Pi-hole v6

304 comments · February 18, 2025

ProllyInfamous

I make these suggestions during all conversations about PiHoles:

Use Class A2 microSD cards (they'll last significantly longer... particularly if you keep logs). There are additional 3rd-party installations which can write into RAM, but IMHO it's easier for most new users to just buy better NANDs.

Set up more than one physical Raspberry Pi, running multiple versions of PiHole software on multiple IP addresses.

Have your main DHCP router auto-issue DNS information for your "most permissive" PiHole, with a minimal list of choice URL-blocks (e.g. pagead2.* , doubleclick). Individual clients can then manually change DNS server to 2nd (3rd... 4th...) PiHole(s) which are each more-restrictive.

This allows non-technical users to still browse somewhat ad-free, but also won't block banking/govt/etc for novices. As a failsafe, teach users to enter your router's IP as DNS x.x.x.1 [should they ever need to bypass local filtering, entirely].

I use sequential IP addresses [192.168.0.6, x.x.x.7, x.x.x.8, x.x.x.9] so it's easier to explain/teach my network's ad-blocking capabilities. YES, I understand that Pi-Hole allows different clients to follow different rulesets, but if you can afford to buy redundant hardware it's just so much easier to change the client DNS server information when a specific website isn't working correctly [due to an erroneously blocked host].

andy_xor_andrew

I set up pi-hole recently after hearing about it for years. I was kind of surprised at a lack of really basic features (imo):

There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.

It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.

MyOutfitIsVague

> It's also not possible (or not clear) how to have different behavior for different clients

There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.

paxys

It's slightly more complicated. What you are suggesting works if (1) you are using Pi-hole as a DHCP server or (2) all your devices are individually configured to use the Pi-hole IP address for DNS resolution. What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.

jimsmart

> What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.

That depends entirely on what capabilities your router has.

Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.

Other less capable routers, only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.

But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).

Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.

FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.

mikestorrent

The better option is to configure DHCP to hand out the Pi-hole as your DNS server. If your router cannot do that, but you want to go deep enough to configure your home network with a Pi-hole, you should probably also invest in either a better router or OpenWRT on your current one to get a few more features.

Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.

DNS-over-HTTP is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.

MyOutfitIsVague

It works for me and I don't use Pi-Hole as a DHCP server or have any of my devices individually configured. I have my router acting as a DHCP server and have it tell clients to use my Pi-hole for DNS. Some routers' default firmwares don't let you do this, but most OpenWRT and Tomato and the like should.

bolster8505

Using clients and groups works fine for me. I'm able to block youtube on my kids' devices, but allow it on others. I have pihole running in a container without being my dhcp server.

doron

That's my only gripe with the current pi-hole; there is no easy way to configure DHCP options.

sneak

Not all routers proxy DNS; many have DHCP settings so you can give the pi-hole’s address as DNS server to clients via DHCP.

I imagine this is how it’s usually done. There’s no reason to double proxy.

aulin

I use pihole for dhcp and it's extremely easy with dnsmasq. Hope their settings overhaul does not break this.

  # hand out a different DNS server depending on the tag assigned to the client
  dhcp-option=tag:nospam,option:dns-server,x.x.x.x
  dhcp-option=tag:spam,option:dns-server,y.y.y.y
  # assign the tag per client (by MAC address or hostname)
  dhcp-host=client1...,set:nospam
  dhcp-host=client2...,set:spam

jimsmart

Previously, PiHole used /etc/dnsmasq.d/ with best practice being to put one's own additional config, or overrides, in separate file(s) in that folder.

PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).

But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.

windexh8er

One of the SaaS services I get the most value out of is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.

But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.

[0] https://nextdns.io/ [1] https://controld.com/

ge96

I think I'll never buy a smart TV what an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.

My cheap Android phone installs games by itself, e.g. Candy Crush, ugh. My own fault, I get it, buy a $2K phone instead of $160.

b3lvedere

Most non-smart 4K screens are more expensive than 4K smart TV screens though. Really weird, because there's less stuff in it. I just want a nice 50" 4K screen with HDMI and DisplayPort. I don't use all the other junk anyway, since I watch TV via a computer and sound goes to a surround set.

Jeremy1026

> Really weird, because there's less stuff in it.

It's also not subsidized by selling your user data.

baltimore

> Really weird

No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.

progbits

Is there an equivalent of DDWRT/OpenWRT but for TVs?

Most often those are some embedded linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?

Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.

lotharcable2

I have a 'smart tv'. I don't allow it to connect to any network.

The only really annoying thing about it is that noises from tv shows or the house sometimes triggers the voice recognition, which fails, and then you have to click through the error message.

themadturk

I just have never connected my Samsung TV to the Internet. My streaming all goes through my Roku. When the TV turns on it displays a splash screen asking me to connect to the network, which disappears after about 15 seconds and never comes back until I turn the TV back on.

I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.

reddit_clone

I am hanging on to my 15 year old Vizio for dear life (With a Roku box). We don't watch much TV anyways. Its just Youtube playing.

I dread the day it dies.

oz3d

Does pi-hole actually block YouTube ads? Last time I tried it did not really work (on PC and phone). Switched back to UBO.

They probably do some tricks that blocking ads with DNS is not possible.

AstralSerenity

If you use an Android device, you have the potential to live an ad-free life:

- Use Firefox with uBlock Origin and BypassPaywallsClean to avoid ads and paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.

JKCalhoun

My thought is to develop a headless, Smart TV like device that just sends random bullshit data to the servers that collect it.

josephg

> For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates

Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.

timoteostewart

I imagine software updates might bring improved support for various media codecs, or UI enhancements, or better Bluetooth compatibility, etc.

hsbauauvhabzb

Or more likely: reduced privacy settings, increased analytics, and in-menu advertisements.

prmoustache

Why would the manufacturer spend money on that if it had your sale already and you aren't paying any support subscription?


globular-toast

Yes, those are the "smart" features. Just plug in a Raspberry Pi and don't touch the TV after its initial setup. I'm still using the same Raspberry Pi 2 I've been using for more than 5 years now. Beats "smart" TVs that you can buy today.

sneak

I let one of my cheap smart TVs update for this reason (and not the other two identical ones I have) and now that one crashes and lags all the time, despite none of them being on the internet.

Embedded device software development quality is usually even worse than webapp software development quality.

hsbauauvhabzb

My TV after a recent update has begun randomly crashing with audio looping for a few seconds before rebooting. When an update comes through for that you can be damned sure I'll be disabling all future updates.

psychlops

Same, my smart tv has never heard of the Internet.

BHSPitMonkey

Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.

progbits

I recommend putting all these things on their own VLANs with strict routing rules.

For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.

On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.

This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.

JB_Dev

Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.

temp0826

Smart/iot devices using DoH (or other encrypted DNS) is a headache that would need to be solved at the router (mitming/redirecting to your preferred provider? or straight up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.

xrisk

It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.

And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.

nothrabannosir

Smart TV opt-out telemetry is malicious.

btreecat

zikduruqe

It replaced my Pi-hole a long time ago.

zenonu

Running w/ my opnsense router. All-in-one.


guhcampos

I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of that were related to the fact I worked for companies that had domains blocked.

hotstickyballs

It's destructive if you can't reach your remote devices anymore. See also jeff geerling's "It was DNS T-Shirt" https://www.redshirtjeff.com/shop/p/it-was-dns-shirt

OJFord

Only if they're configured to explode if not pinged for 30s or something.

master_crab

The only times I have seen this happen is when the remote devices were communicating with something on blacklist (which should be concerning anyway, but also a quick fix if not) or doing something naughty like not using the DNS server broadcast by DHCP.

jkingsman

I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for the average home user who are probably needing to expand their networking knowledge just to distribute custom DNS via DHCP.

So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.

LeoPanthera

I've been using AdGuard Home, which does pretty much the same thing, but is slightly better polished, with things like support for DoH and OSs other than Linux.

https://github.com/AdguardTeam/AdGuardHome

laweijfmvo

I went from PiHole -> AdGuard -> NextDNS. My patience for tinkering and maintaining wasn't high enough to not just pay someone else to do it :)

sph

I used to use NextDNS, but pi-hole is such low maintenance it makes no sense to pay for a third party service and additional latency to do ads filtering. I set up pi-hole on an Arch Linux for ARM installation on a rPI 3 like 5 years ago and haven't touched it since. Still chugging along nicely.

LeoPanthera

The big benefit of running a DNS server locally is caching. Using any external provider means you have to go out to the internet for every single request.

With a local server, most requests are fulfilled from the local cache.

Novosell

Hmmm, my router caches DNS queries.

natrys

You can just run something like dnsmasq locally though.

pseufaux

You can run NextDNS on your router to solve this.

mrmuagi

Same except skipping AdGuard.

Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.

I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.

martin_a

I think my PiHole is up for 3+ years on a Raspberry Pi dedicated to that task. Did not fail once since then, so not sure if "DNS is going down" is really an issue. But maybe I've got survivorship bias.

sph

DNS issues during power outages is the least of your problems, as chances are your Internet and all your PCs are down as well.

weirdkid

But you don’t have to run pi-hole on a pi. I run it in an Ubuntu Linux container on my Proxmox server.

LeoPanthera

I run AdGuard Home on the same device as my router, so anything that would take it down would also take down the entire router anyway.

vosper

Yeah +1 for NextDNS. It's so easy to setup and manage, and works really well.


brynx97

DoH is possible on pihole using cloudflared-- https://docs.pi-hole.net/guides/dns/cloudflared/.

> The cloudflared binary will also work with other DoH providers.

roger_

I moved to AGH a while ago too.

Is there anything in Pi-Hole v6 that would make someone switch back?

zzyzxd

And it's much easier to customize.

- I run it in Kubernetes with multiple replicas behind a load balancer for high availability.

- A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.

- Configuration as code, which gets mounted as a secret.

- Query logs from all replicas forwarded to loki for visualization and performance review.

mattrighetti

Switched to AGH too a few years ago because from time to time pi-hole would get stuck upon unplanned reboots of the Raspberry Pis on which I had it installed

nocchedure

Pet peeve: I wish there was an (easy) way of installing Adguard directly on my Dream Machine.

2OEH8eoCRo0

I love AdGuard Home but the single binary container from a Russian company makes me nervous. I may move to building it myself. Is this criticism unfair?

sunaookami

>Is this criticism unfair?

Yes because you judge people by the country they live in. AdGuard has made their stance clear if something like this is important to you: https://www.reddit.com/r/Adguard/comments/t15gr4/announcemen... & https://adguard.com/en/blog/official-response-to-setapp.html

sfRattan

> Yes because you judge people by the country they live in.

This is an extremely uncharitable reading of the preceding comment. The comment is clearly concerned about the national jurisdiction from which the AdGuard binary originates, not the national origin of a human.

American government initiatives against Huawei telecom hardware at critical junctures aren't making a personal statement about Chinese individuals. European regulatory skepticism of American-located cloud services isn't a personal statement about American individuals. Russia and China requiring the on-shoring of data-centers doing business in their internal economies aren't making personal statements about foreigners by doing so.

Whether or not you hold all those governments as roughly equal, none of them mistrusting each others' jurisdictions is "judging people by the country they live in." It is judging the trustworthiness of the governments of those countries. And the people in those countries are inevitably subject to the jurisdictions of the governments that rule them.

If someone actually attacks people on the basis of national origin, have at it, but please don't brow beat individuals for making common-sense risk assessments.

2OEH8eoCRo0

I actually didn't know this. Thanks!

seemaze

I built it myself for a while but as I mentioned elsewhere, it's now being packaged in the Alpine Linux testing branch. That makes a container image an 'apk add' away.. whether you trust Alpine Linux more or less than the AdGuard Home teams is up to you.

LeoPanthera

Given that the whole thing is open source and it is possible to build it yourself, I'm willing to give them the benefit of the doubt.

Not that it means all that much, but AdGuard is headquartered in Cyprus, for what it's worth.

skotobaza

> Is this criticism unfair?

Only if you don't trust only Russians and no one else.

2OEH8eoCRo0

I don't trust Iran, North Korea, or China either. It's not hard, I'm an American and it's 2025. These are our adversaries (I didn't choose them) who currently commit cybercrimes against us. Hopefully in 2035 that won't be the case and we can all sing kumbaya.


lawn

I even run Adguard Home on my router that runs opnsense.

samplatt

What routers are compatible with opnsense? Or does it need a full-blown server/container?

Been happy with my pihole for a few years, and this thread is full of new information for me.

gh02t

Opnsense is not like OpenWRT, it targets running on relatively powerful generic x86 hardware. Intel CPUs and networking hardware usually works best because of driver support on BSD, but it will work on others. I say "relatively" because even low power old embedded CPUs are more than enough to route at a gigabit or more with lots of firewall rules and services running. Opnsense's cousin Pfsense also has some support for ARM, but that version is only really available on their commercially supported hardware.

Most people either buy a generic box that can be had for ~$250, or recycle an old PC and stick in a network card. You can also buy commercially supported hardware for Opnsense or Pfsense's parent companies, though the value proposition isn't worth it for home users IMO as you will pay a steep premium versus loading up something yourself.

lawn

I bought my router from this site: https://teklager.se/en/products/routers/

They have some guides and stuff that explains the hardware requirements that might be helpful for you.

Mossy9

Pi-hole is such a great tool. I've been running it for a few years on a raspberry pi zero, and am constantly astonished by the sheer amount of cruft it blocks for me.

Congratulations to the team for the release - happy to support you via Patreon!

hk1337

Many times I have clicked an article link on reddit where everyone in the post comments complains about how the site is so riddled with ads that it's unreadable, and all I see is the article with a lot of whitespace.

martin_a

IT department does not like that, but I had them install Firefox on the machines of my team, so we can install uBlock Origin. People are _amazed_ how the internet does look without ads.

ed_mercer

Can’t you just use uBlock for this?

saltymug76

Pihole catches a lot of the trackers and crap coming out of my android tv. On my pc I see it as an extra line of defense after ublock.

alimbada

You can't use uBlock everywhere, .e.g phones, tablets, TVs.

_fat_santa

Pi-hole is a killer application and I've loved it since I got it setup. One other app I highly recommend to run on your Pi in addition to Pi-hole is Nginx Proxy Manager[1].

[1]: https://nginxproxymanager.com/

robk

Do yourself a favor and move from nginx to caddy

yard2010

Nginx Proxy Manager is a great piece of software!

aborsy

How do? It has frequent vulnerabilities.

jccalhoun

I've been using Technitium for a couple years and been pretty happy with it https://technitium.com/dns/

JamesBrooks

I moved from pihole to Technitium a few months back because I wanted more DNS features than just adding A and CNAME records.

For example the split horizon features to return different responses to DNS queries depending if I'm connected to my Tailscale network or not has been pretty slick.

I documented that process here in case anyone is interested: https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...

tailspin2019

Excellent write-up. As a Tailscale + Pi-hole user you may have just inspired me to switch to Technitium. I’ve wanted that kind of split horizon functionality for years, for all sorts of things!

malmeloo

Technitium is great. Rock solid, plenty performant and it has more features than you'll ever need. Pretty wild when you consider it's being maintained by a single dev.

bjoli

So have I. I found it more approachable once I started having more advanced configurations.

2bluesc

Switched to Technitium (from piHole via Docker on amd64 and manual dnsmasq before that) primarily for DNS over HTTPS and never looked back. Used it for DHCP and DNS.

seanp2k2

I’ve been happy with AdGuard Home on two Pi4s and a little home server for years now: https://adguard.com/en/adguard-home/overview.html

I have some scripts to sync config between them and a Jenkins job if I want to pause blocking on them for a bit.

It looks like https://github.com/mattwebbio/orbital-sync and https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6 now, but it’s quite a bit of code for what looks like just a few HTTP requests to get the config from one using the teleporter feature, then restore it on the others using the same.

seemaze

A Raspberry Pi with Alpine Linux makes a sweet little DNS server. AdGuard Home is even packaged in the testing branch[0] these days

[0] https://pkgs.alpinelinux.org/packages?name=adguardhome&arch=

eamag

Want to highlight https://nextdns.io/ as a similar service, very happy with it

poisonborz

Pihole being a self-hosted service and this being a third party one, I would say the target group is somewhat different.

whalesalad

it's more than that - an app running on your internal network is going to have way better latency than nextdns

zufallsheld

However you can't use it on the phone while not at home (aside from using vpn/wireguard), but nextdns allows it.

As for the latency - is it really noticeable?

8fingerlouie

Define latency ?

This is my latency (ping.nextdns.io):

  zepto-cph (IPv6)    12 ms  (anycast1, ultralow2)
  zepto-cph           13 ms  (anycast1, ultralow2)
  anexia-cph          13 ms  (anycast2, ultralow1)
  anexia-cph (IPv6)   15 ms  (anycast2, ultralow1)

zymhan

Pi-hole isn't a "service" though. It's just FOSS.

hk1337

This actually seems rather nice. Not the same as PiHole but I can see its upsides.

One upside I like about PiHole is that I can set it up to distribute the DNS to all my devices. This seems like I have to manually configure each device?

ATT doesn't let you set the IPv6 DNS, so I either have to disable IPv6 on the network or setup PiHole to pass IPv6 and the DNS I want to the device.

CharlesW

> This seems like I have to manually configure each device?

You don't have to (and I assume most users don't), but you can if you want per-device reporting. You just set your router's DHCP server to hand out NextDNS's DNS servers.

hk1337

That’s a good point, assuming your router allows you to do that.

ATT apparently removed overriding the DNS for IPv4 and IPv6. I had to double check because I thought I could do IPv4 but no.

There’s supposedly several options around it to use your own router but it’s not really worth setting up and my speed is slower using a second router.

system7rocks

Same for me.

I had Adguard running on a Pi 2 I think and it died. Couldn’t access my network remotely. Learned my lesson and switched to NextDNS on a bit more solid device.

leca

NextDNS is SaaS, you can't self-host it.

system7rocks

Right! When my Pi died, my network didn't look for a backup DNS, so everything became inaccessible. It was weird - probably the classic SD card issue. With NextDNS, while I do use DNS over TLS, if my Synology fails, it just kicks back to regular NextDNS domain name servers.

shmoogy

If only they had a stop blocking function.

AnonC

NextDNS has not updated its client applications on multiple platforms (iOS/iPadOS/macOS) for several years. Those client applications did have the ability to stop the blocking (or not), but now it's just a toggle that does nothing.

Most of the time when I visit test.nextdns.io it shows as "unconfigured" even though the NextDNS client is installed and configured with a NextDNS profile (and approved in Settings as a VPN provider on these OSes). Sometimes it will work on its own.

I wouldn't recommend NextDNS unless the user is comfortable installing a (somewhat) permanent Profile on these devices with no temporary "off" switch to stop blocking. For me it's important to stop the blocking once in a while.

At least on macOS, there's Little Snitch (paid application), which can subscribe to the same blocklists used by ad blockers and has a working toggle.

KomoD

They do let you switch it off, it's just a bit buggy sometimes (like having to toggle twice), I know because I use it all the time. https://i.imgur.com/YpSkS93.png

munbun

I use Tailscale as my primary interface for handling this. Simple as adding your nextdns id number in the DNS settings and you are done.

Instruct your Tailscale invitees to download the app and voila, simply toggle it on or off as needed.

CharlesW

FWIW, in my years of using NextDNS I think I've needed to do this only twice. On Macs, the menubar app lets you enable/disable NextDNS. The average HN reader can probably automate switching to a non-blocking profile for a given length of time. https://community.home-assistant.io/t/nextdns-integration-te...

zymhan

> The web interface has been completely overhauled with settings split into Basic and Expert modes. This allows users to customize their experience based on their comfort level and needs.

This sounds helpful for setting up a Pi-Hole for family or friends that aren't DNS admins by day.

Sohcahtoa82

I love PiHole.

I run my PiHole on a small cloud VM that I use for several projects, but put it behind a VPN that's configured to only forward DNS lookups, then VPN into it from my phone. So many advantages behind this setup.

- Since only DNS lookups are tunneled, I don't have to worry about tunneling ALL my traffic and paying egress fees

- Blocks ads in ALL apps, not just my browser

- If it's acting up, I can just disconnect from the VPN to disable PiHoling

- Don't have to expose my home IP address and open a port for the world to start banging on

TheArcane

> Don't have to expose my home IP address and open a port for the world to start banging on

Is that really an issue if all you're exposing is the VPN port? Wireguard for instance has industrial-grade encryption. Even open port 51820 should be fine

8fingerlouie

With wireguard in particular, you're probably not running much risk, as wireguard runs over UDP, and as long as you're not connecting with a correct (recognized) key, it will not even generate a response, so a potential attacker has no way of knowing for sure that wireguard is running on a given port.

Sohcahtoa82

I mean, probably not. But I like the idea of keeping everything closed anyways.

TriangleEdge

I have a script update my hosts file to route domains to 0.0.0.0 and ::0 . I get the domains from https://github.com/StevenBlack/hosts.

precommunicator

The point of pihole is to set up blocking on multiple devices though, some of which you don't control like you do your PC, e.g. smart TVs.

unsnap_biceps

Does anyone know if pihole is ever going to add DoH or similar support natively? I had such troubles with cloudflared a while back that I gave up on DoH, but would love to encrypt those queries.

newman314

You can insert dnscrypt-proxy inline between PiHole and an upstream server. So it'll work something like the following:

  Client --DNS--> Pi-hole --DNS--> dnscrypt-proxy (localhost) --DoH--> upstream

Not the prettiest but it works.

chgs

I’m not sure why I’d ever want DoH, I block as much as I can at my firewall and have a canary domain.

I want my devices to use my defined dns sever on my network, not some ad company (and all tech companies eventually become ad companies)

unsnap_biceps

I want pihole to talk encrypted to the upstream dns server. I don't actually care if my devices talk encrypted to pihole.

I just don't want to leak dns requests to my isp. If there's a way to do this without DoH or DoT, I'd happily learn more about it.

bjoli

DoT has a standard port, meaning blocking (conforming) requests is simple. DoH uses 443.

Nothing says clients need to conform to the port requirements, but most companies will be lazy and assume 853 will work.

ndriscoll

Speaking of not wanting DoH to exist on the local network, does anyone know if there is anything pre-existing that can hook into firewall rules to default deny outgoing traffic and only allow (until TTL expiry) in response to a DNS lookup? That way things cannot bypass your DNS filtering with DoH or hardcoded IPs.
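The idea in the question above (only let a client reach addresses your resolver actually handed it, for as long as the answer's TTL says) can be prototyped without special tooling. The following is an added example, not anything the commenter or the Pi-hole project ships: it parses the answer section of a DNS response in wire format, records each A/AAAA address per client with the returned TTL, and reports whether a (client, address) pair is currently allowed. The `nft` commands it emits assume a hypothetical nftables layout (an `inet egress` table with one timed set per client) and are illustrative strings; the response bytes are constructed by `build_response`, not captured from a real resolver. Pairing this with a default-deny forward chain is the firewall-side half of the earlier "block 0.0.0.0:53 from anything except the Pi-hole" suggestion.

```python
"""DNS-answer-driven egress allowlist with TTL expiry.

Example code added to the thread (not from the commenter, Pi-hole, or any
firewall project). Sample DNS messages are constructed inline.
"""
import ipaddress
import struct
import time

TYPE_A, TYPE_AAAA = 1, 28


def _read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # two-byte compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2               # the name ends after the first pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return [(name, address, ttl)] for A/AAAA records in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not (flags & 0x8000):                 # QR bit clear: a query, not a response
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            out.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
        elif rtype == TYPE_AAAA and rdlen == 16:
            out.append((name, str(ipaddress.IPv6Address(rdata)), ttl))
    return out


class Allowlist:
    """Addresses each client may reach, each until the DNS TTL it came with expires."""

    def __init__(self, clock=time.monotonic, min_ttl=5):
        self._clock = clock
        self._min_ttl = min_ttl       # floor so a TTL=0 answer still opens a short window
        self._expiry = {}             # (client, address) -> absolute expiry time

    def learn(self, client, response):
        """Record the answers in `response` for `client`; return nft commands to apply."""
        cmds, now = [], self._clock()
        for name, addr, ttl in parse_answers(response):
            ttl = max(ttl, self._min_ttl)
            key = (client, addr)
            self._expiry[key] = max(self._expiry.get(key, 0), now + ttl)
            # Hypothetical nftables layout: set "allow_<client>" whose elements time out.
            setname = "allow_" + client.replace(".", "_").replace(":", "_")
            cmds.append(f"nft add element inet egress {setname} {{ {addr} timeout {ttl}s }}  # {name}")
        return cmds

    def allowed(self, client, addr):
        """True if `client` obtained `addr` from DNS and that answer has not expired."""
        exp = self._expiry.get((client, addr))
        return exp is not None and exp > self._clock()


def build_response(qname, answers):
    """Build a minimal wire-format response (constructed test data, no real lookup)."""
    def enc(name):
        return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = enc(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for addr, ttl in answers:
        ip = ipaddress.ip_address(addr)
        rtype = TYPE_A if ip.version == 4 else TYPE_AAAA
        # 0xC00C: pointer back to the name at offset 12 (the question name)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(ip.packed)) + ip.packed
    return hdr + question + body
```

Two caveats a practitioner hits immediately: CDN-fronted services return short TTLs and rotate addresses, so the floor and the per-client sets matter, and anything that never asks your resolver (DoH to a hard-coded IP, or a baked-in address) simply never gets an entry, which is exactly the behaviour the question wants.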

kube-system

People use DoH/DoT so that their upstream DNS lookups are not transmitted in plaintext across the open internet. You can do this and still run your own DNS server on your network. The parent commenter is asking about Pihole with DoH, which is exactly this.

chgs

DoT sure. The whole “tunnel everything over http” is a terrible pattern

unethical_ban

IIRC, there is not a native GUI method for Pihole to talk encrypted to DoH providers. You have to set up a daemon locally and configure via CLI, then set that as your "upstream" DNS provider in Pihole admin.

Obviously the goal is to have your local clients talking to Pihole, but the goal of having remote DNS queries encrypted is to prevent ISP snooping.

Though if you really want to prevent ISP snooping you have all clients using VPN or configure your router to send all outbound traffic to a VPN endpoint.

zamubafoo

I've been using https://github.com/DNSCrypt/doh-server for serving my DNS server via DOH for at least 2 years. Only had two issues with it and both were due to lack of maintenance on my part (ie. not updating the binary for one and then not re-configuring it after I changed configurations for the upstream DNS).

hotpocket777

Assuming doh = dns over http