
Too many false positives with Pi-Hole. I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town, unable to get into the pi-hole and sort out the issue.

I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.

The blocker on pfSense eventually had the same issue.

Realistically, I was probably running too many overly restricting blocklists for my actual needs.

But, I also don't want to fiddle with messing with the out of the box blocklists that also caused me issues.




I can empathize with the sometimes aggressive blocking, and as you pointed out can be pretty block list dependent.

I generally will go in and whitelist things if a site breaks due to a DNS block, but of course putting your partner on the same VLAN can be problematic. I "got around" that by having a button in Home Assistant that will completely turn off Pi-hole (and now AdGuard). So my partner will go in and toggle that if there's a problem.

AdGuard Home does also have the ability to completely disable blocking for specific clients.


I had similar issues and the problem with a white list is it can be very difficult to figure exactly which cryptic subdomain of some major company is necessary for the service to work, without just allowing everything and defeating the purpose.


Yeah - I usually watch the network tab in debugging tools to figure out what's being blocked, then whitelist and try again.

I also realize that you shouldn't expect most people to do that, let alone know how to.

I am someone who is very aggressively anti-ad.


Sure, if you’re accessing it in your web browser. But when it’s an app on someone else’s phone that’s misbehaving, that’s where I throw in the towel. It’s not worth the effort at that point.


> I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town

One potential workaround, if your hardware supports it, is to broadcast two separate SSIDs for general users: one with a blocklist, and one without as a fallback. Users just need to know when to use each.


Couldn't you just monitor the query log and whitelist domains that were false positives?


"Just" is doing a lot of work in that sentence. That sounds like a lot of work, and it isn't always obvious which weirdly-spelled domain is causing the issue.


> "Just" is doing a lot of work in that sentence

Not really. You can pull your phone out and do it in less than a minute.

> it isn't always obvious which weirdly-spelled domain is causing the issue

It typically /is/ pretty obvious. You can drill down to the device making the request, and it becomes obvious once you see the blocked query.

To each their own though. I personally don't want to pay a company to do something for me that I can do myself.
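
The per-device drill-down discussed in this thread, as an added example that is not from any commenter or from the Pi-hole project: it groups blocked lookups by the client that asked for them, so the allowlist candidates for one misbehaving phone stand out. It assumes a dnsmasq-style query log with `query[...] <domain> from <client>` and `blocked <domain> is <address>` lines; the sample log, hostnames, IPs and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed dnsmasq-style format; hostnames and IPs are made up).
SAMPLE_LOG = """\
Mar 10 09:14:01 dnsmasq[812]: query[A] api.bank.example from 192.168.20.15
Mar 10 09:14:01 dnsmasq[812]: forwarded api.bank.example to 9.9.9.9
Mar 10 09:14:02 dnsmasq[812]: query[A] metrics.bank-cdn.example from 192.168.20.15
Mar 10 09:14:02 dnsmasq[812]: gravity blocked metrics.bank-cdn.example is 0.0.0.0
Mar 10 09:14:03 dnsmasq[812]: query[A] ads.tracker.example from 192.168.20.30
Mar 10 09:14:03 dnsmasq[812]: gravity blocked ads.tracker.example is 0.0.0.0
Mar 10 09:14:05 dnsmasq[812]: query[A] metrics.bank-cdn.example from 192.168.20.15
Mar 10 09:14:05 dnsmasq[812]: gravity blocked metrics.bank-cdn.example is 0.0.0.0
Mar 10 09:14:09 dnsmasq[812]: query[AAAA] ads.tracker.example from 192.168.20.15
Mar 10 09:14:09 dnsmasq[812]: gravity blocked ads.tracker.example is ::
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)\s*$")
BLOCK_RE = re.compile(r"\bblocked (?P<domain>\S+) is ")

def blocked_by_client(log_text):
    """Map client IP -> Counter of domains whose lookups were blocked."""
    last_client = {}                      # domain -> client that asked most recently
    blocked = defaultdict(Counter)
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_client[q["domain"]] = q["client"]
            continue
        b = BLOCK_RE.search(line)
        if b:
            # The block line carries no client, so attribute it to the latest asker.
            client = last_client.get(b["domain"], "unknown")
            blocked[client][b["domain"]] += 1
    return blocked

def allowlist_candidates(log_text, client):
    """Blocked domains for one device, most frequently retried first."""
    return blocked_by_client(log_text)[client].most_common()

if __name__ == "__main__":
    for domain, hits in allowlist_candidates(SAMPLE_LOG, "192.168.20.15"):
        print(f"{hits:3d}  {domain}")
```

Domains an app retries repeatedly while it is failing tend to rise to the top of the list, which narrows the allowlist change to one entry instead of disabling blocking for the whole client.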



