Don’t fall for the trap that they recommend an expensive Pi 5: I am running Pi-hole on a Pi 2 but you can basically run this on obsolete hardware, whether that’s a Pi or a PC/laptop
I’m running Pi-hole and Pi-VPN on a Zero W (using a Geekworm case w/RJ45). It’s not very taxing at all.
I also run two other Pi-hole instances in my server cluster (one in Docker and one in an LXC container). Mostly just for uptime reasons, so I can take any one of them down at any time to perform maintenance and/or upgrade.
Can confirm. I have 10 year old pi2 that is dedicated to pi hole and even that is not utilizing all of its 1gb of memory
I run mine on a PI 0. Also use it as a samba disk partition for transferring files.
No performance impacts on regular browsing? I never dared to run a DNS on a wifi only device. Or are you using some kind of Ethernet over USB thing?
I’m running mine on a pi 0. Very slight latency difference - like 2-3ms. Totally worth it for blocking 30% of garbage on average. The decrease in time it takes to load anything more than makes up for the latency. We have over 20 devices on wifi. Both my son and I play online games and the only time I blame lag is when I suck lol.
I figured the latency would be no greater then going out to default dns, maybe a bit less.
You may even be able to run it on a NAS. My NAS supports docker, which means I can run a pihole on it. I have a Pi 3b as my dedicated primary, but my NAS runs as a backup.
The beauty is that you can shove Pi in it of course.
66.6% of all traffic is blocked with no functional impact on anything that I do
Okay. I’m convinced.
Misleading statement. It doesn’t block “traffic”, it blocks DNS requests… you don’t know how much traffic this corresponds to.
Correct. The payload of DNS requests is tiny compared to, say requesting a webpage. So there might not be a huge decrease of bandwidth usage reduction. However, having 66.6% less DNS requests is still a win. The router/gateway doesn’t have to work that hard because of the dropped requests.
It isn’t so much about the payload of the DNS requests, but about the content that would have been loaded if the DNS request hadn’t been blocked.
If you load a page that has 100kB of useful information, but 1MB of banner ads and trackers … you’ve blocked a lot more than 66%. But if you block 1MB of banner ads on a page that hosts a 200MB video, you’ve blocked a lot less.
Also a 66% blocked percentage seems very high. I have installed pihole on 2 networks, and I’m seeing 1.7% on my own network, but I do run uBlock on almost everything which catches most stuff before it reaches the pihole, and 25% on the other network.
I run a handful of instances across different networks, 1.7% is suspiciously low, you should make sure you’ve got the right lists. I like HageZi’s
I use firebog’s ticked lists, from what I can tell from the logs ad domains are blocked just fine.
But as I said, I have ublock origin on all my browsers which already catches most ads before they reach pihole, and I don’t use mobile a lot when I’m at home. Oh, and I also use Linux, so no Microsoft telemetry to block either.
1.7% makes perfect sense to me.
I was averaging ~1-2% blocked using the firebog and a few other lists, I also have ublock origin on everything I can. Added hagezi’s ‘pro plus’ list last month and it’s up to 39% blocked.
Yeah no ublock origin really won’t block all that many, the chattiest DNS comes from apps and smart devices, windows and mac laptops etc.
I also run ublock on all of my browsers
Yeah no ublock origin really won’t block all that many
Meh, it’s fairly easy to check this you know. If I turn off uBlock, my pihole logs do turn red. If it’s left on, pihole logs stay mostly green, with nothing suspicious or out of the ordinary getting through.
the chattiest DNS comes from apps and smart devices, windows and mac laptops etc.
I don’t have many of those. My work laptop is windows but it connects through a VPN only, and I have my smartphone that I barely use at home.
From my understanding, uBlock doesn’t have any impact on a pihole. Any browser-based ad blocker will work by detecting the ads after the DNS requests have been made. A properly functioning pihole would intercept the ads before the ad blocker. 1.7% seems suspiciously low; My primary pihole averages anywhere from 25-50%, depending on usage.
Your understanding is not correct. For page elements, uBlock prevents the domain from even trying to load, so no DNS request is ever made. Only if you go directly to an ad domain from the url bar (who does that?), does a DNS request get made.
