I am actively using PiHole in my home network with over 8 devices doing around ~30k requests per day. Some highlights:
* By a huge margin the noisiest device is my Android Phone. >40% traffic is coming from just my phone (which is crazy!)
* I have 650,000+ in my domain blacklist and folks complaining about "it doesn't work on pihole" just have taken that tiny bit of error to unblock some domains like "ssl.googleanalytics.com" which break a lot of apps. It took me about 1 day to see what isn't working (ex. the Facebook app breaks if graph.facebook.com is blocked)
* On avg 28% of my requests are blocked and 42% are cached. I am quite sure generally my surfing experience is snappier
--
Things I learned running PiHole:
* How prevalent tracking really is across the web. A lot of apps don't go "online" if Google Analytics is blocked (example: Toggl)
* Manufacturers like Xiaomi are spamming the network with requests - mostly for notification spam
* How amazingly scalable and stable RPi+PiHole is - we ran a workshop with 150+ DHCP leases and nearly a few 100k DNS requests without a glitch. The Pi didn't even heat up a bit
* Smart TVs are freaking noisy. Samsung TV makes ~300 DNS requests in <5 min of startup. Literally every button press in the "smart home" is tracked
> * By a huge margin the noisiest device is my Android Phone. >40% traffic is coming from just my phone (which is crazy!)
I work for a small ISP-for-schools. We had an issue which eventually turned out to be related to a specific version of Snapchat on Android, when its connection back to Snapchat was blocked, it'd try and send a mixture of GET/POST at a rate of 1000s a minute. When you've got thousands of devices doing that, it's like an internal DDoS.
We've had a few problems like this and it always appears to be Android apps...
I wanted to say something positive too, after seeing how the thread went here. No issues from the non-technical users in the household, at all, really. The domains I've whitelisted are mainly one-offs - I haven't whitelisted GA as above and nothing has broken here.
I've ended up using uMatrix and uBlock together on my personal machine as they don't interfere with each other and uBlock has an extra list or two that blocks even more tracking and ads - including all youtube ads. Which is just so satisfying. But other devices (of all kinds) run ad and tracker free, with a faster browsing experience to boot.
So that's no ads on any devices on the network, all running on a pi that is also a media centre, NAS and IRC client. Takes minutes to set up and is regularly updated. I don't get what's not to like.
Thanks. Can you expand on what you mean in step 2?
What is involved in selectively allowing domains to load?
Could you do it if the domain is a completely unrelated string to whatever site you are visiting? (Say for site example.com, it requires something from whwehkhsfasfs.com in order to load)... how does step 2 work exactly in this case? Are you being prompted for a small subset of domains that the page is trying to load, for example?
So, PiHole has a web interface to blacklist/whitelist items, but it's hard to use for debugging as what it "sees" are just a bunch of DNS requests come through (they aren't grouped by page/user - at least in the version I had going).
But in Chrome with uBlock Origin - it very clearly tells you what's happening and you can selectively unblock domains until the page starts working and then turn around and add that domain to the whitelist.
I'm making this sound harder than it actually is, it's honestly just a couple mouse clicks and page refreshes in Chrome with uBlock origin going.
I use the web interface and filter it with the IP address of the device. It will usually show up at the top of the list; then try whitelisting.
Example: my Samsung TV took some effort:
multiple domains were blocked and I had to restart my TV every time, thankfully PiHole has a neat responsive web interface. After allowing 2 domains it started to work or else it wouldn't go online.
Easiest way: check the log to see what was blocked. It's as simple as that.
Happens so infrequently though - the lists are made up of domains you don't typically want to whitelist. Only 133,608 on my lists though, and that's pretty up to date.
I use AdAway on my phone to blackhole ads and trackers. I've seen some weird behavior in certain apps I assume is due to it but I've never had any app not work.
Same thing on laptop. I use a combination of blackholed DNS, a firewall, and uBlock Origin in the browser. Some sites won't work due to poor error handling which is their loss. I've never had a native app not work.
Exactly what my stance is towards sites that 'need' crap to work. My favorite are news sites/blogs whose primary content is text, but display a completely white blank page when the adblocker is up. (some even do this when you disable JS too. why JS is 'required' for displaying any text is beyond me)
3) not all readers just want plain text and there are JS based features that actually appeal to readers.
Things like backgrounded next page loading may not seem appealing to you, but stuff like that does fall into the category of "people actually like this" and not "implemented to intentionally force ads on people".
We use an express server to pre-render our text, which means you can always see the content, but when you strip out JS, you lose a lot of navigation perks.
I fully support you not wanting JS, but don't act like opting to use a ubiquitous tool is somehow either ignorant or malicious.
That's silly. Unless your users are on throttled dial-up inet, and you're trying to feed them several volumes worth of text (a MB or so?), pre-rendering text on the next page is not a good enough excuse. This must mean you are using some large framework to deliver text and present your website. HN seems to be able to deliver tons of text to users without javascript bullshit, why can't you?
Cost, I would imagine. It's there. It's working for most people. The "only people complaining" are those who want to take what you have to offer and stop you from getting advertising revenue for seeing it.
Your argument, whilst full of technical merit and other benefits which you have not mentioned, is perhaps not persuasive enough to those who control the purse strings.
I mean we pre-render our text before it hits the browser. So if you have JS disabled, you still get text.
Also, HN has a completely different userbase than most websites. The biggest complaint about Android in the early days was "it has UI/UX for engineers" (that I personally loved). 99% of people aren't looking for a website experience like HN. Most people WANT some sort of slight flashiness and style. Also, most people don't use noscript. It's a valid tool to use, even if it is abused by some. We still run tests to make sure our total delivered payload is small and monitor accessibility stuff. Just because some sites are built like a dumpster fire using modern frameworks doesn't mean all modern frameworks are bad.
There is a huge difference between "you have completely abused javascript and now I get a blank white page with JS off" and "you've used JS to make interacting with your page much nicer"
I wonder how tricky it'd be to serve a local copy of google analytics code that simply didn't report back to them. Or perhaps just redirect outgoing requests from GA to some internal resource that collects (for yourself instead of google) or drops the data and returns an expected response.
Then there would be no need to unblock their trackers to make websites function.
Due to SSL, it wouldn't be easy: you'd need to have SSL certs for some google.com subdomains, and they'd need to be trusted by every device. Blocking the traffic is much easier.
You're right that you'd need to trust the certificates on each machine, but really, you only need to trust a single CA on each device. With an SSL-replacing proxy you create and give control of a CA certificate and key to the proxy and set it between your computer and the network. It replaces the certificate of any (or some small subset if you want to specifically target) site with its own on the fly. Then it can inspect and manipulate the contents of that communication. If the machine trusts the CA, and the CA trusts the certificate (because it replaced and signed the cert itself.. so not so much trust, but.. you get the idea. You could probably limit it to certs signed by CA known by your browsers), the machines would trust the certificates.
Enforcing use of the proxy could even be automatic if your router supports it. e.g., LEDE can redirect all traffic outbound to WAN on 443 through a specific endpoint (your MITM proxy or pi-hole or whatever).
It might be problematic for guests who have never seen the CA before, but that's what guest networks are for, I guess.
I've seen this technique used by some large multinational and security-sensitive companies to help monitor data egress from their networks. Probably via some overly-expensive software, but the software doesn't have to be expensive. They tend to have better automation systems than your typical home user, though.
However, for a small network, it's fairly straightforward to get a CA certificate onto each device. If it's you or a few people on individual machines, you can add it manually in less than a minute on each. Or for the larger case there are automation tools.
One such open source project for an SSL replacing proxy:
> Write powerful addons and script mitmproxy with mitmdump. The scripting API offers full control over mitmproxy and makes it possible to automatically modify messages, redirect traffic, visualize messages, or implement custom commands
I'm sure there's a way to make this live side-by-side with pi-hole or something similar, but I unfortunately have other things on my plate.. Would make an interesting weekend project someday, though.
The only way to do it is to have admin/root on all the devices so you can install your own SSL root certs and "steal" google's domain internally with suitable certs.
It's my home network, there are devices you can count on your fingers.
Also DHCP lease times by default are in multiple hours on home routers so IPs don't often change.
Also the web interface shows hostnames.
Ultimately, this is going to end badly for advertisers. All ISPs block port 25. In < 5 years, all ISPs will provide PiHole functionality on their networks. "Net Neutrality" is gone. This is going to be glorious. Thank goodness for the FCC making this protection available to the masses.
Web ads are the new spam. In response to email spam, all ISPs blocked port 25 by default. ISPs will ultimately do the same to web ads using traffic prioritization techniques like PiHole.
Users in general aren't sophisticated enough to do this themselves. ISPs will offer it for a price and users will pay more to have ad free internet while simultaneously benefiting ISPs with bandwidth reductions. Some ads will be allowed through of course, but with significant costs associated with the advertising, the volume will be reduced significantly, like the difference between spam email volume vs that of postal junk mail.
If big sites like Facebook decide to fight it in a cat and mouse game, ISPs can hit them with advertising fees directly or throttle their traffic in retaliation for cheating the system. If browsers like Firefox try to defeat it by doing DNS over HTTPS, then ISPs can funnel 1.1.1.1 directly into the trash. AT&T did this and said it was an accident. I'm sure it was more like a test. They are aware of what underhanded scheme Firefox is up to. Mozilla isn't fooling anyone with their "security" cover story.
I have no idea why you think ISPs would do something like that. American ISPs are anti-consumer to the hilt. They've been caught numerous times INJECTING ads into unencrypted http connections. Ads cause ISPs no issue whatsoever. Why would they block ads?
Also, Firefox has excellent extension support for browser-level adblocking. No ISPs I'm aware of do any kind of adblocking. If there is no ISP adblocking around, how on earth could DNS-over-HTTPS be a anti-adblocking move?!
I have no idea how you managed to convince yourself that ISPs are anti-ad pro-consumer crusaders while Mozilla are some kind of evil corporation trying to thwart their efforts. The reality is the exact opposite.
My experience with Pi-Hole is that there are too many sites that detect that their adverts and tracking scripts don't load and refuse to let you in. It's really hard to white-list for a site in Pi-Hole, as it's blocking for the whole network, so finding what domains you need to unblock is quite laborious. Additionally, if you are not around, and a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works.
Personally, I find a browser based advert/tracking blocker add-on to work better.
If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.
I couldn't agree more. Pi-Hole is essentially useless for real world scenarios.
I can't hear these short-sighted comments "it doesn't load with pi-hole? then I just close the tab!"
oh really? that's how easy it is in your world? and then you just don't buy that flight ticket? because that shitty online ticket agent uses third-third-party payment providers etc. whose domain is unfortunately blocked in pi-hole? even one single incident might force you to entirely disable pi-hole. most people can't afford to play around with that until it works.
you can't seriously maintain these block lists yourself. you have to rely on a 3rd party, usually some volunteers - great people btw - but even a huge crowd like them can't make sure that, from time to time, in some part of the internet, in some specific country and language, something won't be blocked by mistake and you are stuck. with a browser plugin, at least you can disable it for that specific case. with pi-hole there is no such feature. i have to disable my browser adblocker at least once a month, because something doesn't load. and it's always off for sites like paypal, because I really want that payment to work and not suddenly screw up the whole transaction.
> Pi-Hole is essentially useless for real world scenarios.
This is a surprising statement because I've used mine at home with 6+ devices and zero issues for almost two years now. It seems fair to say it's not ideal for your needs, but why say something like this that will only deter people from seeing if it works for them?
Same here, I've never even touched the PiHole other than checking stats and doing updates. I've got about 15-20 devices on my network (a few phones, multiple computers, smart TV, Hue Lights, Nest, WeMo, etc). Haven't had a single problem. My Pi just sits there running constantly without even having to reboot it. Can't say the same for any other device that I own.
We're running pi-hole network wide and we just planned a trip with no glitches. The only annoyance (if it's really an annoyance) is clicking on a link in a google search and it's blocked. Go back to Google, realize it was an ad, scroll down a little further and click the real link. No big deal. Nobody in the house is complaining about not reaching sites.
So, yes, it is possible to do this in real world scenarios.
This is my experience as well. I very rarely find sites that don't work because of pi-hole, other than their advertising links.
I can't actually think of a case where I've had to disable pi-hole because a site seemed to have broken functionality. I book flights on Expedia et al all the time.
Every once in a while I want to do competitive shopping, and disable pi-hole for an hour. It's a revelation how much crud shows up (and pops up) when I do.
Not the person you were replying to, but that was unnecessarily mean. Instead of just poking fun at someone else's ignorance, perhaps you can enlighten them?
Parties like Expedia do more tracking and analytics of what you look at, when you look at it and how you look at offers on their site than most of the urls on the pi hole url lists, which are typically referral counting urls (many also just for adult sites), or just for counting traffic. And I wouldn't be surprised if they sell this data too. Not saying they are, but I wouldn't be surprised if they do.
Also since when is giggling mean? The assumption that I intended to be mean, is kind of mean too. This is about the same as somebody saying not to eat sugar yet eating lots of fruit that contain sugars, if somebody says that to you surely you giggle without being mean.
If something's really important you could use your phone with wifi off to get an unblocked version via cellular. It's one more step, but some people may find it to be worth the effort.
Have used a Pi-hole for two years and maybe had to whitelist one or two sites (easily found looking at the log), which was easy using Pi-hole's web interface.
Additionally, you can simply disable Pi-hole for temporary timeframes using the web interface as well, it has options like "Disable for 15 minutes", if you don't want to bother adding things to a whitelist.
I've used all sorts of financial, ordering, etc. sites and generally have not run into an issue. A single credit card site was one of the two I had to whitelist, and it was easy.
> I couldn't agree more. Pi-Hole is essentially useless for real world scenarios.
As a user of pi-hole, I have no issues with small scale implementations (i.e. less than 20 users) but security is more important than access to random sites for personal use in the environments I work in.
It is just for security-prioritized environments.
You wouldn't really be STUCK if you are blocked... you can just point your DNS to another IP (like 8.8.8.8 or something). This is DNS based, so if you don't use the Pi-hole DNS server, you aren't affected.
Agreed, sometimes you just NEED to use a shitty site. I have my main browser specially configured ad free and privacy secure but I always have a backup browser.
The people who build websites aren't thinking about us.
> Additionally, if you are not around, and a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works.
I ran into that issue with some household members, that had problems with certain websites that didn't work. Since I run my own DHCP server (not through pi-hole), what I ended up doing is giving them a different (e.g. 1.1.1.1) DNS resolver for their machine (based on their MAC address), and then installing uBlock Origin for them. That way, they can easily turn ad blocking on/off themselves, while I can still have network-wide adblocking on by default (especially useful for mobile devices).
I used to use a pi hole since YouTube on a Samsung smart TV is horrible; both YouTube and Samsung put ads in the same video (YouTube at the start and Samsung ...whenever). But Samsung injects ads frequently and aggressively. Even short ten minute videos are interrupted at least twice by ads, sometimes a few seconds before a video ends, I mean really?!?
It worked great for a long time but then I changed my setup.
Then I wanted to try Pi-Hole again going through the setup again but the results were very different. For example my Samsung smart TV absolutely refused to connect. It is the same TV, same Pi device, same everything but no network.
Well that just sold me on never buying another Samsung TV ever. How in the hell does Samsung, a device manufacturer, justify inserting ads over content that's not even theirs?
It seems worse for some videos too which made me think it was YouTube but I can't see YouTube inserting ads mid-video or a few seconds before the end of a video. It's local ads too for my small town so it's targeted very precisely to me.
Other crap is resetting the opt-out after a software update. And also putting the agree or disagree checkbox on a separate page than the actual terms you just read. You read it on one page then exit, look at a bunch of terms and scroll to find the matching document that has the agree or disagree checkbox for one of the TOS documents you read. It's a mess.
Never buy a smart TV just buy a monitor without any smarts.
The sound cuts out on it too; you'll miss every few words almost as if it were censoring it.
I'm afraid someday it will not work if it can't update its OS.
What model Samsung do you have? I have been using the KS8000 for a couple years and have only ever noticed the small ad that looks like another app in the home screen. I've never had Samsung ads in 3rd party apps.
I tried to find the model in the menu but I can't see it. It's a 50 inch, 4K, UHD only about three years old. I think it has an OS that's different than what is currently available.
It's quite obvious that it's Samsung ads as mentioned it's constant not at the start of a video like how YouTube would do it. And at odd times as if it injects every five minutes no matter what.
I'm not sure it's 50 inch, UHD, 4K so possibly UHDxxxx something.
It is incredibly annoying to have numerous ads in every video. I even tried to see what was going on using Wireshark but it was beyond my capabilities.
I typically browse the internet with JavaScript disabled by default and rarely come across issues - when I do unless the website is appealing enough to white-list for js I go elsewhere.
I have also found the reader view functionality on iOS to be a godsend when visiting websites, no more cookie notices, GDPR popups or banners taking up 1/3 of the display - bliss!
To me it feels like the number of sources of information has grown exponentially in the past 10 years. So unless you're talking about a service that more or less locks you in (like a mail provider that you can't easily switch) you can find the same information on dozens of sites. Just pick one that either has reasonable ad practices or one that accepts adblockers.
That depends if you are reading original journalism or aggregated journalism. Something from Reuters or AP (or a tweet .. ) might be on hundreds of websites, but look at a list like this, https://www.aldaily.com/media/ , how many of these stories don't really get published elsewhere?
"Original anything" (read unique) by definition doesn't go well with the "just go elsewhere" concept. If you can go elsewhere then it's not that original or unique. Time has no bearing on this.
For "mass content" (aggregation or simply independently reporting on the same topic) you have vastly more choice today. And for unique pieces of information, only available in one place, you would have been just as stuck then as you are now. The uniqueness, not the time is what takes the choice out of the equation.
Yes, but you are part of the tech savvy bubble. That's not a solution for most users who don't want a downgraded version of their facebook/instagram/gmail/etc experience.
> many sites that detect that their adverts and tracking scripts don't load and refuse to let you in
I think I've only seen that once since running pi-hole (which I've done for about six months now), so I assume the rate of occurrence varies widely with what people are browsing. Do you see it a lot on sites with a particular pattern (i.e. pertaining to a certain industry or hobby/interest)?
> and refuse to let you in
I'm fine with that. I doubt the information isn't available elsewhere if I really care about it, and the most insidious stuff I'm blocking tends to be on less important content that I can live without anyway (imgur.com was the final straw that made me install network-level blocking - too many pop-unders, the occasional drive-by install attempt, adverts trying to access my microphone and/or camera, and less worrying but still annoying things like auto-playing audio - if such frivolous sites block me for blocking their ads because they can't police them properly I'm sure I'll live!).
> a family member or co-worker can't get to a site then they have no way to bypass it unless they also know how Pi-Hole works
> Personally, I find a browser based advert/tracking blocker add-on to work better.
Other people is why I run blocking at the network level ATM (as well as on my individual mobile devices). I'd rather deal with the occasional "I can't get into X, oh, it is because of the malware/ad blocker, try somewhere else" conversations than have the tech support load of undoing drive-by installs!
Also, I wouldn't want other people to easily add stuff to my network's whitelist.
Anyone who really objects can always use their own mobile data plan instead of using my network that runs just fine the way I want it to...
Agreed. Sounds like the Pi-hole is working exactly as intended.
As I see it, you have a choice between viewing an ad/malware laden cesspit, or avoiding it. And by installing a Pi-hole, you have already made that choice.
You can also use a remote service like outline.com, paste the url there, and still read the content without the ads and without being blocked by an ad-blocker-blocker, and often even without being blocked by view-limiting paywalls.
That's fine with me too, but doesn't cut it in a family environment. Further, some websites break with an adblocker, even when they don't have ads. E.g. Login with Facebook/Twitter, or some JS heavy sites which happen to have a bad keyword in the name of the file.
> many sites that detect that their adverts and tracking scripts don't load and refuse to let you in
>> I think I've only seen that once since running pi-hole
It used to be a daily occurrence until I whitelisted sites. At least with an addon, my mum can just click the button and unblock and get on with her day.
If pi-hole could have some companion extension to make whitelisting easier that would be great.
This might be unpopular, but I hope Pihole remains untenable for non-technically savvy users. Advertisers and ad-blocking are always engaged in a game of cat and mouse. I'd prefer advertisers to see Pihole as a tiny niche of the market they don't need to seriously work to defeat.
The only way to defeat them would be to self-host ads. Which would actually be a good thing since publishers would now have an incentive to make them as light as possible since it's their bandwidth being used.
Because of how pi-hole works (works on the DNS level), all they have to do is use some CDN domain, which can't possibly be blocked without serious collateral damage.
Yes, but as long as they don't, pihole works beautifully because the ads are killed before they are downloaded, instead of stripped after the download (like with uBlock).
Especially on data capped devices like mobile phones it works wonders.
> Yes, but as long as they don't, pihole works beautifully because the ads are killed before they are downloaded, instead of stripped after the download (like with uBlock).
> Especially on data capped devices like mobile phones it works wonders.
Are you implying that pihole works wonders on data-capped devices such as mobile phones? If the phone is connected to a network with a pihole, it isn’t using the capped cellular service. If it is using the capped cellular service, it isn’t going through a pihole. Am I missing something?
I guess you could also setup your pihole to be externally accessible and then point your phone's DNS at it, though I'm not sure that's a particularly good idea.
> instead of stripped after the download (like with uBlock)
That's quite an erroneous statement, especially given how easy it is to verify.
You can see for yourself by using uBlock Origin along with your pi-hole: your pi-hole will see _less_ network requests with uBO (or any other similar blockers really).
Everything which is blocked by uBO will not be seen by your pi-hole, and this simple observation contradicts your statement.
This is what CDNs are designed for, they allow a few companies to get a monopoly on your browsing data. This is why I prefer uMatrix, it blocks all third party requests, a lot of stuff breaks but it breaks because they're tracking you.
Agreed, I find that self-hosted ads tend to be the least offensive. Even if this changed, and some self-hosted ads were intrusive or malicious, it would certainly be a simple problem to solve: block site X.com and don't visit site X.com
I'm waiting for the next generation ad blockers where a cloud based html rendering engine renders the image of the page to a frame buffer, crops out the article or pictures, compresses them, and sends it to my device.
Hell, you could do a mechanical turk system and pay micropayments to 3rd world employees to crawl ad-infested crap and harvest the content for me (Or better yet, share it for the common good)
>Personally, I find a browser based advert/tracking blocker add-on to work better.
>If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.
I think he's describing a local network ad-blocker that you can control and configure from any browser with a simple extension. This means that you can update rules from any device in your home/office and it would still apply for all devices in your network.
It would be ideal if the workflow could be something more like "click this link" (and pi-hole's GUI would then give you a prominent button to redirect you to an unfiltered version of the last request from your device (or maybe a list, since who knows how many background ones are being silently killed), which would be whitelisted for an hour).
A 1-click option (or maybe 2) is a much better solution for tech-averse users :). And extensions already exist to enable/disable Pi-Hole, the functionality could be expanded to include quick whitelisting.
I would have the same concern, I imagine the Pi-Hole is best for households only inhabited by tech-affine people. I installed the uBlock Origin addon for some family members and even there they can be easily confused when a website breaks due to it (occurs rarely, but it happens). At least there I can easily tell them to temporarily disable ad-blocking by pressing that big uBlock button.
I don't think it would be feasible for me to explain to them how to temporarily whitelist things on the Pi-Hole.
In my experience, most adblock blockers take a lazy approach - it's just a piece of JS loaded together with the main document. So it's ridiculously easy to protect against: just switch off JS with a click and you can read the page in question. Of course it works for documents only - if you need to use an app, things are much trickier and you need to dig up a bit to understand which script you have to block.
Due to bandwidth constraints I surfed with images and JS disabled (safari developer options) and oh my god what an improvement it was. No trackers. No ads. No auto-playing video. No newsletter pop ups. No cookie notices. This was GDPR but I imagine that would be gone on most sites too. I'll probably switch back soon. I long for the speed, the elegance...
This is a very useful skill. I run into a surprising number of pages where invisible elements prevent you from continuing (unintentionally, eg payment forms).
Also that crap on the bottom of every Medium article.
Sending the pihole admin password in a non-https url query string seems like a bad idea. You might argue that your network is 'trusted', but then I'd remind you that this pihole device is designed to intercept all dns on your network, and would be used quite maliciously if compromised.
It's best to just not go to those sites. Never whitelist, it defeats the whole purpose if you care one bit about tracking. If I come across enough links to a site that does that, I add them to my url blacklist, so I never see them again. I wish uBlock Origin would add that feature so I didn't have to maintain my own junky plugin to do it.
Simple phrasing could change this. If the site was deemed "unacceptable", not just "blocked", with no particular detail people would find alternatives (even pick up the phone?). This could be done at both the browser and ISP level, as well as something like Pi-Hole.
> If Pi-Hole had a webpage where you could put in a domain, i.e. cnbc.com, and it went off and loaded the html of that page, worked out all the other domains that html connects to, and then gives you a 'unblock' button to click, that would improve usability significantly, as even a non-techie user could use it.
It kind of already has this. Just tail the log in the web admin, then hit the site in your browser. Unblock the sites that were blocked on that request.
I've been using pihole for a year and have only had one site that refused to load. Was pretty easy to figure out which request it was and whitelist it.
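The "tail the log, hit the site, whitelist what was blocked" workflow from the comments above, as an added example that is not Pi-hole's own code. It parses query-log lines in the dnsmasq `log-queries` format that Pi-hole's log uses (the sample lines, client addresses, upstream and list paths below are constructed) and lists, per client, which names were answered from a blocklist, so you can see at a glance what to review after reproducing a broken site from one device.

```python
"""Find which domains were blocked for one client from a dnsmasq-style
query log. Added example, not Pi-hole's code. The log excerpt is constructed
in dnsmasq's log-queries format; addresses, domains and paths are made up."""
import re
from collections import defaultdict

# Constructed sample of a query-log excerpt (dnsmasq log-queries format).
SAMPLE_LOG = """\
Jul 29 10:15:01 dnsmasq[432]: query[A] graph.facebook.com from 192.168.1.23
Jul 29 10:15:01 dnsmasq[432]: /etc/pihole/gravity.list graph.facebook.com is 0.0.0.0
Jul 29 10:15:02 dnsmasq[432]: query[A] news.ycombinator.com from 192.168.1.23
Jul 29 10:15:02 dnsmasq[432]: forwarded news.ycombinator.com to 9.9.9.9
Jul 29 10:15:02 dnsmasq[432]: reply news.ycombinator.com is 203.0.113.7
Jul 29 10:15:03 dnsmasq[432]: query[A] ssl.google-analytics.com from 192.168.1.23
Jul 29 10:15:03 dnsmasq[432]: /etc/pihole/gravity.list ssl.google-analytics.com is 0.0.0.0
Jul 29 10:15:04 dnsmasq[432]: query[AAAA] ads.example.net from 192.168.1.50
Jul 29 10:15:04 dnsmasq[432]: /etc/pihole/black.list ads.example.net is 0.0.0.0
Jul 29 10:15:05 dnsmasq[432]: query[A] graph.facebook.com from 192.168.1.23
Jul 29 10:15:05 dnsmasq[432]: /etc/pihole/gravity.list graph.facebook.com is 0.0.0.0
"""

# "query[TYPE] name from client" and "listfile name is 0.0.0.0" lines.
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"(/etc/pihole/\S+) (\S+) is (0\.0\.0\.0|::)$")


def blocked_by_client(log_text):
    """Map client IP -> {domain: hit count} for queries answered from a list.

    A block line carries no client, so it is attributed to the most recent
    query seen for that same domain."""
    last_client = {}
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_client[q.group(2)] = q.group(3)
            continue
        b = BLOCK_RE.search(line)
        if b:
            domain = b.group(2)
            hits[last_client.get(domain, "unknown")][domain] += 1
    return {client: dict(d) for client, d in hits.items()}


def whitelist_candidates(log_text, client):
    """Domains blocked for one client, most-hit first: the list to review
    right after reproducing a broken site from that device."""
    per_client = blocked_by_client(log_text).get(client, {})
    return sorted(per_client, key=lambda d: (-per_client[d], d))


if __name__ == "__main__":
    for domain in whitelist_candidates(SAMPLE_LOG, "192.168.1.23"):
        print(domain)
```

Run it against a real log with `blocked_by_client(open("/var/log/pihole.log").read())`; only the names in the returned lists need a whitelist decision, everything else was forwarded or cached.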
I've found that most sites which attempt to block access due to ad-blockers typically do so with a full-page pop-up element which hides the (fully loaded) content underneath. With uBlock Origin it's easy enough to use the element-picker to remove the blocking elements of the webpage.
I'd really really like a simple whitelisting interface too. Sometimes I just need to get shit done for a minute, and then I'd just start blocking again. All or nothing is incredibly frustrating sometimes.
I run a Pi-hole (mostly for my phone and paired with OpenVPN and iOS/MacOS content blockers) and run into the same "problem". My advice is to stop patronizing those sites at all. Just like paywalled articles linked on HN, just stop visiting.
Seriously, just stop. It's the only way we're going to move to something less damaging and invasive than the current ad/data economy.
I should note that I do pay quite a lot for journalism and art via subscriptions, Patreon, Kickstarter, etc, but I'm not going to tolerate sites clogging up search results with paywalled articles or piles of tracking scripts and media downloads.
Why? I've been running pi-hole on the home network for over 2 years already, and indeed sometimes I get complaints about shopping sites not working, but there is always an alternative site that does work so we order there instead. Just last week it even saved us money because it turned out a different site had the same product at a significantly lower price.
Apart from a few non-important edge cases literally every major site works without problems with a pi-hole. I think 'simply stop using sites that refuse to work unless they can track you' is a very valid and workable solution.
> In other words my current smartphone will be unsafe for everyday use after September 2018, but it may have some life left in it by protecting its operating system with some network level security.
I stopped paying attention when I read this.
Pi-Hole is an ad blocker and it is fit for that purpose. No argument from me. However, to give this advice to people for whom device and network security is not a major or even minor concern is frankly dangerous.
Buy an iPhone. Buy a Mac. Keep your Windows PCs updated. Get a mesh WiFi solution that takes care of firmware patches automatically. Run a browser-based blocker that updates in the background without interaction.
These are the low-hanging fruit that should be done long before you are trying to set up what is essentially MITM-as-an-appliance without any paid support or guarantee.
It seems to be primarily targeted at highly-technical people, such as those who might stumble on this article via HN, or who casually frequent websites with "crypto" in their name.
These audiences naturally would have a higher tolerance to technical adoption barriers than the average consumer, which is who your other advice seems to be targeting.
It's pretty simple: buy a device that is supported by the manufacturer for the lifetime of the device. The Nexus 5X was released in 2015, so it's abandoned after three years. The oldest supported iPhone is the 5s, which was released in 2013 and will be supported by iOS 12 which means it gets security updates until at least fall of 2019 (maybe longer).
A straight-from-Google Android phone is out of support after 3 years, while a comparable iPhone is still supported after 6 years.
An iOS device tracks a lot of what you do, especially if you don't opt out of anything iCloud. But the bulk of the tracking is done by one "evil" corporation, who takes the majority of its money from selling devices.
With a normal Android device, you are tracked every step of the way, by apps, by Google, by Samsung and their awful software quality or by random Chinese entities.
If you don't spend a lot of time, an iOS device is the lesser evil when it comes to tracking. An iOS device with automatic app updates turned off, no iCloud, and where you say no to most apps asking for permissions on first run, is pretty locked down.
There are downsides, of course. It's kind of sad that you can't buy a mobile device which is just a network node by default, not a spying machine by default.
Agree with this. Android is unfortunately a bit of a disaster in terms of privacy and security. The easiest security advice you can give to say friends and family would be to just buy an iPhone. As for asking them to buy a Mac - I can list a few dozen reasons why that is also a good idea.
> After four weeks of "leisure mode" for the Pi-hole in my network, this adds up to 12245 DNS queries, of which 7102 were blocked. That's 58%. It's interesting, if not surprising, that six of the top 10 blocked domains come from Microsoft, two from Google, and one each from Amazon and Vungle.com.
If you block Windows telemetry domains and run Windows, naturally those domains will be at the top... I have a lot of blocklists, but I think one of the default ones includes Windows telemetry.
For some reason, I was reminded of the message iOS’s original top-selling ad blocker posted when pulling their app [1]. (TL; DR They felt bad about denying advertisers their revenues.) While the web is gnarly and unforgiving, we’ve progressed—as a culture—in our general treatment of ads and ad blockers.
> People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you're not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you. You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity. Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It's yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head. You owe the companies nothing. Less than nothing, you especially don't owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don't even start asking for theirs.
Wonderful quote. The concept I have been playing with I call "consensual communication". We don't allow people to run up to us and shove food in our mouths, and yet we allow information to be shoved into our minds - and as the quote notes, they have the gall to place restrictions on the object of assault.
> We don't allow people to run up to us and shove food in our mouths
"You can trespass my private roads as you like, you just have to take this new experimental medication and report the results..." - sounds like an intriguing new business model! /s
That's actually close to reality. A lot of US universities have some kind of for-pay drug research going on. Since college kids are notoriously low on cash, they sign up to get injected with something and report the results afterwards.
My university didn't offer it but my sister's did. She made a few bucks getting injected with a trial flu vaccine and reporting if she got sick afterwards.
Personally, it's not primarily about the actual ads, but all the tracking and JavaScript and shady UI patterns.
Somebody trying to tell me I should keep all ads on because ads pay for the content? Fuck that, tracking my every move pays for the content, and I want no part of that, even if I lose access to the content.
The ad industry wired the consumers to expect things for free to begin with, so I don't know why I should feel any guilt at all for trying to block ads and gigabytes worth of unnecessary and often down right malicious JavaScript code.
When I am on home wifi, no ads in my mobile thanks to PiHole. So many apps are filled with ads while on the move. Clearly pihole version of web feels more snappy.
There are apps serving the app ad tiles BEFORE they load real content from their own far-away (by latency) servers.
What we need is for the blog to explain things as nicely as the GitHub repo does - unfortunately, it's a topic that's a bit hard to concisely explain in one line.
Maybe they added it after you read it, but when I read the post they specifically mention it's bad and provide a link to read more on why it's bad.
Sure an alternative would be great but the point of the article is to get up and running with the pi-hole software so they went with the fastest install.
The more realistic fear is what happens if your connection goes away mid-download. While a partial binary won't run, a partial shell script will, and it might just do something bad to your system if you're unlucky.[1]
That said, the chances of your connection crapping out in the second or two it takes to download the average sub-couple-kilobyte shell script is minuscule. The fear is seriously overblown.
I reckon the biggest problem is normalising the pattern.
Piping (https) curl to shell from a site which you were going to trust and download/run software from anyway if they had an alternative method is no less secure than downloading a tarball or .dmg from the same site.
Getting into the habit of piping curl to shell is a bad idea though. It's gonna be easier when you're in a rush to not notice you're copy-pasting "curl -sSL https://install.pi-hole.ru | bash" from some "helpful" forum post...
I’m not sure why Pi Hole doesn’t even maintain a Raspbian apt repo; I’m guessing at least 95% of users use it since it’s the ‘default’ OS for the Pi. Failing that, Debian itself.
Where the hell did this argument come from? “If you don’t personally inspect your .deb you might as well be piping curl | sh?”
You can sign a .deb, there’s a whole infrastructure around distributing PGP keys for repos, and plenty of us do examine .deb files from strange places before installing them (like ok, this package runs a service but with appropriately restricted privileges, or that package just has data in it, and yes, some of us examine the source). And when someone distributes a bad .deb we have the ability to put together the package and its signature to get basically a smoking gun that person X is compromised and their key should be revoked immediately. The thing is, with a .deb you don't actually have to detect everything ahead of time: you can archive the .deb and figure out what happened after you get pwned.
With curl | sh it’s basically impossible. There's no signature, just a bit of TLS at best which is gone to the ether. You can't sign curl | sh and there are some pretty nice attacks which you can use to thwart people who try to read the script sent from the server. I've seen reports of spear phishing attacks sent to otherwise sophisticated developers that use curl | sh as their vector... because curl | sh is fucking perfect for spear phishing. A .deb... is not.
Yes, I absolutely do know people who do this. I know people who accidentally let a GPG key expire and spent some long nights figuring out a way to get the thing trusted again so they could sign .debs, because dammit, THEY sign the .debs not some maintainer somewhere else. I know people who run their own deb mirrors (this is really common! I know SHITLOADS of people with Debian mirrors!). I know people who do everything from control servers that have a minimal set of software, people who run new software in locked down testing servers before wider release. And I know people who are Debian maintainers who actually do review the code that gets built, even if it's not a line-by-line audit. I know people who compile from source and compare executable checksums to see if it matches the official repo, ever since reproducible builds is a thing.
Some of these people are crazy because they're paid to be crazy by a software firm. Some of these people are too crazy for the software firms, they work as consultants and in their free time they're constantly trying to get firmware dumps of their game consoles, phones, and laptops.
And yes, a bunch of these people are on your side. But if you curl | sh it's harder for anyone to help you, including yourself, when shit goes south.
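The mitigation the thread keeps circling (download first, check, then run) as an added example; this is not Pi-hole's installer or any commenter's code, and the URL, the sample script and its digest are constructed placeholders. Because the whole body is fetched before anything executes, a connection that drops mid-download produces a truncated blob that simply fails the digest check instead of a half-run script; a detached signature checked with `gpg --verify` slots into the same place as the digest comparison.

```python
"""Hardened alternative to 'curl ... | bash': fetch to memory, compare a
pinned SHA-256 in constant time, write to a private temp file, and only
then execute. Added example; URL, script and digest are placeholders."""
import hashlib
import hmac
import os
import subprocess
import tempfile
import urllib.request


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against a digest obtained out of band
    (project docs, a signed release note), never from the same URL."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def fetch(url: str, timeout: float = 30) -> bytes:
    """Read the whole body. Nothing runs until the transfer has completed
    and been checked, so a dropped connection yields a truncated blob that
    fails the digest rather than a partially executed script."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def run_if_verified(data: bytes, expected_hex: str) -> int:
    """Run the script only if the digest matches; returns its exit status."""
    if not digest_matches(data, expected_hex):
        raise ValueError("digest mismatch: refusing to run")
    fd, path = tempfile.mkstemp(suffix=".sh")  # 0600, owned by us
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return subprocess.run(["sh", path], check=False).returncode
    finally:
        os.unlink(path)


# Constructed sample standing in for a downloaded installer.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installer ran'\nexit 0\n"
# In real use this value is pinned from a trusted channel, not computed here.
SAMPLE_DIGEST = sha256_hex(SAMPLE_SCRIPT)
# What a connection dropping halfway through the download would leave behind.
TRUNCATED = SAMPLE_SCRIPT[: len(SAMPLE_SCRIPT) // 2]

if __name__ == "__main__":
    # data = fetch("https://example.invalid/install.sh")  # placeholder URL
    print("verified run exit status:", run_if_verified(SAMPLE_SCRIPT, SAMPLE_DIGEST))
    print("truncated blob accepted?", digest_matches(TRUNCATED, SAMPLE_DIGEST))
```

The digest has to come from somewhere other than the server that serves the script, otherwise a compromised host can rewrite both; that is exactly the gap a signature from a key kept off the web server closes.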
> Someone actually reviewing the source code is in a different category entirely, they don't need a download at all.
This isn't an all-or-nothing deal. Just because you read the source code for a package doesn't mean that you can't also download the binary. Reproducible builds give you some additional confidence that something weird hasn't been snuck in through a single compromised machine, and additional confidence that the binary package corresponds to the source code even if you didn't personally build it.
Malicious software is also not the only thing you're looking for, but things like unsafe practices in the code or insecure defaults.
In practice I do review source code from time to time before I install something, and sometimes I decide not to install it after looking at the source.
> Practically speaking the TLS bit is the important thing. Your package signature doesn't offer more in practice.
No, actually, the signing bit is important. You can MITM TLS, and it's easy to miss it if you are not verifying that the cert is from the host you expect it to be from. Meanwhile, the only way signing can be compromised is if the maintainer loses their private key. That's not unheard of, but is much harder/rarer.
Signing says "craftyguy created this package". TLS says "This script comes from pi-hole.net (which only pi-hole approved admins have access to)".
The difference is marginal and uninteresting.
Sure, if you don't care about non-signed or self-signed certificates, then you've got a problem. But that's just the same as not verifying a package signature.
The key piece is whether curl performs hostname verification of the cert, or not. Their ssl certs page is unclear[0] (they go off into the weeds about self-signed certs). If they are not verifying the hostname, then your argument is completely off base since it's basically "you trust a person who signed a thing" vs "you trust a thing you got from someone who has a cert that is trusted by a CA on your system" (and that's pretty trivial to get considering how many 'trusted' CAs distros/OSes ship by default).
In practice the difference is real. Web servers are much more difficult to secure than package signing keys. Imagine, for example, someone gets kicked out of the project and people forget to revoke the developer's SSH key. Or imagine social engineering attacks against the hosting provider. Or think about teams that run outdated and vulnerable blog software on the same server that hosts their curl|sh script.
The difference ends up being substantial once you look at typical web hosting infrastructure. There's a reason why people don't copy code signing keys to their web server.
But, it is known that there are state-level actors which can forge certificates (because they can coerce CAs). This has happened. You may take a moment to consider whether state-level actors are part of your threat model (and not everyone has an answer to that which they like).
I'm not saying that curl|sh is the golden standard for software deployment.
But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".
I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.
I'm not entirely sure what you mean here, are you poking fun at people who put state-level actors in their threat models? Because for some of us, the choice is between ignoring attacks from state-level actors and figuring out ways to mitigate the attacks, there is no third option where the state-level actors do not attack us.
> I just feel triggered by this security absolutism where everything is shit, and unless you're doing an offline multi-way key generation with subsequent physical destruction of the equipment used, you should just shut up and not release software.
Honestly? I feel you've described my complaints with your argument. Security is a matter of degrees, threat models, evaluating likelihoods and potential severity of attacks, weighing the cost of prevention against the cost and likelihood of a successful attack.
The fact is that curl|sh has a lot of problems that a .deb and src .deb signed by some random developer's key doesn't have. It's not some kind of black-and-white world where curl|sh is inexcusable, it's just a world where on the sliding scale of security versus convenience, some of us think curl|sh is just a little too insecure for what little convenience it provides. I would get a headache trying to write the kind of shell script that makes a cross-distro curl|sh work at all.
> But the choice is not really between "curl|sh pi-hole" and "pi-hole in a well-known package archive, with signature". It's "curl|sh pi-hole or no pi-hole at all".
The third choice is to clone the Pi Hole repository from GitHub and build that.
> And the "smoking gun" part is something nobody cares about. By then their systems are compromised.
This is such an obvious falsehood I'm surprised we're even discussing it here. Security is a mix of prevention and detection. The ability to do forensics on compromised systems is important. Sure, it would be better if we could not compromise our systems in the first place but we don't live in some kind of bizarro binary world where if you have a compromised system you have to curl up and die. Life goes on after your system is compromised and it's better to have more information about attack vectors than less.
And realistically speaking, what happens here is some developer's credentials get compromised, the bad .deb gets uploaded somewhere with a good signature, people freak out about it, maybe the developer issues a key revocation, things improve. If you are curl|sh it's that much more difficult.
The problem is that curl|bash isn't authenticated, I don't really know whether the executable I'm getting was really built by the maintainer or if a malicious attacker was able to sneak in and replace it (like what happened with eslint a few weeks ago[1]). Passing off a signed package (as .debs are) as genuine requires getting a hold of the signing key as well, which increases the difficulty of the compromise.
No, it doesn't. We're not talking about the Debian package archive.
We're realistically talking about the hypothetical where a .deb is sitting on pi-hole.net, with a GnuPG key right next to it and instructions to trust this key.
I'm also running it on a VM because I had spare capacity on an existing VM host, so it was essentially a no-cost addition.
Also Pi-Hole has been great. I'm reminded of how effective it is every time I load up web pages on mobile or at work, or anywhere else that doesn't filter out the large percentage of the Internet that I didn't ask to see.
Marginal speed gains (though Pi hole isn’t super resource-intensive so the speed up isn’t huge unless you’re piping through a ton of DNS traffic), and you don’t need a Pi at all :)
I only ever played 2-player super bomberman on the SNES, but it was one of the most fun games I've ever played. Now I've gotta make this possible for / with my kids!
Back in the 90s I read about this new HDTV thing they had in Japan and how they could play TEN player bomberman on it - mind blown.
SNES bomberman 3 I believe actually supports five players (one on joypad port 1 and four more via multitap on port 2). Runs great on Retropie, my nephews love it.
Just got one a month ago. Doesn’t work for YouTube ads, which was my primary use case. In Canada, we don’t have YouTube Red, and thus there’s no way to buy out of the ads.
Also I loaded all block lists marked as safe. Yet many sites are broken.
Now I’m contemplating as to how best to repurpose the Pi.
You'd have to be connected to the VPN at all times to use it. The minute you're not using it, all the Red features disappear, regardless if you have an active subscription or not[0].
So your option is to have an always-on VPN. If you're doing that from your phone, you might as well install NetGuard, which is a no-root open source adblocking solution that MitMs your connections by pretending to be a VPN, and is available on Google Play. Works with YouTube, and doesn't require monthly subscription.
[0] Source: Activated the YouTube Red trial when I was on a travel to the US, and lost all the benefits the moment I landed home.
It says verbatim "However, I do have a problem with: Pop-up and pop-under ads that hi-jack my internet browsing experience".
However, the site itself has a "subscribe" overlay that has to be removed with developer tools or manually blocked if uBlock Origin is enabled with annoyances filters.
Alternative for those who run OpenWRT on their modem/router: you can opkg install adblock, and also get an easy web based administrator interface via LuCI.
I tried pi-hole (a few months back on an rpi3) and am pretty sure it got hacked, making something like 100,000 DNS requests in a few minutes during a low use period. I'd guess that's some sort of advertising impressions hack.
Unfortunately I didn't have time to sort the issue, so can't guarantee I didn't err. But I stopped using it; which was a shame as I really liked the device usage reporting in particular.
Anyone else had similar? Make sure to check your stats.
Why is it based on the Raspberry when it has such a terrible network interface? Literally a 6+ year old board with a dual core and a gigabit interface can do this far better.
Because the pi-hole is a dns server. So it doesn't need to filter all traffic. It just replies to dns requests. And you need a LOT of traffic to completely saturate a 100Mbit link with dns requests :)
IIRC the bus of the NIC is shared with USB which is USB (v2) which is 480 Mbps or about half of 1 Gbps. If you care about throughput, don't use the USB ports when you care about it. But either way, 100 Mbps is more than fine for a Pi-Hole. I'd worry more about any possible latency overhead.
Mostly nitpicking, but it's not gigabit LAN; the interface is limited by the internal bus to 300 Mbps
It doesn't matter if you dedicate it to this single use, you'll see more lag if it's also doing file serving stuff in the background for instance (also because of CPU use, not just networking)
It really seems like the only reason I need this device is that most of my devices are not truly under my control.
The fact that my phone does not have these features baked in and comes with apps that violate my privacy and serve me ads without regard for malware those ads may contain is because my phone doesn't truly obey me first.
Internet without an ad and tracking blocker is unwatchable and unusable at this point. Occasionally I get a taste of it while browsing on the iPhone (unable to edit the hosts file) and it is a nightmare. Advertisers and tracking providers hijacked the web.
I do it differently on my own DNS ad blocker: it returns the IP of my "happy" webserver that always returns `204 No Content`, whatever query you send to it. Of course, there's still the issue of https failing, but I've never had any performance issues - much more the opposite actually.
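The "happy" sinkhole described in the comment above, as an added example (not the commenter's server or Pi-hole's code): a web server that answers `204 No Content` to every method and path, which is what a DNS blocker can point blocked names at so clients get a fast empty reply instead of waiting on a connection timeout. The ad-like paths used below are constructed.

```python
"""A sinkhole web server that answers 204 No Content to every request.
Added example, not the commenter's code; paths below are constructed."""
import http.server
import threading
import urllib.request


class NoContentHandler(http.server.BaseHTTPRequestHandler):
    """Same answer for every method and path: 204, empty body, no caching."""

    def _reply(self):
        self.send_response(204)
        self.send_header("Content-Length", "0")
        self.send_header("Cache-Control", "no-store")
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = _reply

    def log_message(self, format, *args):
        pass  # stay quiet; the DNS side already logs what was blocked


def start_sinkhole(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port.
    A real deployment binds the address the blocklist points at, on port 80."""
    server = http.server.ThreadingHTTPServer((host, port), NoContentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, method="GET"):
    """(status, body) a client sees for a request aimed at the sinkhole."""
    req = urllib.request.Request(url, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    srv = start_sinkhole()
    base = "http://%s:%d" % srv.server_address
    print(probe(base + "/ads/banner.js"))        # (204, b'')
    print(probe(base + "/collect", "POST"))      # (204, b'')
    srv.shutdown()
```

This only helps for plain HTTP. A client that reaches the sinkhole over HTTPS sees a certificate that does not match the blocked hostname and fails the handshake, which is the "https failing" the comment mentions; that failure is still quick, it just is not the clean empty response.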
There's a persistent bug with my Pi-Hole where every time it's active my wife complains that several of the websites she wants to visit are unusable. :-D
Pi-Hole has dnsmasq built in so it is also handy for doing things like connecting to ssh servers in your network with your own hostnames instead of just ip addresses.
I could be on the wrong track here, but the MACE ad-blocker built into the PIA VPN seems to work very well by itself. It's not free like PiHole is, but pretty cheap, and a VPN is probably a better starting point for security than a local blocker. Am I missing something here?
> and a VPN is probably a better starting point for security than a local blocker. Am I missing something here?
Why? A VPN is just another (S)POF. I'm not afraid my ISP will MITM me. With a VPN, who knows what they log or not? Also, OpenVPN's performance is terrible. If you want to avoid detection of BitTorrent, sure, but then just route only that over a VPN. If your ISP MITMs you, and you're paying them, consider jumping ship.
I see uBlock being mentioned throughout this thread. uBlock Origin is (very) nice, but it has client-side overhead and you can't use it on "apps". What I do is catch all DNS requests and forward them to my DNS-based adblocking (I basically run Pi-Hole on an ER-L) and forward that to DNS over TLS (which works with Quad9). This is all used even if I'm roaming (via WireGuard, i.e. very low overhead). So it is irrelevant which network my roaming clients use.
The performance of my network is certainly not terrible when connected to the VPN. Download speed is not noticeably affected and my ping to quake servers (I run VPN all the time, even while gaming) is often lower with the VPN connected.
Regarding your 'why is it more secure' question - because I live in the UK where the government and a myriad of its approved bodies are now allowed to look at user traffic and see my IP and what websites I've visited. I don't have to worry about that now - although yes I need to trust that PIA really are not logging.
The problem with "no logging" policy is you cannot verify it. They can log if they 1) want to 2) mistakenly do so 3) while claiming they really don't 4) are obliged to by (secret) court order (with whatever collateral damage). It's also not anonymous (e.g. correlation attacks). So it seems to be just snake oil to me. I'd rather depend on something like Tor.
Tor is way more secure and anonymous of course, but not at all practical for high bandwidth / low latency applications. Yes you need to trust the VPN that they don't log (your points 1-3). If you trust them not to log, then there is nothing they can reveal under court order (your point 4). It's not snake oil if it does what the seller says it does.
Yeah, that's why I use a VPN; for BitTorrent solely. Which here falls under private law; not criminal law. So the equiv of the RIAA cannot do the correlation attacks whereas (the equiv of) 3 letter agencies can. But the latter don't do private law cases.
I also download over Usenet, over TLS. It's basically impossible to catch those who download over Usenet for copyright infringement since it's again private law, and they don't have the power to sniff my ISP's network (though they'd also see encrypted data flowing from a Usenet server).
I use wireguard with DNS routed to an `unbound` instance on the wireguard VPS. The VPS costs me $1/mo. The only problem I've gotten is when `unbound` crashes because it uses ~400MB of RAM to hold the blacklist and the little vps only has 256MB of RAM (and 1GB of swap)!
Does anyone use Pi-Hole for larger-than-home networks, e.g., for an office, cafe, school...?
Also, it seems like Pi-Hole ought to be a router feature rather than requiring a separate device. Does any router vendor or router OS distro integrate Pi-Hole?
I like the idea of running a Pi-hole, but my crappy ISP provided router is unreliable enough as it is, I don't really want to add a second layer of software that can break. So I'll just stick with UBlock.
I also prefer a blocking list and blocker on each terminal device rather than central on the network. It is unpleasant otherwise to open one's laptop at the library or at a friend's house and be bombarded by ads.
Yeah, this is a valid point. But, you can also just keep something like uBlock installed and just disable it when using pi-hole and then enable it once you’re on something like a public network.
I can recommend to buy your own router instead (e.g. Turris Omnia/Mox or Ubiquiti EdgeRouter series) and put your provider's in bridge mode. If you're from the EU, you might be able to compel your ISP to do just that.
Does anyone have experience with the optional network ad blocker built into the eero? I think it’s an additional charge so I haven’t tried it. Does it use this same rule set?
In my experience, Windows is the worst offender for this. *Nix, macOS and iOS will always prefer the first resolver if all other variables (ping, availability, etc) are equal.
I can't remember the details but something changed in Ubuntu's defaults so that it distributes the DNS calls rather than trying nameservers in order; it can be set to use order preference.
In short, don't assume strict ordering on Ubu, at least.
I bought a Pi exactly for this and couldn't get it to work. It broke YouTube because the commercials wouldn't load. Have you managed to get that to work?
Sorry — didn’t try with YouTube — it was working with Crackle and if I remember correctly the AMC app. That’s odd though because I’m pretty certain it blocks the YT ads on my phone (unless that’s the Purify/1Blocker ad block apps which it may be).
What about path based blocking for https websites?
This DNS-based method isn't really effective except for known ad and tracking domains. I guess most of the time you need to block a certain path and that cannot be known for the case of https except inside the browser itself after decrypting the TLS payload. Also this could break some websites and users don't even recognize this is due to pi-hole. This is why I believe that adblockers at the endpoint like ublock-origin are the most effective way to block ads.
What's the advantage over just using ublock everywhere? Why go to all this effort and include another point of failure in your network when you can just install an extension?
Pihole manages your hosts file which redirects domain names to a configured IP address; a local one when the goal is blocking. It is a bit overhyped but useful when you understand what it's for.
It uses the same lists as uBlock, but only the rules which filter the entire domains. Meaning, uBlock covers a lot more ground and preserves the operability of most websites.
As such, just for browser activity it is a redundant measure.
The difference is, for everything else it affects all your traffic; that is, Android or Windows apps, telemetry, bad content in HTML emails, etc.
If you install it on a router, you can cover all your devices. That can immediately or later cause issues with websites and apps inhibiting usage when ads or trackers are blocked. So you need to be available for whitelisting.
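The mechanism the comment above describes (a hosts-format list of domains mapped to a blocking address, with a whitelist carved out), as an added example that is not Pi-hole's code. The list excerpt, whitelist and queries are constructed. The exact-match lookup is how a hosts-style list works; the optional `wildcard` mode, which also blocks subdomains of a listed parent the way a dnsmasq `address=/domain/` entry does, goes beyond plain hosts-file matching and is included to show why the two behave differently on a site that loads assets from many subdomains.

```python
"""How a hosts-style blocklist turns into a DNS answer: parse the list,
subtract the whitelist, and decide per query whether to answer with the
blocking address or forward upstream. Added example, not Pi-hole's code;
list contents, whitelist and queries are constructed."""
from typing import Optional

# Constructed excerpt in the hosts format most blocklists use.
BLOCKLIST = """\
# Sample list (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 ssl.google-analytics.com
0.0.0.0 graph.facebook.com   # breaks the Facebook app if blocked
0.0.0.0 cdn.tracker.example
"""
WHITELIST = {"graph.facebook.com"}  # user exception, wins over every list
BLOCK_ADDR = "0.0.0.0"               # address handed back for blocked names
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> set:
    """Domain names from hosts-format lines, ignoring comments, blank lines
    and the loopback entries lists often carry at the top."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank, comment-only, or no name
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                domains.add(name)
    return domains


def build_gravity(blocklist_text: str, whitelist) -> set:
    """Aggregated block set: every listed name minus the whitelist."""
    return parse_hosts(blocklist_text) - {w.lower() for w in whitelist}


def resolve_decision(gravity: set, qname: str, wildcard: bool = False) -> Optional[str]:
    """Blocking address if the name is blocked, else None (forward upstream).
    Exact matching is hosts-file behaviour; wildcard=True additionally blocks
    subdomains of a listed parent, as a dnsmasq address=/domain/ entry does."""
    name = qname.lower().rstrip(".")
    if name in gravity:
        return BLOCK_ADDR
    if wildcard:
        labels = name.split(".")
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) in gravity:
                return BLOCK_ADDR
    return None


if __name__ == "__main__":
    g = build_gravity(BLOCKLIST, WHITELIST)
    for q in ("ads.example.net", "graph.facebook.com",
              "news.ycombinator.com", "img.cdn.tracker.example"):
        exact = resolve_decision(g, q) or "forward"
        wild = resolve_decision(g, q, wildcard=True) or "forward"
        print(f"{q:28} exact={exact:8} wildcard={wild}")
```

The whitelist is applied when the block set is built, not per query, which is why a single whitelisted name overrides every list that contains it; it also shows that a whitelist entry must match the exact name the client asks for.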
To think it only costs $100 and a few days' shipping time to get all the benefits of a software ad blocker that anyone can install for free in less than 60 seconds.
Pi-Hole offers more than a simple software blocker, or rather, something a bit different.
Everyone on my wifi or LAN benefits from adblocking. Even guests that are just there for the day. Devices that cannot run adblockers benefit. It doesn't require any installation at all.
And if you bought a compatible raspi plus PSU for 100$ you got scammed pretty hard, I'd pay 40$, maybe 50$, for that combination tops.
Adblockers have been available on the Android and iPhone app stores for a while now.
> And if you bought a compatible raspi plus PSU for 100$ you go scammed pretty hard
I'm quoting from the article, which admittedly uses Australian dollars. But I still don't see a need to pay any amount of money for the benefit of hypothetical visitors who already don't care enough to install a free adblocker on their phone.
I'm sure there are valuable use cases for the Pi-Hole; in a small office environment, or if you fear some very specific malware, or if you really, really want a bulletproof way to block ads in free phone games. I object to the article making it sound like it's something everyone needs in their home, giving no coherent evidence and ignoring the real drawbacks. (The first thing I do when a site doesn't work is try disabling AdBlock Plus; even ignoring anti-adblockers, quite a few poorly-designed sites just break if an adblocker is running. A hardware adblocker that can't be locally or temporarily disabled with a few clicks is a bad idea.)
>Adblockers have been available on the Android and iPhone app stores for a while now.
There are more devices than Android and iPhone, esp. some Android devices with higher lockdown. Additionally some of them either require Root or routing all your traffic through a VPN (either local or to some remote server) which costs battery and bandwidth.
>But I still don't see a need to pay any amount of money for the benefit of hypothetical visitors who already don't care enough to install a free adblocker on their phone.
You're not paying money for those visitors, you pay some cash if you need hardware to run a simple adblocker solution that protects all devices on your network instead of just the ones you can install software on.
>I object to the article making it sound like it's something everyone needs in their home, giving no coherent evidence and ignoring the real drawbacks.
Not quite, in your comment you object to the existence of a software based solution running on any hardware (though preferably on an RPi) over a software solution running in your browser.
The Pi-hole isn't purely restricted to the RPi and can run on a VPS or old laptop you have lying around.
Pi-hole can be easily temporarily disabled and I've done so to disable anti-adblock detectors in the past or debug some DNS issues. It's not hard.
There is definitely some advantage to setting it up for a family, on top of the advantage of protecting visitors, it's set-and-forget; I haven't touched our local pi-hole installation in about two years. It's essentially maintenance free.
I don't block so aggressively that all websites break, the only ones that break are cancer anyway and people begin to use them less so there is no point in giving these websites a free pass anyway.
For anything more I still rely on uMatrix due to finer control.
If you want to object to the average family having one of these you should consider formulating it other than "why buy hardware when I can install software?" because that's neither covering the argument nor particularly convincing.
I installed it on my NAS. No extra hardware cost. The benefit of pi-hole is that mobile devices now have ads blocked too. Also built-in tracking from Windows is blocked.
Software ad blockers don't block in-app ads. And I'm open to suggestions of how to use an ad blocker to keep my Nest thermostat from pinging Google's servers four times a second. Using Pi-Hole, it was a matter of, "WTF is that thermostat doing? <click "add to blacklist">. sigh, I'll deal with it later." [0]
[0] Yes, there are at least a half dozen ways to deal with this w/o Pi-Hole. But Pi-Hole: 1. brought it to my attention and 2. offered a (at least temporary) solution with the click of a mouse.
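The "WTF is that thermostat doing?" moment above comes from watching the resolver's query log; here is an added example (not code from the thread or from Pi-hole) that runs that check over constructed dnsmasq-style query lines, flagging any client whose per-second query rate exceeds a threshold together with the domain it hammers. The timestamps, client addresses and domains are all made up.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed log lines in dnsmasq's "query[TYPE] domain from client" format;
# the reply line is included to show that non-query lines are ignored.
SAMPLE_LOG = """\
Mar  3 10:00:00 dnsmasq[512]: query[A] frontdoor.nest.example from 192.168.1.40
Mar  3 10:00:00 dnsmasq[512]: query[A] frontdoor.nest.example from 192.168.1.40
Mar  3 10:00:00 dnsmasq[512]: query[A] frontdoor.nest.example from 192.168.1.40
Mar  3 10:00:00 dnsmasq[512]: query[A] frontdoor.nest.example from 192.168.1.40
Mar  3 10:00:01 dnsmasq[512]: query[A] frontdoor.nest.example from 192.168.1.40
Mar  3 10:00:01 dnsmasq[512]: query[AAAA] news.example.org from 192.168.1.12
Mar  3 10:00:02 dnsmasq[512]: query[A] ssl.googleanalytics.com from 192.168.1.12
Mar  3 10:00:02 dnsmasq[512]: reply news.example.org is 203.0.113.7
"""

QUERY_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)$"
)


def parse_queries(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, domain, client) for every query line; other lines are skipped."""
    out = []
    for line in log.splitlines():
        m = QUERY_LINE.match(line.strip())
        if m:
            out.append((m["ts"], m["domain"].lower(), m["client"]))
    return out


def noisy_clients(log: str, per_second: int = 2) -> Dict[str, Tuple[int, str]]:
    """Map client -> (peak queries within one log second, most-queried domain)
    for clients whose peak exceeds per_second. Resolution is the log's one-second
    timestamps, so a burst spread across two seconds may be under-counted."""
    per_sec: Counter = Counter()
    domains: Dict[str, Counter] = {}
    for ts, domain, client in parse_queries(log):
        per_sec[(client, ts)] += 1
        domains.setdefault(client, Counter())[domain] += 1
    peaks: Dict[str, int] = {}
    for (client, _), n in per_sec.items():
        peaks[client] = max(peaks.get(client, 0), n)
    return {c: (p, domains[c].most_common(1)[0][0])
            for c, p in peaks.items() if p > per_second}
```

Pointing the script at the resolver's real log (often /var/log/pihole.log on a Pi-hole host, an assumption) gives the same per-device picture the web dashboard shows, but in a form you can alert on.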