical family members who don't know how/can't be bothered to use a browser plugin. Another perk is it gives you some high level overview about what devices across your whole network are up to, though there are other (and often better) ways to achieve this.
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.
There's a lot more to Tailscale but for a basic setup you just install the client on all your devices, and set DNS to the NextDNS endpoint. Any device on your network will automatically pick it up.
You don't strictly need it, it just makes it a tiny bit more convenient since you can set it up to override DNS on any connected device, and Tailscale sets up a private VPN mesh between your devices I've come to get take for granted - a tangential feature that goes well with centrally managed DNS.
For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be setup on the router.
Makes it nice and easy for the non-technical members of the fam.
I personally use it on my devices as well as on TV and SmartPhones of my non-tech-savvy family. However, deep in my mind, I have a feeling that, any day they will turn face and sell off to some data brokers and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard-Home on cheap VPS, but after NextDNS decomissioned it. May be need to go boot it up again.
NextDNS is not the answer if someone is looking for apps to toggle on or off the blocking easily. The NextDNS apps on iOS and iPadOS have not been updated for about five years and the toggle is broken (I know this because I’ve been troubled by it for years). If using the app on iOS/iPadOS (and not a permanent VPN profile), anytime you wish to know if NextDNS is on or not, go to test.nextdns.io on a browser and see if it shows “unconfigured” or some specific NextDNS endpoint. For me this test has proven how it randomly works or doesn’t work.
Does it really have to be installed in the local network? I would like to set it once in a server and then be able to configure the box of all my friends, family, etc.
Be aware that if you run it on the internet other people will find it. I had one open to the web for a bit and was a bit surprised how many systems started making requests to it.
it depends on your needs, but for me I set it up as the dhcp server and configure the router to go through the pihole. If you want to share it family and friends there is no better tool than tailscale, you can configure the pihole as an exit node.
Pi hole devs recommend running it locally only and discourage exposing your pi-hole to the internet. I used pi hole for years but have been using NextDNS lately and it works well outside of my home network, and even has a free tier.
No, but it won't have auth in front of it so it will eventually be discovered and used by people who aren't you. That could get you wrapped up or even implicated in a cyber attack.
66% would indicate that OP may have a device repeatedly trying to resolve a blocked query with no reasonable backoff logic.
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
66.6% of traffic per DNS request is a metric of network traffic. You could measure by bandwidth, by number of packets, by number of sessions, etc. There are many measurements one could use, and DNS requests is one of them. It would probably be irrelevant for other purposes but isn't a crazy measurement given this context.
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.
these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
It still shouldnt break all the time. You shouldnt havr to get good at debugging a tool like this. I use but it dors destroy my network once a month and have had to build cleanup/reinstall scripts for this scenerio. I would not recommend to most people.
Yeah, and set the IP of the PiHole as DNS for any device you've set static network settings on as well, but yes, it is indeed "very straightforward" for anyone that's able to set up their local network (or able to ask a "nerdy" friend or family member to do it for 'em).
it's a good post, however I agree with the comments there and here that a raspberry pi 5 with 8gb ram is an overkill for just running pihole. a good old Raspberry Pi 3 Model B with 1gb ram it's enough and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have so no need to buy a device just for the sake of it. I would rather not run it as a docker container thou but that's just my preference
Yup, I am using a Pi 3B as well. Silent, passive-cooling case, 16GB µSD card which is at least twice as big as it needs to be, and it uses about 10% of RAM and 10% of CPU.
I enabled `unattended-upgrades` and set it to do all types of update. I've never caught it in a reboot but it's always current. It swaps to ZRAM for less load on the µSD card.
After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.
I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with µBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices.
The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
To fix that you just need to look through the logs through the native pi-hole UI and whitelist those domains which cause friction with your browsing habits.
The google sponsored search issue was one I also fixed quite quickly.
As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.
That is also an option yes, however it is challenging in todays world to find products that aren't hostile. Usually its a question of to which degree are they hostile and what can I live with or control.
For the Google issue, I’ve been using Kagi as a search tool for the last 2 weeks and love it. No ads and great results that can be personalized. I’m on the free version but will likely start the subscription soon.
That still won't work if they use the same server to serve DoH as the rest of the content. You really have to break open the TLS connection to block it properly.
My power went out today. Which means at some point my UPS' run out of capacity and my core infra VM host has to shut down. I run Adguard on that device ... so once it is gone, my ad-blocking is gone.
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.
My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IOT, android, chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones. (plus a steamdeck) My wife has a few ugly apps (facebook, instagram, etc) but outside of that we're in much better shape network-wise.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
I know I'm not alone in maintaining a strong feeling that we've "gone the wrong way" with tech in a lot of ways, as the meme goes, and forgotten (societally) that tech is there for us rather than the other way around.
