[HN Gopher] Pi-hole v6
___________________________________________________________________
Pi-hole v6
Author : tkuraku
Score : 284 points
Date : 2025-02-18 18:31 UTC (4 hours ago)
(HTM) web link (pi-hole.net)
(TXT) w3m dump (pi-hole.net)
| Mossy9 wrote:
| Pi-hole is such a great tool. I've been running it for a few
| years on a raspberry pi zero, and am constantly astonished by the
| sheer amount of cruft it blocks for me.
|
| Congratulations to the team for the release - happy to support
| you via Patreon!
| hk1337 wrote:
| I have many times clicked an article link on reddit where
| everyone in the post comments complains that the site is so
| riddled with ads that it is unreadable, and all I see is the
| article with a lot of whitespace.
| martin_a wrote:
| IT department does not like that, but I had them install
| Firefox on the machines of my team, so we can install uBlock
| Origin. People are _amazed_ how the internet does look
| without ads.
| unsnap_biceps wrote:
| Does anyone know if pihole is ever going to add DoH or similar
| support natively? I've had such troubles with cloudflared a while
| back that I gave up on DoH, but would love to encrypt those
| queries.
| zamubafoo wrote:
| I've been using https://github.com/DNSCrypt/doh-server for
| serving my DNS server via DOH for at least 2 years. Only had
| two issues with it and both were due to lack of maintenance on
| my part (i.e. not updating the binary for one and then not
| reconfiguring it after I changed configurations for the upstream
| DNS).
| hotpocket777 wrote:
| Assuming doh = dns over http
| unsnap_biceps wrote:
| Yes
| chgs wrote:
| I'm not sure why I'd ever want DoH, I block as much as I can at
| my firewall and have a canary domain.
|
| I want my devices to use my defined DNS server on my network,
| not some ad company (and all tech companies eventually become
| ad companies)
| unsnap_biceps wrote:
| I want pihole to talk encrypted to the upstream dns server. I
| don't actually care if my devices talk encrypted to pihole.
|
| I just don't want to leak dns requests to my isp. If there's
| a way to do this without DoH or DoT, I'd happily learn more
| about it.
| bjoli wrote:
| DoT has a standard port, meaning blocking (conforming)
| requests is simple. DoH uses 443.
|
| Nothing says clients need to conform to the port
| requirements, but most companies will be lazy and assume
| 853 will work.
| unethical_ban wrote:
| IIRC, there is not a native GUI method for Pihole to talk
| encrypted to DoH providers. You have to set up a daemon
| locally and configure via CLI, then set that as your
| "upstream" DNS provider in Pihole admin.
|
| Obviously the goal is to have your local clients talking to
| Pihole, but the goal of having remote DNS queries encrypted
| is to prevent ISP snooping.
|
| Though if you _really_ want to prevent ISP snooping you have
| all clients using VPN or configure your router to send all
| outbound traffic to a VPN endpoint.
| ndriscoll wrote:
| Speaking of not wanting DoH to exist on the local network,
| does anyone know if there is anything pre-existing that can
| hook into firewall rules to default deny outgoing traffic and
| only allow (until TTL expiry) in response to a DNS lookup?
| That way things cannot bypass your DNS filtering with DoH or
| hardcoded IPs.
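The "default deny outbound, allow only what DNS answered, until the TTL expires" idea in the comment above, as an added example that is not code from the thread, Pi-hole or any firewall project. It assumes an nftables set `inet filter dns_allowed` (type `ipv4_addr`, `flags timeout`) and a made-up resolver log format `<name> A <ip> ttl=<seconds>`; the sample lines are constructed. The allowlist object mirrors what nftables does with element timeouts so the logic can be checked without root.

```python
# Added example, not code from the thread, Pi-hole or any firewall project:
# derive a TTL-bound egress allowlist from DNS answers, the idea raised above.
# Assumptions: an nftables set "inet filter dns_allowed" (type ipv4_addr,
# flags timeout) and a made-up answer log format "<name> A <ip> ttl=<secs>".
import ipaddress
import re
from dataclasses import dataclass, field

# Static ruleset loaded once (assumed layout). Forwarded traffic is dropped
# unless the destination is in dns_allowed, so a device that hardcodes an
# IP, or reaches a DoH server the local resolver never answered for, goes
# nowhere. nftables itself removes elements when their timeout runs out.
STATIC_RULES = """\
add table inet filter
add set inet filter dns_allowed { type ipv4_addr; flags timeout; }
add chain inet filter forward { type filter hook forward priority 0; policy drop; }
add rule inet filter forward ct state established,related accept
add rule inet filter forward ip daddr @dns_allowed accept
"""

# Constructed sample answers in the assumed log format.
SAMPLE_LOG = [
    "example.com A 93.184.216.34 ttl=300",
    "cdn.example.net A 203.0.113.10 ttl=60",
    "ads.example.org A 0.0.0.0 ttl=2",            # sinkholed by the resolver
    "ipv6.example.net AAAA 2001:db8::1 ttl=60",   # not an A record: ignored
]
LINE_RE = re.compile(r"^(\S+) A (\S+) ttl=(\d+)$")


@dataclass
class EgressAllowlist:
    set_name: str = "inet filter dns_allowed"
    entries: dict = field(default_factory=dict)  # ip -> absolute expiry time

    def learn(self, line, now):
        """Parse one answer line; return the nft command to add it, or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ip_s, ttl = m.group(2), int(m.group(3))
        ip = ipaddress.ip_address(ip_s)
        # Never open the firewall for sinkhole/loopback answers, nor for
        # addresses the IPv4-only set cannot hold.
        if ip.version != 4 or ip.is_unspecified or ip.is_loopback:
            return None
        # A repeated answer extends the entry; a live entry is never shortened.
        self.entries[ip_s] = max(self.entries.get(ip_s, 0), now + ttl)
        return f"add element {self.set_name} {{ {ip_s} timeout {ttl}s }}"

    def expire(self, now):
        """Drop entries whose TTL has passed; returns the removed IPs."""
        gone = [ip for ip, exp in self.entries.items() if exp <= now]
        for ip in gone:
            del self.entries[ip]
        return gone

    def allowed(self, ip_s, now):
        """Is traffic to ip_s currently permitted (after expiring stale entries)?"""
        self.expire(now)
        return ip_s in self.entries


def process(lines, now):
    """Feed answer lines into a fresh allowlist; return it and the nft commands."""
    acl = EgressAllowlist()
    cmds = [c for c in (acl.learn(line, now) for line in lines) if c]
    return acl, cmds


if __name__ == "__main__":
    acl, cmds = process(SAMPLE_LOG, now=1000.0)
    print(STATIC_RULES + "\n".join(cmds))
```

Two things to keep in mind before wiring a real resolver into this: anything that resolves a name through your DNS server gets its answered IP opened, so blocking the names of public DoH endpoints on the resolver still matters, and services that answer with a different address than the one the client later connects to (round-robin CDNs, some video players) will break until the TTL-driven entries catch up.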
| kube-system wrote:
| People use DoH/DoT so that their _upstream_ DNS lookups are
| not transmitted in plaintext across the open internet. You
| can do this and still run your own DNS server on your
| network. The parent commenter is asking about Pihole with
| DoH, which is exactly this.
| newman314 wrote:
| You can insert dnscrypt-proxy inline between PiHole and an
| upstream server. So it'll work something like the following:
|
| Client --DNS--> pihole --DNS--> dnscrypt-proxy (localhost)
| --DoH--> upstream
|
| Not the prettiest but it works.
| eamag wrote:
| Want to highlight https://nextdns.io/ as a similar service, very
| happy with it
| poisonborz wrote:
| Pihole being a self-hosted service and this being a third party
| one, I would say the target group is somewhat different.
| whalesalad wrote:
| it's more than that - an app running on your internal network
| is going to have way better latency than nextdns
| zufallsheld wrote:
| However you can't use it on the phone while not at home
| (aside from using vpn/wireguard), but nextdns allows it.
|
| As for the latency - is it really noticeable?
| uncharted9 wrote:
| my biggest gripe with NextDNS is not having an ability to
| add custom blocklists. I'd gladly pay for it even if
| there was a paid tier with this feature.
| zufallsheld wrote:
| It seems you can add domains to the deny list via their
| api: https://nextdns.github.io/api/#profiles
|
| So at least there's that.
| whalesalad wrote:
| dns latency is the single biggest reason people think
| their internet is slow imho
| 8fingerlouie wrote:
| I'm currently seeing 12ms latency to my upstream NextDNS
| server. On my home network I "proxy" it with a
| forwarding/caching DNS server on my router, so for "the
| usual suspects", latency is not an issue.
|
| On the go, over 5G, those 12ms won't make much of a
| difference.
|
| Considering that people deploy PiHole on Raspberry Pi W
| models, over wifi, you won't lose much running NextDNS,
| but you gain dns blacklisting on all networks, as opposed
| to just your home network (or via VPN)
| 8fingerlouie wrote:
| Define latency ?
|
| This is my latency (ping.nextdns.io):
| zepto-cph (IPv6) 12 ms (anycast1, ultralow2)
| zepto-cph 13 ms (anycast1, ultralow2)
|
| # anexia-cph 13 ms (anycast2, ultralow1)
| anexia-cph (IPv6) 15 ms (anycast2, ultralow1)
| system7rocks wrote:
| Same for me.
|
| I had Adguard running on a Pi 2 I think and it died. Couldn't
| access my network remotely. Learned my lesson and switched to
| NextDNS on a bit more solid device.
| leca wrote:
| NextDNS is SaaS, you can't self-host it.
| system7rocks wrote:
| Right! When my Pi died, my network didn't look for a backup
| DNS, so everything became inaccessible. It was weird -
| probably the classic SD card issue. With NextDNS, while I
| do use DNS over TLS, if my Synology fails, it just kicks
| back to regular NextDNS domain name servers.
| zymhan wrote:
| Pi-hole isn't a "service" though. It's just FOSS.
| hk1337 wrote:
| This actually seems rather nice. Not the same as PiHole but I
| can see its upsides.
|
| One upside I like about PiHole is that I can set it up to
| distribute the DNS to all my devices. This seems like I have to
| manually configure each device?
|
| ATT doesn't let you set the IPv6 DNS, so I either have to
| disable IPv6 on the network or set up PiHole to pass IPv6 and
| the DNS I want to the device.
| shmoogy wrote:
| If only they had a stop blocking function.
| LeoPanthera wrote:
| I've been using AdGuard Home, which does pretty much the same
| thing, but is slightly better polished, with things like support
| for DoH and OSs other than Linux.
|
| https://github.com/AdguardTeam/AdGuardHome
| lawn wrote:
| I even run Adguard Home on my router that runs OPNsense.
| roger_ wrote:
| I moved to AGH a while ago too.
|
| Is there anything in Pi-Hole v6 that would make someone switch
| back?
| laweijfmvo wrote:
| I went from PiHole -> AdGuard -> NextDNS. My patience for
| tinkering and maintaining wasn't high enough to not just pay
| someone else to do it :)
| vosper wrote:
| Yeah +1 for NextDNS. It's so easy to set up and manage, and
| works really well.
| LeoPanthera wrote:
| The big benefit of running a DNS server locally is caching.
| Using any external provider means you have to go out to the
| internet for every single request.
|
| With a local server, most requests are fulfilled from the
| local cache.
| Novosell wrote:
| Hmmm, my router caches DNS queries.
| mrmuagi wrote:
| Same except skipping AdGuard.
|
| Having the DNS live on a pi sounded like fun for me but it
| gave me stress due to power outages. There is safety in
| knowing you aren't adding a point of failure that only you
| know how to solve.
|
| I also had issues with adding backup DNS, since a backup DNS
| would be queried if the pihole blocked the DNS query -- so I
| would have to maintain two separate blocklists, one local and
| one offsite.
| LeoPanthera wrote:
| I run AdGuard Home on the same device as my router, so
| anything that would take it down would also take down the
| entire router anyway.
| martin_a wrote:
| I think my PiHole is up for 3+ years on a Raspberry Pi
| dedicated to that task. Did not fail once since then, so
| not sure if "DNS is going down" is really an issue. But
| maybe I've got survivorship bias.
| brummm wrote:
| Living in a North American city with power wires being
| above ground, I have had so many power outages in the
| last five years, it was kind of a crazy thing to get used
| to. My Pi would not deal well with power outages when
| running through the SD card and so I stopped using it.
| mrmuagi wrote:
| I live in Vancouver BC, we have a power outage every 1-2
| years due to high winds or fallen power poles. I noticed
| some devices on my home network whilst connected to power
| have power quality issues too, no doubt a UPS would help
| here.
| 2OEH8eoCRo0 wrote:
| I love AdGuard Home but the single binary container from a
| Russian company makes me nervous. I may move to building it
| myself. Is this criticism unfair?
| skotobaza wrote:
| > Is this criticism unfair?
|
| Only if you don't trust only Russians and no one else.
| 2OEH8eoCRo0 wrote:
| I don't trust Iran, North Korea, or China either. It's not
| hard, I'm an American and it's 2025. These are our
| adversaries (I didn't choose them) who currently commit
| cybercrimes against us. Hopefully in 2035 that won't be the
| case and we can all sing kumbaya.
| skotobaza wrote:
| But if the binary came from US even with some malicious
| code, it would be OK simply because the origin is
| different?
| ziddoap wrote:
| > _with some malicious code_
|
| Obviously not.
| h4ck_th3_pl4n3t wrote:
| I hope that you at some point will understand that these
| are minorities among a huge population that you are
| talking about.
|
| It sounds like you think that every butcher, barber,
| dancer, teacher, software dev etc in China is just
| thinking of how they can hack the US.
|
| Guess what: that's the image propagated by propaganda and
| very far from the actual truth.
|
| If you don't trust people, study their code and make a
| formed opinion about it.
| LeoPanthera wrote:
| Given that the whole thing is open source and it is possible
| to build it yourself, I'm willing to give them the benefit of
| the doubt.
|
| Not that it means all that much, but AdGuard is headquartered
| in Cyprus, for what it's worth.
| sunaookami wrote:
| >Is this criticism unfair?
|
| Yes because you judge people by the country they live in.
| AdGuard has made their stance clear if something like this is
| important to you: https://www.reddit.com/r/Adguard/comments/t
| 15gr4/announcemen... & https://adguard.com/en/blog/official-
| response-to-setapp.html
| 2OEH8eoCRo0 wrote:
| I actually didn't know this. Thanks!
| seemaze wrote:
| I built it myself for a while but as I mentioned elsewhere,
| it's now being packaged in the Alpine Linux testing branch.
| That makes a container image an 'apk add' away.. whether you
| trust Alpine Linux more or less than the AdGuard Home teams
| is up to you.
| brynx97 wrote:
| DoH is possible on pihole using cloudflared -- https://docs.pi-hole.net/guides/dns/cloudflared/.
|
| > The cloudflared binary will also work with other DoH
| providers.
| bangaladore wrote:
| Ironically their website has been hugged to death.
| piyuv wrote:
| Why is it ironic? They're not providing load balancing or
| anything similar
| bangaladore wrote:
| Sorry if the point wasn't clear.
|
| The service/device dedicated to killing connections (blocking
| dns, whatever) can't/won't serve my connection.
| antonvs wrote:
| You should let Alanis Morissette know.
| NeckBeardPrince wrote:
| I don't think you know what irony means.
| bangaladore wrote:
| Maybe you'd better define it as an "amusing twist".
| triyambakam wrote:
| At this point we should accept the vernacular use of the word
| as correct.
| zymhan wrote:
| > The web interface has been completely overhauled with settings
| split into Basic and Expert modes. This allows users to customize
| their experience based on their comfort level and needs.
|
| This sounds helpful for setting up a Pi-Hole for family or
| friends that aren't DNS admins by day.
| _fat_santa wrote:
| Pi-hole is a killer application and I've loved it since I got it
| set up. One other app I highly recommend to run on your Pi in
| addition to Pi-hole is Nginx Proxy Manager[1].
|
| [1]: https://nginxproxymanager.com/
| kmfrk wrote:
| Lots of great memories using Pi-hole and messing with RPi. I
| eventually ended up putting my devices on Tailscale and managing
| DNS through it, eventually using Mullvad VPN as the exit node.
|
| Pretty good interface, and most people just have to connect using
| the app. Having a virtual network between devices with dedicated
| IPs is pretty nice too.
| andy_xor_andrew wrote:
| I set up pi-hole recently after hearing about it for years. I was
| kind of surprised at a lack of really basic features (imo):
|
| There isn't any kind of "dry run" or "phantom" mode, where
| requests are not actually blocked, but appear marked in the log
| UI as "would be blocked". This is super important because I want
| to see all the things my home network is doing that _would be_
| blocked before I actually hit the big red button. I want to fix
| up the allow/denylist before going live.
|
| It's also not possible (or not clear) how to have different
| behavior for different clients. For my "smart tv" which I
| begrudgingly have to allow on my network occasionally for
| software updates, I want to treat it with the strictest possible
| list. But for my phone, I don't want that same list. There's a
| concept of "groups" so perhaps this is user error on my part, but
| the UI does not make this clear.
| jkingsman wrote:
| I think log-don't-enforce and per-client block profiles are
| probably basic to people who work with networking regularly,
| but are probably pretty far out of reach for the average home
| user who probably needs to expand their networking
| knowledge just to distribute custom DNS via DHCP.
|
| So, I agree that those would be lovely features but are, I
| think, a ways beyond what I would assume the p90 of pihole
| users would need or be able to use.
| bdcp wrote:
| For the second question, it is indeed Groups. I have my SO's
| phone bypass everything. It's the way she wants it.
|
| Yeah, I agree it's not super UX friendly.
| ge96 wrote:
| I think I'll never buy a smart TV what an ultimate ahole move
| to put ads in there. It's like the Kindles where you have to
| read these ads before you can open your book (of course you can
| pay a 1-time fee). Like buying a movie on YouTube and having to
| watch ads in it or can't see full res unless you're on an
| allowed device. If UBO actually stops working on Chrome I'll
| either leave or use pihole.
|
| My cheap Android phone installs games by itself, e.g. Candy Crush,
| ugh. My own fault, I get it, buy a $2K phone instead of $160
| b3lvedere wrote:
| Most non-smart 4K screens are more expensive than 4k-smart tv
| screens though. Really weird, because there's less stuff in
| it. I just want a nice 50" 4k screen with hdmi and display
| ports. I don't use all the other junk anyway, since I watch
| TV via a computer and sound goes to a surround set.
| progbits wrote:
| Is there an equivalent of DDWRT/OpenWRT but for TVs?
|
| Most often those are some embedded linux board running some
| Android fork, shouldn't there be some TV models on the
| market that are a good hardware/price deal with firmware
| that can be replaced?
|
| Even something that just permanently shows HDMI input with
| no popup overlays would be good, but AOSP + VLC/Jellyfin
| would be even nicer.
| RandomDistort wrote:
| Isn't a TV that permanently shows HDMI input a big
| monitor?
|
| Weirdly they always seem to be more expensive than a TV
| though.
| b3lvedere wrote:
| Well yes, but I guess either big monitors use different
| panels or there's some shady business going on.
| bee_rider wrote:
| Inclusive or.
| progbits wrote:
| Yeah exactly, as also others point out in the thread, if
| you want "TV-sized monitor" you will pay more than for a
| TV, and probably get worse panel, lower brightness, etc.
| Hence it would be useful to buy "smart" TV and turn it
| into a monitor instead.
| b3lvedere wrote:
| Would be fun if some could hack those OSes indeed.
|
| It could make a nice CrowdSupply project, except for the
| cheap distribution of the huge packages. Sounds not that
| hard though: Just get some nice 50" 4k smart TVs and
| remove all the junk. Cool features like DP daisy chain or
| something and one could have a nice project. But I'm
| guessing there is (too) much money to be made in user
| info and ads. :(
| lotharcable2 wrote:
| > Is there an equivalent of DDWRT/OpenWRT but for TVs?
|
| Get a used mini-pc, install Linux on it, and don't allow
| the TV to connect to any networks. This is a 50-75 dollar
| solution. Good if you are on a budget and are not
| interested in any whiz-bang features like HDR.
|
| There are a few TV-dedicated Linux systems out there,
| like LibreELEC.
|
| Or get a more powerful system with an AMD GPU and install
| Bazzite on it. That way you get something like "SteamOS
| for your TV". Pairs nicely with controllers like 8BitDo.
|
| It would be nice to have TVs as open as PCs, but the
| manufacturers and media companies are run by dirtbags and
| would rather have victims than customers.
| Jeremy1026 wrote:
| > Really weird, because there's less stuff in it.
|
| It's also not subsidized by selling your user data.
| b3lvedere wrote:
| Is this really true? The margin must be huge. I've seen
| 4K smart TVs for half the price of 4k monitors.
| emaro wrote:
| TVs usually have lower requirements regarding frame rate
| and latency compared to computer monitors. That's
| probably also a factor.
| FirmwareBurner wrote:
| Probably more to do with the economies of scale. More TVs
| are sold than PC monitors so therefore cheaper.
| alabastervlog wrote:
| I've had a little insight into this world. To make the
| BOM costs work at the retail prices they charge for
| things like common set-top streaming boxes (e.g. Roku)
| and, now, TVs themselves since they incorporate the same
| stuff, they _have to_ be selling data. Otherwise they're
| selling at a loss, once you factor in middleman margins
| and such.
|
| You can try to compete by charging a reasonable amount
| for your hardware and software, but you'll be competing
| against economy of scale and wrestling for shelf-space
| with products that are (don't forget retail percentage
| mark-up) at least 30% cheaper than yours, which means
| your units don't move, which means you don't get (or
| keep) shelf space, and hello death spiral. Also if you
| somehow manage to make it despite that, as soon as an MBA
| gets in charge you'll just switch to selling data, too.
| ranbato wrote:
| In 2019 the Vizio CEO went on the record saying there was
| no money in dumb TVs. They sell near cost and make it all
| up in ads and metrics.
|
| https://boingboing.net/2019/01/11/telescreens-r-us.html
| baltimore wrote:
| > Really weird
|
| No, not weird. The extra stuff is there to show you ads
| and/or track your behavior, which generates a stream of
| revenue for the TV maker. W/o the extra stuff, the only
| revenue comes from the one-time purchase.
| lotharcable2 wrote:
| I have a 'smart tv'. I don't allow it to connect to any
| network.
|
| The only really annoying thing about it is that noises from
| tv shows or the house sometimes trigger the voice
| recognition, which fails, and then you have to click through
| the error message.
| josephg wrote:
| > For my "smart tv" which I begrudgingly have to allow on my
| network occasionally for software updates
|
| Why install software updates if you don't use the "smart"
| features? Our smart tv has been banned from the internet for
| years.
| timoteostewart wrote:
| I imagine software updates might bring improved support for
| various media codecs, or UI enhancements, or better Bluetooth
| compatibility, etc.
| hsbauauvhabzb wrote:
| Or more likely: reduced privacy settings, increased
| analytics, and in-menu advertisements.
| hsbauauvhabzb wrote:
| My tv after a recent update has begun randomly crashing with
| audio looping for a few seconds before rebooting. When an
| update comes through for that you can be damned sure I'll be
| disabling all future updates.
| nkrisc wrote:
| The way I handled this issue for my family and devices is just
| by having two SSIDs - one with pihole blocking and one without.
| If it's interfering with something, my wife or I can just
| switch to the unblocked network temporarily.
| MyOutfitIsVague wrote:
| > It's also not possible (or not clear) how to have different
| behavior for different clients
|
| There's a menu item for that: Clients. You create a group, add
| a client to that group, and configure blocking for that group.
| To have what you want, you create a group that has just one
| client in it.
| paxys wrote:
| It's slightly more complicated. What you are suggesting works
| if (1) you are using Pi-hole as a DHCP server or (2) all your
| devices are individually configured to use the Pi-hole IP
| address for DNS resolution. What's more likely though is that
| you just point your router's DNS setting to Pi-hole, and in
| that case there is only one client on the Pi-hole dashboard -
| your router.
| jimsmart wrote:
| > What's more likely though is that you just point your
| router's DNS setting to Pi-hole, and in that case there is
| only one client on the Pi-hole dashboard - your router.
|
| That depends entirely on what capabilities your router has.
|
| Many routers have a setting for the DNS info they give to
| clients via DHCP, which would mean every client is indeed
| using PiHole directly for DNS resolution.
|
| Other less capable routers, only have a setting for which
| upstream DNS server(s) the router should use, which of
| course isn't going to allow you to do anything with
| PiHole's group stuff.
|
| But an easy solution is simply to disable the DHCP server
| on the router, and simply use what is built-in to PiHole.
| It uses dnsmasq behind the scenes, and as DHCP servers go,
| it's pretty capable and configurable. This is how I use
| PiHole on my own network, and have done for years now (with
| some customised dnsmasq config, because I have strong
| preferences about my network setup and services).
|
| Most routers do nothing particularly special regarding DHCP
| anyhow, so no big deal to just turn it off, and use
| PiHole's stuff.
|
| FWIW, and tangent to these specific points, my upgrade to
| the new PiHole 6 earlier today was pretty smooth -- with
| the exception of it defaulting to having its dashboard on
| port 8080 instead of my previous 80. Plus I had to tweak a
| couple of settings to ensure it loads my custom dnsmasq
| config. But no deal breakers at all.
| MyOutfitIsVague wrote:
| It works for me and I don't use Pi-Hole as a DHCP server or
| have any of my devices individually configured. I have my
| router acting as a DHCP server and have it tell clients to
| use my Pi-hole for DNS. Some routers' default firmwares
| don't let you do this, but most OpenWRT and Tomato and the
| like should.
| bolster8505 wrote:
| Using clients and groups works fine for me. I'm able to
| block youtube on my kids' devices, but allow it on others.
| I have pihole running in a container without being my dhcp
| server.
| everdrive wrote:
| You can definitely set client groups, either based on CIDR, MAC
| (if on the same network segment) or individual IP. From there,
| you can assign different domains and lists to the specific
| groups.
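The two features discussed above (a log-only "dry run" mode, and per-client groups matched by MAC, exact IP or CIDR) as an added example. This is not Pi-hole's code; it is a small policy engine whose group names, lists, addresses and sample queries are all constructed, written so the "would be blocked" log can be produced before anything is enforced.

```python
# Added example, not Pi-hole's code: a per-client blocking policy with an
# audit ("dry run") mode, covering the two features discussed above.
# Clients are mapped to groups by MAC, exact IP or CIDR; each group carries
# a denylist and an allowlist of domain suffixes. Group names, lists,
# addresses and sample queries are all constructed for this example.
import ipaddress
from dataclasses import dataclass, field, replace


def matches(domain, suffixes):
    """True if domain is exactly a listed name or a subdomain of one."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


@dataclass
class Group:
    deny: set = field(default_factory=set)   # domain suffixes to block
    allow: set = field(default_factory=set)  # exceptions that beat deny


@dataclass
class Policy:
    groups: dict                                 # name -> Group
    by_mac: dict = field(default_factory=dict)   # "aa:bb:..." -> group name
    by_ip: dict = field(default_factory=dict)    # "192.0.2.20" -> group name
    by_cidr: list = field(default_factory=list)  # (ip_network, group name)
    audit: bool = False                          # True = log only, block nothing

    def group_for(self, ip, mac=None):
        """Most specific match wins: MAC, then exact IP, then longest prefix."""
        if mac and mac.lower() in self.by_mac:
            return self.by_mac[mac.lower()]
        if ip in self.by_ip:
            return self.by_ip[ip]
        addr = ipaddress.ip_address(ip)
        for net, name in sorted(self.by_cidr, key=lambda t: -t[0].prefixlen):
            if addr in net:
                return name
        return "default"

    def decide(self, ip, domain, mac=None):
        """Return (group, verdict); verdict is ALLOW, BLOCK or WOULD_BLOCK."""
        name = self.group_for(ip, mac)
        g = self.groups[name]
        d = domain.lower().rstrip(".")
        if matches(d, g.allow):
            return name, "ALLOW"
        if matches(d, g.deny):
            return name, "WOULD_BLOCK" if self.audit else "BLOCK"
        return name, "ALLOW"


# Constructed policy: the whole LAN gets a light list, one /26 bypasses all
# blocking, the TV (by IP and by MAC) gets the strict list with one exception.
POLICY = Policy(
    groups={
        "default": Group(deny={"ads.example"}),
        "strict": Group(
            deny={"ads.example", "telemetry.example", "tv-vendor.example"},
            allow={"updates.tv-vendor.example"},
        ),
        "bypass": Group(),
    },
    by_mac={"aa:bb:cc:dd:ee:ff": "strict"},
    by_ip={"192.0.2.20": "strict"},
    by_cidr=[
        (ipaddress.ip_network("192.0.2.0/24"), "default"),
        (ipaddress.ip_network("192.0.2.64/26"), "bypass"),
    ],
    audit=True,
)

SAMPLE_QUERIES = [  # (client ip, queried domain), constructed
    ("192.0.2.20", "telemetry.example"),
    ("192.0.2.20", "updates.tv-vendor.example"),
    ("192.0.2.70", "telemetry.example"),
    ("192.0.2.5", "cdn.ads.example"),
    ("192.0.2.5", "news.example."),
]


def run(policy, queries):
    """Evaluate every query; in audit mode this is the 'would be blocked' log."""
    return [(ip, dom, *policy.decide(ip, dom)) for ip, dom in queries]


def enforce(policy):
    """The same policy with the big red button pressed."""
    return replace(policy, audit=False)


if __name__ == "__main__":
    for row in run(POLICY, SAMPLE_QUERIES):
        print("%-12s %-28s %-8s %s" % row)
```

The engine only works if the resolver sees each device's own source address: when a router forwards queries on behalf of the LAN, every query arrives from the router's IP and lands in one group, which is the situation described further up in this thread. MAC matching additionally requires the resolver to be on the same segment as the client (it has to see the ARP/DHCP information).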
| BHSPitMonkey wrote:
| Is a DNS blackhole the right way to restrict your TV from doing
| bad things? The software running on the device might not even
| use DNS lookups to connect to hosts as it pleases. Your router
| is probably the better place to add guardrails.
| progbits wrote:
| I recommend putting all these things on their own VLANs with
| strict routing rules.
|
| For example my STB is on a VLAN that has WAN access
| (otherwise it won't do anything), but that makes it
| untrustworthy so it is completely isolated from the rest of the LAN.
|
| On the other hand some "smart"/IoT devices are on a VLAN that
| has no WAN access so that they can't phone home, become a
| botnet, or download firmware updates that remove
| functionality in favor of subscription services. Only a VM
| running homeassistant can talk to them.
|
| This will work until amazon sidewalk / built-in LTE modems
| become too frequent, at that point I'll have to start ripping
| out the radio modules from things I buy.
| JB_Dev wrote:
| Call me pessimistic, but as the sidewalk pattern becomes
| more common for IoT, I wouldn't be surprised if a
| "malfunctioning radio" just results in the device not
| working properly.
| xrisk wrote:
| It's a start for sure, a TV that's really out to track you
| might well be able to circumvent these blocks, but most TVs
| (and indeed most tracking technologies on the web) to my
| understanding are not so sophisticated. For the average
| person who wants to enjoy some of the smart features of their
| TV this is a good compromise.
|
| And I'm not sure what you mean by the router being the better
| place to add guardrails. What sort of guardrails can you
| possibly add outside of blocking internet access outright to
| the TV? It would be near impossible to distinguish between
| legitimate traffic and ad/tracking traffic without resorting
| to something like SNI sniffing which again can be bypassed.
| nothrabannosir wrote:
| Smart TV opt-out telemetry is malicious.
| xrisk wrote:
| Edited to clarify what I mean.
| temp0826 wrote:
| Smart/iot devices using DoH (or other encrypted DNS) is a
| headache that would need to be solved at the router
| (mitming/redirecting to your preferred provider? or straight
| up blocking) with a big blocklist. Unfortunate what a double-edged
| sword DoH is becoming.
| kayson wrote:
| I wish pfblocker-ng was as easy to use and polished as pihole. It
| seems silly to run an extra DNS resolver if I'm already running
| one on pfsense, but the interface makes it tempting
| jedisct1 wrote:
| I just use dnscrypt-proxy directly.
| seanp2k2 wrote:
| I've been happy with AdGuard Home on two Pi4s and a little home
| server for years now: https://adguard.com/en/adguard-home/overview.html
|
| I have some scripts to sync config between them and a Jenkins job
| if I want to pause blocking on them for a bit.
|
| It looks like https://github.com/mattwebbio/orbital-sync and
| https://github.com/lovelaze/nebula-sync can sync configs with Pi-hole 6
| now, but it's quite a bit of code for what looks like just
| a few HTTP requests to get the config from one using the
| teleporter feature, then restore it on the others using the same.
| seemaze wrote:
| A Raspberry Pi with Alpine Linux makes a sweet little DNS
| server. AdGuard Home is even packaged in the testing branch[0]
| these days
|
| [0]
| https://pkgs.alpinelinux.org/packages?name=adguardhome&arch=
| plg wrote:
| love pi-hole
|
| we block all meta and X properties from our home network, also
| ads
|
| and it's self hosted on our own metal
|
| it's a wonderful life
| andrewinardeer wrote:
| > we block all meta and X properties from our home network,
| also ads
|
| There's a difference between meta, X and ads?
| google234123 wrote:
| Good way to teach other members of your house to use VPNs to
| bypass your censorship regime
| sciencerobot wrote:
| meta and X are both heavily censored so I guess it's censors
| all the way down?
| corey_moncure wrote:
| I'd like to hear more about this. Can you provide an
| example of censorship on X?
| xrisk wrote:
| https://en.wikipedia.org/wiki/Twitter_suspensions
| corey_moncure wrote:
| Let me put it another way; can you provide some examples
| of ideas, topics or opinions that are likely to be
| censored if I posted them on X?
| ranbato wrote:
| How about blocking links to Signal, allegedly since US
| Government workers are using it to coordinate responses
| to DOGE requests?
|
| https://www.forbes.com/sites/dimitarmixmihov/2025/02/17/x
| -is...
| butshouldyou wrote:
| Lots of screenshots circulating of posting the word
| "Cisgender" being flagged by Twitter. Not sure if they
| just flag or remove it though, as I don't use Twitter any
| more.
| Fnoord wrote:
| I also block Twitter ASN (yes, it is called Twitter ASN), and
| a whole bunch of IP ranges from not so democratic countries
| with very bad hostile actors. They don't have rule of law
| there, so I don't need these.
|
| With regards to X. Blocking it serves as a good reminder to
| use a proxy, or try and find the source elsewhere (Blue Sky,
| Mastodon). More often than not, these exist.
|
| Finally, if required I can use Tor Browser. No cookies, no
| profiling, no ads.
| jccalhoun wrote:
| I've been using Technitium for a couple years and been pretty
| happy with it https://technitium.com/dns/
| bjoli wrote:
| So have I. I found it more approachable once I started having
| more advanced configurations.
| malmeloo wrote:
| Technitium is great. Rock solid, plenty performant and it has
| more features than you'll ever need. Pretty wild when you
| consider it's being maintained by a single dev.
| JamesBrooks wrote:
| I moved from pihole to Technitium a few months back because I
| wanted more DNS features than just adding A and CNAME records.
|
| For example the split horizon features to return different
| responses to DNS queries depending if I'm connected to my
| Tailscale network or not has been pretty slick.
|
| I documented that process here in case anyone is interested:
| https://blog.jamesbrooks.net/posts/technitium-dns-server-wit...
| ConanRus wrote:
| "We've integrated a new REST API and embedded web server directly
| into the pihole-FTL binary. This eliminates the need for lighttpd
| and PHP"
|
| oh noes!
| ncrmro wrote:
| Nice.
|
| I wish pihole or adguard would add support for changing DNS records
| based on the query subnet. I believe this is called DNS views.
|
| That way my local devices and wireguard devices can get the
| correct IP for internal services.
| VTimofeenko wrote:
| In unbound those are indeed views[1]. I moved from pihole to
| unbound+nsd a couple of years ago for precisely this use case.
| Block filters courtesy of[2].
|
| [1]:
| https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering...
|
| [2]: https://github.com/StevenBlack/hosts
| Marsymars wrote:
| I managed this by getting a gTLD (digit-only .xyz is cheapest)
| for internal-only services and then running a Caddy instance to
| reverse-proxy to my internal services. I don't port forward or
| open ports to that Caddy instance, so it's not available
| externally.
| unethical_ban wrote:
| Slightly off topic, but it annoys me that protonvpn does not
| allow split tunnel of DNS to an internal host. It calls this DNS
| leak protection, which is a good default. But I want to run my
| own DNS server and I know what I'm doing, and the Proton GUI
| won't let me.
| miningape wrote:
| Ha! I bought a Pi5 as a Christmas present for myself, I've only
| done some basic setup and gotten sidetracked by other projects -
| but setting up pi-hole is near the top of my list of sh*t to get
| done
| RandomDistort wrote:
| Not sure if this is the right place to ask, but I've got a semi-
| obscure DNS question.
|
| I'd like to use Cloudflare's Zero Trust DNS filtering with DoH by
| running a DNS proxy on my network.
|
| I can get this to work great with github.com/adguardTeam/dnsproxy
| (running on a Pi 4B) but what I would really like is to have
| different devices (based on their IP on the network) get their
| queries forwarded onto a different DoH upstream.
|
| Is this possible in a simple way?
| woleium wrote:
| Perplexity thinks so:
|
| https://www.perplexity.ai/search/i-d-like-to-use-cloudflare-...
| LeoPanthera wrote:
| Please don't use AI to write your comments. If I wanted to
| know what AI thinks I could ask it myself. I read the
| comments to get feedback from humans.
|
| Edit: OP edited their comment, was previously a very long AI-
| generated response.
| woleium wrote:
| Noted, won't do it again :)
| Etheryte wrote:
| Please don't spam HN with LLM generated slop. The value of HN
| is the human discussion, everyone here is perfectly capable
| of asking an LLM of their choice.
| wkyleg wrote:
| In my experience Pi hole is a very worthwhile investment. People
| who used my internet when I had one would remark how much faster
| it was. Everything in general seems faster, even things that you
| wouldn't think of. I typically use Brave for browsing which has
| good ad blocking capabilities, but this adds a whole additional
| layer.
|
| The only reason I don't use one now is that I travel a lot more
| so it's irrelevant, and I have to work enough on tools with
| Google/Vercel/other analytics that it is just very inconvenient.
|
| Regarding smart TVs, I have found that it's better to just use an
| Apple TV or Kodi box and never connect them to the internet though.
| Having said that, I gave my TV away because I never used it, so this
| might not be as up to date. A Pi hole will block ads on smart TVs
| though.
| _chris_ wrote:
| Wouldn't a smart tv do something ... smarter than just using
| the default dns given to it by the network?
|
| I'm not up to speed on this stuff but I thought pihole only
| blocked the simplest stuff from devices that play nice?
| dark-star wrote:
| > Wouldn't a smart tv do something ... smarter than just
| using the default dns given to it by the network?
|
| It could certainly try... but usually you would block that in
| your firewall. Fixed DNS servers or fixed server IP addresses
| are tricky because if you ever need to change them, you
| can't, because you'd need to update the hardware (which you
| can't since it sits behind a firewall).
|
| It could try to use things like Google's DNS server, but that
| is easily blocked in your router.
|
| Not a lot that could be done except trusting your (internal)
| DNS server...
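The firewall side of what dark-star describes, as an added example that is not from the thread: a POSIX shell function that emits an nftables ruleset for a Linux router, redirecting every plain-DNS query from the LAN to the Pi-hole and refusing DNS-over-TLS. The interface name br-lan and the Pi-hole address 192.168.1.2 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that forces
# LAN clients to the Pi-hole for plain DNS and blocks DNS-over-TLS, so a
# device with a hard-coded resolver still ends up at the local filter.
# Assumptions (constructed): LAN interface "br-lan", Pi-hole at
# 192.168.1.2 on that LAN, router runs nftables with the "inet" family.
dns_enforce_ruleset() {
  lan_if=$1
  pihole=$2
  cat <<EOF
table inet dns_enforce {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Redirect any LAN query aimed at an outside resolver to the Pi-hole.
    # The Pi-hole's own upstream queries are excluded to avoid a loop.
    iifname "$lan_if" ip saddr != $pihole ip daddr != $pihole udp dport 53 dnat ip to $pihole
    iifname "$lan_if" ip saddr != $pihole ip daddr != $pihole tcp dport 53 dnat ip to $pihole
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # The Pi-hole shares the LAN with the clients, so redirected packets
    # must be masqueraded; otherwise the client receives a reply from an
    # address it never queried and discards it.
    oifname "$lan_if" ip daddr $pihole udp dport 53 masquerade
    oifname "$lan_if" ip daddr $pihole tcp dport 53 masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # DoT (853) cannot be redirected transparently, so refuse it; most
    # clients then fall back to plain DNS, which is redirected above.
    iifname "$lan_if" tcp dport 853 reject with tcp reset
    iifname "$lan_if" udp dport 853 drop
  }
}
EOF
}

# Apply on the router with: dns_enforce_ruleset br-lan 192.168.1.2 | nft -f -
```

DoH shares port 443 with ordinary HTTPS, so no port rule separates it; a device that pins a DoH resolver needs per-address blocking or a client-side setting instead.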
| netsharc wrote:
| Why should the programmers of the TV's OS look for edge
| cases, and do you think the TV makers would give them budget
| for that? For 90+% of users the standard config of trusting
| the DHCP server will work fine, and the Pi-Hole users will
| probably not give them money anyway, and will be dedicated to
| defeating their workarounds...
| natebc wrote:
| I've been worried about companies that make software like
| this (applications with embedded telemetry or advertisements)
| starting to do their own DoH-style lookups.
|
| I don't KNOW of any doing it but I can't imagine it'd be too
| hard for them to do.
| mrbluecoat wrote:
| 5+ year development cycle. Impressive!
| https://pi-hole.net/blog/2023/10/09/pi-hole-v6-beta-testing/
|
| Any details on what HTTPS support provides, other than a TLS
| connection to the admin dashboard?
| thomassmith65 wrote:
| That works for me. It means I don't need to relearn everything
| every year, and the major versions probably won't be riddled
| with bugs.
| Sohcahtoa82 wrote:
| I love PiHole.
|
| I run my PiHole on a small cloud VM that I use for several
| projects, but put it behind a VPN that's configured to only
| forward DNS lookups, then VPN into it from my phone. So many
| advantages behind this setup.
|
| - Since only DNS lookups are tunneled, I don't have to worry
| about tunneling ALL my traffic and paying egress fees
|
| - Blocks ads in ALL apps, not just my browser
|
| - If it's acting up, I can just disconnect from the VPN to
| disable PiHoling
|
| - Don't have to expose my home IP address and open a port for the
| world to start banging on
| TheArcane wrote:
| > Don't have to expose my home IP address and open a port for
| the world to start banging on
|
| Is that really an issue if all you're exposing is the VPN port?
| Wireguard for instance has industrial-grade encryption. Even an
| open port 51820 should be fine
| Sohcahtoa82 wrote:
| I mean, probably not. But I like the idea of keeping
| everything closed anyways.
| 8fingerlouie wrote:
| With wireguard in particular, you're probably not running
| much risk, as wireguard runs over UDP, and as long as you're
| not connecting with a correct (recognized) key, it will not
| even generate a response, so a potential attacker has no way
| of knowing for sure that wireguard is running on a given
| port.
| lanthade wrote:
| The big feature miss for me in this announcement is baked in
| support for configuration sync between servers. Redundant DNS is
| common and it would be nice if pi-hole supported this oob. Making
| it even better would be an ability to see stats across all synced
| servers from one location.
| reboot81 wrote:
| I'm using https://github.com/ShiromMakkad/docker-pihole-sync to
| sync my two piholes. But I haven't figured out how to get my
| third pihole (ip-failover) into the loop...
| TriangleEdge wrote:
| I have a script update my hosts file to route domains to 0.0.0.0
| and ::0. I get the domains from
| https://github.com/StevenBlack/hosts.
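One way to do what TriangleEdge describes, as an added example rather than the commenter's own script: a POSIX shell filter that reads a hosts-format block list (StevenBlack/hosts uses that layout) on stdin and renders a managed section that maps each name to both 0.0.0.0 and ::0, plus a helper that swaps that section into an existing hosts file. The marker comments and the /etc/hosts usage path are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's script): turn a hosts-format block
# list into a managed section that maps every listed name to 0.0.0.0 and
# ::0. Comment lines, blank lines, the list's own localhost/broadcast
# entries and duplicates (case-insensitive) are dropped.
render_hosts_block() {
  printf '# BEGIN managed-blocklist\n'
  awk '
    /^[[:space:]]*#/ || NF < 2 { next }           # comment, blank, bare IP
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next } # only blocking entries
    {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break                      # trailing comment
        h = tolower($i)
        if (h == "localhost" || h ~ /^localhost\./ || h == "local" ||
            h == "broadcasthost" || h ~ /^ip6-/ || h == "0.0.0.0") continue
        if (!(h in seen)) { seen[h] = 1; print "0.0.0.0 " h; print "::0 " h }
      }
    }'
  printf '# END managed-blocklist\n'
}

# Replace the managed section of an existing hosts file in place, keeping
# everything outside the markers. The marker names are an assumption.
# Usage (assumed path): install_hosts_block /etc/hosts < hosts.txt
install_hosts_block() {
  target=$1
  tmp=$(mktemp)
  sed '/^# BEGIN managed-blocklist$/,/^# END managed-blocklist$/d' "$target" > "$tmp"
  render_hosts_block >> "$tmp"
  cat "$tmp" > "$target" && rm -f "$tmp"
}
```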
| nirav72 wrote:
| Still no wildcard domain support for local DNS.
| Netcob wrote:
| Finally a REST API!
|
| I've been waiting for this - I wanted to play around with
| blocking distractions on various rules, but controlling pi-hole
| remotely was a huge pain and often didn't work until now.
| nirav72 wrote:
| Have they added more to the existing API? They already had an
| http API to enable/disable blocking.
___________________________________________________________________
(page generated 2025-02-18 23:00 UTC)