I don’t see the issue with this? Anyone who’s able to install Pihole in the first place will be more than capable of keeping the system up to date. I’d generally trust the underlying software and the maintainers to address security issues in a timely manner, security vulnerabilities on home routers on the other hand...
Pi-hole is very easy to set up, and it works so well you can basically forget about it from that point on. Blocking ads is nice, but it’s also a huge boon for privacy. I run uBlock origin on all my browsers, but Pi-hole still blocks 30-50% of requests on my network. It’s also really nice to be able to glance at the logs and get an idea of what’s going on on your network, or if there’s any unusual activity.
I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.
I set up a pihole and literally forgot about it. Like I was cleaning out a closet on moving day and found it plugged in. Took a moment to even realise what it was doing there.
I’m reminded almost every day that I have a pi-hole since it is not my dns provider when on my company’s vpn. It’s absolutely night and day on so much of the web. Some sites have so many ads now it’s just shocking to be frank.
Right, I didn’t mean to make it sound like uBO was letting stuff through the cracks (it’s actually far more thorough than dns filtering). But the amount of tracking requests that come from outside of the browser and from other devices is no joke.
Some ad agencies started asking hosters to add a CNAME record to one of their domains.
Let's say I have my own blog running on dastx.me, and I want some ads from adgiant.com.
As an adblocker you've added `*.adgiant.com` to your blacklist, and I'm an asshole and try to circumvent such adblocking measures. Them young millennials and their tech. Stealing me out of my money!
So I go to adgiant.com and ask them if there is something I can do. adgiant.com asks me to add a new DNS record of `CNAME definitely-not-an-ad-subdomain.dastx.me -> terribleads.adgiant.com`. This way, whenever I wanna call terribleads.adgiant.com, I instead use `definitely-not-an-ad-subdomain.dastx.me`.
When it comes to adblocking this is an issue because adblocking lists are usually based on a blacklist. They'll have `*.adgiant.com` on the list but not `definitely-not-an-ad-subdomain.dastx.me`, thus my ads will start working. We could of course add every subdomain we come across to the blacklist, but suddenly our adblock list doubles, triples, quadruples or more.
What adblocking software does now is a DNS lookup for every domain, and it considers all domains in the result as the same. So if either of the previous domains is in the block list, both domains are considered blocked.
This CNAME method is also a huge security issue, but I'm not gonna go into that.
Here is an example (the domains are fake, it’s for demonstration purpose only):
The domain adcompany.com is in my blacklist, so it returns the IP of my Pi-Hole if I do a DNS query:
$ host adcompany.com
adcompany.com has address 192.168.1.10
But if I do a DNS query of ad.newspaper.com it doesn’t get blocked by Pi-Hole even though it’s simply an alias (CNAME) for adcompany.com:
$ host ad.newspaper.com
ad.newspaper.com is an alias for adcompany.com.
adcompany.com has address 6.6.6.6
What I would like Pi-hole to do is check whether the domain is a CNAME (in the example ad.newspaper.com), then compare the domain that is aliased to (in the example adcompany.com) with my blacklist. If it is in my blacklist, block the domain (by returning the IP of my Pi-hole).
One trick a website operator can use to evade hostname-based adblockers is putting the ad-serving domain as a CNAME entry in one of their subdomains. Since the ad is now served from a subdomain of their website, it won't get blocked unless the DNS adblocker does deep inspection on nested CNAME entries.
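The CNAME cloaking walkthrough, the Pi-hole `host` example and the comment above all describe the same gap: a blocker that checks only the queried name lets an alias into a blocked domain through. This added example (not Pi-hole's code) shows both behaviours side by side over constructed zone data for the thread's fake domains; the record table, sinkhole address and hop limit are assumptions.

```python
from typing import Dict, List, Optional, Tuple

SINKHOLE = "192.168.1.10"  # constructed: the blocker's own address, answered for blocked names

# Constructed zone data for the thread's fake domains: owner name -> (type, rdata).
RECORDS: Dict[str, Tuple[str, str]] = {
    "adcompany.com.": ("A", "6.6.6.6"),
    "ad.newspaper.com.": ("CNAME", "adcompany.com."),
    "definitely-not-an-ad-subdomain.dastx.me.": ("CNAME", "terribleads.adgiant.com."),
    "terribleads.adgiant.com.": ("CNAME", "edge.adgiant.com."),  # real chains can be several hops
    "edge.adgiant.com.": ("A", "6.6.6.7"),
    "www.newspaper.com.": ("A", "203.0.113.10"),
}
BLOCKLIST = ["adcompany.com", "*.adgiant.com"]  # the two entries discussed in the comments

def matches(name: str, pattern: str) -> bool:
    """Exact match, or for a '*.domain' entry the domain itself and any subdomain of it."""
    name, pattern = name.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def resolve(qname: str, inspect_cnames: bool = True, max_hops: int = 8
            ) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Answer qname from RECORDS; returns (names seen, answer, matching block entry).
    inspect_cnames=False checks only the queried name (the gap the comments describe);
    True checks every name in the CNAME chain, so an alias into a blocked domain is
    sinkholed as well. NXDOMAIN is reported as answer None.
    """
    name = qname if qname.endswith(".") else qname + "."
    chain: List[str] = []
    for _ in range(max_hops):
        chain.append(name)
        if inspect_cnames or len(chain) == 1:
            hit = next((p for p in BLOCKLIST if matches(name, p)), None)
            if hit is not None:
                return chain, SINKHOLE, hit
        rtype, rdata = RECORDS.get(name, ("NXDOMAIN", ""))
        if rtype != "CNAME":
            return chain, rdata or None, None
        name = rdata
    raise ValueError(f"CNAME chain for {qname} exceeds {max_hops} hops")


if __name__ == "__main__":
    for q in ("adcompany.com", "ad.newspaper.com", "definitely-not-an-ad-subdomain.dastx.me"):
        print(f"{q}: naive={resolve(q, False)[1]} cname-aware={resolve(q)[1]}")
```

The hop limit also guards against a looping or absurdly long alias chain, which a resolver should refuse rather than follow forever.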
It was really easy to set up, but on the first day it actually broke an Android TV app on default settings (meaning it blocked some call that stopped the app from loading through).
Ironically, after disabling it for a minute and then loading through the app, it didn't block the video ads (not rendered into the video).
YMMV of course, but it wasn't usable for me since everyone in the household needs to understand/solve any issues.
I just realised that if your router runs OpenWrt, you can install PiHole (an equivalent of, rather) directly onto your router by installing the following packages [1]
dnsmasq
adblock
luci-app-adblock
You may also need
libustream-mbedtls
Just tried it, works great. With a few small lists, the amount of blocked DNS requests is floating at around 30%.
https://command.honestsec.com sounds promising... looks like the system includes a secure router with secured double layer dns filtering (local at source and upstream resolver).
Alternatively, for MAX_lazyness and convenience I've been using https://nextdns.io; it does all the same stuff and is the alternative to Cloudflare in Firefox for DNS-over-HTTPS (DoH).
Too bad in my country all ISPs are required by the government to intercept (or block) all DNS requests except to their own DNS server, to block any domain listed in the national domain blocklist database. DNS on a port other than 53 is still working though, so I have set up my pihole to use an upstream DNS server that accepts connections on a higher port and a Cloudflare DoH server as a fallback (not sure why, but DoH is really slow here).
They could've at least intercepted the requests and applied their blacklist while letting non-blacklisted requests pass through as-is (so you can still use a custom server for the non-banned domains). Not saying I'm in favour of these shenanigans at all, but at least if you are forced to do it then better do it with the minimum level of interference possible.
No additional hardware required, you can use it to provide some protection to your family without having to worry about remote access to the Pi-Hole to configure things, works for your devices on the go, cheaper than running pi-hole in the cloud yourself unless.
Pricing wise it’s over 2 years worth of service for the price of an original Pi, a good SD card and a case.
The only circumstance where Pi-hole is unquestionably superior is if you are on a network that redirects all DNS requests. There are still some ISPs that do that; however, if you are on such a network you probably want to either get off it ASAP or use a VPN.
Also, unless you go through the trouble of setting up unbound, your requests would need to go to an upstream server anyway, so might as well send them to one with the best privacy policy.
Is that not a trivial amount for hands-off DNS recursion services? Consider the cost to purchase a Raspberry Pi, set it up, electricity, wear and tear on flash storage, etc.
If you point me at a checkout page for $2/month to not even have to think about plugging a Pi in, I’m going to pull my credit card out in a heartbeat. A single coffee costs me more. Think about your time!
Nextdns pings are bad for me in south India. Like 8x slower than Cloudflare and 10x slower than Google. So sticking with PiHole at home setup for now and Windscribe VPN outside home.
There's one thing I noticed: when I click on a Twitter link, the first request goes via Twitter analytics and gets blocked. I have to click it again; the second time it doesn't go to Twitter analytics and the request goes through.
That’s pretty neat! Do you plan on open sourcing it? I’m hesitant to trust an application with my pi-hole api token (and with it, all of my browsing/network data).
It's not my project. I am using it from within Test Flight. It is great for non-technical people who just need to temporarily disable Pi-Hole in order to get some sort of functionality to work that wouldn't otherwise.
One idea that I want to explore is to create an Alexa Skill to temporarily disable Pi-Hole. This has probably been done already.
I prefer blocking ads by browser extension for PC/iOS and a device-local MITM solution (like AdGuard) for Android, because these solutions can block more precisely and make it easier to unblock things permanently or temporarily, compared to a DNS server solution like Pi-hole or NextDNS. Why choose a DNS solution? I suspect the reasons are maybe lower resource usage (especially for smartphones) and that it works for smart devices like TVs.
Content Blockers only work in Safari. There are a host of other apps that I use that are susceptible to ads and tracking. (e.g. Apple News, Apollo (reddit app), hacker news apps, etc. )
Not knowing how to disable it temporarily has been the one thing stopping me from adding Pihole to our network (need to test ads for clients sometimes...) so thank you.
Is there a good explainer for CNAME inspection? I'm not finding anything good with my Google Fu.
Source: https://discourse.pi-hole.net/t/apply-pi-hole-blocking-to-cn...
[1]: https://openwrt.org/docs/guide-user/services/ad-blocking
Their privacy policy seems legit[0] but why trust them at all when Pi-hole is an option?
[0] https://nextdns.io/privacy
It's baffling how much useless telemetry and other crap there is, slowing internet down and wasting cpu cycles.
This is more impressive than it sounds. My pihole currently uses about 25MB of RAM with over half a million blocked domains and around 20 clients.
https://www.reddit.com/r/pihole/comments/gathus/pihole_on_ap...