I like your approach - take a light touch using technology; use tech where it helps and ignore it where it doesn't.
(The challenge of course is when you can't or aren't allowed to ignore it, its own challenge).
They could just switch their dns back to auto (or statically use google/cloudflare/etc depending on how you configure it), no? Then fix it when you’re back.
You could also set up 2 ssids depending on your WiFi set up. Point one to pi hole and the other to a different DNS provider. Instruction if pi hole breaks is just switch WiFi.
What black-swan event would cause would 2 PiHoles go down simultaneously? You could always use a non-PiHole guest-network if your WiFi hardware supports it, and let your family know to use the guest network if the regular network is down. The manual switching might not be necessary as most computers, phones and tablets automatically disassociate from a WiFi network if it's "offline", such as when DNS resolution fails.
If you really want to try the pihole, and are worried about corruption you could use a read-only root filesystem and mount /tmp and /var/log on tmpfs ramdisk, alternatively, add "@reboot touch /forcefsck" to force a disk check whenever the Pi(s) reboot, including when power returns after an outage.
One work-around is to get them to modify their wifi connection to use a specific DNS (e.g. Google at 8.8.8.8 and 8.8.4.4 is easy to remember).
I run Pi-hole in docker on a NanoPi that I setup as my router (running OpenWRT). In the rare occurrence that it misbehaves, I could just tell my spouse to power cycle it. I did think of having a failover, but there's always going to be a single point of failure with my ISP router anyhow.
I run Wireguard in combination with Pi-Hole so I can VPN into my home network to configure anything I need. DuckDNS if you’re on a dynamic DNS provider. It’s also nice to have this since you can get the adblocking when away from home.
I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.
What do you mean without machine specific binaries? Like, building it from source? The instructions for that are pretty ambiguous and look like they are only for part of the system (https://docs.pi-hole.net/ftldns/compile/). However, if you just mean running it bare metal then running the installer script mentioned at the top of the Github page will install it using native packages for your system (apt, rpm, etc).
>I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.
I have done so for four or five years.
Well, with x86_64 binaries -- but I could compile the code myself if I wanted.
I wouldn't bother buying a raspberry pi 5 to run this shit though, as the article suggests. It's way overkill.
Just run the docker on another server you're running anyway, or run it on a raspberry pi zero 2W for $15. A pihole does so little work, it doesn't benefit from a pi 5.
I just run it on a VPS that costs me 3€ per month and runs lots of other stuff too like an IRC bouncer. That way I can access it from everywhere.
It's not worth the support trouble for the little it would make. Adblockers often break legit things too. Often people still want to use links that go through tradedoubler and the like. One support call and your yearly profit is wasted.
And how do you block access to non paying customers? DNS isn't autenticated.
It's also not really a great method for adblocking anymore (which would make the support problem worse, "why am I still seeing ads?")
I like the idea, but also it wouldn't feel fair for some services that I use like Twitch, or some cooking websites. I get that they sometimes really abuse all that stuff, but also I feel like they deserve some kind of compensation.
210 comments
[ 2.8 ms ] story [ 218 ms ] threadEDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
[1] https://github.com/dibdot/DoH-IP-blocklists
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet
In our house the only device that tries to use DoH is my partner's iPhone. It tries a few times, fails, then uses the Adguard DNS, which blocks the trackers.
a) you stop accepting A lookups, because it's 2025 and IPv4 only is dead (let's pretend anyway)
b) for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts). Then only let clients connect to these IPv6 addresses you setup.
If someone smuggles address resolution through, outside of DNS, their clients can't connect.
(this is going to be a big PITA, but that's how these things go)
We employ exactly this technique for our Android firewall app. It can do IPv4 (by mapping hash(domain) name onto RFC6598 reserved subnet [0]) as number of unique AAAA/A requests on a client seldom exceeds 35k/mo!
Another (simpler) control we offer users is, to drop all connections made to IPs that the user-set resolver did not do name resolution for.
> (this is going to be a big PITA, but that's how these things go)
You don't say.
[0] https://github.com/celzero/firestack/blob/2191381f/intra/dns...
This sounds good, and I've wondered how I could implement such a thing.
However, with the clearly hostile approach all IoT appliances are taking, I wonder if they'll actually fall back to a "degraded" (for them) config with the network-provided DNS, or whether they'll just fail and complain the network is broken or something.
https://support.mozilla.org/en-US/kb/dns-over-https
I use these settings on all my browsers to prevent DoH and make sure traffic goes through my Pi (I run unbound directly on the Pi though, not Pi-Hole: in my experience unbound is a bit harder to set up initially but it's also more powerful than Pi-Hole... For example unbound accepts wildcards in blocklists).