For example, on my own webserver, I created a simple static html file with an <img> tag pointing to an ad domain that I know is blocked on uBlock as well as on the pihole. Like so:
<html> adblock test <img src="https://track.adtrue.com/some/bannerad.png"></img> </html>Loading that page, uBlock showed 1 blocked ad on that page, pihole only logged a DNS request to my webserver, not to
track.adtrue.com.Once I turned off uBlock in the browser and reloaded the page, pihole did log the request to
track.adtrue.comand blocked it. My browser showed a broken image.
Of course, because ads have zero bandwidth. /s
Are you an idiot?
As per the article
on my own network a whopping 66.6% of all traffic is blocked
I stated it’s actually 66.6% DNS requests being blocked, not the raw bandwidth utilization. Raw bandwidth savings (by not downloading the non-zero ads) would be much lesser.
Can’t we be nicer on the internet?
No, raw bandwidth savings would likely be very significant. You do realize that for many webpages the ads are most of the bandwidth? On my network (I have capped internet so this is important) if I run dns ad blocking my total bandwidth is 40% less.
I’m not sure whether it makes sense trying to discuss with you but let’s try…
You couldn’t know how much traffic you saved because you didn’t load the ad. The ad could be 1KB, 1MB or 1GB, but because you didn’t load it you wouldn’t know it’s size. Without knowing it’s size, you wouldn’t be able to calculate the savings.
As mentioned somewhere is in the thread you would have to directly compare two machines visiting the same pages and even then it’s probably only approximate because both machines might get served different ads.
I’ve compared average monthly bandwidth before and after implementation of dns based ad blocking and it has reduced my usage from anywhere from 33% to 45%.
They have been implying that ad blocking only saves the dns request, which is the most ridiculous ignorant claim I’ve ever seen.
You can easily find out. 2 machines (even virtual machines) one set it’s DNS to the PiHole, one not.
Both hit the same sites in the same order. Compare network traffic.
That’s only for a single case comparison. You can’t draw statistically meaningful conclusions about what percentage of traffic the pihole has blocked over a longer period of time.
I’ve been thinking of setting one up for a while, if I have a home server would I be better off hosting it on that or as a separate device? What are the alternatives to a raspberry pi? They’ve shot up in price over the years.
If you have a server running, I wouldn’t buy more hardware. They have good example documentation for just such a configuration:
https://docs.pi-hole.net/docker/
If your server already has those ports bound (specifically the DNS port 53) you are going to have to get creative; otherwise it’ll work well!
Worst case, a cheapo pi 3 will do the job. At one point I had it running on a pi zero, so hardware requirements are pretty low.
If your using docker and the ports are bound you can just use the network mode host so the container gets it’s own ip. It’s how I have adguard running on my unraid server
edit: Sorry I mixed up the details as @starkzarn@infosec.pub pointed out. It’s a macvlan configuration. My intention was to point out it’s possible. Here’s some documentation https://docs.docker.com/engine/network/drivers/macvlan/
That’s not how that works.
network_mode: hostshares the network namespace with the container host, so it doesn’t do any NAT, it only exists on the host’s IP. It would be akin to running a natively installed app, rather than in a container.macvlannetworking is what gives a container its own IP on the logical network, without the layer of NAT that the defaultbridgemode networking that docker typically does.Thanks for the clarification I had mixed up the details and went to check my containers. You sir are correct. I added some documentation to my post regarding macvlan network creation.
Thanks, PoopMonster, that’s a good tip!
I personally like it on a dedicated Pi simplly because I don’t want DNS to die if i’m doing other server maintenance. the Pi is pretty much set it and forget it.
But i guerss you might as well try it on your server first and you can always buy a Pi if you find it to be too much of a pain.
Setup and run two.
This way if one goes down, the other takes over (also makes updates / maintenance easier)
I put it onto my home server and it is working great. I can’t tell you about all the options, but it was so easy to start another VM for it that I didn’t look at other options too carefully.
Definitely dont bother with buying a pi if you’ve got other hardware.
I have one physical (a 3b I had no use for anymore), and two running as containers. The containers do most of the heavy lifting, since they are so much faster than a pi they respond far faster, but the physical is nice for when I take down the clusters for maintenance (or when I lose power, the clusters shut down after about 3 minutes, the pi will keep going for a while on UPS).
if you’ve already got something running 24/7, you could just put it there. it doesn’t need much for resources.
pihole does not need it’s own box. it can run as a container (docker instructions in the official docs) or in a small vm.
i have two small vm running dietpi and used that to install pihole. i fully expected to run a few more things on them, that’s why i chose dietpi–just have never gotten that far (it’s only been like three years now).
