Pi-hole is my most prized addition to my connected home. It was simple to set up, easy to manage, and easy to access for whitelisting. Now, all of my devices throughout my network benefit from the service, as opposed to relying on locally installed solutions.
I see it as an advantage for all the devices on your network. I mean, to block trackers from Windows computers, or Roku devices or Android apps.
But as an adblocker - I feel like I'm missing something. It acts as a DNS server for your local network and blocks what's essentially a hosts file.
So how does it handle ads served through websockets?
How does it handle ads that come from the same domain as legitimate content (which is increasingly common)?
The complexity of rulesets by add-ons like uBlock Origin or PrivacyBadger seems to far surpass what PiHole is capable of.
I think PiHole has its place on a network - obviously, but people have been promoting this thing like you can just get rid of your adblocker on your browser now.
People also downplay that this can be a pain in a home with a handful of streaming devices, each with a handful of apps. You end up whitelisting so much for those devices, you might as well whitelist the whole device just so the apps can work.
Your wife downloads a game on her phone, and you get that look like "ok, why isn't this working.. what did you do now?"
It just seems like a lot of effort for fairly imperfect results.
Sure, installation is easy, but long-term maintenance (the OS, the app, constantly whitelisting or troubleshooting when a new service or app breaks for someone in the house).
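The questions above (websocket ads, ads served from the same domain as the content) come down to what a hosts-list sinkhole actually gets to see. The following is an added example, not code from Pi-hole or from the commenter: a toy model of hosts-file style blocking that decides a query by exact name match, honours a whitelist the way Pi-hole's whitelist overrides gravity, and then runs a constructed set of page requests through it. The blocklist, whitelist and request URLs are all constructed for the example; the 0.0.0.0 answer stands in for Pi-hole's null blocking mode.

```python
"""Toy model of hosts-file style DNS blocking (added example, not Pi-hole code).

A DNS sinkhole sees only the query name. It never sees the URL path, the
WebSocket endpoint or the page content, so anything served from the same
hostname as the legitimate content passes straight through.
"""
from urllib.parse import urlsplit

# Constructed sample blocklist in the hosts-file format used by gravity lists.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org metrics.example.org
"""

# Constructed whitelist: an exact match here wins over the blocklist.
SAMPLE_WHITELIST = {"metrics.example.org"}

BLOCK_ANSWER = "0.0.0.0"   # null-address answer, one of Pi-hole's blocking modes


def parse_hosts_blocklist(text):
    """Collect every hostname named on a hosts-format line, lower-cased, no trailing dot."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:          # need an address plus at least one name
            continue
        for name in fields[1:]:
            blocked.add(name.lower().rstrip("."))
    return blocked


def dns_decision(qname, blocked, whitelist):
    """Decide one query the way a plain hosts-list sinkhole does: exact-name match only.

    Returns ("block", answer) or ("forward", None); the latter means the query
    goes to the upstream resolver untouched.
    """
    name = qname.lower().rstrip(".")
    if name in whitelist:
        return ("forward", None)
    if name in blocked:
        return ("block", BLOCK_ANSWER)
    return ("forward", None)


def url_decision(url, blocked, whitelist):
    """All the sinkhole learns about a browser request is the hostname part of the URL."""
    host = urlsplit(url).hostname or ""
    verdict, _ = dns_decision(host, blocked, whitelist)
    return host, verdict


# Constructed requests a browser might make while loading a single page.
SAMPLE_REQUESTS = [
    "https://www.example.com/article.html",          # the content itself
    "https://ads.example.net/banner.js",              # third-party ad host: blocked
    "https://tracker.example.org/pixel.gif",          # third-party tracker: blocked
    "https://metrics.example.org/beacon",             # listed, but whitelisted
    "wss://www.example.com/live-ads",                 # ad WebSocket on the content origin
    "https://www.example.com/static/promo/ad-1.js",   # first-party ad path on the content origin
]


def audit(requests, blocklist_text, whitelist):
    """Map each request URL to the verdict the sinkhole would reach for its hostname."""
    blocked = parse_hosts_blocklist(blocklist_text)
    return {url: url_decision(url, blocked, whitelist)[1] for url in requests}


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_REQUESTS, SAMPLE_BLOCKLIST, SAMPLE_WHITELIST).items():
        print(f"{verdict:8} {url}")
```

The last two requests are the ones the thread is asking about: both resolve `www.example.com`, the same name as the article, so no list entry can block them without also blocking the content. Pi-hole's regex and wildcard lists widen matching to subdomains, but nothing at the DNS layer can distinguish paths or protocols on one origin; that is what a browser extension's URL and element rules do.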
> Your wife downloads a game on her phone, and you get that look like "ok, why isn't this working.. what did you do now?"
THISSSSSS. The only thing stopping me from using Pi-hole at home are my family members and the inevitable "this isn't working!?!?" rant and then I need to figure out how and what to whitelist. No thanks. I have ad blockers on the kids' PC and when something doesn't work, it's one click to temporarily turn it (browser extension) off.
I've been running it for months now and so far none of my family has come back with any 'major' issues. The only ones, which I could whitelist are when they use something like google shopping that has affiliate links and they're blocked.
>The only ones, which I could whitelist are when they use something like google shopping that has affiliate links and they're blocked.
If you have impatient shoppers in your household, the blocked affiliate(s) might be a benign issue at first, but when you miss out on a buying opportunity and then an algorithm prices it higher (while you are conducting a 'whitelisting' exercise) - things can escalate very quickly..
It's not much effort. You basically write an image to an SD card, put it into a pi and you're up and running. Although it doesn't block everything that ubo does, it does a darn good job and it's also effective for devices where ubo isn't an option. It updates the list on its own. I occasionally update it when I happen to log in to check something and I notice the software is out of date.
I don't think it's a situation where you can ditch your ad blocker if you are dead set on never seeing an ad. It may be good enough for most people though. Personally, I still run ad blockers on my devices. Other people in the household do not.
I seldom have to whitelist anything. I may not have whitelisted anything at all. I have blacklisted a few extra domains - things like analytics requests for IoT devices. I don't recall a time that something didn't work and I had to fiddle with the pi-hole to fix it. It's been very low maintenance and very effective in my experience.
It's a layer of defense, to be used with other layers. It should not be used as the sole solution. I don't use PiHole but I use a similar manual setup using dnsmasq, but also employ browser-based adblocking.
Your fourth sentence is what strikes me as really important. All this discussion about adblockers will not work if Google develops technologies to embed their ads directly inside content providers. It's going to be a race to see if ad blockers and the reliant technologies are faster than Google.
Over 50% of my DNS queries get blocked by the pihole [0]; and I've seen it much higher. Like you said, it's one of the most prized devices on my network.
That's fascinating.. I would love to know what the averages are across a wider range of users..
In contrast, for my home network, it's just under 15% of queries that get blocked. I've got 3 Macs, a Windows 10 machine, an Apple TV (all connected 24/7) and a handful of iOS devices that hop on and off the network.
I get about 15% of queries blocked with 3 Windows laptops, 2 Android phones, 1 iPhone, and a smart TV. I do run most of the traffic generated for work through work VPN though, and that tends to be the largest source of traffic (about 80% by data volume), which completely ignores local DNS.
Haven't you noticed any drastic reductions in speed?
My rpi 3b (not 3b+) just couldn't handle it. It had 2 users. Our DNS resolution times increased by about 200ms. It was awful. I stripped it back out and haven't bothered trying to set it up again.
(Other details: the RPI was hardwired, wireless disabled, and it was a fresh raspbian install with zero customization outside of adding pihole.)
I would say that you may have a setup issue with your router. My resolution times decreased when the pi-hole is providing DNS responses. I have 30+ devices on a 3b+.
I'm using a UniFi setup and both WAN and LAN point to the pi-hole local ip address.
I'm running a pfsense setup with cloudflare as my DNS (DNS-over-TLS, specifically). As soon as I had the rpi in the middle, it jacked up resolution times like crazy (rpi was set to use my SG as its DNS, so <clients>->rpi->pfsense->1.1.1.1).
It's good to know you guys haven't been having problems; I thought everyone was just fucking nuts or something, but no; local problem. Sigh.
Ugh. I tried. Somehow when I first configured it, I configured something incorrectly - and it literally stopped all connections to or from the router entirely. I had to physically connect to it and uninstall the pkg to get it to work again.
I wanted to try it again and NOT do what I had done previously, but I think a conf file is still floating around because the second I install pfBlockerNG(maybe -dev too? I actually can't remember now), my entire network instantly goes down and won't come back until I remove the pkg again.
I don't know enough about BSD's package manager or where pfsense puts package conf files to try to track this down and clean it out. I'm sure I COULD figure it out, but I have other projects that are higher priority :)
Edit: I should also note when I was trying to figure this out I had a very angry spouse standing behind me burning holes into the back of my head because the network was down, so I didn't make a priority of really looking through logs and trying to properly diagnose things. I just wanted things to be up so that I wasn't slain.
I have my router set up to act as a DNS resolver and cache, with the pi-hole (rpi 3b) upstream. This fixed my speed issues as only a few queries actually make it to the pi-hole.
The router has a secondary DNS server as well in case the rpi goes down (which has happened ~2 times in the last year or so) or I need to fiddle with it.
I have an old desktop in my basement running Ubuntu with PiHole (and some other things). My router is still the DHCP server, but distributes the PiHole machine as the first DNS server. I haven't noticed anything being slow.
Due to the architecture of DNS, DNS is not end-to-end encrypted. There is a potential solution (djb's DNSCurve), but it will not be deployed. As a result, let's do an assessment.
Using Google DNS, self-hosted resolver, or your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.
Using CloudFlare's DNS w/ DNS-over-HTTPS: only NSA (via a NSL or subpoena), Cloudflare and CloudFlare's upstream can track and see your requests. And I guess 10%-20% of the domain names already use CloudFlare, so for some domains, it's end-to-end encrypted, nobody but NSA and CloudFlare can track you. Even better, Cloudflare is experimenting with peering to upstreams (e.g. Facebook) using private encrypted connections, so the point-to-point encryption ratio would be even higher in the future.
Therefore, using CloudFlare is a net positive.
But one also needs to consider its second-order effect: is giving CloudFlare more leverage over the Internet infrastructure in the long run an acceptable choice over unencrypted DNS? I guess everyone has a different opinion.
Wait a minute... First, Google DNS provides both DNS-over-HTTPS and DNS-over-TLS; second, Pihole (or should I say dnsmasq, or FTL, the name of their dnsmasq fork) does not support forwarding DNS queries to upstream using either DNS-over-HTTPS or DNS-over-TLS.
> Using ... your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.
Technically speaking the NSA wouldn’t be seeing your DNS requests, they would be seeing your ISP’s, for all its users anonymised.
If you use Cloudflare or Google DNS directly from home (or your own resolver), then yes, the NSA and anyone else can track your individual DNS requests directly.
In that regard using your own ISP’s DNS is clearly superior.
What threat model does concealing DNS but not indirecting traffic via Tor address, given that Tor can also tunnel DNS? Cloudflare's not wrong that the DNS requests are hidden, but many classes of observer who could read your DNS request could also see you connect to the resting host?
Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?
Cloudflare has also rolled out ESNI (https://www.cloudflare.com/ssl/encrypted-sni/) which would mean someone reading your traffic would only be able to tell that you're connecting to a cloudflare IP address.
However, they would be unable to determine which specific site you were accessing.
Why do you want to present a false sense of improved privacy by only obfuscating your DNS queries in these networks?
It seems to me like these DNS tricks are parlor tricks in a security sideshow. Any attacker that could see your packets can also see who you are connecting to. It's pretty rare that SNI does anything relevant to a real threat model.
I think a false sense of privacy is at least as dangerous as the alternative.
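The two comments above are about the same packet: whether or not the DNS query was encrypted, the TLS ClientHello that follows carries the hostname in the clear unless the name is moved into ESNI. The following is an added example, not code from either commenter or from Cloudflare: it builds a constructed, minimal TLS 1.2 ClientHello with an optional server_name extension and then parses the name back out of it the way a passive on-path observer would. Only the plain SNI extension (RFC 6066, type 0) is modelled; the ESNI encoding itself is not, so a hello built without server_name just stands in for "the observer finds no readable name".

```python
"""What an on-path observer reads from a TLS ClientHello even if DNS is encrypted.

Added example. build_client_hello() constructs a minimal, well-formed TLS 1.2
ClientHello; extract_sni() is the observer's side and pulls the host_name back
out of the server_name extension, returning None when there is nothing readable.
"""
import os
import struct

SNI_EXT = 0x0000              # server_name extension type (RFC 6066)
SUPPORTED_GROUPS_EXT = 0x000a


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello. server_name=None omits the SNI extension entirely,
    which is roughly what the observer is left with once the name moves into ESNI."""
    body = b"\x03\x03" + os.urandom(32)                      # client_version, random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
    body += b"\x01\x00"                                       # compression: null only
    exts = _ext(SUPPORTED_GROUPS_EXT, b"\x00\x02\x00\x17")    # supported_groups: secp256r1
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name (0)
        exts += _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record):
    """Return the host_name readable in a ClientHello record, or None (bounds-checked)."""
    if len(record) < 5 or record[0] != 0x16:                  # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                           # not a client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    i = 2 + 32                                                 # client_version + random
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                              # session_id
    if len(p) < i + 2:
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]                # cipher_suites
    if len(p) < i + 1:
        return None
    i += 1 + p[i]                                              # compression_methods
    if len(p) < i + 2:
        return None                                            # no extensions block at all
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = p[i:i + elen]
        i += elen
        if etype != SNI_EXT or len(edata) < 5:
            continue
        j = 2                                                  # skip server_name_list length
        while j + 3 <= len(edata):
            ntype = edata[j]
            nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
            name = edata[j + 3:j + 3 + nlen]
            if ntype == 0 and len(name) == nlen:               # host_name entry
                return name.decode("idna")
            j += 3 + nlen
    return None


if __name__ == "__main__":
    for label, hello in (("plain SNI", build_client_hello("www.example.com")),
                         ("no SNI", build_client_hello(None))):
        print(f"{label:10} observer sees: {extract_sni(hello)!r}")
```

Run against a real capture, the parser would be pointed at the first client-to-server TLS record of each connection; the destination IP is visible regardless, which is the point of the reply above. Hiding the name in DNS alone changes nothing here, and hiding it in SNI still leaves the IP, which for a site behind a large CDN maps to many hosts and for a self-hosted site maps to one.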
Cloudflare scaled up massively so quickly when they started offering CDNs a decade ago.
I judged the company in a negative light when their CEO or CFO wrote an open letter rationalizing their ban silencing some obnoxious website over political belief virtue signaling.
A company that crushes free speech cannot be trusted.
I don’t even remember what the obnoxious or offensive website was but I know that offensive speech is protected speech.
Autocratic technocracy centralized into a few digital monopolies wrap our wrists into digital slave chains labeled “free”.
The first amendment applies to government censorship only.
Cloudflare is not the government. A business can choose not to service someone based on almost any criteria, that's not "crushing free speech". You can then choose not to patronize the business based on that policy. This is an important part of a free market.
The problem I have with Pi-Hole is that it is sometimes a pain for the end user. It's impossible to fine tune it on the user side, like one can do with ublock origin.
Are there any security concerns with the Pi itself? Say your computer is infected with really bad malware. It takes over your host, ignores your right to block out noise, and then the idea is that Pi-hole will be able to block it out as a last resort?
Some devices use hard coded DNS (looking at you G). You can force devices to use the pi-hole via masquerading. In your example, you'd be able to see the malware requests show up in the pi-hole interface.
If you aren't using it, you should!
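The comment above about hard-coded DNS and masquerading is the one piece of Pi-hole setup that involves the router rather than the Pi, so here is an added example (not from that commenter and not Pi-hole code) of both halves: a small Python script that, given connection records, picks out the LAN clients sending DNS anywhere other than the Pi-hole, and generates the nftables DNAT plus masquerade rules that redirect them. Assumptions, all mine: the Pi-hole is at 192.168.1.2 on 192.168.1.0/24, the rules are loaded on a Linux router with nftables in front of that LAN, and the flow records are constructed. The same check is what shows up the malware case in the question: a process that talks to its own resolver instead of the system one appears here, not in the Pi-hole query log.

```python
"""Find LAN clients that bypass the Pi-hole and generate nftables rules to catch them.

Added example with constructed data. Plain DNS on port 53 can be DNAT'ed to the
Pi-hole. DNS-over-TLS on 853 cannot be redirected (the certificate would not
match), so it is only reported; the usual answer is to drop it at the router.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PIHOLE_IP = "192.168.1.2"            # assumed Pi-hole address
LAN = ip_network("192.168.1.0/24")   # assumed LAN

# Constructed connection records (src, dst, proto, dport), e.g. from conntrack or a flow export.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.2", "udp", 53),      # laptop using the Pi-hole as intended
    ("192.168.1.33", "8.8.8.8", "udp", 53),          # streaming stick with hard-coded public DNS
    ("192.168.1.33", "8.8.4.4", "tcp", 53),
    ("192.168.1.40", "1.1.1.1", "udp", 53),          # phone app with its own resolver
    ("192.168.1.40", "9.9.9.9", "tcp", 853),         # same phone doing DNS-over-TLS
    ("192.168.1.40", "142.250.72.14", "tcp", 443),   # ordinary HTTPS, not DNS
    ("192.168.1.2", "9.9.9.9", "udp", 53),           # the Pi-hole's own upstream query, expected
]


def find_dns_bypass(flows, pihole_ip, lan):
    """Map each LAN client that sends DNS anywhere but the Pi-hole to the resolvers it used."""
    report = defaultdict(lambda: {"plain": set(), "dot": set()})
    for src, dst, proto, dport in flows:
        if src == pihole_ip or dst == pihole_ip or ip_address(src) not in lan:
            continue
        if dport == 53 and proto in ("udp", "tcp"):
            report[src]["plain"].add(dst)
        elif dport == 853 and proto == "tcp":
            report[src]["dot"].add(dst)
    return {client: {k: sorted(v) for k, v in buckets.items()}
            for client, buckets in report.items()}


def nft_redirect_rules(pihole_ip, lan, table="pihole_catch"):
    """nftables nat table: DNAT every client's plain DNS to the Pi-hole, and masquerade so
    the Pi-hole's reply goes back through the router instead of straight to the client
    (which would otherwise see an answer from an address it never queried and drop it).
    The Pi-hole's own source address is excluded so its upstream queries are not looped."""
    lines = [f"table ip {table} {{",
             "  chain prerouting {",
             "    type nat hook prerouting priority dstnat; policy accept;"]
    for proto in ("udp", "tcp"):
        lines.append(f"    ip saddr {lan} ip saddr != {pihole_ip} ip daddr != {pihole_ip} "
                     f"{proto} dport 53 dnat to {pihole_ip}")
    lines += ["  }",
              "  chain postrouting {",
              "    type nat hook postrouting priority srcnat; policy accept;"]
    for proto in ("udp", "tcp"):
        lines.append(f"    ip saddr {lan} ip daddr {pihole_ip} {proto} dport 53 masquerade")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for client, seen in sorted(find_dns_bypass(SAMPLE_FLOWS, PIHOLE_IP, LAN).items()):
        print(f"{client}: plain DNS to {seen['plain'] or '-'}, DNS-over-TLS to {seen['dot'] or '-'}")
    print(nft_redirect_rules(PIHOLE_IP, LAN))
```

The generated ruleset is meant to be saved and loaded with `nft -f`; if the Pi-hole runs on the router itself the masquerade chain is unnecessary, since replies already originate there. Note what the report does not cover: DNS-over-HTTPS on port 443 is indistinguishable from web traffic at this layer, which is why the thread's "it blocks at DNS, so it catches everything" assumption does not hold for devices or malware that bring their own encrypted resolver.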