
The Beauty of Having a Pi-Hole (2024)

325 points| mpweiher | 10 months ago |den.dev

205 comments

[+] h4kunamata|10 months ago|reply
I have run PiHole for years in my home network; I cannot live without it. Over the years, I have made small changes to increase my control over it.

I have a recursive DNS setup: PiHole filters everything, and what is left is processed locally via Unbound, which in turn contacts the 13 root nameservers for DNS resolution. I don't use any third-party DNS.

Add PiHole/Unbound caching capabilities and surfing the internet is bloody fast.

Now, they alone cannot block everything, like a smart TV with hardcoded DNS, DNS-over-TLS, DNS-over-HTTPS, etc.

That is where OPNSense comes to play...

I have firewall rules in place so that nobody but the PiHoles can request name resolution. My Samsung smart TV trying to use Google DNS?? Blocked, PiHole takes over.

Devices trying to use DoT or DoH??? Blocked, PiHoles take over.

You can create a dynamic firewall rule with OPNSense so it will only block 443 and 853 if the host matches the list, which is updated daily.

To make everything even better, the OPNSense firewall makes sure no IoT device can access the local network, but I can access them (wireless printer, etc.), and if I need to access anything while on the road, like my cat's cam or my Voron 3D printer camera, WireGuard VPN makes sure of that. No VPN equals no network access.

It is just me and my devices, at the time of this writing:

* Domains on List: 500k

* Total queries: 43k

* Queries Blocked: 17k

* Percentage Blocked: 39%

I run GrapheneOS on my Pixel phone with very limited apps; I prefer the web version. The apps themselves are fully controlled and 99% of their access is blocked. That is why I have fairly low numbers after purging all the logs a few days ago.

[+] vladvasiliu|10 months ago|reply
> Devices trying to use DoT or DoH??? Blocked, PiHoles take over.

How? I can see you only allowing some ports through the firewall, but presumably TCP 443 is one of those. According to Cloudflare [0] DoH uses that. What if Samsung uses that, or figures DoT on port 443 works better? Do you only allow specific destinations for these devices?

I actually use a similar setup, only I removed pihole and just use some lists in my opnsense's unbound (didn't notice much difference).

My "smart" TV is pretty awful, so it's just unplugged (which makes it dumb, so now I love it). I've tried putting it on a dedicated VLAN with no internet access so I could try using the built-in Chromecast functionality – didn't have much luck. I've set up the mDNS repeater and allowed ports through, but that doesn't seem enough.

[0] https://developers.cloudflare.com/1.1.1.1/encryption/dns-ove...

[+] brewdad|10 months ago|reply
While there is absolutely value in doing what you are doing, and I commend you for fighting the good fight, the fact that 61% of your queries are still going through means your data is still getting out there. Maybe to a lesser degree, but that doesn't mean the marketing target isn't being painted; it just means you are an impressionistic painting rather than a modernist with straight, accurate lines.

I want to know how to become a Pollock painting.

[+] dayone1|10 months ago|reply
Is there an updated set of instructions/great guide on how to set up unbound and pihole together along with forced DNS redirection (so all dns requests are forced through unbound/pihole)? I tried to do this a couple of years ago and gave up because of how complicated it was to setup.
[+] mikestew|10 months ago|reply
In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.

EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.

[+] everdrive|10 months ago|reply
My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IoT, Android, Chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones (plus a Steam Deck). My wife has a few ugly apps (Facebook, Instagram, etc.) but outside of that we're in much better shape network-wise.

I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.

[+] xracy|10 months ago|reply
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.

I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?

Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.

If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).

Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).

For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.

[+] chihuahua|10 months ago|reply
Edge browser + uBlock Origin, and YouTube works perfectly without ads.
[+] NoPicklez|10 months ago|reply
To fix that you just need to look through the logs in the native pi-hole UI and whitelist those domains which cause friction with your browsing habits.

The google sponsored search issue was one I also fixed quite quickly.

As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.

[+] perdomon|10 months ago|reply
For the Google issue, I’ve been using Kagi as a search tool for the last 2 weeks and love it. No ads and great results that can be personalized. I’m on the free version but will likely start the subscription soon.
[+] itchyouch|10 months ago|reply
For the cost and simplicity, NextDNS is way easier IMO. Nice quality-of-life apps that install on your phone and computer to toggle it on/off while on the go, while also being able to be set up on the router.

Makes it nice and easy for the non-technical members of the fam.

[+] n_ary|10 months ago|reply
I personally use it on my devices as well as on the TV and smartphones of my non-tech-savvy family. However, deep in my mind, I have a feeling that any day they will turn face and sell off to some data brokers, and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard Home on a cheap VPS, but decommissioned it after NextDNS. Maybe I need to go boot it up again.
[+] glial|10 months ago|reply
I tried a Pi Hole a few years ago. I just discovered NextDNS and configured my home router to use it as a DNS and wow, it's SO much easier.
[+] AnonC|10 months ago|reply
NextDNS is not the answer if someone is looking for apps to toggle on or off the blocking easily. The NextDNS apps on iOS and iPadOS have not been updated for about five years and the toggle is broken (I know this because I’ve been troubled by it for years). If using the app on iOS/iPadOS (and not a permanent VPN profile), anytime you wish to know if NextDNS is on or not, go to test.nextdns.io on a browser and see if it shows “unconfigured” or some specific NextDNS endpoint. For me this test has proven how it randomly works or doesn’t work.
[+] perdomon|10 months ago|reply
I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power. The entire setup process happens over SSH and it cost me about $25. If someone can figure out how to configure their network for the pi-hole, I’m sure they can also figure out SSH.
[+] sgbeal|10 months ago|reply
> I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power.

FWIW, even a Pi Zero 2 is overkill. My pi-hole has been running for the better part of 3 years on the same microSD card on a first-generation pi zero, powered via a USB port on my router.

[+] tonymet|10 months ago|reply
Original pi zero with usb Ethernet also runs fine
[+] iramiller|10 months ago|reply
What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.

Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
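
The "stateful allow list on top of PiHole" described above, and vladvasiliu's question further up about how a DoT/DoH client gets caught at all, come down to one correlation: did the Pi-hole ever hand out the address a client is now talking to? The following is an added Python example, not code from either commenter, the article or the Pi-hole project. It assumes the dnsmasq-style 'reply <name> is <address>' lines Pi-hole writes to /var/log/pihole/pihole.log, a flow log exported from the gateway as a simple CSV (ts,src,dst,proto,dport), and an illustrative Pi-hole address, LAN prefix and DoH resolver list; both inputs below are constructed.

```python
"""Flag LAN clients that bypass the Pi-hole by correlating gateway flows with Pi-hole replies.

Added example. Assumptions (not from the original page): PIHOLE_IP, LAN, the DoH
resolver list, the CSV flow format, and both sample inputs, which are constructed.
"""
import csv
import io
import ipaddress
import re

PIHOLE_IP = "192.168.1.2"                                   # assumed Pi-hole address
LAN = ipaddress.ip_network("192.168.1.0/24")                # assumed local prefix
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}  # short illustrative list

# dnsmasq logs the final answer as 'reply <name> is <address>'; CNAME hops show up as '<CNAME>'
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)")

SAMPLE_PIHOLE_LOG = """\
Mar 10 12:00:01 dnsmasq[811]: query[A] news.ycombinator.com from 192.168.1.20
Mar 10 12:00:01 dnsmasq[811]: forwarded news.ycombinator.com to 127.0.0.1#5335
Mar 10 12:00:01 dnsmasq[811]: reply news.ycombinator.com is 209.216.230.207
Mar 10 12:00:05 dnsmasq[811]: query[A] www.example.org from 192.168.1.20
Mar 10 12:00:05 dnsmasq[811]: reply www.example.org is <CNAME>
"""

# constructed flow export: one outbound connection per row
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
1710072001,192.168.1.20,209.216.230.207,tcp,443
1710072002,192.168.1.55,8.8.8.8,udp,53
1710072003,192.168.1.55,8.8.8.8,tcp,853
1710072004,192.168.1.55,1.1.1.1,tcp,443
1710072005,192.168.1.77,203.0.113.10,tcp,443
1710072006,192.168.1.20,192.168.1.2,udp,53
1710072007,192.168.1.20,192.168.1.9,tcp,9100
"""


def resolved_addresses(pihole_lines):
    """Set of IP addresses the Pi-hole actually answered with (non-address replies skipped)."""
    resolved = set()
    for line in pihole_lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        try:
            resolved.add(str(ipaddress.ip_address(m.group(2))))
        except ValueError:          # '<CNAME>', 'NODATA', 'NXDOMAIN' and similar tokens
            pass
    return resolved


def classify_flow(dst, dport, resolved, pihole_ip=PIHOLE_IP, known_doh=KNOWN_DOH_RESOLVERS):
    """Verdict for one outbound flow; the most specific rule wins."""
    if dst == pihole_ip:
        return "ok-pihole"
    if ipaddress.ip_address(dst) in LAN:
        return "ok-local"
    if dport == 53:
        return "plain-dns-bypass"        # the case a port-53 redirect/block rule handles
    if dport == 853:
        return "dot"                     # DNS-over-TLS, distinguishable by port alone
    if dport == 443 and dst in known_doh:
        return "doh-known-resolver"      # DoH hides in 443; only the destination gives it away
    if dst not in resolved:
        return "unresolved-destination"  # hard-coded IP, or a name resolved somewhere else
    return "ok-resolved"


def classify_flows(flow_csv, resolved, pihole_ip=PIHOLE_IP, known_doh=KNOWN_DOH_RESOLVERS):
    """Return [(src, dst, dport, verdict), ...] for every row of the CSV export."""
    out = []
    for r in csv.DictReader(io.StringIO(flow_csv)):
        dport = int(r["dport"])
        out.append((r["src"], r["dst"], dport, classify_flow(r["dst"], dport, resolved, pihole_ip, known_doh)))
    return out


if __name__ == "__main__":
    seen = resolved_addresses(SAMPLE_PIHOLE_LOG.splitlines())
    for src, dst, dport, verdict in classify_flows(SAMPLE_FLOWS, seen):
        if not verdict.startswith("ok"):
            print(f"{src} -> {dst}:{dport}  {verdict}")
```

The "unresolved-destination" verdict is the allow-list idea from the comment and is the only one that catches a DoH resolver you have never heard of; it is also the noisiest, since it needs the reply history to cover the whole flow window (log rotation, cache hits logged as 'cached' rather than 'reply', and IPv6 answers all need handling before this is turned into a drop rule rather than an alert).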

[+] dend|10 months ago|reply
Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.
[+] jstanley|10 months ago|reply
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.

uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.

[+] dvratil|10 months ago|reply
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.

As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.

[+] crtasm|10 months ago|reply
uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.

It's best to run both.

[+] Twirrim|10 months ago|reply
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.

On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.

[+] gh02t|10 months ago|reply
Used to be to catch ads in places outside of browsers like apps, smart TVs etc, or when mobile browsers didn't let you have ad block plugins, plus catching outbound connections like devices trying to phone home. Less effective now, unfortunately, but I find it still catches a lot of ads in mobile apps even if more and more apps are working hard to circumvent DNS blocking. Also have set up PiHole* to block ads for non technical family members who don't know how/can't be bothered to use a browser plugin. Another perk is it gives you some high level overview about what devices across your whole network are up to, though there are other (and often better) ways to achieve this.

* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.

[+] blurbleblurble|10 months ago|reply
Could be nice to have both! Plus, it's not clear that Chrome will always support Manifest V2. I recently learned that you can still use uBlock Origin in Chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
[+] mikestew|10 months ago|reply
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
[+] BenjiWiebe|10 months ago|reply
uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).

Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.

[+] FredPret|10 months ago|reply
For me it's because:

- I need it to work within phone apps, my TV, on Safari, and on Chrome

- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.

What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.

I don't want this thing phoning home with screenshots of my bank and email.

[+] kgwxd|10 months ago|reply
Not all internet traffic goes through a browser.
[+] whalesalad|10 months ago|reply
pihole, adguard, nextdns etc. work at the network level, meaning you do not need to configure client devices. It's one and done. It also means that your dummy clients like TVs, IoT devices, etc. are going to be participating as well. You can't install uBlock Origin on a TV, or my dog's wifi collar, etc.
[+] imgabe|10 months ago|reply
I had been meaning to do this for the longest time. I even had a couple spare raspberry Pis laying around, but didn't want to set it up. Finally, I realized you don't need a raspberry pi at all. It's running in docker on my plex server. Much less friction. Don't get hung up on needing to run it on a raspberry pi.
[+] parpfish|10 months ago|reply
I'd love a pihole, but networking has always been a bit of a blind spot for me. I never really understand what I'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.

These walkthroughs always make it look easy, but no matter how easy the setup is you can't escape the fact that you're adding a layer of complexity to the network and I just don't want to maintain it. I fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because I don't know what I'm doing.

[+] 3abiton|10 months ago|reply
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
[+] bongodongobob|10 months ago|reply
It's very straightforward. You set the IP of the pi-hole for DNS in the settings of whatever is doing DHCP on your network. That's it.
[+] lambdaba|10 months ago|reply
Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.
[+] whalesalad|10 months ago|reply
My power went out today. Which means at some point my UPS' run out of capacity and my core infra VM host has to shut down. I run Adguard on that device ... so once it is gone, my ad-blocking is gone.

I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.

[+] ryandrake|10 months ago|reply
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.

1: https://en.wikipedia.org/wiki/Dnsmasq

[+] mikestew|10 months ago|reply
I was shocked that TFA’s recommended kit was $155! When did Raspberry Pi’s get so pricey?
[+] sixothree|10 months ago|reply
I run it under Hyper-V on a NUC sized device that is always on.
[+] dark-star|10 months ago|reply
> 66.6% of all traffic is blocked

I hear things like this a lot from PiHole users. But it's incorrect.

Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked

[+] kube-system|10 months ago|reply
66.6% of traffic per DNS request is a metric of network traffic. You could measure by bandwidth, by number of packets, by number of sessions, etc. There are many measurements one could use, and DNS requests is one of them. It would probably be irrelevant for other purposes but isn't a crazy measurement given this context.

It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...

[+] pnw|10 months ago|reply
66% would indicate that OP may have a device repeatedly trying to resolve a blocked query with no reasonable backoff logic.

In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
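
dark-star's point above (the 66.6% is a share of DNS queries, not of traffic) and pnw's (a single device with no backoff can dominate that number) are both easy to check against the log itself rather than the dashboard figure. The following is an added Python example, not code from either commenter, the article or the Pi-hole project. It assumes the dnsmasq-style lines Pi-hole writes to /var/log/pihole/pihole.log ('query[A] <name> from <client>' followed by 'gravity blocked <name> is 0.0.0.0' when the answer was blocked) and runs over a constructed sample log:

```python
"""Per-client blocked ratio and 'hammering' detection over a Pi-hole query log.

Added example. The line format is the dnsmasq style Pi-hole logs; the sample log
below is constructed (the aliyuncs.com name is the one mentioned in the thread).
"""
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
BLOCKED_RE = re.compile(r"dnsmasq\[\d+\]: gravity blocked (\S+) is ")

SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[811]: query[A] news.ycombinator.com from 192.168.1.20
Mar 10 12:00:01 dnsmasq[811]: forwarded news.ycombinator.com to 127.0.0.1#5335
Mar 10 12:00:01 dnsmasq[811]: reply news.ycombinator.com is 209.216.230.207
Mar 10 12:00:02 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:02 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:03 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:03 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:04 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:04 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:05 dnsmasq[811]: query[AAAA] news.ycombinator.com from 192.168.1.20
Mar 10 12:00:05 dnsmasq[811]: cached news.ycombinator.com is NODATA-IPv6
Mar 10 12:00:06 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:06 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:07 dnsmasq[811]: query[A] ads.example.net from 192.168.1.30
Mar 10 12:00:07 dnsmasq[811]: gravity blocked ads.example.net is 0.0.0.0
Mar 10 12:00:08 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:08 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:09 dnsmasq[811]: query[A] www.example.org from 192.168.1.30
Mar 10 12:00:09 dnsmasq[811]: forwarded www.example.org to 127.0.0.1#5335
Mar 10 12:00:09 dnsmasq[811]: reply www.example.org is 93.184.216.34
Mar 10 12:00:10 dnsmasq[811]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.77
Mar 10 12:00:10 dnsmasq[811]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Mar 10 12:00:11 dnsmasq[811]: query[A] news.ycombinator.com from 192.168.1.20
Mar 10 12:00:11 dnsmasq[811]: cached news.ycombinator.com is 209.216.230.207
Mar 10 12:00:12 dnsmasq[811]: query[A] www.example.org from 192.168.1.30
Mar 10 12:00:12 dnsmasq[811]: cached www.example.org is 93.184.216.34
"""


def parse(lines):
    """Return (per_client, per_pair).

    per_client[client] = [total_queries, blocked_queries]
    per_pair[(client, domain)] = how often that client's query for that domain was blocked
    A 'gravity blocked' line is attributed to the client that most recently asked for the name.
    """
    per_client = defaultdict(lambda: [0, 0])
    per_pair = Counter()
    last_client = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            _qtype, domain, client = m.groups()
            per_client[client][0] += 1
            last_client[domain] = client
            continue
        m = BLOCKED_RE.search(line)
        if m:
            domain = m.group(1)
            client = last_client.get(domain, "unknown")
            per_client[client][1] += 1
            per_pair[(client, domain)] += 1
    return per_client, per_pair


def blocked_percentage(per_client):
    """The dashboard-style figure: share of DNS queries blocked, not of bytes or connections."""
    total = sum(t for t, _ in per_client.values())
    blocked = sum(b for _, b in per_client.values())
    return round(100.0 * blocked / total, 1) if total else 0.0


def per_client_percentages(per_client):
    """Same ratio per client, which shows whether one device is carrying the headline number."""
    return {c: round(100.0 * b / t, 1) for c, (t, b) in per_client.items() if t}


def hammering(per_pair, threshold):
    """(client, domain, count) for pairs blocked at least `threshold` times, busiest first."""
    return [(c, d, n) for (c, d), n in per_pair.most_common() if n >= threshold]


if __name__ == "__main__":
    clients, pairs = parse(SAMPLE_LOG.splitlines())
    print(f"{blocked_percentage(clients)}% of queries blocked (a count of queries, not traffic)")
    for client, pct in per_client_percentages(clients).items():
        print(f"  {client}: {pct}% of {clients[client][0]} queries")
    for client, domain, n in hammering(pairs, threshold=5):
        print(f"  {client} retried blocked {domain} {n} times")
```

On the constructed sample the headline figure is 58.3%, but two of the three clients sit at 0% and 33.3%; the number is made almost entirely by one device retrying a single blocked name. That is the case to look for before reading the dashboard percentage as a statement about how much of your traffic is ads.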

[+] Dries007|10 months ago|reply
After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.

I run it on a rPi Zero 2W ($15), with the Waveshare Ethernet / USB HUB BOX ($16). Together with a power brick ($5) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).

Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.

I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.

In combination with uBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)

[+] Gucio|10 months ago|reply
Check out smarttubenext if you are on an Android TV.
[+] the_dude_|10 months ago|reply
It's a good post; however, I agree with the comments there and here that a Raspberry Pi 5 with 8GB RAM is overkill for just running pihole. A good old Raspberry Pi 3 Model B with 1GB RAM is enough, and it will still have capacity to run other things. And of course pihole can run on an old laptop or desktop box you already have, so no need to buy a device just for the sake of it. I would rather not run it as a docker container though, but that's just my preference.
[+] vagab0nd|10 months ago|reply
How do folks deal with Pi-hole unintentionally breaking normal websites? I used it for a couple of months until one day I spent 30 minutes trying to log in to a payment website with no success. Then I remembered I had Pi-hole running. I know the solution was probably to whitelist certain URLs, but at the time I just gave up and disabled Pi-hole.
[+] rockbruno|10 months ago|reply
Setting up a Pi-Hole taught me a ton about how networks work. It's a really cool thing to set up for fun.
[+] 10729287|10 months ago|reply
> (You will need) A monitor, mouse, and keyboard that you can plug into the Raspberry Pi as you set it up.

Raspberry pi can be set up to boot with ssh login/password, so you don't even need wired mouse and keyboard.