Pi-hole has helped improve my "relationship" with Firefox, or better phrased with Firefox forks like LibreWolf and Tor Browser. A cool thing with Pi-hole is that you can watch the query log and see what happened in the background while you were surfing the Internet. I learned that:
After removing the sponsored shortcuts in Firefox and putting your own shortcuts there, Firefox will make connections each time you start the browser. So, if you had icons on your quick start page in Firefox for, let's say, EFF, Lemmy, Mastodon and HackerNews, with each Firefox start-up it would query these sites, which I didn't like so much. Since then I've gone back to a completely blank start page, removing search and all those quick start icons, using just toolbar folders with bookmarks.
Pi-hole defaults to blocking telemetry for Firefox and Thunderbird.
Signal uses Google servers I saw via Pi-hole. I thought that they were using Amazon servers, but looking at Wikipedia for the history of Signal hosting I learned that Signal went back to Google for hosting.
Firefox push notification services are hosted on Google servers. LibreWolf removes a lot of Google things that Firefox has by default, but not the push parts. With Pi-hole it is very easy to block that.
Pi-hole is an amazing tool and gives a lot of insight into what is being queried and blocked against the block lists. Also, it makes it completely transparent on the entire network to have nasty things blocked. One thing I will mention to make the setup better: make sure at the firewall level you have a rule that makes every DNS request go through Pi-hole. Some devices will use a hard-coded DNS instead of respecting the one on the network.
Yes but I think OP is referring to plain DNS requests to a preferred server.
You can hijack port 53 and redirect them to your preferred server. Also acts as a method of hardening DNS for devices and apps that do not support encrypted DNS.
I was making a quick check, and yes, the DoH situation is a bit more dicey. From how I see it, the best way to make this work is, at the firewall level, to either block as much as possible any requests that look like DoH (and hope whatever was using that falls back to regular DNS calls) or set up a local DoH server to resolve those queries (although I am not sure if it is possible to fully redirect those).
In that sense, Pi-hole can't really do much against DoH on its own.
EDIT: decided to look a bit further on the router level, and for pfSense at least this is one way to do this: recipe for DNS block and redirect.
With most firewalls, there is an option to download IP lists for blocking. There are several lists I don't recall right now that aggregate DoH services. It's not perfect, but better than nothing.
Hm... I am not familiar with that device myself, and since I have used OPNsense for a while I forget most people do not use routers other than the provided one.
But in a theoretical sense, this firewall rule should look something like this:
origin of traffic is any IP that goes into port 53
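The rule described above, together with the DoH IP-list blocking mentioned earlier in the thread, written out as an nftables ruleset for a Linux router. This is an added example, not code from any poster or from the Pi-hole project; the Pi-hole address 192.168.1.2, the interface name lan0 and the 203.0.113.x resolver addresses are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread). Prints an nftables ruleset that
# forces every LAN client's port-53 DNS query through the Pi-hole and, when
# DoH resolver IPs are supplied, resets HTTPS to them so clients fall back to
# plain DNS. IPv4 only. The Pi-hole IP, interface name and resolver IPs are
# placeholders you must replace.
# usage: gen_dns_rules PIHOLE_IP LAN_IF [DOH_RESOLVER_IP ...]
gen_dns_rules() {
    pihole_ip="$1"; lan_if="$2"; shift 2
    elems=""
    for ip in "$@"; do elems="${elems}${elems:+, }${ip}"; done
    printf 'table inet dns_guard {\n'
    cat <<EOF
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The Pi-hole itself must reach its upstream resolvers untouched.
        iifname "${lan_if}" ip saddr ${pihole_ip} return
        # Every other LAN client talking to port 53 is sent to the Pi-hole.
        iifname "${lan_if}" udp dport 53 dnat ip to ${pihole_ip}:53
        iifname "${lan_if}" tcp dport 53 dnat ip to ${pihole_ip}:53
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: client and Pi-hole on the same subnet. Without this the
        # reply comes straight from the Pi-hole's own IP and the client drops
        # it. Trade-off: the Pi-hole query log then shows the router, not the
        # client, as the source.
        oifname "${lan_if}" ip daddr ${pihole_ip} udp dport 53 masquerade
        oifname "${lan_if}" ip daddr ${pihole_ip} tcp dport 53 masquerade
    }
EOF
    if [ -n "$elems" ]; then
        cat <<EOF
    set doh_resolvers {
        type ipv4_addr
        elements = { ${elems} }
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # Reset HTTPS to known DoH endpoints so the client retries over port 53.
        iifname "${lan_if}" ip daddr @doh_resolvers tcp dport 443 reject with tcp reset
    }
EOF
    fi
    printf '}\n'
}

# Constructed placeholder values; pipe the output into "nft -f -" as root.
gen_dns_rules 192.168.1.2 lan0 203.0.113.10 203.0.113.11
```

Load the output with `gen_dns_rules ... | nft -f -` and confirm with `nft list table inet dns_guard`; devices that pin a DoH resolver not in your list will still bypass the Pi-hole.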
Oh man, glad you have learned about the favicons issue; it's insane that we just accept such an easily fingerprintable method of getting TINY IMAGES. Is there a way to cache all of it? I just disable everything lol
Yeah. I thought about that. When you add an icon to your rows of shortcuts in Firefox and it fails to fetch the correct icon and gives it a generic letter instead, and you want to add an icon yourself, you cannot just upload or insert an icon into your Firefox; you will need to point it to some web link where the remote icon is. I can imagine Firefox wants to check at each startup whether the remote icon has changed or not (not completely unreasonable; think about Twitter changing to X).
The icon thing can be worked around with something like heimdall. I host my own docker container of it and just set that as my startup page in my browser. Looks much nicer than a blank page and everything happens in my own network.
I haven't used it in quite a long time, not because it was bad but just because it only worked on my wifi and I didn't want to try to set up a VPN to get it to work on mobile. I found that Control D has a free ad-block and malware-block DNS that can be done with DNS over HTTPS, and so that is what I use.
DNS services with block lists such as Pi-hole, AdGuard, NextDNS, etc., provide a centralized config for all devices on a network, so you only configure once, collect statistics, have built-in block lists that can be easily modified and updated either automatically or manually, and are fast.
Using large lists in a hosts file will slow local resolution. It wasn't designed for this use case, as it's acting as a flat-file database with a limited amount of RAM allocated for the process and will get slower the longer the list. While this latency won't be noticeable in the thousands of lines, once you start hitting hundreds of thousands or millions of entries it will start to crawl.
Hosts files are also unable to use RegEx or wildcard entries, which means you would have to duplicate lots of variations in domains...
I mean, I could also statically assign IPs to every client and keep a spreadsheet, but why wouldn't I just use DHCP?
Absolutely. These lists are created by server admins who collect what the firewall rejects, much like you see with the Pi-hole. They'll automatically block some ads and many threats too. Another tip if you're using LibreWolf, Mullvad Browser or Firefox with uBlock: enable more of the filter lists.