JadoJodo · 2 years ago
I ran a competing project[0] on my home network for a few years before I discovered NextDNS[1]. What I lost in performance (requests don't leave my house) I gained in portability: ALL my devices can take advantage – at home and away – and time-saved. PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it. At $20/year, I simply couldn't compete with NextDNS.

Note: This isn't a shill for NextDNS; I love these kinds of projects and think they absolutely should exist, but NextDNS just happens to be one of those dead-simple SaaS tools that is an insanely good value.

0 - https://pi-hole.net/

1 - https://nextdns.io

sangnoir · 2 years ago
> PiHole works 90% of the time, but when it did stop working, I'd have to spend a bit of time fixing it.

I don't know what problems you had with your Pi that resulted in 10% downtime, but that sort of hyperbole sounds a lot like shilling. Cases of SD card corruption are 99.9% due to the use of underpowered power supplies - just buy the official Raspberry Pi power supply if you can be bothered to search for a proper 2.5-3A USB power supply.

> At $20/year [...]

At $20 a year, I could buy a RPi Zero 2W and an SD card to keep as a spare every single year and have enough left over for a celebratory Sheetz sandwich. PiHole + WireGuard + $15 RPi Zero (once off) are unbeatable.

kelnos · 2 years ago
I think it's weird when people suggest that a self-hosted on-prem solution requires no maintenance and has so little downtime such that the time spent fixing issues doesn't matter.

I run a bunch of local services on RPis and a decade-old Mac Mini. I love having the control over things, but I don't pretend I don't spend a decent amount of time maintaining it. I only run things that don't need to be highly available, so something like Pi-Hole is off the table. The last thing I want is for our DNS to go out while I'm sleeping, and my partner has to wake me up because she has work to do.

You mention SD card corruption as the only reason why a RPi-based service might fail, but there are plenty of others: botched updates, random hardware failures, power supply issues, and likely other things I'm not thinking of.

And even if a Pi-Hole can keep three nines of uptime (I'm skeptical of this claim), many people will find significant value in giving someone else money so they don't even have to think about digging in to fix a problem for the rare occasion it happens. Suggesting that a particular home-hosted solution is "unbeatable" is meaningless; "unbeatable" in this case is a subjective measure, and other people will value different things than you do.

yumraj · 2 years ago
Don’t want to jinx it but I’ve been running a pihole on a RPi 3 for a really long time - at least 6-7 years and the only thing I’ve had to do is an occasional upgrade.

I like the convenience and the fact that I’m blocking about 4M domains.

My TV is also forced to use it so ads don’t update on Android TV.

Not sure if NextDNS supports custom domain lists or not.

dddw · 2 years ago
Nextdns is great on phones. I don't bring a raspberry pi with me when I leave the house
pastorhudson · 2 years ago
Well you’re not wrong about Sheetz. Ha
andreagrandi · 2 years ago
because your electricity bill is 0, right :D ?
evanreichard · 2 years ago
I'm curious what issues you ran into with Pi-hole? I was running my instance for years without a single hiccup. I ended up moving to AdGuard Home about a year ago though because I wanted to run it on my OPNSense box.

I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.

RulerOf · 2 years ago
> I'm curious what issues you ran into with Pi-hole?

My primary problem with Pi-hole or any other DNS-based blocker is that it silently breaks things. YouTube stopped saving my spot in videos. I couldn't click through on any link that involved a tracking service.

These things accomplish their stated task well, but leave behind an insidious trail of browser errors, broken pages, and broken apps without ever indicating to the user what the cause of the problem really is.

DNS just isn't the right tool for fixing shitty UX in the browser DOM or a mobile app. It's a happy coincidence that it works more often than not.

theshrike79 · 2 years ago
SD card corruption that just slowly started degrading the results, twice.

For the price of a single Pi, I can get NextDNS ad protection for _all_ my devices for multiple years. No matter where they are.

zikduruqe · 2 years ago
> I have an automatic WireGuard VPN set up on my devices to VPN into my home network when I'm not connected to my SSID, so my local DNS still works remotely.

Exact same setup for me also.

I also run Tailscale since I have run into some remote networks that blocked wireguard's port.

therealfiona · 2 years ago
Too many false positives with Pi-Hole. I never felt comfortable putting my partner on the same vlan that it was serving DNS requests for fear that something would break for them when I was out of town, unable to get into the pi-hole and sort out the issue.

I also had my banking app stop working one day. Never could get it working. Eventually I just got fed up with having to switch vlans or to mobile data to check my bank and got rid of the pi-hole.

The blocker on PFsense eventually had the same issue.

Realistically, I was probably running too many overly restricting blocklists for my actual needs.

But, I also don't want to fiddle with messing with the out of the block blocklists that also caused me issues.

tamimio · 2 years ago
I did have several issues with AdGuard Home: after some time (or packets?) the DNS wouldn’t resolve and basically you can’t open any website. You can ping with no issues but not open the site. It was only resolved by either restarting the server or waiting a few minutes. I didn’t bother to troubleshoot it, but I tried it on several hardware and got the same issues with different interruption times.
lencastre · 2 years ago
Is there any config update to the WireGuard profile needed to ensure that DNS request traffic is routed through Pi-hole?
fdgadfagfgd · 2 years ago
I think op's saying local DNS was fine and preferred, just not usable outside the home network.
vin047 · 2 years ago
This is the way. Added Unbound as my upstream DNS server in recursive mode for extra privacy!
drewg123 · 2 years ago
I love NextDNS.

The one (fairly huge) issue that I have is that it cannot handle captive portals when it's enabled on my iPhone. So if I'm joining the wifi on a plane, etc, I need to remember to turn it off. This means that I cannot recommend it to my non-technical friends.

maronato · 2 years ago
I’ve been using NextDNS for a little while and don’t remember having issues with captive portals on my iPhone. Maybe something changed?
air7 · 2 years ago
A general trick for bringing up the captive portal manually is to browse to a non ssl url such as http://example.com

The portal would unapologetically MITM the server response with a redirect to the portal login page.

The domain needs to exist (to pass DNS) and not have HSTS, but otherwise any address will do.

JulianWasTaken · 2 years ago
Interesting -- for me pi-hole has worked for so long that I've forgotten my login even, but when I redo my home network in the near future I definitely intend to re-evaluate the options. Sounds like I've got 3 now...
nickthegreek · 2 years ago
You are gonna want to do a 'pihole -up' every few months. I would suggest finding that password!
markphip · 2 years ago
This is also my issue with pi-hole, I still use it but I lost the password. Every now and then I take a crack at getting back in so I can update it. I have been thinking of switching to NextDNS so I could have blocking everywhere.

Other than this problem, Pi-Hole has always been great

i2shar · 2 years ago
Haven’t used NextDNS but have used PiHole and currently running AdGuard Home. But if you are paying $20/year just for DNS encryption/blocking, you may consider upgrading to Mullvad which gives you DNS Ad blocking but also IP anonymity, tunneling etc.
ThePowerOfFuet · 2 years ago
The two are not the same; with NextDNS I can choose to enable logging and see all requests from each device, as well as allowlist/denylist any domain/subdomain I want.
schleck8 · 2 years ago
The issue being that it decreases your connection speed and increases your latency while good DNS naturally doesn't.
oceanplexian · 2 years ago
Except all of these third party VPN and DNS type services are literally NSA honeypots and privacy nightmares. I get that you have to do DNS lookups somewhere, but I'm not going to make it ridiculously trivial for a bad actor to scoop up all that data conveniently in a central location.
screamingninja · 2 years ago
I set up Pi Hole with Tailscale on an inexpensive cloud server. It is configured to serve DNS requests over the Tailscale interface. I also added the Tailscale IP address of the Pi Hole to the Tailscale DNS override to ensure that all devices on the tailnet use it without any additional reconfiguration. For redundancy, I have multiple DNS servers on my tailnet. Family and friends can use it without worrying about portability and be protected at all times, especially on cell networks.
scosman · 2 years ago
Tried this. Latency of DNS is so critical, wasn't loving the self host option. Plus Tailscale wasn't quite reliable enough for all DNS traffic outside the house.

I ended up with Pi-Hole on local network (manual DNS tied to Wifi SSID), NextDNS as default/fallback on other networks.

temp0826 · 2 years ago
Happy nextdns user here who used to have an overly-complicated setup with pihole and vpns etc. The only thing I have to complain about is the iOS app- I really wish it had a builtin way for viewing logs and white/blacklisting domains from the app, without having to go to the site. (Other settings would be nice too, sure, but as aggressive as I run it I find myself fiddling with the whitelist the most)
JaggedJax · 2 years ago
I've used ControlD [https://controld.com/] for this and liked it. Does anyone know how NextDNS compares to it?

ControlD has worked well for me, outside a few UI complaints I have with their site. I do have some concerns with trust as I don't know much about ControlD, and I'd rather use the most trusted service for this.

rnicholus · 2 years ago
I've been a NextDNS user for years now, and am trying out ControlD (last week) before I commit to switching. NextDNS development seems to have stalled and there are a number of conveniences missing, such as being able to label allowlist entries (ControlD supports this). Also, running the NextDNS app on a device that uses a different profile than the one on my home router results in constant issues when the device wakes from sleep (not able to resolve domains for a noticeable amount of time on wake). NextDNS claims this is an Apple issue, but I don't think that's entirely true. Certainly not a problem for other similar services.

I'm seeing ControlD as much more feature-rich and the service is evolving faster. I also personally like the UI a bit more vs NextDNS. Prices are comparable.

therealmarv · 2 years ago
+1 for nextdns definitely, that would be also my preferred choice.

Alternative and free for private usage is to set DNS to:

    dns.adguard-dns.com

on your devices to block ads with DNS.

UPDATE: it seems the old one was dns.adguard.com (which was blocked in some countries)

bityard · 2 years ago
For the home-gamers without a strong grip of DNS, note that you can't enter a domain name into your resolver fields, you have to use the IPs:

    94.140.14.14
    94.140.15.15
    2a10:50c0::ad1:ff
    2a10:50c0::ad2:ff

Also, it looks like https://dns.adguard-dns.com/ redirects to https://adguard-dns.io/ which is a paid service for more advanced DNS filtering, a la NextDNS.

vin047 · 2 years ago
9.9.9.9 from Quad9 is another great, free, pro-privacy alternative.
greenie_beans · 2 years ago
omg, thank youuuu
idatum · 2 years ago
I ran Pi-hole along with my OpenBSD router running unbound for some period. Then I realized I can download the same entries used for Pi-hole, AdGuard, uBlock, etc. I created a simple script that generates an unbound configuration that I can include in my unbound.conf file.

One advantage over Pi-hole I noticed is I can return NXDOMAIN which makes more sense to me. I didn't see how I had that option with Pi-hole.

I just checked, and the generated unbound configuration comes in at 218000 lines, so takes a moment on my Celeron J3060 class router when loading unbound.
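
One way to build such a generator, as an added example rather than idatum's script (which is not shown on this page): it reads hosts-style, plain-domain and `||domain^` list lines, validates every name before it is written into the config, and emits unbound `local-zone` entries of type `always_nxdomain`. The sample list, the allowlist handling and all function names are assumptions made for the illustration.

```python
import re

# One DNS label: letters, digits, hyphen (underscore tolerated), 1-63 chars,
# not starting or ending with a hyphen. Anything else (quotes, '#', spaces)
# is rejected, so a hostile list line cannot inject unbound directives.
_LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")
_SINKS = ("0.0.0.0", "127.0.0.1", "::", "::1")   # hosts-file sink addresses
_SKIP = {"localhost.localdomain"}


def parse_domain(raw):
    """Return the domain named by one blocklist line, or None."""
    # '#' starts a comment only at line start or after whitespace, so an
    # Adblock cosmetic rule such as "example.com##.ad" is not cut down to
    # "example.com" and blocked by accident.
    line = re.sub(r"(^|\s)#.*$", "", raw).strip().lower()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||"):                     # Adblock style: ||host^
        if not line.endswith("^"):
            return None
        host = line[2:-1]
    else:
        fields = line.split()
        if len(fields) == 1:                      # plain domain list
            host = fields[0]
        elif len(fields) == 2 and fields[0] in _SINKS:
            host = fields[1]                      # hosts format
        else:
            return None
    host = host.rstrip(".")
    labels = host.split(".")
    if host in _SKIP or len(host) > 253 or len(labels) < 2:
        return None                               # also drops "localhost"
    if labels[-1].isdigit():                      # an IP address, not a name
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return host


def _parents(name):
    """Yield every ancestor of name except the bare TLD."""
    labels = name.split(".")
    return (".".join(labels[i:]) for i in range(1, len(labels) - 1))


def collapse(domains, allow=()):
    """Drop allowlisted names and names already covered by a blocked parent."""
    blocked = set(domains) - set(allow)
    return sorted(n for n in blocked
                  if not any(p in blocked for p in _parents(n)))


def render(blocked, allow=()):
    """Render an include file; always_nxdomain also covers subdomains."""
    blocked_set = set(blocked)
    out = ["server:"]
    for name in blocked:
        out.append(f'    local-zone: "{name}." always_nxdomain')
    # An allowlisted name below a blocked zone needs its own, more specific
    # zone that resolves normally, otherwise the parent zone still wins.
    for name in sorted(set(allow)):
        if any(p in blocked_set for p in _parents(name)):
            out.append(f'    local-zone: "{name}." always_transparent')
    return "\n".join(out) + "\n"


def build(list_text, allow_text=""):
    domains = filter(None, map(parse_domain, list_text.splitlines()))
    allow = set(filter(None, map(parse_domain, allow_text.splitlines())))
    return render(collapse(domains, allow), allow)


# Constructed sample input mixing the common list formats.
SAMPLE_LIST = """\
# constructed sample list
0.0.0.0 ads.example.com
0.0.0.0 banner.ads.example.com   # covered by its parent
127.0.0.1 localhost
||tracker.example.net^
telemetry.example.org
TELEMETRY.example.org.
example.com##.cosmetic-rule
0.0.0.0 x.example"
cdn.ads.example.com
"""
SAMPLE_ALLOW = "cdn.ads.example.com\n"

if __name__ == "__main__":
    print(build(SAMPLE_LIST, SAMPLE_ALLOW), end="")
```

Running `unbound-checkconf` on the main configuration after including the generated file catches syntax problems before the resolver is reloaded.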

anon9874 · 2 years ago
Care to share your script?
itsTyrion · 2 years ago
I gave up on using anything that isn’t the default/auto DNS for when I’m on the go more, as it breaks every single public wifi hotspot that has a login/I-agree-to-not-do-illegal-shit-etc page that obv cannot be resolved
muppetman · 2 years ago
On my Pixel I just set Private DNS. Yea I had to set up an SSL certificate but that's easy to do. So when I leave home, I still use my Adguard server for adblocking without having to touch settings etc (except, as mentioned, captive portals)

I could do the same with "vanilla" DNS (udp port 53) as well, but I don't.

Pihole can't, easily, do DNS via TLS/QUIC etc without 3rd party stuff being bolted on etc. Adguard Home is a single binary, it's great.

snailmailman · 2 years ago
I run a pihole server for myself- and access it over VPN when I’m traveling. But I’ve tried NextDNS and can confirm it works pretty well. Set my grandmother up on the free tier and within the first week it stopped her from getting phished, because the scam text she clicked went to a site that wouldn’t resolve.
lnxg33k1 · 2 years ago
I also switched from pihole, because of the random disservice, I’d have it working, then suddenly it would just stop, without changing anything, and even having it in their own docker container, unbelievable, I am quite happy with adguardhome, but now I kinda would try this nextdns
afruitpie · 2 years ago
Another great (and free!) option is Mullvad’s ad-blocking DNS over TLS or HTTPS.

https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

stranded22 · 2 years ago
I love nextdns - pihole was fine but required admin, and I also had challenges vpn’ing in to use it outside of home. Whereas nextdns is simple to use, and effective.
verelo · 2 years ago
No idea how I have been living under a rock. I was using Google dns forever, but just switched my router over to next! This looks amazing, and great to see so many people using it with positive feedback.
mrbonner · 2 years ago
I paid for NextDNS back in 2020 but discontinued the following year due to services such as streaming from PBS app and websites not working properly. I knew this may be related to aggressive blocking DNS but I wasn't having the time to investigate. I have no complaints about NextDNS. Their service works and pricing is fine. I just use Adguard premium now and have had no issue for a year.
berniedurfee · 2 years ago
I’m with you. For twenty bucks it covers my home network and the app covers me when I’m out of the house.

Turning it off occasionally reveals the horror of the un-ad-blocked internet. I never forget to turn it back on.

hsshah · 2 years ago
Have you looked into their privacy/data collection policies?

Generally prefer local solutions but gave up on Pi-hole some time back after recurring issues. Currently using client-specific adguard; however the centralized management with nextdns is enticing.

boringuser2 · 2 years ago
One of the major reasons why I don't use or recommend NextDNS is because they force you to use their DNS resolver when a DNS resolver like Quad9 has vastly superior threat intelligence.
illiac786 · 2 years ago
Can nextDNS differentiate between clients coming from the same public IP? Do you get individual DNS IPs?
sitzkrieg · 2 years ago
I switched to nextdns all in a handful of months ago and mostly recommend it too
1vuio0pswjnm7 · 2 years ago
NextDNS sends EDNS client subnet (ECS). If challenged on privacy grounds they can claim it is for performance but a primary benefit of ECS, whether intentional or not, is to serve online advertising interests.^1

1. Dishonest people might try to debate intentionality. But foreseeability is indisputable. The privacy issues created by ECS were known when it was introduced by Google. If ECS is truly for performance _that benefits the user_ then it stands to reason that it should be the _user's_ choice whether to send it. That is, ECS should be optional. This is not merely a personal opinion. It was a consensus. See: https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf AFAIK, NextDNS, like Google and OpenDNS, will not allow any user to disable sending ECS.

For example, Cloudflare when it launched 1.1.1.1 decided not to send EDNS subnet and they have claimed this is based on privacy grounds.

Whether anyone cares about privacy is their business, not mine. And whether anyone believes ECS improves performance for them is for them to decide, not me.^2 Here I am just presenting some facts for consideration. Anyone is free to disregard these facts.

2. When considering "performance" we might differentiate between performance in requesting the resource the user is trying to access versus performance of ad servers or tracking servers. Needless to say, ads are not the resource the user is trying to access. And tracking is not even a resource. The speed of ads and tracking are obviously very important to Google, the company behind ECS. When we see a campaign for a "faster internet" from so-called "tech" companies such as Google and Facebook we should keep in mind that "the internet" as envisioned by these middlemen is an internet full of advertising and tracking. As such, "faster internet" does not necessarily mean better speeds when downloading a resource. Ads and tracking are not the resources that users are intentionally requesting. They only serve to add delay and impede the user's retrieval of a desired resource. Hence the need for "ad blocking".

Personally, I do not use third party DNS services, i.e., shared DNS caches operated by third parties. Historically these shared caches are the source of various problems. There are plenty of alternatives available today what with the enormous advances in network speeds and local storage that have occurred since the days when shared DNS caches were a necessity. For example, all the DNS data I use is stored locally and served from loopback addresses, either in the memory of a forward proxy or from authoritative DNS servers. Requests never leave the computer. (NB. PiHoles send requests to upstream third party DNS providers by default. Unless the parent commenter changed the PiHole's i.e., dnsmasq's, configuration to use a local DNS server serving locally stored DNS data then requests would by default be sent to the internet. In the case the configuration is changed to point to a local DNS server serving local DNS data and the user is satisfied with DNS-based blocking, like what NextDNS provides, then the utility of a PiHole would be questionable. Just omit DNS data for ad/tracking servers. I have been doing this for decades; I began using DNS for "blocking" before "adblockers" or PiHole existed.)

zukzuk · 2 years ago
I looked at Pi-hole recently but went with AdGuard Home. Nicer UI and nicer everything by all appearances. There's also a surprising amount of customization for something this slick, like being able to defer to my internal DNS for local private domain queries, etc.

I'm not entirely sure why AdGuard is giving this away, and maybe I should look into that, but seemed like a relatively low-risk decision to go with this for now. And I can't say enough about how much more pleasant using things like the NYTimes app has been without the obnoxious ads.

andix · 2 years ago
Yes, it’s really awesome. The split-dns feature has all the options you would imagine.

I thought I would need a second DNS server behind it, but I could add all the rules I need right into AdGuard Home. It even supports DoT and DoH upstreams, which is still not a thing with many home routers.

Edit: here are the docs: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuratio...

andix · 2 years ago
About the give-away-for-free aspect I was also wondering. Do they maybe configure their dns servers as default upstream and hope many people keep the defaults? DNS is one of the best technologies to do data mining and sell the data. I guess it's also why all those easy to remember dns servers like 8.8.8.8 and 1.1.1.1 exist. Google and Cloudflare for sure don't do it just to be nice.

Disclaimer: adguard claims not to sell any customer data.

madduci · 2 years ago
They can expand their user base and when they have acquired a certain amount of people, switch to a licensed model?
andix · 2 years ago
The main repo is GPLv3: https://github.com/AdguardTeam/AdGuardHome

They already have many other commercial products and I guess also the default filter rules are very good because of their experience in the domain.

But I think you can use it completely without the AdGuard servers and use other filter list sources.

Brajeshwar · 2 years ago
> I'm not entirely sure why AdGuard is giving this away

Here is my reasoning. I can read up the documentation and set it up and get it working. I'm going to brag to my friends about how my home network has no pesky ads and stuff. They will ask me to “Set up for me, Set up for me.”

I cannot help them maintain, even if I do set it up for them, so -- I'm going to say, “You know what, instead of that complexity, they have a simple app-based setup that just works for just $29 a year for your whole family.”

See, I just got five of my friends to download and buy the service in that dinner party.

I believe this is the same philosophy of today's tech startups -- have an Open Source Product but build a commercial business on top of that.

zymhan · 2 years ago
> like being able to defer to my internal DNS for local private domain queries, etc.

PiHole supports Conditional forwarding

throwaway742 · 2 years ago
Does AdGuard support regex matching?
seanieb · 2 years ago
AdGuard is a Russian company, with Russian engineers, the majority of AdGuard developers and other employees working from Moscow, registered in Cyprus. Not a great recipe. Hard pass on security grounds.
19h · 2 years ago
It’s open source software.

MacPaw lists Russian-developed software as a risk because the government can access your data at any time — this is self-hosted open-source software though.

The FSB can’t just access your local server with an arbitrary court order.

Therefore this doesn’t feel like a legitimate concern but more like Russophobia, which I understand but also think is utterly unasked for as I know first hand how much Russian developers are suffering from the stupidity of their government.

seanieb · 2 years ago
You're swapping out your DNS for a Russian controlled DNS service. Seems dumb IMO.
tills13 · 2 years ago
It's open source you can verify it yourself.
mrcarruthers · 2 years ago
Technically, yes you can. But do you really have the time to sit down to understand a piece of software enough to know if it's doing anything nefarious?
Sammi · 2 years ago
Good luck with that.
modzu · 2 years ago
and your macbook was built in china. uh oh
seanieb · 2 years ago
Apple is an American company and we’re not actively paying for a hot war against China.
time4tea · 2 years ago
You might be interested in py-hole. It's just a python script and some dnsmasq configuration, it runs on openwrt, is free and close to zero cpu usage.

https://github.com/time4tea-net/py-hole

int_19h · 2 years ago
One other neat thing about AdGuard is that it is available as a Home Assistant addin - and it does integrate with the rest of HA, so you can e.g. have a switch to enable/disable blocking as part of your dashboard.
fignews · 2 years ago
NextDNS also, just set it up :)
smarterhome · 2 years ago
AdGuard Home is amazing! I used PiHole for a time but did run into small issues quite a lot. Mind you nothing serious but things like these are only really useful if they just work. Adguard Home works without any issues on my Pi setup via docker-compose [1] and it even runs on a second Pi as backup using a cool container called adguardhome-sync [2] to keep their configurations in sync. I am not seeing any ads in my network anymore and it is quite interesting to see how many tracking/ad requests are sent by some devices...

1 - https://thesmarthomejourney.com/2021/05/24/adguard-pihole-dn...

2 - https://thesmarthomejourney.com/2023/02/12/adguardhome-sync-...

vin047 · 2 years ago
The real eye-opener is when you start redirecting DNS 53 requests to your own DNS server and block DoT/DoQ/DoH – so many devices/apps just trying to reach out to their hardcoded DNS servers for tracking/ad targeting.
briHass · 2 years ago
Unsurprisingly, Google and Facebook IoT junk is the worst. They both hardcode their own DNS, and I've caught Google devices ignoring the DNS IP from DHCP (not the gateway) and attempting to resolve from the gateway (with external blocked)
ittan · 2 years ago
Unsure if anyone here uses Technitium DNS(Opensource and free). It works on minimal hardware. I am running it on an Orange Pi 3 LTS.

https://technitium.com/dns/

yumraj · 2 years ago
This looks great.

Qs: this says “Technitium DNS Server is an open source authoritative as well as recursive DNS server”

Are Pi-hole/AdGuard also recursive DNS servers or just blockers?

Edit: I’ve been using pi-hole for ages, trying to figure out if this has any advantage.

roach360 · 2 years ago
Can't speak to Adguard:

PiHole isn't natively recursive, but you can easily set up a service alongside pihole on the pi (or in another docker, if your pihole is a container) called Unbound which provides recursive DNS.

mianos · 2 years ago
And you can load the ad blocking lists into anyway so you get solid DNS, ad blocking and none of those random youtube spinners from rando dns issues. For nothing but a little configuration.
az09mugen · 2 years ago
Yup, running it on a pi 4. Simple to set up and use, happy with it. I didn't know about Adguard but I don't want to try it even if it seems good.
FuriouslyAdrift · 2 years ago
I've been using it for years and love it. .Net based, so it is cross platform, too! There's a docker image if you want to go that route.
vin047 · 2 years ago
Decided against it due to being written in C#/NET and being relatively new. Went with Unbound
neonsunset · 2 years ago
Why?
hbcondo714 · 2 years ago
There are a few mostly positive comments here about NextDNS but I'll start a new comment since I'm thinking about switching away from NextDNS. Why? I'm on a Mac / Safari now and would like to enable their "Hide IP address from trackers" feature but if I do, then I start seeing advertisements on websites that would normally be blocked by NextDNS. So I have to uncheck this option and can't use Apple's feature. Overall, I guess the two can't be used together, per an issue reported on the NextDNS Help site:

https://help.nextdns.io/t/q6yq4xy/nextdns-stops-working-prop...

Does anyone by chance know if this is a known issue with AdGuard or even Pi-hole?

pseufaux · 2 years ago
Are you referring to iCloud Private Relay? If so that's expected behavior with any DNS based ad blocker. Turning on the relay proxies your connection and your local network's DNS server will not be used. Doesn't matter if it's PiHole, NextDNS, or AdGuard.
_kb · 2 years ago
It does with encrypted DNS (I think - still mid setup). If you use a configuration profile [0] to explicitly set a DNS over HTTPS or DNS over TLS server this is still honoured within private relay.

IMO vanilla private relay is much neater and simpler if privacy is your goal. It uses Oblivious DNS over HTTPS [1] which is pretty neat.

To trade some of that privacy to reduce ads setting up encrypted DNS restores filtering control. This does mean you then need to funnel those queries somewhere likely less oblivious though. Current setup I'm playing with in the homelab uses Adguard Home for filtering. This then forwards to a local Unbound instance acting as a recursive resolver with strict DNSSEC [2] and QNAME minimisation [3]. End result is the DNS traffic is still open, but does not all go to any one single entity (apart from my ISP, which can see TLS SNI anyway).

[0]: https://dns.notjakob.com

[1]: https://datatracker.ietf.org/doc/html/rfc9230

[2]: https://datatracker.ietf.org/doc/html/rfc7816

[3]: https://datatracker.ietf.org/doc/html/rfc9364

hbcondo714 · 2 years ago
Thanks, I did not think of that but iCloud Private Relay requires an iCloud+ subscription[1] which I do not have.

I'm referring to the "Limit IP Address Tracking" option[2] in Safari/iOS and "Hide IP address from trackers" option[3] in MacOS/Safari

[1] https://support.apple.com/guide/icloud/set-up-icloud-private...

[2] https://support.apple.com/library/content/dam/edam/applecare...

[3] https://appletoolbox.com/wp-content/uploads/2014/02/Hide-IP-...

rahimnathwani · 2 years ago
You're using one product that blocks ads and trackers, but then bypassing that with another product that deliberately provides access to ads and trackers, but via a third party.

What is the point of the latter?

hbcondo714 · 2 years ago
I subscribed + configured my router to use NextDNS years ago so ads + trackers are blocked on my IoT devices. More recently, I inherited a MacBook and now an iPhone and naturally enabled their built-in blocking capabilities. I think I assumed two blockers are better than one but now I just leave Apple's IP limiting features off and let NextDNS do its thing but it just feels weird to deliberately turn off a privacy feature.