Pi-Hole – A black hole for Internet advertisements

DoTLS and DoHTTPS can be intercepted on your own devices by adding a privately generated certificate to your root store and MITMing the traffic. By design this is the only way to filter this traffic based on content.

Regardless name resolution based ad blocking is relatively futile against even naive workarounds. For instance what is to stop someone from using a custom DoHTTPS format on any webpage to resolve the name directly in browser? What's to prevent them from obfuscating it in a way your MITM couldn't realistically detect?

In the end ad blocking is best done directly on the client through something like uBlock Origin. Not only does this allow you to create a network request block list (now with the added capability of reading/filtering on the whole URI) but it also allows for style based blocks where the ad content could even be blocked if it comes from the same server and resources serving the actual page.

Like Vixie said, route and answer 8.8.8.8. He is complaining that he has to do it. He is not saying that there is no solution.

Putting a DNS client in Chrome (I think they removed it but who knows), or Chromecast, or whatever is "evolutionary pressure".

It forces users to evolve the solution to work around it. This is good.

If users are forced to learn to use an RPi for DNS (and we can see they are doing that with Pi-Hole), and eventually another pocket-sized computer with open-source software for routing, that benefits the community of users who want to avoid ads.

If avoiding ads is the goal, then using a pocket-sized computer with a user-installed OS is better than a solution marketed by a commercial third-party, as almost always those third parties rely partially/wholly/directly/indirectly on the ad business.

Re #4: really?! I missed that news. Sounds horrible. So instead of using my ISP, that I chose and trust, all my DNS queries now go to some foreign megacorp?!

I have a pfsense box. It's quite arbitrary to block DNS request that are anywhere except to your pfsense box. eg. https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-...

Could just point to an IP directly as well. That could be blacklisted as well but in today's tech stack it is really easy to change variables so that a block would have a short term effect on the client.

I bought the Pi-Hole kit for ~$US100 but was never able to get it to work properly with SSL/TLS sites despite some (admittedly cursory) Googling. It's a great idea in theory.

https://uk.pi-supply.com/products/pi-hole-kit-network-wide-a...

What is "Firefox 64 for PC"? Does this mean non-mobile Firefox?

I'm running the Docker image for my home network, it is really convenient.

Not directly related, but uBlock Origin is a better ad blocker than AdBlock Plus. From what I understand the uBlock Origin uses fewer resources; but more importantly, doesn't take money from advertisers to allow certain ads: https://adblockplus.org/en/about#monetization

It's more trusted nowadays and very easy to switch to.

There’s a simple pause button on the web interface. I bookmarked it on my wife's phone and showed her how to disable and she's had no trouble since. At first she was skeptical about the pi-hole but after seeing the difference it made, she's totally on board. We don't need to disable it often though, maybe once every month or two.

Right now, I've set up my Pi-Hole at home with this curated whitelist: https://github.com/anudeepND/whitelist

I haven't had any issues come from me or anyone in my family using it thus far. Although, there's an active discussion which that whitelist pulls mostly from here: https://discourse.pi-hole.net/t/commonly-whitelisted-domains...

I am using pfsense with pfblockerng for ad/tracking protection. My wife spents a good amount of time on a mobile fashion game. In addition to the forced in app purchases once a month, it makes her watch plenty of video ads every day. She has to watch those ads to get virtual currency that can be used to purchase things that is a must for playing the game. With the protection enabled, the ads won't show and she can't play. So I had to whiteliste her mobile in pfblockerng. She still complains that it doesn't work. So she uses mobile data to play the game. I am not sure what else in pfsense is breaking it for her, I haven't looked further into it. One good thing is it helps me save bandwidth. My home internet has 500gb limit after which it drops to 1/10th of the speed. She seems to be using up close to her 1.5gb daily limit almost always, just from this game and facebook. So I get more bandwidth to download stuff!

So I did experience this. I eventually just moved my wife's phone over to a static IP/external dns so she didn't have to deal with it. But at least the rest of the network (IoT in particular) had less tracking.

I've unexpectedly nice thing was the Roku screensaver went back to a simple bouncing logo instead of the ad-filled scrolling billboard thing.

On a mac, you can set up Network Locations. I have one set up with the pihole dns server, and have the Automatic one set to normal defaults. There's a simple script[0] that will change your Network Location based on the wifi network you connect to, so I don't have to worry about switching it manually when I leave home and I don't have access to the pi as a DNS server.

Granted, none of this answers your question directly, but a manual Network Location switch from System Preferences is a somewhat simple change that's a little less friction than a whitelist. The auto changer should switch it back next time your wife's computer reconnects to the network in case she forgets.

[0] https://github.com/eprev/locationchanger

You'd have to show her how to login to the web GUI and temporarily disable it I think, but I wonder if it's the use case.

If you're enabling ad filtering on the DNS level on your router, its more along the lines of forced ad filtering on your entire network, so you're kind of sacrificing user configurability for global ad filtering on your network.

Personally, I've only had the experience of a broken webpage once in two and a half years of using it.

I had to divert a bunch of devices (Samsung TV, Switch, etc.) around the pi-hole because it was easier than trying to figure out what they needed whitelisting.

A trick for mobile is to just turn off WiFi for a minute to load the page over cellular.

It doesn't. I stopped using it when one of their default lists started blocking Microsoft.com. I get some people don't like Ms, but that kind of default is just plain negligent. Blocking updates silently is never ok in my book.

sorry, didn’t realize it was already on 5 months ago

You're probably going to want to whitelist a domain here and there relative to the default blacklist. And the pi-hole has a few blacklists that aren't enabled by default, since they are much more strict.

So pi-hole-as-a-service doesn't make too much sense.

Seems like there is: https://adguard.com/en/adguard-dns/overview.html

However, as it's been said, you might want to easily whitelist some domains.

Pi-hole replaces your DNS on the local network so one device is protecting all your other devices without you having to do anthing else. Yes, even that Wii or whatever :-)

Can it be set up on a Pi in a similar way? Or is it designed just to run on each machine?

I tried this with OpenVPN a while back and it was a spectacular failure because keeping the tunnel open also kept the cellular connection active and that sent battery consumption through the roof. I'm talking about 8-10 hours "standby" time on a modern iPhone. Is that not a problem with your setup?

I looked into on-demand but is required a mdm profile and that seemed more trouble than it's worth.

What VPS and how much is it costing you?

As far as I can tell the default blocking method in current builds is NXDOMAIN. You can read the details directly from the PiHole official page [0]. Short version, it just returns a no such domain.

More info on blocking modes [1]. This says the default (and recommended) blocking mode is NULL but it wasn't the case when I recently did my last install. Not sure if it was something with my build or maybe the docs need to be updated.

You will find that failing to access the resource on the other side will make many clients try and try again. On my PiHole I see Philips Hue, Microsoft, or Sonos with tens of thousands of retries triggered by previous failures to contact their destinations.

[0] https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-wi...

[1] https://docs.pi-hole.net/ftldns/blockingmode/

The pages you use the most serve some ads from their own domain. E.g. Youtube et. al.

Also beware as most ads in your phone apps come from ad intermediaries that are either dynamic or constantly change.

Pi-Hole is a cool project but please take in consideration those two when using it. We are far from the 90's in ad-tech.

This will almost certainly never get implemented because the community has a more or less accepted workaround. Run more than 1 pi-hole.

It's a common-ish practice in the community to have a restrictive pi-hole running in your guest/kids network and a more permissive pi-hole running in the trusted/adults network. Pi-holes require so few resources and maintenance that it's not much burden to run more than one.

It would be a pretty large feature to support separate blocklists per IP range.