I make these suggestions during all conversations about PiHoles:
Use Class A2 microSD cards (they'll last significantly longer... particularly if you keep logs). There are additional 3rd-party installations which can write into RAM, but IMHO it's easier for most new users to just buy better NANDs.
Set up more than one physical Raspberry Pi, running multiple versions of PiHole software on multiple IP addresses.
Have your main DHCP router auto-issue DNS information for your "most permissive" PiHole, with a minimal list of choice URL-blocks (e.g. pagead2.* , doubleclick). Individual clients can then manually change DNS server to 2nd (3rd... 4th...) PiHole(s) which are each more-restrictive.
This allows non-technical users to still browse somewhat ad-free, but also won't block banking/govt/etc for novices. As a failsafe, teach users to enter your router's IP as DNS x.x.x.1 [should they ever need to bypass local filtering, entirely].
I use sequential IP addresses [192.168.0.6, x.x.x.7, x.x.x.8, x.x.x.9] so it's easier to explain/teach my network's ad-blocking capabilities. YES, I understand that Pi-Hole allows different clients to follow different rulesets, but if you can afford to buy redundant hardware it's just so much easier to change the client DNS server information when a specific website isn't working correctly [due to an erroneously blocked host].
I set up pi-hole recently after hearing about it for years. I was kind of surprised at a lack of really basic features (imo):
There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.
> It's also not possible (or not clear) how to have different behavior for different clients
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
It's slightly more complicated. What you are suggesting works if (1) you are using Pi-hole as a DHCP server or (2) all your devices are individually configured to use the Pi-hole IP address for DNS resolution. What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
> What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
That depends entirely on what capabilities your router has.
Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.
Other less capable routers only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.
But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).
Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.
FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.
And if your gateway device is configurable enough you can ban or redirect port 53 requests (DNS) to whatever machine you would like to use to serve up resolution.
DNS doesn't have redirection like HTTP has, so what you describe can only be implemented using port forwarding (or SSH tunnelling, but I've never seen a router with the ability to tunnel DNS in this fashion?).
Port forwarding used like this won't enable one to use the 'groups' functionality on PiHole — which was the (g)parent thread here — because all requests arriving at the PiHole will come from the same client, i.e. the router. Because port forwarding is more like a proxy than a redirect (to use HTTP terms).
The correct solution here if one wishes to use PiHole's groups — and not have a janky network configuration like you describe here (an extra unnecessary hop for local DNS) — is to either (a) use the router's DHCP settings to tell the clients to use the PiHole IP for their DNS, or (b) disable the router's DHCP and simply use the DHCP that PiHole provides, which is at least as good as what most routers provide (and more configurable than most routers also, should one need to).
> That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.
That's the first time such a thing has been mentioned in this thread.
But I now get what you're trying to say in your comment above.
Sure, one can use e.g. iptables to forward all outbound traffic on some port to some local IP. If your router has such capabilities.
But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.
And of course it wouldn't work if the device is using DoH.
But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.
The better option is to configure DHCP to hand out the Pi-hole as your DNS server. If your router cannot do that, but you want to go deep enough to configure your home network with a Pi-hole, you should probably also invest in either a better router or OpenWRT on your current one to get a few more features.
Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.
DNS-over-HTTPS is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.
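The router-side rules discussed in the two comments above (steer a device with hard-coded DNS to the Pi-hole while excluding the Pi-hole itself from the rule, and drop any other outbound port 53), written out as an added example. This is not Pi-hole code and not from any commenter. It assumes an iptables-based Linux router (OpenWrt-style) with the LAN bridge `br-lan` and the Pi-hole at 192.168.0.6; both names are assumptions. Two details the prose glosses over: the DNAT needs a hairpin MASQUERADE because client and Pi-hole share a segment, and that MASQUERADE means the Pi-hole sees the router as the requesting client, so per-client groups do not apply to hijacked devices, exactly the limitation pointed out earlier in the thread. Devices using DoH still bypass all of this.

```shell
#!/bin/sh
# Added example: router-side port-53 steering for a Pi-hole LAN. Not Pi-hole
# code. Assumed: an iptables Linux router (OpenWrt-style), LAN bridge br-lan,
# Pi-hole at 192.168.0.6. Set DRY_RUN=1 to print the rules instead of loading them.
PIHOLE="${PIHOLE:-192.168.0.6}"
LAN_IF="${LAN_IF:-br-lan}"

ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Hijack: a device with hard-coded DNS gets its port-53 traffic DNATed to the Pi-hole.
dns_steer_rules() {
    for proto in udp tcp; do
        # "! -s $PIHOLE" is the loop guard: the Pi-hole's own upstream queries
        # traverse PREROUTING too and must not be sent back to itself.
        ipt -t nat -A PREROUTING -i "$LAN_IF" ! -s "$PIHOLE" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$PIHOLE"
        # Hairpin: the Pi-hole sits on the same segment as the client, so without
        # source NAT it would answer the client directly from 192.168.0.6, and the
        # client, which asked e.g. 8.8.8.8, would discard that reply.
        ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$PIHOLE" -p "$proto" --dport 53 -j MASQUERADE
    done
}

# Fence: whatever still tries to leave the LAN on port 53 and is not the Pi-hole
# is logged and dropped. FORWARD sees the post-DNAT destination, so traffic already
# steered to the Pi-hole must be excluded with "! -d", or the hijack above breaks.
dns_block_rules() {
    for proto in udp tcp; do
        ipt -A FORWARD -i "$LAN_IF" ! -s "$PIHOLE" ! -d "$PIHOLE" -p "$proto" --dport 53 \
            -j LOG --log-prefix "dns-bypass: "
        ipt -A FORWARD -i "$LAN_IF" ! -s "$PIHOLE" ! -d "$PIHOLE" -p "$proto" --dport 53 -j DROP
    done
}

# Render both rule sets without touching the firewall (review this before applying).
preview_rules() {
    ( DRY_RUN=1; dns_steer_rules; dns_block_rules )
}
```

Run `preview_rules` first and check that every DNAT and DROP line carries the `! -s 192.168.0.6` exclusion; then call `dns_steer_rules` and `dns_block_rules` without `DRY_RUN` as root to load them. The LOG rule is what tells you which device was ignoring DHCP in the first place.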
It works for me and I don't use Pi-Hole as a DHCP server or have any of my devices individually configured. I have my router acting as a DHCP server and have it tell clients to use my Pi-hole for DNS. Some routers' default firmwares don't let you do this, but most OpenWRT and Tomato and the like should.
Using clients and groups works fine for me. I'm able to block youtube on my kids' devices, but allow it on others. I have pihole running in a container without being my dhcp server.
Not OP but we can assume when he's talking about blocking Youtube, he's in fact blocking youtube for his kids, not Youtube ads. Pi-hole can't block Youtube ads as they are delivered by the same servers as content. Then you can't block one without blocking the other.
Just go to PiHole's "Domains" page, in the box labelled Domain, type youtube.com, enable the checkbox for Add domain as wildcard, then click the button labelled Add to denied domains.
Now youtube.com and all of its subdomains are blocked, for all clients.
If you wish for it to only be blocked for some clients, then assign your clients to groups, and set the setting appropriately on the domains page.
Previously, PiHole used /etc/dnsmasq.d/ with best practice being to put one's own additional config, or overrides, in separate file(s) in that folder.
PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).
But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.
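Putting the DHCP approach from earlier in the thread (router DHCP off, Pi-hole's dnsmasq serving leases and handing itself out as the DNS server) together with the v6 `/etc/dnsmasq.d` note just above, as an added example that is not Pi-hole project code. Assumptions, none of them from the thread: the Pi-hole/DHCP server is 192.168.0.6, the router stays the gateway at 192.168.0.1, a second stricter Pi-hole sits at 192.168.0.7 (the multi-Pi-hole layout suggested at the top of the thread), the TV's MAC address is made up, and `pihole-FTL --config misc.etc_dnsmasq_d true` is the v6 toggle that re-enables importing the folder as I understand it; verify that against your install.

```shell
#!/bin/sh
# Added example: a dnsmasq drop-in for Pi-hole's built-in DHCP that hands the
# Pi-hole out as DNS and steers one tagged device to a stricter resolver.
# Not Pi-hole project code. Addresses and the TV MAC below are made up.
DNSMASQ_D="${DNSMASQ_D:-/etc/dnsmasq.d}"       # override for testing
PIHOLE="${PIHOLE:-192.168.0.6}"                # permissive Pi-hole, also the DHCP server
STRICT_PIHOLE="${STRICT_PIHOLE:-192.168.0.7}"  # second, stricter Pi-hole
GATEWAY="${GATEWAY:-192.168.0.1}"              # router stays the default gateway
TV_MAC="${TV_MAC:-aa:bb:cc:dd:ee:ff}"          # constructed MAC for the smart TV

render_dhcp_conf() {
    cat <<EOF
# Router DHCP is off; the Pi-hole at $PIHOLE serves leases. Clients get the
# router as gateway but the Pi-hole as their only DNS server.
dhcp-range=192.168.0.100,192.168.0.199,255.255.255.0,24h
dhcp-option=option:router,$GATEWAY
dhcp-option=option:dns-server,$PIHOLE

# Fixed lease for the TV so a Pi-hole client group keyed on its IP stays
# stable; the set:strict tag marks it for the override below.
dhcp-host=$TV_MAC,192.168.0.50,smart-tv,set:strict

# Tagged clients are handed the stricter Pi-hole instead of $PIHOLE.
dhcp-option=tag:strict,option:dns-server,$STRICT_PIHOLE
EOF
}

# Write the drop-in and print its path.
write_dhcp_conf() {
    mkdir -p "$DNSMASQ_D"
    render_dhcp_conf > "$DNSMASQ_D/02-lan-dhcp.conf"
    printf '%s\n' "$DNSMASQ_D/02-lan-dhcp.conf"
}

# Syntax-check the drop-in with dnsmasq itself; returns 2 if dnsmasq is not installed here.
validate_conf() {
    command -v dnsmasq >/dev/null 2>&1 || return 2
    dnsmasq --test --conf-file="$1"
}

# Pi-hole v6 stops importing /etc/dnsmasq.d by default; this is the toggle that
# re-enables it (assumed v6 setting name; check `pihole-FTL --config` on your install).
enable_dnsmasq_d_import() {
    pihole-FTL --config misc.etc_dnsmasq_d true
}
```

Typical use on the Pi-hole host: `f=$(write_dhcp_conf) && validate_conf "$f" && enable_dnsmasq_d_import`, then restart FTL. The tag trick is what makes "one permissive Pi-hole for everyone, a stricter one for specific devices" work without touching each device: the lease itself tells the TV which resolver to use.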
One of the SaaS services I get the most value out of is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
I think I'll never buy a smart TV what an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.
My cheap Android phone installs games by itself, e.g. Candy Crush, ugh. My own fault, I get it: buy a $2K phone instead of a $160 one.
Most non-smart 4K screens are more expensive than 4K smart TV screens though. Really weird, because there's less stuff in it. I just want a nice 50" 4K screen with HDMI and DisplayPort. I don't use all the other junk anyway, since I watch TV via a computer and sound goes to a surround set.
I've had a little insight into this world. To make the BOM costs work at the retail prices they charge for things like common set-top streaming boxes (e.g. Roku) and, now, TVs themselves since they incorporate the same stuff, they have to be selling data. Otherwise they're selling at a loss, once you factor in middleman margins and such.
You can try to compete by charging a reasonable amount for your hardware and software, but you'll be competing against economy of scale and wrestling for shelf-space with products that are (don't forget retail percentage mark-up) at least 30% cheaper than yours, which means your units don't move, which means you don't get (or keep) shelf space, and hello death spiral. Also if you somehow manage to make it despite that, as soon as an MBA gets in charge you'll just switch to selling data, too.
I only didn’t mention that because I’m not sure how much spying they do. I’d bet it’s a lot less, but probably still too much.
But yes, that’s what I have, two of them in fact. Tried a Shield, sucked, should have just gone straight for Apple TV instead of trying to pinch pennies.
A follow up question is, what does the transaction look like. Bulk DB dump or JSON files per person, spreadsheet, that would be interesting like race, interests, budget...
Looking at Vizio's financial records[0], the numbers make it clear.
They separate everything into 2 distinct businesses, Device and Platform+.
Device represents their hardware business of selling physical TVs and soundbars. Platform+ covers all of their other "software-related" business, mainly consisting of ad delivery and selling user data to third parties.
2019:
- Device Net Revenue = $1.7 billion
- Device Gross Profit = $125 million
- Platform+ Net Revenue = $63 million
- Platform+ Gross Profit = $40 million
2023:
- Device Net Revenue = $1.0 billion
- Device Gross Profit = -($8.6 million)
- Platform+ Net Revenue = $598 million
- Platform+ Gross Profit = $364 million
So over the course of just 4 years:
- hardware revenue is down 40% and is actually losing money (confirms they are indeed selling the TVs at a loss)
- Ad/user data revenue, however, is up almost ten-fold (+949%)
- total gross profits of the two combined are up over 54%
No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.
Is there an equivalent of DDWRT/OpenWRT but for TVs?
Most often those are some embedded Linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?
Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.
> Is there an equivalent of DDWRT/OpenWRT but for TVs?
Get a used mini-PC, install Linux on it, and don't allow the TV to connect to any networks. This is a 50-75 dollar solution. Good if you are on a budget and are not interested in any whiz-bang features like HDR.
There are a few TV-dedicated Linux systems out there, like LibreELEC.
Or get a more powerful system with an AMD GPU and install Bazzite on it. That way you get something like "SteamOS for your TV". Pairs nicely with controllers like 8BitDo.
It would be nice to have TVs as open as PCs, but the manufacturers and media companies are run by dirtbags and would rather have victims than customers.
As someone who tried that route I'd strongly recommend against it for anyone who isn't core HN audience or just loves tinkering. You're much better off with an Apple TV or an Nvidia Shield unless you really want the "beefy gaming media center".
I walked the mini-PC/RPi road and they came up short every time even for me, let alone the rest of the family. Even when I put in place the perfectly optimized initial setup I was still left with a bad compromise of performance, power consumption, noise, boot time, ergonomics, and the constant trickle of things breaking down or needing tweaking because of some update.
When trying to watch a movie with the family the last thing I want is to troubleshoot random issues.
I just use an old macbook air with a bluetooth keyboard that also has a touchpad. The thing is in sleep mode when not needed, so it wakes up fast and does not need a lot of energy. With that setup I can access whatever media I want, have a solid adblocker and a browser with a real keyboard.
> with a bluetooth keyboard that also has a touchpad
Different strokes for different folks, having to use a keyboard to control my TV is for me one of those usability compromises I preferred to avoid. It's probably related to how I use the TV, things like browsing the web were never on the list of requirements. I'll have a phone, tablet, or laptop at hand for that.
I've had a MSI Trident functioning as a gaming/HTPC computer for years and the family loves it. They know how to browse the various streaming services and use Steam and Kodi.
This is diverging quite a bit from "a smart TV replacement". Especially if Steam is a requirement.
The gaming PC you have there is probably exactly the combination you want. But for most others it's the compromise to avoid I mentioned above. It delivers the console and TV/media center experience but with the full PC power consumption, noise, boot times, maintenance effort, and inconvenient controls.
The cheapest Trident I can find on eBay costs more (by 2-5x) than an Xbox and an Apple TV together. And these 2 deliver their respective experiences with far fewer compromises.
> They know how to browse the various streaming services
Knowing how to use it is just the bare minimum requirement. With an Apple TV for example you can do the same with almost instant startup time, 0 noise, 0 maintenance, ~1-2W streaming, and a small remote control. And probably has less ads than the average Windows computer :). I found the "right tool for the job" more appropriate for my use case but that might not work for everyone or all the time.
Things just happened that led to that optimised state of using one device for all (the MSI). Nevertheless the main question was about a nice 4K screen. :)
One difference between Monitors and TV used to be that Monitors used RGB Subpixel-Layout and TVs used BGR. (i.e. TV panels are upside down)
Configuring subpixel layout per monitor is something that most OSes won't allow.
So if you use several monitors, you usually have to mount the BGR-ones upside down. (Otherwise fonts will be blurry...)
For some time now there are really cheap 4K Monitors with BGR-layout available. If you mount those upside down you're fine... (I use LG 4K Monitors mounted upside down in combination with other screens)
Subpixel hinting isn't that useful at high DPIs though. Apple has ditched it entirely in macOS, regardless of monitor DPI, and gone back to standard anti-aliasing.
Bear in mind I went down this hole years ago, so these could be solved problems, but in my experience monitors speak a set of more useful modes (resolution and refresh rate combos) and TVs often need to be trammed in a bit, the default screen position not being properly centered in all cases.
Yeah exactly, as also others point out in the thread, if you want "TV-sized monitor" you will pay more than for a TV, and probably get worse panel, lower brightness, etc. Hence it would be useful to buy "smart" TV and turn it into a monitor instead.
Would be fun if someone could hack those OSes indeed.
It could make a nice CrowdSupply project, except for the cheap distribution of the huge packages. Sounds not that hard though: just get some nice 50" 4K smart TVs and remove all the junk. Cool features like DP daisy chain or something and one could have a nice project. But I'm guessing there is (too) much money to be made in user info and ads. :(
Because just like virtually everything in the embedded SoC ecosystem outside of the RPi competitor SBC crowd, the TV embedded board likely has a chip with little or no doc (with or without NDA), and unlike a Pi-ish SBC there's probably not even an unsupported, outdated kernel linked with a ton of opaque proprietary blobs hidden on an obscure Chinese language web site to try out.
Maybe there are smart TVs out there with a SoC that's been reverse engineered enough to do something with. If there is, that should be shouted from the rafters. But I kinda doubt it.
I have a 'smart tv'. I don't allow it to connect to any network.
The only really annoying thing about it is that noises from TV shows or the house sometimes trigger the voice recognition, which fails, and then you have to click through the error message.
I just have never connected my Samsung TV to the Internet. My streaming all goes through my Roku. When the TV turns on it displays a splash screen asking me to connect to the network, which disappears after about 15 seconds and never comes back until I turn the TV back on.
I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.
If you use an Android device, you have the potential to live an ad-free life:
- Use Firefox with Ublock Origin and BypassPaywallsClean to avoid ads and Paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.
Yes, those are the "smart" features. Just plug in a Raspberry Pi and don't touch the TV after its initial setup. I'm still using the same Raspberry Pi 2 I've been using for more than 5 years now. Beats "smart" TVs that you can buy today.
It only has a 100Mbps Ethernet jack, yes, but so do both of my TVs.
I don’t have any HEVC media so I’m not sure there, but the lack of 4K output would be a big stopper for me.
I’m also not sure about the streaming services it would support, but chances are if you're running off of a Pi2, you’re sailing the seven seas for media. Will that thing even play YouTube in a browser at this point?
Nah, I used to have a YouTube plugin that worked years ago but don't any more. I don't use it for "TV" purposes, though, it's more of a home cinema device. I don't have background screens in my house.
But my point wasn't literally to use a Raspberry Pi 2, just that you can get cheap low power devices that beat "smart TV" crap. You can of course get much more recent ARM-based boards that support all the latest HD standards etc. I don't do the hedonic treadmill, though, so I'm still happy with 1080p Blu-ray.
Can't disagree with that. If it's still fulfilling its purpose, why change?
Smart TVs really aren't very smart and a nicely ripped 1080p Blu-ray often looks better than what the streaming services will stream you anyway.
I don't think I'd even have a TV if it were just me. Wife and kids seem to need one though, so simplicity counts. What would they do if they couldn't watch people who watch people play games?
I let one of my cheap smart TVs update for this reason (and not the other two identical ones I have) and now that one crashes and lags all the time, despite none of them being on the internet.
Embedded device software development quality is usually even worse than webapp software development quality.
My TV after a recent update has begun randomly crashing with audio looping for a few seconds before rebooting. When an update comes through for that you can be damned sure I’ll be disabling all future updates.
Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.
I recommend putting all these things on their own VLANs with strict routing rules.
For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.
On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.
This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.
Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.
Smart/iot devices using DoH (or other encrypted DNS) is a headache that would need to be solved at the router (mitming/redirecting to your preferred provider? or straight up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.
It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.
And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.
Thanks for giving my glib comment the credibility it didn't deserve.
Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...
I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of that were related to the fact I worked for companies that had domains blocked.
The only times I have seen this happen is when the remote devices were communicating with something on blacklist (which should be concerning anyway, but also a quick fix if not) or doing something naughty like not using the DNS server broadcast by DHCP.
I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for the average home user who are probably needing to expand their networking knowledge just to distribute custom DNS via DHCP.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
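The "log, don't enforce" mode asked for earlier in the thread can be approximated outside Pi-hole by replaying its dnsmasq-format query log against the list you intend to deny. The script below is an added example, not a Pi-hole feature and not the project's code. The log lines and the block list are constructed for the example; the match walks the domain's label suffixes so that `doubleclick.net` catches `static.doubleclick.net` but not `notdoubleclick.net`, which is the "add domain as wildcard" semantics described later in the thread rather than a naive substring match.

```shell
#!/bin/sh
# Added example: "would be blocked" audit over dnsmasq-style query log lines.
# Not a Pi-hole feature and not Pi-hole code. The block list and log lines
# below are constructed; the line format (query[TYPE] domain from client) is dnsmasq's.

# Constructed deny list with wildcard semantics: an entry also covers its subdomains.
BLOCKLIST='doubleclick.net
pagead2.googlesyndication.com
ads.example'

# Constructed log lines: three matches, one clean query, one reply line, one
# near-miss (notdoubleclick.net) that a substring match would wrongly flag.
SAMPLE_LOG='Mar  1 20:15:01 dnsmasq[812]: query[A] www.example.com from 192.168.0.20
Mar  1 20:15:01 dnsmasq[812]: query[A] pagead2.googlesyndication.com from 192.168.0.20
Mar  1 20:15:02 dnsmasq[812]: query[AAAA] static.doubleclick.net from 192.168.0.31
Mar  1 20:15:02 dnsmasq[812]: reply www.example.com is 93.184.216.34
Mar  1 20:15:03 dnsmasq[812]: query[A] notdoubleclick.net from 192.168.0.31
Mar  1 20:15:04 dnsmasq[812]: query[A] cdn.ads.example from 192.168.0.40'

# dry_run_audit LOG_TEXT BLOCKLIST_TEXT
# Prints "WOULD_BLOCK <client> <domain> <matched-entry>" for each query a wildcard
# entry would catch. Nothing is blocked; non-query lines are skipped.
dry_run_audit() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, entries, "\n")
            for (i = 1; i <= n; i++) if (entries[i] != "") blocked[tolower(entries[i])] = 1
        }
        $5 ~ /^query\[/ {
            domain = tolower($6); client = $8
            # Walk the label suffixes: a.b.c -> a.b.c, b.c, c
            d = domain
            while (d != "") {
                if (d in blocked) { print "WOULD_BLOCK", client, domain, d; next }
                idx = index(d, ".")
                if (idx == 0) break
                d = substr(d, idx + 1)
            }
        }'
}

# Per-client tally: "<client> <count>", the view to scan before turning blocking on.
audit_summary() {
    dry_run_audit "$1" "$2" | awk '{ count[$2]++ } END { for (c in count) print c, count[c] }' | sort
}
```

On a real install you would feed it the actual log and list, e.g. `dry_run_audit "$(cat /var/log/pihole/pihole.log)" "$(cat my-candidate-denylist.txt)"`, and keep iterating on the list until the summary shows only things you actually want gone.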
You can definitely set client groups, either based on CIDR, MAC (if on the same network segment) or individual IP. From there, you can assign different domains and list to the specific groups.
You'd be hard pressed to find that an auditing mode would be helpful. Even once you hit that big red button, depending on the blocklists you use you will come across false positives that cause issues.
The way I handled this issue for my family and devices is just by having two SSIDs - one with pihole blocking and one without. If it’s interfering with something me or my wife can just switch to the unblocked network temporarily.
I've been using AdGuard Home, which does pretty much the same thing, but is slightly better polished, with things like support for DoH and OSs other than Linux.
I used to use NextDNS, but pi-hole is such low maintenance it makes no sense to pay for a third party service and additional latency to do ads filtering. I set up pi-hole on an Arch Linux for ARM installation on a rPI 3 like 5 years ago and haven't touched it since. Still chugging along nicely.
The big benefit of running a DNS server locally is caching. Using any external provider means you have to go out to the internet for every single request.
With a local server, most requests are fulfilled from the local cache.
Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.
I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.
I think my PiHole is up for 3+ years on a Raspberry Pi dedicated to that task. Did not fail once since then, so not sure if "DNS is going down" is really an issue. But maybe I've got survivorship bias.
Living in a North American city with power wires being above ground, I have had so many power outages in the last five years, it was kind of a crazy thing to get used to. My Pi would not deal well with power outages when running through the SD card and so I stopped using it.
I ran it on an old laptop and never had issues. The extra RAM and CPU + an actual hard disk gave me ~99% uptime, even after power outages: no SD card corruption. The laptop auto-rebooted on crash too.
I've had a raspberry pi and pihole going on the same SD card for approximately seven years now.
I also regularly reboot the pi by simply cycling power.
The solution was fairly simple. Send the linux log files to /dev/null (or whatever it is actually called, i.e. RAM) and disable query logging in pihole.
I live in Vancouver BC, we have a power outage every 1-2 years due to high winds or fallen power poles. I noticed some devices on my home network whilst connected to power have power quality issues too, no doubt a UPS would help here.
Why not run pi-hole in one of those kubernetes clusters for Raspberry Pi, and don't forget to set up a UPS for redundant power supply.
Or: in the rare eventuality that your raspberry pi dies, it takes 15 seconds to open your router interface and reset to the ISP DNS. Work smart, not hard.
I dare you to tell my wife how easy it is. I still remember OpenDNS being blocked in France the exact day I went for business trip and me not anticipating it (I didn't remember it was set in pi-hole)
Switched to AGH too a few years ago because from time to time pi-hole would get stuck upon unplanned reboots of the Raspberry Pis on which I had it installed
I love AdGuard Home but the single binary container from a Russian company makes me nervous. I may move to building it myself. Is this criticism unfair?
> Yes because you judge people by the country they live in.
This is an extremely uncharitable reading of the preceding comment. The comment is clearly concerned about the national jurisdiction from which the AdGuard binary originates, not the national origin of a human.
American government initiatives against Huawei telecom hardware at critical junctures aren't making a personal statement about Chinese individuals. European regulatory skepticism of American-located cloud services isn't a personal statement about American individuals. Russia and China requiring the on-shoring of data-centers doing business in their internal economies aren't making personal statements about foreigners by doing so.
Whether or not you hold all those governments as roughly equal, none of them mistrusting each others' jurisdictions is "judging people by the country they live in." It is judging the trustworthiness of the governments of those countries. And the people in those countries are inevitably subject to the jurisdictions of the governments that rule them.
If someone actually attacks people on the basis of national origin, have at it, but please don't brow beat individuals for making common-sense risk assessments.
I built it myself for a while but as I mentioned elsewhere, it's now being packaged in the Alpine Linux testing branch. That makes a container image an 'apk add' away.. whether you trust Alpine Linux more or less than the AdGuard Home teams is up to you.
I don't trust Iran, North Korea, or China either. It's not hard, I'm an American and it's 2025. These are our adversaries (I didn't choose them) who currently commit cybercrimes against us. Hopefully in 2035 that won't be the case and we can all sing kumbaya.
This seems like woefully naive virtue-signaling to me. I geo-block all traffic from Iran, N Korea, China and Russia specifically at my clients' firewalls because I have watched the logs and could clearly see IPs from each of these countries attempt connections to American businesses every minute of every day. Try to single out the offending IP and tomorrow it moves to another; you will spend the rest of your days adding to that block list. It is perfectly sensible to block the country entirely; and better yet - as I've made a standard for my clients - block the entire world, and only allow specific countries to talk to your firewall. Then you can add more granular blocks on top of this. If something gets blocked that shouldn't, that's not painful to adjust. I have no doubt there are many fine people in Russia, but that doesn't mean there's a single computer in Russia that has any business talking to mine.
Logically, if Russians would want to infiltrate your organization, they won't do it from Russian IPs directly, but instead do it from cheap proxies, and those proxies are abundant in Netherlands or Germany.
I used to do similar on gaming clans' forums; for local rationalized FPS we didn't want folks with 300+ ping, and country blocking was pretty easy (and folks on the forums were either spamming us with porn or trying to become a member). Though since it was forum-based I did allow GETs but restricted POSTs etc. vs straight up 0 access.
Opnsense is not like OpenWRT, it targets running on relatively powerful generic x86 hardware. Intel CPUs and networking hardware usually works best because of driver support on BSD, but it will work on others. I say "relatively" because even low power old embedded CPUs are more than enough to route at a gigabit or more with lots of firewall rules and services running. Opnsense's cousin Pfsense also has some support for ARM, but that version is only really available on their commercially supported hardware.
Most people either buy a generic box that can be had for ~$250, or recycle an old PC and stick in a network card. You can also buy commercially supported hardware for Opnsense or Pfsense's parent companies, though the value proposition isn't worth it for home users IMO as you will pay a steep premium versus loading up something yourself.
Look on eBay for old 4 port Intel NICs, you can get em for very cheap and they work forever. Beware Opnsense and Pfsense are based on BSD and you're really not supposed to touch the underlying OS by design anyway, so you will need to virtualize if you also want to host containers alongside.
Pi-hole is such a great tool. I've been running it for a few years on a raspberry pi zero, and am constantly astonished by the sheer amount of cruft it blocks for me.
Congratulations to the team for the release - happy to support you via Patreon!
I have many times clicked an article link on reddit where everyone in the post comments complains that the site is so riddled with ads that it's unreadable, and all I see is the article with a lot of whitespace.
IT department does not like that, but I had them install Firefox on the machines of my team, so we can install uBlock Origin. People are _amazed_ at how the internet looks without ads.
On the pihole subreddit there's a wiki with lists of domains you can whitelist for certain services. I had to whitelist something for xbox live to work.
Pi-hole is a killer application and I've loved it since I got it setup. One other app I highly recommend to run on your Pi in addition to Pi-hole is Nginx Proxy Manager[1].
I moved from pihole to Technitium a few months back because I wanted more DNS features than just adding A and CNAME records.
For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.
Excellent write-up. As a Tailscale + Pi-hole user you may have just inspired me to switch to Technitium. I’ve wanted that kind of split horizon functionality for years, for all sorts of things!
Technitium is great. Rock solid, plenty performant and it has more features than you'll ever need. Pretty wild when you consider it's being maintained by a single dev.
Switched to Technitium (from piHole via Docker on amd64 and manual dnsmasq before that) primarily for DNS over HTTPS and never looked back. Used it for DHCP and DNS.
Latency isn't the important measurement — it's the actual time to resolve. This will be significantly longer than the ping latency.
Unbound, recommended for use with Pi-hole, can be configured to log this by enabling "log-replies" in unbound.conf⁽¹⁾ where the time to resolve will be logged in seconds.
my biggest gripe with NextDNS is not having an ability to add custom blocklists. I'd gladly pay for it even if there was a paid tier with this feature.
I'm aware of adding domains one by one, but I want to add some lists like Hagezi Threat Intelligence Feed which is not available in the blocklists, and these blocklists have >500k domain list.
I'm currently using Blocky as my DNS resolver. It works fine and is super fast because of the fine control over caching, but I'm disappointed with its memory footprint. 400MB for a total blocklist of 1.3M domains
I'm currently seeing 12ms latency to my upstream NextDNS server. On my home network I "proxy" it with a forwarding/caching DNS server on my router, so for "the usual suspects", latency is not an issue.
On the go, over 5G, those 12ms won't make much of a difference.
Considering that people deploy PiHole on Raspberry Pi W models, over wifi, you won't lose much running NextDNS, but you gain dns blacklisting on all networks, as opposed to just your home network (or via VPN)
I'm not sure how that could be. Even if it's your first ever request to the host, the latency is a one time thing and then it's cached. Even an extra 100ms for DNS latency is going to be unnoticeable compared to an empty browser cache and having to download a bunch of images
welp. for every single domain you interact with, you gotta do a dns lookup. visit a modern website like yahoo, cnn, wapo, whatever and that will be like 100 dns requests. your device hits your router, if it has no answer, it recursively goes up the line getting an answer. do that 100 times. that is just for resolution. you still gotta actually hit that endpoint and get whatever it is you are trying to get.
so if your dns is slow, there is a tremendous amount of latency added to virtually everything that you do. just because you can hit nextdns in 12ms does not mean the e2e duration for a single dns-then-fetch is going to be in the realm of 12ms. if nextdns doesn't have the answer it needs to go find it.
I use my local router as a DNS cache/proxy for this exact reason, though i doubt 12ms (or 24ms) will mean much in the grand scheme of things compared to downloading a 25MB webpage which is mostly tracking code and ads.
Yes, if we were in the "good old days" of slim websites, 12ms may be noticeable, but today, with webpages taking up lots and lots of storage that is served with every connection, i seriously doubt you'll notice.
Besides that, every browser and modern operating system will cache DNS records for whatever the TTL from the upstream DNS is set to.
This actually seems rather nice. Not the same as PiHole but I can see its upsides.
One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?
ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or set up PiHole to pass IPv6 and the DNS I want to the device.
> This seems like I have to manually configure each device?
You don't have to (and I assume most users don't), but you can if you want per-device reporting. You just set your router's DHCP server to hand out NextDNS's DNS servers.
I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.
Right! When my Pi died, my network didn't look for a backup DNS, so everything became inaccessible. It was weird - probably the classic SD card issue. With NextDNS, while I do use DNS over TLS, if my Synology fails, it just kicks back to regular NextDNS domain name servers.
NextDNS has not updated its client applications on multiple platforms (iOS/iPadOS/macOS) for several years. Those client applications did have the ability to stop the blocking (or not), but now it's just a toggle that does nothing.
Most of the time when I visit test.nextdns.io it shows as "unconfigured" even though the NextDNS client is installed and configured with a NextDNS profile (and approved in Settings as a VPN provider on these OSes). Sometimes it will work on its own.
I wouldn't recommend NextDNS unless the user is comfortable installing a (somewhat) permanent Profile on these devices with no temporary "off" switch to stop blocking. For me it's important to stop the blocking once in a while.
At least on macOS, there's Little Snitch (paid application), which can subscribe to the same blocklists used by ad blockers and has a working toggle.
They do let you switch it off, it's just a bit buggy sometimes (like having to toggle twice), I know because I use it all the time. https://i.imgur.com/YpSkS93.png
FWIW, in my years of using NextDNS I think I've needed to do this only twice. On Macs, the menubar app lets you enable/disable NextDNS. The average HN reader can probably automate switching to a non-blocking profile for a given length of time. https://community.home-assistant.io/t/nextdns-integration-te...
> The web interface has been completely overhauled with settings split into Basic and Expert modes. This allows users to customize their experience based on their comfort level and needs.
This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.
I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.
- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees
- Blocks ads in ALL apps, not just my browser
- If it's acting up, I can just disconnect from the VPN to disable PiHoling
- Don't have to expose my home IP address and open a port for the world to start banging on
> Don't have to expose my home IP address and open a port for the world to start banging on
Is that really an issue if all you're exposing is the VPN port? Wireguard for instance has industrial-grade encryption. Even an open port 51820 should be fine.
With wireguard in particular, you're probably not running much risk, as wireguard runs over UDP, and as long as you're not connecting with a correct (recognized) key, it will not even generate a response, so a potential attacker has no way of knowing for sure that wireguard is running on a given port.
Does anyone know if pihole is ever going to add DoH or similar support natively? I've had such troubles with cloudflared awhile back that I gave up on DoH, but would love to encrypt those queries.
Speaking of not wanting DoH to exist on the local network, does anyone know if there is anything pre-existing that can hook into firewall rules to default deny outgoing traffic and only allow (until TTL expiry) in response to a DNS lookup? That way things cannot bypass your DNS filtering with DoH or hardcoded IPs.
People use DoH/DoT so that their upstream DNS lookups are not transmitted in plaintext across the open internet. You can do this and still run your own DNS server on your network. The parent commenter is asking about Pihole with DoH, which is exactly this.
Hostile firewalls that block and/or intercept DNS traffic are also a bad pattern, but people don't always control their local network these days. You can't always count on 853 being open. There are valid use cases for both.
it's far easier to control your network than it is to control your devices on that network - far too many closed source devices nowadays, and it’s extremely difficult to avoid all of them
IIRC, there is not a native GUI method for Pihole to talk encrypted to DoH providers. You have to set up a daemon locally and configure via CLI, then set that as your "upstream" DNS provider in Pihole admin.
Obviously the goal is to have your local clients talking to Pihole, but the goal of having remote DNS queries encrypted is to prevent ISP snooping.
Though if you really want to prevent ISP snooping you have all clients using VPN or configure your router to send all outbound traffic to a VPN endpoint.
I've been using https://github.com/DNSCrypt/doh-server for serving my DNS server via DOH for at least 2 years. Only had two issues with it and both were due to lack of maintenance on my part (ie. not updating the binary for one and then not re-configuring it after I changed configurations for the upstream DNS).
I also block Twitter ASN (yes, it is called Twitter ASN), and a whole bunch of IP ranges from not so democratic countries with very bad hostile actors. They don't have rule of law there, so I don't need these.
With regards to X. Blocking it serves as a good reminder to use a proxy, or try and find the source elsewhere (Blue Sky, Mastodon). More often than not, these exist.
Finally, if required I can use Tor Browser. No cookies, no profiling, no ads.
Out of interest, those IP ranges that you’re blocking… is that at DNS level or are you doing some firewall-level blocking too?
And do you use any kind of reference for determining which ranges/countries are wise to block or has this just been something you’ve evolved over time?
Currently, I have IPv4 only (will change end of year to dual stack), and to block AS13414 (NetName TWITTER-NETWORK), blocking 104.244.40.0/21 suffices to block x.com. However, if you follow [1] you have a more complete blocklist. In a *BSD you can use cron and curl to update these lists based on whether a change occurred; OPNsense allows the same in their webUI. In that vein, I also have a Tor exit node block list (this is public data), and I have a Censys (& Co) blocklist. You name it.
I don't use DNS-based in this instance (I do for example, for porn, cause I have children). I use a firewall-based one in OPNsense. PF (and therefore OPNsense) have a feature called anchors (alias in OPNsense) which basically allows you to use OOP to develop lists.
I'm pretty sure Linux like OpenWrt can do the same, and you can also use DNS-based blocklists. You can even outsource the hosting to e.g. NextDNS. Because these blocklists, whether firewall or DNS-based filtering, they do use some RAM especially. Back when I started w/this in early '00s this was an issue on my Soekris OpenBSD machine. Nowadays, I assign 8 GB RAM to the VM and call it a day.
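A constructed shell script, not the commenter's own, showing the cron + curl pattern described above on a *BSD firewall: fetch a CIDR list, sanitize it, and replace the pf table only when the list actually changed (a list served from someone else's server is input, not policy, so it is validated before pf ever sees it). The table name blocked_nets, the state directory and the list URL are placeholders.

```shell
#!/bin/sh
# Constructed example (not the commenter's script). Refresh a pf table from a
# downloaded CIDR blocklist, but only touch pf when the list changed.
# Assumed pf.conf side (placeholder table name):
#   table <blocked_nets> persist file "/var/db/blocklist/blocked_nets.txt"
#   block quick from <blocked_nets>
#   block quick to <blocked_nets>
# Cron entry, e.g. hourly:  0 * * * * /usr/local/sbin/update-blocklist.sh run
set -u
TABLE="${TABLE:-blocked_nets}"
STATE_DIR="${STATE_DIR:-/var/db/blocklist}"
LIST_URL="${LIST_URL:-https://example.invalid/blocklist.txt}"   # placeholder URL

# Keep only lines that look like IPv4 addresses or CIDRs; strip comments and
# whitespace. One malformed line makes `pfctl -T replace` reject the whole file.
sanitize_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | LC_ALL=C sort -u
}

# Checksum used to detect changes (stdin form prints "crc size", no file name).
list_checksum() { cksum | cut -d' ' -f1,2; }

# Exit 0 (changed) unless the stamp file holds the checksum of the new list.
list_changed() {
    new="$1"; stamp="$2"
    [ -f "$stamp" ] && [ "$(list_checksum < "$new")" = "$(cat "$stamp")" ] && return 1
    return 0
}

# Replace the table contents in one go; skipped when not on the pf host.
apply_table() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T replace -f "$1"
    fi
}

update_blocklist() {
    mkdir -p "$STATE_DIR"
    raw="$STATE_DIR/$TABLE.raw"
    clean="$STATE_DIR/$TABLE.txt"
    stamp="$STATE_DIR/$TABLE.cksum"
    # -f: treat HTTP errors as failure so an error page never becomes the blocklist
    curl -fsS -o "$raw" "$LIST_URL" || { echo "download failed" >&2; return 1; }
    sanitize_list < "$raw" > "$clean.new"
    # Refuse an empty result: that would silently unblock everything.
    if [ ! -s "$clean.new" ]; then
        echo "empty list after sanitizing, keeping previous table" >&2
        rm -f "$clean.new"; return 1
    fi
    if list_changed "$clean.new" "$stamp"; then
        mv "$clean.new" "$clean"
        apply_table "$clean"
        list_checksum < "$clean" > "$stamp"
        echo "updated: $(wc -l < "$clean") entries"
    else
        rm -f "$clean.new"
        echo "unchanged"
    fi
}

# Only do the network fetch when invoked with "run" (cron); otherwise the
# functions above can be sourced and exercised on local input.
[ "${1:-}" = "run" ] && update_blocklist
```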
“not so democratic countries with very bad hostile actors. They don't have rule of law there, so I don't need these.”
Time to add united states to those filters.
Lots of screenshots circulating of posting the word "Cisgender" being flagged by Twitter. Not sure if they just flag or remove it though, as I don't use Twitter any more.
This has to be a disingenuous request. X is signaling at free speech, while in practice it amplifies or suppresses content the owner agrees or disagrees with.
In my experience Pi hole is a very worthwhile investment. People who used my internet when I had one would remark how much faster it was. Everything in general seems faster, even things that you wouldn't think of. I typically use Brave for browsing which has good ad blocking capabilities, but this adds a whole additional layer.
The only reason I don't use one now is that I travel a lot more so it's irrelevant, and I have to work enough on tools with Google/Vercel/other analytics that it is just very inconvenient.
Regarding smart TVs, I have found that it's better to just use an Apple TV or Kodi box and never connect to them internet though. Having said, I gave my TV away because I never used it, so this might not be as up to date. A Pi hole will block ads on smart TVs though.
I used to love pihole, but it seems like it's more trouble than it's worth now. Advertisers have wised up and will use the same subdomain for both content and ads. I've also had issues with normal website functionality being broken due to pihole which isn't fun for my wife. It seems mostly useful for blocking background traffic on smart devices, not so much for ads.
Why should the programmers of the TV's OS look for edge cases, and do you think the TV makers would give them budget for that? For 90+% of users the standard config of trusting the DHCP server will work fine, and the Pi-Hole users will probably not give them money anyway, and will be dedicated to defeat their workarounds...
I've been worried about companies that make software like this (applications with embedded telemetry or advertisements) starting to do their own DoH-style lookups.
I don't KNOW of any doing it but I can't imagine it'd be too hard for them to do.
> Wouldn’t a smart tv do something ... smarter than just using the default dns given to it by the network?
It could certainly try... but usually you would block that in your firewall. Fixed DNS servers or fixed server IP addresses are tricky because if you ever need to change them, you can't, because you'd need to update the hardware (which you can't since it sits behind a firewall).
It could try to use things like Google's DNS server, but that is easily blocked in your router.
Not a lot that could be done except trusting your (internal) DNS server...
I had an Apple TV connected to a TCL Roku TV and the TV was analyzing video frames from the AppleTV to popup ads suggesting to watch the same content on other streaming services.
I checked that Pi-hole can run on a Raspberry Pi Zero as per the GitHub. But would you recommend using a Raspberry Pi 5 (2 GB or 4 GB RAM) instead of a Raspberry Pi Zero? I don't have any Raspberry Pi and I intend to make a new purchase.
Lots of great memories using Pi-hole and messing with RPi. I eventually ended up putting my devices on Tailscale and managing DNS through it, eventually using Mullvad VPN as the exit node.
Pretty good interface, and most people just have to connect using the app. Having a virtual network between devices with dedicated IPs is pretty nice too.
The big feature miss for me in this announcement is baked in support for configuration sync between servers. Redundant DNS is common and it would be nice if pi-hole supported this oob. Making it even better would be an ability to see stats across all synced servers from one location.
I do something similar to Pi-Hole using plain dnsmasq.
I use two old PINE64 (one with FreeBSD, one NetBSD to make it more fun), and the Ansible configuration downloads https://github.com/ShadowWhisperer/BlockLists and creates a file dnsmasq can use. Which lists from the repo to use is defined as a variable.
Works very well and I feel I can understand what is going on.
I've been waiting for this - I wanted to play around with blocking distractions on various rules, but controlling pi-hole remotely was a huge pain and often didn't work until now.
Not sure if this is the right place to ask, but I've got a semi-obscure DNS question.
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Please don't spam HN with LLM generated slop. The value of HN is the human discussion, everyone here is perfectly capable of asking an LLM of their choice.
I've had the same PiHole rule (for years!) which blocks all the text-splash-over-ads... but it becomes very cat and mouse if you want to block the pre-roll video ads (any rule that initially works... won't for very long).
Instead, use yout-ube.com [insert a hyphen into any URL] and ALL ads disappear.
Have used pi hole for over 5 years and very happy with it. Most times I use it via phone to manage kids devices to block/unblock access etc and this also works quite well . Thank you very much
Ha! I bought a Pi5 as a Christmas present for myself, I've only done some basic setup and gotten sidetracked by other projects - but setting up pi-hole is near the top of my list of sh*t to get done
In unbound those are indeed views[1]. I moved from pihole to unbound+nsd a couple of years ago for precisely this use case. Block filters courtesy of[2].
I managed this by getting a gTLD (digit-only .xyz is cheapest) for internal-only services and then running a Caddy instance to reverse-proxy to my internal services. I don't port forward or open ports to that Caddy instance, so it's not available externally.
I wish pfblocker-ng was as easy to use and polished as pihole. It seems silly to run an extra DNS resolver if I'm already running one on pfsense, but the interface makes it tempting
if you are on openwrt i can recommend checking out unbound and adblock as alternatives (running directly on your router without needing a raspberry pi)
Slightly off topic, but it annoys me that protonvpn does not allow split tunnel of DNS to an internal host. It calls this DNS leak protection, which is a good default. But I want to run my own DNS server and I know what I'm doing, and the Proton GUI won't let me.
> It's also not possible (or not clear) how to have different behavior for different clients
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
It's slightly more complicated. What you are suggesting works if (1) you are using Pi-hole as a DHCP server or (2) all your devices are individually configured to use the Pi-hole IP address for DNS resolution. What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
> What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
That depends entirely on what capabilities your router has.
Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.
Other less capable routers, only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.
But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).
Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.
FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.
And if your gateway device is configurable enough you can ban or redirect port 53 requests (DNS) to whatever machine you would like to use to serve up resolution.
That's kinda janky really.
DNS doesn't have redirection like HTTP has, so what you describe can only be implemented using port forwarding (or SSH tunnelling, but I've never seen a router with the ability to tunnel DNS in this fashion?).
Port forwarding used like this, won't enable one to use the 'groups' functionality on PiHole — which was the (g)parent thread here — because all requests arriving at the PiHole will come from the same client, i.e. the router. Because port forwarding is more like a proxy than a redirect (to use HTTP terms).
The correct solution here if one wishes to use PiHole's groups — and not have a janky network configuration like you describe here (an extra unnecessary hop for local DNS) — is to either (a) use the router's DHCP settings to tell the clients to use the PiHole IP for their DNS, or (b) disable the router's DHCP and simply use the DHCP that PiHole provides, which is at least as good as what most routers provide (and more configurable than most routers also, should one need to)
That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.
> That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.
That's the first time such a thing has been mentioned in this thread.
But I now get what you're trying to say in your comment above.
Sure, one can use e.g. iptables, to forward all outbound traffic on some port to some local IP. If your router has such capabilities.
But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.
And of course it wouldn't work if the device is using DoH.
But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.
This is exactly what I do with my Unifi router, but still all I see in Pi-hole is the router making the DNS requests.
I think you’ve set the WAN dns to the PiHole. You need to set the DNS in networks.
Are you NATing the redirection to the pi hole server? If so, disabling it should let pihole see unique clients.
The better option is to configure DHCP to hand out the Pi-hole as your DNS server. If your router cannot do that, but you want to go deep enough to configure your home network with a Pi-hole, you should probably also invest in either a better router or OpenWRT on your current one to get a few more features.
Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.
DNS-over-HTTP is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.
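An added example, not from any commenter, of the rule set the two comments above describe on a Linux router with iptables: the Pi-hole is exempted first (otherwise its own upstream queries are dropped, or looped back to itself with a redirect rule), remaining attempts are logged so devices with hard-coded DNS can be found, and everything else to port 53/853 is dropped. The interface name br-lan and the Pi-hole address 192.168.0.6 are assumptions; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Constructed example (not from the thread). Enforce "only the Pi-hole may
# reach external DNS" in the FORWARD path of a Linux router using iptables.
# Assumptions: LAN interface br-lan, Pi-hole at 192.168.0.6 (placeholders).
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 applies them (root).
# DNS-over-HTTPS on 443 cannot be told apart from web traffic by these rules.
LAN_IF="${LAN_IF:-br-lan}"
PIHOLE_IP="${PIHOLE_IP:-192.168.0.6}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build a dedicated chain so the policy can be re-applied without touching
# the rest of FORWARD. Rule order matters: the exemption must come first.
dns_guard_rules() {
    run -N DNS_GUARD
    run -F DNS_GUARD
    # 1. Exempt the Pi-hole. Without this its own upstream queries are dropped
    #    (and with a REDIRECT/DNAT rule they would loop back to itself).
    run -A DNS_GUARD -s "$PIHOLE_IP" -j RETURN
    # 2. Log remaining attempts, rate-limited, so devices that ignore the DHCP
    #    DNS option or use DNS-over-TLS show up in the kernel log.
    run -A DNS_GUARD -m limit --limit 5/min -j LOG --log-prefix "dns-bypass: "
    # 3. Drop everything else that reached this chain.
    run -A DNS_GUARD -j DROP
    # Send LAN traffic for plain DNS (53) and DNS-over-TLS (853) into the chain.
    # LAN-to-Pi-hole queries never traverse FORWARD, so they are unaffected.
    for proto in udp tcp; do
        run -I FORWARD -i "$LAN_IF" -p "$proto" -m multiport --dports 53,853 -j DNS_GUARD
    done
}

# Sanity check of the generated policy (dry-run output): the Pi-hole exemption
# must precede the DROP. Returns 0 when the order is right.
check_rule_order() {
    dns_guard_rules | awk -v ip="$PIHOLE_IP" '
        $0 ~ "-s " ip " -j RETURN" { ret = NR }
        /-j DROP/                  { drop = NR }
        END { exit !(ret && drop && ret < drop) }'
}

dns_guard_rules
```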
It works for me and I don't use Pi-Hole as a DHCP server or have any of my devices individually configured. I have my router acting as a DHCP server and have it tell clients to use my Pi-hole for DNS. Some routers' default firmwares don't let you do this, but most OpenWRT and Tomato and the like should.
I haven't tried Pi-Hole yet but is there a package for OpenWrt which could offer functionalities equivalent to Pi-Hole?
I already run OpenWrt on x86 hardware so I have plenty of RAM and disk.
Yes. It's called adblock and it's rock solid. I also run mine on an x86. Just set and forget.
Using clients and groups works fine for me. I'm able to block youtube on my kids' devices, but allow it on others. I have pihole running in a container without being my dhcp server.
Do you mind sharing your blocklist for youtube? It has been a challenging one so far.
Not OP, but we can assume that when he's talking about blocking YouTube, he's in fact blocking YouTube for his kids, not YouTube ads. Pi-hole can't block YouTube ads as they are delivered by the same servers as the content, so you can't block one without blocking the other.
My comment wasn't clear. I was indeed referring to blocking youtube completely, not just ads on youtube.
Just go to PiHole's "Domains" page, in the box labelled Domain, type youtube.com, enable the checkbox for Add domain as wildcard, then click the button labelled Add to denied domains.
Now youtube.com and all of its subdomains are blocked, for all clients.
If you wish for it to only be blocked for some clients, then assign your clients to groups, and set the setting appropriately on the domains page.
That's my only gripe with the current pi-hole; there is no easy way to configure DHCP options.
Not all routers proxy DNS; many have DHCP settings so you can give the pi-hole’s address as DNS server to clients via DHCP.
I imagine this is how it’s usually done. There’s no reason to double proxy.
I use pihole for dhcp and it's extremely easy with dnsmasq. Hope their settings overhaul does not break this.
dhcp-option=tag:nospam,option:dns-server,x.x.x.x
dhcp-option=tag:spam,option:dns-server,y.y.y.y
dhcp-host=client1...,set:nospam
dhcp-host=client2...,set:spam
Previously, PiHole used /etc/dnsmasq.d/ with best practice being to put one's own additional config, or overrides, in separate file(s) in that folder.
PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).
But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.
One of the most valuable things I get out of a SaaS service is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
[0] https://nextdns.io/
[1] https://controld.com/
I think I'll never buy a smart TV what an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.
My cheap android phone installs games by itself eg. candy crush ugh. My own fault I get it buy a $2K phone instead of $160
Most non-smart 4K screens are more expensive than 4K smart TV screens though. Really weird, because there's less stuff in it. I just want a nice 50" 4K screen with HDMI and DisplayPort. I don't use all the other junk anyway, since i watch TV via a computer and sound goes to a surround set.
> Really weird, because there's less stuff in it.
It's also not subsidized by selling your user data.
Is this really true? The margin must be huge. I've seen 4K smart tv's for half the price of 4k monitors.
In 2019 the Vizio CEO went on the record saying there was no money in dumb TVs. They sell near cost and make it all up in ads and metrics.
https://boingboing.net/2019/01/11/telescreens-r-us.html
I've had a little insight into this world. To make the BOM costs work at the retail prices they charge for things like common set-top streaming boxes (e.g. Roku) and, now, TVs themselves since they incorporate the same stuff, they have to be selling data. Otherwise they're selling at a loss, once you factor in middleman margins and such.
You can try to compete by charging a reasonable amount for your hardware and software, but you'll be competing against economy of scale and wrestling for shelf-space with products that are (don't forget retail percentage mark-up) at least 30% cheaper than yours, which means your units don't move, which means you don't get (or keep) shelf space, and hello death spiral. Also if you somehow manage to make it despite that, as soon as an MBA gets in charge you'll just switch to selling data, too.
Or you buy an Apple TV, that’s priced appropriately with its capabilities and doesn’t thieve everything from your network and your house.
I only didn’t mention that because I’m not sure how much spying they do. I’d bet it’s a lot less, but probably still too much.
But yes, that’s what I have, two of them in fact. Tried a Shield, sucked, should have just gone straight for Apple TV instead of trying to pinch pennies.
A follow up question is, what does the transaction look like. Bulk DB dump or JSON files per person, spreadsheet, that would be interesting like race, interests, budget...
You'll be plugging your AppleTV into that data collecting TV device because you won't pay more for it.
I don’t allow my smart tvs on the network. They complain a bit but they work.
It's completely true.
Looking at Vizio's financial records[0], the numbers make it clear.
They separate everything into 2 distinct businesses, Device and Platform+.
Device represents their hardware business of selling physical TVs and soundbars. Platform+ covers all of their other "software-related" business, mainly consisting of ad delivery and selling user data to third parties.
2019:
- Device Net Revenue = $1.7 billion
- Device Gross Profit = $125 million
- Platform+ Net Revenue = $63 million
- Platform+ Gross Profit = $40 million
2023:
- Device Net Revenue = $1.0 billion
- Device Gross Profit = -($8.6 million)
- Platform+ Net Revenue = $598 million
- Platform+ Gross Profit = $364 million
So over the course of just 4 years:
- hardware revenue is down 40% and is actually losing money (confirms they are indeed selling the TVs at a loss)
- Ad/user data revenue, however, is up almost ten-fold (+949%)
- total gross profits of the two combined are up over 54%
[0] https://investors.vizio.com/financials/quarterly-results/def...
TVs usually have lower requirements regarding frame rate and latency compared to computer monitors. That's probably also a factor.
Probably more to do with the economies of scale. More TVs are sold than PC monitors so therefore cheaper.
> Really weird
No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.
Is there an equivalent of DDWRT/OpenWRT but for TVs?
Most often those are some embedded linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?
Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.
> Is there an equivalent of DDWRT/OpenWRT but for TVs?
Get a used mini-PC, install Linux on it, and don't allow the TV to connect to any networks. This is a 50-75 dollar solution. Good if you are on a budget and are not interested in any whiz-bang features like HDR.
There are a few TV-dedicated Linux systems out there, like LibreELEC.
Or get a more powerful system with a AMD GPU and install Bazzite on it. That way you get something like "SteamOS for your TV". Pairs nicely with controllers like 8BitDo.
It would be nice to have TVs as open as PCs, but the manufacturers and media companies are run by dirtbags and would rather have victims than customers.
> Get a used mini-pc, install Linux on it
As someone who tried that route I'd strongly recommend against it for anyone who isn't core HN audience or just loves tinkering. You're much better off with an Apple TV or an Nvidia Shield unless you really want the "beefy gaming media center".
I walked the mini-PC/RPi road and they came up short every time even for me, let alone the rest of the family. Even when I put in place the perfectly optimized initial setup I was still left with a bad compromise of performance, power consumption, noise, boot time, ergonomics, and the constant trickle of things breaking down or needing tweaking because of some update.
When trying to watch a movie with the family the last thing I want is to troubleshoot random issues.
I just use an old macbook air with a bluetooth keyboard that also has a touchpad. The thing is in sleep mode when not needed, so it wakes up fast and does not need a lot of energy. With that setup I can access whatever media I want, have a solid adblocker and a browser with a real keyboard.
> with a bluetooth keyboard that also has a touchpad
Different strokes for different folks, having to use a keyboard to control my TV is for me one of those usability compromises I preferred to avoid. It's probably related to how I use the TV, things like browsing the web were never on the list of requirements. I'll have a phone, tablet, or laptop at hand for that.
I've had a MSI Trident functioning as a gaming/HTPC computer for years and the family loves it. They know how to browse the various streaming services and use Steam and Kodi.
> a MSI Trident
This is diverging quite a bit from "a smart TV replacement". Especially if Steam is a requirement.
The gaming PC you have there is probably exactly the combination you want. But for most others it's the compromise to avoid I mentioned above. It delivers the console and TV/media center experience but with the full PC power consumption, noise, boot times, maintenance effort, and inconvenient controls.
The cheapest Trident I can find on eBay costs more (by 2-5x) than an Xbox and an Apple TV together. And these 2 deliver their respective experiences with far fewer compromises.
> They know how to browse the various streaming services
Knowing how to use it is just the bare minimum requirement. With an Apple TV for example you can do the same with almost instant startup time, 0 noise, 0 maintenance, ~1-2W streaming, and a small remote control. And probably has less ads than the average Windows computer :). I found the "right tool for the job" more appropriate for my use case but that might not work for everyone or all the time.
Things just happened that led to that optimised state of using one device for all (the MSI). Nevertheless the main question was about a nice 4K screen. :)
Isn't a TV that permanently shows HDMI input a big monitor?
Weirdly they always seem to be more expensive than a TV though.
One difference between Monitors and TV used to be that Monitors used RGB Subpixel-Layout and TVs used BGR. (i.e. TV panels are upside down)
Configuring subpixel-layout per monitor is something that most OS won't allow. So if you use several monitors, you usually have to mount the BGR-ones upside down. (Otherwise fonts will be blurry...)
For some time now there are really cheap 4K Monitors with BGR-layout available. If you mount those upside down you're fine... (I use LG 4K Monitors mounted upside down in combination with other screens)
Subpixel hinting isn't that useful at high DPIs though. Apple has ditched it entirely in macOS, regardless of monitor DPI, and gone back to standard anti-aliasing.
Bear in mind I went down this hole years ago, so these could be solved problems, but in my experience monitors speak a set of more useful modes (resolution and refresh rate combos) and TVs often need to be trammed in a bit, the default screen position not being properly centered in all cases.
Yeah exactly, as also others point out in the thread, if you want "TV-sized monitor" you will pay more than for a TV, and probably get worse panel, lower brightness, etc. Hence it would be useful to buy "smart" TV and turn it into a monitor instead.
Well yes, but I guess either big monitors use different panels or there's some shady business going on.
Inclusive or.
Would be fun if someone could hack those OSes indeed.
It could make a nice CrowdSupply project, except for the cheap distribution of the huge packages. Sounds not that hard though: just get some nice 50" 4K smart TVs and remove all the junk. Cool features like DP daisy chain or something and one could have a nice project. But I'm guessing there is (too) much money to be made in user info and ads. :(
Top tip: some smart TVs will turn into perfectly serviceable dumb TVs if you reject their on-screen software license agreement/privacy disclaimer.
Yup. This. Just tell it no.
Because just like virtually everything in the embedded SoC ecosystem outside of the RPi competitor SBC crowd, the TV embedded board likely has a chip with little or no doc (with or without NDA), and unlike a Pi-ish SBC there's probably not even an unsupported, outdated kernel linked with a ton of opaque proprietary blobs hidden on an obscure Chinese language web site to try out.
Maybe there are smart TVs out there with a SoC that's been reverse engineered enough to do something with. If there is, that should be shouted from the rafters. But I kinda doubt it.
I have a 'smart tv'. I don't allow it to connect to any network.
The only really annoying thing about it is that noises from tv shows or the house sometimes triggers the voice recognition, which fails, and then you have to click through the error message.
I just have never connected my Samsung TV to the Internet. My streaming all goes through my Roku. When the TV turns on it displays a splash screen asking me to connect to the network, which disappears after about 15 seconds and never comes back until I turn the TV back on.
I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.
I am hanging on to my 15 year old Vizio for dear life (With a Roku box). We don't watch much TV anyways. Its just Youtube playing.
I dread the day it dies.
does pi-hole actually block youtube ads ? last time I tried it did not really work (on pc and phone). Switched back to UBO
They probably do some tricks that blocking ads with DNS is not possible.
If you use an Android device, you have the potential to live an ad-free life:
- Use Firefox with uBlock Origin and BypassPaywallsClean to avoid ads and paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.
My thought is to develop a headless, Smart TV like device that just sends random bullshit data to the servers that collect it.
> For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates
Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.
I imagine software updates might bring improved support for various media codecs, or UI enhancements, or better Bluetooth compatibility, etc.
Or more likely: reduced privacy settings, increased analytics, and in-menu advertisements.
Why would the manufacturer spend money on that if it had your sale already and you aren't paying any support subscription?
Yes, those are the "smart" features. Just plug in a Raspberry Pi and don't touch the TV after its initial setup. I'm still using the same Raspberry Pi 2 I've been using for more than 5 years now. Beats "smart" TVs that you can buy today.
>Raspberry Pi 2
Isn't that the one with the network speed capped at 100MB/s and no capability to stream HEVC files?
It only has a 100Mbps Ethernet jack, yes, but so do both of my TVs.
I don’t have any HEVC media so I’m not sure there, but the lack of 4K output would be a big stopper for me.
I’m also not sure about the streaming services it would support, but chances are if you're running off of a Pi 2, you’re sailing the seven seas for media. Will that thing even play YouTube in a browser at this point?
Nah, I used to have a YouTube plugin that worked years ago but don't any more. I don't use it for "TV" purposes, though, it's more of a home cinema device. I don't have background screens in my house.
But my point wasn't literally to use a Raspberry Pi 2, just that you can get cheap low power devices that beat "smart TV" crap. You can of course get much more recent ARM-based boards that support all the latest HD standards etc. I don't do the hedonic treadmill, though, so I'm still happy with 1080p Blu-ray.
Can't disagree with that. If it's still fulfilling its purpose, why change?
Smart TVs really aren't very smart and a nicely ripped 1080p Blu-ray often looks better than what the streaming services will stream you anyway.
I don't think I'd even have a TV if it were just me. Wife and kids seem to need one though, so simplicity counts. What would they do if they couldn't watch people who watch people play games?
I let one of my cheap smart TVs update for this reason (and not the other two identical ones I have) and now that one crashes and lags all the time, despite none of them being on the internet.
Embedded device software development quality is usually even worse than webapp software development quality.
My TV after a recent update has begun randomly crashing with audio looping for a few seconds before rebooting. When an update comes through for that you can be damned sure I’ll be disabling all future updates.
Same, my smart tv has never heard of the Internet.
Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.
I recommend putting all these things on their own VLANs with strict routing rules.
For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.
On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.
This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.
Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.
Smart/iot devices using DoH (or other encrypted DNS) is a headache that would need to be solved at the router (mitming/redirecting to your preferred provider? or straight up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.
It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.
And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.
Smart TV opt-out telemetry is malicious.
Edited to clarify what I mean.
Thanks for giving my glib comment the credibility it didn't deserve.
Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...
There's also adguard home
https://adguard.com/en/adguard-home/overview.html
It replaced my Pi-hole a long time ago.
Running w/ my opnsense router. All-in-one.
I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of that were related to the fact I worked for companies that had domains blocked.
It's destructive if you can't reach your remote devices anymore. See also jeff geerling's "It was DNS T-Shirt" https://www.redshirtjeff.com/shop/p/it-was-dns-shirt
Only if they're configured to explode if not pinged for 30s or something.
The only times I have seen this happen is when the remote devices were communicating with something on blacklist (which should be concerning anyway, but also a quick fix if not) or doing something naughty like not using the DNS server broadcast by DHCP.
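The two points above (what a router can see that a DNS blackhole cannot, and clients "not using the DNS server broadcast by DHCP") come down to the same check on the router side. The following is an added example, not code from the thread or from Pi-hole: it takes per-connection records of the shape a router's conntrack or flow export gives you (the sample is constructed), and flags plain DNS sent anywhere but the Pi-hole, DNS-over-TLS on 853/tcp, and HTTPS to well-known public resolver addresses, which is the DoH case DNS filtering never sees. The Pi-hole addresses, the flows, and the resolver list are assumptions for the example.

```python
"""Spot clients that sidestep the DHCP-advertised resolver, from flow records.

Added example, not part of the thread or any project. Addresses and flows are
constructed; the public-resolver list is illustrative and incomplete.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Resolvers the LAN is supposed to use (the Pi-holes handed out by DHCP). Assumed.
TRUSTED_RESOLVERS = {ipaddress.ip_address("192.168.0.6"), ipaddress.ip_address("192.168.0.7")}

# Public resolvers that also serve DoH on 443/tcp. Illustrative; keep your own list.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' record (a reduced conntrack/flow line)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def classify(flow: Flow) -> str | None:
    """Name the bypass a flow represents, or None if it goes through the Pi-hole."""
    if flow.dport == 53 and flow.dst not in TRUSTED_RESOLVERS:
        return "plain-dns-bypass"          # router fix: redirect 53 to the Pi-hole
    if flow.dport == 853:
        return "dns-over-tls"              # router fix: drop 853 outbound
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in PUBLIC_RESOLVERS:
        return "probable-doh"              # heuristic: DoH on a CDN address looks like any HTTPS
    return None


def audit(lines: list[str]) -> dict[str, dict[str, int]]:
    """Return {client: {finding: count}} over every flow that sidesteps the Pi-hole."""
    report: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        kind = classify(flow)
        if kind:
            report[str(flow.src)][kind] += 1
    return {client: dict(findings) for client, findings in report.items()}


# Constructed sample: .20 behaves, .31 uses Google DNS and DoT, .44 talks DoH to 1.1.1.1.
SAMPLE_FLOWS = """
# src dst proto dport
192.168.0.20 192.168.0.6 udp 53
192.168.0.20 203.0.113.10 tcp 443
192.168.0.31 8.8.8.8 udp 53
192.168.0.31 8.8.8.8 udp 53
192.168.0.31 1.1.1.1 tcp 853
192.168.0.44 1.1.1.1 tcp 443
192.168.0.44 192.168.0.7 udp 53
""".strip().splitlines()

if __name__ == "__main__":
    for client, findings in audit(SAMPLE_FLOWS).items():
        print(client, findings)
```

The first two findings are enforceable on the router (redirect 53 to the Pi-hole, drop 853); the third is only a heuristic, since a DoH endpoint hosted on a general-purpose CDN address is indistinguishable from ordinary HTTPS without SNI inspection, which is the limitation the later comment about sharing a TLS endpoint describes.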
I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for the average home user who are probably needing to expand their networking knowledge just to distribute custom DNS via DHCP.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
For the second question, it is indeed Groups. I have my SO's phone bypass everything. It's the way she wants it.
Yeah, I agree it's not super UX friendly.
You can definitely set client groups, either based on CIDR, MAC (if on the same network segment) or individual IP. From there, you can assign different domains and list to the specific groups.
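Added example, not Pi-hole's code: a small model of what the client-group assignment above amounts to (exact IP, then MAC, then CIDR, then a default group, each with its own block and allow lists), plus the log-don't-enforce mode discussed a few comments up, where policy is evaluated and recorded but nothing is blocked. The group names, domains and client addresses are invented for illustration.

```python
"""Per-client DNS blocking policy with an audit (log-only) mode.

Added example, not Pi-hole code. Groups, domains and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    blocked_domains: set[str] = field(default_factory=set)   # matches the name and subdomains
    allowed_domains: set[str] = field(default_factory=set)   # an allow entry wins over a block


@dataclass
class Decision:
    client: str
    domain: str
    group: str
    blocked: bool        # what the resolver actually did
    would_block: bool    # what policy says; differs from `blocked` only in audit mode


class ClientPolicy:
    def __init__(self, default: Group, audit_only: bool = False) -> None:
        self.default = default
        self.audit_only = audit_only
        self.by_ip: dict[ipaddress.IPv4Address | ipaddress.IPv6Address, Group] = {}
        self.by_mac: dict[str, Group] = {}
        self.by_cidr: list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, Group]] = []
        self.log: list[Decision] = []

    # client -> group assignment; precedence is IP, then MAC, then CIDR, then default
    def assign_ip(self, ip: str, group: Group) -> None:
        self.by_ip[ipaddress.ip_address(ip)] = group

    def assign_mac(self, mac: str, group: Group) -> None:
        self.by_mac[mac.lower()] = group          # MAC is only visible on the same L2 segment

    def assign_cidr(self, cidr: str, group: Group) -> None:
        self.by_cidr.append((ipaddress.ip_network(cidr, strict=False), group))
        # longest prefix first, so 192.168.1.0/24 beats 192.168.0.0/16
        self.by_cidr.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def group_for(self, ip: str, mac: str | None = None) -> Group:
        addr = ipaddress.ip_address(ip)
        if addr in self.by_ip:
            return self.by_ip[addr]
        if mac and mac.lower() in self.by_mac:
            return self.by_mac[mac.lower()]
        for net, group in self.by_cidr:
            if addr in net:
                return group
        return self.default

    @staticmethod
    def _matches(domain: str, names: set[str]) -> bool:
        """True if domain or any parent of it is listed in names."""
        labels = domain.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in names for i in range(len(labels)))

    def resolve(self, client_ip: str, domain: str, mac: str | None = None) -> Decision:
        group = self.group_for(client_ip, mac)
        would_block = (self._matches(domain, group.blocked_domains)
                       and not self._matches(domain, group.allowed_domains))
        blocked = would_block and not self.audit_only
        decision = Decision(client_ip, domain, group.name, blocked, would_block)
        self.log.append(decision)
        return decision

    def would_have_blocked(self) -> list[Decision]:
        """Audit-mode report: queries that enforcement would have stopped."""
        return [d for d in self.log if d.would_block and not d.blocked]


def build_demo(audit_only: bool = False) -> ClientPolicy:
    """Constructed setup: a permissive default, a strict group for the TV and the IoT VLAN."""
    permissive = Group("permissive", {"doubleclick.example", "pagead2.example"})
    strict = Group("strict",
                   {"doubleclick.example", "pagead2.example", "tv-telemetry.example"},
                   allowed_domains={"updates.tv-telemetry.example"})   # keep firmware updates working
    policy = ClientPolicy(default=permissive, audit_only=audit_only)
    policy.assign_mac("AA:BB:CC:DD:EE:FF", strict)     # the smart TV, by MAC
    policy.assign_cidr("192.168.10.0/24", strict)      # the IoT VLAN, by subnet
    policy.assign_ip("192.168.0.20", permissive)       # a phone that should bypass the strict list
    return policy
```

Run `build_demo(audit_only=True)` for a while, then read `would_have_blocked()` to see what enforcement would change before turning it on; note that, as the comment below says, some false positives only surface after you switch it on, because not every broken page is a blocked DNS name.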
You need to put your smart TV on a different VLAN.
The biggest risk is not Samsung knowing what someone watched but what devices you have on your LAN.
You'd be hard pressed to find that an auditing mode would be helpful. Even once you hit that big red button, depending on the blocklists you use you will come across false positives that cause issues.
The way I handled this issue for my family and devices is just by having two SSIDs - one with pihole blocking and one without. If it’s interfering with something me or my wife can just switch to the unblocked network temporarily.
Adguard home seems to be better in every way. Not sure if this is a feature though.
I've been using AdGuard Home, which does pretty much the same thing, but is slightly better polished, with things like support for DoH and OSs other than Linux.
https://github.com/AdguardTeam/AdGuardHome
I went from PiHole -> AdGuard -> NextDNS. My patience for tinkering and maintaining wasn't high enough to not just pay someone else to do it :)
I used to use NextDNS, but pi-hole is such low maintenance it makes no sense to pay for a third party service and additional latency to do ads filtering. I set up pi-hole on an Arch Linux for ARM installation on a rPI 3 like 5 years ago and haven't touched it since. Still chugging along nicely.
The big benefit of running a DNS server locally is caching. Using any external provider means you have to go out to the internet for every single request.
With a local server, most requests are fulfilled from the local cache.
Hmmm, my router caches DNS queries.
You can just run something like dnsmasq locally though.
You can run NextDNS on your router to solve this.
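The caching benefit raised above is easy to get subtly wrong, so here is an added example (not dnsmasq or Pi-hole FTL code) of the behaviour a correct local cache needs: an answer is served from cache only until its TTL runs out, the client gets the remaining TTL rather than the original one, negative answers are cached for a bounded time, and the cache has a size limit. The upstream resolver and the clock are injected so it runs offline; the sample upstream is constructed.

```python
"""A TTL-honouring DNS answer cache with an injectable upstream and clock.

Added example, not code from any resolver on the page.
"""
from __future__ import annotations

from collections import OrderedDict
from typing import Callable, Optional

# (rdata, ttl seconds); rdata None means the name does not exist (NXDOMAIN)
Answer = tuple[Optional[str], int]


class TtlCache:
    def __init__(self, upstream: Callable[[str], Answer], clock: Callable[[], float],
                 max_entries: int = 10_000, negative_ttl: int = 60) -> None:
        self.upstream = upstream            # called only on a miss
        self.clock = clock                  # time.monotonic in real use
        self.max_entries = max_entries
        self.negative_ttl = negative_ttl    # how long to remember an NXDOMAIN
        self._store: OrderedDict[str, tuple[Optional[str], float]] = OrderedDict()
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _key(qname: str) -> str:
        return qname.lower().rstrip(".")    # names are case-insensitive; ignore the root dot

    def resolve(self, qname: str) -> Answer:
        key = self._key(qname)
        now = self.clock()
        entry = self._store.get(key)
        if entry is not None and entry[1] > now:
            self._store.move_to_end(key)    # most recently used goes last
            self.hits += 1
            return entry[0], int(entry[1] - now)   # remaining TTL, never the original
        self.misses += 1
        rdata, ttl = self.upstream(key)
        ttl = self.negative_ttl if rdata is None else ttl
        self._store[key] = (rdata, now + ttl)
        self._store.move_to_end(key)
        while len(self._store) > self.max_entries:
            self._store.popitem(last=False)  # evict the least recently used entry
        return rdata, ttl


def demo() -> tuple[int, int]:
    """Constructed run: two lookups of one name within its TTL cost one upstream call."""
    calls: list[str] = []

    def upstream(name: str) -> Answer:
        calls.append(name)
        return ("203.0.113.5", 300) if name == "www.example" else (None, 0)

    now = [1000.0]
    cache = TtlCache(upstream, lambda: now[0])
    cache.resolve("www.example")
    now[0] += 100
    cache.resolve("WWW.example.")
    return len(calls), cache.hits
```

Returning the remaining TTL matters because a client that receives the full TTL from a cache will itself cache the record past the point at which the authoritative server intended it to expire.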
Same except skipping AdGuard.
Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.
I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.
I think my PiHole is up for 3+ years on a Raspberry Pi dedicated to that task. Did not fail once since then, so not sure if "DNS is going down" is really an issue. But maybe I've got survivorship bias.
Living in a North American city with power wires being above ground, I have had so many power outages in the last five years, it was kind of a crazy thing to get used to. My Pi would not deal well with power outages when running through the SD card and so I stopped using it.
I ran it on an old laptop and never had issues. The extra ram and cpu + actual disk hd gave me ~99% uptime even after power outage no sd card corruption. Laptop auto rebooted on crash too.
I've had a raspberry pi and pihole going on the same SD card for approximately seven years now.
I also regularly reboot the pi by simply cycling power.
The solution was fairly simple. Send the linux log files to /dev/null (or whatever it is actually called, i.e. RAM) and disable query logging in pihole.
That's it. Helps greatly!
I live in Vancouver BC, we have a power outage every 1-2 years due to high winds or fallen power poles. I noticed some devices on my home network whilst connected to power have power quality issues too, no doubt a UPS would help here.
What's the concern about power outages? My Pi-hole is back online much faster than my router.
DNS issues during power outages is the least of your problems, as chances are your Internet and all your PCs are down as well.
Also, having two Raspberry Pi for primary and secondary dns is good practice, in case something goes wrong with the main one.
Why not run pi-hole in one of those Kubernetes clusters for Raspberry Pi, and don't forget to set up a UPS for redundant power supply.
Or: in the rare eventuality that your raspberry pi dies, it takes 15 seconds to open your router interface and reset to the ISP DNS. Work smart, not hard.
I dare you to tell my wife how easy it is. I still remember OpenDNS being blocked in France the exact day I went for business trip and me not anticipating it (I didn't remember it was set in pi-hole)
But you don’t have to run pi-hole on a pi. I run it in an Ubuntu Linux container on my Proxmox server.
I run AdGuard Home on the same device as my router, so anything that would take it down would also take down the entire router anyway.
Yeah +1 for NextDNS. It's so easy to setup and manage, and works really well.
DoH is possible on pihole using cloudflared-- https://docs.pi-hole.net/guides/dns/cloudflared/.
> The cloudflared binary will also work with other DoH providers.
I moved to AGH a while ago too.
Is there anything in Pi-Hole v6 that would make someone switch back?
And it's much easier to customize.
- I run it in Kubernetes with multiple replicas behind a load balancer for high availability.
- A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.
- Configuration as code, which gets mounted as a secret.
- Query logs from all replicas forwarded to loki for visualization and performance review.
Switched to AGH too a few years ago because from time to time pi-hole would get stuck upon unplanned reboots of the Raspberry Pis on which I had it installed
Pet peeve: I wish there was an (easy) way of installing Adguard directly on my Dream Machine.
I love AdGuard Home but the single binary container from a Russian company makes me nervous. I may move to building it myself. Is this criticism unfair?
>Is this criticism unfair?
Yes because you judge people by the country they live in. AdGuard has made their stance clear if something like this is important to you: https://www.reddit.com/r/Adguard/comments/t15gr4/announcemen... & https://adguard.com/en/blog/official-response-to-setapp.html
> Yes because you judge people by the country they live in.
This is an extremely uncharitable reading of the preceding comment. The comment is clearly concerned about the national jurisdiction from which the AdGuard binary originates, not the national origin of a human.
American government initiatives against Huawei telecom hardware at critical junctures aren't making a personal statement about Chinese individuals. European regulatory skepticism of American-located cloud services isn't a personal statement about American individuals. Russia and China requiring the on-shoring of data-centers doing business in their internal economies aren't making personal statements about foreigners by doing so.
Whether or not you hold all those governments as roughly equal, none of them mistrusting each others' jurisdictions is "judging people by the country they live in." It is judging the trustworthiness of the governments of those countries. And the people in those countries are inevitably subject to the jurisdictions of the governments that rule them.
If someone actually attacks people on the basis of national origin, have at it, but please don't brow beat individuals for making common-sense risk assessments.
I actually didn't know this. Thanks!
I built it myself for a while but as I mentioned elsewhere, it's now being packaged in the Alpine Linux testing branch. That makes a container image an 'apk add' away.. whether you trust Alpine Linux more or less than the AdGuard Home teams is up to you.
Given that the whole thing is open source and it is possible to build it yourself, I'm willing to give them the benefit of the doubt.
Not that it means all that much, but AdGuard is headquartered in Cyprus, for what it's worth.
> Is this criticism unfair?
Only if you don't trust only Russians and no one else.
I don't trust Iran, North Korea, or China either. It's not hard, I'm an American and it's 2025. These are our adversaries (I didn't choose them) who currently commit cybercrimes against us. Hopefully in 2035 that won't be the case and we can all sing kumbaya.
I hope that you at some point will understand that these are minorities among a huge population that you are talking about.
It sounds like you think that every butcher, barber, dancer, teacher, software dev etc in China is just thinking of how they can hack the US.
Guess what: that's the image propagated by propaganda and very far from the actual truth.
If you don't trust people, study their code and make a formed opinion about it.
This seems like woefully naive virtue-signaling to me. I geo-block all traffic from Iran, N Korea, China and Russia specifically at my clients' firewalls because I have watched the logs and could clearly see IPs from each of these countries attempt connections to American businesses every minute of every day. Try to single out the offending IP and tomorrow it moves to another; you will spend the rest of your days adding to that block list. It is perfectly sensible to block the country entirely; and better yet - as I've made a standard for my clients - block the entire world, and only allow specific countries to talk to your firewall. Then you can add more granular blocks on top of this. If something gets blocked that shouldn't, that's not painful to adjust. I have no doubt there are many fine people in Russia, but that doesn't mean there's a single computer in Russia that has any business talking to mine.
The question is why those specific countries? Do you just assume that all connections made from, say, Netherlands, are safe by default?
Basic statistics. The chance of someone from Netherlands being a state-level hacker is a lot smaller than someone from a Russian IP.
Logically, if Russians would want to infiltrate your organization, they won't do it from Russian IPs directly, but instead do it from cheap proxies, and those proxies are abundant in Netherlands or Germany.
And yet experience shows that GP is correct. The vast majority of malicious traffic originates from those countries IME.
I used to do similar on gaming clans' forums; for local rationalized FPS we didn't want folks with 300+ ping and country blocking was pretty easy (and folks on the forums were either spamming us with porn or trying to become a member). Though since it was forum based I did allow GETs but restricted POSTs etc. vs straight up 0 access.
But if the binary came from US even with some malicious code, it would be OK simply because the origin is different?
>with some malicious code
Obviously not.
I even run Adguard Home on my router that runs opnsense.
What routers are compatible with opnsense? Or does it need a full-blown server/container?
Been happy with my pihole for a few years, and this thread is full of new information for me.
Opnsense is not like OpenWRT, it targets running on relatively powerful generic x86 hardware. Intel CPUs and networking hardware usually work best because of driver support on BSD, but it will work on others. I say "relatively" because even low power old embedded CPUs are more than enough to route at a gigabit or more with lots of firewall rules and services running. Opnsense's cousin Pfsense also has some support for ARM, but that version is only really available on their commercially supported hardware.
Most people either buy a generic box that can be had for ~$250, or recycle an old PC and stick in a network card. You can also buy commercially supported hardware for Opnsense or Pfsense's parent companies, though the value proposition isn't worth it for home users IMO as you will pay a steep premium versus loading up something yourself.
Thanks very much for that. Been thinking about converting an old server to a router + container host for a while.
Look on eBay for old 4 port Intel NICs, you can get em for very cheap and they work forever. Beware Opnsense and Pfsense are based on BSD and you're really not supposed to touch the underlying OS by design anyway, so you will need to virtualize if you also want to host containers alongside.
I bought my router from this site: https://teklager.se/en/products/routers/
They have some guides and stuff that explains the hardware requirements that might be helpful for you.
Pi-hole is such a great tool. I've been running it for a few years on a raspberry pi zero, and am constantly astonished by the sheer amount of cruft it blocks for me.
Congratulations to the team for the release - happy to support you via Patreon!
I have many times clicked an article link on Reddit where everyone in the post comments complains about how the site is so riddled with ads that it makes it unreadable, and all I see is the article with a lot of whitespace.
IT department does not like that, but I had them install Firefox on the machines of my team, so we can install uBlock Origin. People are _amazed_ how the internet does look without ads.
Can’t you just use uBlock for this?
Pihole catches a lot of the trackers and crap coming out of my android tv. On my pc I see it as an extra line of defense after ublock.
Hulu stopped working properly on my Shield after using Pi-Hole, so I guess it was working?
On the pihole subreddit there's a wiki with lists of domains you can whitelist for certain services. I had to whitelist something for xbox live to work.
Yeah, even the paid (non-ad) hulu has trouble if you block its telemetry servers.
You can't use uBlock everywhere, e.g. phones, tablets, TVs.
Pi-hole is a killer application and I've loved it since I got it setup. One other app I highly recommend to run on your Pi in addition to Pi-hole is Nginx Proxy Manager[1].
[1]: https://nginxproxymanager.com/
Do yourself a favor and move from nginx to caddy
Nginx Proxy Manager is a great piece of software!
How so? It has frequent vulnerabilities.
I've been using Technitium for a couple years and been pretty happy with it https://technitium.com/dns/
I moved from pihole to Technitium a few months back because I wanted more DNS features than just adding A and CNAME records.
For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.
I documented that process here in case anyone is interested: https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...
Excellent write-up. As a Tailscale + Pi-hole user you may have just inspired me to switch to Technitium. I’ve wanted that kind of split horizon functionality for years, for all sorts of things!
Technitium is great. Rock solid, plenty performant and it has more features than you'll ever need. Pretty wild when you consider it's being maintained by a single dev.
So have I. I found it more approachable once I started having more advanced configurations.
Switched to Technitium (from piHole via Docker on amd64 and manual dnsmasq before that) primarily for DNS over HTTPS and never looked back. Used it for DHCP and DNS.
I’ve been happy with AdGuard Home on two Pi4s and a little home server for years now: https://adguard.com/en/adguard-home/overview.html
I have some scripts to sync config between them and a Jenkins job if I want to pause blocking on them for a bit.
It looks like https://github.com/mattwebbio/orbital-sync and https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6 now, but it’s quite a bit of code for what looks like just a few HTTP requests to get the config from one using the teleporter feature, then restore it on the others using the same.
A Raspberry Pi with Alpine Linux makes a sweet little DNS server. AdGuard Home is even packaged in the testing branch[0] these days
[0] https://pkgs.alpinelinux.org/packages?name=adguardhome&arch=
Want to highlight https://nextdns.io/ as a similar service, very happy with it
Pihole being a self-hosted service and this being a third party one, I would say the target group is somewhat different.
it's more than that - an app running on your internal network is going to have way better latency than nextdns
However you can't use it on the phone while not at home (aside from using vpn/wireguard), but nextdns allows it.
As for the latency - is it really noticeable?
Latency isn't the important measurement — it's the actual time to resolve. This will be significantly longer than the ping latency.
Unbound, recommended for use with Pi-hole, can be configured to log this by enabling "log-replies" in unbound.conf⁽¹⁾ where the time to resolve will be logged in seconds.
⁽¹⁾ https://docs.pi-hole.net/guides/dns/unbound/
⁽²⁾ https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound...
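The parent's point (resolve time, not ping latency, is what matters) can be checked directly from the lines `log-replies: yes` writes. Added example, not code from the Pi-hole guide or the Unbound docs: a Python parser that assumes the field order unbound.conf(5) documents for log-replies (client IP, name, type, class, rcode, seconds to resolve, from-cache flag, reply size) and reports cache-hit ratio plus median and worst uncached resolve time; the log lines are constructed.

```python
"""Summarise Unbound 'log-replies' lines: cache hits vs real resolve times.

Added example (not from the Pi-hole guide or Unbound docs). Assumes the field
order documented for log-replies in unbound.conf(5): client IP, query name,
type, class, rcode, time to resolve in seconds, from-cache flag, reply size.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed sample, shaped like syslog output from a Pi-hole -> Unbound setup.
SAMPLE_LOG = """\
[1700000000] unbound[1234:0] info: start of service
[1700000001] unbound[1234:0] info: 192.168.0.20 example.com. A IN NOERROR 0.038211 0 56
[1700000002] unbound[1234:0] info: 192.168.0.20 example.com. A IN NOERROR 0.000046 1 56
[1700000003] unbound[1234:0] info: 192.168.0.21 cdn.example.net. AAAA IN NOERROR 0.121544 0 84
[1700000004] unbound[1234:0] info: 192.168.0.22 tracker.example.org. A IN NXDOMAIN 0.065000 0 110
[1700000005] unbound[1234:0] info: 192.168.0.20 example.com. A IN NOERROR 0.000051 1 56
[1700000006] unbound[1234:0] info: 192.168.0.23 slow.example.net. A IN SERVFAIL 2.450000 0 41
"""

# One reply record per line; startup notices and other messages do not match.
REPLY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<name>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<secs>\d+\.\d+)\s+(?P<cached>[01])\s+(?P<size>\d+)\s*$"
)


@dataclass(frozen=True)
class Reply:
    client: str
    name: str
    qtype: str
    rcode: str
    secs: float      # time Unbound took to produce the answer
    cached: bool     # answered from cache, i.e. no upstream round trips


def parse_replies(text: str) -> list[Reply]:
    """Extract reply records; non-matching log lines are skipped."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            out.append(Reply(m["client"], m["name"], m["qtype"], m["rcode"],
                             float(m["secs"]), m["cached"] == "1"))
    return out


def summarize(replies: list[Reply]) -> dict:
    """Cache-hit ratio plus median/max resolve time of the uncached answers.

    The uncached numbers are what to compare against a ping to an upstream
    resolver; cached answers return in microseconds regardless of upstream."""
    uncached = sorted(r.secs for r in replies if not r.cached)
    hits = sum(1 for r in replies if r.cached)
    return {
        "replies": len(replies),
        "cache_hits": hits,
        "hit_ratio": hits / len(replies) if replies else 0.0,
        "median_uncached_ms": round(statistics.median(uncached) * 1000, 3) if uncached else None,
        "max_uncached_ms": round(uncached[-1] * 1000, 3) if uncached else None,
        "by_rcode": dict(Counter(r.rcode for r in replies)),
    }


def slowest(replies: list[Reply], n: int = 5) -> list[str]:
    """Names of the n slowest uncached lookups, worst first."""
    worst = sorted((r for r in replies if not r.cached), key=lambda r: r.secs, reverse=True)
    return [r.name for r in worst[:n]]


if __name__ == "__main__":
    rs = parse_replies(SAMPLE_LOG)
    print(summarize(rs))
    print("slowest:", slowest(rs, 3))
```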
my biggest gripe with NextDNS is not having an ability to add custom blocklists. I'd gladly pay for it even if there was a paid tier with this feature.
It seems you can add domains to the deny list via their api: https://nextdns.github.io/api/#profiles
So at least there's that.
I'm aware of adding domains one by one, but I want to add some lists like the Hagezi Threat Intelligence Feed, which is not available among the blocklists, and these lists have >500k domains.
I'm currently using Blocky as my DNS resolver. It works fine and is super fast because of the fine control over caching, but I'm disappointed with its memory footprint. 400MB for a total blocklist of 1.3M domains
dns latency is the single biggest reason people think their internet is slow imho
I'm currently seeing 12ms latency to my upstream NextDNS server. On my home network I "proxy" it with a forwarding/caching DNS server on my router, so for "the usual suspects", latency is not an issue.
On the go, over 5G, those 12ms won't make much of a difference.
Considering that people deploy PiHole on Raspberry Pi W models, over wifi, you won't lose much running NextDNS, but you gain dns blacklisting on all networks, as opposed to just your home network (or via VPN)
I'm not sure how that could be. Even if it's your first ever request to the host, the latency is a one time thing and then it's cached. Even an extra 100ms for DNS latency is going to be unnoticeable compared to an empty browser cache and having to download a bunch of images
Define latency?
This is my latency (ping.nextdns.io):
■ anexia-cph 13 ms (anycast2, ultralow1)
welp. for every single domain you interact with, you gotta do a dns lookup. visit a modern website like yahoo, cnn, wapo, whatever and that will be like 100 dns requests. your device hits your router, if it has no answer, it recursively goes up the line getting an answer. do that 100 times. that is just for resolution. you still gotta actually hit that endpoint and get whatever it is you are trying to get.
so if your dns is slow, there is a tremendous amount of latency added to virtually everything that you do. just because you can hit nextdns in 12ms does not mean the e2e duration for a single dns-then-fetch is going to be in the realm of 12ms. if nextdns doesn't have the answer it needs to go find it.
I use my local router as a DNS cache/proxy for this exact reason, though I doubt 12ms (or 24ms) will mean much in the grand scheme of things compared to downloading a 25MB webpage which is mostly tracking code and ads.
Yes, if we were in the "good old days" of slim websites, 12ms may be noticeable, but today, with webpages taking up lots and lots of storage that is served with every connection, I seriously doubt you'll notice.
Besides that, every browser and modern operating system will cache DNS records for whatever the TTL from the upstream DNS is set to.
Pi-hole isn't a "service" though. It's just FOSS.
This actually seems rather nice. Not the same as PiHole but I can see its upsides.
One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?
ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or set up PiHole to pass IPv6 and the DNS I want to the device.
> This seems like I have to manually configure each device?
You don't have to (and I assume most users don't), but you can if you want per-device reporting. You just set your router's DHCP server to hand out NextDNS's DNS servers.
That’s a good point, assuming your router allows you to do that.
ATT apparently removed overriding the DNS for IPv4 and IPv6. I had to double check because I thought I could do IPv4 but no.
There are supposedly several options around it to use your own router, but it's not really worth setting up and my speed is slower using a second router.
The routers provided by your ISP are almost always budget crap. Use your own router if you care about your network
I know it’s crap. The network performance is worse with my own router because I cannot just completely ditch the ATT gateway.
Same for me.
I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.
NextDNS is SaaS, you can't self-host it.
Right! When my Pi died, my network didn't look for a backup DNS, so everything became inaccessible. It was weird - probably the classic SD card issue. With NextDNS, while I do use DNS over TLS, if my Synology fails, it just kicks back to regular NextDNS domain name servers.
If only they had a stop blocking function.
NextDNS has not updated its client applications on multiple platforms (iOS/iPadOS/macOS) for several years. Those client applications did have the ability to stop the blocking (or not), but now it's just a toggle that does nothing.
Most of the time when I visit test.nextdns.io it shows as "unconfigured" even though the NextDNS client is installed and configured with a NextDNS profile (and approved in Settings as a VPN provider on these OSes). Sometimes it will work on its own.
I wouldn't recommend NextDNS unless the user is comfortable installing a (somewhat) permanent Profile on these devices with no temporary "off" switch to stop blocking. For me it's important to stop the blocking once in a while.
At least on macOS, there's Little Snitch (paid application), which can subscribe to the same blocklists used by ad blockers and has a working toggle.
They do let you switch it off, it's just a bit buggy sometimes (like having to toggle twice), I know because I use it all the time. https://i.imgur.com/YpSkS93.png
I use Tailscale as my primary interface for handling this. Simple as adding your nextdns id number in the DNS settings and you are done.
Instruct your Tailscale invitees to download the app and voila, simply toggle it on or off as needed.
FWIW, in my years of using NextDNS I think I've needed to do this only twice. On Macs, the menubar app lets you enable/disable NextDNS. The average HN reader can probably automate switching to a non-blocking profile for a given length of time. https://community.home-assistant.io/t/nextdns-integration-te...
> The web interface has been completely overhauled with settings split into Basic and Expert modes. This allows users to customize their experience based on their comfort level and needs.
This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.
I love PiHole.
I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.
- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees
- Blocks ads in ALL apps, not just my browser
- If it's acting up, I can just disconnect from the VPN to disable PiHoling
- Don't have to expose my home IP address and open a port for the world to start banging on
> Don't have to expose my home IP address and open a port for the world to start banging on
Is that really an issue if all you're exposing is the VPN port? Wireguard for instance has industrial-grade encryption. Even open port 51820 should be fine
With wireguard in particular, you're probably not running much risk, as wireguard runs over UDP, and as long as you're not connecting with a correct (recognized) key, it will not even generate a response, so a potential attacker has no way of knowing for sure that wireguard is running on a given port.
I mean, probably not. But I like the idea of keeping everything closed anyways.
I have a script update my hosts file to route domains to 0.0.0.0 and ::0. I get the domains from https://github.com/StevenBlack/hosts.
The point of pihole is to set up blocking on multiple devices though, some of which you don't control like your PC, e.g. smart TVs.
Does anyone know if pihole is ever going to add DoH or similar support natively? I've had such troubles with cloudflared awhile back that I gave up on DoH, but would love to encrypt those queries.
You can insert dnscrypt-proxy inline between PiHole and an upstream server. So it'll work something like the following:
Client --DNS--> PiHole --DNS--> dnscrypt-proxy (localhost) --DoH--> upstream
Not the prettiest but it works.
I’m not sure why I’d ever want DoH, I block as much as I can at my firewall and have a canary domain.
I want my devices to use my defined DNS server on my network, not some ad company (and all tech companies eventually become ad companies)
I want pihole to talk encrypted to the upstream dns server. I don't actually care if my devices talk encrypted to pihole.
I just don't want to leak dns requests to my isp. If there's a way to do this without DoH or DoT, I'd happily learn more about it.
DoT has a standard port, meaning blocking (conforming) requests is simple. DoH uses 443.
Nothing says clients need to conform to the port requirements, but most companies will be lazy and assume 853 will work.
Speaking of not wanting DoH to exist on the local network, does anyone know if there is anything pre-existing that can hook into firewall rules to default deny outgoing traffic and only allow (until TTL expiry) in response to a DNS lookup? That way things cannot bypass your DNS filtering with DoH or hardcoded IPs.
People use DoH/DoT so that their upstream DNS lookups are not transmitted in plaintext across the open internet. You can do this and still run your own DNS server on your network. The parent commenter is asking about Pihole with DoH, which is exactly this.
DoT sure. The whole “tunnel everything over http” is a terrible pattern
Hostile firewalls that block and/or intercept DNS traffic are also a bad pattern, but people don't always control their local network these days. You can't always count on 853 being open. There are valid use cases for both.
it's far easier to control your network than it is to control your devices on that network - far too many closed source devices nowadays, and it's extremely difficult to avoid all of them
Maybe that is true about your devices, and your use cases, on your home network, but that is far from the only use case in the world.
IIRC, there is not a native GUI method for Pihole to talk encrypted to DoH providers. You have to set up a daemon locally and configure via CLI, then set that as your "upstream" DNS provider in Pihole admin.
Obviously the goal is to have your local clients talking to Pihole, but the goal of having remote DNS queries encrypted is to prevent ISP snooping.
Though if you really want to prevent ISP snooping you have all clients using VPN or configure your router to send all outbound traffic to a VPN endpoint.
I've been using https://github.com/DNSCrypt/doh-server for serving my DNS server via DoH for at least 2 years. Only had two issues with it and both were due to lack of maintenance on my part (i.e. not updating the binary for one and then not re-configuring it after I changed configurations for the upstream DNS).
Assuming doh = dns over http
Yes
love pi-hole
we block all meta and X properties from our home network, also ads
and it's self hosted on our own metal
it's a wonderful life
> we block all meta and X properties from our home network, also ads
There's a difference between meta, X and ads?
Good way to teach other members of your house to use VPNs to bypass your censorship regime
I also block Twitter ASN (yes, it is called Twitter ASN), and a whole bunch of IP ranges from not so democratic countries with very bad hostile actors. They don't have rule of law there, so I don't need these.
With regards to X. Blocking it serves as a good reminder to use a proxy, or try and find the source elsewhere (Bluesky, Mastodon). More often than not, these exist.
Finally, if required I can use Tor Browser. No cookies, no profiling, no ads.
Out of interest, those IP ranges that you’re blocking… is that at DNS level or are you doing some firewall-level blocking too?
And do you use any kind of reference for determining which ranges/countries are wise to block or has this just been something you’ve evolved over time?
Great questions.
Currently, I have IPv4 only (will change end of year to dual stack), and to block AS13414 (NetName TWITTER-NETWORK) blocking 104.244.40.0/21 to block x.com suffices. However, if you follow [1] you have a more complete blocklist. In a *BSD you can use cron and curl to update these lists based on whether a change occurred; OPNsense allows the same in their webUI. In that vein, I also have a Tor exit node block list (this is public data), I have a Censys (& Co) blocklist. You name it.
I don't use DNS-based in this instance (I do for example, for porn, cause I have children). I use a firewall-based one in OPNsense. PF (and therefore OPNsense) has a feature called anchors (alias in OPNsense) which basically allows you to use OOP to develop lists.
I'm pretty sure Linux like OpenWrt can do the same, and you can also use DNS-based blocklists. You can even outsource the hosting to e.g. NextDNS. Because these blocklists, whether for firewall or DNS-based filtering, do use some RAM. Back when I started w/this in early '00s this was an issue on my Soekris OpenBSD machine. Nowadays, I assign 8 GB RAM to the VM and call it a day.
[1] https://github.com/platformbuilds/TwitterIPLists
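The cron+curl refresh described above, written out as an added example (not OPNsense's code nor anything from the linked repo) in Python for a raw pf table, which is what an OPNsense URL-table alias becomes underneath. The security-relevant part is what happens between the download and `pfctl -T replace`: every line is validated as a CIDR so an HTML error page or a tampered mirror can never turn into a rule, the list is only applied when its hash changed, and an empty or sharply shorter list is refused rather than silently lifting the block. The table name, URL and file paths are assumptions; the sample list is constructed and includes the 104.244.40.0/21 prefix from the comment.

```python
"""Refresh a pf table from a downloaded prefix list, safely.

Added example, not OPNsense's or the linked repository's code. The URL, table
name and state-file paths are assumptions for illustration.
"""
import hashlib
import ipaddress
import subprocess
import sys
import urllib.request
from pathlib import Path

# Constructed download: comments, junk and an HTML error page mixed in.
SAMPLE_LIST = """\
# constructed sample list
104.244.40.0/21
104.244.42.0/24        # inside the /21 above, collapses away
192.0.2.10             # bare host -> /32
192.0.2.10/32          # duplicate
not-an-address
<html><body>503 Service Unavailable</body></html>
2001:db8::/32          # kept only when want_v6=True
"""


def parse_prefixes(text: str, want_v6: bool = False) -> list[str]:
    """Return a sorted, de-duplicated, collapsed list of prefixes.

    Anything that is not a parseable address or CIDR is dropped, so a broken
    or tampered download can never reach pfctl as a rule. IPv6 prefixes are
    skipped unless asked for (the comment's network is IPv4 only)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments/blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                                  # junk line: discard
        if net.version == 6 and not want_v6:
            continue
        nets.append(net)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def safe_to_apply(new: list[str], old: list[str], min_keep: float = 0.5) -> bool:
    """Refuse an empty list, or one that shrank by more than half versus the
    list currently loaded: a half-served download must not un-block everything."""
    if not new:
        return False
    if old and len(new) < min_keep * len(old):
        return False
    return True


def pfctl_replace_cmd(table: str, path: str) -> list[str]:
    # pfctl(8): -t <table> -T replace -f <file> swaps the table's addresses
    # for the contents of <file> (table must exist in pf.conf as 'persist').
    return ["pfctl", "-t", table, "-T", "replace", "-f", path]


def refresh_table(url: str, table: str, state_file: str) -> str:
    """Download, validate and load; returns what happened for cron's log."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = resp.read()
    digest = hashlib.sha256(data).hexdigest()
    path = Path(state_file)
    hash_path = path.with_suffix(".sha256")
    if hash_path.exists() and hash_path.read_text().strip() == digest:
        return "unchanged"                            # nothing to do this run
    old = path.read_text().splitlines() if path.exists() else []
    new = parse_prefixes(data.decode("utf-8", "replace"))
    if not safe_to_apply(new, old):
        return "rejected"                             # keep the previous table
    path.write_text("\n".join(new) + "\n")
    subprocess.run(pfctl_replace_cmd(table, str(path)), check=True)
    hash_path.write_text(digest + "\n")
    return "replaced"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a cron job would call
    # refresh_table("https://example.invalid/list.txt", "twitter", "/var/db/twitter.txt").
    print("\n".join(parse_prefixes(SAMPLE_LIST, want_v6=len(sys.argv) > 1)))
```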
Interesting thanks for elaborating. I might need to take a closer look at OPNsense.
“not so democratic countries with very bad hostile actors. They don't have rule of law there, so I don't need these.” Time to add the United States to those filters.
meta and X are both heavily censored so I guess it's censors all the way down?
Teenagers know how to use vpns, you know that right?
I'd like to hear more about this. Can you provide an example of censorship on X?
https://en.wikipedia.org/wiki/Twitter_suspensions
Let me put it another way; can you provide some examples of ideas, topics or opinions that are likely to be censored if I posted them on X?
How about blocking links to Signal, allegedly since US Government workers are using it to coordinate responses to DOGE requests?
https://www.forbes.com/sites/dimitarmixmihov/2025/02/17/x-is...
Lots of screenshots circulating of posting the word "Cisgender" being flagged by Twitter. Not sure if they just flag or remove it though, as I don't use Twitter any more.
This has to be a disingenuous request. X is signaling at free speech, while in practice it amplifies or suppresses content the owner agrees or disagrees with.
In my experience Pi hole is a very worthwhile investment. People who used my internet when I had one would remark how much faster it was. Everything in general seems faster, even things that you wouldn't think of. I typically use Brave for browsing which has good ad blocking capabilities, but this adds a whole additional layer.
The only reason I don't use one now is that I travel a lot more so it's irrelevant, and I have to work enough on tools with Google/Vercel/other analytics that it is just very inconvenient.
Regarding smart TVs, I have found that it's better to just use an Apple TV or Kodi box and never connect them to the internet. Having said that, I gave my TV away because I never used it, so this might not be as up to date. A Pi hole will block ads on smart TVs though.
I used to love pihole, but it seems like it's more trouble than it's worth now. Advertisers have wised up and will use the same subdomain for both content and ads. I've also had issues with normal website functionality being broken due to pihole which isn't fun for my wife. It seems mostly useful for blocking background traffic on smart devices, not so much for ads.
Wouldn’t a smart tv do something ... smarter than just using the default dns given to it by the network?
I’m not up to speed on this stuff but I thought pihole only blocked the simplest stuff from devices that play nice?
Why should the programmers of the TV's OS look for edge cases, and do you think the TV makers would give them budget for that? For 90+% of users the standard config of trusting the DHCP server will work fine, and the Pi-Hole users will probably not give them money anyway, and will be dedicated to defeat their workarounds...
I've been worried about companies that make software like this (applications with embedded telemetry or advertisements) starting to do their own DoH-style lookups.
I don't KNOW of any doing it but I can't imagine it'd be too hard for them to do.
> Wouldn’t a smart tv do something ... smarter than just using the default dns given to it by the network?
It could certainly try... but usually you would block that in your firewall. Fixed DNS servers or fixed server IP addresses are tricky because if you ever need to change them, you can't, because you'd need to update the hardware (which you can't since it sits behind a firewall).
It could try to use things like Google's DNS server, but that is easily blocked in your router.
Not a lot that could be done except trusting your (internal) DNS server...
I had an Apple TV connected to a TCL Roku TV and the TV was analyzing video frames from the AppleTV to popup ads suggesting to watch the same content on other streaming services.
I am a beginner and never used Pi-Hole before.
I checked that Pi-Hole can run on a Raspberry Pi Zero as per the GitHub. But would you recommend using a Raspberry Pi 5 with 2 GB or 4 GB RAM instead of a Raspberry Pi Zero? I don't have any Raspberry Pi and I intend to make a new purchase.
The 5 is completely overpowered and overpriced to run Pi-hole. Go with the zero instead.
Lots of great memories using Pi-hole and messing with RPi. I eventually ended up putting my devices on Tailscale and managing DNS through it, eventually using Mullvad VPN as the exit node.
Pretty good interface, and most people just have to connect using the app. Having a virtual network between devices with dedicated IPs is pretty nice too.
The big feature miss for me in this announcement is baked-in support for configuration sync between servers. Redundant DNS is common and it would be nice if pi-hole supported this oob. Making it even better would be an ability to see stats across all synced servers from one location.
I’m using https://github.com/ShiromMakkad/docker-pihole-sync to sync my two piholes. But I haven’t figured out how to get my third pihole (ip-failover) into the loop…
I'm using https://github.com/vmstan/gravity-sync to sync my three piholes but I'll need to find a replacement if I upgrade to pihole v6.
I do something similar to Pi-Hole using plain dnsmasq.
I use two old PINE64 (one with FreeBSD, one NetBSD to make it more fun), and the Ansible configuration downloads https://github.com/ShadowWhisperer/BlockLists and creates a file dnsmasq can use. Which lists from the repo to use is defined as a variable.
Works very well and I feel I can understand what is going on.
Finally a REST API!
I've been waiting for this - I wanted to play around with blocking distractions on various rules, but controlling pi-hole remotely was a huge pain and often didn't work until now.
Have they added more to the existing API? They already had an http API to enable/disable blocking.
Can it do native dns over http yet? Without hacky unbound proxy I mean.
That’s why I switched to AdGuard Home but wouldn’t mind switching back
Not sure if this is the right place to ask, but I've got a semi-obscure DNS question.
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Is this possible in a simple way?
Perplexity thinks so:
https://www.perplexity.ai/search/i-d-like-to-use-cloudflare-...
Please don't spam HN with LLM generated slop. The value of HN is the human discussion, everyone here is perfectly capable of asking an LLM of their choice.
Please don't use AI to write your comments. If I wanted to know what AI thinks I could ask it myself. I read the comments to get feedback from humans.
Edit: OP edited their comment, was previously a very long AI-generated response.
Noted, won’t do it again :)
5+ year development cycle. Impressive! https://pi-hole.net/blog/2023/10/09/pi-hole-v6-beta-testing/
Any details on what HTTPS support provides, other than a TLS connection to the admin dashboard?
That works for me. It means I don't need to relearn everything every year, and the major versions probably won't be riddled with bugs.
Will it block YouTube ads?
I've had the same PiHole rule (for years!) which blocks all the text-splash-over-ads... but it becomes very cat and mouse if you want to block the pre-roll video ads (any rule that initially works... won't for very long).
Instead, use yout-ube.com [insert a hyphen into any URL] and ALL ads disappear.
Short answer: no.
What’s the long answer? Ads are obfuscated across the video stream and served as blobs?
Long answer: also no
give me something c’mon what’s the secret sauce?
Ads are using the same servers as content. So you can't block one without blocking the others with dns only.
Have used pi hole for over 5 years and very happy with it. Most times I use it via phone to manage kids' devices to block/unblock access etc. and this also works quite well. Thank you very much
Ha! I bought a Pi5 as a Christmas present for myself, I've only done some basic setup and gotten sidetracked by other projects - but setting up pi-hole is near the top of my list of sh*t to get done
It's suuuper easy to setup pihole on it. Takes literally 1 curl request and then like 3 minutes.
Nice.
I wish pihole or adguard would add support for changing DNS records based on the query subnet. I believe this is called DNS views.
That way my local devices and wireguard devices can get the correct IP for internal services.
In unbound those are indeed views[1]. I moved from pihole to unbound+nsd a couple of years ago for precisely this use case. Block filters courtesy of[2].
[1]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
[2]: https://github.com/StevenBlack/hosts
I managed this by getting a gTLD (digit-only .xyz is cheapest) for internal-only services and then running a Caddy instance to reverse-proxy to my internal services. I don't port forward or open ports to that Caddy instance, so it's not available externally.
With ddwrt and adguard, it took a while to setup but I can ping all my devices with <hostname>.lan.
I wish pfblocker-ng was as easy to use and polished as pihole. It seems silly to run an extra DNS resolver if I'm already running one on pfsense, but the interface makes it tempting
Came here to give a big THANK YOU to everyone making this project possible.
I have been using Pi-Hole for about 8 years and can't imagine a world without it.
Another big THANK YOU to all list maintainers out there. You're doing an incredibly useful service to the community.
Seconded! I’ve been using it for multiple years and it is extremely good, and reliable.
There are always some features that I wish it had, but ultimately it does a really good job.
It’s easy to take for granted the hard work that goes into creating and maintaining such awesome tools.
If you are on OpenWrt I can recommend checking out unbound and adblock as alternatives (running directly on your router without the need of a Raspberry Pi)
FINALLY. that dev branch was out there forever
Still no wildcard domain support for local DNS.
> We’ve integrated a new REST API and embedded web server directly into the pihole-FTL binary. This eliminates the need for lighttpd and PHP
oh noes!
Ironically their website has been hugged to death.
I don't think you know what irony means.
At this point we should accept the vernacular use of the word as correct.
Maybe you'd better define it as an "amusing twist".
Why is it ironic? They’re not providing load balancing or anything similar
Sorry if the point wasn't clear.
The service/device dedicated to killing connections (blocking dns, whatever) can't/won't serve my connection.
You should let Alanis Morissette know.
Slightly off topic, but it annoys me that protonvpn does not allow split tunnel of DNS to an internal host. It calls this DNS leak protection, which is a good default. But I want to run my own DNS server and I know what I'm doing, and the Proton GUI won't let me.
The GUI app should have a custom DNS option:
https://protonvpn.com/support/custom-dns
I am almost certain that in my previous testing, internal DNS addresses still didn't work. Their "leak protection" blocks it.
I just use dnscrypt-proxy directly.
noice