AdGuardHome is far better than PiHole. It's a single Go binary and I think the UI is better. It won't break if you upgrade your system. You don't need Docker or a LAMP stack. Just pull the binary and run it. It will even generate a systemd service file for you if you need.
Wow, was debugging a dockerized Pi-Hole when I saw this comment.
Now I'm running AdGuardHome on an EdgeRouter-POE, very slick install via script!
Happy to move on from constantly handholding Pi-Hole. I had to move it from a Raspberry Pi to an Intel NUC earlier, since the raspi SD-card had crapped out.
Yay for efficient programming!
Edit: Also great to see that AGH has secure DNS built in. My Pi-Hole solution required cloudflared [0] for that.
Agreed, the fact that it's a single binary made me switch from pi-hole. I don't need to run an extra device now, AdGuard runs directly on my edgerouter-x.
This is cool. I was planning on setting up a PiHole soon, but maybe I'll try this instead. Are there any downsides you've noticed?
Also, I'm cool with a paid product, but it looks like this one is open source? I know they have paid products, but I can't figure out if it relates to this at all?
Agreed! I switched to a GL.iNet Flint router which has AdGuard built in. It’s incredibly simple to set up compared to a separate pi-hole and easy to edit a custom Allow/Block list. No hesitation in recommending this to non-technical people too.
That looks interesting. I'm using a pi-hole now, but it seems that AdGuardHome can be installed directly on my (OpenWrt) router. Does anyone here have experience with that?
I do have proxmox at home already, so spinning up a container for PiHole and pivpn was super easy. But it looks like AGH supports certain features PiHole does not.
I used a Pi-Hole for all devices in my house, including my work MacBook. They manage their MacBooks with JamF, so most things are pretty locked down (including DNS settings in System Preferences). Sudo access is only possible if you open up the Self Service app, login, and issue yourself sudo/admin access for 6 hours. Once it expires, you have to issue yourself admin/sudo access again. No sudo = no changing DNS.
I set it and forgot it, until I went to Estes Park, Colorado over the Christmas holidays one year. I travelled with my MacBook just in case anything popped off... and it did. I logged into my MacBook, but quickly realised that although I could connect to WiFi as normal, no DNS would resolve (it was pointed to 192.168.1.100 of my home network), and I couldn't connect to anything - including logging in to the Self Service app to re-issue sudo access, to change the DNS. I had to walk a new colleague through how to handle the scandal over the phone, driving through the mountains... thank goodness for good cell service!
The best config I've found is to have the pihole use NextDNS as its upstream server and have the DHCP server on the router hand out the pihole's ip as the DNS server. Have tailscale set up on the pihole as a subnet router so it gives you access to your home network on the move. Then have your tailscale dns point to the tailscale ip of your pihole.
All machines on your local net now use the pihole as dns as handed out by the router, and when you roam tailscale routes your dns to your pihole.
If you're travelling overseas though, it makes sense to reconfigure tailscale to use NextDNS directly so its faster.
Mainly because you can set it to hand out a configured TTL - I set it to provide a min value of 2400 (40 mins) so the frequency of queries reduces and most other queries from across the LAN get answered locally from the pihole cache
You shouldn’t trust your upstream provider if you use a major ISP. Most collect data not only from their own DNS servers but also unencrypted traffic over port 53 and then sell that data.
Using NextDNS allows you to use encrypted DNS upstream (supported out the box with AdGuardHome, unlike pi-hole), meaning your ISP can’t as easily snoop on you. Of course, they still may be monitoring the hosts you connect to and the non-encrypted SNI requests, but that’s a lot more effort and most of the major US ISPs don’t do that at scale. DNS snooping does almost as well and is way easier.
An ISP is a paid and contracted service. NextDNS is free (300k queries/month) and Tailscale too. Who do you think is most likely to sell your data to make business?
Yes, this. Although it's not so much a trick and more managing your home network so it's like any other. Computers connected to the network should automatically detect everything they need to work normally, so no manual settings are needed.
Otherwise, as the parent poster realized, moving the device to another network will require manual changes. And then changes again when you get back.
MikroTik's Router OS is able to have pi-hole in container directly on router, as well as Wireguard that is now in OS by default.
I'm just not able to configure a custom upstream in pi-hole (i.e. Unbound or NextDNS). Probably some firewall rule or something related to the setting of the container to work with pihole.
Wireguard has now been in the kernel for OpenWRT releases since 20.xx (maybe earlier?) so you don't even need a Pi if you have a decently robust router that will take OpenWRT. Netgear R7800s are a sweet spot for this setup, dual core 1.9ghz ARM A15 and they even have an eSATA port.
Then you lose all your blocking/filtering when you're least equipped to deal with the noise. I use NextDNS via DoH which a) works the same everywhere and b) encrypts the DNS traffic out of the machine.
This is why I have my rpi4 set up as 1) a Pi-hole, 2) Wireguard VPN host and 3) DHCP DNS server on my home network. That way, as long as I am connected to the VPN from my phone I get no ads. If there's any kind of network issue at my house I can just disable the VPN on my phone. This also has a side benefit that I can use my phone's wi-fi hotspot to remote into my work machine at home as needed.
Sounds awful, most consumer connections have restricted upstream (like 1200/25 Mbps). Instead just take a travel router (GL.iNet makes nice ones) with you, set up to use Wireguard and Mullvad and to internally serve DNS from NextDNS
I take your point. But how do you power this travel router? Also, does it have a 4G/LTE/5G SIM card? Otherwise, what is its modem; i.e. how does it route?
It connects to wired or WiFi connections and bridges it to a separate internal network and routes all traffic across its VPN tunnel. These are common devices for security conscious travelers. Yes, some support cellular either directly or via USB LTE modems.
I treat my work laptop as a hostile entity on my network. It connects to a dedicated Wi-Fi network with client isolation enabled and on a dedicated VLAN with no access to other VLANs, just egress to the internet. DHCP serves 8.8.8.8 as DNS.
On the trusted VLAN I use Technitium as DNS and DHCP. I don't use any block lists, though, because I had too many complaints from other network users. Technitium is mostly just because it's easy to manage DHCP hostnames and other DNS records in the same UI.
As a person who manages workplace malwar^Wdevice management software, this is a wise choice. You can gather so much information from home networks, just by passively listening.
Care to share any concrete examples on "useful" information that has been gathered this way?
Also, FWIW, I'm assuming this hypothetical software is clever enough to only function in jurisdictions where that would be legal? Spying on your employees home network is a massive no-no here, you'd need some very deep pockets if you wanted to attempt it, because when you are found out you'll be paying a lot of compensation for privacy violations.
In America, if you are using company property at home on your personal network and the company tunnels in and scans your home network for "security" reasons, there's not much recourse.
You would have a very difficult time even proving that they did it unless they told you that it happened or if you were the kind of person who, bordering on certifiable paranoia, kept logs of all of your home internet traffic.
Even then, the only thing you could do would be to sue the company, a very expensive process with no guarantee of success and that would take years to see any small measure of justice. They would only be liable for the damages you suffered as a result of their theoretically justifiable intrusion into your home network unless they tampered with your systems or downloaded files from your other computers, in which case you may have a criminal complaint against your company, but even with the Federal laws (like 18 U.S.C. § 1030 federal computer hacking) you not only have to prove that they accessed your personal computers without your permission but also that they did so with the "intent to cause harm".
If they did this and then fired you because of what they found, then you might have the slimmest of chances with a good lawyer to both federally prosecute the company and also sue for damages, but you first have to keep a flawless and undebatable log of all network activity on your personal network, bring a work computer to your home, join it to your network, and have someone acting in an official capacity from the company (because some rogue I.T. guy poking around doesn't represent the company and would thus be personally liable for the damages, absolving the company of any guilt) use that computer to access your personal network, snoop around, and download your personal files or data AND cause you some verifiable injury for what was found.
To say that is a tall order is such an understatement it's like saying Mars' Olympus Mons is a pretty big pile of dirt.
Organizations with savvy legal and security teams are going to either not do this in jurisdictions where it's not legal, not do it at all, or be very quiet about it.
I'm not a security professional so take this with a grain of salt but, if I were going to do this I would be listening for things that could conceivably be trying to pop equipment in employee possession. So malicious mDNS advertisements, nmap scans, that kind of thing.
1. Using tcpdump passively to collect multicast, broadcast, etc with, for example, information such as identity information and in some cases what you're watching on your streaming box. This isn't always encrypted.
2. Using tools to sniff Bluetooth and Wi-Fi information. macOS and Windows include such tools by default.
Sure! I use TP-Link Omada access points and a mix of managed L2 switches (TP-Link, Unifi, Brocade, Mikrotik). My router is VyOS running on a used commodity SFF box.
I know you can accomplish the same thing with Unifi access points and security gateway and of course Ruckus, Cisco, Aruba, etc will as well. I don't know of any residential equipment that will but I haven't used residential Wi-Fi gear for almost a decade.
The setup is:
- traffic on a particular SSID gets tagged with a VLAN at the AP
- That VLAN is tagged on all of the switch ports between the AP and the router
- the router's firewall is configured to block the guest subnet from the other local subnets and allow internet egress
My bet would be that if they're quarantining their work device, they also don't use it for anything other than work, and don't use any other device for work. If that's the case this would never come up.
Yep, this. No personal stuff on work laptop, with the sole exception of my Spotify login. No work stuff on personal machines other than my payroll login.
Files don't leave my work laptop. If I need to get files into my work laptop (very rarely, usually slack emojis) I email them to my work account or share a Google Drive folder with my work account. These methods are traceable and auditable for my company and, importantly, don't open any of my personal accounts to legal discovery from the company's side as far as I can tell.
Wait, your work laptop only lets you perform administrative tasks on the local machine if it can connect over the internet to corporate, and that includes being unable to modify certain network settings without first having a working network uplink? That sounds like something that was always guaranteed to break in an awkward way, not a particular problem with the DNS server that you happened to be using that day.
Yeah exactly! Just once (every x hours) but always required for anything sudo, and it's really buggy, too. Restarting stuff, installing some stuff with brew sucks especially, even updating some apps all require sudo. I've resorted to stacking the prompts in my lower right corner until I have to do to
That's why I ultimately stopped using my pi-hole. It works great most of the time, but there are enough exceptions that other users on my network (wife and kids) weren't able to address. I now use the adguard public DNS service and am quick to toggle it off when connecting to other networks when out and about.
This is why I recommend folks instead use NextDNS and a DoH resolver proxy on their edge device. Plus Pis have poor resilience to power issues which are commonplace.
Using NextDNS you are getting the same capability served by a global anycasted network of resolvers and it can work even on your phone while away from home (because the mobile web is even more gross).
I love, use, and subscribe to NextDNS, but round trip times from my house to their nearest Anycast address are large enough to notice a substantial difference loading webpages, over using a local caching DNS server (or 8.8.8.8 Anycast, for that matter).
Yes, that is true. They don’t have as many PoPs as Google and Cloudflare do. This is why I use a local caching resolver in front of it. If you use Firefox on desktop and configure it to use DoH it also internally caches, which greatly helps performance.
The benefits outweigh the downsides, and at least in North America the performance is good.
Wouldn't help here, since most people have to use DDNS to connect back home since residential IPs change constantly. And with no DNS resolver, no DDNS lookup, no phone home.
Best way to handle it is to just reconfigure your router to hand out the pihole dns server to all the clients on your network. That way it's automatic when at home, and doesn't override anything when you're away.
Another option is to make your pi-hole semi-public, so you can see it whatever network you are on. You don't want the world and his dog's fleas using your DNS resolver though, so you'd have to arrange some form of port-knocking or other authentication solution to temporarily open up the relevant ports to you (or at least just the network local to you) and not everyone.
Another hack to consider is running pi-hole in a VM or container on the laptop itself, and have it act as a filtering cache for a more public resolver. Though this imparts an administrative load, you no longer have a single pi-hole so either need to configure it separately or arrange for it to be able to sync with config on your main instance.
Both these arrangements will have trouble if you find yourself on a network that blocks DNS requests to anything other than its local resolvers (though for the pi-hole-on-laptop you can always reconfigure pi-hole to look at the local resolvers if/when needed), so the VPN option is better where available. If you have no static IP at your base of operations, there is always the option of a cheap VPS somewhere to be the VPN endpoint – essentially my first paragraph but your “port knocking” is connecting to the VPN, with pi-hole either on that machine or a machine also connected to the same VPN to get around its lack of fixed public address. Though back to the adversarial local network problem: if the network blocks DNS queries to non-local resolvers it is not unlikely to try to block VPNs too.
My method is to set up wireguard from my home network to a cheap VPS. I can then VPN into that VPS and get into my home network since the VPS has a static IP
To solve this exact problem PI-Hole is setup as the DNS server on my home router. Hence when out and about the DNS is not bound to Pi-Hole. When I am out I use Tailscale to tunnel my DNS queries to Pi-Hole at my home. Easy and reliable ad blocking on the go.
I think the best way to set pihole up is to use the docker image, https://github.com/pi-hole/docker-pi-hole/. Run it on a pi or any other computer with docker. Upgrades are painless.
I firmly agree, but would make an even more specific recommendation to use the docker-compose setup so that redeploying the same customizations is easy. I do this on two different hosts so I have redundant DNS, and it's been working great for several years.
I went with the pihole in docker approach with a Ubuntu 22.04 machine. Pretty smooth, I had a few quirks with docker desktop for linux that might not show up otherwise. Definitely my recommendation too.
I managed a Pi-Hole in my house for about 4-years, and then I found NextDNS. I'm not a person who shies away from doing things the complicated way (because it's fun or makes life better), but paying only $19/yr to have everything managed automatically for me was a no-brainer. Not having to worry about my mobile devices using it, too, was icing on the cake.
NextDNS is essentially Pi-Hole as a Service, and I'm really happy with it since I just switched from my Pi-Hole days ago. One of Pi-Hole's biggest limitations is that it only worked on my local network, but NextDNS works anywhere you can specify your DNS settings.
Additionally, my Pi-Hole would frequently (at least once a month) require reboots and troubleshooting. That's the last thing I want to do (with family (im)patiently waiting) after working all day.
This is false. My NextDNS clients on macOS, iOS, and iPadOS devices all feature a Disable toggle that stops all blocking and allows un-blocked DNS resolution.
I don't use Windows at home, but I imagine there is a similar toggle.
Looks like there is a way to “pause” NextDNS. To have this ability, you have to set it up via their App and not the (recommended) configuration profile. Then you will gain a simple app with Enable/Disable toggle.
My NextDNS account is amazing, does anyone else use it with Pi-Hole?
I have my traffic going to Pi-Hole, which forwards it to a stubby instance, which encrypts it and forwards it to NextDNS. When I'm out then my phone just sends it straight to NextDNS
NextDNS is pretty good. My only gripe is that it's a chore to unsubscribe from emails because unsubscribe links often have trackers that NextDNS blocks, so I have to go into the NextDNS console and add a temporary exception.
In the Privacy settings tab, there's an option to enable/disable affiliate links: "Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link."
I feel the same way. With my pi-hole I had an easy button to disable filtering for a few minutes so that I could determine if something broke because of that. NextDNS doesn't have that for some reason.
A thing that is needed when combining RPi with Unbound, is a way to resynchronize the system time after power cuts. The standard NTP setup is driven by DNS hosts, and Unbound, at least with DNSSEC validation is time sensitive. The ballet of NORESOLVE is a nightmare.
This happens easily due to the lack of a realtime clock on the Pi. A local GPS with PPS, a dirty ip-based set of NTP hosts or a shell script can solve it, but this should be part of an extensive guide, in my pained opinion :)
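An added example of the "dirty ip-based set of NTP hosts" approach from the comment above, not code from the thread: a minimal SNTP client in Python that talks to servers by IP literal only, so it works before a DNSSEC-validating Unbound will answer anything. The addresses in BOOTSTRAP_SERVERS and the NOT_BEFORE sanity floor are placeholders (assumptions); replace them with servers you trust and a date near your image build. Plain NTP is unauthenticated, so the sanity floor is the only defence against a reply that would wind the clock back.

```python
"""
Added example (not from the thread): bootstrap the clock of an RTC-less Pi
from NTP servers addressed by IP literal, so a DNSSEC-validating Unbound
can start resolving. BOOTSTRAP_SERVERS and NOT_BEFORE are placeholders
(assumption); replace them with addresses you trust and your build date.
"""
import socket
import struct
import time
from typing import Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Placeholder IP literals (assumption). A real list would be a handful of
# addresses you have pinned, e.g. your own stratum-1 box or your ISP's servers.
BOOTSTRAP_SERVERS = ["192.0.2.10", "192.0.2.11"]

# Any reported time earlier than this is rejected as nonsense (a spoofed or
# stale reply turning the clock back). 2024-01-01T00:00:00Z here; adjust.
NOT_BEFORE = 1704067200


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, everything else zero."""
    return bytes([0x23]) + bytes(47)


def parse_response(data: bytes) -> float:
    """Return the server's Transmit Timestamp as Unix time (float seconds).

    Raises ValueError for anything that is not a usable server reply.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    mode = data[0] & 0x07
    if mode != 4:  # 4 = server reply
        raise ValueError(f"unexpected NTP mode {mode}")
    stratum = data[1]
    if stratum == 0 or stratum > 15:
        # stratum 0 is a kiss-of-death code, >15 means unsynchronised
        raise ValueError(f"server not usable (stratum {stratum})")
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # Transmit Timestamp
    ts = tx_secs - NTP_UNIX_OFFSET + tx_frac / 2 ** 32
    if ts < NOT_BEFORE:
        raise ValueError("server time before sanity floor, refusing")
    return ts


def query(server_ip: str, timeout: float = 2.0) -> Optional[float]:
    """Send one SNTP request to an IP literal; None on timeout or bad reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (server_ip, 123))
            data, _ = s.recvfrom(1024)
            return parse_response(data)
        except (OSError, ValueError):
            return None


def bootstrap(servers=BOOTSTRAP_SERVERS) -> Optional[float]:
    """First usable answer wins; returns Unix time or None if every server fails."""
    for ip in servers:
        ts = query(ip)
        if ts is not None:
            return ts
    return None


if __name__ == "__main__":
    now = bootstrap()
    if now is None:
        raise SystemExit("no NTP server answered; leaving the clock alone")
    # Applying the time (e.g. `date -s @<ts>`) needs root; this only reports it.
    print(f"server time {now:.3f}, local clock off by {now - time.time():+.3f}s")
```

Run it from a oneshot unit ordered before unbound.service, and hand over to your normal (DNS-based, ideally NTS) time sync once name resolution works; this is only there to get the clock close enough for DNSSEC signature validity windows.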
Another option is to try to find an old and super cheap laptop and use that instead. Maybe find one with a broken screen or busted keyboard or something that you won't care about.
This is essentially what my MBP with butterfly keyboard has been relegated to in life. The keyboard is unusable, it's too expensive to repair, but it's not a shitty enough computer to just throw away, and there's practically no trade-in value either. So, there it sits in a closet, on a top shelf, just acting as a remote device doing random things as I assign it tasks.
However, cheap is not how I would have described it ;-)
If your laptop's USB ports will provide enough amps, that could work.
Doesn't the Pi 3 expect up to 2.5 amps? I imagine some of that is for powering USB ports, so you could probably get away with 1.5 amps if you're not using them, but even that's a lot for laptop USB. I'd be surprised if any offered more than 1 amp.
Are there any you could recommend? Most that I have looked at cost about the same or more as a Pi in the first place and don't even come with batteries.
I use a big one (think CyberPower and APC) for a small collection of devices including some network hardware. Smaller ones from those brands or AmazonBasics cost around 50 bucks, battery included. I tried a UPS hat, which would have been the most clean-cut solution, but it failed and the battery bloated.
If you power your Pi via USB just use a phone USB bank that works via passthrough. (I don't actually have one to recommend but just one that can charge and discharge at the same time).
> one that can charge and discharge at the same time
I did some research into this as well and I'd gladly consider this as an option but most power banks can't do this. And the ones that do don't tend to advertise it. Every time someone says they found one that can do this, in some forum or whatever, they are no longer available to buy.
Tip: don't run Pi-Hole or any of these containers on a Pi, they're underpowered, flaky and now hard to get. I run several docker containers, including Pi-Hole, on a Lenovo ThinkCentre thin client which I run headless next to my router. Purchased "used" for $120 from eBay, it was actually overstock and brand new. Tons more processing power and RAM than a Pi, an SSD, and for basically the same price all in as a Pi. Just wipe the old version of Windows and install your favorite *nix flavor.
Every time I need another containerized app to run I'm up and running in just a few minutes with plenty of headroom left on the small box.
I’ve had AdGuard Home running on a Raspberry Pi for about a year, and it’s great. It’s basically a set & forget system, meaning you almost never have to visit the dashboard unless you want to whitelist or blacklist a site. And, I’ve found it to be reasonably effective for blocking ads where ad-blockers can’t, at least on iOS
I've used both, and I have found AdGuard Home to be slightly more reliable. These are the major things that made me switch to AGH:
1. Incredibly fast and easy to install compared to pi-hole
2. It's easier to update because you don't have to ssh into the Raspberry Pi, you can just update the thing through the user interface.
3. From time to time, it happened that the pi-hole hung, DNS resolution did not work and I needed to reboot the thing to make it work again. I am not sure how widespread this is but I've seen many other users complain about this particular issue (even though it's a once-per-month thing).
(4. Better APIs)
For an in-depth comparison between the two you can take a look at the AGH GitHub Page[0]
There are several public DNS servers that have block list functionality built in.
This has the advantage of working on any kind of device that allows you to manually specify a DNS server IP address, without having to install or maintain software.
For example, AdGuard maintains public DNS server IP Address options that: filter nothing, filter out ads and trackers, or filter out ads, trackers and adult content.
I can confirm. Set and forget all the way. Works very well on iOS and also on Samsung smart TVs (those are evil without some form of ad block!)
Hardest part for me in the setup was that AdGuard should query my router for the local domain, because that one keeps track of which DHCP IP address is owned by which host. (This way I can always use host names on my internal network even for devices that get an address via DHCP. Very convenient if you play with Pi Zero and other toys)
Pi-Hole is a great starter DNS blocker, but for anyone that isn't interested in the pretty graphs and wants more advanced control: I switched to AdGuard Home and found it more capable.
So here is a real question. Is pihole ( or its equivalent ) enough in today's adversarial environment ( everyone wants to track your internet moves )? I have my thoughts on the subject, but I am curious how everyone's setup evolved.
I'm, honestly, not so much as trying to avoid being tracked entirely. However, I have moved from Pi-Hole to NextDNS to Adguard/DNS/VPN with Apple Private Relay (ON). One day, I want to revamp and setup a better infrastructure but this works for now.
I'm OK with paying for services that the family uses and get returns out of them, such as the YouTube Premium. So, I'm not fighting tooth-n-nail to avoid ads where I can just buy it out.
I have seen and have even tried browsing the Internet without these basic tools (ad blockers), and I'm stunned at what the world has evolved into and how people are on the Internet without these basic safeguards.
The only problem I have is with a few government/banks/insurance website that I have to strip out and go in naked to get things done.
"...and I'm stunned how the world had evolved into and how are people are on the Internet without these basic safeguards."
The world is ruled by money. Advertising is big. Anything that ruins this business will never be advertised publicly. Just imagine huge posters or prime-time TV ads for pi-hole or AdGuard. That would be a paradox not just for advertisers but also for a product that is meant to work against advertising.
Pi-Hole does a lot but it acts against DNS queries, that is, requests done in the open through normal name resolution. If a malicious software or piece of hardware wants to pester the user with ads, or spy on them, through connections to hardcoded IPs without using DNS queries then only a properly configured firewall can be effective. At least until said malware decides to use a well known service nobody would block to phone home, for example by having a mail client buried in the code that exchanges encrypted blobs with user data and/or ads through a gmail address; who would ever block gmail? In that scenario, if that is a device that doesn't need mail functionality, for example a Smart TV rather than a PC, a dedicated firewall that blocks any non essential connection to the outside would be mandatory just for that device.
Pi-Hole is just one step in multiple layers when it comes to protecting yourself; I'd say its main benefit is twofold: ad blocking, and related benefits, and secondly script/malware blocking.
I'd also recommend browser-based blockers for desktop and mobile, uBlock Origin being the best in my opinion, and couple that with others as required.
Find and use a few different upstream, privacy-conscious providers. I'm not convinced of the efficacy of paid VPNs, but by all means obtain and use one under your own control for when you're out and about on "hostile" (read: not home) networks.
I had nextdns, moved to pihole but the maintenance was frustrating- and I couldn’t use it outside of my home network (without more work with setup).
So went back to nextdns - I have set up different profiles depending on who is using it (so my wife is on a light version, no logging, whereas my 9 year old son is on a locked-down version with logging).
It just makes things simpler and is very reasonably priced
> I had nextdns, moved to pihole but the maintenance was frustrating- and I couldn’t use it outside of my home network (without more work with setup).
Maintenance? What maintenance?
I set up my PiHole a couple years ago and haven't touched it since.
Granted, I didn't set mine up on a Pi, I set it up on my EC2 box in AWS. That way, I could have ad blocking on my phone without needing to expose my home network.
I made the same pihole to NextDNS transition. My pihole worked well for 3 years or so. Well enough that I allowed it to become inaccessible without moving lots of furniture.
Then the SD card died. Instead of digging it out to fix it I tried NextDNS and found it works as good or better while also being less work. Well worth $20 to me.
That's impressive. A Pi-Hole outage in the middle of Thanksgiving prompted me to sign up for NextDNS the next day, and since then my household has already used 150k of the 300k available for the free tier.
NextDNS' unlimited queries for its paid plan is also a large reason why I picked it over AdGuard with its 10m queries/mo limit. Even if I'll likely never hit that limit, I don't even want to worry about it.
How do you use NextDNS with hard-to-configure devices? A lot of its config seems to require DNS-over-HTTPS which I'm not sure my Smart TV would support.
You run a DoH or DoT proxy on your edge device or a caching resolver that supports DoH on your edge device, serve DNS from the edge device over DHCP and block outbound DNS from other devices on the network at the firewall. Doesn’t fix evil Google devices that intentionally use DoH to bypass DNS blocking, but there are ways (more complicated, unfortunately) to fix that too.
I use unbound as my edge resolver, and you can use this to help prevent _some_ rogue DoH clients
# nx domain for disabling firefox DoH, so we can still get adblocking
# https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
local-zone: "use-application-dns.net" always_nxdomain
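An added check to go with the Unbound snippet above (example code, not from the thread or from the Unbound project): a stdlib-only Python client that sends a plain UDP query for the canary name to your resolver and reports the RCODE, so you can confirm the local-zone line actually produces NXDOMAIN from a client's point of view. The resolver address 192.168.1.1 is an assumption; pass your own on the command line. The nxdomain_reply_for() helper only builds a constructed reply so the parser can be exercised offline.

```python
"""
Added example (not from the thread): verify from a client that your resolver
answers NXDOMAIN for Firefox's DoH canary, which is what the Unbound
local-zone line is meant to achieve. The default resolver address is an
assumption; pass yours as argv[1]. Stdlib only, no DNS library.
"""
import os
import socket
import struct
import sys

CANARY = "use-application-dns.net"
RCODE_NXDOMAIN = 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100 = RD) for <name>, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_rcode(resp: bytes, txid: int) -> int:
    """Return the RCODE of a reply after basic sanity checks on the header."""
    if len(resp) < 12:
        raise ValueError("short DNS reply")
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    if flags & 0x0200:
        raise ValueError("truncated reply, retry over TCP")
    return flags & 0x000F


def nxdomain_reply_for(query: bytes) -> bytes:
    """Constructed reply for offline testing: echo the question with RCODE=3.

    Flags 0x8183 = QR, RD and RA set, RCODE NXDOMAIN, no answer records.
    """
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + query[12:]


def canary_rcode(resolver_ip: str, timeout: float = 2.0) -> int:
    """Ask <resolver_ip> for the canary over UDP/53 and return the RCODE."""
    txid = int.from_bytes(os.urandom(2), "big")  # random id, not a counter
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_rcode(data, txid)


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumption
    rc = canary_rcode(resolver)
    verdict = "honoured" if rc == RCODE_NXDOMAIN else "NOT honoured"
    print(f"{resolver}: {CANARY} -> {RCODE_NAMES.get(rc, rc)}, canary {verdict}")
```

Two caveats a practitioner will want: the canary only affects Firefox's automatic DoH rollout, a user who explicitly turned DoH on in settings ignores it; and it does nothing for other clients, so you still need the firewall rules for outbound 53/853 and, where you can, for the DoH resolver IPs those devices hardcode.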
I have my home router pointing to their DNS servers, and then NextDNS links your public IP to your account. This ensures all your local devices are using it.
But what if your IP changes? NextDNS provides a URL you can call manually to resync your IP address. I recycled my PiHole with a cron job to just call it every minute.
Does anyone know of a solution that would let me slow down access to certain websites, ideally just for certain devices?
I feel like I wouldn't just default to opening HN and reddit all the time on my phone if I knew it was bandwidth capped to dial-up speeds. But if there was something critical there, I would still have access.
How slow of a connection would you need to emulate to get HN to be painful to use? It's just text. I've never done that most evil hacker thing of View Source, but can't imagine it being shockingly bloated.
HN looks like it would do well back in the 14.4 dial-up days. Hell, it would probably be okay using an I/O port on an arduino at 9600baud
A traffic shaper can do that, but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify. As long as HN and Reddit don't share edge servers with things you want unshaped, it should be straightforward.
The "only for certain devices" part would probably mean putting those devices in a VLAN and only shaping that VLAN's uplink.
A router like pfsense should be able to do all of that.
But I am far from a network engineer, so don't quote me...
> but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify
Not necessarily...if you're not using ESNI, then the traffic shaper could sniff the server name from the client hello message, then use the TCP sequence numbers to track the individual TCP connection.
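An added example of the ClientHello sniffing just described, written for this thread and not taken from any shaper or the commenter: a stdlib Python parser that walks the TLS record, handshake header and extension list to pull out the SNI host_name, plus a suffix matcher for a list of names to shape. A real shaper would then mark the flow by its TCP 4-tuple and leave every later packet alone. The build_client_hello() helper only constructs test input and is not what a browser sends. Two limits worth knowing: with ECH the outer ClientHello carries only the public name, so this returns that rather than the real one, and HTTP/2 connection coalescing can carry several origins over one connection whose certificate covers them all, so a per-connection decision on SNI is a heuristic, not a guarantee.

```python
"""
Added example (not from the thread): extract the SNI host_name from the
first record of a TLS connection, the input a name-based shaper keys on.
build_client_hello() is a constructed test input, not a real browser hello.
"""
import struct
from typing import Iterable, Optional

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, else None.

    Any truncated or malformed input returns None rather than raising, since a
    shaper sees arbitrary bytes on port 443.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])    # skip type + version
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")           # 24-bit length
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                       # client_version + random
        pos += 1 + body[pos]                               # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def host_matches(host: Optional[str], names: Iterable[str]) -> bool:
    """True if host equals, or is a subdomain of, any entry in names."""
    if host is None:
        return False
    host = host.lower().rstrip(".")
    return any(host == n or host.endswith("." + n) for n in names)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello with one unrelated extension before SNI."""
    name = hostname.encode("ascii")
    sni_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0017, 0)                  # extended_master_secret, empty
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (b"\x03\x03" + bytes(32)                        # version + all-zero random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    shaped = ["news.ycombinator.com", "reddit.com"]
    for host in ["news.ycombinator.com", "www.reddit.com", "example.org"]:
        sni = extract_sni(build_client_hello(host))
        print(f"{host:24} sni={sni!r:26} shape={host_matches(sni, shaped)}")
```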
Oh nice. I knew about SNI but didn't realize there would be a perfectly persistent trail from that packet onward. If a site being shaped and a site not being shaped shared an edge server (say they both use Cloudflare or something) there's no chance that the TCP connection gets shared for both? Not disagreeing, just thinking out loud naively.
They have moved from ESNI to ECH. ECH is being rolled out in stages. Maybe the rollout is complete by now. I don't know. ESNI was available worldwide. I used ESNI for years outside the browser with a custom openssl binary. Although both encrypt SNI, ESNI was less complex and is not compatible with the latest versions of ECH.
A linux box running squid between you and the open internet? Tailscale (or whatever) on your mobile devices to force them in, too?
I'm just spitballing. My bona fides are nothing more than memories of reading about the upside-down-ternet and fiddling with primitive QoS features on elderly routers, but I'm sure this is the right post on the right forum to get a real solution.
You'll need something that can do traffic shaping and you'll also have to segment your network somehow. This will cost you roughly $1000 at least in hardware. Unless you really really want to learn about networking, it's likely not worth the effort.
You can have professional level packet filtering by using OpnSense (FOSS) on any not too slow used PC if you are a home or SOHO user, or on new dedicated hardware that costs half of that money or less. If you are ok with consuming more energy by using older hardware, there are many big brand used firewalls converted to OpnSense or PfSense that can be bought almost for peanuts online. Just search for "pfsense" or "opnsense" on Ebay for example.
This is the only European based vendor I'm aware of, aside from PCEngines, whose hardware is excellent but not comparable wrt performance for heavy use. I'm sure there are cheaper similar solutions, especially from far east; also some interesting offers from the US and UK although shipping and import fees make them a lot less appealing (for us in the EU).
Pfsense is free (if you already have a server to run it on) and a switch with vlan support (not a managed switch, just a smart switch) can be had in the $100 range. Probably need an AP/SSID per vlan though, assuming the vlan awareness stops at the switch.
Yeah it all depends. They may need to buy access points and a switch and a device to run the shaping. Depending on how many ports they need on the switch, it's really easy to hit $1k if you don't buy the cheapest no name stuff you can find.
No, just not shitty Netgear or home equipment. I have a Fortigate, 2 Cisco APs, and a 48 port Juniper PoE switch. Obviously it depends on how many devices you have and what kind of quality you're looking for.
I'm not sure where you're getting that price from. If you're already running pi-hole on something like a Raspberry Pi you can just use Linux's traffic shaping tools. That's all you really need for a home network.
If the Pi isn't the gateway (which it likely isn't) that's not going to be trivial. Even if it was, fiddling with iptables isn't exactly easy. How are you going to identify devices? MAC? DHCP reservations? Static IPs? That's not a trivial project.
Why would you buy a firewall? If you're already running Linux just use that or use the one in the WiFi router you probably already own. You don't need 2 APs, I don't know where you're getting this from. It's a home network. And why would you need an 8 port switch? You just need 2 ethernet ports on your Linux box to pass the connection through to the Wifi router.
> How are you going to identify devices? MAC? DHCP reservations? Static IPs?

Yes.

> That's not a trivial project.

I do this stuff all the time, it's not rocket surgery.
Because I value uptime. I don't want my garbage PC that runs PiHole to crash and totally take down the network.
I have many hardwired devices, they may not.
I need two APs as I live in an older house and I get crappy reception in my basement. I also want a guest and IoT network so I chose to use VLANs to segregate, which requires switching and APs that can do that.
Yes, if you do this all the time (I do too) it's not that hard. But it's certainly not a beginner project.
I definitely recommend checking out Steven Black's unified hosts file [0] for DNS-level adblocking outside of one's local network. It's the default block list in Pi-Hole.
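An added example (editor-supplied, not from the comment above or from the Pi-hole or StevenBlack projects) of what a hosts-style blocklist can and cannot express. The excerpt below is a constructed sample in the unified-hosts layout (`0.0.0.0 name` entries, `#` comments, several names per line), not the real list. A hosts entry is an exact hostname, so `ads.example` does nothing for `sub.ads.example`; a suffix rule of the kind Pi-hole calls a wildcard blacklist (written here as a regex; the exact regex Pi-hole generates is an assumption) covers the subdomains as well, but it also covers the apex, which is why such a rule on a site's main domain blocks the whole site rather than its ads.

```python
import re

# Constructed excerpt in the unified-hosts format (not the real StevenBlack list).
SAMPLE_HOSTS = """\
# Title: StevenBlack/hosts (constructed excerpt for this example)
127.0.0.1 localhost
0.0.0.0 0.0.0.0

0.0.0.0 ads.example          # trailing comments are allowed
0.0.0.0 telemetry.example cdn-telemetry.example
0.0.0.0 xn--80ak6aa92e.com   # punycode entry stays as written
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
NOT_BLOCK_ENTRIES = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}


def parse_hosts(text):
    """Return the set of hostnames a hosts-format blocklist sinks (lowercased, no trailing dot)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue                               # only sink entries count as blocks
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in NOT_BLOCK_ENTRIES:
                blocked.add(name)
    return blocked


def hosts_blocks(name, blocked):
    """Hosts semantics: exact hostname match only."""
    return name.lower().rstrip(".") in blocked


def wildcard_rule(domain):
    """Suffix rule covering DOMAIN and every subdomain, anchored on a label boundary.

    Assumption: this mirrors the regex shape Pi-hole uses for a wildcard blacklist entry.
    """
    return re.compile(r"(\.|^)" + re.escape(domain.lower()) + r"$")


def wildcard_blocks(name, rules):
    name = name.lower().rstrip(".")
    return any(rule.search(name) for rule in rules)


def is_blocked(name, blocked, rules):
    """What a resolver with both a hosts list and wildcard rules would decide."""
    return hosts_blocks(name, blocked) or wildcard_blocks(name, rules)
```

Note the boundary anchor in `wildcard_rule`: without `(\.|^)` a rule for `ads.example` would also match `notads.example`, and without `$` it would match `ads.example.attacker.test`.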
Been running a pi-hole for a few years now and have no complaints. It's the DNS server for my router, so everything on my network uses it. It's behind on updates though. I still need to enable SSH on my pi just so I can update the pi-hole (I believe it can only be done via SSH?). Been too lazy to bother hooking up a mouse/kb to the device again. I'll take this as a reminder that I should get on that.
I set up Pi-Hole in Docker (along with Unbound) to provide recursive DNS. Then changed my router’s DNS settings to point to 192.168.1.2 which is the Pi-Hole. Works perfectly and blocks thousands of requests from the kid’s devices as well as our TVs and smart devices.
Has anybody installed and configured a Squid proxy on a pihole, or using it alone on a pi? Is it relatively easy to do? I would rather have the more fine-grained control a Squid proxy allows, but I have no experience with it.
I use a localhost-bound forward proxy, but it is not squid. I can run the proxy on any computer, whether it is a laptop, a router, an RPi or a non-rooted "smartphone" running Android [1]. Optionally, I can bind the proxy to an RFC1918 address then use the computer running the proxy as a gateway for other computers on the local network. This is not for everyone (e.g., I use a text-only browser reading sites submitted to HN) but if one knows what sites she needs to access ahead of time (e.g., all sites submitted to HN), then she can avoid using remote DNS entirely [2]. All remote DNS data is fetched in bulk, e.g. using DoH and HTTP/1.1 pipelining, and then loaded into the proxy's memory.
[1] By using NetGuard and port forwarding DNS.
[2] One can then enjoy reading about myriad security issues that rely on remote DNS, such as the recent DNS rebinding-dependent exploit against Tailscale.
I have been running pihole for quite some time (coupled with wireguard, that's a great way to stay ad-free on the go as well), but a question is nagging at my brain the whole time: What's stopping the bad guys from circumventing DNS entirely by calling their ad/data collection/malware C&C by IP rather than FQDN? Provided it's a public IP, that should slip through all the DNS based filtering, wouldn't it?
The bigger concern for PiHole circumvention is DNS-over-HTTPS or apps that ignore your device's DNS settings and use their own stack. In those cases, the DNS traffic isn't even going to hit your PiHole.
I happen to run a public DoH/DoT content-blocking resolver, and we do see some apps / services bypassing user-set /network-set DNS with regularity these days. But that's not even the bigger problem for DNS-based content blockers. These trackers can and do run under first-party domains these days:
Sure, and you can do BYOIP with cloud providers or CDNs. But then those IPs are trivial to block, and although I've never tried it, I suspect AWS GA isn't set up to constantly rotate IP addresses.
I’ve wondered about the fourth thing. I imagine it is the marketing/sales/business people who love ads, while the techies don’t particularly like ads, so the techies, who probably are aware of ad blockers and pi hole and the such, avoid telling their business overlords about them.
We certainly wouldn't want them to know that if they just replace their main app web server ("www" for example) with a reverse proxy such that some paths ("/ads/" for example) are proxied to the ad server while all other paths are proxied to the app server, ads would make it through to users with no way to use DNS nor IP filtering, leaving only browser extensions! Oops, did I spill the beans?
It would let advertisements reach the segment of pihole users who (don't MITM and (use a browser that doesn't offer extensions such as many default mobile browsers, or use native apps more than web browsers)). I guess that's not huge.
You would need to hardcode the IP address everywhere it's needed and you would need to release an update every time you want to make changes to it, right? That doesn't sound like a thing anybody would do. Also, people using DNS level ad-blocking are rare and losing that kind of flexibility just to make life harder for such a small amount of people doesn't really make sense.
Would a viable solution to this be to block all requests to IPs that have not been resolved via DNS?
E.g. I setup my router as a linux box that has Adblock DNS software package. Extend said package to write all resolved IPs such that its firewall checks the list before allowing traffic?
How else are people solving these rogue systems that ignore the network settings?
Bothered me as well, so I installed Little Snitch and subscribed to a well maintained list of rules. I’m sure there are some edge cases I’m missing, but now I’m positive Adobe isn’t phoning home.
True, but that's a pain to manage since it is fairly rigid. Even bad actors prefer flexibility in hosting that DNS provides. It's easier to burn a domain name than an IP address.
Does anyone know how to get their hands on a Pi at the moment? Even Pi 3s are going for $100+ on eBay. rpilocator shows everything always out of stock.
I do not know about a Pi, but you can run Pi-hole on old (cheap) hardware with linux. You do not need a Raspberry Pi. I have Ubuntu Server running it. It is quite simple (two commands?) and there are plenty of tutorials out there. Odroid is a good alternative to Pi that can run Pi-hole.
Be aware that that will consume substantially more power than a pi. Even my old MacBook seems to consume about 6W idle with the screen off compared to 1W for my cubieboard (~pi 1 equivalent). A PC is probably closer to 10-30W.
What timing. I just set up a Pi-Hole last weekend. One of the things I've been wanting to use it for is ad blocking on my Chromecast, but the Chromecast routes around it. I think I need to set it up as a DHCP server. I currently have my router set to use the Pi-Hole as the DNS server and have blocked port 53 for everything else.
I’ve been using pihole for a really long time, but lately have run into an issue around blocking YouTube. I have wildcard blacklisted YouTube.com and www.YouTube.com, but it doesn’t work. It’s not just me, I found a thread online of others discussing this.
I’m using Firefox, so it’s not Chrome bypassing DNS check.
Just guessing, but there may be other devices providing DNS service on your network. For example I have found that AppleTV is listening for DNS queries on a couple ports and MacOS will happily fallback to that.
What's the easiest way to do this while using the Pi to route all of my outbound traffic to a VPN provider? Something like OpenWRT on a Pi https://github.com/wulfy23/rpi4 ?
So you'll need to set up a VPN service on your Pi, then set up iptables for allowing traffic to flow through the Pi, and use DHCP to set the Pi as your gateway. You'll also need to point the Pi to your home router as a gateway. Note that your overall throughput will be limited to the NIC on your Pi. The specifics here depend on your VPN vendor.
Shameless self plug: Using Control D for your DNS is a pathway to many abilities some consider to be... unnatural. It does everything NextDNS, Adguard can do, and a whole bunch more (block is not the only action).
uBlock Origin is the only thing that works for me, on Firefox. You can't block YouTube ads with DNS level tricks because YT serves videos and ads from the very same domain.
I'm currently using a pi-hole, but run OpenWrt on my router. I see that both adblock and AdGuardHome are available in its repos. Did you have any particular reason to go with adblock?
I used a PiHole on an actual Pi and I actually bragged about it during a job interview.
However it was difficult to admin and difficult to tweak to my liking.
I've moved to NextDNS and I'm impressed by the featureful features it features. I also enjoy the seamless transitions from my home network to anywhere else while keeping NextDNS resolving correctly.
The only feature I wish it had was an off switch. It is not easy to get its hooks out of each device and I cannot find a way to make it act like a classic resolver... except when I exceed the monthly free account quota, and then it cuts off its special features until next month.
No hate for the PiHole here; it served me well and it really gives lots of kids a nice project and it's totally turnkey protection. Mad props to the PiHole guys and gals for proving this is viable and this is a good thing for privacy and safety.
That's good timing, because with the increase in the price for youtube premium, I started thinking that I wanted an alternative to watching youtube on my TVs without ads.
Does anyone know if using a pi-hole triggers ad-blockers popups on websites, and if yes, is it easy to deal with (either activate ads for specific websites, etc)?
I have been using my Raspberry Pi-Hole for more than 3 years now without much difficulty. But when I replaced my old wifi routers with Linksys Velops, my Pi-hole log was flooded with .in-addr.arpa queries from the routers. Does anyone know if there is a way to remove these from the log? What would happen if I blocked them?
AdGuardHome is far better than PiHole. It's a single Go binary and I think UI is better. It won't break if you upgrade your system. You don't need docker or LAMP stack. Just pull binary and run it. It will even generate systemd service file for you if you need.
Edit: https://github.com/AdguardTeam/AdGuardHome