Hacker News
by ascagnel_ 1859 days ago
I run a Pi-Hole on my local network, and I still see YouTube ads -- they're served from the same CDN as the videos. The way in which YT delivers ads (pre-, mid-, and post-roll videos on the same CDN/domain as the content) seems, on the surface, to thwart any type of static ad detection.

This is more of a rant on Pi-hole than related to Youtube ads but...

Pi-hole can be fine, but it isn't effective if you want it to block not only the lowest-hanging fruit, which a browser adblocker could easily block too, but also stuff that doesn't follow the rules and might use hardcoded DNS IPs if it can't get the reply it wants from the DNS server. With some Windows PCs, Apple devices, Chromecasts and Androids I quickly saw Pi-hole hang because of tens of thousands of requests when I tried to force all DNS through it.

Because I'm a geek I turned to my homelab instead of the RPi4 and ended up with two nginx load balancers with two Pi-holes behind each (yes, 4 Pi-holes). Even though they were now running in virtual machines on a dual-Xeon HP ProLiant, they still died when they got flooded. The hardware could easily take the hammering of requests, but the software not so much (often the counter skyrocketed to 40000 requests before it died).

Now I just block 100% of DNS requests at the gateway/firewall (OPNsense) instead, and oh boy does it catch and log a lot of stuff the Pi-hole didn't. The amount of software that uses hardcoded DNS, makes example.com requests and tries to reach RFC TEST-NET IPs is just staggering.

Sorry about the rant, but just in case you didn't know that Pi-hole is only effective against good network citizens: well, now you know.

Last year, I added firewall rules to my router to block:

* Any outbound DNS and DNS-over-TLS requests coming from anything other than my Pi-Hole
* Any outbound HTTPS requests to DNS-over-HTTPS providers that I know of

It's surprising how many hits I got to those block rules. Makes me very worried about the adoption of DoH: all its privacy and anti-tampering advantages also apply to devices that violate privacy, like smartphones and smart TVs. I want to keep those under control.

I'm curious about your setup: how many devices do you have in your network that you need a load-balanced Pi-Hole setup!? My RPi4 has been rock-solid, but it sounds like it doesn't have to handle nearly as much load as yours. Makes me wonder if my next hardware purchase should be a small server to host a hypervisor instead of a single RPi.

>Makes me very worried about the adoption of DoH

Yes, this is what made me look closer at what happens on my LAN and got me into this mess. It is a losing battle, but I try to block things like DoH and DNS IPs via blocklists[1]. The pfSense add-on pfBlockerNG does this pretty well. I then strictly only allow DNS over TLS from the DNS server out on the WAN.

>how many devices do you have in your network that you need a load-balanced Pi-Hole setup!?

I can see it wasn't very clear in my comment, but it wasn't the number of devices that caused the problem. It only takes one or two misbehaving devices that hammer Pi-hole to make it hang. Pi-hole worked wonderfully until I forced all DNS requests to be redirected to it. I then got many, many requests a second from some devices (Edit: because they didn't like the NXDOMAIN reply they got). Try refusing access to Google DNS if you have some Chromecasts. As far as I can remember they really don't like this. Any Android phone with only one DNS IP set will also default to Google DNS as a secondary DNS IP...

1: Blocking DNS servers really isn't easy. Not only do some devices use other ports but they aren't all well known. I had requests to 216.239.32.10 for example and had no idea this is yet another Google DNS IP (ns1.google.com?).
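The two comments above describe the same review in prose: look at what leaves the LAN, flag anything doing DNS or DoT that isn't the Pi-hole, flag HTTPS to known DoH endpoints, and notice that some devices use ports other than 53 and resolvers nobody has on a list yet. The script below is an added example of that classification over constructed flow records; it is not code from the thread or from Pi-hole/OPNsense. Assumed: the Pi-hole sits at 192.168.1.2, the resolver and DoH address sets are illustrative and deliberately partial (216.239.32.10 is included only because the comment above mentions it), and every flow is one already seen heading out of the LAN. The interesting part is that it decides "this is DNS" by parsing the payload as a DNS query header rather than by trusting the destination port, which is what catches the odd-port cases.

```python
"""Find LAN devices that bypass the sanctioned resolver (added example, not from the thread)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

PIHOLE = "192.168.1.2"  # assumed: the only host allowed to talk DNS/DoT to the WAN

# Public resolver addresses this script knows about (assumed, partial list).
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "216.239.32.10"}
# Addresses that also answer DNS-over-HTTPS on 443 (assumed, partial list).
DOH_ENDPOINTS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes  # leading bytes of the first packet, as a firewall with payload logging would keep


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (header + one question) in wire format; used to build sample flows."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set, QR=0
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dns_query_name(payload: bytes, proto: str) -> Optional[str]:
    """Return the QNAME if the payload parses as a DNS query on ANY port, else None."""
    if proto == "tcp":  # DNS over TCP carries a two-byte length prefix
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return None
        payload = payload[2:]
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:   # QR must be 0 (a query), opcode must be QUERY
        return None
    if qdcount != 1 or ancount or nscount:       # one question, no answer/authority records
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # also rejects compression pointers, which never appear in a query name
            return None
        label = payload[pos:pos + length]
        if len(label) != length or not label.isascii():
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    if qtype == 0 or qclass not in (1, 255):     # IN or ANY class only
        return None
    return ".".join(labels)


def classify(flow: Flow) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one egress flow."""
    if flow.src == PIHOLE or flow.dst == PIHOLE:
        return []  # the sanctioned path: client -> Pi-hole -> upstream
    findings: list[tuple[str, str]] = []
    who = f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"
    if flow.dport in (53, 853):
        findings.append(("dns-bypass", who))        # plain DNS or DoT not going via the Pi-hole
    if flow.dport == 443 and flow.dst in DOH_ENDPOINTS:
        findings.append(("doh-suspect", who))       # HTTPS to an address known to serve DoH
    name = dns_query_name(flow.payload, flow.proto)
    if name and flow.dport not in (53, 853):
        findings.append(("dns-nonstandard-port", f"{who} query={name}"))
    if name and flow.dst not in KNOWN_RESOLVERS:
        findings.append(("unknown-resolver", flow.dst))  # candidate for the resolver blocklist
    return findings


def analyze(flows) -> dict[str, list[str]]:
    """Group findings by category over all flows."""
    report: dict[str, list[str]] = {}
    for flow in flows:
        for finding, detail in classify(flow):
            report.setdefault(finding, []).append(detail)
    return report


# Constructed sample flows (not real captures); addresses in the LAN side are assumed.
SAMPLE_FLOWS = [
    Flow(PIHOLE, "9.9.9.9", "tcp", 853, b"\x16\x03\x01"),                            # Pi-hole's own DoT upstream
    Flow("192.168.1.80", PIHOLE, "udp", 53, build_query("news.ycombinator.com")),    # well-behaved client
    Flow("192.168.1.50", "8.8.8.8", "udp", 53, build_query("clients3.google.com")),  # hardcoded Google DNS
    Flow("192.168.1.60", "1.1.1.1", "tcp", 443, b"\x16\x03\x01"),                    # HTTPS to a DoH endpoint
    Flow("192.168.1.70", "203.0.113.53", "udp", 5300, build_query("example.com")),   # DNS on an odd port, unlisted resolver
    Flow("192.168.1.90", "198.51.100.20", "tcp", 8080, b"GET / HTTP/1.1\r\n"),       # ordinary traffic
]

if __name__ == "__main__":
    for category, details in sorted(analyze(SAMPLE_FLOWS).items()):
        print(category)
        for detail in details:
            print("   ", detail)
```

Run on the sample set it reports one `dns-bypass`, one `doh-suspect`, one `dns-nonstandard-port` and one `unknown-resolver` (203.0.113.53), and nothing for the Pi-hole's own upstream or for the client that used it. The payload check is a heuristic: a well-formed query header with one question and a valid label sequence is a strong signal, but an encrypted or application-level bypass (DoH, DoT, a VPN) carries no such header, which is exactly why the comments above fall back to blocking destination addresses for those.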

Would love to know more about this setup... I'm very worried about DoH.

Sadly I don't think you can ever win a battle against DoH unless you control all devices on the network and can live without any that try to use it. I would hate to run an enterprise or school network these days!

My home LAN is a total overkill setup because I like tinkering with this stuff. If you want more control then my advice would be to look at enterprise hardware as often used enterprise hardware can be found cheaper than way worse equipment made for home users. Just make sure it doesn't have loud fans or that they can be disabled (which they mostly can outside hot server rooms). I swapped out my switches with some cheap HP 1910-24G managed switches and connected them with fiber. I got 3 of those cheaper than the one crappy Linksys I had before which last had a firmware update months before I bought it! But if I had to recommend a single easy solution I would buy a ready to go OPNsense device. I only know this shop in Sweden though: https://teklager.se/en/products/routers/

Basically what I did after I stopped using Pi-hole was to set up pfSense (later switched to OPNsense when I found out that pfSense isn't actually open source) and broke up my LAN (via VLANs, which is where the HP 1910s came into the picture) into three pieces:

- DMZ that is totally open for PlayStation etc. No access to or from anything on the LANs.

- LAN1 where only whitelisted things have WAN access. This is where all normal traffic is.

- LAN2 where anything that needs access from the WAN is connected (this also has its own WAN IP).

Geeky!

Have you tried self-hosted AdGuard Home? It's very performant and can use any of the lists you can use with Pi-hole: https://github.com/AdguardTeam/AdGuardHome

Switched a few years ago and it's great!

No, I haven't tried AdGuard, but as far as I know it is another DNS server that blocks ads like Pi-hole? To block everything there has to be a firewall like OPNsense in the mix, and at that point I might as well use it as DNS too.