Recently, within the wireless community there has been a lot of noise around the ad-blocking project pi-hole – and why not? It’s a lightweight DNS and DHCP server which blackholes ads; it’s highly customisable and will run on pretty much anything that runs Linux (or in a Docker container).
I’ve personally used pi-hole for a number of years, and thought it would be a good idea to share some tips and tricks and highlight some of the drawbacks of such tools.
So, I don’t intend to write a blog on how pi-hole works in any sort of detail; instead I want to share my own experiences.
There is only one blocklist you should be using: https://dbl.oisd.nl
This is a list of roughly one million (c1m) unique entries, and is basically a combination of all other known blocklists; it will block pretty much any ad that can be blocked. There is a support page here: https://redd.it/dwxgld
A very important discussion point is the 33.9% blocked figure… that doesn’t mean a third of my traffic is ads; it means that some services hate being blocked and will repeatedly make requests forever, and ever, and ever. It’s fine, let them, they want to call home – and remember, these are DNS requests, not traffic.
Some websites work better with ads, which is a clever trick on their part. For tech-savvy users it isn’t an issue, but one thing I quickly found is that my family hated using Google with blocking enabled. Here’s why:
Google clearly marks ads, but sticks them at the top of the search results. I can ignore them easily, but my wife can’t, and sometimes the result she wants is an ad. That’s fine, but by default pi-hole will drop the DNS requests for those pages (the ad link goes through a redirect); if those are dropped you get ‘Page cannot be displayed’ and an annoyed wife. Do you know what I like much less than ads? Annoying my wife – so that’s whitelisted straight away. Even using Twitter can be frustrating, as they force a redirect through their tracking platform.
In addition, some video streaming sites won’t play content if you use the default blocklists, or sometimes the default blocklists don’t block the ads – this is where pi-hole’s logs are super handy. Filter the query log on your device, refresh to see the entries come in, and with a bit of trial and error you can blacklist/whitelist domains until you find the sweet spot – or just admit defeat and allow the ads.
One other very important feature is the temporary disable – it lets you quickly prove whether or not the pi-hole is to blame.
Some services, like YouTube and Amazon Prime, are clever and stream their ads from the same source as the content – pi-hole can’t block those, I’m afraid.
You can use regex in blacklist entries, which is really useful. I use it to capture some of the more complex ad services which have numerous sources for ads (Roku is a prime example) or, if you don’t trust your cheap IoT devices, you can blanket block by TLD – for example, a Chinese domain block is (^|\.)cn$ (the dot must be escaped; an unescaped dot matches any character).
When you first set pi-hole up you will see all entries in the logs are from your router, and that’s because your router is forwarding the requests. The easy way to sort that is to disable your router’s DHCP server and enable it on pi-hole; you get much richer per-client reporting without losing any functionality.
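To see what a TLD rule really matches, here is a small Python check I have added (it is not code from the original post or from the pi-hole project). It runs the escaped rule and its unescaped variant against a handful of constructed query names, so the difference shows up as an extra match, and includes a helper that builds the same style of rule for any TLD. The normalisation step (lower-case, trailing dot stripped) is this example's own and is not a description of how FTL matches internally.

```python
import re

def tld_rule(*tlds):
    """Build a Pi-hole style regex that blocks a bare TLD and every name under it.
    re.escape keeps a dot inside a TLD such as "co.uk" literal."""
    alternatives = "|".join(re.escape(t) for t in tlds)
    if len(tlds) > 1:
        alternatives = "(" + alternatives + ")"
    return r"(^|\.)" + alternatives + "$"

# The corrected rule from the post, plus the unescaped variant for comparison.
RULES = {
    "escaped": re.compile(r"(^|\.)cn$"),
    "unescaped": re.compile(r"(^|.)cn$"),
}

# Constructed query names for illustration; none are real hosts.
SAMPLE_QUERIES = [
    "cn",                        # the bare TLD itself
    "example.cn",
    "cdn.update.example.cn",
    "example.com",
    "example.cn.example.com",    # ".cn" appears, but the TLD is .com
    "abccn",                     # ends in "cn" with no label boundary
    "Example.CN.",               # mixed case, trailing dot (FQDN form)
]

def normalise(domain):
    """This example's own normalisation: lower-case, trailing dot removed."""
    return domain.rstrip(".").lower()

def matches(rule, domain):
    """True when the compiled rule hits the normalised query name."""
    return rule.search(normalise(domain)) is not None

def blocked_by(pattern_name, queries=SAMPLE_QUERIES):
    """Return the sample queries the named rule would block, in input order."""
    return [q for q in queries if matches(RULES[pattern_name], q)]

if __name__ == "__main__":
    for name in RULES:
        print(name, "->", blocked_by(name))
    print(tld_rule("cn", "co.uk"))
```

The unescaped pattern additionally blocks "abccn", because its dot matches the letter before "cn"; the escaped pattern only fires on a label boundary or the bare TLD, which is what a per-TLD block is meant to do.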
BIND it with unbound
DNS by default isn’t very secure, and when your pi-hole doesn’t know the answer it forwards the query to an upstream DNS server – can you trust them? Why would you, if you don’t control them?
One way of improving things is combining pi-hole with unbound, which gives you a recursive DNS server: the DNS request is resolved by asking the authoritative DNS servers for that domain, starting with the TLD. Instead of boring you directly, I’ll bore you indirectly – read this, install unbound and enable DNSSEC: https://docs.pi-hole.net/guides/unbound/
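Once unbound is in place, the thing worth verifying is that the resolver is actually validating. The following Python is an added example, not code from the post or from the pi-hole or unbound projects: it builds a raw DNS query with the EDNS0 DO bit set, sends it to a resolver address and port you supply (the values in the main block are placeholders), and reports whether the reply carries the AD (Authentic Data) flag, which a validating resolver sets on answers it has verified. The domain you query must itself be DNSSEC-signed for AD to appear; an unsigned zone answers NOERROR without AD from any resolver, and a forwarder that does no validation never sets it.

```python
import socket
import struct

# Fixed transaction id for the example; a real client should randomise it.
TXID = 0x1234

def build_query(name, qtype=1, txid=TXID, dnssec_ok=True):
    """Build a raw DNS query: RD set, one question, and (optionally) an EDNS0 OPT
    record with the DO bit so the resolver may return DNSSEC data and set AD."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QTYPE (1 = A), QCLASS = IN
    additional = b""
    if dnssec_ok:
        # OPT RR: root owner name, TYPE = 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE / version / flags with DO (0x8000), RDLENGTH = 0.
        additional = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x00008000, 0)
    return header + question + additional

def parse_flags(response):
    """Decode the 12-byte DNS header into the fields a validation check needs."""
    if len(response) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response, not a query
        "ad": bool(flags & 0x0020),   # Authentic Data: resolver validated the answer
        "cd": bool(flags & 0x0010),   # Checking Disabled, echoed from the query
        "rcode": flags & 0x000F,      # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": ancount,
    }

def is_validated(flags):
    """True when the reply is a NOERROR response that carries the AD flag."""
    return flags["qr"] and flags["rcode"] == 0 and flags["ad"]

def query(server, name, port=53, timeout=3.0):
    """Send one UDP query and return the decoded header flags of the reply."""
    request = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(4096)
    flags = parse_flags(data)
    if flags["id"] != TXID:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return flags

if __name__ == "__main__":
    # Placeholders: point these at your validating resolver and a signed domain.
    RESOLVER, RESOLVER_PORT, SIGNED_DOMAIN = "127.0.0.1", 53, "example.com"
    result = query(RESOLVER, SIGNED_DOMAIN, RESOLVER_PORT)
    print(result)
    print("validating:", is_validated(result))
```

A SERVFAIL for a domain whose signatures are deliberately broken is the other half of the check: a validating resolver refuses to hand back an answer it cannot verify, while a plain forwarder returns the bogus data with NOERROR.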
Pi-hole Version 5 (Beta)
If you’re feeling brave, jump to v5 – it has plenty of features, such as adding custom DNS entries (previously done by editing the hosts file), creating groups of clients (not blocking ads for the kids, as an example), CNAME inspection, plus much more, and it’s very stable.
echo "release/v5.0" | sudo tee /etc/pihole/ftlbranch
pihole checkout core release/v5.0
pihole checkout web release/v5.0