I know some folks are anti Ubiquiti Unifi on here, but you can run pihole (along with a bunch of other stuff) right on a UDM/UDM-Pro. IMO it makes the most sense to run this on the router, and you can run it in a docker container. If you're looking for a fun hour or two project, check out:
I have another point of view as a non-pro user. The less my router is doing, the better. I want my router software to be as simple as possible to reduce possible bugs. Plus I want it to put all CPU time into processing packets.
I would consider using pihole like functionality if it’s baked in firmware. But definitely don’t want to install extra software.
I run a PiHole and a Tailscale exit node on my Unifi routers (previous generation). The Tailscale exit node lets me do both site-to-site VPNs and site-specific egress. The one thing keeping me from site network nirvana is that I haven't quite figured out how to set up a wifi network on the Ubiquiti device that routes all traffic through a given other exit node, however. Someday!
I'm afraid to ask, but why are people anti ubiquity? I freaking love my udm-pro and am waiting for their cams to come back in stock so I can ditch my nests.
Be aware that UI is planning to consolidate the UDM/UDM Pro software (1.x) into the UDM Pro SE / UDW software branch (2.x) in the near future, and the 2.x software doesn't use Podman and instead runs the software "bare metal".
IIRC the udm-utilities also work on the UDM Pro SE, though I'd be a lot more worried about "messing up" when it's not confined to a docker container.
For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
Won't be long now until IoT and other crap-ware devices catch on to this trend and start hard-coding DNS servers in code, or worse, using DNS encryption to avoid this sort of routine blocking by end-users. I wonder how people are thinking about solving this problem.
Essentially it's just DNS filtering on steroids. You start with an empty (or preseeded) ipset, and a firewall rule that says to reject/drop all outbound traffic if the destination isn't in the ipset. Dnsmasq is set up as the default DNS provider in DHCP, and it's set up to add all resolved IPs to the ipset (with an expiration so stale entries get removed).
Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT, etc don't work as their hardcoded IPs are blocked by default, and DNS filtering knocks out domain resolution of the endpoints. Even if an alternate resolver is allowed through the firewall, none of its responses get into the ipset, so it's still broken (and is a sign I need to update the DNS filter).
This is already happening. The likes of Google Home et al already hardcode their own servers. I noticed that no DNS requests were being made through my Pi Hole, so when I looked, it turned out their DNS servers were hardcoded.
However, I'm more worried about when they start hardcoding DoH servers.
> Smart devices manufacturers often “hard-code” in a public DNS server, like Google’s 8.8.8.8, and their devices ignore whatever DNS server is assigned by your router - such as your PiHole.
> Nearly 70% of smart TVs and 46% of game consoles were found to contain hardcoded DNS settings - allowing them to simply ignore your local network’s DNS server entirely. On average, Smart TVs generate an average of 60 megabytes of outgoing Internet traffic per day, all the while bypassing tools like PiHole.
Already happening, Google products like the Chromecast serve up plenty of obnoxious ads these days, and hardcode Google DNS. Even blocking Google DNS still allows ads to get through.
This is a big reason why I will never buy another Chromecast branded product, or Google product, again. Congratulations on successfully monetizing my time and annoying me into swearing off Google products altogether.
I couple PiHole with a pfsense router. In pfsense all DNS queries are blocked except to my pihole. This thwarts an IoT device or streaming devices, etc., from bypassing pihole. Then I block known DoH servers on both pfsense and pihole---which is not perfect, since it's really a game of whack-a-mole, but better than not.
I've been running a pi-hole on my home network for years and I love it, it consistently blocks about 19% of outgoing requests. Some of the benefits for us are:
- It disables (and hides) the annoying ads on our Samsung smart TV
- Browsing is noticeably smoother (especially recipe websites on mobile!)
- Most front-end browser trackers are blocked
- It's now possible to see how often apps or devices tend to phone home by just logging into the Pihole web interface
- We're not giving (most of) our DNS activity to our ISP
- Updating to a newer version is a breeze with docker
Some thoughts for folks considering getting one (or more):
- I've not locked it down further with a firewall yet to force all DNS requests to go through the Pihole, but I'm planning to.
- I won't run a Pihole container on my UDM as it will likely mess with future updates and settings, keeping things separate feels better.
- Sometimes I consider adding more blocklists but every time I do, something gets annoying somewhere and I usually end up reverting to the standard config.
My pet peeve has become to report login flows or frontend interactions that break when the tracking script fails to load because of my Pihole. It doesn't happen often luckily :-).
Obviously, people whose products rely on those ads and telemetry, won't be happy and will try to retaliate, for example, by refusing you service. This frequently happens because of my usage of VPNs and ublock. In that case I have an option to quickly turn vpn/ublock off for that specific web site or service. In your case it's not so easy.
Pi-Hole is brilliant. I set up[1] one a few years back and used it for over a year. Here are the issues:
- When I'm away from home and traveling, if something goes wrong, the Pi-Hole is usually the single source of that error, and is hard to solve by talking to my wife to walkthrough the settings.
- A few websites (India in my case), mostly government ones, do not work when Ads are blocked. Try paying LIC Premium or even login to LIC of India with your DNS modified, Ads Blocked!
- Wife wants ads in some of her apps, "What did you do to my Ads!"
Since then, the family was on NextDNS[2] for almost two years - premium member hitting million+ requests a month from a 4-member family. With NextDNS slow to update when macOS changes the way they deal with Private Relay, I stumbled on AdGuard's DNS[3] (in beta now). I already bought the lifetime (family) AdGuard license sometime back. So, I tried it and am on it now.
With the current setup, the last-mile choices of blocking ads or not blocking (for some website) is at the client (wife, daughter, and other devices). This works well so far -- everyone has a choice without being totally locked down. I have also taught my 13-year old daughter to keep a watch on Little Snitch.
Here are the typical settings for all of the devices in our family, which work well when inside the home or outside.
Apple's Private Relay (ON) > AdGuard with DNS Routing (OFF/ON) > (Optional VPN when needed) > Balanced/Bonded common ROUTER with minimal locked down settings > All of the ISP's entry routers.
Nonetheless, I've been meaning to tinker so I can have Pi-Hole sitting between our family and the Internet but optionally circumventable easily -- perhaps a big Amber Button which even my 5-year old can press and go into the Internet momentarily.
Edit: I forgot to add my thinking/concept/philosophy in all of this -- We should be able to walk out from most entrapments/situations/entities with minimal or no change needed.
That you can manage & think of this machine (program/process/container/vm) the same way as every other machine & don't have to ever ever ever ask "what should i do in this case?" or "what's right for this case?" because it's a unified answer that works well & operates the same everywhere.
Uniformity & no special cases. Death to pitiful old ways.
Specifically relating to pihole (as of previous versions) it wasn't the cleanest install/uninstall experience and left a bunch of crap behind on my system.
I now run it in a docker container because of this, but I can't speak to OP's motivations
Not specific to PiHole, but perhaps keeping the OP's infrastructure management consistent may have monitoring and maintenance benefits.
And specifically mentioned in the very next sentence:
> The Pi Hole project already has a nice Docker project utilizing compose.
It is a supported configuration for PiHole so it fits in nicely, no need to even produce their own docker based solution.
Not much of a docker user myself (I've tinkered, and we use it for some things in DayJob, but for my own stuff I use VMs or occasionally LXC if I do want a container instead), but the answer to your questions was really quite obvious.
Any special setup amongst your network takes excess work to maintain. In the case of Pihole, I gave up on maintaining it because I was running it on a Raspberry Pi, and found that it was annoyingly hard to keep a Pi running stable for a long period of time.
Had I a convenient way to set it up in a Docker container, it would've been better. Of course, since I don't run anything in Docker at home, that would also constitute a special setup I have to maintain.
The real advantage is another layer of complexity, so you can write a blog post about running PiHole on a home network, which is done by a billion other people (conservative estimate).
for those who want something effective outside of their home network...
ublock origin works fine as a plugin in firefox on android, and blocks ads just as effectively on firefox on desktop.
the ability to install arbitrarily chosen firefox compatible plugins on firefox on android is a huge deal for me. it makes it almost as powerful and useful as firefox desktop.
the only time I need to touch chrome anymore is when using some rare 1% of online shopping website that seems to think a firefox useragent is a bot.
Every time I've tried pihole it has failed on services like YouTube. Can someone explain this to me and how I solve it? I know it's not just me, it even happened to Linus Tech Tips but I constantly hear responses "works for me" which are unhelpful. If ublock works fine, why can't pihole? I'm actually interested in a technical answer.
Note that pi-hole can also be used by only installing the DNS resolver, without the web server and UI, which allows it to be installed on any tiny Linux system as well.
Additionally I can recommend the "Privacy" web browser on Android combined with the "Rethink DNS" firewall.
Both are amazing tools that help speed up your phone, and allow you to even filter ads out of specific apps that use e.g. an embedded cloudflare DoH resolving mechanism.
If you want to dig deeper, there's always the Aurora App Warden and Permission Manager X which allows you to modify other Apps and remove their Activities and Services that are coming from ad frameworks.
I run the combo Wireguard/Adguard, what is nice is that only the Wireguard clients have the DNS filter and the rest of the network is not affected. Also I have the filter when away from home. And another advantage to setting Adguard as DNS server in the router is that the clients are split in the analytics overview (otherwise it looks like there is only one client, the router and you can't set different filters for different clients).
I do still have issues with keeping Wireguard running when I switch from lan to wan with my phone, so for now I'm setting it as conditional (only Wireguard on when outside of lan).
I ran Pi Hole (and AdguardHome) for years, but eventually just upgraded to NextDNS instead. It works almost the same (minus the DHCP stuff), but instead of just working on your LAN, it works on every device all the time.
Our phones and smart devices all use either DoH or hardcode a specific DNS resolver. I haven't spent the time going all the way down to re-routing all port 53 traffic, but I doubt it'll do much.
To me the future of the home network is largely dead as long as I can't reasonably manage the software on these devices.
I don’t know how you maintain your hosts list, but with a solution like pi-hole, you can easily subscribe to multiple blocking filters and have them update periodically without any intervention. Of course, you could automate your hosts update too, but pi-hole comes with this built-in.
This is essentially what pihole does, but automatically, using shared lists of ad networks (you can add your own easily). And it's available to things on your network where you can't or don't want to edit /etc/hosts
(My smart tv used to love to shove ads in my home screen)
It’s an elegant and efficient way of taking back control of your network and the content It shows you.
I run it on a Pi Zero W with a little wooden case and a low power phone charger (500 mA). I Velcroed it to my router.
Not sure about now, but before I was using pihole, I was using a hosts file to block ads and found a significant increase in network latency. Turns out the huge hosts file significantly increased DNS lookup time in my system (>1 second).
Like you said, convenience of propagating the blockage to all devices, a central place for configuration, stats/diagnostics built into PiHole dashboard. I do like your DIY approach, though!
This was the kick in the pants I needed to finally set up one of these. It took 20 minutes to get up and running, and half of that time was finding a wall USB adapter to power it. Easy peasy lemon squeezy.
ferminaut | 3 years ago
https://github.com/boostchicken-dev/udm-utilities/tree/maste...
para_parolu | 3 years ago
goodburb | 3 years ago
pcl | 3 years ago
moffkalast | 3 years ago
I hope it becomes more ubiquitous (hah) even on lower cost ones eventually.
boostchicken | 3 years ago
dawnerd | 3 years ago
jeffkeen | 3 years ago
8fingerlouie | 3 years ago
asdkhadsj | 3 years ago
Vaslo | 3 years ago
sleepdreamy | 3 years ago
We use this at some of our clients in the MSP space
ctur | 3 years ago
0daystock | 3 years ago
DistractionRect | 3 years ago
Works a treat on my IoT devices
lapser | 3 years ago
e2le | 3 years ago
https://labzilla.io/blog/force-dns-pihole
For those devices which ignore DHCP/NDP provided DNS addresses, you could create a firewall to redirect outgoing port 53 traffic to your own server.
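The two mechanisms discussed in this thread, DistractionRect's DNS-derived egress allowlist (dnsmasq copies every answer into an ipset and the firewall forwards only to set members, with entries that expire) and the port-53 redirect suggested here for devices that ignore DHCP-provided DNS, as one added example. This is not any commenter's own configuration and not code from the Pi-hole project: a POSIX sh script that renders the dnsmasq fragment and the ipset/iptables commands for an IPv4 LAN. The interface names br-lan and eth0, the router address 192.168.1.1, the set name allowed_dst, the timeouts and the config path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the commenters' own configs): a DNS-derived egress
# allowlist for a Linux router built from dnsmasq + ipset + iptables.
# Interface names, the router address, the set name and the config path
# are assumed placeholders; override them through the environment.

LAN_IF="${LAN_IF:-br-lan}"            # assumed LAN-side interface
WAN_IF="${WAN_IF:-eth0}"              # assumed WAN-side interface
ROUTER_IP="${ROUTER_IP:-192.168.1.1}" # assumed router address handed out by DHCP
SET_NAME="${SET_NAME:-allowed_dst}"   # ipset that holds resolved destinations
ENTRY_TTL="${ENTRY_TTL:-600}"         # seconds before an unrefreshed entry expires
CACHE_TTL="${CACHE_TTL:-300}"         # cap on dnsmasq's cache, kept below ENTRY_TTL

# dnsmasq fragment: advertise the router as the DNS server via DHCP and copy
# every answer dnsmasq returns into the ipset. '#' matches all domains, as it
# does for --address. max-cache-ttl keeps a cached answer from outliving its
# ipset entry, which would otherwise hand a client an address the firewall
# no longer accepts.
render_dnsmasq_conf() {
  cat <<EOF
# /etc/dnsmasq.d/egress-allowlist.conf (assumed path)
dhcp-option=option:dns-server,${ROUTER_IP}
ipset=/#/${SET_NAME}
max-cache-ttl=${CACHE_TTL}
# blocklist entries go here as usual, e.g. address=/ads.example/0.0.0.0
EOF
}

# Firewall commands, in the order they must be applied:
#  1. create the set with a default per-entry timeout (stale entries age out)
#  2. redirect any port-53 traffic from the LAN to the router's own resolver,
#     so devices with a hard-coded plain-DNS server still go through dnsmasq
#  3. accept DNS to the router and return traffic from the WAN
#  4. forward LAN->WAN only to destinations present in the set; reject the rest
render_firewall_cmds() {
  cat <<EOF
ipset -exist create ${SET_NAME} hash:ip timeout ${ENTRY_TTL}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 53 -j REDIRECT --to-ports 53
iptables -A INPUT -i ${LAN_IF} -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${LAN_IF} -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m set --match-set ${SET_NAME} dst -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Dry run by default (prints the commands); RUN=sh pipes them into a shell.
apply_firewall() {
  render_firewall_cmds | "${RUN:-cat}"
}

# Inspect what the set currently allows; each entry shows its remaining timeout,
# which is also how you spot a device that reached something without resolving it.
show_allowed() {
  ipset list "${SET_NAME}"
}
```

Source the file, then `apply_firewall` prints the commands and `RUN=sh apply_firewall` applies them; `render_dnsmasq_conf` writes the dnsmasq fragment. The reject rule is what defeats a hard-coded DoH, DoT or plain-DNS endpoint: its address was never answered by dnsmasq, so it never enters the set. IPv6 needs a parallel `family inet6` set and matching ip6tables rules, and anything on the LAN that must reach fixed addresses without DNS (NTP by IP, a VPN peer) has to be preseeded into the set.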
heavyset_go | 3 years ago
RachelF | 3 years ago
The DNS queries for these bypass any of your own DNS settings.
They even bypass host file overrides.
asix66 | 3 years ago
Roelven | 3 years ago
(edit, formatting)
EVa5I7bHFq9mnYK | 3 years ago
kayson | 3 years ago
Combined with pfsense's recursive resolver (unbound), it makes for a pretty great home DNS setup.
Brajeshwar | 3 years ago
1. https://brajeshwar.com/2019/pi-hole-blocking-ads-at-home/
2. https://nextdns.io
3. https://adguard-dns.io/
jrmg | 3 years ago
What is the advantage of this in this case?
BrandoElFollito | 3 years ago
- I download the ISO for my system (Arch Linux)
- I install it on a drive
- I install docker and a (very) few other things
- I recover /etc/docker and data from a backup
- I run my docker-compose
- the server is up
Time: around 30 min to 1 hour without any documentation.
For me - THAT is the real power of docker.
rektide | 3 years ago
NegativeLatency | 3 years ago
dspillett | 3 years ago
ocdtrekkie | 3 years ago
pigbearpig | 3 years ago
walrus01 | 3 years ago
godelski | 3 years ago
cookiengineer | 3 years ago
[1] https://www.stoutner.com/privacy-browser-android/
[2] https://github.com/celzero/rethink-app
hackerbrother | 3 years ago
teekert | 3 years ago
8fingerlouie | 3 years ago
quyleanh | 3 years ago
amq | 3 years ago
snapplebobapple | 3 years ago
codemac | 3 years ago
prometheus1909 | 3 years ago
0.0.0.0 trashsite1.com
0.0.0.0 trashsite2.com
The only downside I see is that my approach is not network-wide. Any other reasons I should reconsider?
jasode | 3 years ago
Previous subthread about it: https://news.ycombinator.com/item?id=22535387
(But it doesn't look like wildcard pattern matching works for the substring middle part of the string like your example.)
pcl | 3 years ago
newscracker | 3 years ago
more_corn | 3 years ago
I highly recommend that everyone do it.
neurostimulant | 3 years ago
otachack | 3 years ago
mFixman | 3 years ago
zacharycohn | 3 years ago