The Beauty of Having a Pi-Hole
74 comments · May 5, 2025 · mikestew
elashri
An increasing number of them also rely on hard-coded DoH servers, which are harder to block/redirect. You will need to use Pi-Hole/Adguard Home on the router to block them based on some curated lists (i.e. [1])
iugtmkbdfil834
I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. A blanket pihole recommendation may be a disservice at this point.
bongodongobob
No, that's not a fix and those iptables settings are on the router. It will only catch DNS requests on port 53. Doesn't catch DoH which you can't do on a router, you need a firewall for that.
wang_li
> read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
gbuk2013
To be fair, if you are geeky enough to run a PiHole you will have no trouble finding the config option to turn off DoH in your browser.
int0x29
Don't turn it off in your browser. If you have control of that setting, just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non-configurable things.
freedomben
True, but I want all the devices on my home network to have DoH disabled too. Most of them I can't change directly.
mikevin
Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?
notarealllama
Joke's on you, I do have a Fortinet which does this... Oh wait, only up to TLS 1.1 or something and it's slow.
I forgot the name of the software, but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge.
gbuk2013
You need to get an F5 box instead. :)
ignoramous
> For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
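The gap ignoramous and bongodongobob describe, as an added example that is not from the article or any commenter: given constructed flow records (client, destination, port), sort out which ones a router-level port-53 redirect to Pi-hole would catch and which slip past it. The Pi-hole address and the resolver set are assumptions; hard-coded DoH endpoints that are not public resolvers land in "other", indistinguishable from ordinary HTTPS, which is exactly why the NAT rule alone cannot fix them.

```python
# Added example: classify LAN client flows by whether a port-53 NAT redirect
# to Pi-hole affects them. Flow records are constructed sample data, not
# captured traffic; PIHOLE_IP is an assumed address.
from collections import defaultdict

PIHOLE_IP = "192.168.1.2"   # assumed Pi-hole address on the LAN
# Public resolvers widely known to offer DoH/DoT; a small sample set only.
KNOWN_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_flow(dst_ip, dst_port):
    """Return how a port-53 NAT redirect on the router affects this flow."""
    if dst_port == 53:
        if dst_ip == PIHOLE_IP:
            return "pihole"        # already going to Pi-hole, nothing to do
        return "redirected"        # plain DNS elsewhere: the NAT rule catches it
    if dst_port == 853:
        return "dot-bypass"        # DNS-over-TLS: a port-53 rule never sees it
    if dst_port == 443 and dst_ip in KNOWN_RESOLVERS:
        return "doh-bypass"        # HTTPS to a public resolver: very likely DoH
    return "other"                 # ordinary HTTPS, or DoH to an unknown host


def bypass_report(flows):
    """Per-client counts of each category; flows are (src, dst, port) tuples."""
    report = defaultdict(lambda: defaultdict(int))
    for src, dst, port in flows:
        report[src][classify_flow(dst, port)] += 1
    return {src: dict(counts) for src, counts in report.items()}


def bypassing_clients(flows):
    """Clients with DoH/DoT flows, which a port-53 redirect cannot fix."""
    rep = bypass_report(flows)
    return sorted(c for c, cats in rep.items()
                  if cats.get("doh-bypass") or cats.get("dot-bypass"))


# Constructed sample flows: (client, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.2", 53),    # laptop using Pi-hole as told
    ("192.168.1.30", "8.8.8.8", 53),        # TV with hard-coded DNS: redirect fixes it
    ("192.168.1.40", "1.1.1.1", 443),       # app doing DoH: slips past the port-53 rule
    ("192.168.1.40", "203.0.113.10", 443),  # ordinary HTTPS (TEST-NET-3 placeholder)
    ("192.168.1.50", "9.9.9.9", 853),       # device using DoT
]

if __name__ == "__main__":
    for client, cats in bypass_report(SAMPLE_FLOWS).items():
        print(client, cats)
    print("needs a firewall policy, not just NAT:", bypassing_clients(SAMPLE_FLOWS))
```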
silverwind
Apps that open arbitrary UDP/TCP ports? Isn't that something the app store policies should reject?
epcoa
What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.
01HNNWZ0MV43FF
They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves
xracy
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
chihuahua
Edge browser + uBlock Origin, and YouTube works perfectly without ads.
itchyouch
For the cost and simplicity, NextDNS is way easier IMO. Nice quality-of-life apps that install on your phone and computer to toggle it on/off while on the go, while also being able to be set up on the router.
Makes it nice and easy for the non-technical members of the fam.
n_ary
I personally use it on my devices as well as on the TV and smartphones of my non-tech-savvy family. However, deep in my mind, I have a feeling that any day they will turn face and sell off to some data brokers, and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard Home on a cheap VPS, but after NextDNS I decommissioned it. Maybe I need to go boot it up again.
jstanley
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
dvratil
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
timbit42
I just don't connect those devices to any internet.
ThrowawayTestr
Some people like to watch YouTube on their TV
crtasm
uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.
It's best to run both.
macawfish
Could be nice to have both! Plus, it's not clear that Chrome will always support manifest v2. I recently learned that you can still use uBlock Origin in Chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
Twirrim
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
FredPret
For me it's because:
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
swiftcoder
> When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser
I'm not sure how a blocker would work if it couldn't see the content of the page...
FredPret
Exactly, that's why I do it on the DNS level
mikestew
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
BenjiWiebe
uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
HelloUsername
Posted on 28-aug-2024
parpfish
i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.
these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.
3abiton
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
TechDebtDevin
It still shouldn't break all the time. You shouldn't have to get good at debugging a tool like this. I use it, but it does destroy my network once a month and I have had to build cleanup/reinstall scripts for this scenario. I would not recommend it to most people.
bongodongobob
Did you not give the pihole a static address or something? What is breaking?
bongodongobob
It's very straightforward. You set the IP of the pihole for DNS in the settings of whatever is doing DHCP on your network. That's it.
Dries007
After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.
I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with µBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
Gucio
Check out smarttubenext if you are on an Android TV.
lambdaba
Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.
eamag
Why is tailscale needed?
vaxman
So people with access to the TailScale control plane can easily add and remove devices from your network.
bix6
Is there a tutorial you recommend?
the_dude_
it's a good post, however I agree with the comments there and here that a Raspberry Pi 5 with 8 GB RAM is overkill for just running pihole. A good old Raspberry Pi 3 Model B with 1 GB RAM is enough, and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have, so no need to buy a device just for the sake of it. I would rather not run it as a Docker container though, but that's just my preference.
ryandrake
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.
crtasm
Another option is to run Pi-Hole on any device that can use docker: https://docs.pi-hole.net/docker/
mikestew
I was shocked that TFA’s recommended kit was $155! When did Raspberry Pi’s get so pricey?
GuB-42
The latest, overpowered version with all the accessories is that pricey.
But you can do for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
jamesgeck0
I don't _think_ you need a whole Raspberry Pi 5 kit. It seems like an older Raspberry Pi 3B+ would get the job done for $35 or so. Maybe even a Raspberry Pi Zero ($5) with a micro USB ethernet adapter.
m000
RPi5 is definitely a huge overkill. Plus, it needs a power adapter, probably some cooling, and some space to seat it.
Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
GloriousKoji
I recommend against the Pi Zero. Once you add in the cost of the microUSB to USB-OTG adapter and the ethernet USB adapter you might as well buy a 3B or 4. Price aside it adds an extra mechanical point of failure as microUSB is not very robust.
mikestew
Oh, it will definitely work on older ones. The one I have, w/o logging in and explicitly looking, is a 3-$SOMETHING, probably 3b+. Works just fine.
ChrisLTD
Same. I thought it'd be ~$50.
hoherd
There are also official docs on how to run it using `docker run` and `docker compose` https://docs.pi-hole.net/docker/
sixothree
I run it under Hyper-V on a NUC sized device that is always on.
M95D
For those who think DNS-over-HTTPS can't be blocked: just disable routing and use a whitelist filtering proxy server instead.
flaburgan
Does it really have to be installed in the local network? I would like to set it once in a server and then be able to configure the box of all my friends, family, etc.
rement
Be aware that if you run it on the internet other people will find it. I had one open to the web for a bit and was a bit surprised how many systems started making requests to it.
freedomben
No, but it won't have auth in front of it so it will eventually be discovered and used by people who aren't you. That could get you wrapped up or even implicated in a cyber attack.
potatocoffee
Pi hole devs recommend running it locally only and discourage exposing your pi-hole to the internet. I used pi hole for years but have been using NextDNS lately and it works well outside of my home network, and even has a free tier.
Larrikin
You can run it on your phone and outside of your network with something like Tailscale as your VPN.
the_dude_
it depends on your needs, but for me I set it up as the DHCP server and configure the router to go through the pihole. If you want to share it with family and friends there is no better tool than Tailscale; you can configure the pihole as an exit node.
In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.