[HN Gopher] Setting up a Pi Hole made my home network faster
___________________________________________________________________
Setting up a Pi Hole made my home network faster
Author : pmoriarty
Score : 204 points
Date : 2022-05-29 14:08 UTC (8 hours ago)
(HTM) web link (brianchristner.io)
(TXT) w3m dump (brianchristner.io)
| fareesh wrote:
| I use OpenWRT and Ad blocking on my router - is the pi hole
| solution superior?
| walrus01 wrote:
| for those who want something effective outside of their home
| network...
|
| ublock origin works fine as a plugin in firefox on android, and
| blocks ads just as effectively on firefox on desktop.
|
| the ability to install arbitrarily chosen firefox compatible
| plugins on firefox on android is a huge deal for me. it makes it
| almost as powerful and useful as firefox desktop.
|
| the only time I need to touch chrome anymore is when using some
| rare 1% of online shopping website that seems to think a firefox
| useragent is a bot.
| ggping wrote:
| > I can now block all unwanted Ads and Metrics network wide.
|
| I love pihole - but this is still slightly exaggerated. DNS-based
| sinkholing does have its limitations.
| kayson wrote:
| While the interface may not be as pretty, you can do the same
| thing if you're running pfsense using the pfblocker-ng package:
| https://docs.netgate.com/pfsense/en/latest/packages/pfblocke...
| You can also do geo-based IP blocking.
|
| Combined with pfsense's recursive resolver (unbound), it makes
| for a pretty great home dns setup.
| lousken wrote:
| i am considering pfsense for my homelab setup - can you easily
| troubleshoot issues and whitelist addresses if you need to?
| zeroflow wrote:
| Yeah. You have a live logging tab and can either put the URL
| into a whitelist rule by clicking on the plus icon or
| manually input it into a whitelist setting.
| slickdork wrote:
| I recommend opnsense [0] over pfsense. I ran pfsense for 5
| years and it is great, but there was some bad blood [1]
| between the two projects and the community.
|
| [0] https://opnsense.org/
|
| [1] https://teklager.se/en/pfsense-vs-opnsense/
| lousken wrote:
| I am aware of OPNsense, and while e.g. the GUI looks
| cleaner and seems to have more plugins, when I started
| checking it more in depth I think that pfsense has more
| thorough documentation, and things like traffic shaping
| which I plan to implement seem to be way easier on pfsense
|
| also have you done migration between the two? if so, how
| hard was it?
| technothrasher wrote:
| > have you done migration between the two? if so, how
| hard was it?
|
| I tried the auto-migration in OPNsense (backup from
| PFsense, restore to OPNsense) a couple times. Both times
| it got it mostly right, but whatever it got wrong blocked
| pretty much all traffic and was difficult to figure out
| why because everything looked right. I gave up and stayed
| with PFsense, but figured if I ever really did want to
| switch I would start from scratch.
| zeroflow wrote:
| I've also had to decide if I want to use pfsense or
| opnsense, but for me, the pfblockerNG plugin was what
| tipped the scales in favor of pfsense.
| harmon wrote:
| 867-5309 wrote:
| this is not for the faint-hearted!
|
| Pi-hole is to pfBlocker as a Raspberry Pi is to a custom-built
| router
| pdimitar wrote:
| I know some of these words. [cries in not being network-admin
| educated]
|
| Jokes aside, I'd love a blog post on this. Seriously. Very
| likely to apply the knowledge as well.
| monkellipse wrote:
| Can confirm, pihole is great. I put in two for redundancy, helps
| make sure nothing gets through. No negative impact on network
| perf, as it only touches DNS and plenty fast for that.
| albert_e wrote:
| you have them as primary and secondary for failover?
| 0daystock wrote:
| Won't be long now until IoT and other crap-ware devices catch on
| to this trend and start hard-coding DNS servers in code, or
| worse, using DNS encryption to avoid this sort of routine
| blocking by end-users. I wonder how people are thinking about
| solving this problem.
| DistractionRect wrote:
| I solve this with a DNS based firewall.
|
| Essentially it's just DNS filtering on steroids. You start with
| an empty (or preseeded) ipset, and a firewall rule that says to
| reject/drop all outbound traffic if the destination isn't in
| the ipset. Dnsmasq is setup as the default dns provider in
| DHCP, and it's setup to add all resolved IPs to the ipset (with
| an expiration so stale entries get removed).
|
| Then it's just DNS filtering per the usual. DoH, DoQUIC, DoT,
| etc don't work as their hardcoded IPs are blocked by default,
| and DNS filtering knocks out domain resolution of the
| endpoints. Even if an alternate resolver is allowed through the
| firewall, none of its responses get into the ipset, so it's
| still broken (and is a sign I need to update the DNS filter).
|
| Works a treat on my IoT devices
| BLKNSLVR wrote:
| I really like the concept of this approach, I'd say it's
| worth writing a blog post / article describing the process
| and details so others can duplicate it.
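The allowlist firewall DistractionRect describes, written out as an added example that is not part of the thread or the linked post: dnsmasq pushes every IPv4 address it answers into an nftables set, and the router's forward chain drops any LAN-to-WAN packet whose destination is not in that set. Interface names (lan0/wan0), the 192.168.1.0/24 addressing, the one-hour entry timeout, the file paths and the sample blocklist domain are all assumptions. The `nftset=` directive needs dnsmasq 2.87 or later built with nftables support (older builds use the equivalent `ipset=` directive against an ipset created with a timeout), and the `#` domain is assumed to match every name, as it does for `address=`. Run without arguments the script only prints the two files; `sh dnsfw.sh apply` as root installs them.

```shell
#!/bin/sh
# Added example: DNS-learned egress allowlist (dnsmasq + nftables).
# Assumed names: lan0/wan0, router 192.168.1.1, LAN 192.168.1.0/24.
set -eu

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

# dnsmasq: be the only resolver handed out by DHCP, filter as usual,
# and push every A record it answers into the nftables set below.
render_dnsmasq_conf() {
    cat <<EOF
# /etc/dnsmasq.d/dnsfw.conf (assumed path)
interface=$LAN_IF
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:dns-server,$ROUTER_IP
# Ordinary blocklist entry: empty address answers NXDOMAIN (assumed sample domain)
address=/ads.example/
# Every resolved IPv4 goes into set allowed4 of table inet dnsfw.
# The '#' domain is assumed to match everything, as it does for address=.
nftset=/#/4#inet#dnsfw#allowed4
EOF
}

# nftables: forward chain defaults to drop. Entries dnsmasq adds inherit
# the set's 1h timeout, so destinations nobody re-resolves age out.
render_nft_ruleset() {
    cat <<EOF
table inet dnsfw
flush table inet dnsfw
table inet dnsfw {
    set allowed4 {
        type ipv4_addr
        flags timeout
        timeout 1h
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$LAN_IF" oifname "$WAN_IF" ip daddr @allowed4 accept
        # Hard-coded resolvers, DoH/DoT endpoints and anything else that
        # dnsmasq never answered for end up here.
        iifname "$LAN_IF" oifname "$WAN_IF" log prefix "dnsfw-drop: " counter drop
    }
}
EOF
}

apply_config() {
    render_dnsmasq_conf > /etc/dnsmasq.d/dnsfw.conf
    render_nft_ruleset | nft -f -
    # The table must exist before dnsmasq starts, or its set updates fail.
    systemctl restart dnsmasq
}

if [ "${1:-}" = "apply" ]; then
    apply_config
else
    render_dnsmasq_conf
    echo
    render_nft_ruleset
fi
```

Two caveats a practitioner will hit: the `log ... drop` line is what tells you which device is trying to reach an address that never came back from dnsmasq, and that is the signal that either a device is bypassing DNS or the filter list needs updating; and this only covers IPv4, so an IPv6-enabled LAN needs a matching `allowed6` set (`nftset=/#/6#inet#dnsfw#allowed6`) and the same drop rule for `ip6 daddr`, or devices will simply resolve AAAA records and walk around the allowlist.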
| timbit42 wrote:
| Have your gateway/firewall block all traffic from the LAN IP of
| the device from exiting the LAN.
|
| If it's running on Win/Mac/Linux/Android/iOS, block the app
| from talking to the gateway, or even the entire LAN.
| Group_B wrote:
| One of many reasons why I don't even bother with IoT devices.
| Don't need all this crap to be connected to wifi. There was
| nothing wrong with it before.
| Deritiod wrote:
| It's not crap just because you don't see a benefit.
|
| In my opinion, additionally, being a curious software engineer I
| find it quite interesting.
|
| Necessary? Perhaps not but helpful.
|
| Heating valves for example.
| aksss wrote:
| Not that I'm terribly experienced with it, but a lot of
| home automation can be done without "IoT" -- specifically
| without the crapware Trojan controllers that come with
| consumer solutions from Best Buy. ISY994 for example. Easy
| solutions for remote access via apps (vpn to home) and
| notifications as well. It's not as easy to set up as a plug
| and play controller from Google, but it's far more private.
| Deritiod wrote:
| I include your example.
|
| The definition of iot from Wikipedia also does it.
|
| But honestly why I hate my iot window blinds device it's
| the perfect excuse to use vlan at home.
| dylan604 wrote:
| Can you not just block the specific addresses? Sure, you'll
| probably have to do some log digging to find out which ones,
| but I'm guessing someone else on the internet has already done
| it.
| Gigachad wrote:
| Sure, then the devices throw up an error and refuse to
| function. I noticed that most smart TV streaming apps refused
| to run if they failed to connect to their ad servers.
| zeroflow wrote:
| There is a workaround by enabling NAT and forcing all traffic
| to piHole / pfblockerNG
|
| https://docs.netgate.com/pfsense/en/latest/recipes/dns-redir...
| rsync wrote:
| How does this help with DoH?
|
| If the dns request is over 443 _and_ the DoH server is the
| same host as the served resource, what can be done ?
| jamiek88 wrote:
| Could you MITM and inspect for dns request packets?
| rsync wrote:
| Yes - I postulated this elsewhere in this thread.
|
| The next step in the arms race would then be to implement
| DoHoH.
|
| Sigh.
| lapser wrote:
| This is already happening. The likes of Google Home et al
| already hardcode their own servers. I noticed that no DNS
| requests were being made through my Pi Hole, so when I looked,
| it turned out their DNS servers were hardcoded.
|
| However, I'm more worried about when they start hardcoding DoH
| servers.
| doubled112 wrote:
| Same on DoH.
|
| I can't filter it or redirect it like I can with plain old
| DNS.
| lapser wrote:
| Yes, really the only way would be to set up a MITM proxy on
| your network and enforce all traffic goes through that.
| Also means accepting a CA.
| 1vuio0pswjnm7 wrote:
| Been using this solution myself for a number of years.
| Works remarkably well. I do not even use DNS recursion or
| any remote DNS requests because I can load bulk DNS data
| into the proxy's memory. There is only ever one
| nonrecursive request to a localhost authoritative DNS
| server and the answer is always the same: the address of
| the proxy. Ironically perhaps, DoH outside the browser
| can be used to gather the bulk DNS data, thanks to
| HTTP/1.1 pipelining.
|
| Many years ago I anticipated that "developers" would no
| longer allow end users to choose DNS servers. The
| developers' work, i.e., software, was dropping in market
| value and they began to adopt a Trojan Horse "business
| model". End users could use the software for free with
| the expectation that few would notice/complain about
| increased surveillance and data collection, or injected
| advertising.
|
| The so-called "MITM proxy" is neither a new nor radical
| idea. Corporations routinely "MITM" TLS traffic from
| their networks. Enterprise hardware/software companies
| have provided turnkey solutions.
|
| The issue is not limited to addresses for DNS servers.
| For example, WhatsApp hardcodes IP addresses in their
| mobile app. For that problem I use an application
| firewall.
|
| The PiHole is essentially a slightly modified version of
| dnsmasq running on a RPi. It is funny that no one has
| tried using other DNS software. Given a choice of DNS
| software, I would not choose dnsmasq. It also still seems
| that no one has presented a "PiHole" that uses a forward
| proxy instead of a DHCP/DNS server. Similar to
| corporations, home users need a turnkey solution for
| monitoring their home networks.
| ClumsyPilot wrote:
| "Similar to corporations, home users need a turnkey
| solution for monitoring their home networks."
|
| You'd think that's the job of the router companies - they
| sell you hex-core routers for $390 or whatever, but no
| useful functionality
| willis936 wrote:
| On my router I redirect all outbound port 53 traffic not
| coming from my local recursive DNS server to my local
| recursive DNS server.
|
| The next step in the arms race is DoH. Afaik no one has a
| generic answer to that beyond "treat devices behaving
| hostilely as hostile".
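A quick way to find the devices lapser and willis936 are talking about (clients that ignore DHCP and query a hard-coded resolver, or that speak DoT/DoH to a known public resolver), added here as an example rather than anything from the thread: log LAN-to-WAN packets on the router and run the log through the function below. It reads netfilter-style kernel log lines (the sample inside the script is constructed; a real run reads `dmesg` or syslog), skips the Pi-hole's own upstream queries and queries that correctly go to the Pi-hole, and prints one line per client, resolver and reason. The Pi-hole address 192.168.1.2, the client addresses and the deliberately short DoH IP list are assumptions; the list is the whack-a-mole part and needs maintaining.

```shell
#!/bin/sh
# Added example: spot LAN clients that bypass the Pi-hole.
# Input: netfilter LOG lines such as those produced by a rule like
#   iifname "lan0" oifname "wan0" log prefix "dnsfw-dns: "
# Everything below (addresses, log lines, DoH list) is constructed.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
# Assumed and deliberately short: public resolvers that also answer DoH on 443.
DOH_IPS="${DOH_IPS:-1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112}"

# Constructed sample: .42 falls back to 8.8.8.8, .77 uses DoT/DoH to 1.1.1.1,
# .2 is the Pi-hole talking to its upstream. Lines stand in for real syslog.
sample_log() {
    cat <<'EOF'
May 29 21:00:01 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.42 DST=8.8.8.8 PROTO=UDP SPT=51000 DPT=53 LEN=52
May 29 21:00:01 router kernel: dnsfw-dns: IN=lan0 OUT=lan0 SRC=192.168.1.42 DST=192.168.1.2 PROTO=UDP SPT=51001 DPT=53 LEN=52
May 29 21:00:02 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.2 DST=1.1.1.1 PROTO=UDP SPT=40000 DPT=53 LEN=60
May 29 21:00:03 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=52000 DPT=853 LEN=60
May 29 21:00:03 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=52001 DPT=443 LEN=60
May 29 21:00:04 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.77 DST=142.250.74.46 PROTO=TCP SPT=52002 DPT=443 LEN=60
May 29 21:00:05 router kernel: dnsfw-dns: IN=lan0 OUT=wan0 SRC=192.168.1.42 DST=8.8.8.8 PROTO=UDP SPT=51002 DPT=53 LEN=52
EOF
}

# Reads log lines on stdin; prints "client -> resolver:port/proto reason",
# once per (client, resolver, reason).
find_dns_bypass() {
    awk -v pihole="$PIHOLE_IP" -v doh="$DOH_IPS" '
    BEGIN { n = split(doh, a, " "); for (i = 1; i <= n; i++) isdoh[a[i]] = 1 }
    {
        src = ""; dst = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src == "" || dst == "") next
        # Queries to the Pi-hole, and the Pi-hole reaching its upstream, are fine.
        if (src == pihole || dst == pihole) next
        reason = ""
        if (dpt == "53") reason = "plain-dns"
        else if (dpt == "853") reason = "dot"
        else if (dpt == "443" && (dst in isdoh)) reason = "doh-known-ip"
        if (reason == "") next
        if (!seen[src, dst, reason]++)
            printf "%s -> %s:%s/%s %s\n", src, dst, dpt, proto, reason
    }'
}

# Default: run the constructed sample. "-" reads stdin, a path reads a file.
case "${1:-sample}" in
    sample) sample_log | find_dns_bypass ;;
    -)      find_dns_bypass ;;
    *)      find_dns_bypass < "$1" ;;
esac
```

Ordinary HTTPS to an address that is not in the DoH list (the 142.250.74.46 line) is left alone; that is the limit rsync keeps pointing at in this thread: DoH served from the same host as the content is indistinguishable from web traffic at this layer, and only the 853 and known-IP cases can be picked out of a packet log.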
| chollida1 wrote:
| What is a DoH server?
| thinkmassive wrote:
| DNS over HTTPS
| [deleted]
| guerrilla wrote:
| DNS over HTTP
| vladvasiliu wrote:
| In the case of just using a PiHole, a hard-coded server would
| easily get around it.
|
| But if the network outright blocks random DNS requests, that
| only leaves DoH, which would require fixed IPs, which should
| be able to be detected and blocked, right?
|
| Sure, the setup becomes a bit more involved...
| mnd999 wrote:
| Surely you can have firewall redirect rule that bounces all
| outgoing dns to your Pi hole?
|
| This doesn't work with DNS over https of course.
| jamiek88 wrote:
| I can see people MITM their own https traffic in the near
| future!
| asix66 wrote:
| Actually no. By blocking 53 at your router to anything
| except your pihole, even a hard-coded IP like 8888 is
| blocked.
| cgriswald wrote:
| You'd have to do packet inspection. Otherwise a hostile
| hardware manufacturer could just run their DNS on a non-
| standard port.
| rsync wrote:
| Remember- there is no reason you can't serve DoH from the
| www host (the web server).
|
| So you won't necessarily even get to play this cat and
| mouse game - the dns requests are indistinguishable from
| your web requests.
|
| I _guess_ you could mitm your own ssl traffic and strip out
| dns answers there?
|
| But then ... how soon until we see DoHoH?
| ignoramous wrote:
| > _how soon until we see DoHoH?_
|
| _DoH over Tor_ already exists, but more importantly,
| _Oblivious DoH_ (kind of like DoHoH) is being
| standardized by the IETF:
| https://datatracker.ietf.org/doc/draft-pauly-dprive-
| obliviou...
| cgriswald wrote:
| Unless I understand incorrectly, this doesn't seem to
| make the problem any worse. You'd just have to block the
| proxy rather than the DNS server. Like DoH, only a
| problem if that's also the web server.
| 1vuio0pswjnm7 wrote:
| I believe there was a proposal for something like this a
| while back, before the DoH we see now. IIRC, the idea was
| that DNS information could be contained inside the web
| page, maybe enclosed in a tag. Addresses for ad servers
| perhaps.
|
| Few of these ideas can be expected to work unless Evil,
| LLC controls the program the end user chooses to read the
| web. When an advertising services company is also the
| majority share "web browser" vendor, then ideas like this
| become feasible. Whereas if web users can choose any
| client to access the web,[FN1] then these ideas would be
| non-starters. The open source text-only browser I am
| using is not going to read the IP address of an ad server
| embedded in a web page and connect to it automatically.
| Even if it did, I would simply edit the source code to
| disable that behaviour and re-compile.
|
| 1. In theory they can but in practice they generally
| don't.
| jacquesm wrote:
| Have you tried blocking them explicitly? That might cause
| them to fall back through the advertised ones.
| mmcnl wrote:
| It's already happening, but hardcoding also causes other
| issues. You have to be really big before you can depend on a
| hardcoded DNS server.
| asix66 wrote:
| I couple PiHole with a pfsense router. In pfsense all DNS
| queries are blocked except to my pihole. This thwarts an IoT
| device or streaming devices, etc., from bypassing pihole. Then
| I block known DoH servers on both pfsense and pihole---which is
| not perfect, since it's really a game of whack-a-mole, but
| better than not.
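asix66's setup (every LAN DNS query forced to the Pi-hole, known DoH endpoints refused) as nftables rules for a Linux router, added here as an example; it is not from the thread, the linked post or pfSense. Assumed: the router is on lan0, the Pi-hole is a separate LAN host at 192.168.1.2, nftables 1.0 or later, and a deliberately short set of public-resolver IPs standing in for a maintained DoH list. Port 53 is redirected rather than refused so a device with a hard-coded fallback resolver keeps working, just through the Pi-hole; 853 and the DoH set are refused with a TCP reset, because there is nothing to redirect them to and a fast failure is what makes clients fall back to the DHCP-supplied resolver.

```shell
#!/bin/sh
# Added example: force LAN DNS through the Pi-hole, refuse DoT and known DoH.
# Addresses and interface name are assumed; DOH_IPS is a short placeholder list.
set -eu

LAN_IF="${LAN_IF:-lan0}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
DOH_IPS="${DOH_IPS:-1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, 149.112.112.112}"

render_nft_ruleset() {
    cat <<EOF
table inet dnsenforce
flush table inet dnsenforce
table inet dnsenforce {
    # Resolver IPs that also answer DoH on 443; maintained by hand (assumed list).
    set doh_ips {
        type ipv4_addr
        elements = { $DOH_IPS }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Any LAN DNS query not already aimed at the Pi-hole is rewritten to it.
        # The Pi-hole's own upstream queries are exempt or they would loop back.
        iifname "$LAN_IF" ip saddr != $PIHOLE_IP ip daddr != $PIHOLE_IP meta l4proto { tcp, udp } th dport 53 dnat ip to $PIHOLE_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Pi-hole is on the same LAN as the clients (hairpin), so the redirected
        # query must be masqueraded or the client drops a reply from the wrong IP.
        oifname "$LAN_IF" ip daddr $PIHOLE_IP meta l4proto { tcp, udp } th dport 53 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Plain DNS never reaches here from clients after the DNAT above.
        # DoT and DoH to known resolver IPs are refused; Pi-hole's own traffic is left alone.
        iifname "$LAN_IF" ip saddr != $PIHOLE_IP tcp dport 853 log prefix "dot-block: " counter reject with tcp reset
        iifname "$LAN_IF" ip saddr != $PIHOLE_IP ip daddr @doh_ips tcp dport 443 log prefix "doh-block: " counter reject with tcp reset
    }
}
EOF
}

apply_ruleset() {
    render_nft_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    render_nft_ruleset
fi
```

If the Pi-hole runs on the router itself (the UDM/OpenWrt setups further down the thread), replace the `dnat ip to` rule with `redirect to :53` and drop the postrouting chain; the hairpin masquerade is only needed because the resolver is a separate LAN host. The DoH set blocks resolvers that share an IP with nothing else; a device that proxies everything through one CDN hostname, as gruez describes, cannot be handled by an IP set without also losing the device's own function.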
| n4bz0r wrote:
| > I wonder how people are thinking about solving this problem.
|
| Not sure what potential issues are being mentioned here,
| but I'd say a separate VLAN for IoT devices + QoS [0] should
| rule out most of the concerns.
|
| [0] https://en.m.wikipedia.org/wiki/Quality_of_service
| phillipseamore wrote:
| I already translate all port 53 traffic to my local resolver
| and block known DoH addresses.
| gruez wrote:
| If they're really evil, they'd proxy all traffic through a
| single host (eg. d2v3i0u0qtn52v.cloudfront.net), so you have
| to choose between no IOT features, or getting subjected to
| all the ads/telemetry.
| rsync wrote:
| No - as I've said upthread, the real evil is running DoH on
| the www host.
|
| Now what ?
| everdrive wrote:
| > so you have to choose between no IOT features
|
| I'll bring out the fainting couch. These devices are enough of a
| poison pill that you're better off without them. You can
| probably block them with Pihole, but you're one update away
| from either circumventing the Pihole, or breaking your IoT
| device because something got changed on the manufacturer's
| end.
| gruez wrote:
| At that point you're better off not connecting the device
| to the internet at all.
| bee_rider wrote:
| I think we might be at that point currently.
| teeray wrote:
| DNAT ftw
| anthropodie wrote:
| You solve that by not buying such crap-ware. You buy open
| hardware systems.
| ghostpepper wrote:
| I would love if there was an open 4K HDR TV but I think only
| a very niche audience actually cares about this so most
| manufacturers will not see a market opportunity
| ctur wrote:
| For those not wanting the overhead of running a service on your
| network, NextDNS sells what is basically managed pihole. I've
| used it for about a year and have been very happy. It also lets
| you use it on mobile devices for when you aren't on your home
| network.
| jen729w wrote:
| Very slick try-before-you-buy experience. And excellent,
| realistic pricing. I'll be giving this a go.
| notRobot wrote:
| +1. Been using it for a year too, highly recommend!
| nukemandan wrote:
| you can configure to use a self hosted DNS. I do this coupled
| with a VPN that was very easy to install and configure:
| https://dietpi.com . this VPN I access with ddns for free.
|
| only fixed cost was the pi to run it on (pi version 1 RAM is by
| far enough for just pihole + unbound)
| sphars wrote:
| I moved to NextDNS after my SD card died on my Pi. One of the
| biggest features is that I can enable this on my phone using
| Android's Private DNS feature, which means it works for mobile
| data without having to run a VPN. Covers all networks with no
| extra configuration. Highly recommend.
| quyleanh wrote:
| I would like to use Adguard Home instead of Pi Hole for better
| upstream DNS query.
| 2OEH8eoCRo0 wrote:
| I prefer Adguard as well.
| NelsonMinar wrote:
| I use the free level of NextDNS. Not self-hosted, for better
| and worse.
| vladvasiliu wrote:
| What do you mean? What's wrong with PiHole's upstream queries?
| beebmam wrote:
| If only it were possible to buy a Raspberry Pi at MSRP!
| prometheus1909 wrote:
| I keep seeing posts about Pi Holes and it looks good, but I have
| previously dealt with ads by appending their delivering sites to
| my /etc/hosts, i.e.
|
| 0.0.0.0 trashsite1.com
|
| 0.0.0.0 trashsite2.com
|
| The only downside I see is that my approach is not network-wide.
| Any other reasons I should reconsider?
| mFixman wrote:
| Similarly, why is PiHole better than using a browser ad-
| blocker?
| majkinetor wrote:
| You should have both. One is for network wide effects, so
| anything on your network will have ads blocked (smart TV,
| projector, phones etc.), another is for youtube and friends.
| makeitdouble wrote:
| If you're willing to add and maintain an ad-blocker in every
| single of your browsers (and potentially your family's) and
| don't care about non browser apps it's virtually the same.
| eyluo wrote:
| My understanding is that PiHole stops the ads from being
| downloaded in the first place, hence the increased network
| performance.
| dserodio wrote:
| uBlock prevents them from being downloaded too
| aulin wrote:
| ublock only works inside Firefox on mobile, this blocks
| most ads in every app, smart tvs, iot devices
| newscracker wrote:
| I don't know how you maintain your hosts list, but with a
| solution like pi-hole, you can easily subscribe to multiple
| blocking filters and have them update periodically without any
| intervention. Of course, you could automate your hosts update
| too, but pi-hole comes with this built-in.
| user3939382 wrote:
| There's an app for macOS called Gas Mask that helps you
| manage these lists easily
| pcl wrote:
| Probably the biggest two selling points are the crowdsourced
| deny list and the fact that all types of devices will benefit,
| including "smart" TVs etc.
| otachack wrote:
| Like you said, convenience of propagating the blockage to all
| devices, a central place for configuration, stats/diagnostics
| built into PiHole dashboard. I do like your DIY approach,
| though!
| jasode wrote:
| A big limitation with _/ etc/hosts_ is no support for
| wildcards.
|
| Previous subthread about it:
| https://news.ycombinator.com/item?id=22535387
|
| (But it doesn't look like wildcard pattern matching works for
| the substring middle part of the string like your
| example.)
| neurostimulant wrote:
| Not sure about now, but before I was using pihole, I was using a
| hosts file to block ads and found a significant increase in
| network latency. Turns out the huge hosts file significantly
| increased DNS lookup time on my system (>1 second).
| more_corn wrote:
| This is essentially what pihole does, but automatically, using
| shared lists of ad networks (you can add your own easily). And
| it's available to things on your network where you can't or
| don't want to edit /etc/hosts (My smart tv used to love to shove
| ads in my home screen)
|
| It's an elegant and efficient way of taking back control of
| your network and the content It shows you.
|
| I run it on a pi zero w with a little wooden case and a low
| power phone charger (500mA). I Velcroed it to my router.
|
| I highly recommend that everyone do it.
| russellbeattie wrote:
| You'll need to make sure that you block popular DNS IPs like
| 8.8.8.8 because some devices (like Amazon's Fire Tablets) hard
| code the DNS address as backups.
| [deleted]
| hackerbrother wrote:
| Side note- Pi Hole's client activity graphs are great for seeing
| how much you slept at night, or how long you've been out of the
| house!
| godelski wrote:
| Every time I've tried pihole it has failed on services like
| YouTube. Can someone explain this to me and how I solve it? I
| know it's not just me, it even happened to Linus Tech Tips but I
| constantly hear responses "works for me" which are unhelpful. If
| ublock works fine, why can't pihole? I'm actually interested in a
| technical answer.
| doliveira wrote:
| If Linus didn't bother to clarify the reason that must have
| been a pretty bad video.
|
| PiHole works at the DNS level, it can't block things if they're
| served from the same domain
| datfrojo wrote:
| Pihole only works if ads are served from a distinct domain name
| from content. This works in most cases but YouTube serves ads
| and content from the same place so pihole can't prevent. As
| uBlock works client side it does not face this limitation
| ziml77 wrote:
| PiHole blocks at a DNS level, uBlock blocks down to the page
| element level. If the ads are coming from the same domain as
| actual content, a DNS block can't be used since you'd be
| blocking the content that you're trying to view.
| anthropodie wrote:
| PiHole works by blocking domains. Few years ago it was like
| youtube.com served videos and ad.youtube.com (just an example)
| served ads.
|
| Back then you could simply block ad.youtube.com and there would
| be no ads but today Google is serving ads via their main
| domain. You can't block ads unless you block youtube.com.
|
| So now no DNS based adblocker can block YouTube ads. uBlock is
| the only option which works inside browser only.
| codemac wrote:
| I found this basically _only_ helped for laptops.
|
| Our phones and smart devices all use either DoH or hardcode a
| specific DNS resolver. I haven't spent the time going all the way
| down to re-routing all port 53 traffic, but I doubt it'll do
| much.
|
| To me the future of the home network is largely dead as long as I
| can't reasonably manage the software on these devices.
| goodburb wrote:
| Hardcoded devices/software is a very good point, not sure why
| the text is faded/downvoted.
| Gigachad wrote:
| Proprietary software and hardware is malware. Stallman told us
| this decades ago.
| cassianoleal wrote:
| > Our phones and smart devices all use either DoH or hardcode a
| specific DNS resolver
|
| My phone uses whatever DNS I configure it to use. When I'm at
| home, it uses my PiHole.
|
| If you mean individual apps going their own way, that's a
| different problem.
| amq wrote:
| A hosted alternative to pi-hole which will work wherever you go,
| also with a smartphone on mobile data: NextDNS.
| anthropodie wrote:
| If you liked PiHole I think you will like AdGuardHome more!
| jrmg wrote:
| _Like any other project I run everything in a Docker container,
| and this project should be no different._
|
| What is the advantage of this in this case?
| dspillett wrote:
| > What is the advantage of this in this case?
|
| Not specific to PiHole, but perhaps keeping the OPs
| infrastructure management consistent may have monitoring and
| maintenance benefits.
|
| And specifically mentioned in the _very next sentence_ :
|
| > The Pi Hole project already has a nice Docker project
| utilizing compose.
|
| It is a supported configuration for PiHole so it fits in
| nicely, no need to even produce their own docker based
| solution.
|
| Not much of a docker user myself (I've tinkered, and we use it
| for some things in DayJob, but for my own stuff I use VMs or
| occasionally LXC if I do want a container instead), but the
| answer to your question was really quite obvious.
| rektide wrote:
| > _What is the advantage of this in this case?_
|
| That you can manage & think of this machine
| (program/process/container/vm) the same way as every other
| machine & don't have to ever ever ever ask "what should i do in
| this case?" or "what's right for this case?" because it's a
| unified answer that works well & operates the same everywhere.
|
| Uniformity & no special cases. Death to pitiful old ways.
| hinkley wrote:
| My experience is that as long as a rule has only one
| exception, people are pretty good at keeping on top of them.
| But that always leaves you the question of whether you want
| to burn that exception on the current project or save it for
| something better. Which then makes you very nervous when your
| coworkers start getting clever ideas and trying to volunteer
| (over-engineered) things as the exception. In the same way
| the best leaders often didn't want the job, the best
| exceptions are the ones you accept grudgingly, not
| enthusiastically.
|
| Much more recently I realized that this phenomenon of One
| Rule, One Exception falls under the umbrella of - or perhaps
| explains the effectiveness of - the Rule of Three. Two
| exceptions are bad, and work is partially pre-empted to
| correct that problem.
| NegativeLatency wrote:
| Specifically relating to pihole (as of previous versions) it
| wasn't the cleanest install uninstall experience and left a
| bunch of crap behind on my system.
|
| I now run it in a docker container because of this, but I can't
| speak to OPs motivations
| mmcnl wrote:
| I run everything in a Docker container because I have 50+
| services running, and I don't want to spend any time on their
| inner workings. I truly couldn't care less. I only manage the
| access layers (configuration parameters, volumes, ports and
| reverse proxy). Using Docker every application is the same
| from a management perspective.
| ocdtrekkie wrote:
| Any special setup amongst your network takes excess work to
| maintain. In the case of Pihole, I gave up on maintaining it
| because I was running it on a Raspberry Pi, and found that it
| was annoyingly hard to keep a Pi running stable for a long
| period of time.
|
| Had I a convenient way to set it up in a Docker container, it
| would've been better. Of course, since I don't run anything in
| Docker at home, that would also constitute a special setup I
| have to maintain.
| BrandoElFollito wrote:
| I do disaster recovery tests for my home lab from time to
| time. This is bare metal recovery (from empty hardware).
|
| - I download the ISO for my system (Arch Linux)
|
| - I install it on a drive
|
| - I install docker and a (very) few other things
|
| - I recover /etc/docker and data from a backup
|
| - I run my docker-compose
|
| - the server is up
|
| Time: around 30 min to 1 hour without any documentation.
|
| For me - THAT is the real power of docker.
| mmcnl wrote:
| In short: the power of declarative configuration management.
| Way less error-prone than imperative shell scripts.
| goodburb wrote:
| You can get similar/higher speeds without ad-blocking by using
| DNSmasq's "all-server" with at least two upstream servers for
| forwarding.
| ferminaut wrote:
| I know some folks are anti Ubiquiti Unifi on here, but you can
| run pihole (along with a bunch of other stuff) right on a
| UDM/UDM-Pro. IMO it makes the most sense to run this on the
| router, and you can run it in a docker container. If you're
| looking for a fun hour or two project, check out:
|
| https://github.com/boostchicken-dev/udm-utilities/tree/maste...
| pcl wrote:
| I run a PiHole and a Tailscale exit node on my Unifi routers
| (previous generation). The Tailscale exit node lets me do both
| site-to-site VPNs and site-specific egress. The one thing
| keeping me from site network nirvana is that I haven't quite
| figured out how to set up a wifi network on the Ubiquiti device
| that routes all traffic through a given other exit node,
| however. Someday!
| fossuser wrote:
| I just setup tailscale yesterday to access a local urbit node
| and it's seriously great!
|
| They really solved what has always been a major pain with
| local hosting and made it really easy to use.
|
| I ended up using NextDNS over pihole, but only because it was
| just easier to get the same result.
| [deleted]
| para_parolu wrote:
| I have another point of view as a non-pro user. The less my
| router is doing, the better. I want my router software to be as
| simple as possible to reduce possible bugs. Plus I want it to
| put all CPU time into processing packets. I would consider
| using pihole-like functionality if it's baked into the firmware.
| But I definitely don't want to install extra software.
| asdkhadsj wrote:
| What sort of cost is associated with pihole, with respect
| mostly to very latency sensitive things like competitive
| gaming. Is it problematic?
| BrandoElFollito wrote:
| You will not have any extra latency once the DNS resolution
| is done.
|
| The resolution has to be done a way or another, by default
| this is your ISP and they usually suck. I had hand-picked
| DNSes before (there is a utility that tests plenty of them
| from your connection) and after adding a pihole on a simple
| RPi it was even faster.
| more_corn wrote:
| No expected impact. If for some insane reason a game is also
| calling ad servers your performance will be improved.
|
| Consider the case of a web page. The content you want (the
| news article) consists of say 100 get requests totaling 1mb.
| The content you don't want (ads) consists of 120 get requests
| totaling 1.2mb.
|
| When pihole is in use the content you want does not have to
| contend with adversarial content. You have half as many
| requests, there's 50% less data in the pipe, you get what you
| wanted faster.
|
| Gaming is not impacted because your games don't call
| advertising servers. If they did (for some insane reason) the
| real game requests get served immediately not having to wait
| in line behind the ad content.
| [deleted]
| milgrim wrote:
| There should be no cost. Which game will constantly use DNS
| to resolve addresses after being launched?
| Brybry wrote:
| I caught a bug related to this in Project Zomboid in an
| early multiplayer version.
|
| Often when someone joined a server there would be a tiny
| bit of lag for all of the users.
|
| I figured out the server was using a java method that
| indirectly was doing a blocking DNS lookup. I think it was
| reverse DNS but I forget which method it actually was, and
| if it was blocking the main thread or just the networking
| thread.
|
| (PiHole still wouldn't have created an additional cost
| though.)
| simon04 wrote:
| This issue might relate to Java's URL class
| equals/hashCode doing DNS lookups which is specified in
| Javadoc https://docs.oracle.com/javase/8/docs/api/java/ne
| t/URL.html#... but reported by various linters such as
| https://errorprone.info/bugpattern/URLEqualsHashCode
| milgrim wrote:
| My question was meant rhetorically, but I guess there
| might be some even more interesting exceptions to this
| out there.
| doliveira wrote:
| If anything, PiHole might make it go faster because some
| requests don't go to out in the world, wouldn't it?
| milgrim wrote:
| That would probably depend on the cache hit/miss
| ratio.
| yzerd wrote:
| PiHole is just a different DNS server - I would assume that
| is probably a once on connection kind of thing.
| vorpalhex wrote:
| I run two piholes, rackmounted and battery backed (just
| plugged into a ups).
|
| DNS performance is very fast, better than ISP dns usually.
|
| General web usage is much, much more pleasant.
|
| No issues with gaming.
| asdkhadsj wrote:
| Any recommendation on hardware piholes? I have a UDM Pro
| but honestly i don't know how much i trust modifying it at
| all - i've found Ubiquiti software to be iffy... so i'm a
| bit hesitant to modify anything.
| nickthegreek wrote:
| I run mine on a good old-fashioned rpi for years with a
| 100% uptime.
| theshrike79 wrote:
| You can run Pihole on any crappy raspberry pi you have
| around.
|
| I ran mine on a Raspi Model B. You know, the one with the
| RCA plug and SD card slots. From 2012. At some point the
| SD was so messed up I couldn't ssh into it any more, but
| it still worked.
|
| Now Pihole is running on my Thinkcenter minipc as a
| Docker image along with a good dozen others. I don't have
| to worry about SD corruption or sudden shutdowns any
| more.
| dmead wrote:
| there will be issues if you play halo. it depends on some
| telemetry stuff in windows that is typically blocked by
| this sort of thing.
| sbarre wrote:
| I've been running a pi-hole for years and played Halo on
| Windows 10 and had no problems.
|
| If you add a bunch of extra-aggressive blocklists maybe
| you'll have issues but if you stick with the recommended
| OOTB lists, you'll be fine.
| dawnerd wrote:
| Huh, I never even considered running containers on my udm pro.
| I'm definitely going to look into this.
| moffkalast wrote:
| Ah I just opened this thread to ask why isn't this a standard
| feature on routers at this point, and lo and behold.
|
| I hope it becomes more ubiquitous (hah) even on lower cost ones
| eventually.
| pledg wrote:
| It's not a standard feature on UniFi either. It's possible
| but not part of the OOTB OS.
| Vaslo wrote:
| I have the UDM pro but have been running AdGuard home. I will
| definitely have to check this out. Thanks!
| goodburb wrote:
| For OpenWRT users, I managed to easily get it working with LXC.
| Sources are in "SmoothWAN" project at Github. OpenWRT natively
| supports LXC now. Shortcut:
| https://github.com/TalalMash/smoothwan-feeds/tree/main/pihol...
| ronjouch wrote:
| For OpenWRT users, there's even simpler: use the "adblock"
| and "luci-app-adblock" packages :) .
|
| https://github.com/openwrt/packages/blob/master/net/adblock/.
| ..
|
| https://openwrt.org/docs/guide-user/services/ad-blocking
|
| https://forum.openwrt.org/t/adblock-support-thread/507
| cassianoleal wrote:
| Never heard of smoothwan but I've been running PiHole on LXC
| on OpenWRT for years. It was never difficult to set it up, I
| just created a Debian (or Devuan, can't remember now)
| container and ran the PiHole install on it.
| agomez314 wrote:
| How does this compare to using Brave Browser with ad blocking?
| sneak wrote:
| It blocks a lot of the phone-home from Apple devices that is
| built in to the OS and happens outside of the browser.
| newscracker wrote:
| It's different but has some similarities. This blocks all kinds
| of configured (DNS) requests from your devices, even from apps
| and operating systems, whereas Brave browser only blocks ads on
| the browser. One drawback is that this solution does DNS level
| blocking, and cannot handle any web page element-level blocking
| that may be possible in some browsers.
___________________________________________________________________
(page generated 2022-05-29 23:00 UTC)