Yes, or — if you're lazy like I am, and don't want to manage another device or container — use something like NextDNS, which has a very generous free plan and an extremely inexpensive yearly plan. Control D is a popular alternative with similar plans.
In the last 3 months, NextDNS has blocked nearly 9% of 10M DNS queries from devices in my household with no ill effects that I'm aware of. (I'm not affiliated with NextDNS in any way, other than as a satisfied paying customer.)
Not only can Tailscale directly integrate with NextDNS and therefore not require extra configuration on-device for DNS, but you can use Tailscale ACLs to assign different NextDNS profiles to different devices (for example, a parental control profile to a kid's device or an Apple TV, or an IoT profile, etc.).
It's also easy to use Pi-hole with NextDNS as the upstream server, using cloudflared as the DNS-over-HTTPS tool[1] to connect to NextDNS in a secure manner.
Let's say you have internet from Comcast or your phone company in the US; aren't they able to be compelled to log your requests in the same way? Is there any internet access where you have actual privacy? I think not, unless you VPN somewhere, and then that other company could be doing it.
Paying does not solve the online ads problem, it only adds to it by creating a market for companies that can profit from online ads while collecting even more data from internet users. DNS query data is probably as close to www browsing history as one can get.
These companies can easily be acquired by Big Tech. Nothing stops them from selling out and selling their customers out. This is a win for the DNS provider, a win for Big Tech and a loss for the internet user.
Google already collects fees from some people who are willing to pay in return for "no ads"; meanwhile Google still collects data on these people; it may be used to support ads shown elsewhere or for any purpose whatsoever. Paying does not stop the online ads problem. If anything it makes online ads even more attractive; they can be used to annoy people into paying fees. Some people will actually pay to have their data collected by an advertising company.
As far as I know, please correct if wrong, Pi Hole is 100% non-commercial. It is basically a modified dnsmasq with default settings that forward queries to third party DNS providers that profit from ad services, like Google. If online advertising were to decrease or disappear, then Pi Hole is not threatened. Whereas a third party DNS service like NextDNS has a financial incentive to ensure that the online ads problem persists, as it creates their "market". The disappearance of online ads, for whatever reason, would be catastrophic for NextDNS.
I am not a Pi Hole user as I do not like dnsmasq. I use other DNS software and map DNS data collected in bulk from a variety of sources into local forward proxy memory.
Been using NextDNS on both droid and Linux and am really grateful for it. Coupled with uBlock, I can browse the tubes without having a seizure. I'm so satisfied with it that I fear someone will come along and prick my happy bubble, explaining why it's bad. But I might just look away.
9% is reasonable. I've got pretty strict filters on my home DNS and it's currently blocking 12%. I imagine that number would be much higher if I didn't have ad block extensions on all my browsers and IoT devices on a restricted VLAN.
Nope! NextDNS blocked 913,294 of 10,287,370 queries over the last 3 months. I'm sure the percentage would rise if I flipped on other options that they provide ("AI-Driven Threat Detection", "Block Newly Registered Domains", etc.), and I should probably revisit those.
An alternative option for those already running an OpenWRT router - whether that be on dedicated hardware (usually a reflashed commercial wifi access point + router) or as a virtual router (e.g. running in a container or VM, this is how I use it) - is to use the Adblock package and configure it to force local DNS (Redirect all DNS queries from specified zones to the local DNS resolver, applies to UDP and TCP protocol). This partly works but it is not effective against applications (e.g. TikTok) and devices (e.g. 'smart' televisions) using DoH (DNS over HTTPS) since that traffic is indistinguishable from normal web traffic without deep packet inspection. I have tried to run ipset-based blocklists to force such applications and devices to use 'normal' DNS but this is not really feasible as DoH servers can be hosted just about anywhere.
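Both the block-percentage figures quoted in the thread and the DoH bypass described above can be checked against the resolver's own query log. As an added example (not from any commenter or the Pi-hole project), this Python script counts blocked queries and flags clients that resolve public DoH resolver hostnames, which is the usual tell that a device is about to route its DNS around the local filter. The log lines and addresses are constructed, and the phrases matched for blocked answers are an assumption about Pi-hole's log wording.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq-style format Pi-hole writes to its query
# log; hostnames, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar  1 09:00:01 dnsmasq[512]: query[A] news.ycombinator.com from 192.168.1.20
Mar  1 09:00:01 dnsmasq[512]: forwarded news.ycombinator.com to 9.9.9.9
Mar  1 09:00:02 dnsmasq[512]: query[A] ads.tracker-example.net from 192.168.1.20
Mar  1 09:00:02 dnsmasq[512]: gravity blocked ads.tracker-example.net is 0.0.0.0
Mar  1 09:00:03 dnsmasq[512]: query[A] dns.google from 192.168.1.45
Mar  1 09:00:03 dnsmasq[512]: forwarded dns.google to 9.9.9.9
Mar  1 09:00:04 dnsmasq[512]: query[AAAA] cloudflare-dns.com from 192.168.1.45
Mar  1 09:00:05 dnsmasq[512]: query[A] dns.google from 192.168.1.45
Mar  1 09:00:05 dnsmasq[512]: cached dns.google is 8.8.8.8
Mar  1 09:00:06 dnsmasq[512]: query[A] metrics.tracker-example.net from 192.168.1.30
Mar  1 09:00:06 dnsmasq[512]: gravity blocked metrics.tracker-example.net is 0.0.0.0
Mar  1 09:00:07 dnsmasq[512]: query[A] docs.pi-hole.net from 192.168.1.30
Mar  1 09:00:08 dnsmasq[512]: query[A] dns.quad9.net from 192.168.1.45
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)")
# Wording FTL uses for answers it blocked (assumption: not every block mode is covered).
BLOCK_RE = re.compile(r"dnsmasq\[\d+\]: (?:gravity blocked|\w+ blacklisted) (\S+)")
# Hostnames of public DoH resolvers; a short illustrative list, not exhaustive.
DOH_HOSTS = ("dns.google", "cloudflare-dns.com", "dns.quad9.net",
             "one.one.one.one", "dns.nextdns.io")


def summarize(log_text):
    """Return (total_queries, blocked_queries, {client: doh_lookups})."""
    total = blocked = 0
    doh_by_client = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            total += 1
            name, client = m.group(1).lower().rstrip("."), m.group(2)
            # Suffix match so e.g. mozilla.cloudflare-dns.com is caught too.
            if any(name == h or name.endswith("." + h) for h in DOH_HOSTS):
                doh_by_client[client] += 1
        elif BLOCK_RE.search(line):
            blocked += 1
    return total, blocked, dict(doh_by_client)


def block_ratio(total, blocked):
    """Blocked share as a percentage (two decimals); 0.0 if no queries."""
    return round(100.0 * blocked / total, 2) if total else 0.0


if __name__ == "__main__":
    total, blocked, doh = summarize(SAMPLE_LOG)
    print(f"{blocked} of {total} queries blocked ({block_ratio(total, blocked)}%)")
    for client, n in sorted(doh.items(), key=lambda kv: -kv[1]):
        print(f"{client}: {n} lookups of public DoH resolvers (possible DNS bypass)")
```

A client that resolves DoH hostnames but otherwise sends few queries to the local resolver is the pattern to look for; the router-side redirect of port 53 does nothing for it once the DoH session is up.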
My setup is on a nanopi running FriendlyWRT/OpenWRT with Docker installed. PiHole is easy to run from docker - have a look at https://github.com/pi-hole/docker-pi-hole/
FreshTomato also has an adblock function that can go off the usual web lists. DD-WRT I recall does as well. Just goes to show the open source firmwares in general are superior, and it should be a feature people look for when buying routers.
Unfortunately, moving to DNS blocking could only be a brief refuge before the creeping anti-adblock efforts target it as well.
Adtech and the web are identifiable by mostly unique domains, but what if that could be hidden? What if the adtech industry builds and pushes a reverse proxy tech of sorts for page content inside the page, where the web server goes and loads 3rd party content for the page render before sending it to you? The theoretical result could make every request look like it comes from the domain you requested, and there's nothing to discriminate on when it comes to DNS requests.
Unrealistic? Today, maybe. Wait until DNS ad blocking goes mainstream, Manifestv2 addons are long since stamped out and Manifestv3 addons are proven to be gutted and defeated. If click-through rates are noticeably higher with some kind of anti-dnsblocking proxy, we'll probably see proxies everywhere. What we'd do then for ad-block is beyond me.
Filtering proxies on the other end. A lot of corporate networks already MITM all traffic so they can block, monitor, and rewrite; and ironically that has been much-maligned by those working for Big Browser, ostensibly for "security" reasons. Ditto for the DoH advocates.
I've been running a filtering proxy on my network since the turn of the century. This was somewhat common in the past, then waned as browsers started growing extension functionality (one wonders if growing, and then now heavily restricting, extensions was a way to discourage proxying) but I suspect it'll become more popular in the future too.
...and the fact that TLS fingerprinting is now a thing, and you'll be easily considered a "bot" by many sites if you MITM your own traffic, shows what their real intentions are.
Note that when I tried PiHole years ago, travel/flight-booking sites frequently required exemptions in order to operate. Not sure if the filtering is finer grained now, but it is not entirely a risk free proposition to set this up for an entire household.
The default list is so small that I am inclined to believe you used an untested and unmaintained 3rd party block list. Use the lists from firebog.net and hagezi. They are well maintained and documented.
My Chrome browser has just announced that uBlock Origin was turned off as it's no longer supported. Time to install another browser. Edit: actually uBlock Origin Lite has been recommended as an alternative.
Both Pi-Hole and AdGuardHome are good; I've used both and settled on AdGuardHome as I've found it to be slightly faster to resolve (with the same Quad9 upstream for both).
Not a great headline; the article's focus is on recent version improvements and entire local network "front of house" protection for all devices, all browsers, tablets, TVs, local data phones, etc.:
Pi-Hole 6 appeared a few weeks ago. Since then, there have been a few small bug fixes and it's now up to version 6.0.5.
The new release is lighter weight and has fewer external dependencies: it no longer needs PHP or an external web server. If you run the Docker container version on top of another Linux OS, it's lighter still, as the container is now based on Alpine Linux instead of Debian.
Is it really worth setting up a dedicated ad-blocker on your own network? We decided it was high time to try.
For those that want to, it's an easy setup on a NAS box and gives a central dashboard for whitelisting, blacklisting, toggling ad filters, logs, etc.
I nearly submitted this story myself, so I'm glad somebody did.
Granted, Pi hole is a great project, and this new version does seem like a big improvement. It just irks me how people will stay with a hostile browser instead of spending the literal five minutes it takes to switch to another one.
As the article notes, Mozilla is telegraphing incoming targeted advertisements in Firefox. Everything else is a Chrome derivative and unless someone steps up to maintain Manifest V2 (which I've seen no evidence of so far), uBlock Origin will no longer function on them.
I would love to be able to rely on my browser to be a user agent that actually has my interests and only my interests at heart—I have hopes that maybe Orion can get there with a paid-for model. But in the meantime, most of the choices I can see are flawed in some way that justifies an extra layer of protection.
What about the Firefox forks? They aren't as popular as Chrome's (by nature of Firefox not being as popular as Chrome), but they're out there; Waterfox, Librewolf, and Mercury come to mind.
I use Vivaldi, I used to use Opera and I like Vivaldi's mission statement. I don't know about manifest v2, but uBO still works on Vivaldi, at least for now.
> I have hopes that maybe Orion can get there with a paid-for model
I'm hopeful. I stopped using Firefox last week and switched fully to Orion (I was already using it on my iPhone for the Firefox extensions), and now I'm paying for Orion+ to support them: https://kagi.com/orion/orionplus.html
We sell used computers with Windows installed. We used to use Edge to get Chrome, and then someone suggested Brave. Everyone uses Brave now, except for me, the throwback who uses Nightly/Firefox. There I was reading news when someone on the machine next to me got a 1-800 alarm. He was shocked... So I turned off his computer, rebooted, and searched his browser history. He was looking for a printer manual, and it hit an auto forward, and in the URL was a bytecode dropper. Wow. I copied the text and sent it off to my anti-virus, and scanned and cleaned his machine up. Nothing was flagged except for that URL, its cache. I think I got it right before the drop, but I didn't bet on it, and reloaded OS, apps and security and again a full scan. I thought he was in Chrome, but he was using Edge that one time. So now I have to bury all the launch points.
Yes, stop using Chrome as your daily driver.
Brave and Opera were on a workstation I was cleaning up, so I flipped back and forth between them, but am going to do some deep dive on Monday.
I wouldn't recommend Opera, BTW. It was bought by some shady consortium and is no longer the browser it used to be. Vivaldi is its spiritual successor (and what I use).
AI predictably said anything, including Edge. Which is why it's the second thing I remove from the lab machines.
Anyone using Puffin, Freenet or Vivaldi? I am going to spend a day with each next week on a slow system.
The one thing I was looking for as an alternative to Nightly was its speller, which was getting old. Then a week or so ago, it became significantly better.
The point is there soon may not be. I'm a Firefox guy myself, but Mozilla looks like it is wanting to turn evil as well. So what's left? One of the forks of Chrome or Firefox? What happens if either "for security" decide to stop releasing their code? It could happen, projects have stopped being open sourced in the past. It couldn't stop people from basing browsers on the earlier code of course, but those would eventually have compatibility problems as they wouldn't have access to new changes.
https://tailscale.com/kb/1218/nextdns
I have been using NextDNS for many years now, but I didn't get why I should use Tailscale.
[1]: https://docs.pi-hole.net/guides/dns/cloudflared/
Regardless, they look like a good alternative for users who are unable to set up or are prevented from using a Pi-hole.
If someone wanted your internet traffic, they wouldn't bother with NextDNS. They would just compel your internet provider to give it to them.
This is not a real risk to using NextDNS.
NextDNS lets you choose where to store your logs, along with a retention time of 1 hour to 2 years. Logging can also be completely disabled.
The choices for log storage are (1) United States, (2) European Union, and (3) Switzerland.
But I'd love to hear your ideas.
I still use uBlock origin, but like how NextDNS will block stuff from phones and other devices as well.
Nextdns is great
https://news.ycombinator.com/item?id=36824165
https://news.ycombinator.com/item?id=36832736
I thought about wiring up a physical button which would send the "disable for N minutes command" before I realized I was playing with too much fire.
No! Stop using Chrome! There are other browsers you could (and should) use instead!
I've been running pihole at two locations for many years. It does a great job of blocking ads and scripts on all devices.
I customized one of my two locations and it stopped serving DHCP on one of the two subnets after the update a few weeks ago. I reverted the update and it's been fine. (I keep good backups.) A friend who also runs it had the same problem and he provided me with his solution before I had a chance to look at it myself:
listeningMode = "ALL" ### CHANGED, default = "LOCAL"
I'm using Midori for this purpose and it quite sucks a bit. I really hope a good alt browser jumps into the repos soon.
The next thing they'll do is to claim that DNS over TLS (probably port 443 mind you) is mandatory.
On a side note, Safari's latest version seems to do this, and there's no way I can figure out how to disable the behavior.
Per usual, they'll claim it's "for safety", but the real motive is to kneecap extremely useful tools like PiHole.
Of course, the escalation from the user side is likely to involve more firewalls and proxies.