I've just set up a pihole on my home network, and whilst it's working reasonably well with the default list by Steven Black, there's still some ads getting through. I was wondering if any of you use pihole and could offer advice on adlists and general setup to maximise the benefits without hindering the browsing experience. Cheers.
What DNS servers are you using. Some ISPs route certains domains through "internal" (to the ISP) IPs to avoid certain blocklists. I saw this a lot in the US while using DNS66 on my Android phone, but not so much here in the Netherlands.
I've set the IP of the pihole as my DNS within Unifi so all devices on the network use the pihole - and then within the pihole, I've set CloudFlare as the DNS as they have slightly more privacy friendly policies with regard to logging of DNS queries.
You can avoid this by using DNS-over-HTTPS (or any of the other DNS-over-something-that-isn't-DNS alternatives). For Pihole, you do it using Cloudflare's cloudflared. I use the following lists, in addition to Black's: https://phishing.army/download/phishing_army_blocklist_extended.txt https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt https://urlhaus.abuse.ch/downloads/hostfile/ https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts https://blocklistproject.github.io/Lists/phishing.txt https://blocklistproject.github.io/Lists/abuse.txt https://blocklistproject.github.io/Lists/scam.txt https://v.firebog.net/hosts/Easylist.txt https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext https://adaway.org/hosts.txt In total, that blocks around 724,000 domains, and I see about 22 percent of my network's queries filtered - though the overwhelming majority of those blocks aren't adverts but tracking, primarily from devices like the kids' Amazon Fire tablets trying to phone home every 20 minutes... I also run uBlock Origin, DuckDuckGo's extension, PrivacyBadger, and Decentraleyes in the browser, on top of the network-level filtering. Oh, and my DNS goes over DoH to Cloudflare's 1.1.1.2 and 1.0.0.2, which do abuse blocking at their end.
Perfect, thanks Gareth. I'll add those to pihole and see what the experience is like. Do you find any issues with media or smart TVs? I've read that some users have introduced issues with Netflix, Prime etc with certain pihole configs.
I don't have a smart TV, but I do stream Netflix, Amazon Prime Video, BBC iPlayer, and Disney+ on a PS4 and an Xbone - not had a single problem.
That's good to know. I'll go ahead and get those adlists updated then, much appreciated. Did you make any other changes to the pihole default config that you would recommend?
I'm aready using CloudFlare as the upstream DNS within pihole, so should be good to go then. Thanks again.
Nup: that's not DNS-over-HTTPS, it's straightforward DNS - which means your ISP knows exactly what DNS queries you're making ('cos they're not encrypted) *and* can hijack queries as per @yuusou above. You need to manually install cloudflared, set it running on Cloudflare's DoH servers, and then disable all upstream DNS on the Pihole apart from localhost on whatever port you've got cloudflared using. Sounds complicated, but really isn't - should only take a few minutes.
Ah ha! Right, I shall give that a go too then. Thanks for explaining that, as that's quite a big difference to what I previously understood (or not as it seems!).
While you're at it, look into your router and forcing all DNS traffic to your pihole - A lot more 'Smart' devices are hardcoding their DNS these days, so will bypass local DNS blackholes like PiHole. Also, pray you're not using Unifi kit, because doing that is a right pain in the rectum. Oh, and I dunno if they fixed it, but the cloudflared thing described above, I had issues with that on a Zero because it's either not maintained for the old ARM architecture, or at the time wasn't, so if you have a problem installing it, and you're using an older ARM device, that might be why! I had an issue with Xbox achievements popping with the Pihole, apparently some of the XBL services are blocked on the default lists. I have had issues with The Escapist and their CDN, brid.tv & pico.tools are in my list, and I'm quite sure that's just for Escapist content. As for lists I use; https://github.com/deathbybandaid/p...scribable-Lists/CountryCodesLists/Germany.txt - Likely useless to you, if you're not in Germany. https://dbl.oisd.nl/ - Fairly comprehensive, includes a lot of the default stuff too though, so YMMV These I must have had a reason for, but have honest to god forgotten what it was; https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://mirror1.malwaredomains.com/files/justdomains http://sysctl.org/cameleon/hosts https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt https://hosts-file.net/ad_servers.tx I explicitly whitelisted these domains for XBL (There might be some other MS domains.. I can't remember what else I whitelisted..); mobile.pipe.aria.microsoft.com halowaypoint.com vortex.data.microsoft.com telemetry.svc.halowaypoint.com playfabapi.com www.msftncsi.com outlook.office365.com products.office.com c.s-microsoft.com i.s-microsoft.com login.live.com login.microsoftonline.com g.live.com dl.delivery.mp.microsoft.com geo-prod.do.dsp.mp.microsoft.com displaycatalog.mp.microsoft.com clientconfig.passport.net v10.events.data.microsoft.com v20.events.data.microsoft.com client-s.gateway.messenger.live.com xbox.ipv6.microsoft.com device.auth.xboxlive.com title.mgt.xboxlive.com xsts.auth.xboxlive.com title.auth.xboxlive.com ctldl.windowsupdate.com attestation.xboxlive.com xboxexperiencesprod.experimentation.xboxlive.com xflight.xboxlive.com cert.mgt.xboxlive.com xkms.xboxlive.com def-vef.xboxlive.com notify.xboxlive.com help.ui.xboxlive.com licensing.xboxlive.com eds.xboxlive.com www.xboxlive.com v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com
Thank you very much! Those whitelists may be particularly useful for me too, so very much appreciated.
That's the default list that comes with Pi-hole. You'll want to remove that one, 'cos the Malware Domains lists were deleted months ago. At the moment, they're just 404ing - but if someone with malicious intent takes over at the domain, it could end up causing you problems.
Noted! I knew one of the lists would be default, but as mentioned, the memory is fuzzy having had this running for longer than ten minutes.
Thanks to everyone for the recommendations. Over the last 24hrs, the adlists and whitelist suggestions have increased the amount of blocked traffic with no noticeable detrimental effect to browsing. I’ll get round to DoH later this week or weekend! So far, so good. Wish I’d sorted this PiHole out sooner!
Aaaaah, *that's* why it's stopped working: Can't find any evidence of the so-called "free, non-commercial version of our threat intel, ShadowNet" existing anywhere, though.
I haven't used PiHole since 2019 and am solely relying on browser level blocking because of ever-changing living arrangements, but these are a few of the sites I pulled my lists from back in the day. Lists are in alphabetical order, otherwise in no particular order: AdAway AdBlock AdGuard EasyList Fanboy HostsFile Malware Domain List Peter Lowe Phishing Army Shalla SomeoneWhoCares Steven Black WinHelp2002 Collection of various lists The Big Blocklist Collection FilterLists And perhaps this wiki may be useful, as well? Wikipedia: Comparsion of DNS blacklists
I just got a Pi-hole setup last night, I need to work on getting all your suggested blacklists added tonight. Do you all leave DHCP up to your router or are you using the Pi-hole to do it? I ask because when I logged into the admin panel this morning, only my router showed as having seen blocked traffic, I guess if I run DHCP though the Pi-hole I can see what traffic is hitting each individual device.
I've left my router as DHCP and from the router settings, set your pihole's IP as DNS. If you have an ISP supplied router, you may struggle with this, depending which ISP...
