I'm surprised this is the top slot right now. Troy generally puts out interesting info on security-related news, however this feels a bit minimal. Since the project has been around a number of years now, and it's not relegated to only an RPi, I would have expected him to delve into things a bit more. Pi-hole will also break things. I think the common one I always heard from users on my network at home was that Google click-thrus for products always fail. But... Don't deploy it on an RPi. It's not worth the inconvenience of maintaining another entire device for a network service. There's an actively maintained container I'd recommend, or it's very easy to deploy as a VM. Troy also didn't hit on anything like DoH or DoT, surprisingly.
Troy's skill is taking security and privacy topics and translating them with practical tips to an IT enthusiast audience that is much broader than HN.
Look at his comments and replies to gauge the audience for his content. Deploying more privacy and security tools and knowledge can only be a good thing.
It’s essentially dnsmasq which can be run directly on your wireless router if you are using custom firmware. No separate hw needed, no need to horse around with dockers or containers or any of that stuff. I’d guess a lot of people are already running dnsmasq for other purposes, so adding the blocklist and periodically updating it should be trivial.
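The "add the blocklist and periodically update it" step in the comment above, as an added example that is not from this thread and is not Pi-hole's or dnsmasq's own code. It is POSIX sh and converts a hosts-format list (the format StevenBlack/hosts and most public blocklists use) into dnsmasq `address=/name/0.0.0.0` lines, normalises and dedupes the names, applies an exact-match allowlist, and refuses to install an empty result. The URL, the output path under `/etc/dnsmasq.d` (assumes `conf-dir=/etc/dnsmasq.d` is enabled), the allowlist file and `service dnsmasq restart` are assumptions for illustration; the sample hosts file in `demo` is constructed, not a real list.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pi-hole/dnsmasq:
# turn a hosts-format blocklist into dnsmasq "address=" lines and install it.

# hosts_to_dnsmasq HOSTS_FILE [ALLOWLIST_FILE]
# Prints one "address=/<name>/0.0.0.0" line per blocked name to stdout.
hosts_to_dnsmasq() {
    hosts="$1"
    allow="${2:-/dev/null}"
    # 1. drop comments (whole-line and inline) and trailing whitespace/CR
    # 2. keep only blackhole entries (0.0.0.0 / 127.0.0.1); emit every name on the line
    # 3. throw away the loopback boilerplate hosts files usually carry
    # 4. keep only plausible hostnames (no bare IPs, wildcards, paths, or single labels)
    # 5. lowercase was applied in awk; dedupe deterministically, then drop allowlisted names
    # 6. rewrite into dnsmasq syntax; 0.0.0.0 rather than 127.0.0.1 so blocked
    #    lookups are not steered at services listening on the resolver itself
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$hosts" \
    | awk '($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 {
               for (i = 2; i <= NF; i++) print tolower($i) }' \
    | grep -Ev '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]{2,}$' \
    | LC_ALL=C sort -u \
    | { if [ -s "$allow" ]; then grep -Fvx -f "$allow"; else cat; fi; } \
    | sed 's#.*#address=/&/0.0.0.0#'
}

# install_blocklist URL OUT_CONF [ALLOWLIST_FILE]
# Downloads, converts, installs atomically, then restarts dnsmasq.
install_blocklist() {
    url="$1"; out="$2"; allow="${3:-/dev/null}"
    raw=$(mktemp) && conf=$(mktemp) || return 1
    if ! curl -fsSL --max-time 60 "$url" -o "$raw"; then
        rm -f "$raw" "$conf"; return 1
    fi
    hosts_to_dnsmasq "$raw" "$allow" > "$conf"
    rm -f "$raw"
    # Refuse an empty result: a truncated download or an HTML error page
    # would otherwise silently replace the blocklist with nothing.
    if [ ! -s "$conf" ]; then rm -f "$conf"; return 1; fi
    chmod 644 "$conf" && mv "$conf" "$out" || return 1
    # SIGHUP makes dnsmasq re-read addn-hosts files but NOT its config files,
    # so new address= lines only take effect after a restart. (Assumed init:
    # a Debian-style "service" wrapper.)
    service dnsmasq restart
}

# Constructed sample (not a real blocklist) exercising comments, mixed case,
# multi-name lines, a non-blackhole entry, a bare IP and an allowlisted name.
demo() {
    h=$(mktemp) && a=$(mktemp) || return 1
    cat > "$h" <<'EOF'
# Title: constructed sample
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.com # inline comment
0.0.0.0 ads.example.com
0.0.0.0 cdn.example.net metrics.example.net
192.168.1.10 nas.lan
EOF
    echo 'cdn.example.net' > "$a"
    hosts_to_dnsmasq "$h" "$a"
    rm -f "$h" "$a"
}

# Usage: sh blocklist.sh demo
#        sh blocklist.sh install https://example.invalid/hosts /etc/dnsmasq.d/blocklist.conf [allowlist]
case "${1:-}" in
    demo)    demo ;;
    install) install_blocklist "$2" "$3" "${4:-}" ;;
esac
```

Run `sh blocklist.sh demo` to see the conversion on the constructed sample; put the `install` form in a weekly cron job. Two practical points the pipeline encodes: the allowlist is exact-match only, so a wildcard-style entry will not rescue a whole domain, and hosts files in the wild frequently contain `0.0.0.0 0.0.0.0` or IPv6 loopback lines that would become nonsense `address=` entries without the hostname filter.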
I'd argue Pi-hole is quite a bit more than dnsmasq (it's actually a fork of dnsmasq called FTLDNS) out of the box. It's also very much more approachable by the majority, and the web interface gives people immediate feedback and configurability without having to understand configurations for the services directly.
I was doing this using Tomato and it introduced serious stability issues in the two routers (both Asus) I tried it on.
Pi-Hole is a drop-in replacement to an existing network setup that doesn't require hacking your router to install a custom firmware. It will also persist across router upgrades.
My only gripe with Pi-Hole, which isn't their fault really, is that power losses can quickly corrupt the Raspberry Pi's SD Card. I have my network gear on a battery backup but when I was first validating Pi-Hole I had it sitting on my desktop and managed to corrupt the SD card with power drops.
Use a different root filesystem. Ext4 is not robust against power loss, as I've discovered in multiple embedded Linux systems where Ext4 was used.
The best filesystems for robustness against power loss seem to be log-structured filesystems like YAFFS2 or QNX's ETFS. The design of the filesystem basically means that a block is never modified on flash, only obsoleted by future writes. The trade-off is that the filesystem has to be reconstructed from the raw blocks at power-on but it's incredibly robust. And the filesystem also has to be garbage-collected before additional writes can be performed. But as long as you run your filesystem below capacity this isn't a big deal.
Back in the day (also before ext4) we solved this by mounting the root filesystem read-only. Depending on any other application for the machine, you may not need filesystem writes at all once it is set up. Bonus: it’s even friendlier to the flash.
This is how I've solved the problem in the past. Too bad systemd discourages this. It also doesn't protect the partition where your database and log files are kept.
I got cheap SSDs in cheap USB cases for my 2 Pis after getting annoyed with SD corruption. SSD prices have dropped recently after being flat for a long time. If you are really cheap the cases often go for $1 or free after rebate at newegg.
Do you know if it’s possible to deploy it on a virtual AP? E.g. have “MyNetwork” and “MyNetworkWithAds” - so that it is easier for nontechnical users to switch, and also doesn’t deactivate for everyone when just one user needs to (even if only for 5 mins)?
Possible but not that simple actually, as there is little to no documentation or shortcut for such a case available using dnsmasq. Afaik you can only realize this by running multiple instances.
Can anyone recommend a "2018 good choice" for a consumer router that can run custom firmware (including dnsmasq), or a trustworthy recommendation website? Wirecutter for example doesn't note third party firmware: https://thewirecutter.com/reviews/best-wi-fi-router/
Not really an off-the shelf consumer router, but since you want to install custom firmware anyways, you might want to consider the PC-Engines APU2 board [1]. You can either install any "normal" desktop x86_64 Linux distribution or a specialized router OS such as OpenWrt [2]. The AMD APU on the board supports hardware virtualisation, so you're able to run several VMs via KVM to isolate the services the router is providing.
Of course this board doesn't come with the features of a fully-fledged consumer router, such as built-in DSL/DOCSIS modem, DECT, WiFi, etc, so your mileage may vary. It comes with 3 independent Ethernet ports and 3 mPCIe slots though.
I second this. I've been running PC Engines stuff for a few years and it's great. I currently have an APU and it handles my gigabit fiber no problem. I use a separate off-the-shelf wireless router in bridge mode, which lets me upgrade that independently of the PC Engines box (wireless hardware tech moves faster than router hardware tech).
I run openwrt on it and use the "adblock" package which works like pi-hole (minus the nice web stats). Having it be a plain x86 CPU is nice; for example, I compiled Telegraf on my local Linux machine (since openwrt doesn't have a package for it) and was able to just drop it on with minimal problems.
I’ve been running the mid to high end Asus routers for years now and am very happy with them. Running wrt-Merlin firmware and AB-Solution via entware is everything I need and doesn’t complicate things with additional devices like pi-hole.
Yes, this is my preference as well. You can also run a vpn with this setup (as you can with other custom firmwares) so you can take advantage of this adblocking from outside your home.
I was looking for an openwrt-compatible router a few weeks ago; this is 2018's consensus cheap & able & easy-to-install router. It's easily the most frequently recommended home router for openwrt these days. And yes, openwrt's Adblock package is awesome.
Netgear R7800 and any other router with the same Qualcomm chipset work great with OpenWRT.
Take care that the router has a boot mode which allows you to overwrite the firmware via TFTP. That comes in handy in case of trouble with a particular firmware version (e.g., router stuck in a boot loop).
I buy my routers from flashrouters.com. A little overpriced, but I trust them and their testing. I have the Asus N16rt (I think) running shibby tomato and it's great.
Despite this, I run pi-hole on an RPi that I haven't done so much as a reboot on in two years.
It may be more full-featured than you are looking for, but have a look at the Turris Omnia. It is extremely customisable and you can add an internal SSD to run LXC containers on (including one running Pi-hole, which is what I do).
Not cheap, and sometimes unforgiving if you don't know exactly what you are doing, but worth every penny in my opinion.
This happened to me too, and what I learned is that the Omnia uses the Knot DNS resolver, which re-enables itself after updates and this breaks everything if you have made certain customisations.
The fix is to disable this with "echo 'Uninstall("knot-resolver", { priority = 60 })' >> /etc/updater/conf.d/user.lua" over SSH so it stays disabled. You can do this for any service you modified or disabled, and the documentation barely mentions this (it's a real showstopper bug until you diagnose it - no connectivity whatsoever).
It’ll be more involved for you to set up, but pfSense is what I use. I basically forget it’s there until I want to change something (add a new VPN user, monitor bandwidth usage). I’ve set up an IPSec VPN that works well with my Apple devices, especially with a configuration profile that enables on demand VPN (connect via VPN when certain conditions are met, like not on my home WiFi). For hardware I use a cheapish “industrial” computer from AliExpress. Probably not the best thing security-wise (no firmware updates in the past few years, it feels like it’s just shipped directly from a random factory in China), but it’s been great so far.
How do you instruct an iPhone or iPad to use VPN when you are not connected to your home Wi-Fi? I used their former Workflow automation app (now dubbed Shortcuts in iOS12) and it did allow reacting to such an event (going out of range of 1 or more wi-fi networks) but did not realize one of the possible actions was to be able to enable VPN.
Assuming I'm only interested in blocking ads in one computer, is there a software solution for this on Linux or Windows? (I know that Mac has Little Snitch).
Why not use a browser extension? uBlock Origin is pretty good from what I hear. I use uMatrix by the same dev, and it serves me well. Both work on major browsers (FF, Chrome, Opera, etc.).
That doesn't work the same as pihole. PiHole blocks ads on ALL devices on your network: your computer, your laptop, your phone, your kids' Kindle, etc. As long as they are on your network, they are protected (and when browsing web pages on an older phone, things are much faster).
Yeah this is something I've been thinking about lately as well. Pi-Hole seems cool but what about most of the time when I'm somewhere else than my local network?
I use AdBlock https://www.adblockios.com on iOS which runs a local DNS server that can blackhole domains. It doesn't work well on very large host files so I gave up trying to import https://github.com/StevenBlack/hosts, but it does work well for smaller lists.
(1) Install "1Blocker X" -- not free but it's cheap.
(2) It has a huge number of rules and protects your Safari pretty damn good.
(3) You can disable the existing rules if you so choose.
(4) You can add new ones based on URL regexes or CSS rules.
I am still using it actively on both my iPhone and iPad; one of the best investments in apps I ever made.
The issue with that is DNS resolution. I noticed that when I disconnect/reconnect my interface, it took >30 seconds for DNS resolution to properly resolve. Why? Because I was using a 65,000 entry host file on my modern Windows 10 machine.
It seems to only impact during NIC changes, but I VPN and was moving my computer enough that it was causing me issue.
Of course I have deployed it on a Raspberry. I don't have another always-on computer, and while it's not the only supported target, it is the one most Pi-Hole users have, so I get maximum community support.
I'm doubting whether electricity cost might be too high (it's getting mighty warm), but I haven't measured it, yet.
So far, I love my Pi-Hole. Absolutely no problems with it.
On an RPi I can plug it in to the USB on my router for power and connect with ethernet. Otherwise I have to run a full powered server perpetually to manage DNS for the home network. Made sense to me.
I stopped using it as mine was seemingly hacked (100,000 lookups or so in a short time, presumably some sort of page-impression generation?) and I hadn't the time to trace if it was a problem with the project or not.
I wasn’t aware of that - thanks. I think I’ll be safe as there will be no peripherals plugged in, but that’s something that needs considering it seems.
I've gone the route of using another box to do PoE -> 5V USB, but unfortunately the TP-Link converter is outputting 4.8V instead of 5V (the Pi3b will technically run on this, but it's not a good idea).
Thanks for the link. I'm guessing this would handle the use case of being able to access Pi-Hole while traveling or in a coffee shop, correct? This seems to be a limitation of having this on a Pi.
Container link: https://hub.docker.com/r/pihole/pihole/
Edit: word