[HN Gopher] Blocky - a DNS proxy and ad-blocker for the local ne...
___________________________________________________________________
Blocky - a DNS proxy and ad-blocker for the local network
Author : kaathewise
Score : 195 points
Date : 2024-04-08 10:07 UTC (12 hours ago)
(HTM) web link (0xerr0r.github.io)
(TXT) w3m dump (0xerr0r.github.io)
| poisonborz wrote:
| My problem with network-level adblockers, also PiHole is that
| they break a lot of services (yeah it's mostly sloppy or
| malicious intent from service provider but still). On a browser
| you can quickly disable uBlock for that site, it is much more
| tedious for these services - also because it's not even clear
| that the filtering is causing the problem, also because it may be
| someone else on the network experiencing the problem.
| cyberpunk wrote:
| I've been using https://oisd.nl/ on my network for some time
| (just cronned into an unbound config file) and nothing breaks.
|
| If you report a website breaking to the maintainer, he removes
| the offending block.
|
| Works well, I can recommend it.
|
| And it reminds me to send them a little money in thanks.
| UberFly wrote:
| This looks really good. Thanks for suggesting it.
| martin_a wrote:
| Is that your experience? Honest question, because only
| yesterday, after several years with PiHole and uBlock Origin, I
| found that a Shopify shop wasn't working for me. But that's
| probably the only issue I encountered after all those years...
| Dalewyn wrote:
| I've come across a few borking issues, including online
| banking because card rewards are counted as advertising in
| the list(s) I use.
|
| Such problems are few and far between, though, and it wasn't
| that hard to figure out what to whitelist (granted I'm a
| computer nerd, not everyone is).
| jokethrowaway wrote:
| Not parent but yes, that's exactly why I stopped using PiHole
| davitocan wrote:
| Home Depot search breaks for me when using Blocky, and is the
| only consistent issue I observe.
| Marsymars wrote:
| Home Depot is the most fragile website I'm forced to deal
| with. It regularly breaks in novel ways for me when it
| can't load some random dependency that it doesn't actually
| need the functionality from.
| radicality wrote:
| And it doesn't load at all from outside the US! I once
| wanted to purchase before coming back, to learn I need to
| vpn back in to the US to order something. Crazy.
| dorianh wrote:
| Unfortunately yes, there are features on big websites which
| just don't work.
|
| Now every time, I have an issue with any website, my first
| instinct is to turn off pi-hole. Most of the time, pi-hole is
| not even the issue, but sometimes it is. It's annoying to
| browse the internet while constantly thinking "Maybe there is
| an issue on my side".
| dspillett wrote:
| _> Unfortunately yes, there are features on big websites
| which just don't work._
|
| It is _very_ rare that I find something stalker-blocking
| (pihole on my local network & VPN) causes to break that I
| care enough to turn blocking off for. It might have
| happened as little as twice, one of those occurrences
| predating PiHole. Information is usually in many other
| places or I really don't care that much, and shopping sites
| that break are waving a red flag by being broken so I'll go
| look elsewhere.
|
| I do have a bookmarklet on my devices to turn it off for a
| few minutes, but that was used more when testing it than it
| has been since.
|
| I mostly live alone so don't have the problem of other
| users, such as a spouse or kids, having trouble. Guests
| always have the option of using their normal mobile access
| instead of the local wireless if they experience
| insurmountable problems.
| dorianh wrote:
| That's good to hear. I'm going to try oisd, hoping for
| fewer false positives :).
| thangngoc89 wrote:
| What annoyed me the most is actually clicking on ads from
| Google Search. Sometimes I searched a product and I couldn't
| click on the first result because they are advertisements.
| Spare_account wrote:
| Every time threads like this come up I am reminded that
| Google has ads. I don't see them, presumably because of
| uBlock Origin.
|
| I'm typing this response not to smugly boast, but because
| it's a lead in to the question that your comment raised
| within me:
|
| Are you using Pihole to block ads at a network level, but not
| also using a browser extension to block them at the client?
| quickslowdown wrote:
| I'm in the same boat as you, but taking it a step further,
| I'm completely blind to the first 1/3rd of google search
| results. The first 3 are already ads, and then there's the
| "quick info" card on most searches. I've subconsciously
| trained myself to just flat out skip over those results.
|
| So in my case, I don't know that an ad blocker really even
| helps me on google, because I'm ignoring those first
| results anyway.
| maicro wrote:
| Yup, skip all sponsored and ad content. I do the same on
| Amazon and ebay - even when the advertised product is
| _exactly_ what I want, and the best price available, I
| refuse to purchase from a sponsored listing.
| quickslowdown wrote:
| 100%.
| scopeh wrote:
| Personally I use both. PiHole and uBlock. But PiHole is
| network wide so smart TVs, iPads, etc in the house also get
| the benefit.
| nkozyra wrote:
| > Are you using Pihole to block ads at a network level, but
| not also using a browser extension to block them at the
| client?
|
| A lot of Pihole users don't bother with browser extensions.
| In extension-only use cases, these results would just not
| show up. With Pihole, you have to copy and paste the URL
| and just enter directly in the browser. It's not like a
| huge roadblock.
| muppetman wrote:
| Ads exist on mobile devices. In iOS games. All sorts of
| places/devices that can't run uBlock origin. That's why you
| use a DNS level blocker as well.
| ceejayoz wrote:
| Honestly, I love this aspect of my Pihole. Stops Google
| stealing those pennies from the businesses who were already
| gonna be the #1 result anyways.
| xp84 wrote:
| The "sponsored ads on your own name" extortion racket
| really is the worst.
| derpymcderpface wrote:
| Yeah, this is always my hurdle implementing house wide. I can
| toggle it on and off when I have the stubborn link but my
| girlfriend just gets utterly annoyed. I just manually point
| some of my devices at my local server and leave it at that.
| Guess I should look into aws free tier and set it up there as
| well or just say screw it and use dns.adguard.com again.
| lencastre wrote:
| Pi-Hole Remote (iOS app) is your friend
| nirav72 wrote:
| Yep. There are also browser extensions that will allow
| pausing pihole blocking temporarily.
|
| or simply these URLs:
|
| Disable URL : http://<pihole ip address or hostname>/admin/api.php?disable&auth=[your pihole password]
|
| Enable URL : http://<pihole ip address or hostname>/admin/api.php?enable&auth=[your pihole password]
|
| Disable for [X] Seconds: http://<pihole ip address or hostname>/admin/api.php?disable=[X]&auth=[your pihole password]
| ai_what wrote:
| I have a silly "trick" for this. In Firefox you can add a
| SOCKS5 proxy and click "Proxy DNS with SOCKS5 proxy". This
| bypasses the system DNS.
|
| So for example, if you make a container with this, then you can
| just quickly open the URL that's blocked in the other container
| and it will bypass the network-level DNS adblock.
|
| There are other ways to do it without a container, I'm sure,
| maybe with an add-on/toggle or something.
|
| My VPN provider gives free SOCKS5 access to a few servers, so
| it didn't cost me anything more.
| belthesar wrote:
| That's a clever trick. It's also pretty trivial to set up a
| SOCKS5 proxy with Shadowsocks if it's desirable to keep that
| DNS resolution local.
| ranger_danger wrote:
| How are you using a different proxy per container tab? I've
| tried FoxyProxy but it leaked DNS requests through the local
| network resolver even with SOCKS5 proxies.
| AwaAwa wrote:
| Go into the main extension settings of 'Firefox
| Multi-Account Containers' that lists your containers and click on
| 'Manage containers'. Select any container and the last
| option on the new page is 'Advanced Proxy Settings'. This
| setting is per container.
| squaresmile wrote:
| I use a quick setting to quickly switch between ad blocking dns
| and normal dns for bad websites or captive portal.
|
| https://f-droid.org/en/packages/com.jpwolfso.privdnsqt/
| avel wrote:
| Pretty cool. If you have adguard home and google assistant,
| you have access to a switch that can enable/disable adguard
| home protection. So with the homeassistant app you can add
| that as a quick tile as well. The only caveat is that this
| will disable it across all devices.
| illnewsthat wrote:
| I created a bit.ly link that points to
| http://yourpiholehost/admin/api.php?disable=300&auth=api_key
|
| Bookmark it for myself and other people in the house and then
| turn it off for five mins whenever there is an issue.
| ceejayoz wrote:
| Would be fun to hook this up to one of those IoT Amazon
| buttons.
| xp84 wrote:
| Home Assistant can definitely do this. I just now
| successfully got my HA connected to an Aqara Zigbee button
| (which, hilariously, only briefly functioned when I was
| using it with Aqara's garbage hub).
| nirav72 wrote:
| I use both Pihole and ublock. While ublock is fine for desktop
| browser, pihole is useful for mobile devices, as well as
| blocking access for devices and apps that tend to be chatty
| with data it sends out. For example - I unfortunately bought a
| few Eufy security cams long before it was found that Eufy was
| sending user data out to its AWS instance. It was easy to block
| that access via AWS in Pihole. Of course, it doesn't always
| work. I've found some devices absolutely need to call home
| before they'll function.
| qwertimus wrote:
| I've had the most luck with OISD as the blocklist; others have
| the exact problems you describe (in fact all other blocklists
| I've tested have had frequent issues). Since changing, I've had
| maybe 2 sites that didn't play nice with the filtering. These
| issues are not inherent to network-level blockers, but the
| configuration of those blockers.
| avel wrote:
| It's not that tedious.
|
| In adguard home you have a switch on/off in the web UI. You can
| also expose that switch to homeassistant.
|
| And there are some other good ideas in this thread as well for
| android and ios.
| zzyzxd wrote:
| After disabling it on the UI, your device may still cache the
| DNS records for a few minutes. There's no immediate feedback
| on whether disabling adblocking changed anything. It is
| extremely tedious especially for non-technical users, and
| adds "tech-support" burden to their technical friend/family
| who set it up in the first place.
| theideaofcoffee wrote:
| I have a handful of different wifi SSIDs set up on my network
| at home to help with this, some route their DNS queries through
| a pihole instance and others (say, without the "AB" for
| 'adblock' suffix on their ssid names), don't. Each ssid is
| their own vlan and each has their own dhcp listening that doles
| out the pihole instance address on the Adblock-enabled nets.
|
| It's easy enough to just connect to a different ssid if I see
| anything breaking, but it's rare enough that I keep it
| connected to the pihole/adblock network at all times. Works
| super well.
| jakjak123 wrote:
| That is a great idea. What do you use to run multiple wifis
| with separate vlan?
| JackGreyhat wrote:
| An AP or wlan router that supports vlan to ssid mapping.
| apexalpha wrote:
| Yes, I ran into these issues when I installed PiHole in my
| family home.
|
| Most issues were with Google Ads inside Google Search. Often
| these are relevant and actually what you're looking for. But
| they don't work.
|
| I tried rewriting the "this is blocked" page that PiHole would
| serve so it included a button to temporarily disable blocking
| for said url but it turned out to be harder than I thought.
| efitz wrote:
| PiHole has an API that can be used to enable and disable the ad
| blocker.
|
| I have a bunch of home automation set up, and through the use
| of HomeBridge and a plug-in I have a button in my Apple Home
| app on my iPhone to enable or disable the ad blocker. Since
| it's exposed as a smart home thing, you could hook it up to a
| voice assistant like Siri or Alexa.
|
| I built an integration once for an Elgato StreamDeck.
|
| You can also download apps that do the same thing; I have one
| called "Pi-Hole Remote" that works great.
|
| Yes, ad blocker blockers are annoying, but they are trivially
| worked around.
| pnw wrote:
| Pi-hole Remote for iOS has a disable for X minutes feature
| which is invaluable when you do run into one of these sites. I
| use it maybe once a week.
|
| https://apps.apple.com/nl/app/pi-hole-remote/id1515445551?l=...
| Havoc wrote:
| > Uses random upstream resolvers from the configuration -
| increases your privacy through the distribution of your DNS
| traffic over multiple provider
|
| Is that the consensus? I thought this would just increase the
| amount of parties that have insight. eg if today it sends my CNN
| news reading to cloudflare and tomorrow it sends it to 9999
| resolver then that seems worse than sending both to cloudflare.
| cj wrote:
| > Uses random upstream resolvers from the configuration -
| increases your privacy through the distribution of your DNS
| traffic over multiple provider
|
| The whole project is really interesting but this line caught my
| eye.
|
| For spreading DNS providers, would randomly routing to different
| ones be more or less private than rotating providers every X
| minutes? It feels like so many sites request so many different
| resources that if you make DNS resolution distributed across
| providers, you might be exposing your "trail" to multiple
| companies at the same time, compared to an alternative approach
| of switching every X minutes so that any individual company only
| sees a snapshot of your queries in time rather than your whole
| journey.
| ignoramous wrote:
| _rethinkdns dev here_
|
| > _For spreading DNS providers, would randomly routing to
| different ones be more or less private than rotating providers
| every X minutes._
|
| Less private for the simple fact that now you'd have to rely on
| multiple upstream resolvers to respect your privacy. Stick to
| one; ideally the one with better privacy guarantees like the
| Mozilla endpoints to Cloudflare DNS.
|
| Or, use anonymizing protocols like Oblivious DNS over HTTP and
| DNSCrypt v3.
| dngray wrote:
| 100% agree. Not sure why you'd randomly play round robin with
| a bunch of DNS servers. What purpose is this feature even
| for?
|
| If privacy is what you're intending however, DNS is only one
| part of that and there are other ways in which things can
| leak https://www.privacyguides.org/en/advanced/dns-overview/
|
| Generally I just recommend to people to use their internal
| VPN provider's DNS servers and call it a day, or of course
| Tor.
| nobody9999 wrote:
| I use (and recommend) local recursive resolvers.
| DyslexicAtheist wrote:
| not novel but a standard feature in dnscrypt-proxy
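The random-versus-rotating upstream question raised by Havoc and cj above can be checked with a toy model. This is an added example, not code from the thread or from Blocky; the resolver names, the session shape (one new site per minute, six first-party hostnames per site) and the per-query random choice are assumptions made for illustration.

```python
import random

PROVIDERS = ["resolver-a", "resolver-b", "resolver-c"]  # hypothetical upstreams
HOSTS_PER_SITE = 6    # assumption: first-party hostnames resolved per page load
SITES = 40            # assumption: one new site visited per minute
ROTATE_MINUTES = 10   # the "X minutes" from the comment


def build_session():
    """Constructed sample data: (minute, site, hostname) for every DNS query."""
    queries = []
    for minute in range(SITES):
        site = f"site{minute}.example"
        for n in range(HOSTS_PER_SITE):
            queries.append((minute, site, f"h{n}.{site}"))
    return queries


def pick_single(minute, rng):
    # Always the same upstream.
    return PROVIDERS[0]


def pick_random(minute, rng):
    # Independent random upstream for every query (modelling assumption).
    return rng.choice(PROVIDERS)


def pick_rotating(minute, rng):
    # One upstream at a time, switched every ROTATE_MINUTES.
    return PROVIDERS[(minute // ROTATE_MINUTES) % len(PROVIDERS)]


def exposure(strategy, seed=1):
    """Fraction of visited sites each provider can infer from what it resolved.

    A provider learns a visit as soon as it resolves any hostname of that site.
    """
    rng = random.Random(seed)
    seen = {p: set() for p in PROVIDERS}
    for minute, site, _hostname in build_session():
        seen[strategy(minute, rng)].add(site)
    return {p: len(sites) / SITES for p, sites in seen.items()}


def summarize():
    strategies = [("single", pick_single),
                  ("random", pick_random),
                  ("rotating", pick_rotating)]
    return {name: exposure(fn) for name, fn in strategies}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:9s}", {p: f"{v:.0%}" for p, v in result.items()})
```

In this model per-query randomisation leaves every resolver able to reconstruct most of the session, because each page load fans out into several lookups, while rotation confines each resolver to a time slice and a single upstream confines the whole history to one party.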
| intuxikated wrote:
| why would I use this over something like Adguard Home?
| _ache_ wrote:
| Very interesting project too!
|
| https://adguard.com/adguard-home.html
| jedisct1 wrote:
| Or dnscrypt-proxy, especially if you care about not disclosing
| your IP address to resolvers.
| different_base wrote:
| I run dnscrypt-proxy on my OpenWrt Router. It's like
| Syncthing. Install and forget, like how software should work
| in general.
| figmert wrote:
| One thing I like about AdGuard Home is that it supports normal
| AdGuard's block list, similar to the ones used in browsers. Of
| course, it ignores the items that it is unable to block (e.g.
| cosmetic, or third-party etc), but it is nice being able to
| take the lists I use in uBlock Origin, and just feeding it into
| AdGuard Home.
| zikduruqe wrote:
| Also AdGuardhome will use optimistic caching, which is great.
|
| https://github.com/AdguardTeam/AdGuardHome/discussions/4002#...
| _ache_ wrote:
| It's a DNS proxy, like pi-hole, but it seems _a lot more
| powerful_ than Pi-hole that is basically just a configured
| dnsmasq server to be user-friendly.
|
| https://docs.pi-hole.net/
| thangngoc89 wrote:
| Usually pi-hole is installed together with Unbound [1] for the
| function of Blocky.
|
| [1] https://docs.pi-hole.net/guides/dns/unbound
| MrksHfmn wrote:
| I have stopped using local dns resolvers. too many pitfalls, dns
| leaks or the dns resolver is down and the devices can't resolve
| the addresses.
|
| I have simply set https://dnsforge.de in my router.
| mikl wrote:
| The amount of effort that goes into blocking ads and tracking
| really says a lot about how messed up the web is these days.
| girishso wrote:
| Can't block Youtube shorts with these DNS adblockers, I know I
| can use browser extensions on a computer (and I do), but I really
| want to block shorts on iOS/Android apps. Tried the squid https
| proxy rabbit hole, but could not get it to work with mobile
| devices.
|
| Any hints?
| that_guy_iain wrote:
| Just don't go to the shorts section? Or are you talking about
| the ads in the shorts section?
| moe_sc wrote:
| The shorts section on mobile is kinda in between all other
| videos. If you don't pay attention you can end up on one
| quite easily...
|
| And then it's back to doom scrolling
| tremarley wrote:
| There are YouTube clones for iOS & Android that have Adblock,
| Shorts Block & Sponsor Blocks
| shadowpho wrote:
| Which ones for iOS?
| imhoguy wrote:
| NewPipe for Android has no shorts
| UberFly wrote:
| Came to say this. NewPipe is great. Superior to the default
| android YouTube app in many ways.
| a_subsystem wrote:
| I use Orion on ios.
| MehdiHK wrote:
| I use revanced for this on Android. Pretty cool, adblocker,
| sponsor block, customization like removing shorts. It patches
| YouTube APK, so you retain same UX, no need to use a new app.
|
| Edit: forgot to add link - https://revanced.app/
|
| Be aware of the fake ones.
| kiicia wrote:
| I stopped using yt app on iOS and instead use browser (safari)
| with addons
| ahmetozer wrote:
| What are the benefits when it is compared to dnsmasq and a
| hostblock list?
| epstein wrote:
| No for windows?
| himurae wrote:
| Blocky is the best adblocker. It's lightweight, unlike adguard,
| just a simple yml file. Its dns queries are faster than adguard
| imo. I run it as a container on VYOS (best router software imo)
| mrbluecoat wrote:
| > Blocking of ... response IP addresses (against IP lists)
|
| So blocky can block IP addresses? If so it's more powerful than
| traditional DNS blockers like Pi-Hole and AdGuard Home.
|
| > Logging of DNS queries per day / per client in CSV format or
| MySQL/MariaDB/PostgreSQL database
|
| May want to include a time series database, like InfluxDB
|
| For those needing layer 7 control,
| https://github.com/andybalholm/redwood is a nice Go option.
| belthesar wrote:
| > May want to include a time series database, like InfluxDB
|
| Seems to have native support for Prometheus, so that seems to
| be the TSDB to use for the project. That said, if you're at the
| point where your record density takes advantage of the benefits
| of a time series DB vs a well indexed RDBMS, I'd also imagine
| that you're beyond the scope of this little service.
| beaugunderson wrote:
| super useful for being able to use cloudflare dns but still
| resolve the archive.* domains using a different resolver (because
| archive.* blocks cloudflare for ideological reasons):
|     conditional:
|       mapping:
|         archive.is: 8.8.8.8
|         archive.today: 8.8.8.8
|         archive.md: 8.8.8.8
|         archive.ph: 8.8.8.8
| teamspirit wrote:
| Is that why? I've been having this problem intermittently for
| years now and never understood it. Wow.
| Cody-99 wrote:
| The CEO/cofounder of cloudflare has written about this issue
| here on HN https://news.ycombinator.com/item?id=19828702
| silverwind wrote:
| here's the same in dnsmasq:
|     server=/archive.today/8.8.8.8
|     server=/archive.ph/8.8.8.8
|     server=/archive.is/8.8.8.8
|     server=/archive.li/8.8.8.8
|     server=/archive.vn/8.8.8.8
|     server=/archive.fo/8.8.8.8
|     server=/archive.md/8.8.8.8
|     server=/archive.to/8.8.8.8
| efitz wrote:
| Why would I use Blocky vs. Pi-Hole? It seems like a nice project
| but pi-hole is really mature; I'd love to see a feature
| comparison or a brag sheet showing what it's better at.
| adr1an wrote:
| It's a bit faster, yet it lacks a web UI. I prefer it, because
| I use it directly on the PC/ Laptop via Docker and I like text
| files more than binding web UIs to ports..
___________________________________________________________________
(page generated 2024-04-08 23:00 UTC)