The Beauty of Having a Pi-Hole (2024)

325 points by mpweiher 10 days ago

37 comments

h4kunamata 9 days ago
I have run PiHole for years in my home network, I cannot live without it. Over the years, I have made small changes to increase my control over it.

I have a recursive DNS setup, PiHole filters everything, and what is left is processed locally via Unbound which, in turn, contacts the 13 root nameservers for DNS resolution. I don't use any third party DNS.

Add PiHole/Unbound caching capabilities, and surfing the internet is bloody fast.

Now, they alone cannot block everything, like smart TVs with hardcoded DNS, DNS-Over-TLS, DNS-Over-HTTPS, etc.

That is where OPNSense comes into play...

I have firewall rules in place so that nobody but the PiHoles can request name resolution. My Samsung smart TV trying to use Google DNS?? Blocked, PiHole takes over.

Devices trying to use DoT or DoH??? Blocked, PiHoles take over.

You can create a dynamic firewall rule with OPNSense so it will only block 443 and 853 if the host matches the list, which is updated daily.

To make everything even better, the OPNSense firewall makes sure no IoT device can access the local network but I can access them, like the wireless printer, etc., and if I need to access anything while on the road, like my cat's cam or my Voron 3D printer camera, WireGuard VPN makes sure of that. No VPN equals no network access.

It is just me and my devices, at the time of this writing:

* Domains on List: 500k
* Total queries: 43k
* Queries Blocked: 17k
* Percentage Blocked: 39%

I run GrapheneOS on my Pixel phone and very limited apps, I prefer the web version. The apps themselves are fully controlled and 99% of the access blocked. That is why I have fairly low numbers after purging all the logs a few days ago.

mikestew 10 days ago
In case you’re like a lot of folks in HN, read the title, and say to yourself “already have one”, read TFA for the iptables config that fixes those apps and devices that bypass local DNS. For example, the New York Times app seems to now use its own hard-coded DNS servers. Without having tried it, it looks like TFA has the fix for that.

EDIT: replies indicate that I, a person who is barely competent at many network tasks, might be off-base on this one. Grain of salt, and all.

everdrive 10 days ago
My router just ate itself after the breaker on the house got cycled a few times in rapid succession. The router is almost a decade old, so perhaps it's not surprising. As a consequence, my pihole is temporarily out of commission. When we first set it up, we had IOT, android, chromebook, etc. Currently the whole household is on Linux and we just have a couple of smartphones. (plus a steamdeck) My wife has a few ugly apps (facebook, instagram, etc) but outside of that we're in much better shape network-wise.

I used to spend a lot of time on my pihole trying to "fight the internet," but with this recent breakage, it just feels like what I need to be doing is just visiting fewer websites, owning less connected tech, and doing other things such as working outside or reading books. Blocking javascript goes a long way, but just avoiding bad websites, web apps, etc seems to be the only long-term solution.

xracy 10 days ago
Disclaimer: The below is not a complaint about the pi-hole itself, but the ways in which companies integrate ads into their online presence.

I've found my complaint about having a pi-hole is there are a number of services I use that expect/depend on ads existing in order to function. Things like, some shows on paramount+ (as an example) will fail to play (hang indefinitely) if an ad hasn't run before one of their shows, even though it theoretically shouldn't have ads?

Additionally, the other thing I run into, is that the first page of google is basically useless to me, even when the top result is an ad to the thing that I want, because when I click on the ad link, the pi-hole doesn't route me to the link I want. So I find I have to scroll down a half-page to get to the regular link I googled for.

If anyone has any workarounds for these issues, I've otherwise really enjoyed having a pi-hole. (Though my friends frequently tell me to stop talking about it, they'll say "shut your pi-hole", really weird).

Edit: Seems like they recommend tailoring the list of accepted domains for things in the article. (Will do this for paramount, I guess).

For Google, I separately stopped using an ad-blocker because it broke youtube when I did, even though I shouldn't get ads on youtube to begin with... God I hate the internet some days. But I imagine the easiest thing to do is to add that back so I can ignore those links.

itchyouch 10 days ago
For the cost and simplicity, NextDNS is way easier IMO. Nice quality of life apps that install on your phone and computer to toggle it on/off while on-the-go, while also being able to be set up on the router.

Makes it nice and easy for the non-technical members of the fam.

perdomon 9 days ago
I love my pi-hole but am surprised to see him recommending a $155 kit + keyboard, mouse, and monitor. My pi-hole runs on a Pi Zero 2W and connects via USB for power. The entire setup process happens over SSH and it cost me about $25. If someone can figure out how to configure their network for the pi-hole, I’m sure they can also figure out SSH.

iramiller 10 days ago
What I want is something that amounts to a stateful firewall/allow list on top of PiHole ... if a device is attempting to connect to an ip address which was not resolved by PiHole then it gets blocked ... Similarly if the RDNS for an address resolves to a domain PiHole would block it gets dropped as well.

Far too many apps/IoT/appliances have gotten smart and use DoH (or similar methods of circumventing network control). Despite that they all require routing and can still be forcibly cut off.
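
The allow-list idea in this comment, combined with the "only the Pi-hole may answer DNS" rule described earlier in the thread, can be tried offline as an audit before enforcing anything. This is an added example, not code from any commenter or from the Pi-hole project; the addresses, the log tuple layouts and the 30-second grace period are assumptions.

```python
from ipaddress import ip_address, ip_network

# All addresses and log layouts below are constructed for this example.
PIHOLE = "192.168.1.2"                 # assumed Pi-hole address
LAN = ip_network("192.168.1.0/24")     # assumed home subnet
GRACE = 30                             # assumed slack (s) after a record's TTL

# Pi-hole answers: (epoch_s, client, name, answer_ip, ttl)
DNS_ANSWERS = [
    (1000, "192.168.1.50", "api.example.com", "203.0.113.10", 300),
    (1005, "192.168.1.60", "cdn.example.net", "203.0.113.20", 60),
]

# Firewall flow records: (epoch_s, src, dst, proto, dport)
FLOWS = [
    (1010, "192.168.1.50", "203.0.113.10", "tcp", 443),  # resolved via Pi-hole
    (1012, "192.168.1.50", "192.168.1.2", "udp", 53),    # normal DNS query
    (1015, "192.168.1.70", "8.8.8.8", "udp", 53),        # hard-coded public DNS
    (1020, "192.168.1.70", "198.51.100.5", "tcp", 853),  # DNS-over-TLS
    (1030, "192.168.1.70", "198.51.100.7", "tcp", 443),  # IP never resolved
    (1040, "192.168.1.50", "192.168.1.10", "tcp", 631),  # LAN printer
    (1100, "192.168.1.60", "203.0.113.20", "tcp", 443),  # answer expired
]


def classify(flow, answers):
    """Return the verdict a resolved-IP allow list would give one flow."""
    ts, src, dst, _proto, dport = flow
    if src == PIHOLE:
        return "allow:resolver"        # the resolver itself must reach upstream
    if dport in (53, 853):             # plain DNS and DoT only toward the Pi-hole
        return "allow:dns" if dst == PIHOLE else "block:dns-bypass"
    if ip_address(dst) in LAN:
        return "allow:lan"             # LAN peers are never looked up by name
    for a_ts, client, _name, ip, ttl in answers:
        if client == src and ip == dst and a_ts <= ts <= a_ts + ttl + GRACE:
            return "allow:resolved"
    return "block:unresolved"          # includes DoH to an IP learned elsewhere


def audit(flows, answers):
    """Map each source host to the flows that would be dropped, in time order."""
    dropped = {}
    for flow in sorted(flows):
        verdict = classify(flow, answers)
        if verdict.startswith("block:"):
            dropped.setdefault(flow[1], []).append((flow[2], flow[4], verdict))
    return dropped


if __name__ == "__main__":
    for host, hits in audit(FLOWS, DNS_ANSWERS).items():
        print(host, hits)
```

The last constructed flow shows the practical cost of this design: a client that keeps using an answer past its TTL plus the grace period is dropped, so running the audit against real logs first shows which devices would break.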

dend 10 days ago
Author of the article here (thank you mpweiher for the submission). Pi-Hole has been, hands-down, the best infrastructure investment in our household. At this point I have 2MM+ domains blocked and the performance has been great.

jstanley 10 days ago
I really don't understand why people go to the trouble of using Pi-hole that only blocks at the DNS level, instead of using uBlock Origin which can block at the DOM level.

uBlock Origin is easier and cheaper to set up, less maintenance, and more effective.

imgabe 9 days ago
I had been meaning to do this for the longest time. I even had a couple spare raspberry Pis laying around, but didn't want to set it up. Finally, I realized you don't need a raspberry pi at all. It's running in docker on my plex server. Much less friction. Don't get hung up on needing to run it on a raspberry pi.

parpfish 10 days ago
i'd love a pihole, but networking has always been a bit of a blindspot for me. i never really understand what i'm doing, and when things break it's a game of guess'n'check which stackoverflow/gpt answer will fix it.

these walkthroughs always make it look easy, but no matter how easy the set up is you can't escape the fact that you're adding a layer of complexity to the network and i just don't want to maintain it. i fully expect that there'd be some weird conflicts that come up with work VPNs and I'd just have to disable it because i don't know what i'm doing.

lambdaba 10 days ago
Tailscale with NextDNS is a simpler alternative to this and is easy to set up on all your devices.

whalesalad 10 days ago
My power went out today. Which means at some point my UPS' run out of capacity and my core infra VM host has to shut down. I run Adguard on that device ... so once it is gone, my ad-blocking is gone.

I loaded a few websites during the interim period between DNS services going down, and the entire core infra going down (about 30 mins of just rawdog internet usage) and it is truly unusable. I don't know how people use the modern internet without network-wide ad blocking.

ryandrake 10 days ago
Standard reminder for whenever Pi-Hole gets brought up: You don't actually need a physical Raspberry Pi for this functionality, and you don't even need the Pi-Hole software. It's all just wrappers around dnsmasq[1], which every Linux distribution makes available via their package manager. If you have an old spare Linux system on your LAN already, doing whatever, you can just install and set up dnsmasq and point your clients' DNS settings at it! You can run it on your Internet gateway or rooted WiFi router, too.

1: https://en.wikipedia.org/wiki/Dnsmasq

dark-star 10 days ago
> 66.6% of all traffic is blocked

I hear things like this a lot from PiHole users. But it's incorrect.

Correct would be: 66.6% of DNS requests have been blocked. This says nothing about the actual volume of traffic/data that has been blocked

Dries007 10 days ago
After having some persistent issues with my previous pi-hole setup, running as an add-on on my Home Assistant rPi 5, I moved to AdGuard Home on dedicated hardware.

I run it on a rPi Zero 2W (15$), with the Waveshare Ethernet / USB HUB BOX (16$). Together with a power brick (5$) and a meh µSD card, it's very affordable. I did add a small heatsink on the CPU and left the lid off the box to improve the temperature situation (it's in a small room that easily gets warm).

Software wise I've opted for DietPi, which works great for this kind of "dedicated device" pi setup. Current up-time is 135 days, with the last reboot being likely due to a power/breaker issue. It's truly become a set and forget thing now. It also runs Tailscale (not as exit node due to USB 2.0 limited bandwidth for Ethernet) and a dynamic DNS refresh script on a timer. It still has some headroom, but I prefer to keep it rock solid and do more fancy stuff on my Home Assistant pi, which gets rebooted/updated more frequently.

I do have the option to set my DNS settings in my router (ISP provided routers don't have that option here typically), so all of my devices follow.

In combination with µBlock Origin and SponsorBlock in my browser, I almost cry every time I see the "raw" internet on other people's devices. The only remaining source of ads is if I watch YT via my TV, so if someone has ideas to make that stop, I'm all ears. (I used to pay for the discontinued Premium Basic, but I refuse to pay double for a bunch of crap "features" I don't want/need.)

vagab0nd 3 days ago
How do folks deal with Pi-hole unintentionally breaking normal websites? I used it for a couple of months until one day I spent 30 minutes trying to log in to a payment website with no success. Then I remembered I had Pi-hole running. I know the solution was probably to whitelist certain URLs, but at the time I just gave up and disabled Pi-hole.

the_dude_ 10 days ago
it's a good post, however I agree with the comments there and here that a raspberry pi 5 with 8gb ram is an overkill for just running pihole. a good old Raspberry Pi 3 Model B with 1gb ram is enough and it will still have capacity to run other things there. And of course pihole can run on an old laptop or desktop box you already have so no need to buy a device just for the sake of it. I would rather not run it as a docker container though but that's just my preference

rockbruno 10 days ago
Setting up a Pi-Hole taught me a ton about how networks work. It's a really cool thing to set up for fun.

10729287 9 days ago
> (You will need) A monitor, mouse, and keyboard that you can plug into the Raspberry Pi as you set it up.

Raspberry pi can be set up to boot with ssh login/password, so you don't even need wired mouse and keyboard.

incomingpain 10 days ago
<3 my pihole.

Currently I'm at 28% blocked. Typically I'm above 50% like OP.

They have a significantly higher number of domains blocked. Time to update my lists: https://firebog.net/

firesteelrain 10 days ago
Always wanted to do this but if I get a call from home and I am either

1) at work
2) out of town
3) or just not home

Then, my family's ability to troubleshoot if PiHole goes down is extremely limited. Even if I had two.

jerome-jh 9 days ago
+1 for using a picture of "the little mole" https://www.ceskatelevize.cz/porady/898287-o-krtkovi/ https://www.youtube.com/channel/UC8ZKvF049Iku9y41WpIUUCA

lproven 9 days ago
I did this in March:

https://www.theregister.com/2025/03/08/pi_hole_6_flyby/

TBH I was surprised how easy it was, how unobtrusive it is, and how a bit of borderline e-waste that was in my spares box now helps every device on the network, including things like phones where I can’t so easily add ad-blocking.

flaburgan 10 days ago
Does it really have to be installed in the local network? I would like to set it once in a server and then be able to configure the box of all my friends, family, etc.

HelloUsername 10 days ago
Posted on 28-aug-2024

https://news.ycombinator.com/item?id=41382231

chilldsgn 9 days ago
I used to have one on my network. Then I wanted to use my RPi for some other experimentation and just kind of forgot about it. I run adblockers on my browsers anyway, but been feeling the need to start using pi-hole again recently.

duckkg5 10 days ago
$155 seems like a lot. I do this with a $5 pi zero and a $5 adapter and it works flawlessly.

nicoloren 9 days ago
Some years ago I used Privoxy on my computer to filter unnecessary requests. It worked great and is an alternative to consider if you don't want a computer plugged in 24/24 on your network.

chaoskitty 10 days ago
I wonder if anyone has made it easy to run the Pi Hole software on regular Unix-like systems without containers and without machine specific binaries. Perhaps I'll have to give that a try some time.

more_corn 10 days ago
One problem I have is that I can’t get my pihole to stop blocking archive links. Can’t find it in the blacklist, whitelisting doesn’t work.

wvenable 9 days ago
I love having an Eero router for the simplicity but I hate that I cannot do all the Linux routing tricks that I used to do.

M95D 10 days ago
For those who think DNS-over-HTTPS can't be blocked: just disable routing and use a whitelist filtering proxy server instead.

roydivision 9 days ago
I choose browser plugins instead for a more consistent experience, at home or anywhere.

wkat4242 10 days ago
I wouldn't bother buying a raspberry pi 5 to run this shit though, as the article suggests. It's way overkill.

Just run the docker on another server you're running anyway, or run it on a raspberry pi zero 2W for $15. A pihole does so little work, it doesn't benefit from a pi 5.

I just run it on a VPS that costs me 3€ per month and runs lots of other stuff too like an IRC bouncer. That way I can access it from everywhere.

troebr 10 days ago
I like the idea, but also it wouldn't feel fair for some services that I use like Twitch, or some cooking websites. I get that they sometimes really abuse all that stuff, but also I feel like they deserve some kind of compensation.

danielovichdk 9 days ago
Listen. Pi-Hole is forever something I resemble with American Pie.

Good luck with whatever it is. Can't go there.