It's not incompatible with also blocking, at the firewall level, all known DoH servers of course.
Nor is it incompatible with forcing your router to also use your Pi as a DNS.
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
I forgot the name of the software but there used to be a few tools to terminate and reencrypt. But yeah dnssec is it's own challenge
Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.
In this model, DoH is only a bad thing because it evades local DNS control.
I know that apps can always roll their own or even hardcode servers, but I hate the way that DoH was seen as some kind of saviour even though it adds zero benefit to European users and only adds negatives.
DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.
Sending anything in clear text over the internet in 2025 is criminally negligent.
Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).
And yeah I also think it's a really bad idea to run everything over https. But I don't think it'll happen.
Here the ISPs are intermediairs too, but we have laws to prevent them from using our data using DPI etc. And even if you use their DNS.
I agree encryption is important but DoT is much better then. DoH mainly took off because of this in the US.
Edit: as much as I dislike AI, I concede it would be lovely to tell it to replace all ads with pictures of flowers.
1: https://en.wikipedia.org/wiki/Dnsmasq
Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
But you can do for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
All can be bought for around $100 and are upgradeable with standard parts AND are multiple times more powerful than any raspberry pi.
Currently im at 28% blocked. Typically im above 50% like OP.
They have significantly higher number of domains blocked. time to update my lists: https://firebog.net/
IoT devices which constantly phone home will skew things.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
It's best to run both.
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already ?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options ?
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it I should probably start logging how many DNS look ups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of W to power the RaspberryPI
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the some what finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
My best guess at why people don't want to do this is that we're conditioned not to do anything that isn't advertised to us, and nobody is running adverts telling you to hook a laptop up to your TV for a superior smart TV experience.
But I also get why people just want to sit on the couch, find a nice video on the phone and with the press of a button want to see it on the TV. No computer boot time, no updates, no writing on the keyboard while laying down.
I get that you can buy a fanless pc, install linux with unattended-upgrades and you have something more powerful. But most people don't know how or don't want to go through that hassle.
Again, for you yes. But some lay down on the couch and a keyboard in that posture is just annoying.
And copying a youtube video from the app, into firefox app to just send it to the computer is bonkers complicated when you could just press the cast icon.
A lot of people interact with their phone all the time, but rarely use the computer. I'm telling you, it's more easy to use the build in Youtube app for a lot of people.
https://grapheneos.org/
https://f-droid.org/
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
I'm not sure how a blocker would work if it couldn't see the content of the page...
Best to run both if you're in a position to do so
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.
https://youtu.be/bJHPfpOnDzg
Makes it nice and easy for the non-technical members of the fam.
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.
I enabled `unattended-upgrades` and set it to do all types of update. I've never caught it in a reboot but it's always current. It swaps to ZRAM for less load on the µSD card.
I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with µBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
jnn-pa.googleapis.com
was likely in one of the lists - add it to "Exact allow" list
Similarly you can allow
googleadservices.com
but that is too much IMO - I just have a habit now to not click on such results.
The google sponsored search issue was one I also fixed quite quickly.
As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.
https://news.ycombinator.com/item?id=41382231
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
(The challenge of course is when you can't or aren't allowed to ignore it, its own challenge).
1) at work 2) out of town 3) or just not home
Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.
You could also set up 2 ssids depending on your WiFi set up. Point one to pi hole and the other to a different DNS provider. Instruction if pi hole breaks is just switch WiFi.
I run Pi-hole in docker on a NanoPi that I setup as my router (running OpenWRT). In the rare occurrence that it misbehaves, I could just tell my spouse to power cycle it. I did think of having a failover, but there's always going to be a single point of failure with my ISP router anyhow.
I have done so for four or five years.
Well, with x86_64 binaries -- but I could compile the code myself if I wanted.
No containers, just a Linux (Fedora) VM.
Just run the docker on another server you're running anyway, or run it on a raspberry pi zero 2W for $15. A pihole does so little work, it doesn't benefit from a pi 5.
I just run it on a VPS that costs me 3€ per month and runs lots of other stuff too like an IRC bouncer. That way I can access it from everywhere.
And how do you block access to non paying customers? DNS isn't autenticated.
It's also not really a great method for adblocking anymore (which would make the support problem worse, "why am I still seeing ads?")
PS, I didn't mean the word 'shit' negatively. 'stuff' would have been better. But I meant it more as in 'check this shit out' :)
Pihole is actually a really nice project even though it's just a wrapper around dnsmasq.