by vaishaksuresh 2939 days ago
In my home network, I run https://pi-hole.net on a Raspberry Pi that is plugged into a USB port in the wall where it can't be seen. Almost all generic ads are blocked and those that do get through can easily be blacklisted. No need for any help from Apple/Google/Amazon. I wish I could somehow make it portable.
5 comments

Don't worry, the marketers will get to you soon enough.

Google has already wedged themselves in as the "gold standard" dns provider. My gut says eventually Apple/Google/Amazon will start forcing blessed devices to use their own name services. For the good of the user, of course. Ahem.

> Google has already wedged themselves in as the "gold standard" dns provider.

Run. Your. Own. Resolver [full stop]

I'm both amazed and devastated how even seasoned privacy hackers will just pop 8.8.8.8 into their respective resolv.confs. What are they thinking?

I know how people tell stories about how 8.8.8.8 (or 1.1.1.1) are so nice and fast (which simply sounds like they are mirroring the advertising for these services by the letter), but honestly, that doesn't matter: The first visit to any site is slow, and has been slow for years (downloading all those megabytes from a dozen origins simply takes its time); waiting another half-second to have your own resolver look after some unknown hostname – which will be cached, locally, much faster than anything 8.8.8.8 could do for you – really isn't worth spilling your entire browsing history onto Google's reception desk. Not for me, anyway.

I think that's unlikely, as there are too many internal services within corporate networks that will never show up in the global DNS. Google would rather people use Chrome at work.

That's okay if you run your own router. Point your device to that as default gateway, then the router can catch any DNS connections and do pi-hole style lookup mapping.

Pfsense is one good example.

That's a hard game to win in the end. Odds are the new and improved name services you're required to use won't really look much like DNS today.

Initially they'll be implemented as DNS over HTTPS, with devices being shipped preconfigured to favor those HTTPS endpoints over name servers provided by the local network. From there the traditional DNS bits will eventually be removed in favor of whatever proprietary mechanisms defined by Google/Amazon/Apple.

The only way to use Google/Amazon/Apple services will be by bootstrapping from hardcoded list of bootstrap ips in their product, secured by a similarly hardcoded CA certificate.

Would a Pi Zero W powered by four 18650 Li-ion cells in parallel with a charging board [1], and a 4G HAT module [2], that runs a little over 24 hour continuous operation, work for your definition of "portable"? The drawback with this approach is you would own a separate SIM and plan for the 4G data. I'd also like to figure out how to cram another WiFi board on to run WiFi As WAN, but HAT stacking is hit and miss.

[1] http://www.samplerbox.org/article/howtopowerrpiwith18650

[2] https://www.pianywhere.com/product/pianywhere-4g-raspberry-p...

How do you deal with https traffic? Wouldn't you need to MITM proxy everything and install CA certs on the client? And wouldn't that reduce client side security since all certs would be signed by the same CA?

Pi-Hole is just a DNS-based adblocker. It returns 127.0.0.1 (I believe) for ad-serving domains, so it happens before https even starts to be negotiated.

Actually, the local address of your Pi-Hole server, though that's configurable.

https://docs.pi-hole.net/ftldns/blockingmode/

For hosts files, 0.0.0.0 is generally preferred, which marks the host as unreachable, rather than localhost (127.0.0.1, etc.), which might well receive and try to process the request.

https://serverfault.com/a/300410
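To make the blocking-mode discussion above concrete, here is a small DNS sinkhole in Python. It is an added example, not Pi-hole's own code: it parses a single-question DNS query off the wire, checks the name (and its parent domains) against a constructed blocklist, and answers blocked names the way the three modes named in the thread do, 0.0.0.0 ("NULL"), the Pi-hole's own address ("IP"), or an NXDOMAIN. Unblocked names return None, which is where a real resolver would forward the query upstream. The blocklist domains and the local address 192.168.1.2 are constructed sample values.

```python
import struct

# Constructed sample blocklist; a real Pi-hole loads thousands of entries from gravity lists.
BLOCKLIST = {"ads.example.net", "tracker.example.org"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, lowercase name, qtype, qclass, raw question bytes) from a query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, packet[12:pos + 4]


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """A blocklisted domain also blocks all of its subdomains."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def sinkhole_response(packet: bytes, blocklist=BLOCKLIST, mode: str = "NULL",
                      local_ip: str = "192.168.1.2"):
    """Answer a blocked query per blocking mode; return None for names to forward upstream."""
    txid, name, qtype, _qclass, question = parse_question(packet)
    if not is_blocked(name, blocklist):
        return None
    if mode == "NXDOMAIN":
        # QR=1, RD=1, RA=1, RCODE=3: the name does not exist.
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    addr = "0.0.0.0" if mode == "NULL" else local_ip
    if qtype not in (1, 255):
        # Simplified: non-A queries (e.g. AAAA) get NOERROR with no answer.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in addr.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12;
    # the short TTL (2s) keeps a later unblock from being cached for long.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + rdata
    return header + question + answer


def answered_address(response: bytes):
    """Extract the A-record address from a single-answer response, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return ".".join(str(b) for b in response[-4:])


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0xF


if __name__ == "__main__":
    for host in ("cdn.ads.example.net", "www.example.com"):
        reply = sinkhole_response(build_query(host))
        print(host, "->", "forward upstream" if reply is None else answered_address(reply))
```

The NULL mode answer is why the hosts-file advice above carries over to DNS: a client told 0.0.0.0 has nothing to connect to, whereas 127.0.0.1 or the Pi-hole's own address will accept the TCP handshake and then fail at the TLS or HTTP layer, which is the "weirdness" a client may show.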

Neat! I'm going to have to play with that a bit.

I'm using the defaults, but from the sounds of the documentation having it return 0.0.0.0 might be beneficial. It certainly explains some weirdness that I've seen when using Pi-Hole.

Thanks!

DNS isn't (yet) encrypted. It happens before HTTPS is negotiated.

PiHole acts as a local DNS server. So it blocks ad network domains.

You could run it on a vpn and just connect through it all time on your devices.

I have this on my mobile device. I'm using Wireguard as a VPN and the DNS sinkhole is on the server. I haven't noticed any severe latency problems, but yea, I've noticed that the battery runs out sooner. Encrypting/decrypting adds enough overhead that it's noticeable.

This doesn't help when running on non-wifi though, where adblockers are even more important (bandwidth saving).

You can run PiVPN (via, say, OpenVPN) to tunnel back to your PiHole. Just tell PiVPN to use your PiHole DNS. You can VPN into the same rPi as PiHole and get an ad-free experience when you are not at your home.

Works for everything that goes through your router if you set your router's DNS to be the piHole's IP.