h4kunamata a day ago

I have run PiHole for years in my home network; I cannot live without it. Over the years, I have made small changes to increase my control over it.

I have a recursive DNS setup: PiHole filters everything, and what is left is processed locally via Unbound, which in turn contacts the 13 root nameservers for DNS resolution. I don't use any third-party DNS.

Add PiHole/Unbound caching capabilities and surfing the internet is bloody fast.

Now, they alone cannot block everything, like a smart TV with hardcoded DNS, DNS-over-TLS, DNS-over-HTTPS, etc.

That is where OPNSense comes to play...

I have firewall rules in place so that nobody but the PiHoles can request name resolution. My Samsung smart TV trying to use Google DNS?? Blocked, PiHole takes over.

Devices trying to use DoT or DoH??? Blocked, PiHoles take over.

You can create a dynamic firewall rule with OPNSense so it will only block 443 and 853 if the host matches the list, which is updated daily.

To make everything even better, the OPNSense firewall makes sure no IoT device can access the local network, but I can access them (wireless printer, etc.), and if I need to access anything while on the road, like my cat's cam or my Voron 3D printer camera, WireGuard VPN makes sure of that. No VPN equals no network access.

It is just me and my devices, at the time of this writing:

* Domains on List: 500k

* Total queries: 43k

* Queries Blocked: 17k

* Percentage Blocked: 39%

I run GrapheneOS on my Pixel phone with very limited apps; I prefer the web version. The apps themselves are fully controlled and 99% of their access is blocked. That is why I have fairly low numbers after purging all the logs a few days ago.

  • vladvasiliu a day ago

    > Devices trying to use DoT or DoH??? Blocked, PiHoles take over.

    How? I can see you only allowing some ports through the firewall, but presumably TCP 443 is one of those. According to Cloudflare [0] DoH uses that. What if Samsung uses that, or figures DoT on port 443 works better? Do you only allow specific destinations for these devices?

    I actually use a similar setup, only I removed pihole and just use some lists in my opnsense's unbound (didn't notice much difference).

    My "smart" TV is pretty awful, so it's just unplugged (which makes it dumb, so now I love it). I've tried putting it on a dedicated VLAN with no internet access so I could try using the built-in Chromecast functionality – didn't have much luck. I've set up the mDNS repeater and allowed ports through, but that doesn't seem enough.

    [0] https://developers.cloudflare.com/1.1.1.1/encryption/dns-ove...

    • h4kunamata a day ago

      I followed this blog to get the dynamic firewall in place: https://labzilla.io/blog/force-dns-pihole

      Like you said, you cannot just block 443; the dynamic firewall uses a public list, which contains all the public DNS known to man (the last bit was just to sound a little dramatic haha).

      So OPNSense will block anything within that list on both 443 and 853.

      So my Samsung QLED TV can no longer use Google:443 for DNS resolution. OPNSense blocks it and redirects it to PiHole; a NAT is also required to avoid devices getting mad.

      I didn't pay a kidney for that smart TV back in 2019 to make it dumb; when it is on, the PiHole logs go brrrrrrrr

      It is also one of the reasons why my whole network was going down: it was making too many requests, exhausting PiHole's 150 concurrent DNS requests. There is a flag to increase that, and no more issues.

      Google:443: DNS request only, no actual 443 request gets blocked

      Cloudflare:443: DNS request only, no actual 443 request gets blocked

      etc. etc. Read that blog I shared to understand it.

      If I run dig google.com @8.8.8.8, the PiHole terminal shows the request

      If I open 8.8.8.8:443 in the browser, the OPNSense firewall log shows access denied, the same message as when my TV turns on or my Home Assistant goes on.

      DoT on 853 is simple to block on its own, not much secret there.
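The rule order just described (force port 53 to the Pi-hole, drop 853, drop 443 only when the destination is on the resolver list, leave all other 443 traffic alone) can be checked offline before it goes into a firewall. The following is an added example, not code from the thread or from the labzilla post: it simulates that policy in Python over a constructed flow log, with a made-up LAN (192.168.1.0/24), a made-up Pi-hole address (192.168.1.53, also running unbound) and a five-entry stand-in for the daily-refreshed public resolver list.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed topology: LAN, the Pi-hole host (which also runs unbound) and a
# hand-made stand-in for the public resolver/DoH list that OPNSense would load
# as a URL-table alias and refresh daily.
LAN = ipaddress.ip_network("192.168.1.0/24")
PIHOLE = ipaddress.ip_address("192.168.1.53")
PUBLIC_DNS_LIST = """
# constructed sample of a public-resolver list; real lists hold thousands
8.8.8.8
8.8.4.4
1.1.1.1
1.0.0.1
9.9.9.9
"""


def parse_ip_list(text):
    """Parse a 'one address or CIDR per line' list, ignoring comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


DOH_NETS = parse_ip_list(PUBLIC_DNS_LIST)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def decide(flow, nets=DOH_NETS):
    """Return (action, reason) for one LAN-originated flow.

    Rule order follows the post: 1) the Pi-hole host is exempt (its own
    upstream queries would otherwise loop back to itself), 2) port 53 from
    anything else is NAT-redirected to the Pi-hole, 3) 853 (DoT) is dropped
    outright, 4) 443 is dropped only when the destination is on the resolver
    list, 5) everything else passes, so a normal 443 connection to an
    unlisted host is untouched.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in LAN:
        return ("pass", "not a LAN source")
    if src == PIHOLE:
        return ("pass", "Pi-hole/unbound upstream traffic is exempt")
    if flow.dport == 53:
        return ("redirect", f"{flow.proto}/53 -> {PIHOLE}")
    if flow.dport == 853:
        return ("block", "DoT port")
    if flow.proto == "tcp" and flow.dport == 443 and any(dst in n for n in nets):
        return ("block", f"DoH to listed resolver {dst}")
    return ("pass", "default")


def summarize(flows):
    """Count actions over a flow log, the way a firewall log review would."""
    return dict(Counter(decide(f)[0] for f in flows))


# Constructed flow log: a TV trying Google DNS on 53 and 443, a phone trying
# DoT, the Pi-hole/unbound host talking to a root server, and ordinary web
# traffic to an unlisted host (TEST-NET-3 address).
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "8.8.8.8", "udp", 53),
    Flow("192.168.1.20", "8.8.8.8", "tcp", 443),
    Flow("192.168.1.21", "1.1.1.1", "tcp", 853),
    Flow("192.168.1.53", "198.41.0.4", "udp", 53),
    Flow("192.168.1.22", "203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, decide(f))
    print(summarize(SAMPLE_FLOWS))
```

The two flows worth comparing are the TV's 8.8.8.8:443 (blocked, because the address is on the list) and the laptop's 203.0.113.10:443 (passed, because it is not), which is the distinction the post makes with "DNS request only, no actual 443 request gets blocked". The exemption for the Pi-hole host is the detail that is easy to forget when translating this into real rules.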

      • silon42 19 hours ago

        Good stuff.

        As an alternative, has someone tried running http/s proxy on the firewall and blocking the rest of client HTTPS (except maybe for whitelist devices)?

  • brewdad a day ago

    While there is absolutely value in doing what you are doing and I commend you for fighting the good fight, the fact that 61% of your queries are still going through means your data is still getting out there. Maybe to a lesser degree, but that doesn't mean the marketing target isn't being painted; it just means you are an impressionistic painting rather than a modernist with straight, accurate lines.

    I want to know how to become a Pollock painting.

    • h4kunamata a day ago

      I see your point; I have no need to block 99% of everything. For instance, many apps like bank apps use Google to deliver notifications (there is a name for it), so if you start blocking everything, you won't be able to use anything.

      To your credit, I can block more stuff but I haven't bothered. I have spent many nights blocking stuff haha

      Reddit doesn't work at home atm because I blocked static.reddit.com. Since the API drama, I never used it again; I used to waste hours of my life every day there. Couldn't be happier, to be honest haha

      The only fight I gave up is YouTube; I do see value in YouTube Premium. Spotify is dogshit; YouTube Music allows me to listen to music available nowhere else, like DJ remixes and old music, and the offline music works, where Spotify gave me the finger.

      I watch YT only; TV news is completely useless nowadays. There are solid news channels, so anyway, I do pay for it over trying to block its ads from the free version. I mean, try listening to music with ads, nah thanks haha

mikestew 2 days ago

In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.

EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.

  • elashri 2 days ago

    An increasing number of them also rely on hard-coded DoH servers, which are harder to block/redirect. You will need Pi-Hole/Adguard Home on the router to block them based on some curated lists (i.e. [1]).

    [1] https://github.com/dibdot/DoH-IP-blocklists

    • rsync a day ago

      In this arms race you are saying a current "move" is a curated list of IPs that correspond to known DoH servers ... and that's fine ..

      However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?

      For instance:

      If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?

      • baby_souffle a day ago

        That might work, but if your Samsung example is behind Cloudflare, you're basically going to have to block any and all access to Cloudflare's network.

        And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet

      • toast0 a day ago

        If you're really serious about DNS interception, you'd set up something where

        a) you stop accepting A lookups, because it's 2025 and IPv4-only is dead (let's pretend anyway)

        b) for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts). Then only let clients connect to these IPv6 addresses you set up.

        If someone smuggles address resolution through, outside of DNS, their clients can't connect.

        (this is going to be a big PITA, but that's how these things go)

        • dullcrisp a day ago

          I guess at that point they’d have to establish a tunnel and route ads through the same HTTPS connection as legitimate traffic.

        • ignoramous a day ago

          > for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts)

          We employ exactly this technique for our Android firewall app. It can do IPv4 (by mapping hash(domain name) onto the RFC 6598 reserved subnet [0]), as the number of unique AAAA/A requests on a client seldom exceeds 35k/mo!

          Another (simpler) control we offer users is to drop all connections made to IPs that the user-set resolver did not do name resolution for.

          > (this is going to be a big PITA, but that's how these things go)

          You don't say.

          [0] https://github.com/celzero/firestack/blob/2191381f/intra/dns...
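toast0's synthetic-address scheme, in the hash(domain name)-into-RFC 6598 form ignoramous mentions, written out as an added example in Python. This is not code from the thread or from the firestack project linked above. It assumes a constructed two-entry upstream table in place of a real resolver, draws every client-visible address from 100.64.0.0/10 by hashing the queried name, and keeps the NAT table in memory; the IPv6 variant toast0 describes is the same idea with a /64 in place of the /10.

```python
import hashlib
import ipaddress

# RFC 6598 shared address space; every client-visible address comes from here.
SYNTH_NET = ipaddress.ip_network("100.64.0.0/10")

# Constructed upstream answers; a real deployment forwards to Pi-hole/unbound.
UPSTREAM = {
    "example.com.": "203.0.113.10",
    "telemetry.example-iot.com.": "198.51.100.7",
}


def is_synthetic(ip):
    """True if ip lies in the synthetic range handed to clients."""
    return ipaddress.ip_address(ip) in SYNTH_NET


class SyntheticResolver:
    """Hand out synthetic addresses for names and keep the NAT table.

    Clients only ever see 100.64.0.0/10 addresses. The egress path consults
    the table, so a destination the client obtained some other way (its own
    DoH channel, a hard-coded IP) has no entry and is dropped.
    """

    def __init__(self, upstream=UPSTREAM):
        self.upstream = upstream
        self.nat = {}  # synthetic IPv4Address -> (name, real IPv4Address)

    @staticmethod
    def _fqdn(name):
        name = name.lower()
        return name if name.endswith(".") else name + "."

    def synth_for(self, name):
        """Deterministic hash(name) -> address, skipping network/broadcast."""
        fqdn = self._fqdn(name)
        usable = SYNTH_NET.num_addresses - 2
        digest = hashlib.sha256(fqdn.encode()).digest()
        offset = 1 + int.from_bytes(digest[:4], "big") % usable
        # linear probe past any address already owned by a different name
        while True:
            cand = SYNTH_NET[offset]
            owner = self.nat.get(cand)
            if owner is None or owner[0] == fqdn:
                return cand
            offset = 1 + offset % usable

    def resolve(self, name):
        """Answer an A query: a synthetic address, or None for NXDOMAIN."""
        fqdn = self._fqdn(name)
        real = self.upstream.get(fqdn)
        if real is None:
            return None  # nothing resolved, so nothing gets mapped
        synth = self.synth_for(fqdn)
        self.nat[synth] = (fqdn, ipaddress.ip_address(real))
        return synth

    def translate(self, dst):
        """Egress check: the real address for a mapped synthetic destination,
        or None when the packet should be dropped."""
        entry = self.nat.get(ipaddress.ip_address(dst))
        return None if entry is None else entry[1]


if __name__ == "__main__":
    r = SyntheticResolver()
    synth = r.resolve("telemetry.example-iot.com")
    print("client sees", synth, "-> NAT to", r.translate(synth))
    # an app that learned the real address over its own DoH channel
    print("direct to 198.51.100.7 ->", r.translate("198.51.100.7"))
```

Hashing the name makes the synthetic address stable across repeated lookups, which matters because clients cache answers; the probe loop only runs on a hash collision. A deployment would also need to expire NAT entries and persist the table across resolver restarts, otherwise a client holding a cached synthetic address loses connectivity after a restart, which is the "big PITA" toast0 refers to.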

          • vladvasiliu a day ago

            > Another (simpler) control we offer users is, to drop all connections made to IPs that the user-set resolver did not do name resolution for.

            This sounds good, and I've wondered how I could implement such a thing.

            However, with the clearly hostile approach all IoT appliances are taking, I wonder if they'll actually fall back to a "degraded" (for them) config with the network-provided DNS, or whether they'll just fail and complain the network is broken or something.

      • pimeys a day ago

        I run Zenarmor in addition to Adguard at home, which can detect DoH traffic and intercept it. You have to pay for this enterprise level tool, but if you are worried about DoH, Zenarmor is so far the easiest tool to block it.

        In our house the only device that tries to use DoH is my partner's iPhone. It tries a few times, fails, then uses the Adguard DNS, which blocks the trackers.

    • jeroenhd a day ago

      And before DoH was a thing, several Chinese apps I've used also used to do plain HTTP for DNS resolution (I only caught them by chance because they were doing HTTP). PiHoles only work for apps that stick to the standards and don't mind being caught.

    • TacticalCoder a day ago

      Browsers allow corporations to prevent DoH and force DNS through company-owned DNS servers:

      https://support.mozilla.org/en-US/kb/dns-over-https

      I use these settings on all my browsers to prevent DoH and make sure traffic goes through my Pi (I run unbound directly on the Pi though, not Pi-Hole: in my experience unbound is a bit harder to set up initially but it's also more powerful than Pi-Hole... For example unbound accepts wildcards in blocklists).

      It's not incompatible with also blocking, at the firewall level, all known DoH servers of course.

      Nor is it incompatible with forcing your router to also use your Pi as a DNS.

  • iugtmkbdfil834 2 days ago

    I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. Blanket pihole recommendation may be a disservice at this point.

  • RachelF a day ago

    I've seen Windows 11 ignoring DNS settings too, for Microsoft telemetry, ads and updates.

  • bongodongobob 2 days ago

    No, that's not a fix and those iptables settings are on the router. It will only catch DNS requests on port 53. Doesn't catch DoH which you can't do on a router, you need a firewall for that.

    • tenacious_tuna a day ago

      Also, doesn't that break the network if the pihole is offline? Before I'd just override DNS on my workstation, but that iptables config would block any "unsanctioned" DNS traffic

  • wang_li 2 days ago

    > read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,

    Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.

    • mikevin 2 days ago

      Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?

      • jcalvinowens 13 hours ago

        If you control the machine you can always defeat pinning, given enough effort. But for an IoT device, yeah, we're already there.

    • gbuk2013 2 days ago

      To be fair, if you are geeky enough to run a PiHole you will have no trouble finding the config option to turn off DoH in your browser.

      • int0x29 2 days ago

        Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.

        • hnuser123456 a day ago

          Except, now you don't really control your web browser either, and ad blockers are getting crippled. It is an uphill battle.

          • Larrikin a day ago

            AdBlockers are not crippled on Firefox

        • woleium a day ago

          And then there is amazon sidewalk, which can only be evaded by unplugging the wifi board on your tv

        • nobody9999 a day ago

          >Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.

          Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.

      • freedomben 2 days ago

        True, but I want all the devices on my home network to have DoH disabled too. Most of them I can't change directly.

    • wkat4242 a day ago

      Yeah DoH was a solution to a really niche US-only problem where their laws provided the ability for providers to sell their users' DNS logs. In normal countries with privacy protections this isn't a thing anyway.

      In this model, DoH is only a bad thing because it evades local DNS control.

      I know that apps can always roll their own or even hardcode servers, but I hate the way that DoH was seen as some kind of saviour even though it adds zero benefit to European users and only adds negatives.

      • diogocp a day ago

        Your comment makes no sense. The DoH providers can still log requests and sell them.

        DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.

        Sending anything in clear text over the internet in 2025 is criminally negligent.

        • koito17 a day ago

          HTTPS is not necessary to encrypt DNS traffic. DNS-over-TLS exists, but it has much less traction compared to DNS-over-HTTPS. I am guessing the reason is that HTTPS traffic all goes through port 443, so "censorship" of DNS becomes tricky, since DNS traffic becomes a bit harder to distinguish from ordinary web traffic.

          Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).

          • baq a day ago

            Everything other than 80 and 443 is blocked by default, anything-over-https is just a matter of time. With a properly configured TLS MITM proxy only certificate pinning will prevent snooping, but it’ll also prevent connectivity, so you might call it a win for security/privacy, or a loss for the open internet if it’s you who needs to VPN to a safe network from within such an environment…

            • wkat4242 20 hours ago

              A port number does not force a certain protocol. You can run everything you want over port 443.

              And yeah I also think it's a really bad idea to run everything over https. But I don't think it'll happen.

              • baq 18 hours ago

                You can. The client side enterprise proxy/firewall really doesn’t want you to, though. Just a fact of life.

                • wkat4242 17 hours ago

                  Yeah I wasn't really thinking of enterprise in this whole discussion though. After all, it's about pi-hole.

        • wkat4242 a day ago

          Yes but in the US the ISPs are the intermediary. And the big DoH providers like Cloudflare have better privacy protection.

          Here the ISPs are intermediaries too, but we have laws to prevent them from using our data, using DPI etc. And even if you use their DNS.

          I agree encryption is important but DoT is much better then. DoH mainly took off because of this in the US.

    • notarealllama 2 days ago

      Jokes on you, I do have a fortinet which does this.... Oh wait, only up to TLS 1.1 or something and it's slow.

      I forgot the name of the software but there used to be a few tools to terminate and reencrypt. But yeah, dnssec is its own challenge

      • gbuk2013 2 days ago

        You need to get an F5 box instead. :)

    • gosub100 a day ago

      The arms race will continue. I think the next gen will be a self hosted archive.ph style host that lets all the garbage load and distills it into a PDF or Web 1.0 style file ready for consumption. I would be fine with a browser extension that learns what I watch the most and preloads it for me, and/or an on demand service that shares prerendered sites bundled into torrents that group together common interests.

      Edit: as much as I dislike AI, I concede it would be lovely to tell it to replace all ads with pictures of flowers.

      • DrillShopper a day ago

        That's what The Internet Junkbusters Proxy / Privoxy excelled at.

  • ignoramous 2 days ago

    > For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.

    Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.

  • silverwind 2 days ago

    Apps that open arbitrary UDP/TCP ports? Isn't that something the app store policies should reject?

    • epcoa 2 days ago

      What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.

    • 01HNNWZ0MV43FF 2 days ago

      They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves

everdrive a day ago

My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IOT, android, chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones. (plus a steamdeck) My wife has a few ugly apps (facebook, instagram, etc) but outside of that we're in much better shape network-wise.

I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.

  • mberlove 13 hours ago

    I know I'm not alone in maintaining a strong feeling that we've "gone the wrong way" with tech in a lot of ways, as the meme goes, and forgotten (societally) that tech is there for us rather than the other way around. I like your approach - take a light touch using technology; use tech where it helps and ignore it where it doesn't.

    (The challenge of course is when you can't or aren't allowed to ignore it, its own challenge).

perdomon 18 hours ago

I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power. The entire setup process happens over SSH and it cost me about $25. If someone can figure out how to configure their network for the pi-hole, I’m sure they can also figure out SSH.

  • sgbeal 14 hours ago

    > I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power.

    FWIW, even a Pi Zero 2 is overkill. My pi-hole has been running for the better part of 3 years on the same microSD card on a first-generation pi zero, powered via a USB port on my router.

  • tonymet 16 hours ago

    Original pi zero with usb Ethernet also runs fine

    • perdomon 15 hours ago

      1. You’re totally right about that, but I couldn’t find one as easily. 2. I was initially hesitant about using WiFi for DNS, but after reading comments it seemed that no one really had any issues. Mine has been kicking for 6 months sitting right next to my router without any noticeable delays, so I think it’s okay.

      • sgbeal 14 hours ago

        > I was initially hesitant about using WiFi for DNS, but after reading comments it seemed that no one really had any issues

        FWIW, that was also an initial concern of mine. Almost three years later, i've never once had an issue with running my pi-hole over wifi.

        • tonymet 13 hours ago

          You're right it's usable, though DNS is the most critical service to have low latency.

          On good wifi with no interference you can get a good 2 ms avg and 0.2-0.4 ms SD ping distribution.

          Ethernet will have 0.2 ms avg and 0.01 SD.

          It's the outliers that will cause headaches, when there is radio interference.

          Wifi is a dynamic system with every base station migrating bands for interference.

      • tonymet 13 hours ago

        It's mostly fine, only edge cases. With the original Zero W and 2.4 GHz radio, microwaves were real interference.

        I mostly used USB as an experiment and I didn't know what else to do with the regular-zero

        Very cool how a $5 board could work so well! I was glad to see your post.

xracy 2 days ago

Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.

I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?

Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.

If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).

Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).

For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.

  • chihuahua 2 days ago

    Edge browser + uBlock Origin, and YouTube works perfectly without ads.

    • bluescrn a day ago

      Plus staying logged out of YouTube, which seems to avoid their ad-blocker-blocking for now.

    • squigz a day ago

      Firefox works well too. 10.2M blocked requests on my uBlock, and YouTube - and every other site - works perfectly fine.

      • happyhacks a day ago

        youtube was likely broken because

        jnn-pa.googleapis.com

        was likely in one of the lists - add it to "Exact allow" list

        Similarly you can allow

        googleadservices.com

        but that is too much IMO - I just have a habit now to not click on such results.

  • perdomon 16 hours ago

    For the Google issue, I’ve been using Kagi as a search tool for the last 2 weeks and love it. No ads and great results that can be personalized. I’m on the free version but will likely start the subscription soon.

  • NoPicklez a day ago

    To fix that you just need to look through the logs through the native pi-hole UI and whitelist those domains which cause friction with your browsing habits.

    The google sponsored search issue was one I also fixed quite quickly.

    As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.

    • foobahhhhh a day ago

      Or don't use hostile services

itchyouch 2 days ago

For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be setup on the router.

Makes it nice and easy for the non-technical members of the fam.

  • n_ary a day ago

    I personally use it on my devices as well as on the TV and smartphones of my non-tech-savvy family. However, deep in my mind, I have a feeling that any day they will turn face and sell off to some data brokers, and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard Home on a cheap VPS, but decommissioned it after NextDNS. Maybe I need to go boot it up again.

  • AnonC a day ago

    NextDNS is not the answer if someone is looking for apps to toggle on or off the blocking easily. The NextDNS apps on iOS and iPadOS have not been updated for about five years and the toggle is broken (I know this because I’ve been troubled by it for years). If using the app on iOS/iPadOS (and not a permanent VPN profile), anytime you wish to know if NextDNS is on or not, go to test.nextdns.io on a browser and see if it shows “unconfigured” or some specific NextDNS endpoint. For me this test has proven how it randomly works or doesn’t work.

  • glial a day ago

    I tried a Pi Hole a few years ago. I just discovered NextDNS and configured my home router to use it as a DNS and wow, it's SO much easier.

iramiller a day ago

What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.

Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that, they all require routing and can still be forcibly cut off.
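The stateful allow list described here, which is also the "drop connections to IPs the user-set resolver never resolved" control ignoramous mentions earlier in the thread, as an added example in Python. This is not code from the thread or from Pi-hole. The blocklist patterns, the PTR records used for the reverse-DNS check and the resolver answers are all constructed and fed in directly; in a real setup they would come from the Pi-hole query log and reverse lookups. The allow-list entry expires with the record TTL plus a grace period, because clients keep using cached answers slightly past the TTL.

```python
import fnmatch
import ipaddress


class DnsGatedFirewall:
    """Allow egress only to addresses the local resolver actually handed out.

    State is learned from the resolver's A/AAAA answers and expires with the
    record TTL plus a grace period. A reverse-DNS check catches addresses
    whose PTR name is on the blocklist even though they were reached through
    an innocuous-looking forward name.
    """

    def __init__(self, blocked_patterns, rdns, grace=30):
        self.blocked = [p.lower() for p in blocked_patterns]
        self.rdns = {ipaddress.ip_address(k): v for k, v in rdns.items()}
        self.grace = grace
        self.allowed = {}  # ip -> expiry (seconds, same clock as `now`)

    def _blocked_name(self, name):
        return any(fnmatch.fnmatch(name.lower(), p) for p in self.blocked)

    def observe_answer(self, now, name, ip, ttl):
        """Feed one answer the resolver returned; returns whether it was learned."""
        if self._blocked_name(name):
            return False  # Pi-hole would have sinkholed it: learn nothing
        ip = ipaddress.ip_address(ip)
        self.allowed[ip] = max(self.allowed.get(ip, 0), now + ttl)
        return True

    def check_connection(self, now, dst):
        """Decide a new connection to dst at time now."""
        dst = ipaddress.ip_address(dst)
        expiry = self.allowed.get(dst)
        if expiry is None:
            return ("drop", "never resolved through the local resolver")
        if expiry + self.grace < now:
            return ("drop", "resolver answer expired")
        ptr = self.rdns.get(dst)
        if ptr and self._blocked_name(ptr):
            return ("drop", f"reverse DNS {ptr} is on the blocklist")
        return ("allow", "resolved through the local resolver")


# Constructed data standing in for the blocklist, the PTR records and the
# resolver log (TEST-NET addresses throughout).
BLOCKLIST = ["ads.example", "*.tracker.example"]
PTR_TABLE = {"198.51.100.9": "cdn7.tracker.example"}


def demo():
    fw = DnsGatedFirewall(BLOCKLIST, PTR_TABLE)
    fw.observe_answer(0, "www.example.com", "203.0.113.10", ttl=300)
    fw.observe_answer(0, "ads.example", "198.51.100.5", ttl=60)          # not learned
    fw.observe_answer(0, "api.example-iot.com", "198.51.100.9", ttl=60)  # PTR is a tracker
    return {
        "resolved": fw.check_connection(10, "203.0.113.10")[0],
        "expired": fw.check_connection(400, "203.0.113.10")[0],
        "hardcoded": fw.check_connection(10, "203.0.113.99")[0],
        "blocked_name": fw.check_connection(10, "198.51.100.5")[0],
        "tracker_ptr": fw.check_connection(10, "198.51.100.9")[0],
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:13s} {action}")
```

The "hardcoded" case is the one this thread is about: a device that reached 203.0.113.99 through DoH or a built-in address never produced a local resolver answer, so the connection is dropped regardless of port. The "tracker_ptr" case shows why the reverse-DNS check is worth the extra lookup, and the "expired" case is where the grace period needs tuning against how long your clients cache answers; vladvasiliu's point about appliances failing outright rather than falling back is the behaviour to watch in the logs when this is first switched on.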

imgabe a day ago

I had been meaning to do this for the longest time. I even had a couple spare raspberry Pis laying around, but didn't want to set it up. Finally, I realized you don't need a raspberry pi at all. It's running in docker on my plex server. Much less friction. Don't get hung up on needing to run it on a raspberry pi.

dend a day ago

Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.

jstanley 2 days ago

I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.

uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.

  • dvratil 2 days ago

    With pi-hole, you can also block telemetry from smart devices (TVs, dishwashers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.

    As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.

    • timbit42 2 days ago

      I just don't connect those devices to any internet.

      • ThrowawayTestr a day ago

        Some people like to watch YouTube on their TV

        • jstanley a day ago

          I watch YouTube on my TV. Using Firefox, with uBlock Origin. We have a laptop plugged into the TV, with a bluetooth keyboard. It is a vastly superior experience to any smart TV I have ever seen.

          • dividedcomet a day ago

            And also more than most people want to have setup in the living room. My wife would rather have ads on YouTube occasionally than an ugly computer plugged in all the time. It’s also more difficult to deal with than a remote you can work one handed.

            • akimbostrawman 21 hours ago

              Small PCs and drawers exist and I would rather have a whole damn server rack than 30-second to 3-minute ads every 5-10 minutes / video. It's worse than TV... and no, I'm not gonna give Google money for a continually worse experience despite paying.

            • godelski a day ago

              You can get a pi and tuck it behind the TV. Then get a mouse that's styled like a remote. There's also plenty of OSs designed to look like a proper smart TV OS

            • jstanley a day ago

              It's not ugly, it's hidden inside the cabinet that the TV stands on.

          • timeinput a day ago

            I'm with you entirely, and that is how I interact with youtube.

            My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.

            She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the somewhat finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box, (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.

            I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.

          • calvano915 a day ago

            Using my ShieldTV, I've very much enjoyed SmartTube for ad-free YouTube viewing. It performs very well and is constantly updated when YT pushes new blocking techniques.

          • Mashimo a day ago

            Do you honestly not understand why some people don't want that setup?

            • jstanley 20 hours ago

              No, the objections are stupid. Not only is the Firefox experience vastly superior to any smart TV app, but you can have easy and effective ad blocking on top.

              My best guess at why people don't want to do this is that we're conditioned not to do anything that isn't advertised to us, and nobody is running adverts telling you to hook a laptop up to your TV for a superior smart TV experience.

              • Mashimo 19 hours ago

                No need to tell me the advantages, I get it.

                But I also get why people just want to sit on the couch, find a nice video on the phone and with the press of a button want to see it on the TV. No computer boot time, no updates, no writing on the keyboard while laying down.

                I get that you can buy a fanless pc, install linux with unattended-upgrades and you have something more powerful. But most people don't know how or don't want to go through that hassle.

                • jstanley 16 hours ago

                  Leave the computer running all the time. Never install software updates. Browsing for videos with keyboard is equivalent or better than browsing with phone. If you really want to browse with phone I guess you need a Firefox extension that can send the tab to the laptop. Personally I've never looked into that because I can't imagine wanting to do it.

                  • Mashimo 16 hours ago

                    > Browsing for videos with keyboard is equivalent or better than browsing with phone.

                    Again, for you yes. But some lay down on the couch and a keyboard in that posture is just annoying.

                    And copying a youtube video from the app, into firefox app to just send it to the computer is bonkers complicated when you could just press the cast icon.

                    A lot of people interact with their phone all the time, but rarely use the computer. I'm telling you, it's easier to use the built-in YouTube app for a lot of people.

                    • jstanley 10 hours ago

                      Ah, using the YouTube app is a blunder! If you use the web version in Firefox you get to block ads.

  • crtasm 2 days ago

    uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.

    It's best to run both.

    • rsync a day ago

      "uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc."

      Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already?

      In that case the pihole (or nextdns, etc.) is bypassed ...

      I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options?

      • timeinput a day ago

        I mean I expect devices and apps to move to DoH, but they haven't yet, or at least not all of them. My experience generally on my phone at home (with DNS blocking) is better enough than my experience away from home that I'm glad I took the half a day or thereabouts to set up a DNS blocking tool a couple years ago.

        A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.

        It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.

        Now that I think of it I should probably start logging how many DNS lookups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of watts to power the Raspberry Pi.

  • Twirrim 2 days ago

    I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.

    On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.

    • nativeit a day ago

      Yeah, blocking the bloated Adobe telemetry from their CC apps has been worth the cost of entry alone.

  • gh02t a day ago

    Used to be to catch ads in places outside of browsers like apps, smart TVs etc, or when mobile browsers didn't let you have ad block plugins, plus catching outbound connections like devices trying to phone home. Less effective now, unfortunately, but I find it still catches a lot of ads in mobile apps even if more and more apps are working hard to circumvent DNS blocking. Also have set up PiHole* to block ads for non technical family members who don't know how/can't be bothered to use a browser plugin. Another perk is it gives you some high level overview about what devices across your whole network are up to, though there are other (and often better) ways to achieve this.

    * I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.

  • macawfish 2 days ago

    Could be nice to have both! Plus, it's not clear that chrome will always support manifest v2. I recently learned that you can still use uBlock Origin in chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?

  • mikestew 2 days ago

    uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.

  • BenjiWiebe 2 days ago

    uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).

    Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.

  • FredPret 2 days ago

    For me it's because:

    - I need it to work within phone apps, my TV, on Safari, and on Chrome

    - I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.

    What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.

    I don't want this thing phoning home with screenshots of my bank and email.

    • swiftcoder 2 days ago

      > When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser

      I'm not sure how a blocker would work if it couldn't see the content of the page...

      • FredPret 2 days ago

        Exactly, that's why I do it on the DNS level

        • lmm 20 hours ago

          Anything that can mess with your DNS can mess with approximately everything you do on your computer, if only by MiTMing you.

  • Havoc a day ago

    Even with ublock the pihole still ends up catching a bunch of stuff.

    Best to run both if you're in a position to do so

  • kgwxd 2 days ago

    Not all internet traffic goes through a browser.

  • alexose 2 days ago

    I agree. I don't want to be a hater, because it's a cool idea... but I find that this is just the wrong level to operate on.

    When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.

  • whalesalad a day ago

    pihole, adguard, nextdns etc work at the network level. meaning you do not need to configure client devices. it's one and done. also means that your dummy clients like TVs, IoT devices, etc... are going to be participating as well. you can't install ublock origin on a TV, or my dog's wifi collar, etc.

parpfish 2 days ago

i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.

these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.

  • 3abiton 2 days ago

    I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.

    • TechDebtDevin 2 days ago

      It still shouldn't break all the time. You shouldn't have to get good at debugging a tool like this. I use it but it does destroy my network once a month and I have had to build cleanup/reinstall scripts for this scenario. I would not recommend it to most people.

      • happyhacks a day ago

        Don't know about your network - but I have been running it for years without any issue, just a docker pull to update the containers once in a while

      • danparsonson a day ago

        What do you mean 'destroys your network'? It's just a DNS server - maybe something else is wrong and the presence of the pihole is a coincidence?

      • bongodongobob 2 days ago

        Did you not give the pihole a static address or something? What is breaking?

        • TechDebtDevin 2 days ago

          No idea, it barely works.

          • bongodongobob a day ago

            Then there's something wrong with your network. All it does is serve DNS.

          • eldaisfish a day ago

            pihole is one of the most straightforward pieces of software out there. It is so easy to use that it is practically an appliance.

  • bongodongobob 2 days ago

    It's very straightforward. You set the IP of the pihole for DNS in the settings of whatever is doing DHCP on your network. That's it.

    • blooalien a day ago

      Yeah, and set the IP of the PiHole as DNS for any device you've set static network settings on as well, but yes, it is indeed "very straightforward" for anyone that's able to set up their local network (or able to ask a "nerdy" friend or family member to do it for 'em).

      • bongodongobob a day ago

        If you've set static IPs, I don't see how picking where DNS comes from is out of your wheelhouse.

lambdaba 2 days ago

Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.

  • eamag 2 days ago

    Why is tailscale needed?

    • lambdaba a day ago

      You don't strictly need it, it just makes it a tiny bit more convenient since you can set it up to override DNS on any connected device, and Tailscale sets up a private VPN mesh between your devices that I've come to take for granted - a tangential feature that goes well with centrally managed DNS.

    • JamesSwift a day ago

      It lets you leverage it while physically outside of the network (eg at a hotel)

      • benhurmarcel a day ago

        But NextDNS isn’t on your network anyway. You can access it from anywhere.

    • dockerd a day ago

      And also benefit from Tailscale drop feature

  • bix6 2 days ago

    Is there a tutorial you recommend?

    • lambdaba a day ago

      There's a lot more to Tailscale but for a basic setup you just install the client on all your devices, and set DNS to the NextDNS endpoint. Any device on your network will automatically pick it up.

ryandrake 2 days ago

Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.

1: https://en.wikipedia.org/wiki/Dnsmasq

  • mikestew 2 days ago

    I was shocked that TFA’s recommended kit was $155! When did Raspberry Pis get so pricey?

    • GuB-42 2 days ago

      The latest, overpowered version with all the accessories is that pricey.

      But you can do it for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...

      Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.

      You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.

      • theshrike79 18 hours ago

        And if you're getting close to $75 and don't need ultra-low power use, you should get a N97/N100 MiniPC anyway - or a used business PC like a Lenovo ThinkCentre.

        All can be bought for around $100 and are upgradeable with standard parts AND are multiple times more powerful than any raspberry pi.

    • jamesgeck0 2 days ago

      I don't _think_ you need a whole Raspberry Pi 5 kit. It seems like an older Raspberry Pi 3b+ would get the job done for $35 or so. Maybe even a Raspberry Pi Zero ($5) with a micro USB Ethernet adapter.

      • GloriousKoji 2 days ago

        I recommend against the Pi Zero. Once you add in the cost of the microUSB to USB-OTG adapter and the ethernet USB adapter you might as well buy a 3B or 4. Price aside it adds an extra mechanical point of failure as microUSB is not very robust.

      • m000 2 days ago

        RPi5 is definitely a huge overkill. Plus, it needs a power adapter, probably some cooling, and some space to seat it.

        Pi Zero 2W + micro usb ethernet adapter works perfectly for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.

      • mikestew 2 days ago

        Oh, it will definitely work on older ones. The one I have, w/o logging in and explicitly looking, is a 3-$SOMETHING, probably 3b+. Works just fine.

        • shrikant 2 days ago

          My Pi-hole runs on a ~13 year old Model B, which has survived several house moves. Definitely don't need top of the line hardware for it!

      • fortran77 a day ago

        If you want a machine to run 24/7 for a long time, running it off an SD card is a bad idea. The NVMe support on a Pi 5 is important for something like a PiHole.

    • ChrisLTD 2 days ago

      Same. I thought it'd be ~$50.

    • wkat4242 a day ago

      It's BS anyway. Pihole doesn't need anywhere near pi 5 kinda speeds.

  • sixothree 2 days ago

    I run it under Hyper-V on a NUC sized device that is always on.

Dries007 2 days ago

After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.

I run it on a rPi Zero 2W ($15), with the Waveshare Ethernet / USB HUB BOX ($16). Together with a power brick ($5) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).

Software-wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current uptime is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.

I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.

In combination with uBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)

  • Gucio 2 days ago

    Check out smarttubenext if you are on an Android TV.

10729287 20 hours ago

> (You will need) A monitor, mouse, and keyboard that you can plug into the Raspberry Pi as you set it up.

Raspberry Pi can be set up to boot with ssh login/password, so you don't even need a wired mouse and keyboard.

the_dude_ 2 days ago

it's a good post, however I agree with the comments there and here that a raspberry pi 5 with 8gb ram is overkill for just running pihole. a good old Raspberry Pi 3 Model B with 1gb ram is enough and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have so no need to buy a device just for the sake of it. I would rather not run it as a docker container though but that's just my preference

  • lproven a day ago

    Yup, I am using a Pi 3B as well. Silent, passive-cooling case, 16GB µSD card which is at least twice as big as it needs to be, and it uses about 10% of RAM and 10% of CPU.

    I enabled `unattended-upgrades` and set it to do all types of update. I've never caught it in a reboot but it's always current. It swaps to ZRAM for less load on the µSD card.

  • olelele a day ago

    I run mine on a RPi 1 and it doesn't even break a sweat

lproven a day ago

I did this in March:

https://www.theregister.com/2025/03/08/pi_hole_6_flyby/

TBH I was surprised how easy it was, how unobtrusive it is, and how a bit of borderline e-waste that was in my spares box now helps every device on the network, including things like phones where I can’t so easily add ad-blocking.

rockbruno a day ago

Setting up a Pi-Hole taught me a ton about how networks work. It's a really cool thing to set up for fun.

firesteelrain a day ago

Always wanted to do this but if I get a call from home and I am either

1) at work, 2) out of town, or 3) just not home,

then my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.

  • overfeed a day ago

    What black-swan event would cause 2 PiHoles to go down simultaneously? You could always use a non-PiHole guest-network if your WiFi hardware supports it, and let your family know to use the guest network if the regular network is down. The manual switching might not be necessary as most computers, phones and tablets automatically disassociate from a WiFi network if it's "offline", such as when DNS resolution fails.

  • procarch2019 a day ago

    They could just switch their dns back to auto (or statically use google/cloudflare/etc depending on how you configure it), no? Then fix it when you’re back.

    You could also set up 2 ssids depending on your WiFi set up. Point one to pi hole and the other to a different DNS provider. Instruction if pi hole breaks is just switch WiFi.

  • tanx16 a day ago

    I run Wireguard in combination with Pi-Hole so I can VPN into my home network to configure anything I need. DuckDNS if you’re on a dynamic DNS provider. It’s also nice to have this since you can get the adblocking when away from home.

  • ndsipa_pomu a day ago

    One work-around is to get them to modify their wifi connection to use a specific DNS (e.g. Google at 8.8.8.8 and 8.8.4.4 is easy to remember).

    I run Pi-hole in docker on a NanoPi that I set up as my router (running OpenWRT). In the rare occurrence that it misbehaves, I could just tell my spouse to power cycle it. I did think of having a failover, but there's always going to be a single point of failure with my ISP router anyhow.

flaburgan 2 days ago

Does it really have to be installed in the local network? I would like to set it once in a server and then be able to configure the box of all my friends, family, etc.

  • potatocoffee 2 days ago

    Pi hole devs recommend running it locally only and discourage exposing your pi-hole to the internet. I used pi hole for years but have been using NextDNS lately and it works well outside of my home network, and even has a free tier.

  • rement 2 days ago

    Be aware that if you run it on the internet other people will find it. I had one open to the web for a bit and was a bit surprised how many systems started making requests to it.

  • freedomben a day ago

    No, but it won't have auth in front of it so it will eventually be discovered and used by people who aren't you. That could get you wrapped up or even implicated in a cyber attack.

  • Larrikin 2 days ago

    You can run it on your phone and outside of your network with something like Tailscale as your vpn

  • the_dude_ 2 days ago

    it depends on your needs, but for me I set it up as the dhcp server and configure the router to go through the pihole. If you want to share it with family and friends there is no better tool than tailscale, you can configure the pihole as an exit node.

chilldsgn a day ago

I used to have one on my network. Then I wanted to use my RPi for some other experimentation and just kind of forgot about it. I run adblockers on my browsers anyway, but I've been feeling the need to start using pi-hole again recently.

nicoloren a day ago

Some years ago I used Privoxy on my computer to filter unnecessary requests. It worked great and is an alternative to consider if you don't want a computer plugged in 24/7 on your network.

duckkg5 2 days ago

$155 seems like a lot. I do this with a $5 pi zero and a $5 adapter and it works flawlessly.

chaoskitty a day ago

I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.

  • gh02t a day ago

    What do you mean without machine specific binaries? Like, building it from source? The instructions for that are pretty ambiguous and look like they are only for part of the system (https://docs.pi-hole.net/ftldns/compile/). However, if you just mean running it bare metal then running the installer script mentioned at the top of the Github page will install it using native packages for your system (apt, rpm, etc).

  • dabluecaboose a day ago

    I used to have PiHole running in a docker container, which sounds almost exactly like what you're describing.

  • nobody9999 a day ago

    >I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.

    I have done so for four or five years.

    Well, with x86_64 binaries -- but I could compile the code myself if I wanted.

    No containers, just a Linux (Fedora) VM.

wvenable a day ago

I love having an Eero router for the simplicity but I hate that I cannot do all the Linux routing tricks that I used to do.

roydivision a day ago

I choose browser plugins instead for a more consistent experience, at home or anywhere.

M95D 2 days ago

For those who think DNS-over-HTTPS can't be blocked: just disable routing and use a whitelist filtering proxy server instead.

  • wkat4242 a day ago

    That still won't work if they use the same server to serve DoH as the rest of the content. You really have to break open the TLS connection to block it properly.

dark-star 2 days ago

> 66.6% of all traffic is blocked

I hear things like this a lot from PiHole users. But it's incorrect.

Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked.

  • pnw 2 days ago

    66% would indicate that OP may have a device repeatedly trying to resolve a blocked query with no reasonable backoff logic.

    In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
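
As an added example, not code from the thread or from Pi-hole: a small Python script that does the logging timeinput describes above (blocked lookups per day, to judge whether the blocklist is still earning its watts) and the no-backoff check pnw describes (one client re-asking for the same blocked name all day). The log lines are constructed; the exact Pi-hole log format, and attributing a "gravity blocked" line to the preceding query for that domain, are assumptions.

```python
"""Added example, not from the thread or from Pi-hole: parse Pi-hole style
query log lines, count blocked lookups per day and flag clients that keep
re-asking for one blocked domain without backing off."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of Pi-hole v5's /var/log/pihole/pihole.log.
# Assumption: the "gravity blocked" answer line directly follows the query it
# belongs to; adjust the regexes if your Pi-hole version logs differently.
SAMPLE_LOG = """\
Jun  1 08:00:01 dnsmasq[812]: query[A] news.example.org from 192.168.1.20
Jun  1 08:00:01 dnsmasq[812]: forwarded news.example.org to 127.0.0.1#5335
Jun  1 08:00:02 dnsmasq[812]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.50
Jun  1 08:00:02 dnsmasq[812]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Jun  1 08:00:03 dnsmasq[812]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.50
Jun  1 08:00:03 dnsmasq[812]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Jun  1 08:00:04 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Jun  1 08:00:04 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jun  1 08:00:05 dnsmasq[812]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.50
Jun  1 08:00:05 dnsmasq[812]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Jun  1 08:00:06 dnsmasq[812]: query[AAAA] news.example.org from 192.168.1.20
Jun  1 08:00:06 dnsmasq[812]: forwarded news.example.org to 127.0.0.1#5335
Jun  2 09:10:00 dnsmasq[812]: query[A] iot-auth-global.aliyuncs.com from 192.168.1.51
Jun  2 09:10:00 dnsmasq[812]: gravity blocked iot-auth-global.aliyuncs.com is 0.0.0.0
Jun  2 09:10:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jun  2 09:10:01 dnsmasq[812]: cached example.com is 203.0.113.10
Jun  2 09:10:02 dnsmasq[812]: query[A] wiki.example.org from 192.168.1.20
Jun  2 09:10:02 dnsmasq[812]: forwarded wiki.example.org to 127.0.0.1#5335
"""

# Syslog-style timestamp ("Jun  1" has two spaces for single-digit days).
STAMP = r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
QUERY_RE = re.compile(STAMP + r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(STAMP + r"gravity blocked (?P<domain>\S+) is \S+$")


def parse_log(text):
    """Return one [day, client, domain, blocked] record per query line."""
    records, last_for_domain = [], {}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rec = [f"{m['mon']} {int(m['day']):02d}", m["client"], m["domain"], False]
            records.append(rec)
            # The answer line carries no client, so remember who asked last.
            last_for_domain[m["domain"]] = rec
            continue
        m = BLOCK_RE.match(line)
        if m and m["domain"] in last_for_domain:
            last_for_domain[m["domain"]][3] = True
    return records


def summarize(records, hammer_threshold=3):
    """Per-day totals (pct is a share of DNS queries, not of traffic volume)
    plus (client, domain, count) for clients that re-ask for the same
    blocked name at least hammer_threshold times."""
    per_day = defaultdict(lambda: [0, 0])  # day -> [total, blocked]
    hammer = Counter()
    for day, client, domain, blocked in records:
        per_day[day][0] += 1
        if blocked:
            per_day[day][1] += 1
            hammer[(client, domain)] += 1
    # Keys lack a year, so string order only holds within one month.
    daily = {day: {"total": t, "blocked": b, "pct": round(100 * b / t, 1)}
             for day, (t, b) in sorted(per_day.items())}
    noisy = [(c, d, n) for (c, d), n in hammer.most_common() if n >= hammer_threshold]
    return daily, noisy


def avg_blocked_per_day(daily):
    """Average blocked lookups per logged day; below about one a day the
    blocklist is probably no longer worth the power to run it."""
    return sum(v["blocked"] for v in daily.values()) / len(daily) if daily else 0.0


if __name__ == "__main__":
    daily, noisy = summarize(parse_log(SAMPLE_LOG))
    for day, v in daily.items():
        print(f"{day}: {v['blocked']}/{v['total']} queries blocked ({v['pct']}%)")
    for client, domain, n in noisy:
        print(f"no-backoff client {client}: {n} blocked lookups of {domain}")
    print(f"average blocked per day: {avg_blocked_per_day(daily):.1f}")
```

Run it against the real log instead of SAMPLE_LOG to get the daily numbers; a client that shows up in the no-backoff list is the usual explanation for an unexpectedly high blocked percentage.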

  • kube-system a day ago

    66.6% of traffic per DNS request is a metric of network traffic. You could measure by bandwidth, by number of packets, by number of sessions, etc. There are many measurements one could use, and DNS requests is one of them. It would probably be irrelevant for other purposes but isn't a crazy measurement given this context.

    It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...

wkat4242 a day ago

I wouldn't bother buying a raspberry pi 5 to run this shit though, as the article suggests. It's way overkill.

Just run the docker on another server you're running anyway, or run it on a raspberry pi zero 2W for $15. A pihole does so little work, it doesn't benefit from a pi 5.

I just run it on a VPS that costs me 3€ per month and runs lots of other stuff too like an IRC bouncer. That way I can access it from everywhere.

  • wkat4242 a day ago

    > I wouldn't bother buying a raspberry pi 5 to run this shit though,

    PS, I didn't mean the word 'shit' negatively. 'stuff' would have been better. But I meant it more as in 'check this shit out' :)

    Pihole is actually a really nice project even though it's just a wrapper around dnsmasq.

  • gosub100 a day ago

    Why don't people run their own public DNS and sell you very cheap access to it? $9 a year to Johnny's No-Ad DNS. If it worked I'd pay for it

    • wkat4242 a day ago

      It's not worth the support trouble for the little it would make. Adblockers often break legit things too. Often people still want to use links that go through tradedoubler and the like. One support call and your yearly profit is wasted.

      And how do you block access to non-paying customers? DNS isn't authenticated.

      It's also not really a great method for adblocking anymore (which would make the support problem worse, "why am I still seeing ads?")

troebr a day ago

I like the idea, but also it wouldn't feel fair for some services that I use like Twitch, or some cooking websites. I get that they sometimes really abuse all that stuff, but also I feel like they deserve some kind of compensation.

  • gosub100 a day ago

    Poor Mr Bezos, I don't know what he would do without your $3 in ad views.

whalesalad a day ago

My power went out today. Which means at some point my UPSes run out of capacity and my core infra VM host has to shut down. I run Adguard on that device ... so once it is gone, my ad-blocking is gone.

I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.

incomingpain 2 days ago

<3 my pihole.

Currently I'm at 28% blocked. Typically I'm above 50% like OP.

They have significantly higher number of domains blocked. time to update my lists: https://firebog.net/

  • jyap a day ago

    It’s all relative. I’m at 24.4% but I have quite a few devices like Wemo light switches at the top of my DNS queries. Only have one Amazon Alexa device but that’s near the top as well.

    IoT devices which constantly phone home will skew things.

danielovichdk 20 hours ago

Listen. Pi-Hole is forever something I resemble with American Pie.

Good luck with whatever it is. Can't go there.

more_corn a day ago

One problem I have is that I can’t get my pihole to stop blocking archive links. Can’t find it in the blacklist, whitelisting doesn’t work.