ferminaut · 4 years ago
I know some folks are anti Ubiquiti Unifi on here, but you can run pihole (along with a bunch of other stuff) right on a UDM/UDM-Pro. IMO it makes the most sense to run this on the router, and you can run it in a docker container. If you're looking for a fun hour or two project, check out:

https://github.com/boostchicken-dev/udm-utilities/tree/maste...

para_parolu · 4 years ago
I have another point of view as a non-pro user. The less my router is doing, the better. I want my router software to be as simple as possible to reduce possible bugs. Plus I want it to put all CPU time onto processing packets. I would consider using pihole-like functionality if it's baked into the firmware. But I definitely don't want to install extra software.
colordrops · 4 years ago
Unless you are doing deep packet inspection, which isn't useful in most home setups anyway, even mediocre hardware is going to be more than powerful enough to process packets while running PiHole or AdGuard home.
goodburb · 4 years ago
For OpenWRT users, I managed to easily get it working with LXC. Sources are in "SmoothWAN" project at Github. OpenWRT natively supports LXC now. Shortcut: https://github.com/TalalMash/smoothwan-feeds/tree/main/pihol...
cassianoleal · 4 years ago
Never heard of smoothwan but I've been running PiHole on LXC on OpenWRT for years. It was never difficult to set it up, I just created a Debian (or Devuan, can't remember now) container and ran the PiHole install on it.
pcl · 4 years ago
I run a PiHole and a Tailscale exit node on my Unifi routers (previous generation). The Tailscale exit node lets me do both site-to-site VPNs and site-specific egress. The one thing keeping me from site network nirvana is that I haven't quite figured out how to set up a wifi network on the Ubiquiti device that routes all traffic through a given other exit node, however. Someday!
gonehome · 4 years ago
I just setup tailscale yesterday to access a local urbit node and it’s seriously great!

They really solved what has always been a major pain with local hosting and made it really easy to use.

I ended up using NextDNS over pihole, but only because it was just easier to get the same result.

oceanswave · 4 years ago
Does setting the gateway address on the wifi network to be your tailscale exit node ip work?

vamega · 4 years ago
What router do you have? I've got a USG and was wondering if it was possible to run PiHole on the USG.
moffkalast · 4 years ago
Ah I just opened this thread to ask why isn't this a standard feature on routers at this point, and lo and behold.

I hope it becomes more ubiquitous (hah) even on lower cost ones eventually.

pledg · 4 years ago
It’s not a standard feature on UniFi either. It’s possible but not part of the OOTB OS.
boostchicken · 4 years ago
I just checked my github stats and you guys slammed ycombinator right to the top of the referrals, didn't know it was getting so much love over here.
dawnerd · 4 years ago
Huh, I never even considered running containers on my udm pro. I’m definitely going to look into this.
jeffkeen · 4 years ago
I'm afraid to ask, but why are people anti Ubiquiti? I freaking love my udm-pro and am waiting for their cams to come back in stock so I can ditch my nests.
colordrops · 4 years ago
I saw your exact question elsewhere, so I'll reply with my exact same answer:

I personally grew a strong distaste for several reasons. When I first started my homelab I was ready to go all in with Ubiquiti. Equipment looked nice, great looking UIs, great price. Seemed like everything was perfect for the prosumer. I bought some access points and a UDM pro to start, with plans for some PoE switches next. First thing that irked me was that I had to log into everything through the cloud. And it wasn't possible to set up the UDM and access points at the time without a cloud account, though I know this has since changed. Second was that they were sending all kinds of telemetry to HQ. One of the reasons I set up a homelab is for privacy and data sovereignty, so having my low level network equipment spy on me is a huge no-go. The third thing that really pissed me off is that there was no way to manage any clients on my network that didn't go through a Ubiquiti access point. I had an old Airport Pro that I was using and all the clients that connected through it were not visible to the UDM pro. Both official support and the reddit forums said it wasn't possible and it didn't make sense anyway, and gaslit me and even removed some of my posts and comments. What is the point of a firewall if you can't disable traffic to some clients (e.g. I didn't want my robot vacuum phoning home to china). I SSH'd into the UDM and indeed saw the vacuum in the ARP table so there was no technical reason to not allow me to set firewall rules for it in the UI. I mean the UDM gave these clients DHCP addresses, so it's obvious that the UDM was aware of them. It became clear - it's a business lock-in strategy to force you to go all-in on Ubiquiti equipment. They don't support heterogeneous mixed-vendor networks. I said fuck that and returned it all. Switched to open source products like OPNSense and used professional equipment from EBay and couldn't be happier. Way more control for the same price, no spying, and no vendor lock-in.

autoexec · 4 years ago
Complaints I've seen include:

Forcing users to use a cloud account and an app for setup, and enabling telemetry without disclosing it to users, although once they were called out on it by folks noticing a bunch of traffic to their servers they eventually confirmed it was happening and added an opt-out option (see https://www.theregister.com/2019/11/07/ubiquiti_networks_pho...), also there was something about NVR and not being allowed to self host it, or use old hardware... I never bothered to really look into that one, but it seemed to come up a lot.

c0nsumer · 4 years ago
Stupid bugs caused me to move away from them, conveniently only days before the breach became public.

Bug #1 was when they stopped supporting 32-character SSIDs, so my main network called "Smart Meter Surveillance Network" suddenly was no longer editable. Switching routing platforms is easier than setting up all my devices again.

Bug #2 was the one I wrote up here on Reddit (https://www.reddit.com/r/UNIFI/comments/ghs4bg/arp_for_clien...), which was where ARPing for a client on a meshed wireless AP, from the wired network, would fail. If the client was on a non-meshed AP, it worked.

I expect better from my network, so I dumped Unifi and went to OPNsense on a fanless PC.

merlyn · 4 years ago
The main reasons for me ditching UBNT have been

• lies about supporting older versions of APs, telling me I need to upgrade to get x-such-feature, and then they support it later on the older hardware.
• Various features sold as _coming_soon_, that really take several years to come about.
• making more and more of their setup require a total buy-in of the whole infrastructure when I only wanted one piece of it.
• It just wasn't very reliable. I'd have to reboot all the APs every now and then to get them communicating well again (this seems to be limited to myself and not my friends, but happened on two generations of the UBNT hardware)

But what did them in in the end for me was some version upgrade that totally blew up my network, which does depend on different SSIDs mapping to different VLANs, but after the upgrade, they bridged everything together. Found that unacceptable, so I gave up fighting them, dropped in another enterprise vendor, and now things are truly rock solid.

Yes, they give out many enterprise features for a very low cost, and the feature set does far surpass any of the consumer price range gear that they hover their price points around.

OTOH, since I do work with lots of Enterprise gear, I know when used gear is falling off in price to affordable for home levels, and how much more life I can reasonably get from it. Sure, I don't have 802.11ax, but I don't think my last round of UBNT AP buys can upgrade to 802.11ax either, would have had to buy another round of UBNT gear.

rovr138 · 4 years ago
They tried to cover a breach. They sued Krebs for publishing on it.

There have been other issues too.

petecooper · 4 years ago
>waiting for their cams to come back in stock

https://discord.gg/ubiquitiinstock

I've scored a few Protect items via alerts here, but be prepared to be patient.

humbleguy · 4 years ago
I had six unifi protect cameras for over a year until I replaced them all. Rain at night means motion notifications every 30 seconds, bugs at night, same thing. Unifi cameras are terrible for outdoor applications.
8fingerlouie · 4 years ago
Be aware that UI is planning to consolidate the UDM/UDM Pro software (1.x) into the UDM Pro SE / UDW software branch (2.x) in the near future, and the 2.x software doesn't use Podman and instead runs the software "bare metal".

IIRC the udm-utilities also work on the UDM Pro SE, though i'd be a lot more worried about "messing up" when it's not confined to a docker container.

boostchicken · 4 years ago
Worry not, I am ready for it :)
asdkhadsj · 4 years ago
What sort of cost is associated with pihole, with respect mostly to very latency sensitive things like competitive gaming. Is it problematic?
milgrim · 4 years ago
There should be no cost. Which game will constantly use DNS to resolve addresses after being launched?
more_corn · 4 years ago
No expected impact. If for some insane reason a game is also calling ad servers your performance will be improved.

Consider the case of a web page. The content you want (the news article) consists of say 100 get requests totaling 1mb. The content you don’t want (ads) consists of 120 get requests totaling 1.2mb.

When pihole is in use the content you want does not have to contend with adversarial content. You have half as many requests, there’s 50% less data in the pipe, you get what you wanted faster.

Gaming is not impacted because your games don’t call advertising servers. If they did (for some insane reason) the real game requests get served immediately not having to wait in line behind the ad content.

BizarroLand · 4 years ago
I run it on my NAS computer in a ubuntu server vm. It was 20 minutes to set that up and another 5 to install and point my router's DNS to it. Maintenance is a monthly login, and a biannual update after puttying into the box.

If you want a one-purpose device for it, then you would be looking into buying a SoC computer like a Raspberry Pi 3 (should be cheaper than the 4) and about an hour to set it up.

One little thing I have done is set my router's secondary DNS to 1.1.1.1, just in case the power fails or the Pi goes down. When I set mine up I completely forgot to set ESXi to auto-power on the VM, so after a brief power outage I had no internet for almost an hour because I had no redundant DNS configured. I got blindsided by my own mistake. Now everything is on a UPS and the VMs are correctly configured in case power is lost long enough to require a shutdown.

https://pi-hole.net/ has more info on the install.

BrandoElFollito · 4 years ago
You will not have any extra latency once the DNS resolution is done.

The resolution has to be done one way or another, by default this is your ISP and they usually suck. I had hand-picked DNSes before (there is a utility that tests plenty of them from your connection) and after adding a pihole on a simple RPi it was even faster.

yzerd · 4 years ago
PiHole is just a different DNS server - I would assume that is probably a once on connection kind of thing.
vorpalhex · 4 years ago
I run two piholes, rackmounted and battery backed (just plugged into a ups).

DNS performance is very fast, better than ISP dns usually.

General web usage is much, much more pleasant.

No issues with gaming.

Vaslo · 4 years ago
I have the UDM pro but have been running AdGuard home. I will definitely have to check this out. Thanks!
sleepdreamy · 4 years ago
Why are some folks anti Ubiquiti Unifi?

We use this at some of our clients in the MSP space

ctur · 4 years ago
For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
sphars · 4 years ago
I moved to NextDNS after my SD card died on my Pi. One of the biggest features is that I can enable this on my phone using Android's Private DNS feature, which means it works for mobile data without having to run a VPN. Covers all networks with no extra configuration. Highly recommend.
dustincoates · 4 years ago
I generally like NextDNS, but the customer service is _literally_ non-existent. About a week after becoming a paying member, I had an issue where requests wouldn't resolve at all, and there was no way to move forward, and there was no way to get help from the NextDNS team. So, a good service, but not so great for your family members who can't track down solutions to issues like that themselves.
jen729w · 4 years ago
Very slick try-before-you-buy experience. And excellent, realistic pricing. I’ll be giving this a go.
Vladimof · 4 years ago
> ctur - For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.

The overhead is very minuscule.. I always forget that I'm using it...

dx034 · 4 years ago
NextDNS allows automatically whitelisting affiliate links. That's not as easy in Pihole, making it annoying to use at times.

But otherwise I concur, I've run pihole for years without any manual intervention needed.

notRobot · 4 years ago
+1. Been using it for a year too, highly recommend!
stavros · 4 years ago
Same, and I love the pricing. 20 €/yr seems very reasonable for such a service, I'm happy to be paying for it.
nukemandan · 4 years ago
you can configure to use a self hosted DNS. I do this coupled with a VPN that was very easy to install and configure: https://dietpi.com . this VPN I access with ddns for free.

The only fixed cost was the Pi to run it on (a Pi version 1's RAM is by far enough for just pihole + unbound)

aetherspawn · 4 years ago
+1 for NextDNS, best $20 annually I ever spent. Been using it for close to two years.
0daystock · 4 years ago
Won't be long now until IoT and other crap-ware devices catch on to this trend and start hard-coding DNS servers in code, or worse, using DNS encryption to avoid this sort of routine blocking by end-users. I wonder how people are thinking about solving this problem.
DistractionRect · 4 years ago
I solve this with a DNS based firewall.

Essentially it's just DNS filtering on steroids. You start with an empty (or preseeded) ipset, and a firewall rule that says to reject/drop all outbound traffic if the destination isn't in the ipset. Dnsmasq is set up as the default DNS provider in DHCP, and it's set up to add all resolved IPs to the ipset (with an expiration so stale entries get removed).

Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT, etc don't work as their hardcoded IPs are blocked by default, and DNS filtering knocks out domain resolution of the endpoints. Even if an alternate resolver is allowed through the firewall, none of its responses get into the ipset, so it's still broken (and is a sign I need to update the DNS filter).

Works a treat on my IoT devices
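The policy DistractionRect describes above, modelled as an added example (this is not the commenter's configuration). The assumed real-world wiring is dnsmasq's `ipset=/#/dns_allowed` directive (or `nftset=` on newer builds) feeding a kernel set that an nftables chain consults after accepting established flows; the class below models only the set membership, its expiry and the forwarding decision. The LAN prefix, addresses, domain names and the 60-second lifetime floor are all made up for the demo.

```python
"""Model of the DNS-gated egress firewall described in the comment above.

Assumed real-world wiring (not from the post):
  dnsmasq.conf:  ipset=/#/dns_allowed        # every answered address -> set
                 address=/ads.example/       # the usual blocklist entries
  nftables:      ct state established,related accept
                 ip daddr 192.168.1.0/24 accept
                 ip daddr @dns_allowed accept
                 drop
This class models only the set, its expiry and the forwarding decision.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix
MIN_LIFETIME = 60   # floor on how long an entry lives; a real ipset uses its own
                    # timeout rather than the DNS TTL, so this is an assumption


class DnsGatedEgress:
    def __init__(self, blocked_domains):
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}
        self.allowed = {}   # destination IP -> expiry timestamp
        self.events = []    # audit trail of every decision

    def name_is_blocked(self, name):
        """True if the name or any parent domain is on the blocklist."""
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def answer(self, name, addresses, ttl, now):
        """Resolver hook: refuse blocked names, otherwise admit the answered
        addresses until the TTL (or MIN_LIFETIME, whichever is longer) runs out."""
        if self.name_is_blocked(name):
            self.events.append(("blocked", name))
            return []
        expiry = now + max(ttl, MIN_LIFETIME)
        for ip in addresses:
            self.allowed[ip] = max(self.allowed.get(ip, 0), expiry)
        self.events.append(("resolved", name, tuple(addresses)))
        return list(addresses)

    def _expire(self, now):
        for ip, exp in list(self.allowed.items()):
            if exp <= now:
                del self.allowed[ip]

    def permits(self, src, dst, dport, now):
        """Forwarding decision for a new outbound flow (already-established
        flows are assumed to have been accepted earlier by the conntrack rule)."""
        self._expire(now)
        if ipaddress.ip_address(dst) in LAN:
            return True                          # LAN-to-LAN is not gated
        ok = dst in self.allowed
        self.events.append(("accept" if ok else "drop", src, dst, dport))
        return ok


def demo():
    """Walk through the cases the comment describes; returns the verdicts."""
    fw = DnsGatedEgress(blocked_domains=["ads.example"])
    t = 1_000
    r = {}
    # A client resolves a site through the gateway's resolver and can reach it.
    fw.answer("www.example.com", ["203.0.113.10"], ttl=300, now=t)
    r["resolved_site"] = fw.permits("192.168.1.10", "203.0.113.10", 443, t + 1)
    # A device with a hard-coded resolver never gets answers into the set, so
    # neither plain DNS nor DoH to 8.8.8.8 gets out.
    r["hardcoded_dns"] = fw.permits("192.168.1.20", "8.8.8.8", 53, t + 1)
    r["hardcoded_doh"] = fw.permits("192.168.1.20", "8.8.8.8", 443, t + 1)
    # A blocklisted name yields no addresses, so the tracker is never admitted.
    r["blocked_name"] = fw.answer("cdn.ads.example", ["198.51.100.7"], 300, t)
    r["tracker_after_block"] = fw.permits("192.168.1.30", "198.51.100.7", 443, t + 1)
    # Entries age out: once the TTL has passed a new flow needs a fresh lookup.
    r["after_ttl"] = fw.permits("192.168.1.10", "203.0.113.10", 443, t + 301)
    r["lan_traffic"] = fw.permits("192.168.1.10", "192.168.1.2", 80, t + 301)
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} {verdict}")
```

Two details matter when this is built for real. The conntrack rule has to come before the set lookup, otherwise a long-lived connection breaks the moment its set entry times out; and the entry lifetime is the ipset's timeout, not the answer's TTL, so a client that caches an answer longer than the set does will see its next new connection dropped until it resolves again, which is exactly the "sign I need to update" case the comment mentions.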

afraca · 4 years ago
This is very very similar to something developed by SIDN labs called "DNS Resolution Required", you can read the blog post here:

https://www.sidnlabs.nl/en/news-and-blogs/dns-resolution-req...

BLKNSLVR · 4 years ago
I really like the concept of this approach, I'd say it's worth writing a blog post / article describing the process and details so others can duplicate it.
lapser · 4 years ago
This is already happening. The likes of Google Home et al already hardcode their own servers. I noticed that no DNS requests were being made through my Pi Hole, so when I looked, it turned out their DNS servers were hardcoded.

However, I'm more worried about when they start hardcoding DoH servers.

willis936 · 4 years ago
On my router I redirect all outbound port 53 traffic not coming from my local recursive DNS server to my local recursive DNS server.

The next step in the arms race is DoH. Afaik no one has a generic answer to that beyond "treat devices behaving hostilely as hostile".

vladvasiliu · 4 years ago
In the case of just using a PiHole, a hard-coded server would easily get around it.

But if the network outright blocks random DNS requests, that only leaves DoH, which would require fixed IPs, which should be able to be detected and blocked, right?

Sure, the setup becomes a bit more involved...

jacquesm · 4 years ago
Have you tried blocking them explicitly? That might cause them to fall back through the advertised ones.
doubled112 · 4 years ago
Same on DoH.

I can’t filter it or redirect it like I can with plain old DNS.

chollida1 · 4 years ago
What is a DoH server?
e2le · 4 years ago
> Smart devices manufacturers often “hard-code” in a public DNS server, like Google’s 8.8.8.8, and their devices ignore whatever DNS server is assigned by your router - such as your PiHole.

> Nearly 70% of smart TVs and 46% of game consoles were found to contain hardcoded DNS settings - allowing them to simply ignore your local network’s DNS server entirely. On average, Smart TVs generate an average of 60 megabytes of outgoing Internet traffic per day, all the while bypassing tools like PiHole.

https://labzilla.io/blog/force-dns-pihole

For those devices which ignore DHCP/NDP provided DNS addresses, you could create a firewall to redirect outgoing port 53 traffic to your own server.

heavyset_go · 4 years ago
Already happening, Google products like the Chromecast serve up plenty of obnoxious ads these days, and hardcode Google DNS. Even blocking Google DNS still allows ads to get through.

This is a big reason why I will never buy another Chromecast branded product, or Google product, again. Congratulations on successfully monetizing my time and annoying me into swearing off Google products altogether.

RachelF · 4 years ago
Microsoft already does this in Windows 8, 10 and 11 with their "telemetry" servers.

The DNS queries for these bypass any of your own DNS settings.

They even bypass host file overrides.

no_time · 4 years ago
On the upside, the endpoints are nicely documented by both MS and independent researchers. Also, Windows enforces packet filtering rules on its own phoning home so a well configured firewall like SimpleWall will be relatively secure from a spying perspective.

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Si...

https://www.henrypp.org/product/simplewall

asix66 · 4 years ago
I couple PiHole with a pfsense router. In pfsense all DNS queries are blocked except to my pihole. This thwarts an IoT device or streaming devices, etc., from bypassing pihole. Then I block known DoH servers on both pfsense and pihole---which is not perfect, since it's really a game of whack-a-mole, but better than not.
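Before adding the port-53 redirect that willis936, e2le and asix66 describe, it helps to know which devices are actually sidestepping the resolver, and which of them do it in a way the redirect cannot catch. The following is an added example, not from any commenter: it runs both checks over a constructed flow log. The CSV shape, the resolver address 192.168.1.2 and the list of public encrypted-DNS resolver addresses are all assumptions for the demo.

```python
import csv
from collections import defaultdict
from io import StringIO

# Address of the local Pi-hole (assumed for the demo).
LOCAL_RESOLVERS = {"192.168.1.2"}

# Public resolvers that answer DoH on 443 and DoT on 853.  Illustrative and
# deliberately incomplete: this set has to be maintained by hand.
ENCRYPTED_DNS_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed flow records in a minimal CSV shape; a real export from
# conntrack, nflog or a pfSense/OPNsense flow log would be adapted here.
SAMPLE_FLOWS = """\
src,dst,proto,dport,bytes
192.168.1.10,192.168.1.2,udp,53,120
192.168.1.10,203.0.113.5,tcp,443,90000
192.168.1.20,8.8.8.8,udp,53,140
192.168.1.20,8.8.8.8,udp,53,140
192.168.1.20,203.0.113.9,tcp,443,51000
192.168.1.30,192.168.1.2,udp,53,100
192.168.1.30,1.1.1.1,tcp,443,2200
192.168.1.30,1.1.1.1,tcp,853,1800
192.168.1.40,192.168.1.2,tcp,53,300
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts with numeric ports and byte counts."""
    return [
        {"src": r["src"], "dst": r["dst"], "proto": r["proto"],
         "dport": int(r["dport"]), "bytes": int(r["bytes"])}
        for r in csv.DictReader(StringIO(text))
    ]


def classify(flow):
    """Return the bypass category of one flow, or None if it is unremarkable.

    plain_dns_bypass:       port 53 to anything but the local resolver; a
                            port-53 DNAT rule on the gateway fixes these.
    encrypted_dns_suspect:  443/853 to a known public resolver address; only
                            blocking that destination (or the device) helps.
    """
    if flow["dport"] == 53 and flow["dst"] not in LOCAL_RESOLVERS:
        return "plain_dns_bypass"
    if flow["dport"] in (443, 853) and flow["dst"] in ENCRYPTED_DNS_IPS:
        return "encrypted_dns_suspect"
    return None


def bypass_report(flows):
    """Per-client count and volume of flows that sidestep the Pi-hole."""
    report = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes": 0}))
    for f in flows:
        verdict = classify(f)
        if verdict is None:
            continue
        entry = report[f["src"]][verdict]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
    return {src: dict(cats) for src, cats in report.items()}


if __name__ == "__main__":
    for client, cats in sorted(bypass_report(parse_flows(SAMPLE_FLOWS)).items()):
        for verdict, stats in cats.items():
            print(f"{client:15} {verdict:22} flows={stats['flows']} bytes={stats['bytes']}")
```

Hits in the first category are what a gateway DNAT such as `nft add rule ip nat prerouting iif br0 ip saddr != 192.168.1.2 udp dport 53 dnat to 192.168.1.2` (interface and address assumed) silently fixes; the `saddr !=` clause is what keeps the Pi-hole's own upstream queries from being looped back to itself. The second category can only be dealt with by destination, which is the whack-a-mole asix66 describes, and a device that refuses to work without its hard-coded DoH resolver is the point at which isolating it on its own VLAN is the option that remains.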
anthropodie · 4 years ago
You solve that by not buying such crap-ware. You buy open hardware systems.
ghostpepper · 4 years ago
I would love if there was an open 4K HDR TV but I think only a very niche audience actually cares about this so most manufacturers will not see a market opportunity
zeroflow · 4 years ago
There is a workaround by enabling NAT and forcing all traffic to piHole / pfblockerNG

https://docs.netgate.com/pfsense/en/latest/recipes/dns-redir...

rsync · 4 years ago
How does this help with DoH?

If the dns request is over 443 and the DoH server is the same host as the served resource, what can be done ?

phillipseamore · 4 years ago
I already translate all port 53 traffic to my local resolver and block known DoH addresses.
gruez · 4 years ago
If they're really evil, they'd proxy all traffic through a single host (eg. d2v3i0u0qtn52v.cloudfront.net), so you have to choose between no IOT features, or getting subjected to all the ads/telemetry.
mmcnl · 4 years ago
It's already happening, but hardcoding also causes other issues. You have to be really big before you can depend on a hardcoded DNS server.
n4bz0r · 4 years ago
> I wonder how people are thinking about solving this problem.

Not sure what potential issues are being mentioned here, but I'd say a separate VLAN for IoT devices + QoS [0] should rule out most of the concerns.

[0] https://en.m.wikipedia.org/wiki/Quality_of_service

timbit42 · 4 years ago
Have your gateway/firewall block all traffic from the LAN IP of the device from exiting the LAN.

If it's running on Win/Mac/Linux/Android/iOS, block the app from talking to the gateway, or even the entire LAN.

pdimitar · 4 years ago
That's what I do with my printer. I love the company (Brother) and they make IMO the best printers and MFPs but I am quite paranoid already and I just block any WAN traffic. The printer is (and should be) really only used from the LAN anyway.
dylan604 · 4 years ago
Can you not just block the specific addresses? Sure, you'll probably have to do some log digging to find out which ones, but I'm guessing someone else on the internet has already done it.
Gigachad · 4 years ago
Sure, then the devices throw up an error and refuse to function. I noticed that most smart TV streaming apps refused to run if they failed to connect to their ad servers.
Group_B · 4 years ago
One of many reasons why I don’t even bother with IoT devices. Don’t need all this crap to be connected to wifi. There was nothing wrong with it before.
Deritiod · 4 years ago
It's not crap just because you don't see a benefit.

In my opinion, and additionally being a curious software engineer, I find it quite interesting.

Necessary? Perhaps not but helpful.

Heating valves for example.

teeray · 4 years ago
DNAT ftw
Roelven · 4 years ago
I've been running a pi-hole on my home network for years and I love it, it consistently blocks about 19% of outgoing requests. Some of the benefits for us are:

  - It disables (and hides) the annoying ads on our Samsung smart TV
  - Browsing is noticeably smoother (especially recipe websites on mobile!)
  - Most front-end browser trackers are blocked
  - It's now possible to see how often apps or devices tend to phone home by just logging into the Pihole web interface
  - We're not giving (most of) our DNS activity to our ISP
  - Updating to a newer version is a breeze with docker
Some thoughts for folks considering getting one (or more):

  - I've not locked it down further with a firewall yet to force all DNS requests to go through the Pihole, but I'm planning to. 
  - I won't run a Pihole container on my UDM as it will likely mess with future updates and settings, keeping things separate feels better.
  - Sometimes I consider adding more blocklists but every time I do, something gets annoying somewhere and I usually end up reverting to the standard config.
My pet peeve has become to report login flows or frontend interactions that break when the tracking script fails to load because of my Pihole. It doesn't happen often luckily :-).

(edit, formatting)

EVa5I7bHFq9mnYK · 4 years ago
Obviously, people whose products rely on those ads and telemetry, won't be happy and will try to retaliate, for example, by refusing you service. This frequently happens because of my usage of VPNs and ublock. In that case I have an option to quickly turn vpn/ublock off for that specific web site or service. In your case it's not so easy.
galleywest200 · 4 years ago
In the Pihole interface you have the option to disable the blocking for a few minutes at a time when you absolutely must get somewhere.
pixxel · 4 years ago
Wouldn’t pausing pihole allow, say, a Roku box or “smart” TV to exfiltrate data that was previously blocked? This is why I use a VPN for certain websites to bypass pihole filtering.
jaimex2 · 4 years ago
Given Apple is doing this on their products it's a choice they'll have to make. They either put up with it or lose active users along with word of mouth.
heavyset_go · 4 years ago
Plenty of ad-serving companies have found their way around DNS adblocking, including the top players in that market.

Encrypted DNS looks like any other encrypted stream, there's no reason for subversive apps to rely on DHCP provided DNS servers when they can be guaranteed to serve ads without them.

kayson · 4 years ago
While the interface may not be as pretty, you can do the same thing if you're running pfsense using the pfblocker-ng package: https://docs.netgate.com/pfsense/en/latest/packages/pfblocke... You can also do geo-based IP blocking.

Combined with pfsense's recursive resolver (unbound), it makes for a pretty great home DNS setup.

pdimitar · 4 years ago
I know some of these words. [cries in not being network-admin educated]

Jokes aside, I'd love a blog post on this. Seriously. Very likely to apply the knowledge as well.

kayson · 4 years ago
I would suggest starting with the pfsense documentation. It's great!
867-5309 · 4 years ago
this is not for the faint-hearted!

Pi-hole is to pfBlocker as a Raspberry Pi is to a custom-built router

lousken · 4 years ago
i am considering pfsense for my homelab setup - can you easily troubleshoot issues and whitelist addresses if you need to?
slickdork · 4 years ago
I recommend opnsense [0] over pfsense. I ran pfsense for 5 years and it is great, but there was some bad blood [1] between the two projects and the community.

[0] https://opnsense.org/

[1] https://teklager.se/en/pfsense-vs-opnsense/

zeroflow · 4 years ago
Yeah. You have a live logging tab and can either put the URL into a whitelist rule by clicking on the plus icon or manually input it into a whitelist setting.

Brajeshwar · 4 years ago
Pi-Hole is brilliant. I set up[1] one a few years back and used it for over a year. Here are the issues:

- When I'm away from home and traveling, if something goes wrong, the Pi-Hole is usually the single source of that error, and it is hard to solve by talking my wife through the settings.

- A few websites (India in my case), mostly government ones, do not work when Ads are blocked. Try paying LIC Premium or even login to LIC of India with your DNS modified, Ads Blocked!

- Wife wants ads in some of her apps, "What did you do to my Ads!"

Since then, the family was on NextDNS[2] for almost two years - premium member hitting million+ requests a month from a 4-member family. With NextDNS slow to update when macOS changes the way they deal with Private Relay, I stumbled on AdGuard's DNS[3] (in beta now). I already bought the lifetime (family) AdGuard license sometime back. So, I tried it and am on it now.

With the current setup, the last-mile choice of blocking ads or not blocking (for some website) is at the client (wife, daughter, and other devices). This works well so far -- everyone has a choice without being totally locked down. I have also taught my 13-year old daughter to keep a watch on Little Snitch.

Here is the typical settings for all of the devices in our family, which works well when inside the home or outside.

Apple's Private Relay (ON) > AdGuard with DNS Routing (OFF/ON) > (Optional VPN when needed) > Balanced/Bonded common ROUTER with minimal locked down settings > All of the ISP's entry routers.

Nonetheless, I've been meaning to tinker so I can have Pi-Hole sitting between our family and the Internet but optionally circumventable easily -- perhaps a big Amber Button which even my 5-year old can press and go into the Internet momentarily.

Edit: I forgot to add my thinking/concept/philosophy in all of this -- We should be able to walk out from most entrapments/situations/entities with minimal or no change needed.

1. https://brajeshwar.com/2019/pi-hole-blocking-ads-at-home/

2. https://nextdns.io

3. https://adguard-dns.io/

JSTucker · 4 years ago
I had this same issue with family members having issues with a Pi-hole on our network. I solved the problem by setting up a Tailscale network and setting the Pi-hole as the default DNS server[1]. Once set up, it's as simple as turning the Tailscale connection on or off if the Pi-hole blocking causes any issues. (Plus blocking works from anywhere!)

1. https://tailscale.com/kb/1114/pi-hole/

Root_Denied · 4 years ago
I also ran into the issue of a wife who didn't like the fact that I had set up a pihole, apparently it blocked a number of shopping websites she was regularly looking at.

At the end of the day I looked at a few of the sites with her and whitelisted a couple of them, but basically told her that (based on the lists I was using) if the pihole was blocking the site entirely then it was either straight spam marketing or the site itself was malicious in some way.

charwalker · 4 years ago
Similarly, my dad has a few email lists he is part of that route their links through something pihole tends to block, be it tracking or ad based, and I had to work with him to go to the website itself then find the articles he was after. Fully legit otherwise and I eventually found and whitelisted the tracking domain on his pihole instance. He still says it is vastly worth it vs the ads he sees on his tablet when traveling or at other families' homes.
throwaway2037 · 4 years ago
<<premium member hitting million+ request a month from a 4-member family>>

Cripes! That is amazing data. Thank you for sharing.

jrmg · 4 years ago
Like any other project I run everything in a Docker container, and this project should be no different.

What is the advantage of this in this case?

BrandoElFollito · 4 years ago
I do disaster recovery tests for my home lab from time to time. This is bare metal recovery (from empty hardware).

- I download the ISO for my system (Arch Linux)

- I install it on a drive

- I install docker and a (very) few other things

- I recover /etc/docker and data from a backup

- I run my docker-compose

- the server is up

Time: around 30 min to 1 hour without any documentation.

For me - THAT is the real power of docker.

mmcnl · 4 years ago
In short: the power of declarative configuration management. Way less error-prone than imperative shell scripts.
rektide · 4 years ago
> What is the advantage of this in this case?

That you can manage & think of this machine (program/process/container/vm) the same way as every other machine & don't have to ever ever ever ask "what should i do in this case?" or "what's right for this case?" because it's a unified answer that works well & operates the same everywhere.

Uniformity & no special cases. Death to pitiful old ways.

hinkley · 4 years ago
My experience is that as long as a rule has only one exception, people are pretty good at keeping on top of them. But that always leaves you the question of whether you want to burn that exception on the current project or save it for something better. Which then makes you very nervous when your coworkers start getting clever ideas and trying to volunteer (over-engineered) things as the exception. In the same way the best leaders often didn't want the job, the best exceptions are the ones you accept grudgingly, not enthusiastically.

Much more recently I realized that this phenomenon of One Rule, One Exception falls under the umbrella of - or perhaps explains the effectiveness of - the Rule of Three. Two exceptions are bad, and work is partially pre-empted to correct that problem.

NegativeLatency · 4 years ago
Specifically relating to pihole (as of previous versions) it wasn’t the cleanest install uninstall experience and left a bunch of crap behind on my system.

I now run it in a docker container because of this, but I can’t speak to OPs motivations

mmcnl · 4 years ago
I run everything in a Docker container because I have 50+ services running, and I don't want to spend any time on their inner workings. I truly couldn't care less. I only manage the access layers (configuration parameters, volumes, ports and reverse proxy). Using Docker every application is the same from a management perspective.
dspillett · 4 years ago
> What is the advantage of this in this case?

Not specific to PiHole, but perhaps keeping the OP's infrastructure management consistent may have monitoring and maintenance benefits.

And specifically mentioned in the very next sentence:

> The Pi Hole project already has a nice Docker project utilizing compose.

It is a supported configuration for PiHole so it fits in nicely, no need to even produce their own docker based solution.

Not much of a docker user myself (I've tinkered, and we use it for some things in DayJob, but for my own stuff I use VMs or occasionally LXC if I do want a container instead), but the answer to your question was really quite obvious.

ocdtrekkie · 4 years ago
Any special setup amongst your network takes excess work to maintain. In the case of Pihole, I gave up on maintaining it because I was running it on a Raspberry Pi, and found that it was annoyingly hard to keep a Pi running stable for a long period of time.

Had I a convenient way to set it up in a Docker container, it would've been better. Of course, since I don't run anything in Docker at home, that would also constitute a special setup I have to maintain.

charwalker · 4 years ago
Yeah, docker simplifies deployment and maintenance/rebuild time. I've stuck to fairly clean/default setups on any computer I use to keep rebuild time down or at least try to use the built in/simple tools of whatever OS I'm using and Docker is the perfect version of that for small services. I say all this of course while running pihole on a pi4 that also serves DHCP so I don't have to mess with it much...

I used to run pihole on various Linux distros I was testing for home server stuff. It used to be that some distros needed a few packages added to support pihole properly but nowadays the app itself is more streamlined and/or most common distros include the minimum components. I think pihole did focus on streamlining to enable easier docker support which is where I should be putting my install whenever I get back to messing with the homelab. I've been working in windows systems for work so everything is currently Win Server based which plex doesn't seem happy with but is easier than running the whole thing as VMs on my older hardware.

pigbearpig · 4 years ago
The real advantage is another layer of complexity, so you can write a blog post about running PiHole on a home network, which done by a billion other people (conservative estimate).
dicknuckle · 4 years ago
It's much simpler. A lot less arcane knowledge is needed to get something running, and even less to clean it up completely if you need to delete it or start over for whatever reason.