Super easy to install, full-featured, lots of lists to pick from, auto-updates lists, no need for an additional device, and you will benefit from router features produced by the OpenWrt community and maybe unavailable in your router's proprietary firmware. Much recommended.
If that sounds attractive and it sounds like a good opportunity to change your crumbling unpatched router, the question "what's today's good cheap router running openwrt without trouble?" is frequently answered by https://www.reddit.com/r/openwrt/ :) .
[1] https://community.ubnt.com/t5/EdgeRouter/DNS-Adblocking-amp-...
But I presume Pi-hole has automatic updates to lists, data visualisations, better community support than the routers with open source firmwares which are often quite bug-ridden (not to belittle the effort though).
Those visualizations on the pi-hole look great indeed!
> "Pi-hole has automatic updates to lists, [...] better community support than the routers with open source firmwares which are often quite bug-ridden (not to belittle the effort though)."
OpenWRT/adblock auto-updates lists too, and I can't speak for DD-WRT or Tomato, but I've been pleasantly surprised by the support and quality I met using OpenWRT. About support, my few questions got answered quickly on their forum and r/openwrt. On the software quality side, apart from the UI being slow (which seems reasonable, it's running on a cheap router), sometimes complicated by lots of options (but at least they're available, and an effort is usually made to hide the exotic options under an "Advanced" tab), and blandly bootstrap-y, I don't remember hitting any bug.
I use Pi-hole now, and it works great. The one feature that I use quite a lot is the ability to disable it for a short period of time -- when I'm shopping for something, Google ads are sometimes actually useful!
I'd say I use that feature about once a month. That's the sum value of advertising for me.
I like to get my host list from https://github.com/StevenBlack/hosts
Did you check the 'Shopping' tab of Google search?
If you aren't using it, you should!
But as an adblocker - I feel like I'm missing something. It acts as a DNS server for your local network and blocks what's essentially a hosts file.
So how does it handle ads served through websockets?
How does it handle ads that come from the same domain as legitimate content (which is increasingly common)?
The complexity of rulesets by addons like ublock origin or PrivacyBadger seem to far surpass what PiHole is capable of.
I think PiHole has its place on a network - obviously, but people have been promoting this thing like you can just get rid of your adblocker on your browser now.
People also downplay that this can be a pain in a home with a handful of streaming devices, each with a handful of apps. You end up whitelisting so much for those devices, you might as well whitelist the whole device just so the apps can work.
Your wife downloads a game on her phone, and you get that look like "ok, why isn't this working.. what did you do now?"
It just seems like a lot of effort for fairly imperfect results.
Sure installation is easy, but long term maintenance (the OS, the app, constantly whitelisting or troubleshooting when a new service or app breaks for someone in the house).
THISSSSSS. The only thing stopping me from using Pi-hole at home are my family members and the inevitable "this isn't working!?!?" rant and then I need to figure out how and what to whitelist. No thanks. I have ad blockers on the kids' PC and when something doesn't work, it's one click to temporarily turn it (browser extension) off.
The pi-hole asks you to choose security over convenience, and you must accept that not all apps and services will work.
That's a personal choice you can make for your own setup in your own home.
I've never seen anyone say this _replaces_ your browser's ad blocker though.
I don't think it's a situation where you can ditch your ad blocker if you are dead set on never seeing an ad. It may be good enough for most people though. Personally, I still run ad blockers on my devices. Other people in the household do not.
I seldom have to whitelist anything. I may not have whitelisted anything at all. I have blacklisted a few extra domains - things like analytics requests for IoT devices. I don't recall a time that something didn't work and I had to fiddle with the pi-hole to fix it. It's been very low maintenance and very effective in my experience.
In contrast, for my home network, it's just under 15% of queries that get blocked. I've got 3 Macs, a Windows 10 machine, an Apple TV (all connected 24/7) and a handful of iOS devices that hop on and off the network.
My blocklist contains ~114k domains I believe.
My rpi 3b (not 3b+) just couldn't handle it. It had 2 users. Our DNS resolution times increased by about 200ms. It was awful. I stripped it back out and haven't bothered trying to set it up again.
(Other details: the RPI was hardwired, wireless disabled, and it was a fresh raspbian install with zero customization outside of adding pihole.)
The router has a secondary DNS server as well in case the RPi goes down (which has happened ~2 times in the last year or so) or I need to fiddle with it.
https://community.cloudflare.com/t/1-1-1-1-does-not-resolve-...
https://news.ycombinator.com/item?id=20044430 [/tinfoilhat]
Paul Vixie got very upset when he discovered that his chromecast bypasses local DNS settings to go directly to Google: https://news.ycombinator.com/item?id=19170671
I wouldn't be surprised if soon Chrome defaults to DNS-over-HTTPS direct to base, except for the corporate intranet version. They just need to work out how to deal with wifi captive portals.
1) trusted endpoint / untrusted network (laptop in a coffee shop)
2) untrusted endpoint / trusted network (chromecast/alexa/other corporate zombie on your home network)
Which category a given scenario falls under depends on who you ask - to Google, Chromecast is in the first category. I don't know if it's possible to design a system that somehow always favors the rights of the individual.
You set your DNS preference to point to the PI-hole and it should behave like any other DNS server. I guess it could attempt to resolve some spam domain like doubleclick.net and if it was incorrect it could complain...
Firefox is working on using DoH (opt-in at the beginning, but who knows) from "select" providers. Chrome has a similar switch, surely. Same with Android 9, opt-in DoH, but maybe it'll become opt-out or no-opt in the future.
In the name of privacy and security of course, but with the totally unintended side effect of users unable to dodge ads via DNS/hosts. Interesting, no?
https://www.reddit.com/r/googlehome/comments/8917ci/google_h...
There was a bit of controversy about Firefox doing exactly that. https://yro.slashdot.org/story/18/08/05/2353249/security-res...
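The Chromecast and DoH comments above describe devices that ignore the resolver the router hands out. One way to see who is doing that, as an added example in Python that is not from Pi-hole, OpenWrt or any other project mentioned here: parse router firewall log lines (the lines below are constructed in iptables LOG format; the Pi-hole address 192.168.1.2 and the interface name br-lan are assumptions) and list every LAN host that sends plain DNS (port 53) or DNS-over-TLS (port 853) anywhere other than the local resolver. DNS-over-HTTPS rides on 443 and cannot be told apart from ordinary HTTPS in this data, so the example deliberately does not guess at it. The second function emits nftables commands, which are also part of the example rather than a documented Pi-hole setup, that force stray port-53 traffic back to the local resolver and reject DoT.

```python
"""Find LAN devices that bypass the local resolver.

Added example, not code from Pi-hole, OpenWrt or any other project on this
page. Input is iptables LOG-style text such as the rule
  iptables -A FORWARD -p udp --dport 53 -j LOG --log-prefix "FORWARD-DNS "
would produce; the lines below are constructed for the example.
"""
import re
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.2"   # assumed Pi-hole address
LAN_IF = "br-lan"                # assumed LAN bridge name

# Constructed sample: one device talking to Google DNS over UDP and TCP,
# one device using the local resolver, one using DoT, one plain HTTPS flow.
SAMPLE_LOG = """\
Jun  1 17:02:51 router kernel: FORWARD-DNS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=51432 DPT=53
Jun  1 17:02:52 router kernel: FORWARD-DNS IN=br-lan OUT=br-lan SRC=192.168.1.23 DST=192.168.1.2 PROTO=UDP SPT=40001 DPT=53
Jun  1 17:02:53 router kernel: FORWARD-DNS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.4.4 PROTO=TCP SPT=51433 DPT=53
Jun  1 17:02:54 router kernel: FORWARD-DNS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=39000 DPT=853
Jun  1 17:02:55 router kernel: FORWARD-DNS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=104.16.248.249 PROTO=TCP SPT=39001 DPT=443
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def find_bypassers(log_text, allowed=frozenset({LOCAL_RESOLVER})):
    """Map each LAN source address to the set of (dst, proto, port) flows that
    look like DNS (53) or DoT (853) and do not go to an allowed resolver.

    Port 443 is skipped on purpose: it may be DoH, but nothing in a
    connection log distinguishes it from ordinary HTTPS.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m["dpt"])
        if port not in (53, 853):
            continue
        if m["dst"] in allowed:
            continue
        hits[m["src"]].add((m["dst"], m["proto"], port))
    return dict(hits)


def redirect_rules(resolver=LOCAL_RESOLVER, lan_if=LAN_IF):
    """nftables commands (example, not a Pi-hole feature) that DNAT any plain
    DNS leaving the LAN to the local resolver and reject DoT so the device
    falls back to plain DNS. Assumes a 'nat' table with a 'prerouting' chain
    of type nat and a 'filter' table with a 'forward' chain already exist.
    If the resolver sits on the same segment as the clients, a masquerade
    rule in postrouting is also needed so replies return via the router.
    """
    return [
        f'nft add rule ip nat prerouting iifname "{lan_if}" '
        f'ip daddr != {resolver} udp dport 53 dnat to {resolver}',
        f'nft add rule ip nat prerouting iifname "{lan_if}" '
        f'ip daddr != {resolver} tcp dport 53 dnat to {resolver}',
        f'nft add rule ip filter forward iifname "{lan_if}" tcp dport 853 reject',
    ]


if __name__ == "__main__":
    for src, flows in sorted(find_bypassers(SAMPLE_LOG).items()):
        print(src, sorted(flows))
    print("\n".join(redirect_rules()))
```

Run it against a real `logread` or `journalctl -k` dump and the two hosts that show up are the ones to expect "why isn't this working" complaints from once the redirect rules are in place, since their hardcoded resolver now answers with the blocklist applied.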
I'm thinking about this, and feeling like the PiHole is a nice start, and I mean that sincerely, not sarcastically or dismissively, but what we need is a whole-house reverse firewall with that sort of capabilities, including everything the PiHole already does. If you did TLS interception, you could also pretty much implement uMatrix at the household level, for instance.
And so the arms race continues.
The fact that this requires special hardware, bash commands, etc is severely limiting the audience. The more people blocking ads the quicker the internet changes.
Edit: thanks for the replies!
There was discussion a few days ago: https://news.ycombinator.com/item?id=20012687
There's a certain level of trust when I use 1.1.1.1 or 8.8.8.8. I'm unwilling to take the risk for this solution. I'm not sure what would help in the trust department to legitimize a solution like this.
I run my own knot-resolver server that forwards everything to 1.1.1.1 over TLS and I generate an .rpz that is basically the same filter list as pihole. Most DNS traffic ends up at Cloudflare, so you may as well go straight to the source.
https://gist.github.com/jzelinskie/3d2b11830224993fc8a7441b3...
include "/etc/bind/ad-blacklist";
/etc/cron.daily/update-ad-blacklist
or equivalent for unbound, maradns.... whatever.
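Two earlier points in this thread are easiest to see in code: the question of how a DNS-level blocker handles ads served from the same domain as the content (it cannot, because it only ever sees the query name), and the previous two comments' approach of turning a hosts-style list into an RPZ zone that knot-resolver or BIND can load. The block below is an added example in Python, not Pi-hole's code, the gist's code, or any project's converter; the hosts data is constructed in the same `0.0.0.0 domain` layout that lists such as StevenBlack/hosts use, and the RPZ output uses the `CNAME .` (NXDOMAIN) policy action.

```python
"""Hosts-style blocklist -> DNS sinkhole matcher and RPZ zone generator.

Added example, not Pi-hole's, knot-resolver's or BIND's own code. The hosts
text below is constructed; real lists have the same layout.
"""
import re

SAMPLE_HOSTS = """\
# constructed sample in hosts-file format
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net          # ad network
0.0.0.0 tracker.example.org  # analytics
0.0.0.0 static.example.com
"""

# Entries every hosts file carries that are not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "0.0.0.0",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
NAME_RE = re.compile(r"[a-z0-9.-]+")


def parse_hosts(text):
    """Return the set of blocked domains from hosts-format text.

    A block entry maps an unroutable address to one or more names; anything
    after '#' is a comment. Names are lower-cased and a trailing dot dropped.
    """
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and NAME_RE.fullmatch(name):
                blocked.add(name)
    return blocked


def is_blocked(qname, blocked):
    """Decide a query the way a DNS sinkhole can: on the name alone.

    The name itself or any parent domain on the list matches (wildcard
    semantics, as the RPZ below encodes). The URL path is never visible at
    this layer, so an ad served from www.example.com/ad/... cannot be
    separated from www.example.com/article.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def to_rpz(blocked, zone="rpz.local", serial=1):
    """Render the list as an RPZ zone file body.

    'CNAME .' is the RPZ action for NXDOMAIN; the '*.' line extends it to
    every subdomain so it matches is_blocked() above.
    """
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(blocked):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for q in ("cdn.ads.example.net", "www.example.net", "www.example.com"):
        print(f"{q:25} blocked={is_blocked(q, blocked)}")
    print(to_rpz(blocked), end="")
```

Writing the `to_rpz()` output to a file and pointing `policy.rpz(...)` in knot-resolver or a `response-policy` zone in BIND at it gives the same effect as Pi-hole's gravity list, with the resolver's own forwarding (DNS-over-TLS upstream, in the setup described above) left untouched. The `www.example.com` case in the demo is the limit of the whole approach: the domain serves content, so it cannot go on the list without breaking the site.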
I am not the relevant commenter, but what things would you expect to not change in a scenario where a majority of websites lost all ad revenue. (As admittedly unrealistic as it sounds the same was once true re moon landing and here we are, debating viability of not ruining our lives with advertising.)
Or could fund it with some targeted ads. Oh, wait.
I actually want to do the opposite: transition this to dedicated hardware (like a Pi, but worried about performance) that is a little less noisy. This is shockingly quiet for a 2U but I am a stickler for silence.
Some pix: https://imgur.com/a/0xwcfNN
It became a problem when everyone and their sister started needing to know what kinds of kinks I'm into just to sell me dish detergent.
I've been predicting for a while now that sites would fall back to the old television show model "RockAuto presents MustangForums.com" or something to that effect.
Instead, we get a dancing Albert Einstein begging us to take IQ tests.
The flip-side of this is that I’ve noticed that YouTube shows me PSAs from my own municipal government (“there’s an election soon” ads, “we’re building a new piece of civil infrastructure” ads, etc.) I actually kind of like that; I don’t have cable, so it’s not like I would see them anywhere else.
The entirely-static ads model does work when the consumption of the media is entwined with the consumption of the advertised brands, though. For example, a podcast can certainly advertise its own tour, since—given that you’re listening to the podcast—you likely want to see the podcaster speak in person, even if you can’t make it there.
Or, of course, if a (global) website is just advertising another (global) website. The NYT can advertise Amazon just fine.
We post about office design and our ads are primarily for office furniture or other services related to the industry. We also self-host the ads which are non-animated jpgs and sell them without using any ad networks.
What you describe works well for us :)
A couple things:
1. It facilitates a world in which only large content providers, who can afford to individually sell ads to advertisers, exist.
There's a lot of overhead to ad sales and individual companies do not want to work with 1,000,000 providers, they want to work with 10-100.
2. It's substantially less efficient and only works for brand advertising or mass-market direct-response advertising.
One of the greatest things that Facebook and ad retargeting enabled was the rise of direct-response brands. Previously if you were selling a niche product - and most larger brands started out with a niche product - it was very difficult to reach an early audience who would be interested in purchasing your product. Facebook and Google flipped this on its head, enabling millions of businesses to more efficiently reach customers. Facebook alone made the direct-to-consumer brand explosion we've seen over the last 10 years possible.
That's not my business. If they want to make money, they'll shift to other profit models that don't involve intrusive tracking and annoying advertisements.
I regularly try browsing without adblocking on, and it's a constant nightmare. If sites held their advertising networks accountable to any reasonable set of standards, they wouldn't be in this situation.
The content I appreciate, I have found ways to support it.
[EDIT] to expand, I think the piles of spyvertising money funding sites & services is a big part of the decline of truly free sites and open protocols, and make running a paid site (or app, or whatever) harder since you're competing with "free" (but spying on you). Less incentive to use them, less incentive to contribute to them. The whole system's perverse and harmful and it would 100% not be the end of the world, or the end of nice things for free/cheap, if it just disappeared tomorrow.
In the world we live in something like a pihole isn't an ideological position, it's a necessity to not have everything we do end up rolling into someone else's ad profile on my household.
If I go to a site and am bombarded with pop ups, auto playing video ads, etc., then yeah why wouldn't I block them? With the malware and tracking that is often injected into ads I have no problem using my adblocker at all times and disabling it for pages that ask politely.
I'm happy to click on ads on sites that I frequent and would like to support. I think there's absolutely a balance here, and for many years the advertising industry has abused their stay.
I choose who deserves my attention carefully. Internet ads have not earned it.
giantbomb.com sells premium subscriptions and merch and does okay
It is not our responsibility to prop up their poor model. If these sites want to make their case that they won't survive without our eyes on their ads, then they can open their books for us to look at the costs and revenues and decide for ourselves whether or not we should help them. But at the end of the day, it is their problem, not ours.
The answer being that content providers can't be trusted to self-report metrics that determine how much advertisers pay. At least not for pay per view/client/etc models.
The people that self-select themselves out of viewing advertisements might be doing advertisers a favor. They're perhaps less likely to make purchases based on impressions or click ads on purpose; per dollar, ad campaigns might be more effective without said people.
I do that for the sites that have the banner that hides if you scroll down, but pops out the moment you scroll one pixel back, or sites that put up "please don't leave me" modals the moment your cursor strays out of the window.
There isn't a chrome extension or anything to white list a site quickly. You have to go back into the interface, login, and whitelist, go back and load the page then you'll find that you needed to whitelist a few subdomains/cdns as well. This is really fun when you've got all your devices using the Pihole for DNS and you can't load something on your phone/TV and need to run to your laptop to deal with it.
If you just got your pihole you probably threw in a bunch of community generated lists and you'll find a good amount of stuff you do visit gets blocked. You can get to Google but not Google drive, so you whitelist it. And you do this over and over again until you finally get annoyed because you just want to make a car payment so you permanently disable it for 5 minutes, or 60 minutes if you've gotten annoyed enough.
Sometimes weeks will go by and you'll forget you even had it disabled at all.
FWIW, I also don't use NoScript because I find it incredibly annoying. This is one step further from the NoScript annoyance because you have to go into the webUI and make your changes.
If you don't mind NoScript you'll probably be fine with Pihole. Or if you have the time to curate and pick lists that fit exactly within your browsing habits.
I know it doesn’t sound very sentimental, but the first time I showed my relatives what the Internet looks like without ads, I think those were the strongest hugs I ever got from family members.
I commented on a different post last night, that I was a bit shocked and saddened to see their Patreon is only pulling in $1,700/mo.
Do they have another significant revenue stream? Is it just too much hassle to bother signing up to Patreon to commit to even $1/mo? Do they have something on the Admin panel where users can click to pay directly?
I’m not judging, I don’t even have a Patreon account. I’m curious how such an apparently crucial and useful piece of software — one that no doubt is responsible for providing millions of dollars of value to its users, and perhaps blocking tens of millions of dollars in ads — how can the project be sustainable after 53 releases and 2,700 issues on Github while pulling in less than $24k/yr?
This is an astonishingly huge amount of money for an open source project to raise directly from its users. Most open source projects get basically nothing.
First, certain streaming websites would fail and it was too much trouble to try to find the URL to whitelist.
Then after I had disabled it from the Pi-hole interface everything was fine but it wasn't actually active. No problem...until I forgot my router was using it as a DNS server and I moved and didn't set my Pi up yet. Then it took me a couple weeks going back and forth with Comcast to find out that my router was still pointing to a DNS server that wasn't running.
Somehow my FireTV bypassed the bad DNS server at one point (still no idea how this happened cause my router was routing all traffic through the IP for pi-hole) and that made me realize that I can get data from Comcast somehow so maybe it really was my router.
Also beware as most ads in your phone apps come from ad intermediaries that are either dynamic or constantly change.
Pi-Hole is a cool project but please take those two into consideration when using it. We are far from the 90's in ad-tech.
> most ads in your phone apps come from ad intermediaries
I don't know about the intermediaries you are talking about, but all the ad-ridden proprietary mobile apps that I use (the ones that don't self host ads) are blocked by DNS based ad blockers.
The one thing that these DNS based ad blockers can't do however, is block in page annoyances which is why using an extension like uBlock Origin is still necessary.
Anyway good luck with that if the app is using a mediator from a big known name as it will likely block all of their services as well.
it worked pretty well
[] Root user check
[Pi-hole logo, printed in colour with terminal escape sequences]
[] OS distribution not supported

I'm using this[1] but I'm surprised there isn't something more official/baked.
Anybody familiar with this code able to point out where it does the "interesting" work?
> root@pihole:~# uptime
> 17:02:51 up 587 days, 22:34, 1 user, load average: 0.03, 0.03, 0.05
https://discourse.pi-hole.net/t/change-upstream-dns-server-i...
Explain your setup some more and I can add more details.
I run both pi-hole and my own DNS server inside my network as containers on the NAS. I then have my router configured to default to the pi-hole and then the DNS server.
Advantage of my own DNS server is it exclusively resolves using DNS-over-TLS so my queries are private.
Final fallback for resolution is 1.1.1.1 but based on logs my setup hasn’t hit the fallback.
I imagine you could also use a container to host VPN.
If you're intending to use OpenVPN, you could easily justify a basic x86 pfSense or linux router: https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...
tmpfs /var/log tmpfs nosuid,nodev 0 0
anyone have this type of setup?
Previous discussions =>