The Beauty of Having a Pi-Hole (2024)
210 comments
May 5, 2025
h4kunamata
vladvasiliu
> Devices trying to use DoT or DoH??? Blocked, PiHoles take over.
How? I can see you only allowing some ports through the firewall, but presumably TCP 443 is one of those. According to Cloudflare [0] DoH uses that. What if Samsung uses that, or figures DoT on port 443 works better? Do you only allow specific destinations for these devices?
I actually use a similar setup, only I removed pihole and just use some lists in my opnsense's unbound (didn't notice much difference).
My "smart" TV is pretty awful, so it's just unplugged (which makes it dumb, so now I love it). I've tried putting it on a dedicated VLAN with no internet access so I could try using the built-in Chromecast functionality – didn't have much luck. I've set up the mDNS repeater and allowed ports through, but that doesn't seem enough.
[0] https://developers.cloudflare.com/1.1.1.1/encryption/dns-ove...
h4kunamata
I followed this blog to get the firewall dynamic firewall in place: https://labzilla.io/blog/force-dns-pihole
Like you said, you cannot just block 443. The dynamic firewall uses a public list, which contains all the public DNS known to man (the last bit was just to sound a little dramatic haha).
So OPNSense will block anything within that list in both 443 and 853.
So my Samsung QLED TV can no longer use Google:443 for DNS resolution. OPNSense blocks it and redirects it to PiHole; a NAT is also required to avoid devices getting mad.
I didn't pay a kidney for that smart TV back in 2019 to make it dumb; when it is on, PiHole logs go brrrrrrrr.
It is also one of the reasons why my whole network was going down: it was making too many requests, exhausting PiHole's 150 concurrent DNS request limit. There is a flag to increase that, and no more issues.
Google:443: DNS requests only, no actual 443 request gets blocked
Cloudflare:443: DNS requests only, no actual 443 request gets blocked
etc etc Read that blog I shared to understand it.
If I run a dig google.com @8.8.8.8, PiHole terminal shows the request
If I run 8.8.8.8:443 on the browser, OPNSense firewall log shows access denied, the same msg when my TV turns on or my Home Assistant goes on.
DoT on 853 is simple to block on its own, not much secret there.
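The policy h4kunamata describes (everything but the Pi-hole gets port 53 redirected, 853 dropped, and 443 dropped only when the destination is on a public-DoH list) is easy to get subtly wrong in rule order, so here is a model of it as an added example. This is my code, not h4kunamata's rules, the labzilla post, or OPNsense configuration: it evaluates the rules against constructed flows and renders an equivalent nftables fragment (OPNsense uses pf, whose syntax differs). The Pi-hole address, the interface name and the sample blocklist are assumptions; the real lists are one address or prefix per line. One thing it does beyond the comment: it drops UDP 443 to listed resolvers as well, since DoH can also run over HTTP/3.

```python
"""Policy model of the OPNsense DNS-enforcement setup described in the thread.

Added example, not code from the thread or the linked blog. Order of evaluation:
  1. traffic from the Pi-hole itself is allowed (it must reach its upstreams)
  2. any other host sending to port 53 is redirected (DNAT) to the Pi-hole
  3. port 853 (DoT/DoQ) to any destination is dropped
  4. port 443 (TCP or UDP/QUIC) to an address on the public-DoH list is dropped
  5. everything else is allowed
"""

import ipaddress

PIHOLE = ipaddress.ip_address("192.168.1.2")   # assumed Pi-hole address
LAN_IF = "lan"                                 # assumed inside interface name

# Constructed sample in the shape of the published DoH IP lists:
# one address or prefix per line, '#' starts a comment.
SAMPLE_DOH_LIST = """\
# public DoH resolvers (constructed sample)
8.8.8.8          # dns.google
8.8.4.4
1.1.1.1          # cloudflare-dns.com
1.0.0.1
2606:4700:4700::1111
9.9.9.0/24       # a prefix entry
"""


def parse_doh_list(text):
    """Return ip_network objects for every non-comment line; malformed lines are skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad line must not disable the whole list
    return nets


def in_list(addr, nets):
    """True if addr falls inside any network of the same IP version in nets."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets if n.version == a.version)


def decide(src, dst, dport, proto, nets):
    """Firewall verdict for one flow: 'allow', 'drop' or 'dnat-><pihole>:53'."""
    if ipaddress.ip_address(src) == PIHOLE:
        return "allow"                                  # rule 1
    if dport == 53 and proto in ("udp", "tcp"):
        return f"dnat->{PIHOLE}:53"                     # rule 2
    if dport == 853:
        return "drop"                                   # rule 3
    if dport == 443 and in_list(dst, nets):
        return "drop"                                   # rule 4
    return "allow"                                      # rule 5


def nft_fragment(nets):
    """Render the same policy as an nftables 'inet' table (IPv4 clients only for the DNAT)."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]

    def set_block(name, typ, elems):
        body = f"    set {name} {{ type {typ}; flags interval;"
        if elems:
            body += " elements = { " + ", ".join(elems) + " };"
        return body + " }"

    return "\n".join([
        "table inet dnsguard {",
        set_block("doh4", "ipv4_addr", v4),
        set_block("doh6", "ipv6_addr", v6),
        "    chain prerouting {",
        "        type nat hook prerouting priority dstnat; policy accept;",
        f'        iifname "{LAN_IF}" ip saddr != {PIHOLE} meta l4proto {{ udp, tcp }} th dport 53 dnat ip to {PIHOLE}',
        "    }",
        "    chain forward {",
        "        type filter hook forward priority filter; policy accept;",
        f"        ip saddr {PIHOLE} accept",
        "        meta l4proto { tcp, udp } th dport 853 drop",
        "        ip daddr @doh4 meta l4proto { tcp, udp } th dport 443 drop",
        "        ip6 daddr @doh6 meta l4proto { tcp, udp } th dport 443 drop",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    nets = parse_doh_list(SAMPLE_DOH_LIST)
    for flow in [("192.168.1.50", "8.8.8.8", 53, "udp"),       # TV with hard-coded DNS
                 ("192.168.1.50", "8.8.8.8", 443, "tcp"),      # DoH to dns.google
                 ("192.168.1.50", "142.250.72.14", 443, "tcp"),  # ordinary HTTPS, allowed
                 ("192.168.1.50", "1.1.1.1", 853, "tcp"),      # DoT
                 ("192.168.1.2", "8.8.8.8", 53, "udp")]:       # the Pi-hole itself
        print(flow, "->", decide(*flow, nets))
    print(nft_fragment(nets))
```

The redirect alone is what makes the TV's `dig @8.8.8.8` land in the Pi-hole log; the reply-address NAT the comment mentions (so the client sees its answer come back from the address it asked) is not modelled here.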
illiac786
I have similar setup with adguard and opnsense, and here is another list for public known DoH servers (including IPv6):
https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/r... https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/r...
silon42
Good stuff.
As an alternative, has someone tried running http/s proxy on the firewall and blocking the rest of client HTTPS (except maybe for whitelist devices)?
brewdad
While there is absolutely value in doing what you are doing and I commend you for fighting the good fight, the fact that 61% of your queries are still going through means your data is still getting out there. Maybe to a lesser degree but that doesn't mean the marketing target isn't being painted it just means you are an impressionistic painting rather than a modernist with straight, accurate lines.
I want to know how to become a Pollock painting.
h4kunamata
I see your point. I have no need to block 99% of everything. For instance, many apps like bank apps use Google to deliver notifications (there is a name for it), so if you start blocking everything, you won't be able to use anything.
To your credit, I can block more stuff but I haven't bothered. I have spent many nights blocking stuff haha
Reddit doesn't work at home atm because I blocked static.reddit.com. Since the API drama, I never used it again; I used to waste hours of my life every day there. Couldn't be happier, to be honest haha
The only fight I gave up is YouTube; I do see value in YouTube Premium. Spotify is dogshit. YouTube Music allows me to listen to music available nowhere else, like DJ remixes and old music, and the offline music works, which Spotify gave me the finger on.
I watch YT only; TV news is completely useless nowadays. There are solid news channels, so anyway, I do pay for it over trying to block its ads from the free version. I mean, try listening to music with ads, nah thanks haha
dayone1
Is there an updated set of instructions/great guide on how to set up unbound and pihole together along with forced DNS redirection (so all dns requests are forced through unbound/pihole)? I tried to do this a couple of years ago and gave up because of how complicated it was to setup.
h4kunamata
I shared the link before, we do need to have firewall rules in place to enforce that. I had done it before but was wrong, I could still bypass PiHole.
I had to recreate all my firewall rules because of a system crash, the order and place I had the rules created earlier were wrong.
I shared the blog link yesterday, that is all you need to follow.
mikestew
In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
elashri
An increasing number of them also rely on hard-coded DoH servers, which are harder to block/redirect. You will need Pi-Hole/Adguard Home on the router to block them based on some curated lists (i.e. [1])
rsync
In this arms race you are saying a current "move" is a curated list of IPs that correspond to known DoH servers ... and that's fine ..
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
baby_souffle
That might work but if your Samsung example is behind cloudflare, you're basically going to have to block any and all access to cloudflare's Network.
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time so your only recourse would be to limit connectivity to all of AWS which would effectively prevent you from accessing most things on the internet
toast0
If you're really serious about DNS interception, you'd setup something where
a) you stop accepting A lookups, because it's 2025 and IPv4 only is dead (let's pretend anyway)
b) for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts). Then only let clients connect to these IPv6 addresses you setup.
If someone smuggles address resolution through, outside of DNS, their clients can't connect.
(this is going to be a big PITA, but that's how these things go)
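toast0's scheme is worth seeing in code because the interesting part is the invariant, not the NAT: a host can only reach what the gateway's resolver handed it. The block below is an added example of that idea and is my code, not toast0's or anything from the thread. It plays the gateway resolver: A queries are refused, each AAAA answer is a fresh synthetic address from a private prefix with the real target (IPv4 or IPv6) recorded against it, and the forwarding decision consults only that table. The prefix, the upstream answers and the client names are constructed.

```python
"""Toy of the DNS-gated address scheme described above (added example).

The gateway is the only resolver. It refuses A queries; for each AAAA answer
it returns a freshly allocated synthetic IPv6 address from a private prefix
and records the mapping. The firewall forwards only flows whose destination
is in that table, rewriting them to the real address (which may be IPv4,
giving NAT64 for free). A client that learned a real address some other way
(DoH, hard-coded IP) has nothing to connect to.
"""

import ipaddress
import itertools

SYNTH_PREFIX = ipaddress.ip_network("fd00:6e61:743a::/64")   # assumed ULA prefix

# Constructed upstream answers, keyed by (name, qtype), as an upstream resolver would return them.
UPSTREAM = {
    ("www.example.com", "AAAA"): ["2001:db8::10"],
    ("www.example.com", "A"): ["203.0.113.10"],
    ("legacy.example.net", "A"): ["198.51.100.7"],        # IPv4-only host
}


class SyntheticResolver:
    def __init__(self, prefix=SYNTH_PREFIX, upstream=UPSTREAM):
        self.prefix = prefix
        self.upstream = upstream
        self._next = itertools.count(1)        # index 0 is the subnet-router anycast address
        self.synth_to_real = {}                # IPv6Address -> real IPv4Address/IPv6Address

    def _allocate(self):
        idx = next(self._next)
        if idx >= self.prefix.num_addresses:
            raise RuntimeError("synthetic prefix exhausted")
        return self.prefix[idx]

    def answer(self, name, qtype):
        """Answer a client query: (rcode, [addresses]). Only AAAA gets data."""
        if qtype == "A":
            return ("REFUSED", [])             # step a): no IPv4 answers, ever
        if qtype != "AAAA":
            return ("NOTIMP", [])
        # Real answers of either family become synthetic IPv6 answers (NAT64 for v4 targets).
        reals = self.upstream.get((name, "AAAA"), []) + self.upstream.get((name, "A"), [])
        if not reals:
            return ("NXDOMAIN", [])            # NODATA and NXDOMAIN collapsed for the toy
        answers = []
        for real in reals:
            synth = self._allocate()           # a new address per answer, as toast0 describes
            self.synth_to_real[synth] = ipaddress.ip_address(real)
            answers.append(synth)
        return ("NOERROR", answers)

    def forward(self, dst):
        """Firewall decision for a flow to dst: ('nat', real-as-string) or ('drop', None)."""
        real = self.synth_to_real.get(ipaddress.ip_address(dst))
        if real is None:
            return ("drop", None)              # never resolved through us: smuggled address
        return ("nat", str(real))


if __name__ == "__main__":
    gw = SyntheticResolver()
    print(gw.answer("www.example.com", "A"))
    rcode, addrs = gw.answer("www.example.com", "AAAA")
    for a in addrs:
        print(a, "->", gw.forward(a))
    print("direct to real v6:", gw.forward("2001:db8::10"))   # dropped: learned out of band
    print("direct to real v4:", gw.forward("::ffff:203.0.113.10"))
```

Expiry is the hard part left out here: mappings have to live at least as long as the TTL the client was given plus the lifetime of any connection it opened, and a client that caches past the TTL loses connectivity, which is the "big PITA" toast0 warns about.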
pimeys
I run Zenarmor in addition to Adguard at home, which can detect DoH traffic and intercept it. You have to pay for this enterprise level tool, but if you are worried about DoH, Zenarmor is so far the easiest tool to block it.
In our house the only device that tries to use DoH is my partner's iPhone. It tries a few times, fails, then uses the Adguard DNS, which blocks the trackers.
jeroenhd
And before DoH was a thing, several Chinese apps I've used also used to do plain HTTP for DNS resolution (I only caught them by chance because they were doing HTTP). PiHoles only work for apps that stick to the standards and don't mind being caught.
TacticalCoder
Browsers allow corporations to prevent DoH and force DNS through company-owned DNS servers:
https://support.mozilla.org/en-US/kb/dns-over-https
I use these settings on all my browsers to prevent DoH and make sure traffic goes through my Pi (I run unbound directly on the Pi though, not Pi-Hole: in my experience unbound is a bit harder to set up initially but it's also more powerful than Pi-Hole... For example unbound accepts wildcards in blocklists).
It's not incompatible with also blocking, at the firewall level, all known DoH servers of course.
Nor is it incompatible with forcing your router to also use your Pi as a DNS.
wang_li
> read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example,
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
mikevin
Would certificate pinning also remove the first option? I wonder if we are moving to a system where inspecting your own traffic isn't a viable option anymore, am I missing a workaround?
jcalvinowens
If you control the machine you can always defeat pinning, given enough effort. But for an IoT device, yeah, we're already there.
gbuk2013
To be fair, if you are geeky enough to run a PiHole you will have no trouble finding the config option to turn off DoH in your browser.
int0x29
Don't turn it off in your browser. If you have control of that setting just install an ad blocker. The point of DNS block lists is to get rid of ads on phones, TVs, and other non configurable things.
freedomben
True, but I want all the devices on my home network to have DoH disabled too. Most of them I can't change directly.
gosub100
The arms race will continue. I think the next gen will be a self hosted archive.ph style host that lets all the garbage load and distills it into a PDF or Web 1.0 style file ready for consumption. I would be fine with a browser extension that learns what I watch the most and preloads it for me, and/or an on demand service that shares prerendered sites bundled into torrents that group together common interests.
Edit: as much as I dislike AI, I concede it would be lovely to tell it to replace all ads with pictures of flowers.
DrillShopper
That's what The Internet Junkbusters Proxy / Privoxy excelled at.
wkat4242
Yeah DoH was a solution to a really niche US-only problem where their laws provided the ability for providers to sell their users' DNS logs. In normal countries with privacy protections this isn't a thing anyway.
In this model, DoH is only a bad thing because it evades local DNS control.
I know that apps can always roll their own or even hardcode servers, but I hate the way that DoH was seen as some kind of saviour even though it adds zero benefit to European users and only adds negatives.
diogocp
Your comment makes no sense. The DoH providers can still log requests and sell them.
DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.
Sending anything in clear text over the internet in 2025 is criminally negligent.
notarealllama
Jokes on you, I do have a fortinet which does this.... Oh wait, only up to TLS 1.1 or something and it's slow.
I forgot the name of the software, but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge.
gbuk2013
You need to get an F5 box instead. :)
bongodongobob
No, that's not a fix and those iptables settings are on the router. It will only catch DNS requests on port 53. Doesn't catch DoH which you can't do on a router, you need a firewall for that.
tenacious_tuna
Also, doesn't that break the network if the pihole is offline? Before I'd just override DNS on my workstation, but that iptables config would block any "unsanctioned" DNS traffic
bongodongobob
It would, yes
ignoramous
> For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
shaky-carrousel
You can block known DoH servers.
iugtmkbdfil834
I was going to say, as a person who used pihole pretty extensively at one point, it may not be enough anymore. I am by no means a network expert, but I do recognize those shortcomings and try to compensate for them. A blanket pihole recommendation may be a disservice at this point.
RachelF
I've seen Windows 11 ignoring DNS settings too, for Microsoft telemetry, ads and updates.
silverwind
Apps that open arbitrary UDP/TCP ports? Isn't that something the app store policies should reject?
01HNNWZ0MV43FF
They're not opening listening ports on the local system, they're just ignoring the system's DNS and saying "Take me to this IP and this port" and then doing a DNS lookup themselves
epcoa
What is an arbitrary TCP port? Ports in isolation from an IP address aren't inherently arbitrary, they're nothing, and the IP:port pair is arbitrary. Once you allow connections to any host on the internet the port doesn't really matter - you can do whatever nefarious shit over port 80. And not allowing apps to connect to external internet servers seems pretty limiting.
everdrive
My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IOT, android, chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones. (plus a steamdeck) My wife has a few ugly apps (facebook, instagram, etc) but outside of that we're in much better shape network-wise.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
mberlove
I know I'm not alone in maintaining a strong feeling that we've "gone the wrong way" with tech in a lot of ways, as the meme goes, and forgotten (societally) that tech is there for us rather than the other way around. I like your approach - take a light touch using technology; use tech where it helps and ignore it where it doesn't.
(The challenge of course is when you can't or aren't allowed to ignore it, its own challenge).
xracy
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
chihuahua
Edge browser + uBlock Origin, and YouTube works perfectly without ads.
squigz
Firefox works well too. 10.2M blocked requests on my uBlock, and YouTube - and every other site - works perfectly fine.
happyhacks
youtube was likely broken because jnn-pa.googleapis.com was likely in one of the lists - add it to the "Exact allow" list.
Similarly you can allow googleadservices.com, but that is too much IMO - I just have a habit now to not click on such results.
bluescrn
Plus staying logged out of YouTube, which seems to avoid their ad-blocker-blocking for now.
NoPicklez
To fix that you just need to look through the logs through the native pi-hole UI and whitelist those domains which cause friction with your browsing habits.
The google sponsored search issue was one I also fixed quite quickly.
As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.
foobahhhhh
Or don't use hostile services
NoPicklez
That is also an option, yes; however, it is challenging in today's world to find products that aren't hostile. Usually it's a question of to what degree they are hostile and what I can live with or control.
perdomon
For the Google issue, I’ve been using Kagi as a search tool for the last 2 weeks and love it. No ads and great results that can be personalized. I’m on the free version but will likely start the subscription soon.
itchyouch
For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be setup on the router.
Makes it nice and easy for the non-technical members of the fam.
n_ary
I personally use it on my devices as well as on the TV and smartphones of my non-tech-savvy family. However, deep in my mind, I have a feeling that any day they will turn face and sell off to some data brokers, and suddenly all of my traffic history is centralized there. I used to run a personal AdGuard Home on a cheap VPS, but after NextDNS I decommissioned it. Maybe I need to go boot it up again.
glial
I tried a Pi Hole a few years ago. I just discovered NextDNS and configured my home router to use it as a DNS and wow, it's SO much easier.
AnonC
NextDNS is not the answer if someone is looking for apps to toggle on or off the blocking easily. The NextDNS apps on iOS and iPadOS have not been updated for about five years and the toggle is broken (I know this because I’ve been troubled by it for years). If using the app on iOS/iPadOS (and not a permanent VPN profile), anytime you wish to know if NextDNS is on or not, go to test.nextdns.io on a browser and see if it shows “unconfigured” or some specific NextDNS endpoint. For me this test has proven how it randomly works or doesn’t work.
perdomon
I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power. The entire setup process happens over SSH and it cost me about $25. If someone can figure out how to configure their network for the pi-hole, I’m sure they can also figure out SSH.
sgbeal
> I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power.
FWIW, even a Pi Zero 2 is overkill. My pi-hole has been running for the better part of 3 years on the same microSD card on a first-generation pi zero, powered via a USB port on my router.
tonymet
Original pi zero with usb Ethernet also runs fine
perdomon
1. You’re totally right about that, but I couldn’t find one as easily. 2. I was initially hesitant about using WiFi for DNS, but after reading comments it seemed that no one really had any issues. Mine has been kicking for 6 months sitting right next to my router without any noticeable delays, so I think it’s okay.
sgbeal
> I was initially hesitant about using WiFi for DNS, but after reading comments it seemed that no one really had any issues
FWIW, that was also an initial concern of mine. Almost three years later, i've never once had an issue with running my pi-hole over wifi.
tonymet
it's mostly fine, only edge cases. with original zero W and 2.4ghz radio, microwaves were real interference.
I mostly used USB as an experiment and I didn't know what else to do with the regular-zero
Very cool how a $5 board could work so well! I was glad to see your post.
iramiller
What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
dend
Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.
jstanley
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
dvratil
With pi-hole, you can also block telemetry from smart devices (TVs, dish washers and stuff), and if you run it on a VPN that your phone is connected to, you can also block ads and tracking in phone apps.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
timbit42
I just don't connect those devices to any internet.
ThrowawayTestr
Some people like to watch YouTube on their TV
godelski
You don't connect your phone to the internet?
crtasm
uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc.
It's best to run both.
rsync
"uBlock is only for your web browser - it can't help with other apps, smart devices, game consoles, etc."
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already ?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options ?
timeinput
I mean I expect devices and apps to move to DoH, but they haven't yet, or at least not all of them. My experience generally on my phone at home (with DNS blocking) is better enough than my experience away from home that I'm glad I took the half a day or there about to set up a DNS blocking tool a couple years ago.
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it, I should probably start logging how many DNS lookups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of W to power the Raspberry Pi.
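The "count blocked answers per day and watch for the number collapsing" check timeinput proposes is a few lines of log parsing, so here it is as an added example. This is my code, not timeinput's or Pi-hole's. The log lines are constructed to resemble the dnsmasq-style entries in Pi-hole's query log; the exact "... blocked <name> is ..." phrasing and the timestamp layout are assumptions, so the two patterns at the top are the part to adjust for a given Pi-hole version.

```python
"""Daily block-rate monitor for a Pi-hole style query log (added example).

Counts queries and blocked answers per day from dnsmasq-style log lines and
flags days where blocking fell below a floor. Not Pi-hole code; the sample
log and the line formats are constructed.
"""

import re
from collections import Counter, defaultdict

# Constructed sample, not a real capture.
SAMPLE_LOG = """\
May  4 08:00:01 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
May  4 08:00:01 dnsmasq[512]: forwarded www.example.com to 127.0.0.1#5335
May  4 08:00:02 dnsmasq[512]: query[A] ads.tracker.example from 192.168.1.20
May  4 08:00:02 dnsmasq[512]: gravity blocked ads.tracker.example is 0.0.0.0
May  4 21:10:09 dnsmasq[512]: query[AAAA] telemetry.tv.example from 192.168.1.31
May  4 21:10:09 dnsmasq[512]: gravity blocked telemetry.tv.example is ::
May  5 07:30:00 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
May  5 07:30:00 dnsmasq[512]: cached www.example.com is 203.0.113.10
May  5 07:31:15 dnsmasq[512]: query[A] news.example.org from 192.168.1.20
May  5 07:31:15 dnsmasq[512]: forwarded news.example.org to 127.0.0.1#5335
May  5 12:00:00 dnsmasq[512]: this line is noise and must be ignored
"""

# Assumed formats: syslog-style prefix, then a dnsmasq message.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(r"^\S+ blocked (?P<name>\S+) is \S+$")   # e.g. "gravity blocked x is 0.0.0.0"


def summarize(lines):
    """Return ({day: Counter(queries, blocked)}, Counter of blocked names)."""
    per_day = defaultdict(Counter)
    blocked_names = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a log line we understand
        day = f"{m['mon']} {int(m['day']):02d}"        # zero-pad so string sort is date order
        msg = m["msg"]
        if QUERY_RE.match(msg):
            per_day[day]["queries"] += 1
        else:
            b = BLOCK_RE.match(msg)
            if b:
                per_day[day]["blocked"] += 1
                blocked_names[b["name"]] += 1
    return dict(per_day), blocked_names


def block_rate(counts):
    """Fraction of a day's queries that were answered from a blocklist."""
    q = counts["queries"]
    return counts["blocked"] / q if q else 0.0


def quiet_days(per_day, floor=1):
    """Days with fewer than `floor` blocked answers: the signal that the blocker may no longer earn its keep."""
    return sorted(day for day, c in per_day.items() if c["blocked"] < floor)


if __name__ == "__main__":
    per_day, names = summarize(SAMPLE_LOG.splitlines())
    for day in sorted(per_day):
        c = per_day[day]
        print(f"{day}: {c['queries']} queries, {c['blocked']} blocked ({block_rate(c):.0%})")
    print("top blocked:", names.most_common(3))
    print("quiet days:", quiet_days(per_day))
```

Run it against the real log (one `summarize(open(path))` call) from a daily cron job and alert on `quiet_days`; a sudden drop with unchanged query volume usually means devices moved to DoH rather than that the ads went away.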
Twirrim
I use both, blocking all sorts of non-browser traffic. I find I can tell whenever the pi-hole isn't running.
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
nativeit
Yeah, blocking the bloated Adobe telemetry from their CC apps has been worth the cost of entry alone.
gh02t
Used to be to catch ads in places outside of browsers like apps, smart TVs etc, or when mobile browsers didn't let you have ad block plugins, plus catching outbound connections like devices trying to phone home. Less effective now, unfortunately, but I find it still catches a lot of ads in mobile apps even if more and more apps are working hard to circumvent DNS blocking. Also have set up PiHole* to block ads for non technical family members who don't know how/can't be bothered to use a browser plugin. Another perk is it gives you some high level overview about what devices across your whole network are up to, though there are other (and often better) ways to achieve this.
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.
macawfish
Could be nice to have both! Plus, it's not clear that Chrome will always support Manifest V2. I recently learned that you can still use uBlock Origin in Chromium by going to the extensions page and manually turning it back on, but who knows how long this will last?
mikestew
uBlock Origin works only in the browser, right? Pi-hole works on phone apps that have ads (well, most of them, anyway), ads on your TV, and anything else on the network trying to ping servers you don’t want them talking to.
BenjiWiebe
uBlock Origin only works in the browser. And on mobile it only works in Firefox (I think).
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
FredPret
For me it's because:
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
swiftcoder
> When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser
I'm not sure how a blocker would work if it couldn't see the content of the page...
FredPret
Exactly, that's why I do it on the DNS level
imgabe
I had been meaning to do this for the longest time. I even had a couple spare raspberry Pis laying around, but didn't want to set it up. Finally, I realized you don't need a raspberry pi at all. It's running in docker on my plex server. Much less friction. Don't get hung up on needing to run it on a raspberry pi.
parpfish
i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.
these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.
3abiton
I started like you, but slowly with more debugging and customized use-cases I started understanding more and more. That's the way for people with limited free time. That said, now with LLMs, honestly anything is easily learnable.
TechDebtDevin
It still shouldn't break all the time. You shouldn't have to get good at debugging a tool like this. I use it, but it does destroy my network once a month and I have had to build cleanup/reinstall scripts for this scenario. I would not recommend it to most people.
happyhacks
Don't know about your network - but I have been running it for years without any issue, just a docker pull to update the containers once a while
bongodongobob
Did you not give the pihole a static address or something? What is breaking?
danparsonson
What do you mean 'destroys your network'? It's just a DNS server - maybe something else is wrong and the presence of the pihole is a coincidence?
bongodongobob
It's very straightforward. You set the IP of the pihole for DNS in the settings of whatever is doing DHCP on your network. That's it.
blooalien
Yeah, and set the IP of the PiHole as DNS for any device you've set static network settings on as well, but yes, it is indeed "very straightforward" for anyone that's able to set up their local network (or able to ask a "nerdy" friend or family member to do it for 'em).
bongodongobob
If you've set static IPs, I don't see how picking where DNS comes from is out of your wheelhouse.
lambdaba
Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.
eamag
Why is tailscale needed?
lambdaba
You don't strictly need it; it just makes it a tiny bit more convenient since you can set it up to override DNS on any connected device, and Tailscale sets up a private VPN mesh between your devices that I've come to take for granted - a tangential feature that goes well with centrally managed DNS.
JamesSwift
It lets you leverage it while physically outside of the network (eg at a hotel)
benhurmarcel
But NextDNS isn’t on your network anyway. You can access it from anywhere.
dockerd
And also benefit from Tailscale drop feature
vaxman
So people with access to the TailScale control plane can easily add and remove devices from your network.
I have run PiHole for years in my home network; I cannot live without it. Over the years, I have made small changes to increase my control over it.
I have a recursive DNS setup, PiHole filters everything, and what is left is processed locally via Unbound which in turn, contacts the 13 root nameservers for DNS resolution. I don't use any third party DNS.
Add PiHole/Unbound caching capabilities, surfing on the internet is bloody fast.
Now, they alone cannot block everything like smartTV with hardcoded DNS, DNS-Over-TLS, DNS-Over-HTTPS, etc.
That is where OPNSense comes to play...
I have firewall rules in place so that nobody but the PiHoles can request name resolution. My Samsung smart TV trying to use Google DNS?? Blocked, PiHole takes over.
Devices trying to use DoT or DoH??? Blocked, PiHoles take over.
You can create a dynamic firewall rule with OPNSense so it will only block 443 and 853 if the host matches the list, which is updated daily.
To make everything even better, the OPNSense firewall makes sure no IoT device can access the local network, but I can access them, like the wireless printer, etc., and if I need to access anything while on the road, like my cat's cam or my Voron 3D printer camera, WireGuard VPN makes sure of that. No VPN equals no network access.
It is just me and my devices, at the time of this writing:
* Domains on List: 500k
* Total queries: 43k
* Queries Blocked: 17k
* Percentage Blocked: 39%
I run GrapheneOS on my Pixel phone with very limited apps; I prefer the web version. The apps themselves are fully controlled and 99% of their access is blocked. That is why I have fairly low numbers after purging all the logs a few days ago.