Pi-hole v6 (pi-hole.net)
Instead, use yout-ube.com [insert a hyphen into any URL] and ALL ads disappear.
I wish pihole or adguard would add support for change DNS records based on the query subnet. I believe this is called DNS views.
That way my local devices and wireguard devices can get the correct IP for internal services.
[1]: https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
That’s why I switched to AdGuard Home but wouldn’t mind switching back
I have been using Pi-Hole for about 8 years and can't imagine a world without it.
Another big THANK YOU to all list maintainers out there. You're doing an incredibly useful service to the community.
There are always some features that I wish it had, but ultimately it does a really good job.
It’s easy to take for granted the hard work that goes into creating and maintaining such awesome tools.
The service/device dedicated to killing connections (blocking dns, whatever) can't/won't serve my connection.
There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
dhcp-option=tag:nospam,option:dns-server,x.x.x.x
dhcp-option=tag:spam,option:dns-server,y.y.y.y
dhcp-host=client1...,set:nospam
dhcp-host=client2...,set:spam
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
My cheap Android phone installs games by itself, e.g. Candy Crush, ugh. My own fault, I get it: buy a $2K phone instead of $160.
The only really annoying thing about it is that noises from tv shows or the house sometimes triggers the voice recognition, which fails, and then you have to click through the error message.
I dread the day it dies.
I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.
They probably do some tricks that blocking ads with DNS is not possible.
- Use Firefox with uBlock Origin and BypassPaywallsClean to avoid ads and paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.
Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.
For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.
On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.
This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.
And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
Yeah, I agree it's not super UX friendly.
The biggest risk is not samsung knowing what someone watched but what devices you have on your lan
Congratulations to the team for the release - happy to support you via Patreon!
I have some scripts to sync config between them and a Jenkins job if I want to pause blocking on them for a bit.
It looks like https://github.com/mattwebbio/orbital-sync and https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6 now, but it’s quite a bit of code for what looks like just a few HTTP requests to get the config from one using the teleporter feature, then restore it on the others using the same.
[0] https://pkgs.alpinelinux.org/packages?name=adguardhome&arch=
For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.
I documented that process here in case anyone is interested: https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...
This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.
I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.
- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees
- Blocks ads in ALL apps, not just my browser
- If it's acting up, I can just disconnect from the VPN to disable PiHoling
- Don't have to expose my home IP address and open a port for the world to start banging on
Is that really an issue if all you're exposing is the VPN port? Wireguard for instance has industrial-grade encryption. Even open port 51820 should be fine
Client --DNS--> pinhole --DNS--> dnscrypt-proxy (localhost) --DoH--> upstream
Not the prettiest but it works.
I want my devices to use my defined DNS server on my network, not some ad company (and all tech companies eventually become ad companies).
I just don't want to leak dns requests to my isp. If there's a way to do this without DoH or DoT, I'd happily learn more about it.
we block all meta and X properties from our home network, also ads
and it's self hosted on our own metal
it's a wonderful life
There's a difference between meta, X and ads?
With regards to X. Blocking it serves as a good reminder to use a proxy, or try and find the source elsewhere (Blue Sky, Mastodon). More often than not, these exist.
Finally, if required I can use Tor Browser. No cookies, no profiling, no ads.
The only reason I don't use one now is that I travel a lot more so it's irrelevant, and I have to work enough on tools with Google/Vercel/other analytics that it is just very inconvenient.
Regarding smart TVs, I have found that it's better to just use an Apple TV or Kodi box and never connect them to the internet, though. Having said that, I gave my TV away because I never used it, so this might not be as up to date. A Pi hole will block ads on smart TVs though.
I’m not up to speed on this stuff but I thought pihole only blocked the simplest stuff from devices that play nice?
Use Class A2 microSD cards (they'll last significantly longer... particularly if you keep logs). There are additional 3rd-party installations which can write into RAM, but IMHO it's easier for most new users to just buy better NANDs.
Set up more than one physical Raspberry Pi, running multiple versions of PiHole software on multiple IP addresses.
Have your main DHCP router auto-issue DNS information for your "most permissive" PiHole, with a minimal list of choice URL-blocks (e.g. pagead2.* , doubleclick). Individual clients can then manually change DNS server to 2nd (3rd... 4th...) PiHole(s) which are each more-restrictive.
This allows non-technical users to still browse somewhat ad-free, but also won't block banking/govt/etc for novices. As a failsafe, teach users to enter your router's IP as DNS x.x.x.1 [should they ever need to bypass local filtering, entirely].
I use sequential IP addresses [192.168.0.6, x.x.x.7, x.x.x.8, x.x.x.9] so it's easier to explain/teach my network's ad-blocking capabilities. YES, I understand that Pi-Hole allows different clients to follow different rulesets, but if you can afford to buy redundant hardware it's just so much easier to change the client DNS server information when a specific website isn't working correctly [due to an erroneously blocked host].
Pretty good interface, and most people just have to connect using the app. Having a virtual network between devices with dedicated IPs is pretty nice too.
I checked that Pi-Hole can run on a Raspberry Pi Zero as per the GitHub. But would you recommend using a Raspberry Pi 5 with 2 GB or 4 GB RAM instead of a Raspberry Pi Zero? I don't have any Raspberry Pi and I intend to make a new purchase.
I've been waiting for this - I wanted to play around with blocking distractions on various rules, but controlling pi-hole remotely was a huge pain and often didn't work until now.
I use two old PINE64 (one with FreeBSD, one NetBSD to make it more fun), and the Ansible configuration downloads https://github.com/ShadowWhisperer/BlockLists and creates a file dnsmasq can use. Which lists from the repo to use is defined as a variable.
Works very well and I feel I can understand what is going on.
I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by running a DNS proxy on my network.
I can get this to work great with github.com/adguardTeam/dnsproxy (running on a Pi 4B) but what I would really like is to have different devices (based on their IP on the network) get their queries forwarded onto a different DoH upstream.
Is this possible in a simple way?
https://www.perplexity.ai/search/i-d-like-to-use-cloudflare-...
Edit: OP edited their comment, was previously a very long AI-generated response.
oh noes!
Any details on what HTTPS support provides, other than a TLS connection to the admin dashboard?
With a local server, most requests are fulfilled from the local cache.
Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.
I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.
> The cloudflared binary will also work with other DoH providers.
Yes because you judge people by the country they live in. AdGuard has made their stance clear if something like this is important to you: https://www.reddit.com/r/Adguard/comments/t15gr4/announcemen... & https://adguard.com/en/blog/official-response-to-setapp.html
Not that it means all that much, but AdGuard is headquartered in Cyprus, for what it's worth.
Only if you don't trust only Russians and no one else.
Is there anything in Pi-Hole v6 that would make someone switch back?
- I run it in Kubernetes with multiple replicas behind a load balancer for high availability.
- A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.
- Configuration as code, which gets mounted as a secret.
- Query logs from all replicas forwarded to loki for visualization and performance review.
One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?
ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or setup PiHole to pass IPv6 and the DNS I want to the device.
You don't have to (and I assume most users don't), but you can if you want per-device reporting. You just set your router's DHCP server to hand out NextDNS's DNS servers.
I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.
Most of the time when I visit test.nextdns.io it shows as "unconfigured" even though the NextDNS client is installed and configured with a NextDNS profile (and approved in Settings as a VPN provider on these OSes). Sometimes it will work on its own.
I wouldn't recommend NextDNS unless the user is comfortable installing a (somewhat) permanent Profile on these devices with no temporary "off" switch to stop blocking. For me it's important to stop the blocking once in a while.
At least on macOS, there's Little Snitch (paid application), which can subscribe to the same blocklists used by ad blockers and has a working toggle.
Obviously the goal is to have your local clients talking to Pihole, but the goal of having remote DNS queries encrypted is to prevent ISP snooping.
Though if you really want to prevent ISP snooping you have all clients using VPN or configure your router to send all outbound traffic to a VPN endpoint.
It could certainly try... but usually you would block that in your firewall. Fixed DNS servers or fixed server IP addresses are tricky because if you ever need to change them, you can't, because you'd need to update the hardware (which you can't since it sits behind a firewall).
It could try to use things like Google's DNS server, but that is easily blocked in your router.
Not a lot that could be done except trusting your (internal) DNS server...
I don't KNOW of any doing it but I can't imagine it'd be too hard for them to do.
PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).
But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.
This is an extremely uncharitable reading of the preceding comment. The comment is clearly concerned about the national jurisdiction from which the AdGuard binary originates, not the national origin of a human.
American government initiatives against Huawei telecom hardware at critical junctures aren't making a personal statement about Chinese individuals. European regulatory skepticism of American-located cloud services isn't a personal statement about American individuals. Russia and China requiring the on-shoring of data-centers doing business in their internal economies aren't making personal statements about foreigners by doing so.
Whether or not you hold all those governments as roughly equal, none of them mistrusting each others' jurisdictions is "judging people by the country they live in." It is judging the trustworthiness of the governments of those countries. And the people in those countries are inevitably subject to the jurisdictions of the governments that rule them.
If someone actually attacks people on the basis of national origin, have at it, but please don't brow beat individuals for making common-sense risk assessments.
Instruct your Tailscale invitees to download the app and voila, simply toggle it on or off as needed.
Nothing says clients need to conform to the port requirements, but most companies will be lazy and assume 853 will work.
Isn't that the one with the network speed capped at 100MB/s and no capability to stream HEVC files?
I don’t have any HEVC media so I’m not sure there, but the lack of 4K output would be a big stopper for me.
I’m also not sure about the streaming services it would support, but chances are if you're running off of a Pi2, you’re sailing the seven seas for media. Will that thing even play YouTube in a browser at this point?
Embedded device software development quality is usually even worse than webapp software development quality.
And do you use any kind of reference for determining which ranges/countries are wise to block or has this just been something you’ve evolved over time?
Currently, I have IPv4 only (will change end of year to dual stack), and to block AS13414 (NetName TWITTER-NETWORK), blocking 104.244.40.0/21 to block x.com suffices. However, if you follow [1] you have a more complete blocklist. In a *BSD you can use cron and curl to update these lists based on whether a change occurred; OPNsense allows the same in their webUI. In that vein, I also have a Tor exit node block list (this is public data), and I have a Censys (& Co) blocklist. You name it.
I don't use DNS-based in this instance (I do for example, for porn, cause I have children). I use a firewall-based one in OPNsense. PF (and therefore OPNsense) have a feature called anchors (alias in OPNsense) which basically allows you to use OOP to develop lists.
I'm pretty sure Linux like OpenWrt can do the same, and you can also use DNS-based blocklists. You can even outsource the hosting to e.g. NextDNS. Because these blocklists, whether firewall or DNS-based filtering, they do use some RAM especially. Back when I started w/this in early '00s this was an issue on my Soekris OpenBSD machine. Nowadays, I assign 8 GB RAM to the VM and call it a day.
Most people either buy a generic box that can be had for ~$250, or recycle an old PC and stick in a network card. You can also buy commercially supported hardware for Opnsense or Pfsense's parent companies, though the value proposition isn't worth it for home users IMO as you will pay a steep premium versus loading up something yourself.
They have some guides and stuff that explains the hardware requirements that might be helpful for you.
ATT apparently removed overriding the DNS for IPv4 and IPv6. I had to double check because I thought I could do IPv4 but no.
There’s supposedly several options around it to use your own router but it’s not really worth setting up and my speed is slower using a second router.
https://www.forbes.com/sites/dimitarmixmihov/2025/02/17/x-is...
It sounds like you think that every butcher, barber, dancer, teacher, software dev etc in China is just thinking of how they can hack the US.
Guess what: that's the image propagated by propaganda and very far from the actual truth.
If you don't trust people, study their code and make a formed opinion about it.
Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...
But my point wasn't literally to use a Raspberry Pi 2, just that you can get cheap low power devices that beat "smart TV" crap. You can of course get much more recent ARM-based boards that support all the latest HD standards etc. I don't do the hedonic treadmill, though, so I'm still happy with 1080p Blu-ray.
Smart TVs really aren't very smart and a nicely ripped 1080p Blu-ray often looks better than what the streaming services will stream you anyway.
I don't think I'd even have a TV if it were just me. Wife and kids seem to need one though, so simplicity counts. What would they do if they couldn't watch people who watch people play games?
As for the latency - is it really noticeable?
Unbound, recommended for use with Pi-hole, can be configured to log this by enabling "log-replies" in unbound.conf⁽¹⁾ where the time to resolve will be logged in seconds.
⁽¹⁾ https://docs.pi-hole.net/guides/dns/unbound/
⁽²⁾ https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound...
So at least there's that.
On the go, over 5G, those 12ms won't make much of a difference.
Considering that people deploy PiHole on Raspberry Pi W models, over wifi, you won't lose much running NextDNS, but you gain dns blacklisting on all networks, as opposed to just your home network (or via VPN)
This is my latency (ping.nextdns.io):
zepto-cph (IPv6) 12 ms (anycast1, ultralow2)
zepto-cph 13 ms (anycast1, ultralow2)
anexia-cph 13 ms (anycast2, ultralow1)
anexia-cph (IPv6) 15 ms (anycast2, ultralow1)
So if your DNS is slow, there is a tremendous amount of latency added to virtually everything that you do. Just because you can hit NextDNS in 12ms does not mean the e2e duration for a single dns-then-fetch is going to be in the realm of 12ms. If NextDNS doesn't have the answer it needs to go find it.
Yes, if we were in the "good old days" of slim websites, 12ms may be noticeable, but today, with webpages taking up lots and lots of storage that is served with every connection, I seriously doubt you'll notice.
Besides that, every browser and modern operating system will cache DNS records for whatever the TTL from the upstream DNS is set to.
That depends entirely on what capabilities your router has.
Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.
Other less capable routers, only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.
But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).
Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.
FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.
DNS doesn't have redirection like HTTP has, so what you describe can only be implemented using port forwarding (or SSH tunnelling, but I've never seen a router with the ability to tunnel DNS in this fashion?).
Port forwarding used like this, won't enable one to use the 'groups' functionality on PiHole — which was the (g)parent thread here — because all requests arriving at the PiHole will come from the same client, i.e. the router. Because port forwarding is more like a proxy than a redirect (to use HTTP terms).
The correct solution here if one wishes to use PiHole's groups — and not have a janky network configuration like you describe here (an extra unnecessary hop for local DNS) — is to either (a) use the router's DHCP settings to tell the clients to use the PiHole IP for their DNS, or (b) disable the router's DHCP and simply use the DHCP that PiHole provides, which is at least as good as what most routers provide (and more configurable than most routers also, should one need to)
It's also not subsidized by selling your user data.
Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.
DNS-over-HTTP is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.
I already run OpenWrt on x86 hardware so I have plenty of RAM and disk.
I imagine this is how it’s usually done. There’s no reason to double proxy.
To block Youtube I use:
youtube-ui.l.google.com - exact
youtubei.googleapis.com - exact
(\.|^)googlevideo\.com$ - regex
(\.|^)youtube\.com$ - regex
It's probably overkill but it results in no Youtube until chores are done.
You can try to compete by charging a reasonable amount for your hardware and software, but you'll be competing against economy of scale and wrestling for shelf-space with products that are (don't forget retail percentage mark-up) at least 30% cheaper than yours, which means your units don't move, which means you don't get (or keep) shelf space, and hello death spiral. Also if you somehow manage to make it despite that, as soon as an MBA gets in charge you'll just switch to selling data, too.
Looking at Vizio's financial records[0], the numbers make it clear.
They separate everything into 2 distinct businesses, Device and Platform+.
Device represents their hardware business of selling physical TVs and soundbars. Platform+ covers all of their other "software-related" business, mainly consisting of ad delivery and selling user data to third parties.
2019:
- Device Net Revenue = $1.7 billion
- Device Gross Profit = $125 million
- Platform+ Net Revenue = $63 million
- Platform+ Gross Profit = $40 million
2023:
- Device Net Revenue = $1.0 billion
- Device Gross Profit = -($8.6 million)
- Platform+ Net Revenue = $598 million
- Platform+ Gross Profit = $364 million
So over the course of just 4 years:
- hardware revenue is down 40% and is actually losing money (confirms they are indeed selling the TVs at a loss)
- Ad/user data revenue, however, is up almost ten-fold (+949%)
- total gross profits of the two combined are up over 54%
[0] https://investors.vizio.com/financials/quarterly-results/def...
No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.
Most often those are some embedded linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?
Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.
Get a used mini-pc, install Linux on it, and don't allow the TV to connect to any networks. This is a 50-75 dollar solution. Good if you are on a budget and are not interested in any wiz-bang features like HDR.
There are a few TV-dedicated Linux systems out there, like libreElEC.
Or get a more powerful system with a AMD GPU and install Bazzite on it. That way you get something like "SteamOS for your TV". Pairs nicely with controllers like 8BitDo.
It would be nice to have TVs as open as PCs, but the manufacturers and media companies are run by dirtbags and would rather have victims than customers.
As someone who tried that route I'd strongly recommend against it for anyone who isn't core HN audience or just loves tinkering. You're much better off with an Apple TV or an Nvidia Shield unless you really want the "beefy gaming media center".
I walked the mini-PC/RPi road and they came up short every time even for me, let alone the rest of the family. Even when I put in place the perfectly optimized initial setup I was still left with a bad compromise of performance, power consumption, noise, boot time, ergonomics, and the constant trickle of things breaking down or needing tweaking because of some update.
When trying to watch a movie with the family the last thing I want is to troubleshoot random issues.
Maybe there are smart TVs out there with a SoC that's been reverse engineered enough to do something with. If there is, that should be shouted from the rafters. But I kinda doubt it.
Weirdly they always seem to be more expensive than a TV though.
Configuring subpixel-layout per monitor is something that most OS won't allow. So if you use several monitors, you usually have to mount the BGR-ones upside down. (Otherwise fonts will be blurry...)
For some time now there are really cheap 4K Monitors with BGR-layout available. If you mount those upside down you're fine... (I use LG 4K Monitors mounted upside down in combination with other screens)
It could make a nice CrowdSupply project, except for the cheap distribution of the huge packages. Sounds not that hard though: Just get some nice 50" 4k smart tv's and remove all the junk. Cool features like DP daisy chain or something and one could have a nice project. But i'm guessing there is (too) much money to be made in user info and ads. :(
I'm currently using Blocky as my DNS resolver. It works fine and is super fast because of the fine control over caching, but I'm disappointed with its memory footprint. 400MB for a total blocklist of 1.3M domains
I also regularly reboot the pi by simply cycling power.
The solution was fairly simple. Send the linux log files to /dev/null (or whatever it is actually called, i.e. RAM) and disable query logging in pihole.
That's it. Helps greatly!
Or: in the rare eventuality that your raspberry pi dies, it takes 15 seconds to open your router interface and reset to the ISP DNS. Work smart, not hard.
Now youtube.com and all of its subdomains are blocked, for all clients.
If you wish for it to only be blocked for some clients, then assign your clients to groups, and set the setting appropriately on the domains page.
But yes, that’s what I have, two of them in fact. Tried a Shield, sucked, should have just gone straight for Apple TV instead of trying to pinch pennies.
I think you would need to explain your definition of 'best' here — I mean: explain why you think it is better.
> making regex blocks are appropriate.
I guess here you actually mean inappropriate?
Perhaps. But I think you misunderstand what I am doing, and how that then works in PiHole.
The method I describe, uses the Domains tab on the Domain Management page — and not the RegEx Filter tab.
The distinction is somewhat of importance, because the implementation of PiHole uses a different code path for exact-match denies/accepts, vs regex denies/accepts. (Type 0 and 1, vs type 2 and 3, detailed here[1]). Adding a domain the way I describe, creates an exact-match type entry in that table, not a regex match type.
But even if it were still using regex, the cost of that isn't as high as one might imagine, due to the fact that subsequent repeat queries to the same domain, do not get checked against regexes again: the result is cached.
As described here [2]: "Our implementation is light and fast as each domain is only checked once for a match. When you query google.com, it will be checked against your RegEx. Any subsequent query to the same domain will not be checked again until you restart pihole-FTL."
In summary: adding a domain the way I describe doesn't create a regex filter anyhow. But PiHole's regex matching isn't a naive implementation, it caches the results, so that it only actually performs the regex matching on first query to a domain not seen before (since last restart).
So really it makes no difference at all if one blocks a domain the way I describe, or the way you describe. They both end up doing the same thing: they insert an exact-match filter entry into the database.
In which case, it's simply down to one's own preference: do you prefer looking through the query log to find the site to block... or do you prefer just typing in a domain name.
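The exact-vs-regex distinction and the per-domain result cache described in the comments above can be modelled in a few lines. This is an added illustration, not Pi-hole's code: it uses the four deny entries posted earlier in the thread (two exact, two regex) and assumes, as the thread states, that an exact entry also covers its subdomains.

```python
import re
from typing import Dict, Iterable, List, Pattern

# Constructed rule set, copied from the entries posted in the thread:
# two exact-match domains and two regex denies.
EXACT_DENY = {"youtube-ui.l.google.com", "youtubei.googleapis.com"}
REGEX_DENY = [r"(\.|^)googlevideo\.com$", r"(\.|^)youtube\.com$"]


class DomainFilter:
    """Two code paths (exact table, then regex list) plus a per-domain
    verdict cache, so each regex runs at most once per distinct domain
    until restart(). Modelled on the thread's description, not FTL's code."""

    def __init__(self, exact: Iterable[str], regexes: Iterable[str]) -> None:
        self.exact = {self._normalize(d) for d in exact}
        self.regexes: List[Pattern[str]] = [
            re.compile(r, re.IGNORECASE) for r in regexes
        ]
        self.cache: Dict[str, bool] = {}
        self.regex_evaluations = 0  # counts how often the regex path ran

    @staticmethod
    def _normalize(name: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return name.strip().lower().rstrip(".")

    def _exact_hit(self, name: str) -> bool:
        # Assumption from the thread: an exact entry for youtube.com also
        # blocks www.youtube.com, so walk up the label boundaries.
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.exact for i in range(len(labels)))

    def is_blocked(self, name: str) -> bool:
        name = self._normalize(name)
        if name in self.cache:            # repeat query: no regex work at all
            return self.cache[name]
        if self._exact_hit(name):         # cheap set lookups first
            self.cache[name] = True
            return True
        self.regex_evaluations += 1       # only first sight of a domain gets here
        verdict = any(rx.search(name) for rx in self.regexes)
        self.cache[name] = verdict
        return verdict

    def restart(self) -> None:
        """Mimics a pihole-FTL restart: cached verdicts are forgotten."""
        self.cache.clear()


if __name__ == "__main__":
    f = DomainFilter(EXACT_DENY, REGEX_DENY)
    for q in ["www.youtube.com", "notyoutube.com", "youtubei.googleapis.com",
              "rr1---sn-abc.googlevideo.com", "example.com", "WWW.YouTube.com."]:
        print(f"{q:32} blocked={f.is_blocked(q)}")
    print("regex evaluations:", f.regex_evaluations)
```

Note that `(\.|^)youtube\.com$` leaves `notyoutube.com` alone: the anchor forces a label boundary, which a bare substring match would not.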
dnsmasq has grown up a lot in the last few years and does have the ability to redirect domains. It's that time again got to read the man page
If you don't understand this, then you are perhaps lacking some knowledge as to how HTTP redirects work, and/or how DNS lookups work, and/or how they are quite different concepts.
HTTP has redirects. DNS doesn't - but sure, it can be intercepted / hijacked.
> It's that time again got to read the man page
No need for the snark, this is HN, not Reddit.
But I'm already well aware of the feature you describe (after all, PiHole/similar relies on exactly this kind of interception) — but it isn't actually new at all, dnsmasq has had this since the very beginning, literally day one.
It's still not redirection like HTTP though, it's interception: serving an IP number from a conf file when a matching domain is requested instead of querying upstream. Very similar to adding an entry in your local hosts file.
Redirect isn't a term that is really ever used in DNS configuration. Except in the context of NXDOMAIN responses. And that's certainly not the topic of this thread.
With HTTP redirection, the server responds with 'moved' and the URL of the new location of the requested content. But all one can do with DNS requests, is to respond: this is the IP for the domain A/CNAME you requested (or respond no-such-domain). In HTTP, that kind of inline interception can only be done with a proxy (transparent or otherwise) — and that's not the same as the HTTP redirect mechanism at all.
Some folk might argue that this is only a semantic difference. But it's not at all: they're quite different mechanisms, different traffic-flow / communication patterns. And the distinction is quite important to anyone who manages both DNS and HTTP, at a certain level.
But if you want to call it DNS redirection, then good for you. But the old-timers will call it out nearly every time, because it's not actually redirection — DNS doesn't have redirection like HTTP. Not in the same sense as HTTP at all. Anyone who claims otherwise, really just needs to brush up on their DNS knowledge / terminology.
HTH
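To make the "interception, not redirection" point concrete, here is an added example (written for this page; it is not the commenter's code and not dnsmasq's) that models how a dnsmasq `address=/domain/ip` line answers a query: the configured address is returned for the listed domain and everything under it, the most specific entry wins, and any other name falls through to the upstream resolver. The configuration lines are constructed; the no-address (`address=/domain/`) form is not modelled.

```python
def parse_address_lines(lines):
    """Collect dnsmasq 'address=/dom[/dom...]/ip' entries into {domain: ip}.
    Comments and unrelated directives are ignored."""
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("address="):
            continue
        parts = line[len("address="):].split("/")
        # parts[0] is empty (leading slash); the last element is the address
        ip = parts[-1]
        if not ip:
            continue  # 'address=/dom/' (the NXDOMAIN form) is not modelled here
        for dom in parts[1:-1]:
            if dom:
                table[dom.lower().rstrip(".")] = ip
    return table


def intercept(table, qname):
    """Return the configured IP for qname, or None meaning 'forward upstream'.
    Walks from the full name up through its parents, so the longest match wins."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None


def resolve(table, qname, upstream):
    """Interception in one place: answer locally if configured, else ask upstream."""
    local = intercept(table, qname)
    return local if local is not None else upstream(qname)


if __name__ == "__main__":
    conf = [
        "# constructed dnsmasq.conf fragment for the example",
        "address=/ads.example/0.0.0.0",
        "address=/safe.ads.example/192.0.2.10",
        "address=/foo.example/bar.example/10.0.0.5",
    ]
    table = parse_address_lines(conf)
    fake_upstream = lambda name: "203.0.113.7"   # stands in for the real upstream resolver
    for q in ["ads.example", "x.y.ads.example", "safe.ads.example", "notads.example", "bar.example"]:
        print(q, "->", resolve(table, q, fake_upstream))
```

Because the match walks up the name, `address=/ads.example/0.0.0.0` also answers for `x.y.ads.example`; that whole-subtree behaviour is where it differs from a hosts-file entry, which only matches the exact name written. Nothing here tells the client to go anywhere else: the client asked for an A record and got one.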
That's the first time such a thing has been mentioned in this thread.
But I now get what you're trying to say in your comment above.
Sure, one can use e.g. iptables to forward all outbound traffic on some port to some local IP. If your router has such capabilities.
But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.
And of course it wouldn't work if the device is using DoH.
But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.
It’s not meant to answer your direct question, but pointing out what’s possible. Because yes, there are a lot of IoT and other devices that misbehave on a network.
And it’s incredibly trivial to port ban or port forward a selection of IPs and not affect the behavior of your Pi-hole. Packets carry last hop IP and source IP. I do it all the time on my gateway device.
DoH is a completely different story. Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.
Different strokes for different folks, having to use a keyboard to control my TV is for me one of those usability compromises I preferred to avoid. It's probably related to how I use the TV, things like browsing the web were never on the list of requirements. I'll have a phone, tablet, or laptop at hand for that.
This is diverging quite a bit from "a smart TV replacement". Especially if Steam is a requirement.
The gaming PC you have there is probably exactly the combination you want. But for most others it's the compromise to avoid I mentioned above. It delivers the console and TV/media center experience but with the full PC power consumption, noise, boot times, maintenance effort, and inconvenient controls.
The cheapest Trident I can find on eBay costs more (by 2-5x) than an Xbox and an Apple TV together. And these 2 deliver their respective experiences with far fewer compromises.
> They know how to browse the various streaming services
Knowing how to use it is just the bare minimum requirement. With an Apple TV for example you can do the same with almost instant startup time, 0 noise, 0 maintenance, ~1-2W streaming, and a small remote control. And probably has less ads than the average Windows computer :). I found the "right tool for the job" more appropriate for my use case but that might not work for everyone or all the time.
Yes. And that's why, in the context of misbehaving devices, carrying their own methods of doing DNS, I mentioned it.
> Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.
No, not at all. Anything can use DoH. Doesn't need to be browser-based, nor using Apple private relay, nor anything of the kind. A device simply needs to be coded to make its DNS queries over HTTP. In a similar fashion to how it might have a hard-coded value for its DNS lookups, the developer can simply include a small library to do DoH instead. And that's not going to be so easily filterable by a rule for outgoing traffic / port forwarding.
I have all of my PiHole DNS lookups going over DoH. Have done for years now. Because when I originally set up my secure DNS, DoH was a better choice than DoT, because DoT was very much still in flux. And by comparison, DNS over an existing standardised transport is pretty much a known quantity. So that was my choice. And it works great.
So all of my network's DNS lookups go out over DoH... there's lots of DNS providers that provide DoH nowadays, including plenty of very big providers. My secure DNS proxy cycles between different servers.
DoH functionality is even just built-in to Bind these days.
In reality, DoH isn't in any way restricted just to the services you describe here. Far from it. It can be used anywhere. It's just a protocol. With plenty of destination endpoint support, out there in the real-world.
And if some device wants to control its DNS to that kind of level, then, beyond simply having a hard-coded DNS server value, using DoH is pretty easy.
No browsers needed, no Apple Private Relay needed.
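As an added example (written for this page; it is not the commenter's setup and not any device's firmware), here are the pieces a device needs in order to do DoH instead of plain port-53 DNS. It builds an RFC 1035 query, encodes it the RFC 8484 GET way (`?dns=` carrying unpadded base64url, message ID 0), and parses the A records out of an `application/dns-message` reply. The resolver URL is a placeholder, and the reply is constructed inline so the example runs offline; the function that would actually send the HTTPS request is shown but not called.

```python
import base64
import struct
import urllib.request


def build_query(qname, qtype=1, txid=0):
    """Minimal RFC 1035 query: header (RD set, one question) + QNAME/QTYPE/QCLASS.
    txid 0 is what RFC 8484 recommends for cache-friendly DoH GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, qname):
    """RFC 8484 GET form: the wire message, base64url without '=' padding, in 'dns='."""
    enc = base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={enc}"


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_a_response(query, ip, ttl=300):
    """Constructed reply for offline testing: echo the question and add one A record
    whose owner name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def doh_lookup(base_url, qname):
    """The real thing (not run here): one HTTPS GET on 443, nothing touches port 53."""
    req = urllib.request.Request(doh_get_url(base_url, qname),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", "example.com"))  # placeholder resolver
    reply = build_a_response(build_query("example.com"), "192.0.2.1")
    print(parse_a_records(reply))   # ['192.0.2.1']
```

The point for the thread: everything above is ordinary HTTPS to a hostname of the developer's choosing, so a "redirect port 53 to the Pi-hole" rule never sees it. Blocking it means blocking known resolver endpoints by name or address, or terminating TLS, and neither of those is a firewall one-liner.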