Just recently I experimented going without my pi-hole or any ad blocker software for 4 weeks to see what would happen.
My goodness the internet is a dumpster fire without it. So many pages lagging and slow to load. Things I wanted to click that jumped when an ad loaded resulting in miss clicks. Annoying things following me around.
It was especially bad on mobile with the GDPR/cookie notices and ads, to the point that on my iPhone SE some pages had a thin smear of the actual content no taller than a single line of text. News sites were especially bad for this.
With the experiment ended my pi-hole and ad blockers are now set to very on (and updated to this version and can confirm the block list went from 100,000 to 89,000) and I am much happier. Seems about 20% of the traffic on my network is blocked now which explains why some pages performed so awfully.
The ad industry really needs to up its game because the current state of the web is just horrible.
IME, it really depends on the website. If the user normally has Javascript disabled, then suddenly enables it on a graphical browser while visiting a news website, look out.
Dumpster fire indeed. The user's computer resources are quickly usurped and things slow to a crawl. Users have been trained to be patient I guess, waiting for websites to "load".
Interestingly, I find that many egregiously ad/tracker-laden websites actually "work" well enough without Javascript, meaning the content is readable, sometimes even the images are displayed. For these websites, it does not appear that they are purposely designed to be "unusable" without Javascript enabled. As a text-only browser user, I sometimes perceive some websites "do not work" with Javascript enabled. Trying to view them with the "recommended browser" with Javascript enabled makes the computer so unbearably slow and janky that I give up and go back to turning Javascript off.
> many egregiously ad/tracker-laden websites actually "work" well enough without Javascript, meaning the content is readable, sometimes even the images are displayed.
Websites that can't manage to load an image without javascript are a pet peeve of mine and they are everywhere. News sites are the worst, but even popular image hosts where displaying images is their entire job fail miserably. At the very least sites that can't load the image should show a direct link to the image but they never do. I'd happily welcome back all the marquee tags and "under construction" banners of the past if we could take web development back to the point where we didn't need several massive JavaScript libraries hosted across multiple domains to do the most basic task like display an image.
Why four weeks? Surely you could have reached a similar conclusion in a day, or less? Or did you learn anything in that time that couldn't have been learnt in a short burst of unprotected internet activity?
Seemed like a reasonable period of time. I got to see what the difference was on different devices including desktop, laptop, tablet and phone.
I also got to see how they were affected for work, study and play over weekends and weekdays.
I did notice I started to wait longer for pages to load with the ads so that I would not accidentally click on them while they loaded in. That and I got generally annoyed by the web experience in general.
This has always been my conclusion when I experiment with not using an ad blocker. So many websites with otherwise "okayish" content are basically ruined by ads.
Some sites are littered with "targeted" ads like download buttons and similar, which I'm not even sure why that's allowed.
It's also fun on "big" websites like MS Teams, Netflix, hulu, etc, to see the "blocked" count rise into the hundreds.
> My goodness the internet is a dumpster fire without it. So many pages lagging and slow to load.
Yeah, people always knock pi-hole for not blocking "everything" like browser-based blockers do, but even though it's not perfect it still makes a huge difference. Due to some network changes I had to go without pi-hole for a couple days after having previously used it for years, and you never really appreciate how much crap pi-hole traps until it's gone.
It's not just ads in apps, it blocks tracking beacons too. If I connect my (big Chinese manufacturer's) android device to my vps which has the pihole running I can watch as one or two requests per second are blocked with no browser open.
Yep, my experience as well. There must be a better way. I think we're warming up for a war since browsers (Chrome and Safari at least) have slowly started making it harder to block ads, which I think will become a creeping normality.
You can disable that; both at a network level, and in the browser itself. You can also choose a different DoH provider if you don't want to use cloudflare.
Yes, it should be disabled by default but it's not the end of the world. I would hazard a guess that when Chrome implements something similar that it won't be so easy to disable.
Why couldn't pi-hole answer over http as well? You would also be able to use it from outside your home, without leaking your DNS traffic, or risking interception.
It might work for the better in the long run. No possibility to block ads combined with advertiser's greed will eventually make the whole thing unusable. And I am okay with consuming less content. Maybe along with the fall of the internet advertising industry we'll reinvent the wheel from scratch. Paywalls are fine if you absolutely care about that content but they don't work so well alongside free content backed up by ads.
I tried running pi-hole for a few days, but went back to pfBlockerNG.
The UI is nice, but not really anything I care to look at as long as it works.
AFAIK pfBlockerNG not only blocks the domains, but the IPs they resolve to as well, meaning no funny business will get around it.
I realize it requires a pfSense router or similar, but don't understand why it's not brought up more alongside pi-hole.
Maybe don't use something free and awesome to improve your experience and instead find whatever magical slice of the internet isn't ad driven?
It takes a few minutes to set up pi-hole, and it isn't just for websites either. It happily swallows in-app advertisements. The benefits are extended to anybody on your wifi. What possible reason would you have to not use it?
If you’re into fun experiments, you can also try putting a few pennies into a jar whenever you visit a website or write a script to simply block the sites you need to visit.
Make plain, no funny-business HTTP GET, server responds 200 and sends some text. Guess they wanted me to have it. I'll decide what I do with it, thanks.
The same argument applies to DVR ad skipping and previews on movies. If your profit model depends on people not blocking advertisements, your profit model is broken.
I much prefer the way movies and podcasts do it, as in, having the advertisement as part of the content itself. Instead of plugging in ads on the side, podcasts have a small segment where the host mentions a product and gives their personal experience with it. Movies place products in the shot, which is also a kind of approval from the studio. Webpages, however, just throw in ads with no context, and it's completely jarring.
Part of the problem is that placing ads is much easier than working ad placement into an article, and another part is that paying for things online is a painful experience. I don't mind paying to remove ads, but I'm not going to sign up for a subscription service just to read an article without ads. I really hope something like GNU Taler becomes popular to make these types of microtransactions easier to manage. Even better, I would like something like Netflix, but for quality journalism where I pay a subscription for a variety of content.
I want content producers to get paid, I just don't like advertisements and juggling subscriptions.
Technicality? Huh? I asked for a document and you sent it so now I'd better make sure I only read it with software that also requests every link in it and runs any code it finds? LOL no. No technicality about it.
People tend to forget that websites are just documents. Especially those who are not deeply familiar with the web technology. So, to those who are not aware, I'd like to add: the web is nothing more than a protocol in which a user requests a document, and a server generates and returns a text response. It is up to the user what they will do with this text response. For example, they may open it in a browser which parses special tags and turns it into a nice visual page. They also can choose to open it in a browser which cherry-picks which tags to parse and which tags not to parse. They can also just read it as unparsed text. This is simply how the web was designed.
What's unethical about reading the parts of a webpage that you want to read? It's like getting a free newspaper and then covering up the ads inside before you read it.
Well not quite. It's more like having someone else remove the ads so you're never exposed to them. Which I would say is a little unethical considering the newspaper is free for a reason.
If your server sends bits back to my computer when I request them, it is perfectly within my right to decide which of those bits I do and do not want to see.
This is like the people who say they can say what they want because of free speech.
If you're able to justify something because of a technicality and are intentionally ignoring the ethics of the situation and what is clearly right/wrong... well, that's not a good look.
If ad networks would behave ethically, I would agree with you. But they don't, so I don't.
It's not all black and white. If you want to charge me for content, charge me for content. If I think it's worth it, I'll pay. Don't force an unusable, emotionally-manipulative, probably malware-filled experience on me from the get-go because you don't otherwise have a sustainable business model.
You’re getting something you value (video, article, etc.) in exchange for looking at ads instead of paying money. If you don’t want to look at ads, don’t look at the content. Don’t hide behind server requests and technicalities.
It would be fine in the 1995 version of the internet where a page served up content plus a banner ad. I might click, I might not. But now we're faced with privacy invasion, tracking, data-collection, TVs that output tones during ads that our phones pick up and report back to advertisers, pages that are slow and unreadable because the ads have taken over more real estate than the content. The list goes on, and it's not a trade we agreed to.
Anti-patterns designed to trick us into clicking, signing up, giving up more data, view another few seconds of ads. It never ends! So yeah, we block it. I don't feel sorry. If you don't think it's ethical then you're not paying attention to what's really going on. I used to go around installing Firefox for people before it was called that. Then adblockers, and now I go to people's houses and help them with a raspberry pi loaded with pi-hole. Fuck ads. Fuck that entire industry. And fuck everyone that works in that industry enabling them.
Yes, it’s fine to skip ads in magazines or change the channel during commercials.
It’s not OK to get a robot that changes the channel for you or to have your magazines sent to a service who cuts the ads out and forwards them on to you.
You're setting arbitrary restrictions based on some feel-good criterion you've developed for yourself.
The implication of your ethical argument was that avoiding ads causes the content creator to fail to get paid, and that's wrong.
There's no material difference between whether I avoid ads manually, or have software do it for me automatically. The end result is the same; the creator misses out on ad revenue. You can't cherry-pick the ad avoidance methods and say some are ethical and some are not when the supposed unethical act is depriving creators of payment.
The one thing that's holding me back on actually using Pi-Hole is the lack of flexibility. What I'd really like to see is the ability to do various things on a per-client basis.
For example, one commenter wanted a simple "reload without blocking" functionality and the response was to use a bookmarklet plus the Pi-Hole API to disable it temporarily. This works, but the problem is that it disables it temporarily for everyone and will inevitably result in "Hey, why's the ad blocker broken?" "Oh, sorry, that was me" conversations.
Likewise, I'd also like to be able to configure block lists on a per-client basis. I don't want any Facebook stuff (for example) to resolve from my devices, but my girlfriend wants to use Facebook.
Similarly, I may want different rules on different networks. For example, I may want to restrict what my IoT network can resolve differently than my regular user network. This is really just a generalization of doing things on a per-client basis.
Currently the only solution to these types of problems is to maintain multiple Pi-Hole installations. This isn't a big deal if it's just one or two, but it doesn't scale reasonably.
I have 2 Pi-Holes running. One is the “family” one and our modem/router uses it as primary DNS so basically everything on our network goes through it. This protects the family and any visitors in the wifi.
The other is for me, and my personal devices have been manually set to use it as their DNS. It filters a lot more aggressively as I am more willing to put up with broken stuff for more privacy (eg completely blocking all FB domains, lots of Google stuff, etc). It also means I can suspend mine for a bit if I need to and not have the kids bombarded with ads.
I have almost the same setup but I forward my requests from mine to the family one. If I disable mine I still go through the generic one which is supplied through DHCP.
That's awesome! I'm excited to see what comes of this! I took a look at the changes and the amount of work here is impressive.
I'm going to guess that there are also major UI changes that will need to come along to make this feature usable. Maybe the release that incorporates everything could be Pi-Hole 5.0?
Pihole is just a GUI on top of dnsmasq, they're not doing anything fancy, apart maybe for the extra statistics. These are some interesting ideas for improvement, I'd also be interested in something with more flexibility, but I'm not sure if there's an alternative at the moment.
There are still a few possibilities for how it could work— first would be running multiple instances of dnsmasq and then putting a reverse proxy in front of them that would direct the traffic based on who's asking.
Another would be switching to a purpose-built DNS resolver/cache that had this capability.
Finally, you could have per-client DNS IPs, but this would require the cooperation of the DHCP server, which is less typical on a home network where that's often a closed-source router. But a "super pi-hole" following this pattern could also potentially be the DHCP server. (Yes, raspberry pi can run OpenWRT: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi)
The pf-blockerNG package on pfSense would be the next level up. Not as pretty as Pi-hole, but far more capable if you are willing to stick with it. And you don't have to use pfSense as your firewall/gateway if you don't want to - pfSense will work just fine with only one interface as an application appliance purely for running pf-blockerNG to use as your internal DNS server.
Heh, I'm considering it for the exact same reason you said.
I want to control the whole home network with it and avoid per-client customizations. I want the exact same filter on the whole network, and I don't want it to be easily circumvented.
I want to set up once and forget it and it should filter everything, automagically, every device, every browser, from the whole home network, forever. If I want to REALLY check something out I will use my mobile's internet.
I use two Mac OS "Locations" (Apple Menu -> Location), one which uses the router default DNS (which is a Pi-Hole at home), and another which is set to use the Cloudflare DNS servers.
This allows me to switch location, and instantly reload a page without the Pi-Hole interfering. Of course this only works on my Mac.
As far as I know, Pi-Hole sets a relatively short TTL on its responses, but I think it should still cause a non-zero delay when you disable it, shouldn't it?
One solution is to set up two separate wireless networks with separate VLANs where one uses the pihole for DNS and the other does not. Clients can temporarily switch to the ads network at will. It might not be possible unless you have a decently high-end router. I know DD-WRT or Ubiquiti Unifi gear can do this.
Yup, we do this. Works like a charm and makes it easy to configure from any client by just connecting to a new wireless network.
You don't need the VLAN, you can just put the two different wifi networks on different subnets or DNS config depending on your router and you're good to go.
(I do put IoT stuff on a guest VLAN though which can only see the gateway and nothing local in the network).
I did this not more than 2 months ago. Only time I connect to my other network is when I want to access my odroid xu4 on which I accidentally blocked the wrong subnet in iptables.
I think AdGuard's AdGuard Home, Pi-Hole competitor, does this. I've been following it for a while but haven't had the chance to replace my Pi-Hole installation yet.
I played around with it. I really like the integrated DNS over HTTPS, but the reporting doesn't quite match up. I didn't bother switching but it would be a perfectly usable option.
I had similar thoughts about it but I got fed up a couple of years ago and just installed it. If something doesn't work I will think about if I can live without it. Most of the time I can, and if not I just whitelist the domain.
If you want to temporarily disable it for your computer, maybe switch DNS temporarily? Might even be some plugin for that in the browser?
Openwrt has DNS ad-blocking built in which works just as well as pi-hole. It simply doesn't have the monitoring of what is being blocked but it is rarely needed anyway.
I'm running it in an LXC container on OpenWRT. Better to have an external disk connected for the container so the logging will not burn the internal storage too fast.
I can't find this anywhere, but does Pi-Hole have any sort of client side 'reload without blocking' functionality? If I were to implement this in my network and a user has issues with a page not loading/functioning correctly, I feel like they'd need my help to add the site to a white list, which would be pretty inconvenient.
> You can craft a URL that disables pi-hole for X minutes, using the API. You hit the bookmark and boom, pi-hole temporarily disabled. If you save it to your phone's home-screen, you've got an instant disable button.
What I'd really like is temporary whitelisting a single domain. Just because I need to use site X for a couple of minutes it doesn't mean I want the flood-gates open.
This is more for the case when a single JS file fails to load from a CDN or things like ReCaptcha.
Since it's an API, even if it would have been 30+ those could all still be approved with a single script call.
Man, it would be nice if there were a native app for iOS which you could link to multiple Pi-Holes for easy management and/or Siri Shortcuts. I'd definitely drop a few bucks for that app - and I'm sure a few others would too! Please DM me if anyone is working on it and needs a beta tester via Test Flight.
I second this. A firefox plugin that is "on" or "off" would be great. I guess FoxyProxy is close if PiHole can act as a SOCKS proxy to do its blocking. Is that one way it can work?
You can do a timed disable (like a pause) from the Pi-hole UI: I've done 5-minute disables to eg. get through purchase check-out flows with tight coupling to trackers.
Unfortunately it doesn't at this point I don't believe. But as another comment mentions, there is a nice API. Another option would be to create a bash script and create a php page with a form to add a domain to whitelist. I do something similar to whitelist IPs for DNS in iptables. Pi admin uses php so it's already installed and working.
It's great, but many blocklists are bad. People often use https://firebog.net/ to get their blocklists, and use only those with a checkmark which are, quote, "least likely to interfere with browsing".
Bollocks, I've had to disable a few of the recommended ones, and adding manual whitelisted hosts because they were blocking legitimate sites (ocsp.apple.com), blocking Windows updates, blocking Instagram altogether!
I agree that blocking OCSP (Online Certificate Status Protocol) servers is a bad practice. The argument to block them is that they can be used for tracking purposes. OCSP stapling is a great way to use OCSP without the risk of tracking - but not everyone does it or supports it.
Anyways, I maintain an 'Ads & Tracking' blocklist that I believe is pretty reliable and you are welcome to give it a try if you like: https://www.github.developerdan.com/hosts/
I've been maintaining my list publicly for over a year, and I've got to say it's not always clear what deserves to be blocked, what should be blocked but can't be due to broken functionality, and what is legitimate like the OCSP servers. Everyone has their own personal level of expected privacy vs functionality. It's impossible to make everyone happy. I just wanted to say that being a maintainer of these lists isn't always easy. The obvious example you provided with (ocsp.apple.com) isn't exactly obvious because it _could_ be used for tracking, and it certainly isn't needed for functional reasons (although I would argue that it is needed for security reasons). Anyways, there is a lot of gray when it comes to blocking and you can't make everyone happy.
I spent some time implementing a Pi-hole module for NixOS, but eventually decided to go for a much simpler setup: dns server (dnsmasq or unbound) + periodically updated hosts file (via systemd timer) passed to the dns server.
At the end of the day, that's really all you need as a technical user, so I couldn't justify the rest of what came with pi-hole, which I believe targets a less tech-savvy crowd.
YMMV and I’m very happy Pi-hole exists, I think I’m just not the target audience.
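The "dnsmasq + periodically updated hosts file" setup from the comment above, as an added example that is not part of the thread and not Pi-hole's own code. It assumes (hypothetically) that dnsmasq is configured with `addn-hosts=/etc/dnsmasq.d/blocklist.hosts`, that a systemd timer runs the script as root, and that the list URL is a placeholder you replace; the point it adds is that a fetched list is untrusted input, so names are validated, non-sinkhole records are dropped, and an empty result never replaces a working file.

```shell
#!/bin/sh
# Added example (not from the thread, not Pi-hole code): refresh a hosts-format
# blocklist for dnsmasq. Pair it with a systemd timer, e.g.
#   [Timer] OnCalendar=daily  /  [Service] ExecStart=/usr/local/sbin/refresh-blocklist.sh run
# and tell dnsmasq about the output file with: addn-hosts=/etc/dnsmasq.d/blocklist.hosts
set -eu

BLOCKLIST_URLS="${BLOCKLIST_URLS:-https://example.invalid/hosts.txt}"   # PLACEHOLDER, replace
OUT="${OUT:-/etc/dnsmasq.d/blocklist.hosts}"
ALLOWLIST="${ALLOWLIST:-/etc/dnsmasq.d/allowlist.txt}"                  # one name per line, # comments ok

# Constructed sample of what an upstream list can contain (comments, mixed case,
# duplicates, a line that points a name at a real address, invalid names).
SAMPLE_HOSTS='127.0.0.1 localhost
0.0.0.0 Ads.Example.COM # tracker
0.0.0.0 ads.example.com
1.2.3.4 evil.example.com
0.0.0.0 bad_name.example
0.0.0.0 ok.example'

# normalize_hosts: stdin = hosts-format lines, stdout = "0.0.0.0 name" lines.
# Only sinkhole records (0.0.0.0 / 127.0.0.1) are kept, so a list cannot
# redirect a name to an attacker-chosen address; names must look like RFC 1123
# hostnames (letters, digits, hyphens, at least one dot); duplicates are dropped.
normalize_hosts() {
    tr '[:upper:]' '[:lower:]' |
    sed 's/#.*$//' |
    awk '
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) {
                h = $i
                if (h == "localhost" || h == "localhost.localdomain") continue
                if (length(h) > 253) continue
                if (h !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
                if (!seen[h]++) print "0.0.0.0 " h
            }
        }'
}

# apply_allowlist: drop names listed in $ALLOWLIST (skipped when the file is
# empty or missing; an empty first file would otherwise confuse the NR==FNR idiom).
apply_allowlist() {
    if [ -s "$ALLOWLIST" ]; then
        awk 'NR == FNR { if ($1 != "" && $1 !~ /^#/) allow[tolower($1)] = 1; next }
             !($2 in allow)' "$ALLOWLIST" -
    else
        cat
    fi
}

# refresh: fetch every URL, normalize, write atomically, reload dnsmasq.
refresh() {
    tmp=$(mktemp)
    for url in $BLOCKLIST_URLS; do
        curl -fsSL --max-time 60 "$url" || echo "warn: fetch failed: $url" >&2
    done | normalize_hosts | apply_allowlist | sort > "$tmp"
    # Never replace a working list with an empty one (e.g. every fetch failed).
    if [ ! -s "$tmp" ]; then
        echo "error: empty blocklist, keeping existing $OUT" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$OUT" && rm -f "$tmp"
    # dnsmasq re-reads addn-hosts files on SIGHUP
    if command -v systemctl >/dev/null 2>&1; then
        systemctl kill -s HUP dnsmasq.service || true
    fi
}

# Only the timer (which passes "run") performs the network fetch.
[ "${1:-}" = "run" ] && refresh
```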
I invite you to look at the codebase more closely. Pi-hole is a fork of dnsmasq (FTL), a PHP web app, and a python web application, plus a bunch of shell scripts.
Compared to what I linked above, there's really no comparison in terms of simplicity.
You literally said: "dnsmasq + periodically updated hosts file".
That is what PiHole, in its core, is!
The rest is just for the webserver, dashboard and API. You don't really need that. Sure, your solution requires less code but I don't think it's easier to setup or manage.
> The rest is just for the webserver, dashboard and API. You don't really need that. Sure, your solution requires less code but I don't think it's easier to setup or manage.
I think this really depends on who you are. For me, using a systemd timer and a systemd service is easier than the set of ad-hoc solutions Pi-hole uses. For someone else, probably Pi-hole is easier. That was my point in the OP.
I am running Pi-Hole at home (on a Ubuntu VM, no Raspberry Pi necessary). In addition I have a Wireguard VPN server which uses the DNS server from Pi-Hole. This way I have a system-wide ad blocker for my smartphone when connected to the VPN. The latency hit from this setup is barely noticeable.
This might be an alternative for people who are too lazy for setting up a pi-hole or desire things to be a couple of ms faster: https://simplednscrypt.org/
That isn't what I would call a simple solution for lazy people, it requires the user to run a local service and download/setup their own blocklist, with no way to automatically update it.
Adguard DNS is a simple solution for lazy people. Change your DNS server and, well, that's it.
I'm a huge fan of this project! I have 3 set-up right now.
One as a container on my Nuc at home for myself, and 2 others on old Pi's (one is a 1st gen B model) for family. A simple cron job to run every 2 months keeps everything up to date. For myself I use Wireguard to only forward DNS packets to the PiHole when I'm outside the house.
If you install a PiHole (and maybe Unchecky.com) your help desk calls from family will drop by 90% (personal experience).
I have Pi Hole running on my LAN and it's amazing. Also helped me identify that my Amcrest PoE security cameras aggressively phone home, even when no cloud functionality is configured on them. All the reason to keep them on their own VLAN and off the Internet.
Phoning home is not an Amcrest-specific thing, all of my cameras (I have a handful of Amcrest and D-Link cameras, and one Reolink camera) try to do that. I've put them all in a separate VLAN which can't access anything, not even DNS. The NVR software lives on a different VLAN and is able to open connections to the cameras for recording.
This setup works perfectly. Most importantly, the cameras all work fine even if they can't phone home.
How do you like the D-Links? I've got two plus one of their video recorder appliances, and have found them to be completely reliable but the app is hot garbage. Any tips?
They're OK, but fairly old. I've switched to Amcrest as my go-to brand as I'm having a tough time figuring out if the newer D-Links will work with Blue Iris or if they will only work with D-Link's app/cloud stuff.
Some of them are starting to exhibit mechanical failures - I have one pan/tilt model where the connection between the camera and the rest of the unit has broken, and I have another where the mechanical IR filter is starting to stick and sometimes fails to engage or disengage. I think these failures are primarily age-related and I expect that my Amcrest cameras will eventually start to fail in the same way.
These days my main considerations are whether the camera can serve up an RTSP stream. I do all of the motion detection/notification/recording/viewing/etc via Blue Iris.
The access point I use is a UniFi AP-AC-Pro. You can create multiple wifi networks and map each one to a separate VLAN. I also use UniFi switches and a UniFi Security Gateway, but really any equivalent that supports VLANs will work.
I believe I also accomplished the same thing with an Asus router/AP running DD-WRT, but that was a long time ago.
As the situation has worsened with the latest release of Safari I'm really interested to globally setup Pi-Hole on a VPS via docker and use it in combination with VPN (Strongswan) for all of my devices (also mobile). Has anybody had success with such a setup yet?
I have run pi-hole on the cheapest tier of Rackspace cloud server for 2+ years now with great success. It's wonderful. Just configure my router's DHCP to set my pi IP for DNS and no ads anywhere (YouTube, streaming [except Hulu unfortunately], and general browsing). It's especially nice now that it seems every company is offering their own streaming apps with ads. Recent example was I wanted to watch an action sports video and firetv had it with the redbull app. Ten or so minutes in and the video was interrupted with "here's some ads" stinger and then the video immediately resumed. Kinda caught me off guard but produced an instant smile.
One thing to consider though is becoming a DNS resolver for any random thing on the net. What I did for this was create a bash script that adds the visiting IP to an iptables whitelist. Created an impossible-to-guess php page (pi admin uses php so it's already installed and ready to go) which takes the REMOTE_ADDR and passes it to the bash script to add to iptables. Makes it super easy to allow IPs when the ISP changes address or when visiting family/friends and they want to use it.
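The "visiting IP goes into an iptables whitelist" script from the comment above, written out as an added example (not the commenter's script, not Pi-hole code). It assumes, hypothetically, a baseline where port 53 is dropped by default, and that the web page hands the script REMOTE_ADDR as its single argument through a sudoers entry; the part worth seeing is that the address is strictly validated before it is ever placed on an iptables command line, and that an existing rule is not duplicated.

```shell
#!/bin/sh
# Added example (not from the thread, not Pi-hole code): allow one visiting IPv4
# address to reach the resolver. Assumed baseline rules (hypothetical), so that
# anything not explicitly allowed is dropped:
#   iptables -A INPUT -p udp --dport 53 -j DROP
#   iptables -A INPUT -p tcp --dport 53 -j DROP
# Assumed web-side wiring (hypothetical): the php page runs
#   sudo /usr/local/sbin/allow-dns-client.sh "$REMOTE_ADDR"
# under a sudoers line like
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/allow-dns-client.sh
# so the web server never composes a shell command from user-controlled text.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# validate_ipv4 ADDR: succeed only for a plain dotted quad with four decimal
# octets 0-255 and no leading zeros. Rejects empty input, IPv6, shell
# metacharacters and anything else that has no business in a firewall rule.
validate_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # decimal, no leading zero
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# allow_ip ADDR: insert ACCEPT rules for udp and tcp port 53 ahead of the
# default DROP, skipping each rule if it already exists (-C = check).
allow_ip() {
    validate_ipv4 "$1" || { echo "rejected: '$1' is not a valid IPv4 address" >&2; return 1; }
    for proto in udp tcp; do
        "$IPTABLES" -C INPUT -p "$proto" --dport 53 -s "$1" -j ACCEPT 2>/dev/null ||
        "$IPTABLES" -I INPUT -p "$proto" --dport 53 -s "$1" -j ACCEPT
    done
    echo "allowed $1 on port 53 (udp+tcp)"
}

# When run as a command (as from the sudo call above), process the one argument.
[ $# -eq 0 ] || allow_ip "$1"
```

Pair it with a periodic job that flushes these ACCEPT rules, since "allow forever" is how an allowlist quietly turns back into an open resolver.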
"One thing to consider though is becoming a dns resolver for any random thing on the net. What I did for this was create a bash script that adds the visiting ip to iptables whitelist. Created an impossible-to-guess php page (pi admin uses php so it’s already installed and ready to go) which takes the REMOTE_ADDR and passes it to the bash script to add to iptables."
I hesitate to mention this, as it causes heads to explode, but the problem you're describing is nicely solved with port-knocking. Might be easier than setting up the php page, etc. ...
Because it’s available everywhere e.g. work/family/friends etc. and I can share it with family/friends as well. It’s a lot of fun to see people’s reactions when they see what the net can be like without all of the ads.
Please do not open port 53. Without proper counter-measures, open resolvers contribute to DNS Amplification attacks. If you have an open resolver, I guarantee that it is being used maliciously. Please close your port 53 and use a VPN to securely access your pihole.
> A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic.
DNS queries are much smaller than DNS responses. Making a huge amount of queries uses less bandwidth than it takes to respond - making it a prime candidate for DDOS attacks. Look at your logs, no doubt you will see a large number of requests for various hosts. This is your system being used to attack people. Please close the port.
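The "look at your logs" check from the comment above, as an added example that is not part of the thread and not Pi-hole's own code. It reads dnsmasq's `log-queries` lines (the format in Pi-hole's pihole.log) and reports every client outside private IPv4 space, counting separately the ANY/TXT/DNSKEY queries whose large responses make a resolver useful for amplification; the sample log is constructed, using documentation address ranges, and IPv6 clients are skipped because what counts as "local" there depends on your own prefix.

```shell
#!/bin/sh
# Added example (not from the thread, not Pi-hole code): is this resolver serving
# clients outside the LAN? Input format is dnsmasq "log-queries" output, e.g.
#   Jan  1 00:00:03 dnsmasq[100]: query[A] example.com from 192.168.1.10
# Usage against a real log:  report_external_queries < /var/log/pihole.log
set -eu

# Constructed sample log: two LAN clients, two outside clients (documentation
# ranges 198.51.100.0/24 and 203.0.113.0/24), one IPv6 client, one non-query line.
SAMPLE_LOG='Jan  1 00:00:01 dnsmasq[100]: query[A] example.com from 192.168.1.10
Jan  1 00:00:02 dnsmasq[100]: forwarded example.com to 192.0.2.53
Jan  1 00:00:03 dnsmasq[100]: query[ANY] example.org from 198.51.100.23
Jan  1 00:00:03 dnsmasq[100]: query[ANY] example.org from 198.51.100.23
Jan  1 00:00:04 dnsmasq[100]: query[A] cdn.example.net from 198.51.100.23
Jan  1 00:00:05 dnsmasq[100]: query[TXT] example.org from 203.0.113.9
Jan  1 00:00:06 dnsmasq[100]: query[A] nas.lan from 10.0.0.5
Jan  1 00:00:07 dnsmasq[100]: query[AAAA] example.com from fd00::5'

# report_external_queries: stdin = log lines, stdout = "queries amplifiable ip"
# per client outside RFC 1918 / loopback space, busiest first. "amplifiable"
# counts ANY, TXT and DNSKEY queries, the types with the largest answers.
report_external_queries() {
    awk '
        function is_private(ip,   o) {
            split(ip, o, ".")
            if (o[1]+0 == 10 || o[1]+0 == 127) return 1
            if (o[1]+0 == 192 && o[2]+0 == 168) return 1
            if (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) return 1
            return 0
        }
        NF >= 8 && $5 ~ /^query\[/ && $(NF-1) == "from" {
            ip = $NF
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next    # skip IPv6 clients
            if (is_private(ip)) next
            n[ip]++
            if ($5 == "query[ANY]" || $5 == "query[TXT]" || $5 == "query[DNSKEY]") amp[ip]++
        }
        END { for (ip in n) printf "%d %d %s\n", n[ip], amp[ip], ip }
    ' | sort -rn
}

# external_client_count: number of distinct outside addresses that were answered.
# Anything above zero on a home resolver means port 53 is reachable from the
# internet; the fix is a firewall rule or VPN-only access, not a blocklist.
external_client_count() {
    report_external_queries | wc -l | tr -d ' '
}

# Demo on the constructed sample when run directly.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | report_external_queries
fi
```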
You could instead WireGuard split tunnel DNS traffic and serve it with Pi-Hole or forward it to dns.adguard.com if you do not really require analytics or use unbound with block lists to resolve names recursively.
Have you managed to get WireGuard to do split tunnel DNS? I've been wanting to do this, but couldn't figure out how to make it work on Android, for example.
Thanks for your answer. I think the sources you linked to are tunneling all of their DNS queries through Wireguard. I don't want to do this, since my work has some DNS records which only resolve internally. Basically I want to be able to give DNS names to the various hosts on my Wireguard network, while falling back to the DNS provided by the network I'm on.
Edit: per discussion on r/Wireguard, looks like one solution is to run dnsmasq locally on ::53 and forward public queries to the VPN/DNS provider of your choosing and resolve private queries locally.
Yeah, thanks for looking deeper into it. I found before that I could do it by running my own DNS server (like dnsmasq) on the local device (so I could do it no problem on my laptop), but that isn't easy on a phone.
I would like to do the same. Maybe have a DNS server (pi-hole) on AWS and do a simple web UI where you can log in and it whitelists your IP in the security group.
I already have uBlock Origin on Firefox, with tracking protection set to strict and I don't really remember seeing ads on desktop.
I guess the main benefit of the PiHole is to have ad blocking on mobile devices, iPads... and others, do you think this is worth the effort of setting up in your experience?
It's worth it if you have a lot of "secondary" devices on your network (phones, tablets, smart tvs, game consoles, IOT devices) because then you get ad blocking and no tracking for free on devices you couldn't otherwise effectively block. If you have a lot of those sorts of devices then it's definitely worth it.
If you have an extra Raspberry Pi laying around, and are comfortable adjusting your DNS settings on your router, then it's definitely worth it too.
I have PiHole running my DHCP server as well, so I can assign static IPs to my devices as well, which is nice if you have any servers running or like to SSH into devices.
That's the reason why I switched to Firefox on my android device. You can install ublock (and dark reader) and it really changes the browsing experience on your phone. It's a somewhat worse browser experience, but to not have ads and have every website be in dark mode is quite glorious.
I have similar numbers. 90% of the blocked requests I see come from 3 apps that are particularly diligent about submitting metrics. 2 phones have Outlook installed and boy does Outlook hate it when metrics fail! Those phones alone account for half of the DNS requests in a network with about 15 devices, despite being out of the house for 9 hours every day.
Currently using uBlock Origin and thinking of adding the pihole (partly because it just seems like a fun weekend project). Anyone have experience with how often maintenance needs to be done and/or settings need to be tweaked on the pihole? Hoping for something I won't have to fiddle with more than every couple of months once it's set up.
The management page will tell you if there's an update. I don't remember if it lets you update it from there, because I always log in through SSH and run the update command anyway. I rarely need to change blocklists; mostly I temporarily disable blocking for a few seconds for something else to work.
I run my Pihole on an Ubuntu system with other things (not running on a Raspberry Pi), so my issues might not be yours. The update process always resets the management port. After rebooting the system, I have to manually restart the Pihole process for Pihole to work.
The effort is super low, the most time consuming step is downloading Raspbian and flashing it to the SD card. And _as soon_ as I set it up I noticed how much faster it makes things (I was already running ad blockers).
All you have to do is run a script from the pi-hole website to install. It's very effortless. Like... literally effortless. If you're posting here, I guarantee you could do it in no time. The "hardest" part is excluding an IP for the pihole & setting your DHCP server to serve that IP w/ new leases. Good luck dude.
Well, to be fair, there's some effort in setting up the RasPi to begin with - flashing a memory card and installing the Linux OS flavor (which one?), etc. There are a lot of steps.
I'm a total newbie and figured it out, but didn't find it "effortless". Lots of instructions to follow.
Go for it, it's really worth the effort, even if it is a small one, with the bonus of being fun (at least for me it is). I can't imagine setting up my home network without pihole, and I'm considering setting it up at work, I manage a small network with 100 devices connected to the internet.
DNS is a very light protocol. In addition, responses tend to be cached, so it's not like the Pi would be hit with a dozen queries on literally every page load for every client on the network.
As @theandrewbailey mentioned, DNS is a light protocol, I guess even older Pis would handle it pretty well. But, as a permanent solution, I would opt to set it up on a VM/Docker so that I could have snapshots to quickly recover the service in the event of a problem.
If you have an existing desktop unused or something you can run it on any Linux. I personally run the PiHole on a Debian VM on my FreeNAS server (that is already running).
Is this substantially better than using ublock origin? I feel like my browsing experience is pretty good right now, and I'm uncertain what the benefits to upgrading are.
No. But it works on all devices in your network (phone, computer, smart TV, WiFi connected dishwasher, etc.). I've never really understood how much tracking some apps on my phone did until I saw the graph showing lookups to Facebook's and Google's servers. In the middle of the night, a bunch of apps started trying to reach some tracking domain, something I would never have noticed if it wasn't for the graphing feature.
One way I've noticed the difference with and without pihole is that most apps on my phone become ad free when I connect to my home network. On most phones ad blockers exist, but those are just another layer of software that needs to be woken when the phone wakes from deep sleep.
I use pihole + uBlock in Firefox with tracking protection (on both mobile and PC) for my browsing, but Pihole saves me the effort of finding a reliable Android system ad blocker that's reasonably power efficient. I'm considering also using it on my laptop as a VM to get the same features on the go.
It really depends on what you want/need. The Pi-hole blocks ad traffic by blocking DNS requests to known advertisement URLs. Ublock Origin works great in your browser. However, what about that app on your phone that plays an ad every time you open it? What if you use a mobile browser that doesn't have extensions (Chrome on mobile doesn't).
It really comes down to where you want to block ads.
Also, I don't know if Ublock Origin actually blocks the ad requests or just prevents them from loading, but if it's the latter, then you can reduce traffic with Pi-hole as well.
You need to set up uBlock Origin on every browser on every device. With pihole, all your devices automatically get ad blocking; even your friends coming over and connecting to your wifi get the ad blocking advantage without having to do anything on their part.
There was a thread a month ago here (or on Reddit perhaps) about smart TVs scanning/connecting to open hotspots if they can't phone home from their WLAN.
Someone also claimed TVs from the same manufacturer connect to each other in a mesh to find a way to phone home, but that sounds a little too spectacular...
Preface: I'm moderately technical but don't understand the specific nuances of DNS.
Is there any possibility Pi-Hole and the DNS server plus hosts file could be used in an attack? Could I set up a web server with an identical UI to my target site, get one of the list providers to direct chase.com to my IP, have the list propagated to all Pi-Hole devices, and start collecting credentials?
At the moment, if an attacker has control of your DNS, it's game over before you even start. There are some technologies that help, such as secure DNS (DNSSEC) and "certificate pinning" but they don't do everything.
In the case of DNSSEC, it doesn't do anything in this scenario, for two reasons: first, and most importantly, virtually nobody uses it (for instance, like almost every tech company as well, CHASE.COM isn't DNSSEC-signed and isn't likely to do so), and secondly because DNSSEC protects only server-to-server lookups and not client-server lookups, so if your Pi-Hole picks up a bad record somehow, DNSSEC isn't going to keep your browser from detecting that.
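The question above is really about trusting third-party lists. A sanity check a defender can run on a hosts-format list before loading it into a DNS sinkhole, added here as an illustration and not part of the thread or the Pi-hole project: flag any entry that points a name somewhere other than a sinkhole address, flag names on a personal watchlist (your bank, your employer) that a generic ad list should never touch, and flag malformed names. The sample list, the 198.51.100.7 address and the watchlist are constructed.

```python
"""Sanity-check a hosts-format blocklist before it is loaded into a DNS sinkhole.

A list should only ever null-route names (0.0.0.0, 127.0.0.1, ::, ::1). Any
other address is a redirect, which is exactly the credential-harvesting
scenario to refuse. Plain domain-per-line lists are accepted as well.
"""
import ipaddress
import re

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Lower-case labels of 1-63 chars, no leading/trailing hyphen, 253 chars total.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed sample, not a real blocklist. Line 6 is the poisoned entry.
SAMPLE_LIST = """\
# constructed sample list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
127.0.0.1 metrics.example.com
plain-domain-list.example.com
198.51.100.7 www.chase.com
0.0.0.0 login.chase.com
0.0.0.0 bad_name.example
"""

def check_blocklist(text, watchlist=()):
    """Return (line_no, kind, detail) findings; an empty list means clean."""
    findings = []
    watch = {w.lower().rstrip(".") for w in watchlist}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:                                  # hosts format: <addr> <name>...
            addr = str(ipaddress.ip_address(fields[0]))  # normalised, so 0000:: == ::
            names = fields[1:]
        except ValueError:                    # plain domain list: <name>
            addr, names = None, fields
        if addr is not None and addr not in SINKHOLE_ADDRESSES:
            for n in names:
                findings.append((lineno, "redirect", f"{n} -> {addr}"))
        for n in (x.lower().rstrip(".") for x in names):
            if not DOMAIN_RE.match(n):
                findings.append((lineno, "malformed", n))
            elif any(n == w or n.endswith("." + w) for w in watch):
                findings.append((lineno, "watchlist", n))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in check_blocklist(SAMPLE_LIST, watchlist=("chase.com",)):
        print(f"line {lineno}: {kind}: {detail}")
```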
I set up a pi hole a few months ago. I'm not sure why I waited so long to do so. It's been great to be honest. Now and then someone in my family has a broken web app and I have to whitelist a few things. Confused my wife once or twice, but that's about the only downside. Now she knows to check with me if she doesn't get the expected result.
Isn't it easier to set it up with wireguard? I’ve recently set up my turris running “adblock” (openwrt) natively with only wireguard open, connecting from my laptop, ipad and iPhone, which seems to me to be a far lighter and easier setup ....
It doesn't work for me at least. I still see a ton of ads in the YouTube app on all of my Roku devices. I heard that it works for some people so maybe I'm hitting domains that aren't in the blocklists due to my location?
If you are looking for more blocklists, I maintain several. I recommend my 'Ads & Tracking' list for most people. I also have an aggressive list - which I don't normally recommend. I also have a Google AMP list and a Facebook products list (not just facebook - but their other products as well). Anyways, you are welcome to check it out and give me any feedback you have:
Easylist was meant to be an adblock browser extension list and as such it's not perfectly suitable for a DNS blocking solution [0].
> select filter lists for use in your browser provided that you are using a compatible ad blocker (tested with Adblock Plus, AdBlock and uBlock Origin).
The replacement is any other list of hosts available for PiHole.
They have other blocklists. In fact, easylist isn't even enabled by default in Pi-hole. I've been running Pi-hole with its default set of blockers and it still blocks quite a bit, but there are all sorts of lists you can add on top of that.
These 20% of queries could be 50% (or whatever) of your traffic. It depends on what would be downloaded if the queries were successful.
You could measure the website you're visiting with/without the pihole.
I found it worked better for me because the annoyances list was too broad and blocked too many legitimate page elements, such as the <div> containing the play button for NPR podcasts.