results from running pi-hole for several weeks

I came across pi-hole recently: an ad blocker and DNS service that you can run on a Raspberry Pi under Raspbian, or on any Debian-like system (Debian or Ubuntu). Using pi-hole should obviate the need for ad-blockers in your browser, so long as you’re on a network that sends its DNS queries through pi-hole. (It blocks at the domain level, so ads served from the same hostname as the content you actually want still get through.)

I’ve seen some people running it on CentOS, but I’ve had issues with that combination, so I’m keeping to the .deb-based distros (specifically, I’m running it on the smallest Digital Ocean droplet size with Ubuntu 16.04).

First the good: it is truly stupidly simple to get set up and running. A little too simple, in fact; not because tools should have to be hard to use, but because the automated install script exposes very little configuration. Updating the blacklist and whitelist is also easy, though the changes don’t always take effect via the web portal as you’d hope.

Second, anything beyond the defaults is manual. If you want to use more than 2 upstream DNS hosts (I personally want to hit both Google and Freenom upstream), for example, you are editing files by hand. Or if you want password authentication on the web portal, you not only have to add it manually, you have to re-add it manually after any update.

Third, the bad. This is not a pi-hole issue per se, but it is still relevant: most devices that you would configure to hand out DNS for your home (or maybe even enterprise) network, e.g. your cable modem or home wifi router, want at least two DNS entries. Some devices let you set only one DNS provider, but not all. This goes some way towards showing why pi-hole might not be best run outside your network: if you run both DHCP and DNS off your RPi, and not off the wireless router you’re probably already running, then you’re OK. But if your wireless router / cable modem demands multiple DNS entries, you either need to run multiple pi-hole servers somewhere, or you need to accept that not everything will end up going through the hole.

Pi-hole sets up a lighttpd instance (which you don’t have to use) so you can see a pretty admin panel:

[screenshot: pi-hole admin panel]

I added authentication to the admin subdirectory by adding the following lines to /etc/lighttpd/lighttpd.conf after following this tutorial. Note that these lines actually configure HTTP digest authentication (auth.backend = "htdigest", "method" => "digest"), not basic auth: the browser sends an MD5-based response rather than the password itself, which matters while the page is still served over plain HTTP. lighttpd’s mod_auth also has to be loaded (via server.modules) for these directives to take effect:

# add HTTP digest auth for /admin (lighttpd mod_auth; on lighttpd 1.4.42 and
# later the htdigest backend lives in mod_authn_file, so load that too if the
# server complains about the backend)
server.modules += ( "mod_auth" )
auth.backend = "htdigest"
# one line per user: user:realm:md5(user:realm:password); the realm in the
# file must match the "realm" given below
auth.backend.htdigest.userfile = "/etc/lighttpd/.htpasswd/lighttpd-htdigest.user"
auth.require = ( "/admin" =>
    ( "method"  => "digest",
      "realm"   => "rerss",
      "require" => "valid-user" )
)
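The config above points at a user file but the post does not show how to populate it. The following is an added shell example (not from the post, pi-hole or lighttpd): it builds htdigest lines in the format lighttpd and Apache’s htdigest tool both use (user:realm:md5(user:realm:password)), writes a file with tight permissions, and checks that a given password matches the entry on disk before you point the web server at it. The realm "rerss" and the file path come from the config above; the user name and password are placeholders.

```shell
#!/bin/sh
# Added example: manage the htdigest user file referenced by the lighttpd config.
# Assumptions: realm "rerss" and the path under /etc/lighttpd/.htpasswd/ are the
# ones from the config; "admin" and the passphrase below are made up.
set -eu

# Print one htdigest line for USER REALM PASSWORD.
# HA1 is md5 over "user:realm:password" with no trailing newline.
make_htdigest_line() {
    user=$1 realm=$2 pass=$3
    ha1=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# Return 0 if FILE contains an entry for USER in REALM matching PASSWORD,
# non-zero otherwise (exact whole-line match, so a wrong realm also fails).
check_htdigest_file() {
    file=$1 user=$2 realm=$3 pass=$4
    expected=$(make_htdigest_line "$user" "$realm" "$pass")
    grep -qxF -- "$expected" "$file"
}

# Create (or replace) FILE with a single USER entry. The file ends up mode 640
# so the web server's group can read it but other local users cannot.
write_htdigest_file() {
    file=$1 user=$2 realm=$3 pass=$4
    umask 077
    make_htdigest_line "$user" "$realm" "$pass" > "$file"
    chmod 640 "$file"
}

# Usage on the pi-hole box (as root; lighttpd on Debian/Ubuntu runs as www-data):
#   f=/etc/lighttpd/.htpasswd/lighttpd-htdigest.user
#   mkdir -p "$(dirname "$f")"
#   write_htdigest_file "$f" admin rerss 'a long passphrase'
#   chown root:www-data "$f"
#   check_htdigest_file "$f" admin rerss 'a long passphrase' && echo ok
```

Because digest auth hashes the realm into HA1, changing "realm" in lighttpd.conf later means regenerating the file, which is one more thing an update that rewrites the config can silently break.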

I also have 4 upstream DNS providers in /etc/dnsmasq.d/01-pihole.conf (this file is regenerated by pi-hole’s install/update script, which is why this is one of the settings that does not survive an update):

server=80.80.80.80
server=8.8.8.8
server=8.8.4.4
server=80.80.81.81

I still need to SSLify the page, but that’s coming.

The 8.8.* addresses are Google’s public DNS. The 80.80.* addresses are Freenom’s. There are myriad other free DNS providers out there; these are just the ones I use.
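An added configuration example (not from the post or from pi-hole): the same four upstreams placed in a separate dnsmasq drop-in so they survive a pi-hole update, together with the two dnsmasq options that decide how a list of several upstreams is used. The filename 02-custom.conf is my choice; any name in /etc/dnsmasq.d/ that pi-hole does not itself write will do.

```conf
# /etc/dnsmasq.d/02-custom.conf  (added example; filename is an assumption)
# Keep your own upstream list here rather than in 01-pihole.conf, which
# pi-hole rewrites when it installs or updates.
server=8.8.8.8
server=8.8.4.4
server=80.80.80.80
server=80.80.81.81

# By default dnsmasq sends a query to one of the listed servers and may move
# between them, favouring ones it has seen answering; the list is therefore
# not a strict primary/secondary pair the way a router's DNS fields are.
# Pick at most one of the following to make the behaviour explicit:
#
# strict-order   try the servers in the order listed above, moving to the
#                next only when the previous one fails to answer
# all-servers    send every query to all servers at once and return the
#                first reply that comes back
strict-order
```

After editing, `pihole restartdns` (or restarting dnsmasq) picks the file up; with strict-order the order of the server= lines now matters, so put the resolver you trust most first.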

So what’s my tl;dr on pi-hole? It’s pretty good. It needs a little work to get it more stable between updates – but it’s very close. And I bet if I understood a little more of the setup process, I could probably make a fix to the update script that wouldn’t clobber (or would restore) any custom settings I have in place.

5 thoughts on “results from running pi-hole for several weeks”

  1. Regarding: ” if your wireless router / cable modem demands multiple DNS entries, you either need to run multiple pi-hole servers somewhere, or you need to realize not everything will end up going through the hole.”

    Every device I’ve encountered that allows/requires multiple DNS entries uses the first as primary, and the 2nd as secondary (and sometimes a 3rd as tertiary). Meaning that as long as the 1st (primary) DNS server is up, the second entry is not used. The 2nd entry would only be used if the primary server were to stop responding.

    I’ve been relying on this behavior on my own home network for years. I have my own DNS server set up and it’s the “primary” for all my other devices (Smartphones, media servers, Roku boxes, etc) and I’ve never had an issue with any of those devices bypassing my private DNS server (unless it was down).

    Have you ever actually tested this and/or encountered any devices which treat the DNS entries as round-robin rather than primary / secondary?

    1. Pi-hole itself doesn’t just use the primary upstream DNS provider – it seems to do some kind of round-robin

      My router won’t let you save a config unless at least two DNS servers are listed

      It’s not true for all devices, I’m sure – but it is for some
