There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
# hand out a different DNS server depending on the tag set for the client
dhcp-option=tag:nospam,option:dns-server,x.x.x.x
dhcp-option=tag:spam,option:dns-server,y.y.y.y
# tag each client by its MAC address
dhcp-host=client1...,set:nospam
dhcp-host=client2...,set:spam
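As an added example (not from any commenter, and not Pi-hole's own code), here is a small Python dry-run simulator along the lines of what the first comment asks for: it replays dnsmasq-style query log lines against a hosts-format list and a stricter regex list, applies per-client groups like the one-client-per-group setup described above, and reports what would have been blocked without answering anything. The log lines, lists, client addresses and group assignments are all constructed.

```python
import re

# Constructed sample input (not from the thread): a hosts-format list, a
# stricter regex list, and a few dnsmasq-style query log lines.
HOSTS_LIST = "0.0.0.0 ads.example\n0.0.0.0 telemetry.tv-vendor.example\n"
STRICT_REGEX = [r"(^|\.)tv-vendor\.example$", r"^metrics\."]
QUERY_LOG = """\
Feb 18 20:01:02 dnsmasq[123]: query[A] ads.example from 192.168.0.30
Feb 18 20:01:03 dnsmasq[123]: query[A] metrics.tv-vendor.example from 192.168.0.20
Feb 18 20:01:04 dnsmasq[123]: query[AAAA] metrics.cdn.example from 192.168.0.30
Feb 18 20:01:05 dnsmasq[123]: query[A] news.example from 192.168.0.20
"""
# Hypothetical per-client groups: the TV gets both lists, everything else
# only the hosts list (the one-client-per-group setup described above).
CLIENT_LISTS = {"192.168.0.20": {"hosts", "regex"}}
DEFAULT_LISTS = {"hosts"}
LOG_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def load_hosts(text):
    """Exact-match domains from a hosts-format blocklist; comments ignored."""
    domains = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            domains.add(parts[1].lower())
    return domains

def would_block(domain, lists, hosts, regexes):
    """Return the rule that would block `domain` under these lists, or None."""
    d = domain.lower().rstrip(".")
    if "hosts" in lists and d in hosts:
        return "hosts:" + d
    if "regex" in lists:
        for r in regexes:
            if re.search(r, d):
                return "regex:" + r
    return None

def dry_run(log_text=QUERY_LOG, hosts_text=HOSTS_LIST, regexes=STRICT_REGEX):
    """Report per client what *would* be blocked; no query is answered or dropped."""
    hosts = load_hosts(hosts_text)
    hits = {}
    for m in LOG_RE.finditer(log_text):
        domain, client = m.groups()
        rule = would_block(domain, CLIENT_LISTS.get(client, DEFAULT_LISTS), hosts, regexes)
        if rule:
            hits.setdefault(client, []).append((domain, rule))
    return hits
```

Run it against a copy of your real query log before enabling blocking; the phone's `metrics.cdn.example` query stays unblocked because the regex list is only applied to the TV's group.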
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
My cheap Android phone installs games by itself, e.g. Candy Crush, ugh. My own fault, I get it: buy a $2K phone instead of a $160 one.
The only really annoying thing about it is that noises from tv shows or the house sometimes triggers the voice recognition, which fails, and then you have to click through the error message.
I dread the day it dies.
I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.
They probably do some tricks that blocking ads with DNS is not possible.
- Use Firefox with uBlock Origin and BypassPaywallsClean to avoid ads and paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.
Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.
For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.
On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.
This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.
And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
Yeah, I agree it's not super UX friendly.
The biggest risk is not samsung knowing what someone watched but what devices you have on your lan
With a local server, most requests are fulfilled from the local cache.
Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.
I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.
> The cloudflared binary will also work with other DoH providers.
Yes because you judge people by the country they live in. AdGuard has made their stance clear if something like this is important to you: https://www.reddit.com/r/Adguard/comments/t15gr4/announcemen... & https://adguard.com/en/blog/official-response-to-setapp.html
Not that it means all that much, but AdGuard is headquartered in Cyprus, for what it's worth.
Only if you don't trust only Russians and no one else.
Is there anything in Pi-Hole v6 that would make someone switch back?
- I run it in Kubernetes with multiple replicas behind a load balancer for high availability.
- A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.
- Configuration as code, which gets mounted as a secret.
- Query logs from all replicas forwarded to loki for visualization and performance review.
Congratulations to the team for the release - happy to support you via Patreon!
I have some scripts to sync config between them and a Jenkins job if I want to pause blocking on them for a bit.
It looks like https://github.com/mattwebbio/orbital-sync and https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6 now, but it’s quite a bit of code for what looks like just a few HTTP requests to get the config from one using the teleporter feature, then restore it on the others using the same.
For example, the split-horizon feature, which returns different responses to DNS queries depending on whether I'm connected to my Tailscale network or not, has been pretty slick.
I documented that process here in case anyone is interested: https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...
One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?
ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or set up PiHole to pass IPv6 and the DNS I want to the device.
You don't have to (and I assume most users don't), but you can if you want per-device reporting. You just set your router's DHCP server to hand out NextDNS's DNS servers.
I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.
Most of the time when I visit test.nextdns.io it shows as "unconfigured" even though the NextDNS client is installed and configured with a NextDNS profile (and approved in Settings as a VPN provider on these OSes). Sometimes it will work on its own.
I wouldn't recommend NextDNS unless the user is comfortable installing a (somewhat) permanent Profile on these devices with no temporary "off" switch to stop blocking. For me it's important to stop the blocking once in a while.
At least on macOS, there's Little Snitch (paid application), which can subscribe to the same blocklists used by ad blockers and has a working toggle.
This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.
I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.
- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees
- Blocks ads in ALL apps, not just my browser
- If it's acting up, I can just disconnect from the VPN to disable PiHoling
- Don't have to expose my home IP address and open a port for the world to start banging on
Is that really an issue if all you're exposing is the VPN port? WireGuard for instance has industrial-grade encryption. Even an open port 51820 should be fine.
Client --DNS--> pihole --DNS--> dnscrypt-proxy (localhost) --DoH--> upstream
Not the prettiest but it works.
I want my devices to use my defined DNS server on my network, not some ad company (and all tech companies eventually become ad companies).
I just don't want to leak dns requests to my isp. If there's a way to do this without DoH or DoT, I'd happily learn more about it.
Obviously the goal is to have your local clients talking to Pihole, but the goal of having remote DNS queries encrypted is to prevent ISP snooping.
Though if you really want to prevent ISP snooping you have all clients using VPN or configure your router to send all outbound traffic to a VPN endpoint.
we block all meta and X properties from our home network, also ads
and it's self hosted on our own metal
it's a wonderful life
There's a difference between meta, X and ads?
With regards to X. Blocking it serves as a good reminder to use a proxy, or try and find the source elsewhere (Blue Sky, Mastodon). More often than not, these exist.
Finally, if required I can use Tor Browser. No cookies, no profiling, no ads.
The only reason I don't use one now is that I travel a lot more so it's irrelevant, and I have to work enough on tools with Google/Vercel/other analytics that it is just very inconvenient.
Regarding smart TVs, I have found that it's better to just use an Apple TV or Kodi box and never connect them to the internet, though. Having said that, I gave my TV away because I never used it, so this might not be as up to date. A Pi-hole will block ads on smart TVs though.
I’m not up to speed on this stuff but I thought pihole only blocked the simplest stuff from devices that play nice?
It could certainly try... but usually you would block that in your firewall. Fixed DNS servers or fixed server IP addresses are tricky because if you ever need to change them, you can't, because you'd need to update the hardware (which you can't since it sits behind a firewall).
It could try to use things like Google's DNS server, but that is easily blocked in your router.
Not a lot that could be done except trusting your (internal) DNS server...
I don't KNOW of any doing it but I can't imagine it'd be too hard for them to do.
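Added example (not from the thread, and not Pi-hole's own code): a Python check, assuming a Pi-hole at a hypothetical 192.168.0.2 and iptables-style firewall log lines, that flags LAN flows going around the Pi-hole, i.e. plain DNS or DNS-over-TLS to outside resolvers, plus HTTPS to well-known public resolver addresses as probable DNS-over-HTTPS, which a port-53-only rule would not catch. The log lines are constructed.

```python
import re

# Pi-hole's LAN address in this constructed setup (hypothetical value).
PIHOLE_IP = "192.168.0.2"
LAN_PREFIX = "192.168.0."
# Public resolver addresses devices commonly hardcode; used only to flag
# TCP/443 flows that are *likely* DoH, which a port-based rule cannot see.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed iptables/nftables-style log lines (not from the thread).
FIREWALL_LOG = """\
kernel: IN=br0 OUT=eth0 SRC=192.168.0.20 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
kernel: IN=br0 OUT=eth0 SRC=192.168.0.30 DST=192.168.0.2 PROTO=UDP SPT=40002 DPT=53
kernel: IN=br0 OUT=eth0 SRC=192.168.0.20 DST=1.1.1.1 PROTO=TCP SPT=40003 DPT=853
kernel: IN=br0 OUT=eth0 SRC=192.168.0.20 DST=8.8.4.4 PROTO=TCP SPT=40004 DPT=443
kernel: IN=br0 OUT=eth0 SRC=192.168.0.30 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=443
"""
FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def classify(src, dst, proto, dport):
    """Return a finding label for a flow that sidesteps the Pi-hole, else None."""
    if not src.startswith(LAN_PREFIX) or dst == PIHOLE_IP:
        return None
    if dport == 53:
        return "plain DNS to external resolver"
    if dport == 853 and proto == "TCP":
        return "DNS-over-TLS to external resolver"
    if dport == 443 and proto == "TCP" and dst in KNOWN_PUBLIC_RESOLVERS:
        return "probable DNS-over-HTTPS to public resolver"
    return None

def find_bypasses(log_text=FIREWALL_LOG):
    """Scan log lines; returns [(src, dst, label)] for flows worth a firewall rule."""
    findings = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        label = classify(src, dst, proto, int(dport))
        if label:
            findings.append((src, dst, label))
    return findings
```

Ordinary HTTPS to a non-resolver address (the last log line) is left alone, so the check stays useful as a watch list for the router rules the comment above mentions rather than a general traffic filter.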
Use Class A2 microSD cards (they'll last significantly longer... particularly if you keep logs). There are additional 3rd-party installations which can write into RAM, but IMHO it's easier for most new users to just buy better NANDs.
Set up more than one physical Raspberry Pi, running multiple versions of PiHole software on multiple IP addresses.
Have your main DHCP router auto-issue DNS information for your "most permissive" PiHole, with a minimal list of choice URL-blocks (e.g. pagead2.* , doubleclick). Individual clients can then manually change DNS server to 2nd (3rd... 4th...) PiHole(s) which are each more-restrictive.
This allows non-technical users to still browse somewhat ad-free, but also won't block banking/govt/etc for novices. As a failsafe, teach users to enter your router's IP as DNS x.x.x.1 [should they ever need to bypass local filtering, entirely].
I use sequential IP addresses [192.168.0.6, x.x.x.7, x.x.x.8, x.x.x.9] so it's easier to explain/teach my network's ad-blocking capabilities. YES, I understand that Pi-Hole allows different clients to follow different rulesets, but if you can afford to buy redundant hardware it's just so much easier to change the client DNS server information when a specific website isn't working correctly [due to an erroneously blocked host].
Pretty good interface, and most people just have to connect using the app. Having a virtual network between devices with dedicated IPs is pretty nice too.
I checked that Pi-Hole can run on a Raspberry Pi Zero as per the GitHub. But would you recommend using a Raspberry Pi 5 (2 GB or 4 GB RAM) instead of a Raspberry Pi Zero? I don't have any Raspberry Pi and I intend to make a new purchase.
I've been waiting for this - I wanted to play around with blocking distractions on various rules, but controlling pi-hole remotely was a huge pain and often didn't work until now.
I use two old PINE64 (one with FreeBSD, one NetBSD to make it more fun), and the Ansible configuration downloads https://github.com/ShadowWhisperer/BlockLists and creates a file dnsmasq can use. Which lists from the repo to use is defined as a variable.
Works very well and I feel I can understand what is going on.
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Is this possible in a simple way?
https://www.perplexity.ai/search/i-d-like-to-use-cloudflare-...
Edit: OP edited their comment, was previously a very long AI-generated response.
oh noes!
Any details on what HTTPS support provides, other than a TLS connection to the admin dashboard?
Instead, use yout-ube.com [insert a hyphen into any URL] and ALL ads disappear.
I wish pihole or adguard would add support for change DNS records based on the query subnet. I believe this is called DNS views.
That way my local devices and wireguard devices can get the correct IP for internal services.
That’s why I switched to AdGuard Home but wouldn’t mind switching back.
I have been using Pi-Hole for about 8 years and can't imagine a world without it.
Another big THANK YOU to all list maintainers out there. You're doing an incredibly useful service to the community.
There are always some features that I wish it had, but ultimately it does a really good job.
It’s easy to take for granted the hard work that goes into creating and maintaining such awesome tools.
The service/device dedicated to killing connections (blocking dns, whatever) can't/won't serve my connection.