I have a recursive DNS setup, PiHole filters everything, and what is left is processed locally via Unbound which in turn, contacts the 13 root nameservers for DNS resolution. I don't use any third party DNS.
Add PiHole/Unbound caching capabilities, and surfing the internet is bloody fast.
Now, they alone cannot block everything, like smart TVs with hardcoded DNS, DNS-over-TLS, DNS-over-HTTPS, etc.
That is where OPNSense comes to play...
I have firewall rules in place so that nobody but the PiHoles can request name resolution. My Samsung smart TV trying to use Google DNS?? Blocked, PiHole takes over.
Devices trying to use DoT or DoH??? Blocked, PiHoles take over.
You can create a dynamic firewall rule with OPNSense so it will only block 443 and 853 if the host matches the list, which is updated daily.
To make everything even better, the OPNSense firewall makes sure no IoT device can access the local network, but I can access them (wireless printer, etc.), and if I need to access anything while on the road, like my cat's cam or my Voron 3D printer camera, WireGuard VPN makes sure of that. No VPN equals no network access.
It is just me and my devices, at the time of this writing:
* Domains on List: 500k
* Total queries: 43k
* Queries Blocked: 17k
* Percentage Blocked: 39%
I run GrapheneOS on my Pixel phone with very limited apps; I prefer the web version. The apps themselves are fully controlled and 99% of the access blocked. That is why I have fairly low numbers after purging all the logs a few days ago.
How? I can see you only allowing some ports through the firewall, but presumably TCP 443 is one of those. According to Cloudflare [0] DoH uses that. What if Samsung uses that, or figures DoT on port 443 works better? Do you only allow specific destinations for these devices?
I actually use a similar setup, only I removed pihole and just use some lists in my opnsense's unbound (didn't notice much difference).
My "smart" TV is pretty awful, so it's just unplugged (which makes it dumb, so now I love it). I've tried putting it on a dedicated VLAN with no internet access so I could try using the built-in Chromecast functionality – didn't have much luck. I've set up the mDNS repeater and allowed ports through, but that doesn't seem enough.
[0] https://developers.cloudflare.com/1.1.1.1/encryption/dns-ove...
Like you said, you cannot just block 443, the dynamic firewall uses a public list, which contains all the public DNS known to man ( the last bit was just to sound a little dramatic haha )
So OPNSense will block anything within that list in both 443 and 853.
So my Samsung QLED TV can no longer use Google:443 for DNS resolution. OPNSense blocks it and redirects it to PiHole; a NAT is also required to avoid devices getting mad.
I didn't pay a kidney for that smart TV back in 2019 to make it dumb; when it is on, the PiHole logs go brrrrrrrr.
It is also one of the reasons why my whole network was going down: it was making too many requests, exhausting PiHole's 150 concurrent DNS requests. There is a flag to increase that, and no more issues.
Google:443: DNS request only, no actual 443 request gets blocked
Cloudflare:443: DNS request only, no actual 443 request gets blocked
etc etc Read that blog I shared to understand it.
If I run a dig google.com @8.8.8.8, PiHole terminal shows the request
If I run 8.8.8.8:443 on the browser, OPNSense firewall log shows access denied, the same msg when my TV turns on or my Home Assistant goes on.
DoT on 853 is simple to block on its own, not much secret there.
https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/r... https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/r...
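The rule set described in the comment above (port 53 from everything but the resolvers NAT'd to Pi-hole, 853 dropped, 443 dropped only for destinations on a public DoH IP list) can be modelled as a small policy evaluator. This is an added example, not code from the thread, OPNSense or the dibdot project; the network addresses and the blocklist entries are constructed, and the one-entry-per-line, `#`-comment list format is an assumption about how such lists look. The last check in the test shows the gap the thread goes on to discuss: HTTPS to a DoH endpoint that is not on the list is indistinguishable from ordinary web traffic and passes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample resolver addresses for the home network (hypothetical).
PIHOLE_ADDRS = {
    ipaddress.ip_address("192.168.1.53"),
    ipaddress.ip_address("192.168.1.54"),
}

# Constructed sample blocklist in a one-entry-per-line style with "#"
# comments. Real public DoH IP lists are far longer; these entries are
# illustrative only.
BLOCKLIST_TEXT = """
# constructed sample, not a real list
8.8.8.8
8.8.4.4
1.1.1.1          # inline comment
2606:4700:4700::1111
9.9.9.9/32
"""


def load_blocklist(text: str) -> list:
    """Parse IPs/CIDRs (one per line, '#' comments) into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        # strict=False tolerates host bits set inside a CIDR entry
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


@dataclass
class Verdict:
    action: str   # "allow", "block" or "redirect"
    reason: str


def evaluate(src: str, dst: str, dport: int, blocklist: list) -> Verdict:
    """Decide what the edge firewall does with one new flow.

    Rule order mirrors the comment: resolvers may talk upstream, everyone
    else's port-53 traffic is DNAT'd to Pi-hole, DoT (853) is dropped
    outright, and 443 is dropped only when the destination is a listed
    public DoH endpoint. Anything else is ordinary traffic.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    if src_ip in PIHOLE_ADDRS:
        return Verdict("allow", "resolver talking to its upstream")
    if dport == 53:
        if dst_ip in PIHOLE_ADDRS:
            return Verdict("allow", "client asking the local resolver")
        return Verdict("redirect", "port 53 DNAT'd to Pi-hole")
    if dport == 853:
        return Verdict("block", "DNS-over-TLS port dropped for all hosts")
    if dport == 443 and any(dst_ip in net for net in blocklist):
        return Verdict("block", "HTTPS to a listed DoH resolver IP")
    return Verdict("allow", "ordinary traffic")


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    for flow in [("192.168.1.20", "8.8.8.8", 53),
                 ("192.168.1.20", "8.8.8.8", 443),
                 ("192.168.1.20", "203.0.113.9", 443)]:
        print(flow, evaluate(*flow, nets))
```

The evaluator is deliberately a plain function over (src, dst, port) so the same rule ordering can be checked against the firewall's own log lines when a device misbehaves.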
As an alternative, has someone tried running http/s proxy on the firewall and blocking the rest of client HTTPS (except maybe for whitelist devices)?
I want to know how to become a Pollock painting.
To your credit, I can block more stuff but I haven't bothered. I have spent many nights blocking stuff haha
Reddit doesn't work atm at home because I blocked static.reddit.com. Since the API drama, I never used it again; I used to waste hours of my life every day there. Couldn't be happier, to be honest haha
The only fight I gave up is YouTube; I do see value in YouTube Premium. Spotify is dogshit. YouTube Music allows me to listen to music available nowhere else, like DJ remixes and old music, and the offline music works, which Spotify gave me the finger on.
I watch YT only; TV news are completely useless nowadays. There are solid news channels, so anyway, I do pay for it over trying to block its ads from the free version. I mean, try listening to music with ads, nah thanks haha
EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.
However, if the adversary decides to just query - and answer - DoH requests on the same hostname that you are trying to talk to ... isn't that a winning move ?
For instance:
If one had an application - or an appliance - that spoke https to endpoint.samsung.com, how would one block DoH requests addressed to the same endpoint.samsung.com ?
And if telemetry.example-iot.com belongs to an AWS IP, it could change to another IP in their space at any time, so your only recourse would be to limit connectivity to all of AWS, which would effectively prevent you from accessing most things on the internet.
a) you stop accepting A lookups, because it's 2025 and IPv4 only is dead (let's pretend anyway)
b) for each AAAA lookup, return a new IPv6 address that you'll NAT to the real address (you can use this for NAT64 if you want to let clients connect to IPv4 hosts). Then only let clients connect to these IPv6 addresses you setup.
If someone smuggles address resolution through, outside of DNS, their clients can't connect.
(this is going to be a big PITA, but that's how these things go)
We employ exactly this technique for our Android firewall app. It can do IPv4 (by mapping hash(domain name) onto the RFC 6598 reserved subnet [0]), as the number of unique AAAA/A requests on a client seldom exceeds 35k/mo!
Another (simpler) control we offer users is to drop all connections made to IPs that the user-set resolver did not do name resolution for.
> (this is going to be a big PITA, but that's how these things go)
You don't say.
[0] https://github.com/celzero/firestack/blob/2191381f/intra/dns...
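The two comments above describe the same control from two sides: the resolver hands clients a synthetic address for every AAAA answer (or, for IPv4, a hash of the name into RFC 6598 space) and keeps the real address in a NAT table, and the firewall forwards only flows to addresses it issued, so a client that learned an address by any route other than the resolver cannot connect. The following is an added illustration of that mechanism, not code from firestack or from either commenter; the `fd00:6464::/96` pool, the class and method names, and the sample names and addresses are assumptions made for the example.

```python
import hashlib
import ipaddress

# Pools are assumptions for this example: a ULA /96 for synthetic IPv6
# answers and the RFC 6598 shared address space for the IPv4 variant.
SYNTH6 = ipaddress.ip_network("fd00:6464::/96")
SYNTH4 = ipaddress.ip_network("100.64.0.0/10")


class DnsGate:
    """Resolver plus NAT table that only lets clients reach addresses it issued."""

    def __init__(self):
        self._next6 = 1      # next free offset in SYNTH6
        self._nat = {}       # synthetic address -> (name, real address)

    def answer_aaaa(self, name: str, real: str) -> ipaddress.IPv6Address:
        """Upstream returned `real` for `name`; hand the client a fresh synthetic AAAA."""
        synth = SYNTH6[self._next6]
        self._next6 += 1
        self._nat[synth] = (name, ipaddress.ip_address(real))
        return synth

    def answer_a(self, name: str, real: str) -> ipaddress.IPv4Address:
        """IPv4 variant: map hash(name) into the RFC 6598 block.

        Deterministic, so a name always gets the same synthetic address.
        Distinct names can collide (a /10 holds ~4M addresses); the later
        mapping then wins. Offset 0 and the last offset are skipped so the
        network and broadcast addresses are never handed out.
        """
        digest = hashlib.sha256(name.encode()).digest()
        offset = 1 + int.from_bytes(digest[:4], "big") % (SYNTH4.num_addresses - 2)
        synth = SYNTH4[offset]
        self._nat[synth] = (name, ipaddress.ip_address(real))
        return synth

    def forward(self, dst: str):
        """Firewall hook: real destination for an issued address, else None (drop).

        A client connecting straight to a real address it learned outside
        the resolver (DoH, a hardcoded IP) gets None here and is cut off.
        """
        entry = self._nat.get(ipaddress.ip_address(dst))
        return None if entry is None else entry[1]

    def owner(self, dst: str):
        """Which name an issued address was handed out for (for logging)."""
        entry = self._nat.get(ipaddress.ip_address(dst))
        return None if entry is None else entry[0]


if __name__ == "__main__":
    gate = DnsGate()
    s6 = gate.answer_aaaa("telemetry.example-iot.com", "2001:db8::10")
    print("client sees", s6, "-> NAT to", gate.forward(str(s6)))
    print("direct to real address:", gate.forward("2001:db8::10"))
```

Because every issued address is tied to a name, the NAT table doubles as the log of which hostname each outbound flow was for, which is exactly the visibility DoH takes away from a plain port-53 resolver.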
This sounds good, and I've wondered how I could implement such a thing.
However, with the clearly hostile approach all IoT appliances are taking, I wonder if they'll actually fall back to a "degraded" (for them) config with the network-provided DNS, or whether they'll just fail and complain the network is broken or something.
In our house the only device that tries to use DoH is my partner's iPhone. It tries a few times, fails, then uses the Adguard DNS, which blocks the trackers.
https://support.mozilla.org/en-US/kb/dns-over-https
I use these settings on all my browsers to prevent DoH and make sure traffic goes through my Pi (I run unbound directly on the Pi though, not Pi-Hole: in my experience unbound is a bit harder to set up initially but it's also more powerful than Pi-Hole... For example unbound accepts wildcards in blocklists).
It's not incompatible with also blocking, at the firewall level, all known DoH servers of course.
Nor is it incompatible with forcing your router to also use your Pi as a DNS.
Don't worry. All the browsers and stuff are bypassing this level of control by moving to DNS-over-HTTPS. You'll either have to deploy a TLS terminating proxy on your network, or give up on this arms race.
Yes, and...It's not just to block ads. It's also to block various trackers and unwanted/surreptitious "telemetry" and "updates" to those devices you can't control/configure.
In this model, DoH is only a bad thing because it evades local DNS control.
I know that apps can always roll their own or even hardcode servers, but I hate the way that DoH was seen as some kind of saviour even though it adds zero benefit to European users and only adds negatives.
DoH protects against intermediaries spying on your requests and potentially forging responses. Exactly the same as HTTPS.
Sending anything in clear text over the internet in 2025 is criminally negligent.
Encapsulating DNS packets in HTTP payloads still feels a bit strange to me. Reminds me a bit of DOCSIS, which encapsulates ethernet frames in MPEG-2 Transport Stream packets (this is not a joke).
And yeah I also think it's a really bad idea to run everything over https. But I don't think it'll happen.
Here the ISPs are intermediaries too, but we have laws to prevent them from using our data via DPI etc., even if you use their DNS.
I agree encryption is important but DoT is much better then. DoH mainly took off because of this in the US.
I forgot the name of the software, but there used to be a few tools to terminate and re-encrypt. But yeah, DNSSEC is its own challenge.
Edit: as much as I dislike AI, I concede it would be lovely to tell it to replace all ads with pictures of flowers.
Those commands in TFA simply reroute traffic on port 53 to Pi-Hole, which isn't enough to prevent apps from doing their own name resolution. For instance, the Telegram app has built-in DNS-over-HTTPS, which those iptables chains could do nothing about.
I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.
(The challenge of course is when you can't or aren't allowed to ignore it, its own challenge).
FWIW, even a Pi Zero 2 is overkill. My pi-hole has been running for the better part of 3 years on the same microSD card on a first-generation pi zero, powered via a USB port on my router.
FWIW, that was also an initial concern of mine. Almost three years later, I've never once had an issue with running my pi-hole over wifi.
On good wifi with no interference you can get a 2 ms avg and 0.2-0.4 ms SD ping distribution.
Ethernet will have 0.2 ms avg and 0.01 ms SD.
It's the outliers that will cause headaches, when there is radio interference.
Wifi is a dynamic system, with every base station migrating bands for interference.
I opine that there's no _functional_ difference between those speeds for purposes of a home LAN. Both values are far below humans' ability to perceive the difference.
I mostly used USB as an experiment and I didn't know what else to do with the regular-zero
Very cool how a $5 board could work so well! I was glad to see your post.
I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?
Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.
If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).
Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).
For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.
jnn-pa.googleapis.com
was likely in one of the lists - add it to "Exact allow" list
Similarly you can allow
googleadservices.com
but that is too much IMO - I just have a habit now to not click on such results.
The google sponsored search issue was one I also fixed quite quickly.
As for the others those services depend on, again you just need to find them and whitelist them which isn't too tricky to do. Unfortunately pi-hole won't stop everything.
Makes it nice and easy for the non-technical members of the fam.
Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.
As mentioned in the article, pi-hole complements a browser ad block, doesn't replace it.
My wife likes to cast youtube videos from her phone to the TV, so the experience is nearly the same to her on her phone as it is watching on TV. Maybe if she only used the PC interface she wouldn't mind, but she likes to search / scan / scroll youtube on her phone, and cast the bits she's going to actually watch.
She was very frustrated by having to find the video she wanted to watch on her phone on the PC using the somewhat finicky mouse touch pad to get the cursor to open the web browser, navigate to youtube, enter the title in the search box, (possibly) scroll to find the video, and then a couple more steps getting it playing full screen.
I'm happy we have options to block ads that aren't uBlock Origin in firefox, even though that works great, and better than other options.
My best guess at why people don't want to do this is that we're conditioned not to do anything that isn't advertised to us, and nobody is running adverts telling you to hook a laptop up to your TV for a superior smart TV experience.
But I also get why people just want to sit on the couch, find a nice video on the phone and with the press of a button want to see it on the TV. No computer boot time, no updates, no writing on the keyboard while laying down.
I get that you can buy a fanless pc, install linux with unattended-upgrades and you have something more powerful. But most people don't know how or don't want to go through that hassle.
Again, for you yes. But some lay down on the couch and a keyboard in that posture is just annoying.
And copying a youtube video from the app, into firefox app to just send it to the computer is bonkers complicated when you could just press the cast icon.
A lot of people interact with their phone all the time, but rarely use the computer. I'm telling you, it's easier to use the built-in YouTube app for a lot of people.
It's best to run both.
Yes, but don't we expect all of those devices (and apps) to move to DoH resolution if they haven't already ?
In that case the pihole (or nextdns, etc.) are bypassed ...
I suppose you could proxy all TLS traffic and block it but if the DoH is being served by the same FQDN as the traffic you want in the first place aren't you out of options ?
A couple years ago it was like night and day. Now it is still better than nothing, and in a year or two it might not be worth running.
It's definitely a moving target, but "we expect ... to move to DoH resolution" means that they haven't all moved yet, and a DNS based ad/telemetry/etc blocker still works today (for some apps / smart devices). If it works for some things today why would I turn it off because it might not work for a subset of those things tomorrow? Agreed the value proposition of setting one up is probably dropping, but I still prefer it to nothing.
Now that I think of it, I should probably start logging how many DNS lookups "fail" because of the DNS blocking list, and monitor for changes. If it ever gets to less than one a day it's probably not worth the couple of W to power the Raspberry Pi.
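The "log how many lookups get blocked per day and watch the trend" idea above is a few lines of log parsing. This is an added example, not code from the thread or from Pi-hole: the sample lines are constructed in the style of the dnsmasq log that Pi-hole writes (the `query[...]` / `gravity blocked ...` message shapes and the syslog-style timestamp are assumptions about that format; adjust the regexes to your own log), and a threshold of one blocked query per day is the commenter's own cut-off. Note that this counts requests, not bytes saved, so a high ratio says nothing about traffic volume.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture) modelled on dnsmasq's
# logging as Pi-hole writes it. Two days: the first has blocks, the
# second has none.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Jan  5 10:00:01 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 10:00:02 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan  5 10:00:02 dnsmasq[812]: forwarded example.org to 127.0.0.1#5335
Jan  5 10:00:03 dnsmasq[812]: query[AAAA] tracker.example.com from 192.168.1.21
Jan  5 10:00:03 dnsmasq[812]: gravity blocked tracker.example.com is ::
Jan  5 10:00:04 dnsmasq[812]: query[A] example.org from 192.168.1.21
Jan  5 10:00:04 dnsmasq[812]: cached example.org is 93.184.216.34
Jan  6 09:00:00 dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan  6 09:00:00 dnsmasq[812]: forwarded example.org to 127.0.0.1#5335
Jan  6 09:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jan  6 09:00:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5335
Jan  6 09:00:02 dnsmasq[812]: query[A] example.net from 192.168.1.22
Jan  6 09:00:02 dnsmasq[812]: forwarded example.net to 127.0.0.1#5335
"""

# syslog-style prefix: "Mon dd HH:MM:SS dnsmasq[pid]: <message>"
LINE_RE = re.compile(r"^(?P<day>\w{3}\s+\d{1,2}) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(r"^gravity blocked (?P<name>\S+) is ")


def daily_stats(log_text: str) -> dict:
    """Per-day query count, blocked count and the set of blocked names.

    Keys are the raw "Mon dd" prefix; syslog lines carry no year, so a
    real deployment should parse them into dates before sorting.
    """
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "blocked_names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated daemon or malformed line
        day, msg = m.group("day"), m.group("msg")
        if QUERY_RE.match(msg):
            stats[day]["queries"] += 1
        else:
            b = BLOCK_RE.match(msg)
            if b:
                stats[day]["blocked"] += 1
                stats[day]["blocked_names"].add(b.group("name"))
    return dict(stats)


def blocked_ratio(day: dict) -> float:
    """Share of queries answered from the blocklist (a request count, not bytes)."""
    return day["blocked"] / day["queries"] if day["queries"] else 0.0


def days_below(stats: dict, min_blocked: int = 1) -> list:
    """Days on which the blocklist did less than `min_blocked` work."""
    return sorted(d for d, s in stats.items() if s["blocked"] < min_blocked)


if __name__ == "__main__":
    stats = daily_stats(SAMPLE_LOG)
    for day, s in sorted(stats.items()):
        print(f"{day}: {s['blocked']}/{s['queries']} blocked ({blocked_ratio(s):.0%})")
    print("quiet days:", days_below(stats))
```

Running it against the Pi-hole log on a timer and alerting on a run of quiet days gives the "is it still earning its watts" signal the comment asks for, without touching the web UI.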
On the "less maintenance" front, I honestly don't pay any attention to the pi-hole in any given month. It has automatic updates running, and reboots when it needs to. It pretty much just works and I forget about it.
* I haven't actually used PiHole itself that much, mostly AdGuard and PfBlocker. Same basic idea, though. The cost for me to run PfBlocker on my router is basically zero, it's pretty much set-and-forget.
Pi-hole blocks for IoT devices, all apps across all smartphones on the network, all programs across all OS's on your network.
- I need it to work within phone apps, my TV, on Safari, and on Chrome
- I just don't trust Chrome addons. When you go to install an ad blocker, there's an extremely ominous warning about how it can read everything shown on my browser.
What's worse - apparently these addons can change hands down the line, and the new owners can simply push new code.
I don't want this thing phoning home with screenshots of my bank and email.
I'm not sure how a blocker would work if it couldn't see the content of the page...
Best to run both if you're in a position to do so
When I ran it, I ran into various hard-to-diagnose compatibility issues on different devices. Or, guests coming over and having their various websites be broken in ways that I'd have to troubleshoot.
These walkthroughs always make it look easy, but no matter how easy the setup is you can't escape the fact that you're adding a layer of complexity to the network, and I just don't want to maintain it. I fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because I don't know what I'm doing.
I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.
I hear things like this a lot from PiHole users. But it's incorrect.
Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked
It would be pretty difficult to measure by more typical measures (e.g. bandwidth) because if you block DNS resolution you don't know the size of the resources you are blocking...
In my case, a single "smart light" in my house hammers iot-auth-global.aliyuncs.com all day, every day. Three other identical lights running the same firmware don't however.
But you can do for much cheaper. For example: https://www.canakit.com/raspberry-pi-3-model-b-plus-basic-ki...
Add a MicroSD card (if you don't already have one) and a case (if you need one) and you get to ~$75.
You can do even cheaper by getting a $15 Pi Zero 2 W and an Ethernet adapter off AliExpress. You probably already have an old phone charger and microSD card somewhere, but if you don't they are less than $5 each on AliExpress, so maybe a total of around $30 plus shipping.
All can be bought for around $100 and are upgradeable with standard parts AND are multiple times more powerful than any raspberry pi.
Pi Zero 2W + micro usb ethernet adapter works perfect for Pi-Hole, and has an almost invisible physical footprint: Small enough to hot-glue on the back of your router, happily runs with power from one of the router's USB ports, and you get a 10cm ethernet cable to avoid network cable management.
I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).
Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.
I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.
In combination with uBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)
I enabled `unattended-upgrades` and set it to do all types of update. I've never caught it in a reboot but it's always current. It swaps to ZRAM for less load on the µSD card.
Raspberry pi can be set up to boot with ssh login/password, so you don't even need wired mouse and keyboard.
https://www.theregister.com/2025/03/08/pi_hole_6_flyby/
TBH I was surprised how easy it was, how unobtrusive it is, and how a bit of borderline e-waste that was in my spares box now helps every device on the network, including things like phones where I can’t so easily add ad-blocking.
Currently I'm at 28% blocked. Typically I'm above 50% like OP.
They have a significantly higher number of domains blocked. Time to update my lists: https://firebog.net/
IoT devices which constantly phone home will skew things.
1) at work 2) out of town 3) or just not home
Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.
You could also set up 2 SSIDs depending on your WiFi setup. Point one to Pi-hole and the other to a different DNS provider. The instruction if Pi-hole breaks is just to switch WiFi.
I run Pi-hole in docker on a NanoPi that I set up as my router (running OpenWRT). In the rare occurrence that it misbehaves, I could just tell my spouse to power cycle it. I did think of having a failover, but there's always going to be a single point of failure with my ISP router anyhow.
I have done so for four or five years.
Well, with x86_64 binaries -- but I could compile the code myself if I wanted.
No containers, just a Linux (Fedora) VM.
Just run the docker on another server you're running anyway, or run it on a raspberry pi zero 2W for $15. A pihole does so little work, it doesn't benefit from a pi 5.
I just run it on a VPS that costs me 3€ per month and runs lots of other stuff too like an IRC bouncer. That way I can access it from everywhere.
PS, I didn't mean the word 'shit' negatively. 'stuff' would have been better. But I meant it more as in 'check this shit out' :)
Pihole is actually a really nice project even though it's just a wrapper around dnsmasq.
And how do you block access to non-paying customers? DNS isn't authenticated.
It's also not really a great method for adblocking anymore (which would make the support problem worse, "why am I still seeing ads?")
Good luck with whatever it is. Can't go there.