Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
But you can do it for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
Currently I'm at 28% blocked. Typically I'm above 50% like OP.
They have a significantly higher number of domains blocked. Time to update my lists: https://firebog.net/
IoT devices which constantly phone home will skew things.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
It's best to run both.
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it, but if the DoH is being served by the same FQDN as the traffic you want in the first place, aren't you out of options?
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OSes on your network.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC, using the somewhat finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box, (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
I'm not sure how a blocker would work if it couldn't see the content of the page...
Best to run both if you're in a position to do so
Makes it nice and easy for the non-technical members of the fam.
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked.
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
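The point above about "percent blocked" being a count of queries, skewed by one chatty device, can be made concrete. This is an added example, not code from the thread or from Pi-hole: it parses constructed dnsmasq-style log lines (placeholder domains and LAN addresses) and recomputes the share of blocked queries overall, per client, and with the busiest client excluded.

```python
# Added example (not from the thread): recompute Pi-hole's "percent blocked"
# overall and per client from dnsmasq-style log lines, showing how one chatty
# device (like the smart light above) dominates the aggregate figure.
import re
from collections import defaultdict

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
RESULT_RE = re.compile(r"(gravity blocked|forwarded) (\S+) ")

# Constructed sample (domains are placeholders): one smart light hammering a
# telemetry host, plus two normal clients. Built in the dnsmasq log format.
_EVENTS = [("iot-auth.example.com", "192.168.1.50", "gravity blocked")] * 6 + [
    ("news.example.com", "192.168.1.20", "forwarded"),
    ("ads.example.net", "192.168.1.20", "gravity blocked"),
    ("cdn.example.org", "192.168.1.30", "forwarded"),
    ("api.example.org", "192.168.1.30", "forwarded"),
]
_P = "Jan 10 09:00:01 dnsmasq[123]: "
SAMPLE_LOG = "\n".join(
    f"{_P}query[A] {d} from {c}\n{_P}{k} {d} {'is 0.0.0.0' if k[0] == 'g' else 'to 9.9.9.9'}"
    for d, c, k in _EVENTS)

def parse_log(text):
    """Pair each query line with its outcome; return (client, domain, blocked)."""
    pending, records = {}, []
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            pending[m.group(1)] = m.group(2)
        elif (m := RESULT_RE.search(line)) and m.group(2) in pending:
            client = pending.pop(m.group(2))
            records.append((client, m.group(2), m.group(1) != "forwarded"))
    return records

def blocked_share(records):
    """Percent of queries blocked: the number the Pi-hole dashboard shows."""
    return 100.0 * sum(b for _, _, b in records) / len(records) if records else 0.0

def per_client(records):
    """Map client -> (query count, blocked share) to expose the skew."""
    by = defaultdict(list)
    for rec in records:
        by[rec[0]].append(rec)
    return {c: (len(r), blocked_share(r)) for c, r in by.items()}

def without_noisiest(records):
    """Blocked share once the single busiest client is excluded."""
    counts = per_client(records)
    noisiest = max(counts, key=lambda c: counts[c][0])
    return noisiest, blocked_share([r for r in records if r[0] != noisiest])
```

On the sample, the dashboard-style figure is 70% blocked, but dropping the one light brings it to 25%, which is the point made above: the percentage measures query counts, not traffic.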
These walkthroughs always make it look easy, but no matter how easy the setup is, you can't escape the fact that you're adding a layer of complexity to the network, and I just don't want to maintain it. I fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because I don't know what I'm doing.
I run it on a rPi Zero 2W ($15), with the Waveshare Ethernet / USB HUB BOX ($16). Together with a power brick ($5) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software-wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current uptime is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with uBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like some shows on Paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that, they all require routing and can still be forcibly cut off.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
1) at work 2) out of town 3) or just not home
Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.
mikestew•5h ago
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
ignoramous•4h ago
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
shaky-carrousel•1h ago
elashri•4h ago
[1] https://github.com/dibdot/DoH-IP-blocklists
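The gap ignoramous describes (a port-53 redirect cannot see DoH) and the IP-blocklist approach linked at [1] can be combined into a simple check on flow records. This is an added example, not code from the thread or from the linked project: the resolver list and the flow records are constructed with RFC 5737 documentation addresses, and the real list's exact file format is not assumed here.

```python
# Added example (not from the thread): flag LAN clients that bypass the
# Pi-hole, either by sending plain DNS to an outside resolver (what a port-53
# redirect catches) or by talking HTTPS to a known DoH resolver address, which
# a port-53 rule never sees. All addresses are constructed placeholders.
import ipaddress

PIHOLE = ipaddress.ip_address("192.168.1.2")  # assumed Pi-hole address

# Constructed stand-in for a DoH resolver address list such as the one linked
# above; supports one address or prefix per line, with '#' comments.
DOH_RESOLVER_LIST = """\
# constructed sample, documentation ranges only
203.0.113.10
203.0.113.11
198.51.100.0/24
"""

def load_doh_networks(text):
    """Parse the list into ip_network objects (single IPs become /32)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_doh_resolver(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

# Constructed flow records (src, dst, dst_port), as a router flow export or
# conntrack dump might give them.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.2", 53),     # normal: asks the Pi-hole
    ("192.168.1.20", "192.0.2.80", 443),     # normal HTTPS to a web server
    ("192.168.1.50", "192.0.2.53", 53),      # hardcoded outside resolver
    ("192.168.1.60", "203.0.113.10", 443),   # DoH to a listed resolver IP
    ("192.168.1.60", "198.51.100.77", 443),  # DoH resolver inside listed /24
]

def classify(flows, nets, pihole=PIHOLE):
    """Return (src, dst, reason) for every flow that sidesteps the Pi-hole."""
    findings = []
    for src, dst, port in flows:
        if port == 53 and ipaddress.ip_address(dst) != pihole:
            findings.append((src, dst, "plain DNS to outside resolver"))
        elif port == 443 and is_doh_resolver(dst, nets):
            findings.append((src, dst, "HTTPS to known DoH resolver"))
    return findings
```

As rsync points out further down, this cannot catch DoH answered on the same hostname and address the app talks to anyway; an address list only covers dedicated resolvers.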
rsync•1h ago
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com?
baby_souffle•1h ago
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time, so your only recourse would be to limit connectivity to all of AWS, which would effectively prevent you from accessing most things on the internet.
wang_li•4h ago
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
notarealllama•4h ago
I forgot the name of the software, but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge.