I know some folks are anti Ubiquiti Unifi on here, but you can run pihole (along with a bunch of other stuff) right on a UDM/UDM-Pro. IMO it makes the most sense to run this on the router, and you can run it in a docker container. If you're looking for a fun hour or two project, check out:
I have another point of view as a non-pro user. The leas thing my router is doing the better. I want my router software be as simple as possible to reduce possible bugs. Plus I want it to put all cpu time onto processing packets.
I would consider using pihole like functionality if it’s baked in firmware. But definitely don’t want to install extra software.
Unless you are doing deep packet inspection, which isn't useful in most home setups anyway, even mediocre hardware is going to be more than powerful enough to process packets while running PiHole or AdGuard home.
Never heard of smoothwan but I've been running PiHole on LXC on OpenWRT for years. It was never difficult to set it up, I just created a Debian (or Devuan, can't remember now) container and ran the PiHole install on it.
I run a PiHole and a Tailscale exit node on my Unifi routers (previous generation). The Tailscale exit node lets me do both site-to-site VPNs and site-specific egress. The one thing keeping me from site network nirvana is that I haven't quite figured out how to set up a wifi network on the Ubiquiti device that routes all traffic through a given other exit node, however. Someday!
I'm afraid to ask, but why are people anti ubiquity? I freaking love my udm-pro and am waiting for their cams to come back in stock so I can ditch my nests.
I saw your exact question elsewhere, so I'll reply with my exact same answer:
I personally grew a strong distaste for several reasons. When I first started my homelab I was ready to go all in with Ubiquiti. Equipment looked nice, great looking UIs, great price. Seemed like everything was perfect for the prosumer. I bought some access points and a UDM pro to start, with plans for some POE switches next. First thing that irked me was that I had to log into everything through the cloud. And it wasn't possible to set up the UDM and access points at the time without a cloud account, though I know this has since changed. Second was that they were sending all kinds of telemetry to HQ. One of the reasons I set up a homelab is for privacy and data sovereignty, so having my low level network equipment spy on me is a huge no-go. The third thing that really pissed me off is that there was no way to manage any clients on my network that didn't go through a Ubiquiti access point. I had an old Airport Pro that I was using and all the clients that connected through it were not visible to the UDM pro. Both official support and the reddit forums said it wasn't possible and it didn't make sense anyway, and gaslit me and even removed some of my posts and comments. What is the point of a firewall if you can't disable traffic to some clients (e.g. I didn't want my robot vacuum phoning home to china). I SSH'd into the UDM and indeed see the vacuum in the ARP table so there was no technical reason to not allow me to set firewall rules for it in the UI. I mean the UDM gave these clients DHCP addresses, so it's obvious that the UDM was aware of them. It became clear - it's a business lock-in strategy to force you to go all-in on Ubiquiti equipment. They don't support heterogeneous mixed-vendor networks. I said fuck that and returned it all. Switched to open source products like OPNSense and used professional equipment from EBay and couldn't be happier. Way more control for the same price, no spying, and no vendor lock-in.
Forcing users to use a cloud account and an app for setup, and enabling telemetry without disclosing it to users, although once they were called out on it by folks noticing a bunch of traffic to their servers they eventually confirmed it was happening and added an opt-out option (see https://www.theregister.com/2019/11/07/ubiquiti_networks_pho...), also there was something about NVR and not being allowed to self host it, or use old hardware... I never bothered to really look into that one, but it seemed to come up a lot.
Stupid bugs caused me to move away from them, conveniently only days before the breach became public.
Bug #1 was when they stopped supporting 32-character SSIDs, so my main network called "Smart Meter Surveillance Network" suddenly was no longer editable. Switching routing platforms is easier than setting up all my devices again.
Bug #2 was the one I wrote up here on Reddit (https://www.reddit.com/r/UNIFI/comments/ghs4bg/arp_for_clien...), which was where ARPing for a client on a meshed wireless AP, from the wired network, would fail. If the client was on a non-meshed AP, it worked.
I expect better from my network, so I dumped Unifi and went to OPNsense on a fanless PC.
- Synology DS1019+ for storage, Plex, and Pi-hole via Docker
- 2x Rucuks R610 APs running Unleashed firware (off-lease eBay purchases, enterprise grade APs, about $150/ea, both wired/non-mesh)
- Brocade ICX6430-C12 Switch (4x 802.11at PoE, handles the APs, another eBay special, cost around $90)
This is working well for me, and unlike the UniFi stuff I can now pretty easily swap out any piece of it with another brand of the same function and things will be fine. The single ecosystem of Unifi always bothered me a bit.
If I want a new VLAN (or special WLAN) it's a little harder than on UniFi, but it's really just setting it up on OPNsense, defining it on the requisite ports on the switch, and turning up the new SSID (if needed).
I also don't miss Unifi's single pane of glass view either. All the shiny threat stuff isn't particularly actionable, and there's a bunch of gaps (IIRC like how it'd wouldn't have usable timestamps for some things) so I was never able to use it to make decisions.
I run the Synology with a LACP link; that's plenty fast as its more a storage/backup box than anything that needs to be performant. Speeding all that up would just be a matter of replacing the switch and adding a card into the Synology, but I don't need that for now. (I'd probably get a new NAS before that.)
• lies about supporting older versions of APs, telling me I need to upgrade to get x-such-feature, and then they support it later on the older hardware.
• Various features sold as _coming_soon_, that really take several years to come about.
• making more and more of their setup require a total buy-in of the whole infrastructure when I only wanted one piece of it.
• It just wan't very reliable. I'd have to reboot all the APs every now and then to get them communicating well again (this seems to be limited to myself and not my friends, but happened on two generations of the UBNT hardware)
But what did them in on the end for me was some version upgrade totally blew up my network, that does depends on different SSIDs mapping to different VLANs, but after the upgrade, they bridged everything together.
Found that unacceptable, so I gave up fighting them, dropped in another enterprise vendor, and now things are truely rock solid.
Yes, they give out many enterprise features for a very low cost, and the feature set does far surpass any of the consumer price range gear that they hover their price points around.
OOTH, since I do work with lots of Enterprise gear, I know when used gear is falling off in price to affordable for home levels, and how much more life I can reasonably get from it. Sure, I don't have 802.11ax, but I don't think my last round of UBNT AP buys can upgrade to 802.11ax either, would have had to buy another round of UBNT gear.
"On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
"Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January."
No matter how good your security is, a rogue employee with high-level access will always be a threat. Since they now have experience with this situation, I trust that Ubiquiti has dedicated more resources to preventing both employee sabotage and external breaches.
This also shows that not every breach is what it seems, and investigating fully before publicly disclosing can sometimes help prevent disinformation. The “whistleblower” in this case was intentionally lying, and every customer that dedicated time to mitigation had to pay part of the cost.
Yeah, reminiscent of the (apocryphal?) story of the stuntplane mechanic whose negligence almost cost the pilot his life; assuming he'd be fired, the mechanic was shocked when the pilot said he was now the only mechanic allowed to touch his plane, bc he knew, with certainty, there'd never be another such mishap.
I had six unifi protect cameras for over a year until I replaced them all. Rain at night means motion notifications every 30 seconds, bugs at night, same thing. Unifi cameras are terrible for outdoor applications.
Be aware that UI is planning to consolidate the UDM/UDM Pro software (1.x) into the UDM Pro SE / UDW software branch (2.x) in the near future, and the 2.x software doesn't use Podman and instead runs the software "bare metal".
IIRC the udm-utilities also work on the UDM Pro SE, though i'd be a lot more worried about "messing up" when it's not confined to a docker container.
I caught a bug related to this in Project Zomboid in an early multiplayer version.
Often when someone joined a server there would be a tiny bit of lag for all of the users.
I figured out the server was using a java method that indirectly was doing a blocking DNS lookup.
I think it was reverse DNS but I forget which method it actually was, and if it was blocking the main thread or just the networking thread.
(PiHole still wouldn't have created an additional cost though.)
No expected impact. If for some insane reason a game is also calling as servers your performance will be improved.
Consider the case of a web page. The content you want (the news article) consists of say 100 get requests totaling 1mb. The content you don’t want (ads) consists of 120 get requests totaling 1.2mb.
When pihole is in use the content you want does not have to contend with adversarial content. You have half as many requests, there’s 50% less data in the pipe, you get what you wanted faster.
Gaming is not impacted because your games don’t call advertising servers. If they did (for some insane reason) the real game requests get served immediately not having to wait in line behind the ad content.
I run it on my NAS computer in a ubuntu server vm. It was 20 minutes to set that up and another 5 to install and point my router's DNS to it. Maintenance is a monthly login, and a biannual update after puttying into the box.
If you want a one-purpose device for it, then you would be looking into buying a SOC computer like a Raspberry PI 3 (should be cheaper than the 4) and about an hour to set it up.
One little thing I have done is set my router's secondary DNS to 1.1.1.1, just in case the power fails or the PI goes down. When I set mine up I completely forgot to set ESXI to auto-power on the VM, so after a brief power outage I had no internet for almost an hour because I had no redundant DNS configured. I got blindsided by my own mistake. Now everything is on a UPS and the VMs are correctly configured in case power is lost long enough to require a shutdown.
You will not have any extra latency once the DNS resolution is done.
The resolution has to be done a way or another, by default this is your ISP and they usually suck. I had hand-picked DNSes before (there is a utility that tests plenty of them from your connection) and after adding a pihole on a simple RPi it was even faster.
Any recommendation on hardware piholes? I have a UDM Pro but honestly i don't know how much i trust modifying it at all - i've found Ubiquiti software to be iffy... so i'm a bit hesitant to modify anything.
I run two Pi4s with the filesystem on a usb drive, which is probably a bit overkill but I keep some monitoring on them too. In Unifi Routing, give the piholes a fixed ip and swap your dhcp server to have manual DNS entries - you might need to do this in the classic settings view.
I run 2 raspberry pi zeros connected (and powered) to my router as usb network devices both running pihole. I've been running this for years and have had zero issues.
You can run Pihole on any crappy raspberry pi you have around.
I ran mine on a Raspi Model B. You know, the one with the RCA plug and SD card slots. From 2012. At some point the SD was so messed up I couldn't ssh into it any more, but it still worked.
Now Pihole is running on my Thinkcenter minipc as a Socker image along with a good dozen others. I don't have to worry about SD corruption or sudden shutdowns any more.
For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
I moved to NextDNS after my SD card died on my Pi. One of the biggest features is that I can enable this on my phone using Android's Private DNS feature, which means it works for mobile data without having to run a VPN. Covers all networks with no extra configuration. Highly recommend.
I generally like NextDNS, but the customer service is _literally_ non-existent. About a week after becoming a paying member, I had an issue where requests wouldn't resolve at all, and there was no way to move forward, and there was no way to get help from the NextDNS team. So, a good service, but not so great for your family members who can't track down solutions to issues like that themselves.
> ctur - For those not wanting the overhead of running a service on your network, NextDNS sells what is basically managed pihole. I’ve used it for about a year and have been very happy. It also lets you use it on mobile devices for when you aren’t on your home network.
The overhead is very minuscule.. I always forget that I'm using it...
you can configure to use a self hosted DNS. I do this coupled with a VPN that was very easy to install and configure: https://dietpi.com . this VPN I access with ddns for free.
only fixed cost was the pi to run in (pi version 1 ram if by far enough for just pihole +unbound)
Won't be long now until IoT and other crap-ware devices catch on to this trend and start hard-coding DNS servers in code, or worse, using DNS encryption to avoid this sort of routine blocking by end-users. I wonder how people are thinking about solving this problem.
Essentially it's just DNS filtering on steriods. You start with an empty (or preseeded) ipset, and a firewall rule that says to reject/drop all outbound traffic if the destination isn't in the ipset. Dnsmasq is setup as the default dns provider in DHCP, and it's setup to add all resolved IPs to the ipset (with an expiration so stale entries get removed).
Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT, etc don't work as their hardcoded IPs are blocked by default, and DNS filtering knocks out domain resolution of the endpoints. Even if an alternate resolver is allowed through the firewall, none of it's responses get into the ipset, so it's still broken (and is a sign I need to update the DNS filter).
I really like the concept of this approach, I'd say it's worth writing a blog post / article describing the process and details so others can duplicate it.
This is already happening. The likes of Google Home et al already hardcode their own servers. I noticed that no DNS requests were being made through my Pi Hole, so when I looked, it turned out their DNS servers were hardcoded.
However, I'm more worried about when they start hardcoding DoH servers.
In the case of just using a PiHole, a hard-coded server would easily get around it.
But if the network outright blocks random DNS requests, that only leaves DoH, which would require fixed IPs, which should be able to be detected and blocked, right?
Unless I understand incorrectly, this doesn't seem to make the problem any worse. You'd just have to block the proxy rather than the DNS server. Like DoH, only a problem if that's also the web server.
In order for this to be true the device manufacturer would have to send both DNS and web requests through the proxy. They'd also have to "obliviously" encrypt web traffic as well. Otherwise, a MITM could determine which are DoH requests or determine which server is the proxy server and which are web requests.
This means that the DNS response for the web server would always be the proxy itself, or some set of proxies (and it would have to be the same IP for both wanted and unwanted traffic). What does DNS even add at that point? You'd be better off just making your "wanted" and "unwanted" servers the same server.
I believe there was a proposal for something like this a while back, before the DoH we see now. IIRC, the idea was that DNS information could be contained inside the web page, maybe enclosed in a tag. Addresses for ad servers perhaps.
Few of these ideas can be expected to work unless Evil, LLC controls the program the end user chooses to read the web. When an advertsing services company is also the majority share "web browser" vendor, then ideas like this become feasible. Whereas if web users can choose any client to access the web,[FN1] then these ideas would be non-starters. The open source text-only browser I am using is not going to read the IP address of an ad server embedded in a web page and connect to it automatically. Even if it did, I would simply edit the source code to disable that behaviour and re-compile.
1. In theory they can but in practice they generally don't.
I guess if the relationship we have with our devices is full-on adversarial and yet still need them, they should be put on a dedicated subnet with a default deny rule in place.
I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
Even a dedicated subnet won't be enough, because these devices could be made to connect to any open wifi until they can phone home or even use the cell network, without the user even knowing about it.
> I guess, at this point, the other commenter's solution of "just stop using those things" may be the best.
Yeah. Assuming this doesn't change, this is the end result for me, at least.
Perhaps, but blocking 53 is better than not, IMHO. I've seen devices fall back once blocked to a hard-coded dns, so it works today. DoH is another that devices will eventually employ, so that's another whack-a-mole situation.
Been using this solution myself for a number of years. Works remarkably well. I do not even use DNS recursion or any remote DNS requests because I can load bulk DNS data into the proxy's memory. There is only ever one nonrecursive request to a localhost authoritative DNS server and the answer is always the same: the address of the proxy. Ironically perhaps, DoH outside the browser can be used to gather the bulk DNS data, thanks to HTTP/1.1 pipelining.
Many years ago I anticipated that "developers" would no longer allow end users to choose DNS servers. The developers' work, i.e., software, was dropping in market value and they began to adopt a Trojan Horse "business model". End users could use the software for free with the expectation that few would notice/complain about increased surveillance and data collection, or injected advertising.
The so-called "MITM proxy" is neither a new nor radical idea. Corporations routinely "MITM" TLS traffic from their networks. Enterprise hardware/software companies have provided turnkey solutions.
The issue is not limited to addresses for DNS servers. For example, WhatsApp hardcodes IP addresses in their mobile app. For that problem I use an application firewall.
The PiHole is essentially a slightly modified version of dnsmasq running on a RPi. It is funny that no one has tried using other DNS software. Given a choice of DNS software, I would not choose dnsmasq. It also still seems that no one has presented a "PiHole" that uses a forward proxy instead of a DHCP/DNS server. Similar to corporations, home users need a turnkey solution for monitoring their home networks.
I have an early one someone gave me and there was a custom ROM that one could flash that let one choose their own DNS servers.[FN1] I actually bought a Teensy 2.0 in order to install the custom ROM, but I never got around to doing it. So now I have an old Chromecast and a Teensy 2.0 I am looking to make use of.
TBH, I always found the Chromecast proposition to be unreasonable: "Look at this neat form factor single board computer you just paid for. Too bad only Google is allowed to have control over it. Sorry, you cannot use this for your own projects because [unspecified]. Google must be allowed to conduct surveilllance and gather data." By comparison, lack of complete control over the RPi GPU is rather easy to ignore. AFAIK, the RPi Foundation is not selling online ad services. Compare the number of cool projects people have done with the RPi versus the Chromecast.
1. I think it used to be possible to force use of different DNS servers via DHCP as well.
> Smart devices manufacturers often “hard-code” in a public DNS server, like Google’s 8.8.8.8, and their devices ignore whatever DNS server is assigned by your router - such as your PiHole.
> Nearly 70% of smart TVs and 46% of game consoles were found to contain hardcoded DNS settings - allowing them to simply ignore your local network’s DNS server entirely. On average, Smart TVs generate an average of 60 megabytes of outgoing Internet traffic per day, all the while bypassing tools like PiHole.
Already happening, Google products like the Chromecast serve up plenty of obnoxious ads these days, and hardcode Google DNS. Even blocking Google DNS still allows ads to get through.
This is a big reason why I will never buy another Chromecast branded product, or Google product, again. Congratulations on successfully monetizing my time and annoying me into swearing off Google products altogether.
On the upside, the endpoints are nicely documented by both MS and independent researchers. Also, Windows enforces packet filtering rules on it's own phoning home so a well configured firewall like SimpleWall will be relatively secure from a spying perspective.
I couple PiHole with a pfsense router. In pfsense all DNS queries are blocked except to my pihole. This thwarts an IoT device or streaming devices, etc., from bypassing pihole. Then I block known DoH servers on both pfsense and pihole---which is not perfect, since it's really a game of whack-a-mole, but better than not.
I would love if there was an open 4K HDR TV but I think only a very niche audience actually cares about this so most manufacturers will not see a market opportunity
Search for "signage displays", some have TV functionality built in and some have no, or more tweakable, smart functions. Cost is a lot higher than consumer sets as is quality: they're built to guarantee 18/24 or even 24/24 operation and are the same screens one sees around at malls, streets, stations, airports, etc that would be simply too costly if they broke as often as consumer devices do.
I see your point. Real question: In today's world, what is the difference between a TV and a computer monitor + RasPi? I guess the biggest issue will be streaming on services with very strict operating system / browser requirements.
For example, can you stream Netflix @ 4K via RasPi? I assume no, due to super strict DRM.
It is a little bit surprising to me that the big streaming companies have not creating an open source operating system (similar to Android) that can be used by manuf to create TVs. Then, smaller manuf can find ways to offer bloatware- / adware-free options. Maybe this already exists, and this comment makes no sense!
Size, OLED, HDR, and eARC are three things I can't find in a monitor. I don't know of any 55" OLED monitors that support Dolby Vision and can output their audio to my home audio system over eARC. OLED and Dolby Vision are important to me because HDR makes such a huge difference in properly mastered content. eARC is important because my audio system is able to take advantage of Dolby Atmos metadata and I don't want to lose that. I could just pass my HDMI inputs through my receiver, but my receiver doesn't support passing through 4k 120Hz which I appreciate using with my Xbox.
HDR and OLED are available in some monitor models, but to my knowledge there aren't any 55" monitors with HDR and OLED, and especially eARC.
As someone who recently invested in their first AV receiver, surround sound setup, then navigating hacked drivers to get Dolby Atmos, DTS etc working properly on Windows, finding I can't use my Hue strips in Netflix etc because of DRM, realising Plex cannot serve HDR content, having to edit EDID data so my PC would allow 4k/120fps + VRR with my fiber optic cables... I realise that we're living in an unnecessarily complex DRM hell.
If they're really evil, they'd proxy all traffic through a single host (eg. d2v3i0u0qtn52v.cloudfront.net), so you have to choose between no IOT features, or getting subjected to all the ads/telemetry.
>so you have to choose between no IOT features
I'll bring out the fainting couch. These devices are enough of a poison pill that you're better off without them. You can problem block them with Pihole, but you're one update away from either circumventing the Pihole, or breaking your IoT device because something got changed on the manufacturer's end.
> I wonder how people are thinking about solving this problem.
Not sure what potential issues are are being mentioned here, but I'd say a separate VLAN for IoT devices + QoS [0] should rule out most of the concerns.
That's what I do with my printer. I love the company (Brother) and they make IMO the best printers and MFPs but I am quite paranoid already and I just block any WAN traffic. The printer is (and should be) really only used from the LAN anyway.
Can you not just block the specific addresses? Sure, you'll probably have to do some log digging to find out which ones, but I'm guessing someone else on the internet has already done it.
Sure, then the devices throw up an error and refuse to function. I noticed that most smart TV streaming apps refused to run if they failed to connect to their ad servers.
One of many reasons why I don’t even bother with IoT devices. Don’t need all this crap to be connected to wifi. There was nothing wrong with it before.
Not that I’m terribly experienced with it, but a lot of home automation can be done without “IoT” — specifically without the crapware Trojan controllers that come with consumer solutions from Best Buy. ISY994 for example. Easy solutions for remote access via apps (vpn to home) and notifications as well. It’s not as easy to set up as a plug and play controller from Google, but it’s far more private.
I've been running a pi-hole on my home network for years and I love it, it consistently blocks about 19% of outgoing requests. Some of the benefits for us are:
- It disables (and hides) the annoying ads on our Samsung smart TV
- Browsing is noticeably smoother (especially recipe websites on mobile!)
- Most front-end browser trackers are blocked
- It's now possible to see how often apps or devices tend to phone home by just logging into the Pihole web interface
- We're not giving (most of) our DNS activity to our ISP
- Updating to a newer version is a breeze with docker
Some thoughts for folks considering getting one (or more):
- I've not locked it down further with a firewall yet to force all DNS requests to go through the Pihole, but I'm planning to.
- I won't run a Pihole container on my UDM as it will likely mess with future updates and settings, keeping things separate feels better.
- Sometimes I consider adding more blocklists but every time I do, something gets annoying somewhere and I usually end up reverting to the standard config.
My pet peeve has become to report login flows or frontend interactions that break when the tracking script fails to load because of my Pihole. It doesn't happen often luckily :-).
Obviously, people whose products rely on those ads and telemetry, won't be happy and will try to retaliate, for example, by refusing you service. This frequently happens because of my usage of VPNs and ublock. In that case I have an option to quickly turn vpn/ublock off for that specific web site or service. In your case it's not so easy.
Wouldn’t pausing pihole allow, say, a Roku box or “smart” TV to exfiltrate data that was previously blocked? This is why I use a VPN for certain websites to bypass pihole filtering.
Given Apple is doing this on their products its a choice they'll have to make. They either put up with it or lose active users along with word of mouth.
Plenty of ad-serving companies have found their way around DNS adblocking, including the top players in that market.
Encrypted DNS looks like any other encrypted stream, there's no reason for subversive apps to rely on DHCP provided DNS servers when they can be guaranteed to serve ads without them.
I recommend opnsense [0] over pfsense. I ran pfsense for 5 years and it is great, but there was some bad blood [1] between the two projects and the community.
I am aware of opensense, and while e.g. the GUI looks cleaner and seems to have more plugins, when I started checking it more in depth I think that pfsense has more thorough documentation and things like traffic shaping which i plan to implement seems to be way easier on pfsense
also have you done migration between the two? if so, how hard was it?
> have you done migration between the two? if so, how hard was it?
I tried the auto-migration in OPNsense (backup from PFsense, restore to OPNsense) a couple times. Both times it got it mostly right, but whatever it got wrong blocked pretty much all traffic and was difficult to figure out why because everything looked right. I gave up and stayed with PFsense, but figured if I ever really did want to switch I would start from scratch.
Yeah. You have a live logging tab and can either put the URL into a whitelist rule by clicking on the plus icon or manually input it into a whitelist setting.
Pi-Hole is brilliant. I set up[1] one few years back and used for over a year. Here are the issues;
- When I'm away from home and traveling, if something goes wrong, the Pi-Hole is usually the single source of that error, and is hard to solve by talking to my wife to walkthrough the settings.
- A few websites (India in my case), mostly government ones, do not work when Ads are blocked. Try paying LIC Premium or even login to LIC of India with your DNS modified, Ads Blocked!
- Wife want ads in some of her apps, "What did you do to my Ads!"
Since then, the family was on NextDNS[2] for almost two years - premium member hitting million+ request a month from a 4-member family. With NextDNS slow to update when macOS changes the way they deal with Private Relay, I stumbled on AdGuard's DNS[3] (in beta now). I already bought the lifetime (family) AdGuard license sometime back. So, I tried it and am on it now.
With the current setup, the last-mile choices of blocking ads or not blocking (for some website) is at the client (wife, daughter, and other devices). This works good so far -- everyone have a choice without being totally locked down. I have also taught my 13-year old daughter to keep a watch on Little Snitch.
Here is the typical settings for all of the devices in our family, which works well when inside the home or outside.
Apple's Private Relay (ON) > AdGuard with DNS Routing (OFF/ON) > (Optional VPN when needed) > Balanced/Bonded common ROUTER with minimal locked down settings > All of the ISP's entry routers.
Nonetheless, I've been meaning to tinker so I can have Pi-Hole sitting between our family and the Internet but optionally circumventable easily -- perhaps a big Amber Button which even my 5-year old can press and go into the Internet momentarily.
Edit: I forgot to add my thinking/concept/philosophy in all of this -- We should be able to walk out from most entrapments/situations/entities with minimal or no change needed.
I had this same issue with family members having issues with a Pi-hole on our network. I solved the problem by setting up a Tailscale network and setting the Pi-hole as the default dns server[1]. Once set up its as simple as a turning the Tailscale connection on or off if the Pi-hole blocking causes any issues. (Plus blocking works from anywhere!)
I also ran into the issue of a wife who didn't like the fact that I had set up a pihole, apparently it blocked a number of shopping websites she was regularly looking at.
At the end of the day I looked at a few of the sites with her and whitelisted a couple of them, but basically told her that (based on the lists I was using) if the pihole was blocking the site entirely then it was either straight spam marketing or the site itself was malicious in some way.
Similarly, my dad has a few email lists he is part of that route their links through something pihole tends to block, be it tracking or ad based, and I had to work with him to go to the website itself then find the articles he was after. Fully legit otherwise and I eventually found ad whitelisted the tracking domain on his pihole instance. He still says it is vastly worth it vs the ads he sees on his tablet when traveling or at other families homes.
That you can manage & think of this machine (program/process/container/vm) the same was as every other machine & dont have to ever ever ever ask "what should i do in this case?" or "what's right for this case?" because it's a unified answer that works well & operates the same everywhere.
Uniformity & no special cases. Death to pitiful old ways.
My experience is that as long as a rule has only one exception, people are pretty good at keeping on top of them. But that always leaves you the question of whether you want to burn that exception on the current project or save it for something better. Which then makes you very nervous when your coworkers start getting clever ideas and trying to volunteer (over-engineered) things as the exception. In the same way the best leaders often didn't want the job, the best exceptions are the ones you accept grudgingly, not enthusiastically.
Much more recently I realized that this phenomenon of One Rule, One Exception falls under the umbrella of - or perhaps explains the effectiveness of - the Rule of Three. Two exceptions are bad, and work is partially pre-empted to correct that problem.
Specifically relating to pihole (as of previous versions) it wasn’t the cleanest install uninstall experience and left a bunch of crap behind on my system.
I now run it in a docker container because of this, but I can’t speak to OPs motivations
I run everything in a Docker container because I have 50+ services running, and I don't want to spend any time on their inner workings. I truly couldn't care less. I only manage the access layers (configuration parameters, volumes, ports and reverse proxy). Using Docker every application is the same from a management perspective.
Not specific to PiHole, but perhaps keeping the OPs infrastructure management consistent may have monitoring and maintenance benefits.
And specifically mentioned in the very next sentence:
> The Pi Hole project already has a nice Docker project utilizing compose.
It is a supported configuration for PiHole so it fits in nicely, no need to even product their own docker based solution.
Not much of a docker user myself (I've tinkered, and we use it for some things in DayJob, but for my own stuff I use VMs or occasionally LCX if I do want a container instead), but the answer to your questions was really quite obvious.
Any special setup amongst your network takes excess work to maintain. In the case of Pihole, I gave up on maintaining it because I was running it on a Raspberry Pi, and found that it was annoyingly hard to keep a Pi running stable for a long period of time.
Had I a convenient way to set it up in a Docker container, it would've been better. Of course, since I don't run anything in Docker at home, that would also constitute a special setup I have to maintain.
Yeah, docker simplifies deployment and maintenance/rebuild time. I've stuck to fairly clean/default setups on any computer I use to keep rebuild time down or at least try to use the built in/simple tools of whatever OS I'm using and Docker is the perfect version of that for small services. I say all this of course while running pihole on a pi4 that also serves DHCP so I don't have to mess with it much...
I used to run pihole on various Linux distros I was testing for home server stuff. It used to be that some distros needed a few packages added to support pihole properly but nowadays the app itself is more streamlined and/or most common distros include the minimum components. I think pihole did focus on streamlining to enable easier docker support which is where I should be putting my install whenever I get back to messing with the homelab. I've been working in windows systems for work so everything is currently Win Server based which plex doesn't seem happy with but is easier than running the whole thing as VMs on my older hardware.
Yeah, I'm more comfortable in the Windows space personally. My Sandstorm server is Linux but I don't really want to try running something else side by side with it. It looks like a Linux container on a Windows Server is technically possible, but it looks nontrivial enough that I am not sure I want to do it on my domain controller. :D
The real advantage is another layer of complexity, so you can write a blog post about running PiHole on a home network, which done by a billion other people (conservative estimate).
It's much simpler. A lot less arcane knowledge is needed to get something running, and even less to clean it up completely if you need to delete it or start over for whatever reason.
for those who want something effective outside of their home network...
ublock origin works fine as a plugin in firefox on android, and blocks ads just as effectively on firefox on desktop.
the ability to install arbitrarily chosen firefox compatible plugins on firefox on android is a huge deal for me. it makes it almost as powerful and useful as firefox desktop.
the only time I need to touch chrome anymore is when using some rare 1% of online shopping website that seems to think a firefox useragent is a bot.
Every time I've tried pihole it has failed on services like YouTube. Can someone explain this to me and how I solve it? I know it's not just me, it even happened to Linus Tech Tips but I constantly hear responses "works for me" which are unhelpful. If ublock works fine, why can't pihole? I'm actually interested in a technical answer.
Pihole only works if ads are served from a distinct domain name from content. This works in most cases but YouTube serves ads and content from the same place so pihole can’t prevent. As uBlock works client side it does not face this limitation
So wouldn't there be a way to intercept the data and apply the same blocking that uBlock does and then resend it? I know it would have a delay, but that'd probably be worth it to me tbh.
It would be very hard to do so because SSL prevents middlemen from intercepting and modifying data. You'd have to install custom SSL certificates on all devices connected to your network like businesses do. PiHole would then use a copy of that custom certificate to decrypt the SSL, inspect/modify the contents, re-encrypt the contents with a normal SSL certificate, and send it off to its final destination.
I've looked into this and it seems like there is no software out there that makes this easy. For it to be convenient enough to make sense, I think there would have to be some router 'login' page which makes downloading and installing the certificate as easy as possible. But, even 'easy as possible' would probably be too inconvenient for any guests who just want to use your wifi. Maybe it could be optional somehow. Don't install the custom certificate? Fine but you'll still get ads. Install the custom certificate? Awesome, your ads will be blocked.
PiHole works by blocking domains. Few years ago it was like youtube.com served videos and ad.youtube.com (just an example) served ads.
Back then you could simply block ad.youtube.com and there would be no ads but today Google is serving ads via their main domain. You can't block ads unless you block youtube.com.
So now no DNS based adblocker can block YouTube ads. uBlock is the only option which works inside browser only.
PiHole blocks at a DNS level, uBlock blocks down to the page element level. If the ads are coming from the same domain as actual content, a DNS block can't be used since you'd be blocking the content that you're trying to view.
When your device sends out requests to the internet, the vast majority of them are encrypted with SSL. SSL encrypts your requests so that middlemen can't inspect or change the content of your requests. Without SSL, anyone would be able to do anything with your data, which of course would be a massive security problem that just cannot happen. Unfortunately SSL also means middlemen adblockers (like PiHole) can't see or modify the contents of your requests either. The only way for PiHole to block requests is by using the only necessarily unencrypted part of the request: the destination IP address.
Without being able to read the destination IP address, all the middlemen between your device and your destination server, wouldn't know where to forward your request. Your request would never make it to its destination website. The destination IP address is retrieved when you access a website. When you type google.com into the address bar, your computer sends out something called a DNS request to something called a DNS server. That DNS server sends back the destination IP address for the website you're trying to access. This DNS request is unencrypted and so PiHole can simply intercept it before it leaves your network, check if it's an ad domain, and if it is an ad domain, send back trash data to your device instead. Your device, unable to retrieve the destination IP address, is now blocked from accessing that content.
To prevent people from being able to block their ads via DNS, Google hosts ads on domains which are critical to using their services. For example, YouTube ads might come from youtube.com. This way, if you block YouTube ads using PiHole, you are also blocking the entire YouTube service as well.
UBlock Origin and other browser-based adblocking tools are able to block with a more fine-grained approach because they live in your browser and don't have to worry about SSL.
Pihole only see dns query. It doesn't see the full url. On the other hand, ad block extensions can see the whole url and can decide to block them while allowing other requests to the same domain through.
I think you should install both though. Pihole can block ads on apps, and can block CNAME cloaking.
Note that pi-hole can also be used by only installing the DNS resolver, without the web server and UI, which allows it to be installed on any tiny Linux system as well.
Additionally I can recommend the "Privacy" web browser on Android combined with the "Rethink DNS" firewall.
Both are amazing tools that help speed up your phone, and allow you to even filter ads out of specific apps that use e.g. an embedded cloudflare DoH resolving mechanism.
If you want to dig deeper, there's always the Aurora App Warden and Permission Manager X which allows you to modify other Apps and remove their Activities and Services that are coming from ad frameworks.
I run the combo Wireguard/Adguard, what is nice is that only the Wireguard clients have the DNS filter and the rest of the network is not affected. Also I have the filter when away from home. And another advantage to setting Adguard as DNS server in the router is that the clients are split in the analytics overview (otherwise it looks like there is only one client, the router and you can't set different filters for different clients).
I do still have issues with keeping Wireguard running when I switch from lan to wan with my phone, so for now I'm setting it as conditional (only Wireguard on when outside of lan).
I ran Pi Hole (and AdguardHome) for years, but eventually just upgraded to NextDNS instead. It works almost the same (minus the DHCP stuff), but instead of just working on your LAN, it works on every device all the time.
It works with any device you can install it on but not for example on cheap tv sticks, smart devices and other IoT stuff which still may be infested with adware phoning home every second. I’ve been using pi-hole at home and NextDNS/VPN outside as they’re more complementary than overlapping.
I have my router hand out NextDNS resolvers per subnet, so that each VLAN uses a different NextDNS configuration. I use the NextDNS CLI[1], so i can take advantage of local DNS caching while at the same time using NextDNS.
Our phones and smart devices all use either DoH or hardcode a specific DNS resolver. I haven't spent the time going all the way down to re-routing all port 53 traffic, but I doubt it'll do much.
To me the future of the home network is largely dead as long as I can't reasonably manage the software on these devices.
I'm not sure about Android, but you can disable iCloud Private Relay by returning NXDOMAIN for the domains below. These are Adguard filtering rules, but you can configure something similar using dnsmasq or Pihole.
I use these to automatically disable iCloud private relay, and I also have rules on my edgerouter to force certain devices to use my adguard instances for port 53 traffic, and it works well.
