Scott Hanselman

Blocking ads before they enter your house at the DNS level with pi-hole and a cheap Raspberry Pi

April 11, '19 Comments [15] Posted in Hardware | Open Source

Lots of folks ask me about Raspberry Pis. How many I have, what I use them for. At last count there's at least 22 Raspberry Pis in use in our house.

A Pi-hole is a Raspberry Pi appliance that takes the form of a DNS blocker at the network level. You image a Pi, set up your network to use that Pi as a DNS server and maybe white-list a few sites when things don't work.

I was initially skeptical, but I'm giving it a try. It doesn't process all network traffic; it's a DNS hop on the way out that intercepts DNS requests for known problematic sites and serves back nothing.

Installation is trivial if you just run unread and untrusted code from the 'net ;)

curl -sSL https://install.pi-hole.net | bash

Otherwise, follow their instructions and download the installer, study it, and run it.
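
One way to make "study it, and run it" stick, as an added example that is not part of the original post or the Pi-hole project: pin the SHA-256 of the file you actually read and refuse to execute anything else. The file name pihole-install.sh and both function names are assumptions chosen for illustration, and sha256sum is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: execute a downloaded installer only if it is still the exact file you read.
# Network steps are shown as comments so the functions can be exercised offline:
#   curl -sSL https://install.pi-hole.net -o pihole-install.sh   # save it, do not pipe to bash
#   less pihole-install.sh                                       # study it
#   record_review pihole-install.sh                              # pin what you studied
#   run_if_reviewed pihole-install.sh                            # run only if unchanged

record_review() {
    # Store the SHA-256 of the reviewed file next to it.
    sha256sum "$1" | cut -d' ' -f1 > "$1.reviewed.sha256"
}

run_if_reviewed() {
    local file pin expected actual
    file=$1
    shift
    pin="$file.reviewed.sha256"
    # No pin means nobody recorded a review: fail closed.
    [ -f "$pin" ] || { echo "no review recorded for $file" >&2; return 2; }
    expected=$(cat "$pin")
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    # A re-download or a local edit changes the hash, so the reviewed
    # text and the executed text can never silently diverge.
    if [ "$actual" != "$expected" ]; then
        echo "refusing: $file changed since review" >&2
        return 3
    fi
    bash "$file" "$@"
}
```

The pin only protects against the script changing between review and execution, for example when it is downloaded a second time; it says nothing about whether the reviewed content is safe.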

I put my pi-hole installation on the metal, but there's also a very nice Docker Pi-hole setup if you prefer that. You can even go further, if, like me, you have a Synology NAS which can also run Docker, which can in turn run a Pi-hole.

Within the admin interface you can tail the logs for the entire network, which is also amazing to see. You think you know what's talking to the internet from your house - you don't. Everything is logged and listed. After installing the Pi-hole, roughly 18% of the DNS queries heading out of my house were blocked. At one point over 23% were blocked. Oy.

NOTE: If you're using an Amplifi HD or any "clever" router, you'll want to change the setting "Bypass DNS cache" otherwise the Amplifi will still remain the DNS lookup of choice on your network. This setting will also confuse the Pi-hole and you'll end up with just one "client" of the Pi-hole - the router itself.

For me it's less about advertising - especially on small blogs or news sites I want to support - it's about just obnoxious tracking cookies and JavaScript. I'm going to keep using Pi-hole for a few months and see how it goes. Do be aware that some things WILL break. Could be a kid's iPhone free-to-play game that won't work unless it can download an ad, could be your company's VPN. You'll need to log into http://pi.hole/admin (make sure you save your password when you first install, and you can only change it at the SSH command line with "pihole -a -p") and sometimes disable it for a few minutes to test, then whitelist certain domains. I suspect after a few weeks I'll have it nicely dialed in.



About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Sunday, April 14, 2019 2:31:31 AM UTC
I went the docker route and have been very happy with the results so far.

To increase usability for other family members, I've added a bookmarklet to their browsers that, once clicked, will disable the pi-hole for 5 minutes. This is great when using services that have such a wide range of ad domains that it isn't practical to white list them (ebates, for example).
Brian Ball
Sunday, April 14, 2019 2:55:09 AM UTC
I've been running a PiHole for a few years now, it's great. It doesn't take long to learn the things it'll always break (suggested results on Google, Google shopping, etc). Otherwise it's been mostly upside for me.

Little pro-tip: put a bookmark on your bookmark bar that points to the disable url of your pi-hole, you'll just need to add your own auth key. Then when you run into something that PiHole is blocking your bookmark will disable PiHole for 30 seconds so you can load the page.

pi.hole/admin/api.php?disable=30&auth=<your_auth_key_here>
Brett
Sunday, April 14, 2019 4:33:36 AM UTC
Worth noting that PiHole won't block some naughty devices that hardcode their own public DNS servers and ignore the one DHCP hands out (Roku comes to mind).

Once I added a NAT rule on my router to redirect all outgoing DNS port traffic to the PiHole regardless of destination, I'm blocking those requests as well.
Kam
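
The router rule described in the comment above, sketched for a Linux router that uses iptables. This is an added example, not taken from the comment or from the Pi-hole project; the function names are hypothetical and the interface and address are values you supply. It only covers plain DNS on port 53, so devices using DNS over HTTPS or TLS are not affected by it.

```shell
#!/usr/bin/env bash
# Added example: print (not apply) iptables rules that force LAN DNS through the Pi-hole.
# Usage, with placeholder values:  dns_redirect_rules br-lan 192.168.1.2 > dns-redirect.sh

valid_ipv4() {
    local old_ifs o
    # Digits and dots only, no empty octets.
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

dns_redirect_rules() {
    local lan_if pihole_ip proto
    lan_if=$1
    pihole_ip=$2
    # Validate both inputs, because the output is meant to be run as root.
    case $lan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;; esac
    valid_ipv4 "$pihole_ip" || { echo "bad IPv4 address" >&2; return 1; }
    for proto in udp tcp; do
        # Rewrite the destination of every DNS packet arriving from the LAN.
        # "! -s" exempts the Pi-hole itself; without it, the Pi-hole's own
        # upstream lookups would be sent straight back to it in a loop.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole_ip -p $proto --dport 53 -j DNAT --to-destination $pihole_ip:53"
        # Hairpin NAT: the Pi-hole is on the same LAN as its clients, so
        # masquerade redirected packets; the reply then returns through the
        # router and is translated back to the address the device asked.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -d $pihole_ip -p $proto --dport 53 -j MASQUERADE"
    done
}
```

Because of the masquerade rule, redirected queries show up in the Pi-hole log with the router as the client rather than the device that sent them.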
Sunday, April 14, 2019 4:46:56 AM UTC
Do try .NET Core based Technitium DNS Server on your Raspberry Pi! It got some nice features out of the box.
Sunday, April 14, 2019 9:12:15 AM UTC
Seeing as you have so many Pis performing in an array of different roles, do you have some form of central system management/provisioning in place? Would be interesting to know if you've managed to find something that supports the diverse selection of possible OSes as well as the limited resources of the Pi.
Sunday, April 14, 2019 7:30:14 PM UTC
Awesome little thing! Just checked, 61.9% blocked for me...
The bookmark thing pointed out by other comments is very cool, I'll absolutely add it to the bookmarks for everybody in the house.
Mark
Sunday, April 14, 2019 8:46:23 PM UTC
Make sure to also add the smart tv block list. https://github.com/Perflyst/PiHoleBlocklist

It's amazing how much "smart" devices phone home. I'm regularly at 70%-80% blocked because of my tv and roku. Last month's stats include:


Client Requests
roku 316012
tv-samsung-ks8000 223902
chris
Monday, April 15, 2019 11:26:19 AM UTC
I do it by using the Windows hosts file and copy-pasting this: https://github.com/StevenBlack/hosts
Teddy
Monday, April 15, 2019 12:24:13 PM UTC
I've been running Pi-Hole on an Ubuntu server in my basement for a few months, and it seems to be working well. I haven't noticed any ads being blocked, because I use browser addons for that. The hardest part of setting it up was configuring the router. (OpenWRT doesn't make changing the DNS server on DHCP easy.)
Monday, April 15, 2019 8:09:00 PM UTC
How is Pi-Hole different than a browser ad blocker?
Jake
Monday, April 15, 2019 8:33:16 PM UTC
@Jake
It works in your entire network and not just a single piece of software.
For instance, you'll get way fewer banners in (free) phone apps/games when you are connected to your wifi.
Ronald
Tuesday, April 16, 2019 12:08:25 PM UTC
@Jake

A browser based ad blocker stops your browser from requesting ads. Pi-Hole changes your internet's phone book to say that some addresses (the ones that host ads) don't exist.
Tuesday, April 16, 2019 1:52:08 PM UTC
I've just dropped this on a Pi I had knocking around and will give it a go on my desktop and phone before rolling it out for the whole family. It's already blocked a quarter of all traffic though! 😳
Richard Mercer
Tuesday, April 16, 2019 2:04:40 PM UTC
Thanks Scott. I just finished setting up pi-hole on my raspberry pi.
Wednesday, April 24, 2019 9:12:37 AM UTC
I use a first run Model B as a PiHole. On average it prevents 50-70% of the requests on my home network, seems whatever "social" sites my family uses are prolific. Best thing about it is as the router is configured to use the PiHole for DNS, everything on the network (including the guest wireless) automatically gets free blocking. I'm definitely a convert!

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.