I have it on my Pi, and it does the job just fine. But if you have a home server with a little more power, do it there instead.
The last thing you want is your DNS to bottleneck. Never had a problem with my Rasp5, but it all depends on how many other services you try to run.
I run mine on a Intel N100 based mini PC from Beelink running Proxmox. It’s just about the only thing it does at the moment so I’ve had no concerns about bottlenecking.
It’s much more powerful than a pi and costs a not too dissimilar amount to one after you factor in a case, storage, power supply.
I run my main pihole on a pi and the backup on a NUC mini pc. Le Potato is a cheap pi alternative.
Any reason to use this instead of a free NextDNS?
Local hosting
Additionally you have control over it. Sure, you don’t need local since you’re using it in conjunction with the internet. You control it though. You decide entirely what you want to trust and don’t have to delegate that trust as much.
Raspberry Pi 1b > DietPi > Pi-hole > Unbound <3
I never hear anyone else talk about dietpi, I install that more than raspbian
Same
DietPi looks interesting, especially for a 0W and my older B+ model that’s just hanging around doing nothing…
I’m running mine in Alpine.
I use adguard home in conjunction with NextDNS.
I find adguard a little better in the UI department. Have it in a docker container so it’s a set and forget.
That was a great read. Really enjoyed that.
Getting an error trying to access this:
https://den.dev/blog/pihole has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
Works for me
Perhaps it’s blocked for you.
Are you getting MITM’ed by your work WiFi or something? You should be able to connect to it securely. If that security handshake is failing for some reason, it’s a red flag that someone is likely mucking with your traffic.
My work’s filter tagged the link as “Phishing”. Seems suspicious. That said, it works fine on my personal device; got a valid certificate and everything.
I played with a pi-hole setup for a bit. It was nice. I got distracted and set up NextDNS. That’s where I am now.
I like I can easily turn it on/off when I just need to do something and no time to fuss with it.
I’ve got a home server, just not fully setup and going yet, but someday…
Any thoughts on why I might do pi-hole over something like NextDNS? I think the cost is roughly $1/mo.
If that’s what you’re happy with and works for you, continue.
Personally, I’m creating an environment in which I’m not dependent on any cloud provider on the front end.
I do have a cloud backup solution for all my data files on the off chance I lose every single on-site backup and closely-held remote backups (read: not in main building but still on property…).
Just trying to get away from reliance on the existence of someone else’s computer/datacenter…
🤷♂️
Thanks for sharing the reasons for your approach.
There’s so many ways to accomplish this, such as ad guard or portmaster then add on the drivers for our choices. Finding the balance between privacy and easy of use is tough as it is. Then add in the rest of the family that’s more interested in things “just working”.
Used pihole for years. Loved it. Made the switch to nextdns a year ago. Not going back to pihole. There is nothing wrong with pihole. I got tired of all the time I spent tinkering with it. But, the biggest win for me…nextdns works when I’m off my home network. So I don’t have to deal with the whole vpn back into my home network for dns thing.
Anyone have recs for a site that I can pick up simple hardware for this purpose. Maybe not a pi but like a nuc? Or a refurbed.
You can try refurb NUC or mini PC on Amazon with N100 that you can find easily between $150-$200 range.
deleted by creator
eBay for NUC. Le potato for a pi alternative.
Ive got a pi hole running, but I’m not sure if it’s worth the hassle. To me it feels like it breaks more things than it helps.
If it’s websites that are breaking, maybe you are using some really aggressive blocklist. Also, you can use multiple blocklists and assign clients to them however you please.
What issues do you have?
Nothing in this article describes it solving any problem that isn’t better solved by an ad blocker. In fact they even admit that you still need an ad blocker anyway. So why bother with the pi hole?
Excellent question. You can set the Pi-hole as a default DNS provider on your router which will the set it as a DNS provider for any device connected via DHCP (which in a home network should be basically everything). This means ads will be blocked across all devices and apps instead of just your browser where you installed adblock.
That means you can play free games on your phone and have no pop up ads.
You can use Netflix ads tier and crave ads tier and the pi hole blocks them It’s amazing!!
Does that also work with a VPN?
