Pi-hole - a network-level adblocker

How many of you use Pi-hole or similar solutions for advertising and other crap online?

I set one up a few days ago. Before I had an Asus router with Diversion to block ads. Worked fine, but was locked to Asus routers which I did not like. I used Pi-hole a few years ago. So this is not new to me. But I like it!

We can share some tips and blocklists in this thread.

I do not have many lists in Pi-hole. Some I use are:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://mirror1.malwaredomains.com/files/justdomains
https://dbl.oisd.nl/

With them activated, I have around 1,104,894 blocked domains.

A screenshot for those of you who have not seen Pi-hole before:

9 Likes

Mine’s now close to 3 years old, but didn’t do much on the blocklists, all pretty standard.
What I did change though is to also install https://en.wikipedia.org/wiki/Unbound_(DNS_server) on the same Raspi.

1 Like

I’m using pfBlocker with DNSBL in pfsense.
It works flawlessly, just need to disable DOH in Firefox.

2 Likes

Which are the advantages over a DNS DOH or DOT with adblocking?

1 Like

Unbound is a DNS resolver in pfsense, which receives the DNS requests.
Then it sends them to pfBlocker DNSBL, which filters the requests based on feed lists.
In case a match happens, it gives you an internal IP address instead of the requested URL IP address.

If you are using DOH (DNS over HTTPS), the request doesn’t reach Unbound, it goes through port 443 and not through port 53 in which Unbound is listening… In this case, it won’t work.

Same happens with DOT (DNS over TLS), but the request now is for port 853.

3 Likes
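An added example (not part of the original posts) of how the bypass described above can be spotted from firewall flow records: any client that talks DNS on port 53 to another resolver, uses DoT on port 853, or opens port 443 to a known public resolver never reaches the filtering resolver. The resolver address, the sample resolver IPs and the flow records are assumptions constructed for illustration.

```python
import ipaddress

LOCAL_RESOLVER = "192.168.1.2"  # assumption: the Pi-hole / pfSense Unbound address
# Assumption: a short sample of well-known public resolver IPs, not a complete list.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flow records in the form "src dst proto dst_port".
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.2 udp 53
192.168.1.21 8.8.8.8 udp 53
192.168.1.22 1.1.1.1 tcp 853
192.168.1.23 1.1.1.1 tcp 443
192.168.1.23 203.0.113.10 tcp 443
192.168.1.2 9.9.9.9 tcp 853
not a flow record
"""

def classify(src, dst, proto, port):
    """Label one flow as a resolver bypass, or return None if it is not one."""
    if LOCAL_RESOLVER in (src, dst):
        return None  # queries to the filter, and its own upstream traffic, are expected
    if port == 53:
        return "plain DNS to another resolver"
    if proto == "tcp" and port == 853:
        return "DoT"
    if proto == "tcp" and port == 443 and dst in PUBLIC_RESOLVERS:
        return "possible DoH"  # IP match only: unlisted DoH endpoints are missed
    return None

def find_bypasses(flow_text):
    """Return (client, destination, label) for every bypassing flow."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            src, dst, proto, port = parts
            ipaddress.ip_address(src), ipaddress.ip_address(dst)
            label = classify(src, dst, proto.lower(), int(port))
        except ValueError:
            continue  # skip malformed records instead of failing the whole run
        if label:
            findings.append((src, dst, label))
    return findings

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_FLOWS):
        print(*finding)
```
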

I have a few PIs and heard about Pi-hole (weird name). Is it easy to set up?

1 Like

Yes, it’s easy, bunch of tutorials out there.

2 Likes

Have not tried yet, but share it here:

2 Likes

I got one running. Pretty basic set up though, so appreciate this thread. :+1:

1 Like

I have a docker installed on UNRAID.

My block lists are:

https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Easylist.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt

Plus I also block th.ad.lgsmartad.com to remove ads from my LG TV.

I only have just under 100K blocked.

2 Likes

Using these lists:

Malicious:

http://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt - AntiSocial_BD
https://blocklist.cyberthreatcoalition.org/vetted/domain.txt - C19_CTC
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt - D_Me_Malv
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt - D_Me_Malw
https://www.malwaredomainlist.com/hostslist/hosts.txt - MDL
https://mirror1.malwaredomains.com/files/justdomains - MDS
https://mirror1.malwaredomains.com/files/immortal_domains.txt - MDS_Immortal
http://winhelp2002.mvps.org/hosts.txt - MVPS
https://www.stopforumspam.com/downloads/toxic_domains_whole.txt - SFS_Toxic_BD
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt - Spam404
https://someonewhocares.org/hosts/hosts - SWC

ADs:

https://adaway.org/hosts.txt - Adaway
http://sysctl.org/cameleon/hosts - Cameleon
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt - D_Me_ADs
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt - D_Me_Tracking
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml - Yoyo

EasyList

https://easylist-downloads.adblockplus.org/easylist_noelemhide.txt - EasyList
https://easylist-downloads.adblockplus.org/easylistportuguese.txt - EasyList_Portuguese
https://easylist-downloads.adblockplus.org/easyprivacy.txt - EasyPrivacy

Also, blocking known malicious IPs and allowing only Brazilian IPs to reach my VPN server.
That is why I prefer pfBlocker, it’s not a simple DNS filter, you can use geoIP, and use IPs lists for firewall rules…

1 Like

I run DoH in my Raspberry pi too. I followed this and got everything working without difficulty:

You are using cloudflare instead of querying the root servers directly.
This means that you are changing your point of trust from your ISP to Cloudflare.

Your DNS queries go encrypted as far as Cloudflare, so your ISP can’t read them.

There are a few choices; some people use DoT inside their network, which means that you are going to encrypt your DNS packets to your DNS server, which is your Pi, and then these requests go to the server of your choice, using DoH, DoT, or without encryption.

I personally don’t like big companies, so I just forward my DNS queries directly to the DNS root servers, using DNSSEC.

I know. My ISP can save data for 6 months. Cloudflare should delete logs after 24 hours. So they say, anyway.

Yeap, that’s what they say until someone finds otherwise…
root servers still seem to be a better choice for me.
But as I said earlier, you have so many choices, just use what fits better for you…
I’m kind of a privacy freak, don’t listen to me :slight_smile:

1 Like

I have read that they should have something automatic that removes logs after 24 hours. They should also have some people who check that everything is handled correctly.

Unfortunately, I can not find where I read it now.

But you have to check everything carefully before. Then you always have to trust someone at some point.

1 Like

Exactly, this is what the Internet is all about, someone is always watching.
Also, this is something I learned during my life, there is no free lunch…
So these free services… I really avoid those…

1 Like

If a service is free, you’re the product, not the customer.

9 Likes

Those are very different questions.

You can set up your pi-hole to use DOH or not and you can set up your browser to use DOH or not. If you set your browser to use DOH, it will bypass the pi-hole.

None of those things are good or bad, it is all personal choice. There are reasons to do any or all of those things.

As for “What are the advantages of using a pi-hole over a browser-based ad-blocker” there are a couple of things.

  • The biggest one is that it is network wide. It impacts everything on your network including things which have no ways to block ads on their own.
  • Since it is just blocking DNS, it is also very fast and uses no resources on the client.

But there are also disadvantages. It blocks at the domain level so it will never be as effective as a browser-based adblocker which can block things more specifically and do rules-based blocking.

My recommendation is to use both. Use the pi-hole to protect everything on your network and use a browser-based adblocker such as ublock origin in your browser.

3 Likes
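An added example (not part of the original posts) of what domain-level blocking means in practice: blocklists in hosts format and in one-domain-per-line format are merged into one de-duplicated set, and the resolver then decides on the hostname alone. The sinkhole address, the list contents, the upstream records and the exact-name matching are assumptions constructed for illustration; real blockers differ in how they treat subdomains.

```python
import ipaddress
from urllib.parse import urlsplit

SINKHOLE_IP = "10.10.10.1"  # assumption: internal address answered for blocked names

# Constructed samples of the two list formats (hosts file and one domain per line).
HOSTS_LIST = """\
# constructed hosts-format list
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
"""
DOMAIN_LIST = "ads.example.com\nMalware.Example.org.\n"

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_blocklist(text):
    """Return the set of domain names in a hosts-format or domain-per-line list."""
    domains = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if not fields:
            continue
        names = fields[1:] if is_ip(fields[0]) else fields[:1]
        # Skip single-label names such as localhost; they are not blockable domains.
        domains.update(n.rstrip(".") for n in names if "." in n.rstrip("."))
    return domains

def answer(url, blocked, upstream):
    """Resolve the host of `url`: sinkhole if listed, else the upstream record."""
    host = urlsplit(url).hostname  # the resolver never sees the path or query
    return SINKHOLE_IP if host in blocked else upstream.get(host)

BLOCKED = parse_blocklist(HOSTS_LIST) | parse_blocklist(DOMAIN_LIST)
UPSTREAM = {"cdn.example.org": "203.0.113.7"}  # constructed upstream answers

if __name__ == "__main__":
    print(len(BLOCKED), "unique domains after merging")
    for url in ("https://ads.example.com/banner.js",
                "https://cdn.example.org/article.html",
                "https://cdn.example.org/ads/banner.js"):
        print(url, "->", answer(url, BLOCKED, UPSTREAM))
```

The last two URLs get the same answer because they share a hostname, which is the limitation a browser-based blocker with path rules does not have.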

Arch consumes me everyday!! :scream:

2 Likes