I don’t know how you maintain your hosts list, but with a solution like pi-hole, you can easily subscribe to multiple blocking filters and have them update periodically without any intervention. Of course, you could automate your hosts update too, but pi-hole comes with this built-in.
This is essentially what pihole does, but automatically, using shared lists of ad networks (you can add your own easily). And it’s available to things on your network where you can’t or don’t want to edit etc/hosts
(My smart tv used to love to shove ads in my home screen)
It’s an elegant and efficient way of taking back control of your network and the content It shows you.
I run it in a pi zero w with a little wooden case and a low power phone charger (500ma) I Velcroed it to my router.
Not sure about now, but before I'm using pihole, I was using hosts file to block ads and found a significant increase in network latency. Turns out the huge hosts file significantly increased DNS lookup time in my system (>1 seconds).
Like you said, convenience of propagating the blockage to all devices, a central place for configuration, stats/diagnostics built into PiHole dashboard. I do like your DIY approach, though!
You should have both. One is for network wide effects, so anything on your network will have ads blocked (smart TV, projector, phones etc.), another is for youtube and friends.
Ad blocker extensions only block ads on the browser they're installed. Pi hole would block ads on all devices they're connected in, in all apps (not just web browser) as long as the ad domains they requested are in the blocklist.
Also, ublock origin can only protect you from CNAME cloaking (a commonly used to evade ad blockers) on firefox. It can't protect against CNAME cloaking in chrome or other browser. But pihole can.
You should still install an adblocker in your browser though as some ads are loaded from the same domain they're serving site contents from, such as youtube ads. Ad blockers can remove ads based on full urls, not just domains.
If you’re willing to add and maintain an ad-blocker in every single of your browsers (and potentially your family’s) and don’t care about non browser apps it’s virtually the same.
This was the kick in the pants I needed to finally set up one of these. It took 20 minutes to get up and running, and half of that time was finding a wall USB adapter to power it. Easy peasy lemon squeezy.
I love ad blockers such as this and uBlock Origin, they truly will make your experience cleaner than even offering to pay for services will, but you have to be careful to not fall into the "wow, <x> percent/count of my requests were for ads that's crazy!" trap when looking at their statistics. Often when services cannot reach something they are set to retry so it's very easy to turn 1 actual request into 100s of blocked retry-requests in statistics panel.
Can confirm, pihole is great. I put in two for redundancy, helps make sure nothing gets through. No negative impact on network perf, as it only touches DNS and plenty fast for that.
Yes, exactly. DNS settings on router makes that easy, just give each pihole a static address and point DNS to them. The address are listed in priority.
You'll need to make sure that you block popular DNS IPs like 8.8.8.8 because some devices (like Amazon's Fire Tablets) hard code the DNS address as backups.
I have both Pi Hole and browser ad blocker plugin, the biggest problem is, sometimes a website does not function well or everything just loads extremely slow, I then have to spend some time debugging my network to know what is going wrong.
I remember seeing an online service that provides the functionality of Pi Hole, blocking ads, protecting privacy and significantly speeding up browsing. Anyone familiar with it? If you’ve tried it, did you like it?
Yeah I run diversion and skynet on my Asus ac1900p running asuswrt-merlin. Been like that for a couple years now. It's great. Stuff like this should just run in the router if ya can.
My favourite channels on Youtube, once they become large enough they start to include sponsoring/ads. Production quality goes up, but my enjoyment and trust goes down. I prefer the old hobbyist internet over this manipulative and shallow ad-driven one. So I install adblockers on every system and I don't understand people that look at ads to support content creators. If you want to support, then why don't you use Patreon or subscriptions? (I wish micropayments had worked out)
A lot of shady advertising brokers also push malware. And many sites are only able to be used with some type of ad blocker because of how intrusive the ads are. Also the bandwidth savings can be huge in bandwidth constrained environments.
It’s different but has some similarities. This blocks all kinds of configured (DNS) requests from your devices, even from apps and operating systems, whereas Brave browser only blocks ads on the browser. One drawback is that this solution does DNS level blocking, and cannot handle any web page element-level blocking that may be possible in some browsers.
This article didn't actually test their network's latency / throughput before and after this. I don't think ads / metrics passively use a ton of bandwidth no I doubt the author's claims.
Have you read about the subject or measured it on your own?
Use the networking section of the developer tools in your browser. On a mainstream site I was just visiting, the page itself was about 50 kilobytes and it downloaded just under 3 megabytes of ad and tracking JS.
I was excited to try this once as a weekend project. Got it all set up and working so my desktop sent DNS through the Pi. Then went to set the router to use it instead, and it was a no-go. Comcast routers don't allow you to change the DNS settings.
Of course I could've bought a new router and set that up to work between the Pi and the Comcast one, but that was more than I wanted to put into it.
Now I have a different service with a different router, so if I can ever find the Pi, maybe I'll try it again.
I'd highly recommend going the network-wide route with router DNS settings. You might have some luck finding a pi here: https://rpilocator.com/ .
I set up a Pi-hole for my home network easy enough on a Fritzbox router, with the Pi-hole as DNS. I've since gone a step further, and now use the Pi-hole for DHCP too. The router now just routes.
https://github.com/boostchicken-dev/udm-utilities/tree/maste...