antipaucity

fighting the lack of good ideas

rethinking pi-hole (again)

About 2 years ago, I started running Pi-hole as a DNS resolver and ad-blocker. Then last year, I ditched it.

After seeing a recent post by Troy Hunt, though, I thought it might be worth revisiting..but I needed a better way to control how it worked.

Enter OpenVPN – a service I already run on three endpoints. Here’s what I did:

Install Pi-hole per the usual (curl -sSL https://install.pi-hole.net | bash if you’re feeling brave, curl -sSL https://install.pi-hole.net, inspect, then run, if you’re feeling a little more wary).

This time, though, I set my upstream DNS providers to Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) instead of Freenom and Google.

I also did a two-step install – once with Pi-hole listening on the primary network interface on my OpenVPN endpoint (ie the public IP), and then, once I made sure all was happy, I flipped it to listen on tun0 – the OpenVPN-provided interface. This means Pi-hole can only hear DNS queries if you’re connected to the VPN.

Why the change from how I’d done it before? Two reasons (at least):

First, if you leave Pi-hole open to the world, you can get involved in DNS amplification attacks. That is muy no bueno.

Second, sometimes I don’t care about ads – sometimes I do. I don’t care, for example, most of the time when I’m home. But when I’m traveling or on my iPhone? I care a lot more then.

Bonus – since it’s only “working” when connected to my VPN, it’s super easy to check if a site isn’t working because of Pi-hole, or because it just doesn’t like my browser (hop off the VPN, refresh, and see if all is well that wasn’t when on the VPN).

Changes you need to make to your OpenVPN’s server.conf:


push "dhcp-option DNS 10.8.0.1"

This ensures clients use the OpenVPN server as their DNS resolver. (Note: 10.8.0.1 might not be your OpenVPN parent IP address; adjust as necessary.) Restart OpenVPN after making this change.

My setupVars.conf for Pi-hole:


PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
WEBPASSWORD=01f3217c12bcdf8aa0ca08cdf737f99cd68a46dbdc92ce35fd75f39ce2faaf81
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=1.0.0.1
PIHOLE_DNS_3=9.9.9.9
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=false

I tried getting lighttpd to only listen on on port 443 so I could use Let’s Encrypt’s SSL certs following a handful of tutorials and walk-throughs, but was unsuccessful. So I disabled lighttpd, and only start it by hand if I want to check on my Pi-hole’s status.

Speaking of which, as I write this, here is what the admin console looks like:

admin console screenshot

Hope this helps you.

pi-hole revisited

Back in November, I was really up on Pi-hole.

But after several more months of running it … I am far less psyched than I had been. I’m sure part of that is having gotten better internet services at my house – so the impact of ads is less noticeable.

But a major part of it is that Pi-hole is just too aggressive. Far far too aggressive. Aggressive to the point that my whitelist was growing sometimes minute-by-minute just to get some websites to work.

Is that a problem with the site? No doubt somewhat. But it’s also a problem of blacklists. When domains and IPs are just blanket refused (and not in a helpful way), you get broken experience.

Pi-hole has also gone to a quasi-hijack approach: when a domain has been blocked, instead of it just silently not working, it now returns a message to contact your Pi-hole admin to update the block lists.

I hate intrusive ads as much as the next person .. but that shouldn’t mean that all ads are blocked. I have unobtrusive ads on a couple of my domains (this one included).

But even with Pi-hole, not all ads are blocked.

Part of that is due to the ever-changing landscape of ad servers. Part of it is due to the inherent problems with the blacklist/whitelist approach.

Content creators should be entitled to compensation for the efforts (even if they voluntarily choose to give that content away). Bombarding visitors with metric buttloads of advertising, however, makes you look either desperate, uncaring, or greedy.

The current flipside to that, though, is the pay-wall / subscription approach. Surely subscriptions are appropriate for some things – but I’m not going to pay $1/mo (or more) to every site that wants me to sign-up to see one thing: just today, that would’ve encumbered me with over $100/mo in new recurring bills.

Maybe there needs to be a per-hour, per-article, per-something option – a penny for an hour, for example (which, ftr, comes out to a monthly fee of about $7)- so that viewers can toss some scrilla towards the creators, but aren’t permanently encumbered by subscriptions they’ll soon forget about (though, of course, that recurring subscription revenue would surely look enticing to publishers).

