Blocking ads before they enter your house at the DNS level with pi-hole and a cheap Raspberry Pi
Lots of folks ask me about Raspberry Pis. How many I have, what I use them for. At last count there's at least 22 Raspberry Pis in use in our house.
- One runs our dakboard family dashboard that we built in a weekend but use every day.
- We have 3 that are set up for retrogaming - one in a 3D printed Gameboy (A pi-grrl, in fact), one in an X-Arcade Tankstick, one in a tiny laser-cut arcade case for the desktop.
- I have a Raspberry Pi that runs one of my 3D Printers running Octoprint. This one also has a camera and does time-lapse videos of my 3D prints.
- We have another 3 that run little robots my sons and I have built
- 6 are running in a local Kubernetes Cluster
- These 6 Pis are my personal cloud, so maybe there's 16 Pis in the house and one Pi Cloud/Cluster.
- One is an internet radio in the 13 year old's room running PiMusicBox.
- One is a touchscreen tablet the 11 year old uses for Scratch. Imagine a Linux iPad.
- One runs Kodi as an entertainment center in the kids' play room.
- One lives in a CrowPi that we use for experiments and .NET Core remote debugging.
- Another three are Raspberry Pi Zero Ws for various experiments with one Pi Zero W acting as a backup Open Source Artificial Pancreas.
- and most recently one is a Pi-hole. A Black hole that eats tracking cookies, advertising, and other bad stuff. See also "shut your pie hole." AKA that place you put pie.
A Pi-hole is a Raspberry Pi appliance that takes the form of a DNS blocker at the network level. You image a Pi, set up your network to use that Pi as a DNS server and maybe white-list a few sites when things don't work.
I was initially skeptical, but I'm giving it a try. It doesn't process all network traffic, it's a DNS hop on the way out that intercepts DNS requests for known problematic sites and serves back nothing.
Installation is trivial if you just run unread and untrusted code from the 'net ;)
curl -sSL https://install.pi-hole.net | bash
Otherwise, follow their instructions and download the installer, study it, and run it.
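The download, study, run sequence can also guarantee that what runs is exactly what was read. This is an added example, not part of the original post or the Pi-hole project; the function names and the local file name `pihole-install.sh` are assumptions.

```shell
# Added example: fetch the installer to disk, review it, then run only
# the bytes that were reviewed. Names below are illustrative.

# Save the installer instead of piping it into a shell. -f makes curl fail
# on HTTP errors, and a dropped connection leaves a file you never run
# rather than a half-executed script.
fetch_installer() {
    local url="$1" dest="$2"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# Print the SHA-256 of a file; record it once the script has been read.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Run the script only if it still hashes to the value recorded at review
# time. Optional extra arguments name the runner (default: bash).
run_if_reviewed() {
    local script="$1" reviewed_hash="$2" actual
    shift 2
    [ "$#" -gt 0 ] || set -- bash
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$reviewed_hash" ]; then
        echo "refusing to run: $script does not match the reviewed copy" >&2
        return 1
    fi
    "$@" "$script"
}

# Typical session:
#   fetch_installer https://install.pi-hole.net pihole-install.sh
#   less pihole-install.sh                     # read it
#   reviewed="$(sha256_of pihole-install.sh)"  # pin what you read
#   run_if_reviewed pihole-install.sh "$reviewed" sudo bash
```
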
I put my pi-hole installation on the metal, but there's also a very nice Docker Pi-hole setup if you prefer that. You can even go further, if, like me, you have a Synology NAS which can also run Docker, which can in turn run a Pi-hole.
Within the admin interface you can tail the logs for the entire network, which is also amazing to see. You think you know what's talking to the internet from your house - you don't. Everything is logged and listed. After installing the Pi-hole roughly 18% of the DNS queries heading out of my house were blocked. At one point over 23% were blocked. Oy.
NOTE: If you're using an Amplifi HD or any "clever" router, you'll want to change the setting "Bypass DNS cache" otherwise the Amplifi will still remain the DNS lookup of choice on your network. This setting will also confuse the Pi-hole and you'll end up with just one "client" of the Pi-hole - the router itself.
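The blocked percentage and the per-client view described above can be reproduced from the query log itself, which also exposes the single-"client" symptom from the note. This is an added example, not code from the post or from Pi-hole; it assumes dnsmasq-style lines of the form `query[TYPE] name from client` and `gravity blocked name is address`, and the sample log is constructed.

```shell
# Constructed sample in dnsmasq log style (assumed format; check your own log).
sample_log() {
cat <<'EOF'
Jan  5 10:00:01 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20
Jan  5 10:00:01 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 10:00:02 dnsmasq[1234]: query[A] example.org from 192.168.1.20
Jan  5 10:00:02 dnsmasq[1234]: forwarded example.org to 192.0.2.53
Jan  5 10:00:03 dnsmasq[1234]: query[AAAA] telemetry.example.com from 192.168.1.31
Jan  5 10:00:03 dnsmasq[1234]: gravity blocked telemetry.example.com is ::
Jan  5 10:00:04 dnsmasq[1234]: query[A] example.org from 192.168.1.31
Jan  5 10:00:05 dnsmasq[1234]: query[A] telemetry.example.com from 192.168.1.31
Jan  5 10:00:05 dnsmasq[1234]: gravity blocked telemetry.example.com is 0.0.0.0
EOF
}

# Emit "client queries blocked" per client, busiest first. A block is
# attributed to the client that most recently asked for that name.
per_client() {
    awk '
    $5 ~ /^query\[/ && $7 == "from" { q[$8]++; asker[$6] = $8 }
    $5 == "gravity" && $6 == "blocked" { b[asker[$7]]++ }
    END { for (c in q) printf "%s %d %d\n", c, q[c], b[c] }
    ' | sort -k2,2nr -k1,1
}

# Share of all queries that were blocked, as a percentage.
blocked_percent() {
    per_client | awk '{ q += $2; b += $3 }
                      END { printf "%.1f\n", q ? 100 * b / q : 0 }'
}

# Number of distinct clients seen. If this is 1 on a busy network, the
# router is probably proxying DNS and hiding the real clients.
client_count() {
    per_client | wc -l | tr -d ' '
}

# Usage against a real log (path is a placeholder):
#   per_client < "<path to your Pi-hole query log>"
```
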
For me it's less about advertising - especially on small blogs or news sites I want to support - it's about just obnoxious tracking cookies and JavaScript. I'm going to keep using Pi-hole for a few months and see how it goes. Do be aware that some things WILL break. Could be a kid's iPhone free-to-play game that won't work unless it can download an ad, could be your company's VPN. You'll need to log into http://pi.hole/admin (make sure you save your password when you first install, and you can only change it at the SSH command line with "pihole -a -p") and sometimes disable it for a few minutes to test, then whitelist certain domains. I suspect after a few weeks I'll have it nicely dialed in.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
Little pro-tip: put a bookmark on your bookmark bar that points to the disable url of your pi-hole, you'll just need to add your own auth key. Then when you run into something that PiHole is blocking, your bookmark will disable PiHole for 30 seconds so you can load the page.
pi.hole/admin/api.php?disable=30&auth=<your_auth_key_here>
Once I added a NAT rule on my router to redirect all outgoing DNS port traffic to the PiHole regardless of destination, I'm blocking those requests as well.
The bookmark thing pointed out by other comments is very cool, I'll absolutely add it to the bookmarks for everybody in the house.
It's amazing how much "smart" devices phone home. I'm regularly at 70%-80% blocked because of my tv and roku. Last month's stats include:
Client Requests
roku 316012
tv-samsung-ks8000 223902
It works in your entire network and not just a single piece of software.
For instance, you'll get way less banners in (free) phone apps/games when you are connected to your wifi.
A browser based ad blocker stops your browser from requesting ads. Pi-Hole changes your internet's phone book to say that some addresses (the ones that host ads) don't exist.
To increase usability for other family members, I've added a bookmarklet to their browsers that, once clicked, will disable the pi-hole for 5 minutes. This is great when using services that have such a wide range of ad domains that it isn't practical to white list them (ebates, for example).