Pi-hole 5.0 (pi-hole.net)
587 points by Iolaum on May 10, 2020 | hide | past | favorite | 248 comments



PSA: An RPi running Pi-hole is not a fire-and-forget item. The networked software on it, including pi-hole, sometimes has security holes discovered and exploited, and has to be kept up to date. See eg https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi... & https://www.reddit.com/r/pihole/comments/73tvdq/cve201714491... & https://www.cvedetails.com/vulnerability-list.php?vendor_id=... (afaik Pi-hole is built on dnsmasq)


Setting up automatic updates is probably a good idea.


Can you recommend a good way to make sure the Pi and Pi-hole are always up to date? I imagine a simple cron with pihole -up is not sufficient?


I run this on a cron to auto update PiHole:

    #!/bin/sh
    # Appends the update output to a log, then refreshes the blocklists (gravity).

    LOG_FILE=/var/log/update_pihole.log

    echo "Starting update" >> "$LOG_FILE"
    date >> "$LOG_FILE"
    pihole -up >> "$LOG_FILE" 2>&1
    pihole -g >> "$LOG_FILE" 2>&1

    exit 0
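Answering the "is a cron with pihole -up sufficient?" question above, here is an added example of a fuller update script (not the commenter's script and not Pi-hole's own tooling). It upgrades the OS packages as well, logs each step with a timestamp, and afterwards parses `pihole -v` to detect the case seen later in the thread where `pihole -up` reports "up to date" while the installed version still lags the latest release. It assumes a Debian-style system with `apt-get` and the `pihole` CLI; the cron line, log path and the `PIHOLE_BIN` override are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unattended OS + Pi-hole update with a
# post-update version check. Assumes Debian/Raspbian with apt-get and the
# `pihole` CLI. Suggested root crontab entry (assumption):
#   0 4 * * * /usr/local/sbin/update_pihole.sh run
set -u

LOG_FILE="${LOG_FILE:-/var/log/update_pihole.log}"
PIHOLE_BIN="${PIHOLE_BIN:-pihole}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Reads `pihole -v` output on stdin (lines like
# "Pi-hole version is v4.4 (Latest: v5.0)"), prints each component whose
# installed version differs from the latest release, and returns 1 if any
# such drift exists, 0 otherwise.
version_drift() {
    awk '
        /version is/ {
            cur = $4; sub(/^v/, "", cur)
            latest = ""
            for (i = 1; i <= NF; i++)
                if ($i == "(Latest:") { latest = $(i + 1); sub(/\)$/, "", latest); sub(/^v/, "", latest) }
            if (latest != "" && cur != latest) { print $1 " " cur " -> " latest; drift = 1 }
        }
        END { exit drift ? 1 : 0 }
    '
}

main() {
    log "Starting update"
    if apt-get -qq update >>"$LOG_FILE" 2>&1 &&
       DEBIAN_FRONTEND=noninteractive apt-get -qq -y upgrade >>"$LOG_FILE" 2>&1; then
        log "apt upgrade finished"
    else
        log "WARNING: apt upgrade failed, see output above"
    fi
    "$PIHOLE_BIN" -up >>"$LOG_FILE" 2>&1 || log "WARNING: pihole -up failed"
    "$PIHOLE_BIN" -g  >>"$LOG_FILE" 2>&1 || log "WARNING: gravity (blocklist) update failed"
    # Drift after a successful -up usually means the install is on a beta or
    # other branch, which `pihole checkout master` fixes.
    if drift=$("$PIHOLE_BIN" -v | version_drift); then
        log "All components are at the latest release"
    else
        log "WARNING: version drift after update: $drift"
    fi
    log "Finished"
}

# Only act when invoked with "run"; sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

The script deliberately keeps going when one step fails, so a broken apt mirror does not stop the gravity refresh; the log line prefixed `WARNING:` is what a healthcheck or log watcher should key on.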


The default way would be to install the package unattended-upgrades, which will install security updates on your system every day.

Depending on how pihole is installed, this may not upgrade it. I personally have it installed with docker and use watchtower for updates, but the risk with this mechanism is that it can break things.


I've been using: https://www.reddit.com/r/pihole/comments/bgzvem/how_to_healt... for upgrading + healthchecks

However note that the developers of PiHole do not recommend automated upgrades, or at least be aware of the implications


I've set a cron job on the raspberry pi at my parents' house. It's a debian based system with only PiHole running so I just pihole -up and apt update && upgrade every month or so.


I don’t see the issue with this? Anyone who’s able to install Pihole in the first place will be more than capable of keeping the system up to date. I’d generally trust the underlying software and the maintainers to address security issues in a timely manner, security vulnerabilities on home routers on the other hand...


Installing PiHole is copy pasting a shell script. Raspi is introducing a lot of new users to the linux community.


Pi-hole is very easy to set up, and it works so well you can basically forget about it from that point on. Blocking ads is nice, but it’s also a huge boon for privacy. I run uBlock origin on all my browsers, but Pi-hole still blocks 30-50% of requests on my network. It’s also really nice to be able to glance at the logs and get an idea of what’s going on on your network, or if there’s any unusual activity.

I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.


I set up a pihole and literally forgot about it. Like I was cleaning out a closet on moving day and found it plugged in. Took a moment to even realise what it was doing there.


Finding a years-abandoned Linux server on your home network might be a good lesson to always treat your home network as if it was compromised.


Honestly curious: how would you exploit it? If the pi isn't exposed to the www by your router, what can you do?


Typically a pi-hole is used as a DNS resolver. In order to work it must connect to the internet.

Scenario for attack: Laptop looks up a website, DNS request is made to pi-hole, pi-hole sends request to internet. Response packet received back is actually from an attacker, that uses a known vulnerability in the handling of the packet to take over the machine.

Attacker can now see what DNS requests are being made, and by returning custom responses, it can MITM any HTTP request you make from your laptop. Let's hope everything is encrypted via TLS, and hope that some piece of software that just asked for admin permission didn't just install a new TLS trust root.


That is definitely a bad situation. Thanks for the reply. Unnerving to think there'd be even a possibility of getting root just from processing a DNS response!


The PiHole interacts with DNS servers. Theoretically - imagine a crafted TXT Record which is somehow improperly handled by dnsmasq.

Essentially - it's reading user-defined data - which is probably enough to be really bad, in case of a malicious exploit in the wild.


There are lots of ways. A basic vector is CSRF (like eg https://tools.cisco.com/security/center/content/CiscoSecurit...), or the server side variant (SSRF). Then there's the DNS vector already mentioned. There are others too. Generally it's a bad idea to rely on home network boundary protections.


I’m reminded almost every day that I have a pi-hole since it is not my dns provider when on my company’s vpn. It’s absolutely night and day on so much of the web. Some sites have so many ads now it’s just shocking to be frank.


Why not use a client based content filter such as uBlock Origin?


Also maybe they use their phone and many combinations of PhoneType + BrowserType don't support the same quality of adblocking as PiHole.


Mobile Firefox Supports ublock Origin nowadays.

I'd encourage anyone to try that out


On iOS too?


No, but there are plenty of other content filtering solutions on iOS, including Mozilla’s own Firefox Focus that can be installed as a system-level content filter.


NextDNS is pretty good especially on iOS where you can’t install adblockers (unlike on rooted android)



> Where can I block ads? Only in Safari (or an app using the Safari View Controller).

Pihole is a system wide Adblocker and so is NextDNS on iOS. So are the ones you can install on Android rooted.


latest ios 13, AdGuard Pro installs VPN profile and filters on DNS level pretty well.

Relevant adventure with iOS update rejection: https://adguard.com/en/blog/adguard-pro-is-back.html


I could (and heck, probably should). But I don't browse websites all that often on the vpn. Just on the occasion that I do, I'm blown away at all the ads :) So just lazy.


Not them, but you can’t do that at every company.


Obviously will depend on your company, but some corporate VPN clients will still let you use a local or alternate DNS. Then just add the machines you need to connect to on your work network to your hosts file.


Won't fix your issue but I run a Wireguard VPN on my PiHole that allows me to get onto my local network. The other upside is that once connected you get the PiHole blocking from anywhere....


If you run Windows, it blocks a lot of stuff that isn't browser related. That's why ublock does not get it down to 0 percent.


Right, I didn’t mean to make it sound like uBO was letting stuff through the cracks (it’s actually far more thorough than dns filtering). But the amount of tracking requests that come from outside of the browser and from other devices is no joke.


>I’m especially excited to see CNAME inspection. I was tired of trying to figure out what domains like “xuenl4v1szy8g.cloudfront.net” were doing.

Is there a good explainer for CNAME inspection? I'm not finding anything good with my Google Fu.


Some ad agencies started asking hosters to add a CNAME record to one of their domains.

Let's say I have my own blog running on dastx.me, and I wanted some ads from adgiant.com.

As an adblocker you've added `*.adgiant.com` to your blacklist, and I'm an asshole and try to circumvent such adblocking measures. Them young millennials and their tech. Stealing me out of my money!

So I go to adgiant.com and ask them if there is something I can do. adgiant.com asks me to add a new DNS record of `CNAME definitely-not-an-ad-subdomain.dastx.me -> terribleads.adgiant.com`. This way, whenever I wanna call terribleads.adgiant.com, I instead use `definitely-not-an-ad-subdomain.dastx.me`.

When it comes to adblocking this is an issue because adblocking lists are usually based on a blacklist. They'll have `*.adgiant.com` on the list but not `definitely-not-an-ad-subdomain.dastx.me`, thus my ads will start working. We could of course add every subdomain we come across to the blacklist, but suddenly our adblock list doubles, triples, quadruples or more.

What adblocking software does now is a DNS lookup for every domain, and it considers all domains in the result as the same. So if either of the previous domains is in the block list, both domains are considered blocked.

This CNAME method is also a huge security issue, but I'm not gonna go into that.


> This CNAME method is also a huge security issue, but I'm not gonna go into that.

I will. The CNAME method could potentially allow a malicious actor to harvest user cookies, gain access to their accounts, and utterly destroy them.


This. At my previous job we had to serve content from Salesforce and Marketo from subdomains of our main domain. Rather than use CNAMEs direct to those companies, we proxied the requests so we could strip cookies etc.


That's how Microsoft Teams accidentally gave away their customers' credentials to hackers, right?


Yep, that combined with an orphaned DNS record


How does this work exactly? asking for a friend.. (like the requests from browser to definitely-not-an-ad-subdomain.dastx.me also include cookies set by *.dastx.me content?)


Yep. Cookies frequently pass from parent domain (edoceo.com) to child (ads.edoceo.com)
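To make the cookie leak concrete, here is an added example (not from any commenter) that models the RFC 6265 domain-matching rule a browser applies when deciding which cookies to attach to a request. A cookie set with a `Domain=dastx.me` attribute is sent to every host under dastx.me, including a subdomain that is merely a CNAME to the ad network, because cookie scoping looks only at the name the browser requested, never at the CNAME target. A host-only cookie (no `Domain` attribute) stays on the host that set it. The cookie names and hosts are constructed; set-time validation of the `Domain` attribute is not modelled.

```python
"""Added example (not from the thread): which cookies reach a CNAME-cloaked host.

Implements the domain-match rule of RFC 6265 section 5.1.3 and the host-only
rule of section 5.3. Cookies below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    host: str                     # host that set the cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265: equal, or request host ends with '.' + cookie domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")   # tolerate the legacy leading dot
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(request_host: str, cookies: List[Cookie]) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in cookies:
        if c.domain is None:
            ok = request_host.lower().rstrip(".") == c.host.lower().rstrip(".")  # host-only
        else:
            ok = domain_matches(request_host, c.domain)
        if ok:
            sent.append(c.name)
    return sorted(sent)


# Constructed cookies for the blog from the thread.
COOKIES = [
    Cookie("session", "www.dastx.me"),                         # host-only: safe
    Cookie("login_token", "www.dastx.me", domain="dastx.me"),  # shared across subdomains
    Cookie("prefs", "dastx.me", domain=".dastx.me"),           # legacy leading-dot form
]

if __name__ == "__main__":
    for host in ("www.dastx.me", "definitely-not-an-ad-subdomain.dastx.me", "terribleads.adgiant.com"):
        print(f"{host}: {cookies_sent_to(host, COOKIES)}")
```

The defender-side takeaway matches the proxying approach mentioned above: keep authentication cookies host-only (or on a dedicated subdomain), and never hand a subdomain of the main site to a third party by CNAME, since that third party then also needs a certificate for that name to speak TLS for it.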


>What adblocking software do now, is they do a dns lookup for every domain, and consider all domains in the result as the same. So if either of previous domains are in the block list, both domains are considered blocked.

So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?


> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?

Yeah, uBlock Origin recently added a new permission request just to allow that.


From my understanding, it only works in Firefox and not Chrome though as an FYI.


Correct. Chrome doesn't have such mechanism and if I'm not mistaken, they've already shot down the idea of adding this API.


> So this means that the ad blocker will query "definitely-not-an-ad-subdomain.dastx.me" and realize that it actually points to "terribleads.adgiant.com", right?

Right


Thanks! I hadn't heard of this method. One question though: What will prevent the ad providers from asking their customers to add an A/AAAA record to one of their IPs? That'll be much harder to combat for an adblocker especially because those IPs will usually be shared with actual content services.

Of course this'll add overhead to the visited website manager because the IPs will probably change regularly as they're pointing to cloud services. But I'm sure they'll manage to automate this.

I bet this will be the next step in this cat & mouse game.


I think it would be only marginally harder to combat, since now you just need a list of IPs to block. Someone would have to maintain the (likely ever changing) list of IPs used, but that's not so different from what's happening now.


> Someone would have to maintain the (likely ever changing) list of IPs used

What if the ad-network is domain-fronting via a CDN? Either way, you can't block IPs, since http-domain <-> IP isn't supposed to be a one-to-one mapping; each belongs to a different layer of the TCP/IP stack.


> This CNAME method is also a huge security issue, but I'm not gonna go into that.

A security issue for the website with the CNAME, or a security risk for Pi-hole implementing this feature?



cdn.goodsite.com -> tracker.badsite.com

cdn used to mean - serve the same static content all over the world and speed things up.

cdn now means - serve up different content to every single person and track them.

take a look at stack overflow and it's cdn.


Just because bad guys use a CDN doesn't mean CDNs are bad


Here's an example from the feature request:

Here is an example (the domains are fake, it's for demonstration purposes only): The domain adcompany.com is in my blacklist, so it returns the IP of my Pi-hole if I do a DNS query:

    $ host adcompany.com
    adcompany.com has address 192.168.1.10

But if I do a DNS query of ad.newspaper.com it doesn’t get blocked by Pi-Hole even though it’s simply an alias (CNAME) for adcompany.com:

    $ host ad.newspaper.com
    ad.newspaper.com is an alias for adcompany.com.
    adcompany.com has address 6.6.6.6

What I would like Pi-hole to do is check whether the domain is a CNAME (in the example ad.newspaper.com), then compare the domain it is aliased to (in the example adcompany.com) with my blacklist. If it is in my blacklist, block the domain (by returning the IP of my Pi-hole).

Source: https://discourse.pi-hole.net/t/apply-pi-hole-blocking-to-cn...


One trick a website operator can use to evade hostname-based adblockers is to put the ad-serving domain as a CNAME entry on one of their subdomains. Since the ad is now served from a subdomain of their website, it won't get blocked unless the DNS adblocker does deep inspection of nested CNAME entries.
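The CNAME-cloaking explanation earlier in the thread, the quoted feature request, and the comment above all describe the same check, so here is one added example covering all three (it is not Pi-hole's code): a resolver that follows every CNAME in the answer and blocks the original query if any name along the chain matches the blocklist, with a naive mode that only checks the queried name for comparison. The zone is a constructed in-memory table using the thread's hostnames, so it runs offline; the block answer 192.168.1.10 is the Pi-hole address from the feature request.

```python
"""Added example (not Pi-hole's code): CNAME-aware blocklist check.

Follows CNAMEs the way the feature request asks for and checks every name
in the chain against the blocklist. Records are a constructed in-memory
zone; names are the ones used in the thread.
"""
from typing import Dict, List, Optional, Tuple

ZONE: Dict[str, Tuple[str, str]] = {
    "ad.newspaper.com": ("CNAME", "adcompany.com"),
    "adcompany.com": ("A", "6.6.6.6"),
    "definitely-not-an-ad-subdomain.dastx.me": ("CNAME", "terribleads.adgiant.com"),
    "terribleads.adgiant.com": ("CNAME", "edge.adgiant.com"),   # nested alias
    "edge.adgiant.com": ("A", "203.0.113.7"),
    "www.dastx.me": ("A", "198.51.100.1"),
    "loop.example": ("CNAME", "loop2.example"),                 # constructed CNAME loop
    "loop2.example": ("CNAME", "loop.example"),
}

BLOCKLIST = ["adcompany.com", "*.adgiant.com"]
BLOCK_ANSWER = "192.168.1.10"   # the Pi-hole's own address, as in the feature request
MAX_CHAIN = 8                   # refuse looping or absurdly deep chains


def matches(name: str, entry: str) -> bool:
    """Exact match, or '*.suffix' matching any name strictly below suffix."""
    name = name.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        return name.endswith(entry[1:])   # entry[1:] is ".adgiant.com"
    return name == entry


def resolve(qname: str, zone=ZONE, blocklist=BLOCKLIST, inspect_cnames: bool = True
            ) -> Tuple[Optional[str], List[str], Optional[str]]:
    """Return (answer, chain, blocked_on).

    answer: the final A record, BLOCK_ANSWER when blocked, or None for
            NXDOMAIN / a broken chain (fail closed).
    chain:  every name that was inspected, starting with qname.
    blocked_on: the blocklist entry that fired, if any.
    With inspect_cnames=False only the queried name is checked, which is
    exactly the gap CNAME cloaking exploits.
    """
    chain: List[str] = [qname]
    name = qname
    for _ in range(MAX_CHAIN):
        if inspect_cnames or name == qname:
            for entry in blocklist:
                if matches(name, entry):
                    return BLOCK_ANSWER, chain, entry
        rec = zone.get(name.lower().rstrip("."))
        if rec is None:
            return None, chain, None          # NXDOMAIN
        rtype, target = rec
        if rtype == "A":
            return target, chain, None
        name = target                         # follow the CNAME and check it too
        chain.append(name)
    return None, chain, None                  # loop or too deep


if __name__ == "__main__":
    for q in ("ad.newspaper.com", "definitely-not-an-ad-subdomain.dastx.me",
              "www.dastx.me", "loop.example"):
        print(q, "->", resolve(q), "| naive:", resolve(q, inspect_cnames=False))
```

Note that the chain is only visible to a resolver that sees the full answer; a stub that is handed just the final A record cannot do this, which is why the check belongs in the DNS server (Pi-hole, or uBlock Origin via the browser DNS API mentioned below) rather than in a hostname list.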


It was really easy to set-up, but on first day it actually broke an Android TV-app on default settings (meaning it blocked some call that stopped the app from loading through).

Ironically, after disabling it for a minute and then loading through the app, it didn't block the video ads (not rendered into the video).

YMMV of course, but it wasn't usable for me since everyone in the household needs to understand/solve any issues.


Which to me is a good thing - smart TV's are garbage. Dumb TV + AppleTV will do just fine.


My TV is not on the internet. I have an Nvidia Shield, Android TV is the name of the OS.


I guess, but Dumb TV + Roku can be quite terrible from a privacy perspective.


Logging messages sent by Roku comprise the 2nd largest blocked domain on my pihole. But - they are blocked.

In any case, I don't see that a smart TV is going to be any better in this respect.


I just realised that if your router runs OpenWrt, you can install PiHole (an equivalent of, rather) directly onto your router by installing the following packages [1]

    dnsmasq
    adblock
    luci-app-adblock
You may also need

    libustream-mbedtls
Just tried it, works great. With a few small lists, the amount of blocked DNS requests is floating at around 30%.

[1]: https://openwrt.org/docs/guide-user/services/ad-blocking


https://command.honestsec.com sounds promising... looks like the system includes a secure router with secured double layer dns filtering (local at source and upstream resolver).


I remember seeing those packages, and wondered how effective they were.


Alternatively for MAX_lazyness and convenience I've been using https://nextdns.io, does all the same stuff and is the alternative to cloudflare in Firefox for DNS-over-Https (DOH)


Too bad in my country all ISPs are required by the government to intercept (or block) all dns requests except to their own dns server, to block any domain listed in the national domain blocklist database. DNS on a port other than 53 is still working though, so I have set up my pihole to use an upstream dns server that accepts connections on a higher port and a cloudflare DoH server as a fallback (not sure why but DoH is really slow here).


They could've at least intercepted the requests and applied their blacklist while leaving unblacklisted requests pass through as-is (so you can still use a custom server for the non-banned domains). Not saying I'm in favour of these shenanigans at all but at least if you are forced to do it then better do it with the minimum level of interference possible.


Then you can have your client lookup blacklistedsite.com.yourdomain.com and have yourdomain.com return the record of blacklistedsite.com to bypass filtering.


Just like you could register your own domain and return the record of a blacklisted website?


Of course, but presumably the censoring dns server would never return a censored ip, regardless of domain. Whereas if you were to passthrough all non-blacklisted queries you wouldn't be able to block that, which is why no censor would ever implement it that way.


Which is why you'd end up implementing tunneling for your DNS requests like cloudflared provides.


Out of curiosity, which country is that (if you're comfortable sharing)? That's a surprising policy I'd not heard of before.


Indonesia. The blocklist mostly contains porn sites, but the government often uses it to force foreign companies to comply with their requests (e.g. putting WhatsApp on the block list until they comply with the new censorship rule, etc.), and it is also used to censor any websites that offend the government (mostly communist and anti-Islamist sites). Even websites that remotely contain NSFW content end up getting blocked. Reddit and Vimeo are still blocked, Tumblr was blocked (until they banned NSFW content recently), and most surprisingly, readthedocs.org was blocked for quite a while (I'm not even sure why it was blocked in the first place).

The block list database can be accessed here, you can query a domain to see if they're blocked in Indonesia: https://trustpositif.kominfo.go.id/


Presumably you can just VPN through to a VPS with pihole on it?


Is there an advantage in sending all of your DNS queries to a for-profit company vs. setting up your own Pi-hole?

Their privacy policy seems legit[0] but why trust them at all when Pi-hole is an option?

[0] https://nextdns.io/privacy


No additional hardware required, you can use it to provide some protection to your family without having to worry about remote access to the Pi-Hole to configure things, works for your devices on the go, cheaper than running pi-hole in the cloud yourself unless.

Pricing wise it’s over 2 years worth of service for the price of an original Pi, a good SD card and a case.

The only circumstance where Pi-hole is unquestionably superior is if you are on a network that redirects all DNS requests. There are still some ISPs that do that; however, if you are on such a network you probably want to either get off it ASAP or use a VPN.


FWIW, pihole is not tied to any particular hardware. For example:

https://github.com/pi-hole/docker-pi-hole


You can also just install it on Debian. I have it in a VM.

Their install script is at https://install.pi-hole.net

Docs: https://docs.pi-hole.net/main/basic-install/


I know I mentioned you can run it in the cloud/hosted, however for most home installations, unless you have a dedicated VM server that is always on, it does require additional hardware.

I run pi-hole on my qnap nas at home since it’s always on anyhow.


And in addition you can do other stuff on the pi/device.

One should always have a spare Pi around.


Yeah that docker is great! Though it lags behind a bit, it's still on 4.2.2.


v5.0 image was released minutes after the main v5.0 release. I've personally not tried :latest, but I am told that works. I prefer to use named tags


I don't think it's live on latest. I just did a fresh pull again (I did it a couple hours ago too) but I don't see the new bar graphs nor the local DNS option.

Edit: Oops I didn't wipe the container. Works now!


Interesting, thanks!

I've been thinking about running a Pi-hole at home and redirecting all my phone traffic through it via WireGuard.


I do exactly that, though I run my VPN in the cloud (a scaleway instance which is only 3 euro per month). Using algo for the vpn: https://github.com/trailofbits/algo . I can highly recommend it! Though I had some issues with play store updates being blocked but that's resolved now. Unfortunately google play services are essentially one big spyware collection so it makes sense for it to block them.

I also had to manually provision my Android phone on IKEv2 (ipsec), Algo used to provide a strongswan config but unfortunately they dropped this in favour of wireguard. But you can still set it up manually (and on Samsung devices you don't even need strongswan). Wireguard is faster, yes, but my work blocks pretty much every port they don't know, except IKEv2/ipsec because many contractors use it to connect to their work :)


Also, unless you go through the trouble of setting up unbound, your requests would need to go to an upstream server anyway, so might as well send them to one with the best privacy policy.


max laziness and convenience ;)


^^ this

though they do also have some additional security protections for typosquatting, safebrowsing, homoglyphs, threat-intelligence which is also nice. All of which could be done on a pihole though not out of the box when I last used it ~2 years ago.


I use a smart DNS to unblock streaming web sites that are geo-locked.


It’s a great service but only the first 300k queries are free, then you are no longer offered any of the benefits unless you pay $1.99 per month


Is that not a trivial amount for hands off DNS recursion services? Consider the cost to purchase a Raspberry Pi, set it up, electricity, wear and tear on flash storage, etc

If you point me at a checkout page for $2/month to not even have to think about plugging a Pi in, I’m going to pull my credit card out in a heartbeat. A single coffee costs me more. Think about your time!


Price-wise it'll probably be a no-brainer. Even though a pi can come as cheap as 2 or 3 coffees. A zero is sufficient for pi-hole.

But it's about taking control too. Personally I wouldn't like taking a service even if it were free, over hosting something myself, especially when it's made as easy as Pi-hole does.


> Think about your time!

Pi-hole is a tool to improve your privacy. Handing all your DNS requests to a 3rd party is the exact opposite. Now you have to deal with their privacy policy, track whether that company got hacked or bought etc.

Installing and maintaining pi-hole takes very little time.


Where do you think pi-hole sends your DNS queries?


Nextdns pings are bad for me in south India. Like 8x slower than Cloudflare and 10x slower than Google. So sticking with PiHole at home setup for now and Windscribe VPN outside home.


My pihole blocks about 20% of queries. I have noticed literally 0 changes in my internet or computer using experience since installing it.

It's baffling how much useless telemetry and other crap there is, slowing internet down and wasting cpu cycles.


There's one thing i noticed: When I click on a twitter link, the first request goes via twitter analytics and gets blocked. I have to click it again, the second time it doesn't go to twitter analytics and the request goes through.


And battery on mobile/laptop.


> Much more efficient memory use.

This is more impressive than it sounds. My pihole currently uses about 25MB of RAM with over half a million blocked domains and around 20 clients.


I'm curious what lists you're using that gets you to 500k blocked domains?


https://dbl.oisd.nl has about a million. Using it with minimal whitelisting for about a year, works fine


They decided to go with a whitelist approach.


That's nothing... I have 2 million.


Pi-hole on Apple Watch - just ran up a quick proof of concept. Would there be any use/interest in this?

https://www.reddit.com/r/pihole/comments/gathus/pihole_on_ap...


That’s pretty neat! Do you plan on open sourcing it? I’m hesitant to trust an application with my pi-hole api token (and with it, all of my browsing/network data).


It's not my project. I am using it from within Test Flight. It is great for non-technical people who just need to temporarily disable Pi-Hole in order to get some sort of functionality to work that wouldn't otherwise.

One idea that I want to explore is to create an Alexa Skill to temporarily disable Pi-Hole. This has probably been done already.


I don't have a link handy but someone mentioned in an HN comment a few days ago that they created a "shortcut" on iOS that simply hits the Pi-hole URL to temporarily disable blocking.

Seemed like a great way to handle that problem -- especially for the non-technical people on your network.


I don't know, but I do wish it could be run directly on my router


Docker container?


I prefer blocking ads by browser extension for PC/iOS and a device-local MITM solution (like AdGuard) for Android, because these solutions can block more precisely and make it easier to unblock things permanently or temporarily, compared to a DNS server solution like Pi-hole or NextDNS. Why choose a DNS solution? I suspect the reasons are lower resource usage (especially for smartphones) and that it works for smart devices like TVs.


Content Blockers only work in Safari. There are a host of other apps that I use that are susceptible to ads and tracking. (e.g. Apple News, Apollo (reddit app), hacker news apps, etc. )


MiTM solutions work for other apps too.


There's a chrome extension where you can disable the ad-blocking on Pihole temporarily.


Not knowing how to disable it temporarily has been the one thing stopping me from adding Pihole to our network (need to test ads for clients sometimes...) so thank you.


I like Pi-hole, but

  pi@pihole:~ $ pihole -up

    [i] Checking for updates...
    [i] Pi-hole Core:     up to date
    [i] Web Interface:    up to date
    [i] FTL:              up to date
    [] Everything is up to date!

  pi@pihole:~ $ pihole -v

    Pi-hole version is v4.4 (Latest: v5.0)
    AdminLTE version is v4.3.3 (Latest: v5.0)
    FTL version is v5.0 (Latest: v5.0)


Were you on the beta?

Try this:

    pihole checkout master


Thanks for the suggestion, it's neat that pihole maintains a git repo like this. I didn't get a chance to try it out though, I just installed from scratch.


Is there a way to quickly disable/re-enable pihole for the network?

With AdGuard DNS or uBlock Origin I still get into situations where occasionally they break a site completely and I have to temporarily disable the plugin (or switch to cell tower dns) to get the site working, so I’d want a quick way out of pi-holing traffic as well


> Is there a way to quickly disable/re-enable pihole for the network?

Bookmark the following URL

  http://pi.hole/admin/api.php?disable=120&auth=PWHASH
Replace PWHASH with the value of your WEBPASSWORD in setupVars.conf

  grep 'WEBPASSWORD=' /etc/pihole/setupVars.conf | cut -d= -f2
and '120' with the number of seconds you want to disable the Pi-hole filtering for.


Thank you, I’ve been needing to do this frequently.


What kind of sites, if you don't mind sharing?

I've been using pi-hole for 4 years now and I can remember two situations when I had to disable it - and one of those was cloudflare's fault (PS4 cloud saves don't work with 1.1.1.1 DNS)


If you download minecraft mods they are often hosted behind some forced ad-showing website (ad-fly or something). That can be a problem with pi-hole.


I needed to do this recently for eflorist.co.uk. I was unable to complete checkout without disabling pihole.


Working from home - running reports on google analytics and other marketing tools :)


Do you know if its possible to disable pihole only for the client requesting this, or a specific ip?


Not sure. Sorry.


The Web UI has a Disable button, and also quick options for permanent, 10 seconds, 30 seconds, 5 minutes, custom, etc. I think there's also an API as well. I can toggle it via Alexa and Home-Assistant.

It's a feature that's been around for 2 years or more


“Alexa, shut pihole”

Thanks for the tip, I don’t have any home assistants but this would be the first integration I’d set up


I just noticed that the home assistant addon has been deprecated: https://github.com/hassio-addons/addon-pi-hole. I hope that it comes back eventually.


They recommend the AdGuard Home one now... That's why they have replaced it.

I also don't like it as AdGuard is a commercial company, and I have zero need for the added features like parental control.

But I don't really care, I run all the dockers that have nothing to do with home assistant outside of hassio anyway.


To be fair, AdGuard Home is an open source project under GPL, so there's that.


I know. But still I would prefer something from a non-profit or volunteer-driven project over one from a for-profit company. Especially in the adblocking business, where investor concerns are very likely not going to be aligned with consumer interests. It's not about it being free, I support several free open source projects with donations. I just don't like the clashing interests.

For me that means Firefox, uBlock Origin and pihole (though I ran dnsmasq myself for a while, I like what they've made of pihole now, it's come a long way!)


You can navigate to the admin console (easily done on any machine on your network) and disable it for a certain amount of time very easily

https://i.imgur.com/K6VgV2G.png

Note this is from pihole 4.3, but I can't imagine 5 would remove this feature.


There is a chrome extension that quickly lets you disable pihole blocking with 1 click. The default is 10 minutes, but you can set a custom time in the toolbar popup.


>there is a chrome extension

Oh, good to know! This concern has stopped me from going out of my way to set up pihole.


I get a "This connection is not private warning" when trying to read this.



Me too. Ironic.

Not sure what that page holds but you can find out all about Pi-hole here:

https://github.com/pi-hole/pi-hole


Per client blocking is clearly the biggest change. I am excited about this.


What is the use case of per client blocking?


Blocking Facebook stuff on every device except my wife’s phone.


Why not just tell your DHCP server to give her the regular DNS servers? Is this situation where she wants ad blocking but still wants to use FB?


Not OP, but in my case, most of my VLANs can’t perform DNS requests to WAN. Only the pi.hole server is able to do that (and other devices in the DMZ).

Reasoning: appliances like Chromecast/Apple TV/whatever will often ignore DHCP DNS settings if it doesn’t resolve, and they’ll reach out to 8.8.8.8/8.8.4.4 directly.


Yeah, ad blocking in general is what makes the web tolerable.


I have several users and multiple devices in our household. FB is not allowed anywhere near my PC, but my wife currently has to switch between piholed and not-piholed wifi. It just allows for much better control. Heaven knows not everyone is like me.


Families and shared accommodations.


Is the cert on pi-hole.net broken for anyone else? It's returning a cert for CN = *.sucuri.net


Snapshot: https://web.archive.org/web/20200510233013/https://pi-hole.n...

Side note: it was working for me about an hour ago, but not anymore


I get SSL_ERROR_BAD_CERT_DOMAIN -

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for pi-hole.net. The certificate is only valid for the following names: *.sucuri.net, sucuri.net


Yup


Yeah


HN hug of death maybe.


Pi-Hole has made my home browsing experience so much better since setting it up. Minimal resource overhead, maximum results - and if you care about stats those are available too but I just turned all logging off.

Now if it could just filter out YouTube ads...


I had something working a while ago for YT ad blocking on Chromecast; the underlying problem there is that the Chromecast is hard-coded to use Google's DNS servers (8.8.8.8, etc.) instead of your network's. So you need to set up your network to intercept DNS requests to 8.8.8.8 and 8.8.4.4 and instead send these to your own ad-blocked DNS server. My network setup no longer lets me do this, and I don't care enough to make it work.

Just pay for YT premium if you don't want ads (to all those people complaining about wanting an option to pay and not be tracked/advertised to/etc. - this is a great opportunity to put your money where your mouth is)


Just don’t allow outbound DNS except from your pihole, and the Chromecast will use whatever DNS server you give it.

Also, make sure to block UDP and TCP on port 53, as well as UDP on port 443 (Chrome snitching).
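As an added illustration of the two comments above (this is an example ruleset, not anything from Pi-hole or the commenters), here is an nftables configuration for a Linux router that redirects every LAN client's port-53 traffic to the Pi-hole, so a device with hard-coded 8.8.8.8 still lands on the filter, and drops whatever DNS would otherwise leave the LAN. All names and addresses are assumptions: LAN interface `br-lan`, Pi-hole at 192.168.1.10, and 192.168.1.50 as the Chromecast's address for the optional UDP 443 rule.

```nftables
# Added example (not from the thread). Load with: nft -f dns_guard.nft
# Assumptions (constructed): LAN interface br-lan, Pi-hole at 192.168.1.10,
# Chromecast at 192.168.1.50.
table ip dns_guard {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Redirect hard-coded resolvers (8.8.8.8 etc.) to the Pi-hole. The Pi-hole
        # itself is excluded so its own upstream queries still go where configured.
        iifname "br-lan" ip saddr != 192.168.1.10 udp dport 53 dnat to 192.168.1.10
        iifname "br-lan" ip saddr != 192.168.1.10 tcp dport 53 dnat to 192.168.1.10
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Defence in depth: drop port-53 traffic from any client that is still headed
        # somewhere other than the Pi-hole (e.g. if the nat table was flushed).
        # daddr is matched after DNAT, so the redirected queries are not caught here.
        iifname "br-lan" ip saddr != 192.168.1.10 ip daddr != 192.168.1.10 udp dport 53 counter drop
        iifname "br-lan" ip saddr != 192.168.1.10 ip daddr != 192.168.1.10 tcp dport 53 counter drop
        # Optional, per the comment above: block QUIC (UDP 443) for the Chromecast only.
        # Applying this to the whole LAN would disable QUIC for every client.
        iifname "br-lan" ip saddr 192.168.1.50 udp dport 443 counter drop
    }
}
```

Two caveats a practitioner should keep in mind: the router must actually be the client's gateway for the forward and nat hooks to see the traffic, and none of this touches DNS over HTTPS on TCP 443, which, as the next comment notes, is where the goalposts move next.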


I imagine at some point, Chromecast will start using DNS-over-HTTPS and move the goalposts elsewhere.


AdGuard DNS works well for YouTube ads IME. https://adguard.com/en/adguard-dns/overview.html


I’m pretty sure that the on-device app blocks youtube ads, not the DNS filtering.

Although I think it is indeed possible to block youtube ads through DNS filtering, it’s just really difficult & only works temporarily before needing to block new domains.


I actually looked into this a bit after posting that comment, since it occurred to me that I don't actually know exactly what's blocking YouTube ads for me. (I'm still not sure, which is why I didn't edit my previous comment after doing that research.)

Empirically, I don't get YouTube ads in the iOS app. I do use Firefox Focus as a content blocker, in addition to AdGuard DNS. I don't use the AdGuard app, and it was my understanding that Firefox Focus only blocked ads in Safari, so I assumed it was AdGuard DNS. The documentation for AdGuard DNS seems to indicate that it shouldn't work for this, but it seems like either that documentation or the documentation for iOS content blockers is missing something. Unless YouTube has just decided not to serve me ads for some reason. (I'm not complaining either way.)


> Now if it could just filter out YouTube ads...

I've heard that the problem is that the native YT apps come with a big list of IP addresses for the ad servers, instead of doing lookups.


If true, it would be pretty easy to grab those ip addresses from the binary and add them to a firewall.

A firewall is a little more than what I would trust to a raspberry pie, though...


I thought it was streaming the ads right along with the main content making it impossible to block.


If you're on Android, you can use the YT site instead of the app and Firefox with uBlock Origin will block the ads.


> vanced.app


I'd rather recommend this one:

https://newpipe.schabi.org/

At least it is opensource and works great.


I used NewPipe for a while and it was very nice, enjoyed how well it works. However I started wanting to see videos on my TV (Chromecast), and that's where the abilities of NewPipe fell short.

They have an open issue [0] since a couple years ago, but so far it is not a feature yet.

[0]: https://github.com/TeamNewPipe/NewPipe/issues/668


Ditto. Exact same experience. It is great for what it is.

For me on top of that, my wife and I often join chromecast together, and she has an iPhone. Vanced is pretty much fully compatible with the official YouTube app.


it broke down for me after 10min of use. no amount of reinstall or cleaning cache helped.


Maybe coincidentally after the 10 minutes YouTube changed something? Once or twice NewPipe stopped working for me suddenly but an update helped. BTW F-Droid gets updates of NewPipe a bit later than GitHub it seems.


it has frail feet but it does work more often than not


Interestingly it's been working perfectly for me with no issues for almost 1 year. A bit surprised to learn that it is not stable for a bunch of people.


Well I think it's just a matter of lag between bugfix and updates on my side. Which means from time to time I get a guru error. Other than that it's quite stable.


They very recently moved to require a special additional app just for installing their new .apks file (which is a file containing multiple .apk inside), called SAI.

That would be fine by me, if it wasn't because SAI requires Android 5.0, while my Nvidia Tegra -like tablet (Xiaomi MiPad 1) is stuck on Android 4.4 :-(

(no, Lineage and friends is not a good replacement, they all break the camera, and yet worse, suck battery like crazy)


Server is down, right? Not for this case (which I assume is caused by the HN effect) but one downside of this kind of blockers (I also use uBlock in the browser) is that when something doesn't work well in a website, I'm never confident that it's because the site is broken and not because my blockers are breaking it :-)

I know, you can just disable the blocker and try again, but doing so from my phone is not very convenient...


I set up pihole on docker on Windows and it worked great until I rebooted and then the pihole server (both ports 53 and 80) was unreachable from outside docker even though docker claimed to be forwarding the ports.

So I switched to AdGuard DNS on my devices.


Had the container started up?


haha, just got around to setting up my pi-hole again this weekend... I was wondering why it didn't install 5.0

Just jumped onto it and kicked off a "pihole -up" and off it goes upgrading beautifully.

pihole is a massively underrated project.


Looks good! Is anyone else getting this during the update?

    [i] Target: https://hosts-file.net/ad_servers.txt
    [] Status: Connection Refused
    [] List download failed: no cached list available


Looking at the query log, I see a fairly large amount of requests 24/7 by my Xiaomi robot vacuum and my Xiaomi desk LED Desk Lamp. I've blocked both of them. Is there any way of disabling the wifi on the desk light completely? Right now I've connected the lamp to my Wifi and blocked it at the router to prevent it from starting its own WiFi network.


I’m not familiar with the desk lamp, but take a look at Valetudo for your vacuum.

https://github.com/Hypfer/Valetudo


That hosts server was shut down. They don’t maintain a blocklist anymore and removed it from the internet.


Does anybody know how to properly secure the DNS server from replay attacks with iptables?

I have a pihole running on a cheap VPS on the internet, but I connect to it with a VPN and that's draining my smartphone battery. I want to be able to change only the DNS settings and point to my pi-hole. But at that time the recommendation was to not run the DNS part on the internet because it could be used for DNS replay attacks. I found some iptables rules on the net at the time but was not sure whether they were OK. I did not want the IP address blacklisted because I was running some other services on that server.


The official documentation includes a tutorial on how to use pi-hole with OpenVPN. This section describes how to use the VPN for only DNS requests:

https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/

A Wireguard setup would probably be even less resource intensive if you know how to set it up (there’s no official tutorial for Wireguard).

Do not open your pi to the internet, I doubt the iptables rules would be sufficient to protect it.


> ...there’s no official tutorial for Wireguard

To run a split wireguard-tunnel to a DNS server, add its IP to the allowed-IPs list: https://www.reddit.com/r/WireGuard/comments/bqccdz/split_tun...

If you're on an Android phone, apps like Blokada (plain old DNS), Nebulo (DoH and DoT), Intra (DoH) can split tunnel traffic to a DNS server of your choice. Note that, Android 9+ supports DoT, out of the box. Look for the Private DNS setting.


I migrated to wireguard several months ago and the battery life improvement is tremendous compared to openvpn. Previously I couldn't enable VPN 24/7 as my phone's battery would be drained before the end of the day, but now with wireguard I can enable it all day without draining the battery too much.


Donated once to this fantastic project. I have it running on a VPS+wireguard+firewall and all devices configured to use it even when I am out and about and using the mobile. It performs well enough that all of my family is on it now as well. It's chugging along fine on a 3$ a month VPS and accessible only when logged in via wireguard.

Wireguard is working so well, that I am now thinking of starting up additional services for the family to use. Voip/Filestore, pic library etc etc... all firewalled of course.


I have no connection to NextDNS other than as a very satisfied user, but my Pi-hole got decommissioned a few weeks ago as a result of my discovery of NextDNS.

I also run their DNS53-to-DoH proxy on a small VM and that VM's IP is the first DNS server in the DNS server list included with DHCP leases (with NextDNS's public IPs as the second and third, losing host-level granularity/logging if the VM is down for whatever reason).


Can someone please explain how exactly this works? So I have an ubuntu system. Is it ok to just install it in my local system alone and use it? Or should I be doing something to connect to a modem or something? I currently use my phone as the hotspot for my computer.

If I install it say in a remote server in digital ocean, how can I use my phone/computer to use pi hole?

Still a noob when it comes to networking so any help is appreciated thanks :)


Not an expert with PiHole other than having set-up one myself not so long ago.

It is a DNS server. Basically whatever you put into DNS Server list on your device (some host on local network, some host with public IP) - your device will send DNS queries to THAT host.

More often than not, you will configure your router to hand out your local devices these DNS servers via DHCP.

So that answers the question: you can host it on local network or use remote server (given you have public IP and can open port 53/UDP). If you don't have firewall there, you will probably be configuring host local firewall to allow using DNS from hosts@home. It may get complicated if you have a dynamic address for your home router.


You can install it on any device you want. Just make sure you point to it as your DNS server.

My setup:

2x Raspberry Pi running Pi-hole

1x OpenWRT running DHCP

DHCP answers with DNS servers rpi1 and rpi2 IP addresses.

Does this make sense?


Docker image broke for some time a while back, and it's one of the projects that doesn't fix bugs before implementing new features: https://github.com/pi-hole/docker-pi-hole/issues/559

Good luck guys!


Woohoo been waiting for this for months.

I host pihole on a home server in a docker container and spend 5 mins a month just updating it. No other administration. Definitely use it to get rid of trackers and ads.

(I should add that I also pay for about dozen publications/newspapers that I read frequently in lieu of not seeing ads)


Look at Watchtower [0] to keep your containers up to date automatically.

[0] https://containrrr.github.io/watchtower/


Just did a `pihole -up` from 4.x and it went off without a hitch. Love the UX of the entire Pihole stack!


Does it support blocking YouTube ads yet? I mean the short video ads that interrupt the videos


No they come from the same domain as the video that you are trying to watch. If you want to block YouTube ads, then use uBlockOrigin.


I thought they had multiple domains instead for most ads? As seen here (however this is 4 years ago) - https://discourse.pi-hole.net/t/how-do-i-block-ads-on-youtub...

If this is still true, this pi hole update might solve those ads at least?


Cross-posting from my comment on Reddit's /r/Linux

I'm a little disappointed that they seem to be very uninterested in how to get it working on "unsupported" configurations

My x86 gateway currently runs on Gentoo (PFsense kept having random crashing issues) and it's something I'd love to add to it

as far as I can tell all Pi-Hole needs is

- Lighttpd + PHP (web management portal)

- dnsmasq (DNS)

- DHCPD (DHCP)

- git (blocklist updates?)

There was a single github issue tracker where someone got it working fairly easily (essentially saying "please install package X/Y/Z" during setup) which was closed by the developer as "only two people have asked about Gentoo"

I know Gentoo is fairly niche as far as distributions go, but seeing popular software moving away from "here's how to compile/install it" to "here's a docker container/here's what "we" support" is very disheartening


Pihole comes with some nice features but the core tool could be written in a single shell script (I know this because that’s exactly what I used to do for years before pi-hole even existed).

At its core, all you really need is curl / wget to pull a few text files and then reload dnsmasq.

Sure you’d miss out on the reporting side (which is actually the only reason I switched to pi-hole last year) but it would run on literally any system that runs Linux and dnsmasq.

As for DHCP, I think pi-hole uses dnsmasq for that too. However I wasn't able to get pi-hole to accept my custom DHCP rules for PXE boot images (saves me hunting for USB sticks if someone hands me a trashed system and it's been invaluable over the years) so I've continued to run dhcpd separately from pi-hole. But you don't even need to do that, all you really need is your existing DHCP server to accept custom DNS resolvers and any consumer router should let you do that. Just make sure you disable DHCP in pi-hole.


Hi, for other reasons I am porting Pi-hole to Erlang/Elixir so that it can run on any platform that has Erlang (including Gentoo). Let me know if you are interested.


I understand your position, and I struggle with this a lot myself.

That said, this is one of the drawbacks of freedom and choice. There are so many different distributions, each one with their own quirks, that creates a massive support burden for developers.

Should developers focus on developing their software, or focus on supporting their software on as wide a range of platforms as possible?

Docker in particular helps solve this particular problem. I agree it's not ideal.

The best thing you can do is contribute directly if your platform of choice doesn't have explicit instructions. If that's out of scope for your own skill set, and you don't have the time or inclination to learn on your own, then I'd recommend learning docker instead. It's not terrible.


I've made this exact argument before, but it was unpopular. I maintain that if your software distribution model is writing ISO files to SD cards, it's about as retarded as piping `curl` into `bash`.

I too run a Gentoo server at home (fist bump), and I'm running `dnsmasq` for filtering and caching, and `stubby` for DNS-over-TLS, and I run this beauty of a cron job every morning:

    curl -s --compressed -o /var/lib/dnsmasq/hostnames.txt https://raw.githubusercontent.com/notracking/hosts-blocklists/master/{hostnames.txt,domains.txt} | sed -e '/::/d' -e 's/0.0.0.0//g' -e '/thepiratebay/d' > /var/lib/dnsmasq/domains.txt && rc-service dnsmasq restart


That's a pretty entitled attitude to have toward people who are writing software in their own time and giving it to you for free to use.


The result of this looks a bit mixed up. Are you sure that sedding 0.0.0.0 works? There are some spammers who include 0.0.0.0 in the domain name for example. I used positional splitting with awk to do the same. That worked very well.


The `sed` turns this

    address=/example.com/0.0.0.0

into

    address=/example.com/

...which makes dnsmasq return NXDOMAIN instead of 0.0.0.0. I think that's more correct.


What about 0.0.0.0.nastydomain.com?


Yes, I should fix `sed` to only match end-of-line.
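The end-of-line fix discussed above, as an added example that is not the commenter's own cron job: the sink address is stripped only when it is the last path component of the `address=` line, so a name like 0.0.0.0.nastydomain.com survives intact. The function name, file paths and the sample list are constructed; the curl download and the dnsmasq restart from the original one-liner are left out.

```shell
#!/bin/sh
# Added example, not from the thread. Cleans a notracking-style dnsmasq
# blocklist (lines of the form address=/<domain>/<sink IP>) so that dnsmasq
# answers NXDOMAIN for blocked names instead of 0.0.0.0.

# filter_blocklist: read address= lines on stdin, write cleaned lines to stdout.
#  - drop IPv6 sink entries (lines containing "::")
#  - strip "/0.0.0.0" only when it ends the line, never inside the domain
#  - drop an operator-chosen exclusion (thepiratebay, as in the original post)
filter_blocklist() {
    sed -e '/::/d' \
        -e 's|/0\.0\.0\.0$|/|' \
        -e '/thepiratebay/d'
}

# Constructed sample input in the upstream format, including the tricky case
# of a domain that itself starts with 0.0.0.0.
SAMPLE='address=/ads.example.com/0.0.0.0
address=/0.0.0.0.nastydomain.com/0.0.0.0
address=/tracker.example.net/::
address=/thepiratebay.example/0.0.0.0'

# filtered_sample: the cleaned form of SAMPLE, for checking the filter offline.
filtered_sample() {
    printf '%s\n' "$SAMPLE" | filter_blocklist
}

# Real use would be: filter_blocklist < domains.txt > /var/lib/dnsmasq/domains.txt
filtered_sample
```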


> I'm a little disappointed that they seem to be very uninterested on how to get it working on "unsupported" configurations

I think that's entirely reasonable. Unsupported configurations are "unsupported" for a reason: because open source developers have a limited amount of their unpaid free time to devote to their project, a project you get to use for free.

> ... was closed by the developer as "only two people have asked about Gentoo"

Again, entirely reasonable. Maintaining installation scripts for your project for every OS under the sun is a large burden, especially for OSes that the developers don't personally run themselves.

Since Linux distros are basically the poster-child of fragmentation, the usual way to get a piece of software supported on your distro is to have a distro package (for Gentoo I guess that'd be an ebuild) that does any distro-specific patching. Stuff that's generic enough can be upstreamed. Stuff that is distro-specific often has to stay in the distro patches unless someone is willing to step forward and be trusted to actively maintain it upstream in the long term. As an open source project maintainer, I definitely would not want distro-specific code in my build if there's no one with the inclination or expertise to maintain it.

> essentially saying "please install package X/Y/Z" during setup

... and this is exactly something that goes in your Gentoo ebuild, not in PiHole's generic install.

> I know Gentoo is fairly niche as far as distributions go, but seeing popular software moving away from "here's how to compile/install it" to "here's a docker container/here's what "we" support" is very disheartening

I'm a little puzzled by this remark, since that's how it's always been with open source that's intended to run on Linux. I go back and forth on what I think about Docker, but before we had that, you basically got a tarball with a configure script, and had to figure out on your own what dependencies to install on your distro to get it to build properly. Some projects with more bandwidth would include an RPM or DEB package, but oftentimes those would only run on a few specific versions of RedHat/Fedora or Debian/Ubuntu, and you'd still have to install the dependencies yourself. At least with Docker it's sorta a "build once, run anywhere" type thing.

The thing I don't think you're getting is that you are not entitled to these people's time or resources. They're putting out a project in the hopes that people will find it useful. It is not reasonable to expect them to cater to every whim of every potential user's personal setup.

I'm sorry for the long-winded reply here, but it really bothers me when people expect open source developers to have their free time directed by non-contributors.


Is there any value in Pi-hole for people already running Unbound with a bunch of adblock blacklists ? With OPNsense, it is a three-click setup.

Found one feature: per-client blocking. Anything else ?


I run Unbound alongside Pi-Hole. I’m not familiar with all the features of OPNsense, but pi-hole is convenient because it

- automatically updates the block lists each week

- supports regex filters

- has an admin web interface which makes it easy to view statistics and filtering log, edit the whitelist/blacklist, etc.


Integration of Unbound in OPNsense has the basics - the web interface lets one edit access lists, blacklists etc. but no statistics dashboard or sophisticated log processing. It supports lists with regex though.

Updating automatically requires a cron job, which has to be added by the administrator using the GUI - adding it automatically is a future feature.


I've always planned on building a free DNS using pi-hole. Any comments on this? Will you use it? (I understand privacy is an issue, how to better address this?)


Dear Pi-hole devs & maintainers: thank you very much !


I run my pihole within LXD on my home server, found it much easier than to maintain another device. Also much more responsive.


Literally 1/3 of my traffic is blocked by Pi-Hole as it's tracking/ad crap. That's impressive stuff!


Which docker image do I use on raspberry pi 1 B? None of them seems to work, all crash on step `[20] pihole exited 267.`


I had setup Pi-hole and it was blocking something like 66% of my internet traffic which amounted to ads and spyware.

A couple of days later, it just mysteriously stopped working and I couldn't for the life of me figure out why. My theory is that AT&T detected my blocking and blocked my internet as a result. Is that too much of a tin foil hat theory? How can I know for sure?

I don't know too much about computer networking, only the basics.


Per client blocking looking fab.

...I've got some sketchy IOTs that I've been meaning to lock down a little more.


I have never used this but how does it block ads on https pages? Or am I misunderstanding pi-hole?


Browsing sites served over HTTPS still requires querying a DNS server to figure out what IP address to connect to. Pi-hole acts as a DNS server and returns invalid results when asked for the IP of a blocked site. Ads are served from a separate domain from content, so they can be blocked without affecting the content.


Oh great point. Thanks for the explanation.


So, what's the easiest way to install this on a Comcast household network?


I have Comcast. I did it with this guide: https://willdrevo.com/blocking-ads-with-pihole-mac-os-x-ipho...


Thanks. I'll take a look at it.


Good place to ask: in addition to setting up pi-hole or https://nextdns.io/, what browser or device based blockers should be used?

Anyone have the run down on Adblock plus Privacy badger UBlock origin Etc??


Does anyone know if pi-hole lets you see per-client bandwidth usage?


It can't. The pihole only sees your DNS requests, not any other traffic, so it can't tell if you pulled 100 KB or 100 GB from that domain you just looked up.

It does show you DNS requests counts and such per device, but that's a poor proxy for bandwidth.


It's a DNS server so it has no way of knowing the bandwidth usage of the clients, the traffic is not flowing through the pi-hole, it just responds to the DNS queries sent to it by the clients.


But don't new browsers and Android use their own DNS servers?!


Yes, but you can change them.


Neat app, not using it though due to lack of quality control in the blocklists. Are there any changes yet to the quality control of the blocklists used, or is the author still copying lists from the internet without scrutiny?


Ok, I give, what is a "gravity database"?


Pi-Hole maintains a gravity list (list of domains to block), which is constructed from all the block lists to which you subscribe (public lists), along with your whitelist. [0]

[0] https://discourse.pi-hole.net/t/does-pi-hole-keep-the-lists-...


I host pihole on Digital Ocean. Updated DNS on all my home clients. Smooth and adfree


I do it on a PoE powered raspberry pi. Minimal effort, zero maintenance, no fees other than the initial purchase.


I do this too. After throwing around a bunch of other ideas, I realized that a Pi is cheap enough and the one-shot cost is nice. If it dies, I just update the MAC address for its DHCP reservation to the new pi, spend 10 minutes setting up a new instance, and that's that. It just ends up working.


The dream is to network boot the thing, so you literally plug a new pi in to network+power and it automatically boots and starts running stuff:) (Well, a Pi also needs a 1-time step to enable network boot, but still)


Can't you just move the microSD card over so all the configuration is in place and you just need to power it?


That should work as long as SD card is okay. Unfortunately, it's my understanding that SD cards remain the most likely thing to fail in the entire system, hence my interest in not using them.


Do you use a PoE switch for this?


I use a ubiquiti switch. I've decided to build my network with PoE in mind and one central location to power it all, backed up by a UPS.


Either a switch or an injector.


Is there a way to protect it, or is there no security concern with this? I run a pi zero, but I've been using nextdns recently to compare.


Protect it how exactly? You can create firewall rules on DigitalOcean and limit the IP addresses from which the DNS server is accessible.


That works only if you have a static IP at home (which you usually don't have) or on your smartphone (which you don't have)

> https://www.calyptix.com/top-threats/3-common-dns-attacks-an...


I have a ‘dynamic’ IP address at home that hasn’t changed for a few years. I have a slew of firewall rules based on it that are reliable in practice.


If you're that concerned about it, Wireguard is easy enough to set up on all those endpoints.


When I uninstalled it, it broke my linux DNS; it keeps getting changed to localhost automatically. And I'm not expert enough on linux to fix it.


"Javascript is required. Please enable javascript before you are allowed to see this page."

Required to read the text of the announcement. No. Required to make donations via Stripe. Yes.

RSS does not require Javascript. Looks like the full text announcement.

https://pi-hole.net/feed/

Alternatively:

    echo 159.203.180.3 pi-hole.net >> /etc/hosts


Looks like they fixed the issue.

The above is no longer needed to avoid the Sucuri interstitial page.
