I set up pi-hole recently after hearing about it for years. I was kind of surprised at a lack of really basic features (imo):
There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.
> It's also not possible (or not clear) how to have different behavior for different clients
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
One of the SaaS services I get the most value out of is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
I think I'll never buy a smart TV. What an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.
My cheap android phone installs games by itself, e.g. candy crush, ugh. My own fault, I get it: buy a $2K phone instead of $160.
Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.
I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of that were related to the fact I worked for companies that had domains blocked.
I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for the average home user, who probably needs to expand their networking knowledge just to distribute custom DNS via DHCP.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
You can definitely set client groups, either based on CIDR, MAC (if on the same network segment) or individual IP. From there, you can assign different domains and lists to the specific groups.
The way I handled this issue for my family and devices is just by having two SSIDs - one with pihole blocking and one without. If it’s interfering with something me or my wife can just switch to the unblocked network temporarily.
You'd be hard pressed to find that an auditing mode would be helpful. Even once you hit that big red button, depending on the blocklists you use you will come across false positives that cause issues.
I've been using AdGuard Home, which does pretty much the same thing, but is slightly better polished, with things like support for DoH and OSs other than Linux.
I love AdGuard Home but the single binary container from a Russian company makes me nervous. I may move to building it myself. Is this criticism unfair?
I don't know why but adguard often just freezes and needs to be restarted. Maybe due to my device being old enough (Pi 1). But Pihole + cloudflared run flawlessly.
Switched to AGH too a few years ago because from time to time pi-hole would get stuck upon unplanned reboots of the Raspberry Pis on which I had it installed
Pi-hole is such a great tool. I've been running it for a few years on a raspberry pi zero, and am constantly astonished by the sheer amount of cruft it blocks for me.
Congratulations to the team for the release - happy to support you via Patreon!
Many times I have clicked an article link on reddit where everyone in the post comments complains about how the site is so riddled with ads that it is unreadable, and all I see is the article with a lot of whitespace.
Pi-hole is a killer application and I've loved it since I got it setup. One other app I highly recommend to run on your Pi in addition to Pi-hole is Nginx Proxy Manager[1].
I moved from pihole to Technitium a few months back because I wanted more DNS features than just adding A and CNAME records.
For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.
Technitium is great. Rock solid, plenty performant and it has more features than you'll ever need. Pretty wild when you consider it's being maintained by a single dev.
Switched to Technitium (from piHole via Docker on amd64 and manual dnsmasq before that) primarily for DNS over HTTPS and never looked back. Used it for DHCP and DNS.
This actually seems rather nice. Not the same as PiHole but I can see its upsides.
One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?
ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or setup PiHole to pass IPv6 and the DNS I want to the device.
I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.
> The web interface has been completely overhauled with settings split into Basic and Expert modes. This allows users to customize their experience based on their comfort level and needs.
This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.
I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.
- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees
- Blocks ads in ALL apps, not just my browser
- If it's acting up, I can just disconnect from the VPN to disable PiHoling
- Don't have to expose my home IP address and open a port for the world to start banging on
> Don't have to expose my home IP address and open a port for the world to start banging on
Is that really an issue if all you're exposing is the VPN port? Wireguard for instance has industrial-grade encryption. Even open port 51820 should be fine
Does anyone know if pihole is ever going to add DoH or similar support natively? I've had such troubles with cloudflared awhile back that I gave up on DoH, but would love to encrypt those queries.
I've been using https://github.com/DNSCrypt/doh-server for serving my DNS server via DOH for at least 2 years. Only had two issues with it and both were due to lack of maintenance on my part (ie. not updating the binary for one and then not re-configuring it after I changed configurations for the upstream DNS).
In my experience Pi hole is a very worthwhile investment. People who used my internet when I had one would remark how much faster it was. Everything in general seems faster, even things that you wouldn't think of. I typically use Brave for browsing which has good ad blocking capabilities, but this adds a whole additional layer.
The only reason I don't use one now is that I travel a lot more so it's irrelevant, and I have to work enough on tools with Google/Vercel/other analytics that it is just very inconvenient.
Regarding smart TVs, I have found that it's better to just use an Apple TV or Kodi box and never connect them to the internet though. Having said that, I gave my TV away because I never used it, so this might not be as up to date. A Pi hole will block ads on smart TVs though.
I used to love pihole, but it seems like it's more trouble than it's worth now. Advertisers have wised up and will use the same subdomain for both content and ads. I've also had issues with normal website functionality being broken due to pihole which isn't fun for my wife. It seems mostly useful for blocking background traffic on smart devices, not so much for ads.
I had an Apple TV connected to a TCL Roku TV and the TV was analyzing video frames from the AppleTV to popup ads suggesting to watch the same content on other streaming services.
I make these suggestions during all conversations about PiHoles:
Use Class A2 SDmicro cards (they'll last significantly longer... particularly if you keep logs). There are additional 3rd-party installations which can write into RAM, but IMHO it's easier for most new users to just buy better NANDs.
Set up more than one physical Raspberry Pi, running multiple versions of PiHole software on multiple IP addresses.
Have your main DHCP router auto-issue DNS information for your "most permissive" PiHole, with a minimal list of choice URL-blocks (e.g. pagead2.* , doubleclick). Individual clients can then manually change DNS server to 2nd (3rd... 4th...) PiHole(s) which are each more-restrictive.
This allows non-technical users to still browse somewhat ad-free, but also won't block banking/govt/etc for novices. As a failsafe, teach users to enter your router's IP as DNS x.x.x.1 [should they ever need to bypass local filtering, entirely].
I use sequential IP addresses [192.168.0.6, x.x.x.7, x.x.x.8, x.x.x.9] so it's easier to explain/teach my network's ad-blocking capabilities. YES, I understand that Pi-Hole allows different clients to follow different rulesets, but if you can afford to buy redundant hardware it's just so much easier to change the client DNS server information when a specific website isn't working correctly [due to erroneously blocked host].
Lots of great memories using Pi-hole and messing with RPi. I eventually ended up putting my devices on Tailscale and managing DNS through it, eventually using Mullvad VPN as the exit node.
Pretty good interface, and most people just have to connect using the app. Having a virtual network between devices with dedicated IPs is pretty nice too.
The big feature miss for me in this announcement is baked in support for configuration sync between servers. Redundant DNS is common and it would be nice if pi-hole supported this oob. Making it even better would be an ability to see stats across all synced servers from one location.
I checked that Pi-Hole can run on Raspberry Pi Zero as per the GitHub. But would you recommend using a Raspberry Pi 5 with 2 GB or 4 GB RAM instead of a Raspberry Pi Zero? I don't have any Raspberry Pi and I intend to make a new purchase.
Slightly off topic, but it annoys me that protonvpn does not allow split tunnel of DNS to an internal host. It calls this DNS leak protection, which is a good default. But I want to run my own DNS server and I know what I'm doing, and the Proton GUI won't let me.
I've been waiting for this - I wanted to play around with blocking distractions on various rules, but controlling pi-hole remotely was a huge pain and often didn't work until now.
I do something similar to Pi-Hole using plain dnsmasq.
I use two old PINE64 (one with FreeBSD, one NetBSD to make it more fun), and the Ansible configuration downloads https://github.com/ShadowWhisperer/BlockLists and creates a file dnsmasq can use. Which lists from the repo to use is defined as a variable.
Works very well and I feel I can understand what is going on.
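An added example (not from the thread, and not Pi-hole's or dnsmasq's own code) of the step described in the comment above, turning a downloaded blocklist into a file dnsmasq can use, combined with the log-only "would be blocked" pass asked for at the top of the thread. It assumes hosts-format or one-name-per-line lists, dnsmasq's `log-queries` line format, and `address=/name/0.0.0.0` as the block rule; the sample list, log lines and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

LABEL = r"(?!-)[a-z0-9_-]{1,63}(?<!-)"
# Two or more labels; a purely numeric last label is refused (bare IPs).
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+(?!\d+$){LABEL}$")
# dnsmasq log-queries line: "... query[A] name from client-ip"
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (\S+) from (\S+)")

# Constructed sample data (not from a real list or network).
SAMPLE_BLOCKLIST = """\
# hosts-format list
0.0.0.0 ads.example.com
127.0.0.1 Tracker.Example.NET  # trailing comment
metrics.example.org
0.0.0.0 localhost
0.0.0.0 bad/../name.example
"""
SAMPLE_LOG = """\
Feb 20 10:15:01 dnsmasq[812]: query[A] ads.example.com from 192.168.0.50
Feb 20 10:15:01 dnsmasq[812]: forwarded ads.example.com to 192.0.2.53
Feb 20 10:15:02 dnsmasq[812]: query[AAAA] cdn.tracker.example.net from 192.168.0.50
Feb 20 10:15:03 dnsmasq[812]: query[A] bank.example from 192.168.0.21
Feb 20 10:15:04 dnsmasq[812]: query[A] ads.example.com from 192.168.0.21
Feb 20 10:15:05 dnsmasq[812]: query[A] ads.example.com from 192.168.0.50
"""

def parse_blocklist(text):
    """Return (valid domains, rejected raw lines)."""
    # Third-party text ends up in resolver config, so anything that is not a
    # plain hostname (slashes, bare IPs, single labels) is refused.
    domains, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # "<ip> <name>" or "<name>"; longer lines are not handled here.
        name = fields[-1].lower().rstrip(".") if len(fields) <= 2 else ""
        if len(name) <= 253 and DOMAIN_RE.match(name):
            domains.add(name)
        else:
            rejected.append(raw)
    return domains, rejected

def to_dnsmasq(domains):
    """One address= rule per name; dnsmasq applies it to subdomains as well."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(domains)]

def blocking_rule(name, domains):
    """Return the list entry covering name (itself or a parent), else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def dry_run(log_text, domains):
    """Per client, count queries that would be blocked; nothing is enforced."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and blocking_rule(match.group(1), domains):
            report[match.group(2)][match.group(1)] += 1
    return {client: dict(names) for client, names in report.items()}

if __name__ == "__main__":
    domains, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print("\n".join(to_dnsmasq(domains)), "\nrejected:", rejected)
    print(dry_run(SAMPLE_LOG, domains))
```

Running the dry run against a day of real query logs before loading the generated file shows, per client, which names an allowlist would need to cover.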
Not sure if this is the right place to ask, but I've got a semi-obscure DNS question.
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Have used pi hole for over 5 years and very happy with it. Most times I use it via phone to manage kids' devices to block/unblock access etc. and this also works quite well. Thank you very much.
Ha! I bought a Pi5 as a Christmas present for myself, I've only done some basic setup and gotten sidetracked by other projects - but setting up pi-hole is near the top of my list of sh*t to get done
I've had the same PiHole rule (for years!) which blocks all the text-splash-over-ads... but it becomes very cat and mouse if you want to block the pre-roll video ads (any rule that initially works... won't for very long).
Instead, use yout-ube.com [insert a hyphen into any URL] and ALL ads disappear.
In unbound those are indeed views[1]. I moved from pihole to unbound+nsd a couple of years ago for precisely this use case. Block filters courtesy of[2].
I managed this by getting a gTLD (digit-only .xyz is cheapest) for internal-only services and then running a Caddy instance to reverse-proxy to my internal services. I don't port forward or open ports to that Caddy instance, so it's not available externally.
I wish pfblocker-ng was as easy to use and polished as pihole. It seems silly to run an extra DNS resolver if I'm already running one on pfsense, but the interface makes it tempting
If you are on openwrt I can recommend checking out unbound and adblock as alternatives (running directly on your routers without the need of a raspberry pi)
andy_xor_andrew|1 year ago
MyOutfitIsVague|1 year ago
windexh8er|1 year ago
[0] https://nextdns.io/ [1] https://controld.com/
ge96|1 year ago
josephg|1 year ago
Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.
BHSPitMonkey|1 year ago
btreecat|1 year ago
https://adguard.com/en/adguard-home/overview.html
guhcampos|1 year ago
jkingsman|1 year ago
bdcp|1 year ago
Yea i agree it's not super UX friendly.
everdrive|1 year ago
nkrisc|1 year ago
NoPicklez|1 year ago
Mekoloto|1 year ago
The biggest risk is not samsung knowing what someone watched but what devices you have on your lan
simooooo|1 year ago
LeoPanthera|1 year ago
https://github.com/AdguardTeam/AdGuardHome
laweijfmvo|1 year ago
brynx97|1 year ago
> The cloudflared binary will also work with other DoH providers.
2OEH8eoCRo0|1 year ago
roger_|1 year ago
Is there anything in Pi-Hole v6 that would make someone switch back?
zzyzxd|1 year ago
- I run it in Kubernetes with multiple replicas behind a load balancer for high availability.
- A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.
- Configuration as code, which gets mounted as a secret.
- Query logs from all replicas forwarded to loki for visualization and performance review.
nocchedure|1 year ago
febrianrendak|1 year ago
mattrighetti|1 year ago
lawn|1 year ago
Mossy9|1 year ago
hk1337|1 year ago
_fat_santa|1 year ago
[1]: https://nginxproxymanager.com/
robk|1 year ago
yard2010|1 year ago
seanp2k2|1 year ago
I have some scripts to sync config between them and a Jenkins job if I want to pause blocking on them for a bit.
It looks like https://github.com/mattwebbio/orbital-sync and https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6 now, but it’s quite a bit of code for what looks like just a few HTTP requests to get the config from one using the teleporter feature, then restore it on the others using the same.
seemaze|1 year ago
[0] https://pkgs.alpinelinux.org/packages?name=adguardhome&arch=
jccalhoun|1 year ago
JamesBrooks|1 year ago
For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.
I documented that process here in case anyone is interested: https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...
malmeloo|1 year ago
bjoli|1 year ago
2bluesc|1 year ago
eamag|1 year ago
poisonborz|1 year ago
zymhan|1 year ago
hk1337|1 year ago
system7rocks|1 year ago
shmoogy|1 year ago
zymhan|1 year ago
Sohcahtoa82|1 year ago
TheArcane|1 year ago
TriangleEdge|1 year ago
precommunicator|1 year ago
unsnap_biceps|1 year ago
newman314|1 year ago
Client --DNS--> pihole --DNS--> dnscrypt-proxy (localhost) --DoH--> upstream
Not the prettiest but it works.
chgs|1 year ago
I want my devices to use my defined DNS server on my network, not some ad company (and all tech companies eventually become ad companies)
zamubafoo|1 year ago
hotpocket777|1 year ago
plg|1 year ago
we block all meta and X properties from our home network, also ads
and it's self hosted on our own metal
it's a wonderful life
andrewinardeer|1 year ago
There's a difference between meta, X and ads?
google234123|1 year ago
wkyleg|1 year ago
Salgat|1 year ago
_chris_|1 year ago
I’m not up to speed on this stuff but I thought pihole only blocked the simplest stuff from devices that play nice?
Shadowmist|1 year ago
ProllyInfamous|1 year ago
kmfrk|1 year ago
lanthade|1 year ago
reboot81|1 year ago
urbanporcupine|1 year ago
theshrike79|1 year ago
unethical_ban|1 year ago
aspenmayer|1 year ago
https://protonvpn.com/support/custom-dns
Netcob|1 year ago
nirav72|1 year ago
dmacvicar|1 year ago
RandomDistort|1 year ago
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Is this possible in a simple way?
unknown|1 year ago
[deleted]
woleium|1 year ago
https://www.perplexity.ai/search/i-d-like-to-use-cloudflare-...
ConanRus|1 year ago
oh noes!
mrbluecoat|1 year ago
Any details on what HTTPS support provides, other than a TLS connection to the admin dashboard?
thomassmith65|1 year ago
eellpp|1 year ago
miningape|1 year ago
edm0nd|1 year ago
sizzle|1 year ago
ProllyInfamous|1 year ago
10729287|1 year ago
ncrmro|1 year ago
I wish pihole or adguard would add support for changing DNS records based on the query subnet. I believe this is called DNS views.
That way my local devices and wireguard devices can get the correct IP for internal services.
VTimofeenko|1 year ago
[1]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
[2]: https://github.com/StevenBlack/hosts
Marsymars|1 year ago
dpacmittal|1 year ago
kayson|1 year ago
Havoc|1 year ago
That’s why I switched to affairs home but wouldn’t mind switching back
TZVdosOWs3kZHus|1 year ago
I have been using Pi-Hole for about 8 years and can't imagine a world without it.
Another big THANK YOU to all list maintainers out there. You're doing an incredibly useful service to the community.
tailspin2019|1 year ago
There are always some features that I wish it had, but ultimately it does a really good job.
It’s easy to take for granted the hard work that goes into creating and maintaining such awesome tools.
unknown|1 year ago
[deleted]
opengears|1 year ago
issafram|1 year ago
nirav72|1 year ago
jedisct1|1 year ago
bangaladore|1 year ago
NeckBeardPrince|1 year ago
piyuv|1 year ago
peme969|1 year ago
mbasho|1 year ago
[deleted]
merillecuz56|1 year ago
[deleted]