As with the per-song/episode purchase model that iTunes first made big about 15 years ago, you could quickly find out what viewers were most interested in, and focus your efforts there. (Or, continue focusing your efforts elsewhere, understanding that less-popular content will not garner as much revenue as popular content will).

Imagine, using my example of $0.01/hr, how much more engagement you could end up garnering while visitors are actively on your site! A penny is “nothing” to most people – and probably just about all who’re online. Maybe you’ll have a handful of people “abusing” the system by opening a thousand pages in new tabs in their hour … but most folks’ll drop the virtual coin in the nickelodeon, watch the video / read the page / whathaveyounot, and move on about their day.

And not everyone will opt for the charge model. Sites that do utilize it can have some things marked “free” or “free for the next 24 hours” or “free in 7 days” or whatever.

Ad companies like Google could still work as the middleman on handling transactions, too – any time you visit per-X content, there could be a small pop-up that indicated you’d be withdrawing Y amount from your balance to view the site (I’m sure there’ll be competition in the space, so PayPal, Facebook, Stripe, Square, etc etc can get in on the “balance management” piece). And at the end of whatever period (day, week, month), Google can do a mass-settle of all the micropayments collected for each site from each visitor (with some percentage off the top, of course).

No ads. You’d actually Get What Your Pay For™, and issues like the recent Admiral thing would go in a corner and die.

results from running pi-hole for several weeks

I came across pi-hole recently – an ad blocker and DNS service that you can run on a Raspberry Pi in Raspian (or any Debian or Ubuntu (ie Debian-like)) system. Using pi-hole should obviate the need for running ad-blockers in your browser (so long as you’re on a network that is running DNS queries through pi-hole).

I’ve seen some people running it on CentOS – but I’ve had issues with that combination, so am keeping to the .deb-based distros (specifically, I’m running it on the smallest droplet size from Digital Ocean with Ubuntu 16.04).

First the good – it is truly stupidly-simple to get setup and running. A little too simple – not because tools should have to be hard to use, but because there’s not much configuration that goes in the automated script. Also, updating the blacklist and whitelist are easy – though they don’t always update via the web portal as you’d hope.

Second, configuration is almost all manual: so, if you want to use more than 2 upstream DNS hosts (I personally want to hit both Google and Freenom upstream), for example, there is manual file editing. Or if you want to have basic auth enabled for the web portal, you need to not only add it manually, but you need to re-add it manually after any updates.

Third, the bad. This is not a pi-hole issue, per se, but it is still relevant: most devices that you would configure to use DNS for your home (or maybe even enterprise) want at least two entries (eg your cable modem, or home wifi router). You can set only one DNS provider with some devices, but not all. Which goes towards showing how pi-hole might not be best run outside your network – if you run piggy-back DHCP and DNS both off your RPi, and not off the wireless router you’re probably running, then you’re OK. But if your wireless router / cable modem demands multiple DNS entries, you either need to run multiple pi-hole servers somewhere, or you need to realize not everything will end up going through the hole.

Pi-hole sets up lighttpd instance (which you don’t have to use) so you can see a pretty admin panel:

pihole

I added basic authentication to the admin subdirectory by adding the following lines to /etc/lighttpd/lighttpd.conf after following this tutorial:

#add http basic auth
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/.htpasswd/lighttpd-htdigest.user"
auth.require = ("/admin" =>
( "method" => "digest",
"realm" => "rerss",
"require" => "valid-user" )
)

I also have 4 upstream DNS providers in /etc/dnsmasq.d/01-pihole.conf:

server=80.80.80.80
server=8.8.8.8
server=8.8.4.4
server=80.80.81.81

I still need to SSLify the page, but that’s coming.

The 8.8.* addresses are Google’s public DNS. The 80.80.* addresses are Freenom’s. There are myriad more free DNS providers out there – these are just the ones I use.

So what’s my tl;dr on pi-hole? It’s pretty good. It needs a little work to get it more stable between updates – but it’s very close. And I bet if I understood a little more of the setup process, I could probably make a fix to the update script that wouldn’t clobber (or would restore) any custom settings I have in place.