Before adblockers came along I had a script that updated my hosts file. I then moved to a DNS black hole but it’s been more than a decade since I’ve used either solution.
Do you people have that many hostile IoT / Smart thingies connected to your networks? Are you just unwilling to pay for the ad-free versions of apps? Are you using apps/services on these devices that don’t offer an ad-free option, and if so, why? I’m genuinely curious.
This is why it gets to the front page.
It's a DNS black hole with a slick interface.
You run it and it does great by itself, manages the updates, and when it does do something you don't want (or vice versa) there's this really slick interface for figuring it out and correcting it.
We underestimate how much slick interfaces are worth, especially when they take a chore that was almost entirely CLI driven and make it a non-chore for a bigger audience.
Lack of device control, unknown alternatives, unwillingness to just say no (for whatever reason… not criticizing here) seems to be the answer.
Unfortunately, as ignoramous states there are techniques that will render DNS blacklisting useless if they want to.
And something, something some rsync and ftp and you've got Dropbox. Yes, Pi-Hole is just dnsmasq with a pretty face, which is precisely why I use it. $50 for a Pi starter kit, and as soon as it hits your mailbox, you are about 20 minutes away from living the #adfreelife (and most of that 20 minutes will be redirecting your network after install. Where the hell are the docs for this router?).
Sometimes I'm content to manually tweak JSON files all evening. And sometimes I just want to plug it in and have it pretty much work out of the box. Ad filtering on my network falls into the unsexy latter bucket of "just give me something that requires a minimum of yak shaving".
Are you using apps/services on these devices that don’t offer an ad-free option
Yes, the NYT as one example. The app still has ads. I continue to pay for the NYT to support good journalism. I don't get to pick both, so I choose to continue to pay.
A device in my house went nuts and decided it needed to ping an NTP server 1K a night. Not anymore.
In the end, I kind of get the impression you're spending more mental energy on arguments against, rather than ask yourself why someone might find it useful. I could come up with quite a list of reasons with just casual thought.
Wait, Pi-hole was your solution here?
> In the end, I kind of get the impression you're spending more mental energy on arguments against, rather than ask yourself why someone might find it useful.
I’m asking because I believe there are better ways. I could be called out for baiting or pushing a “the only way to win is not to play” for IoT and creepy apps/services agenda. Yet, NYT, FB and many others can still be viewed and signed into with a mobile browser. The experience may not be as nice but it still works and sends the right message to these corps. When creepy app/device/service is the only option I recoil and reassess.
Besides, DNS blacklisting isn’t perfect and requires a fair amount of tweaking depending on how many thingies you’re using it with. Any compromise you make for one affects all others. I think we have the same goal of “having your cake and eating it too” just different methods. Either way, we’re both expending constant energy and compromising.
And $35 for an OpenWRT router that does the same thing and also offers a web interface. Why pay more for a second standalone device?
Thinking along similar lines, can't help but wonder if cert-pinning does more harm than good.
--
[0] Folks have been doing this since at least 2002 http://sam.zoy.org/writings/internet/doubleclick.html
[1] https://adguard.com/en/blog/adguard-dns-announcement.html
[2] OpenDNS founder, davidu, has been crying foul about it too https://news.ycombinator.com/item?id=18257318
Note that paying and hiding ads doesn’t mean the app stops talking to the ad server. I had one app which pinged the Google Ads server even after paying (not going to name & shame as it’s a small independent developer so I’m leaning towards it being a legitimate bug).
Oh and don’t forget analytics which paying doesn’t work against at all.
Here's a screenshot of the current blocking situation from the phone:
https://i.imgur.com/lTsZFhE.png
Almost 60%... I don't install many apps, I use Firefox with uBlock Origin. Most of the blocked requests are to Google or Facebook.
At home I have it network-wide, and typically the block percentage stays under 10%. Until my partner opens his Windows 10 laptop, then the block graph goes up. Also my television talks to advertiser trackers (LG), which I can easily block from Pi-Hole.
Why is it better than just a hosts file? One reason is I can easily whitelist/blacklist domains from the UI, or I can just disable all blocklists if I need to for any reason. I also like the statistics it gives me.
I've picked up a few things that were making a crazy amount of requests. I don't know what Alexa is up to, but over 1000 requests to device-metrics-us.amazon.com are blocked each day.
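An added example (not Pi-hole's or dnsmasq's code; the blocklist entries and the dnsmasq-style query lines are constructed) that computes the block percentage and the noisiest blocked names per client, the statistic the comment above reads off the dashboard to spot a chatty device:

```python
# Added example (not Pi-hole's code): score dnsmasq-style query logs against
# a hosts-format blocklist to get the block percentage and the chatty clients.
import re
from collections import Counter

# Constructed hosts-format blocklist; comments and blank lines are ignored.
BLOCKLIST = """
# sample list (constructed)
0.0.0.0 device-metrics-us.amazon.com
0.0.0.0 ads.example
0.0.0.0 tracker.example
"""

# Constructed query lines in dnsmasq's "query[TYPE] name from client" style.
QUERY_LOG = """
Jan  5 01:00:01 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.20
Jan  5 01:00:02 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.20
Jan  5 01:00:03 dnsmasq[512]: query[A] news.example.org from 192.168.1.10
Jan  5 01:00:04 dnsmasq[512]: query[AAAA] ads.example from 192.168.1.10
Jan  5 01:00:05 dnsmasq[512]: query[A] tracker.example from 192.168.1.30
Jan  5 01:00:06 dnsmasq[512]: query[A] www.example.org from 192.168.1.30
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def load_blocklist(text):
    """Return the set of domains a hosts-format list sinkholes (exact names)."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:          # "<sink address> <domain> [<domain> ...]"
            blocked.update(d.lower() for d in fields[1:])
    return blocked


def summarise(log_text, blocked, whitelist=frozenset()):
    """Count queries, blocked queries and blocked names per client.
    A whitelist entry overrides the blocklist for every client at once."""
    total = hits = 0
    per_client = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        total += 1
        name = m["name"].rstrip(".").lower()
        if name in blocked and name not in whitelist:
            hits += 1
            per_client.setdefault(m["client"], Counter())[name] += 1
    pct = round(100.0 * hits / total, 1) if total else 0.0
    return {"total": total, "blocked": hits, "percent": pct, "per_client": per_client}
```

Sort each client's Counter with `most_common()` to get the per-device "what is this thing talking to" view the comment describes.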
I don't use Pihole, but I do use something similar for pfSense. I rarely mindlessly-browse the internet and I don't have any IoT junk. That said, my stats for 30 days:
List             Blocked
-------------------------
pfB_IP1            35834
pfB_IP2            17606
pfB_IP3           150789
DNSBL_Malware          4
DNSBL_Ads         832479
DNSBL_Trackers     26085
Note: The top three are various IP blacklists (99% of blocked is ingress). The bottom three are DNS blacklists. It blows my mind every time I look at these stats and see how much they've increased... The data these companies would otherwise have on me. The data these companies have on everyone else. How much has actually gone through / missed / not blocked and rendered any of these efforts meaningless.
At the end of the day, I don't really care, but it's all pretty neat!
I pay for most web services I use, things have just gotten worse over time.
My primary reason for running PiHole? Two Roku devices that cannot help but call home. It doesn't take "many" to make it annoying and unwanted.
Maybe the HN crowd avoids Instagram, Snapchat, and Facebook but most people don't, and can't unless they want to socially cut themselves off from parts of their social circles.
I have tried the very same concept but embedded in a WiFi router many years ago ( https://wijvrij.nl, Dutch ).
Apparently, this was not the right product-market fit. The PiHole is.
I block ads in my home because it's just a nicer web experience for everyone. Plus when I play games on my phone I don't get a barrage of ads every time I die.
I believe low-latency anonymizing networks like Tor might be better suited for accomplishing the task of obscuring one's own network traffic. In fact, I'm typing this comment from Firefox with uBlock Origin configured to use a Tor SOCKS proxy which is always running locally - eliminating ads and making little attributable netflow in my wake.
Dunno about Cox, but I promise you I trust Digital Ocean far more than I will ever trust Comcast or AT&T. Even if they didn't have a history of being bad actors (and they do), a lot of people have exactly one choice of ISP but dozens of choices for hosting in the cloud, so the incentives are much more favorable.
Say your ISP is Comcast... If Comcast knows you are connected to some VPS via VPN, it's likely that anything coming out of that VPN is yours. And if Comcast (or some subsidiary or partner) is also the upstream provider for that VPS, they could pretty easily make some correlations.
But it is a significant revenue opportunity for ISPs serving households.
I need uBlock Origin as a remote proxy.
That's because you need to tell DHCP to use the Pi-hole's address as primary DNS.
For example, I want to blackhole all X-related stuff because I don't use service X and don't want them to track me, but my girlfriend wants to access and use service X. So either we each get an instance of PiHole and tailor it to our specific needs, or we share an instance and one of us is unhappy.
You'll see connections to Facebook, Google and ad networks.
Pihole and diversion are essential for privacy.
My Android TV when in sleep mode DRILLS Netflix and calls home.
I also tried to go one step further and set up mitm-proxy to man-in-the-middle all of my traffic to see if I could do more invasive but thorough ad filtering. Certificate pinning from the likes of Instagram, Facebook, Apple, and Google really stymied this approach. So all in all, I don't see much benefit from DNS adblocking instead of uBlock Origin.
The only 3rd party thing we use is Google Analytics and a Google font, but the site still works fine when users block them.
> So all in all, I don't see much benefit from DNS adblocking
The benefit is as a tack-on for a home network for devices and traffic that doesn't go through a web browser. E.g. for mobile apps connected to the network. But once again, as far as privacy is concerned, that won't block e.g. Facebook SDKs embedded in apps unless you block the relevant domain entirely.
Probably works similarly for Android
Firefox Focus itself works all right on Android Pie. You can even set it as default browser for opening links in place of Android Web View.
Android Pie has DNS-over-TLS for both WiFi and LTE so I am ad-blocking via my private DNS server and blacklists.
Now I am using Algo + Steven's hosts files for a similar idea. No complaints thus far.
Wireguard is super cool. Hoping for an official windows client and then all the platforms I use are covered :)