Geekzone: technology news, blogs, forums
vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2096687 26-Sep-2018 11:16

gbwelly:

 

vulcannz:

 

That is incorrect. SSL encrypts the entire session, including the URL and host name.

 

 

Hey Mark, I know that you know your stuff, but you have the wrong end of the stick on how the Pi-hole blocks adverts. It doesn't care about protocols, it's a DNS based blocker. To fetch an advert the client must resolve the name of the server hosting the advert. This is the point where the Pi-hole returns nxdomain to the client.

 

 

 

 

Ahhh ok gotcha! 




gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2097017 26-Sep-2018 18:14

timmmay: Ad block plugin can deal with first party ads. Fortunately there aren't a huge number of those.


Grrrr YouTube on Android TV mutter mutter.







ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted
Lifetime subscriber

#2097133 26-Sep-2018 22:13

gbwelly: Grrrr YouTube on Android TV mutter mutter.

 

PieHole success

 

 

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.




michaelmurfy
meow
13581 posts

Uber Geek
+1 received by user: 10914

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2097148 26-Sep-2018 22:40

Just thought I'd mention something.

 

I personally, like you guys, run Pi-Hole but there are also some sites that are very reliant on ad revenue to stay up. As you can't whitelist sites with Pi-Hole then flicking a few dollars to sites and content creators every now and then is a good thing to do. I personally donate to content creators on platforms like YouTube directly and donate to sites that I often use - it is a way of showing my appreciation for their work as otherwise they make no revenue from me.

 

Just remember that. Not saying you have to, but a donation does mean quite a bit as earning money by other means when everyone uses ad blockers is becoming harder each day and equipment costs money to do these things.

 

Also, I see a number of you are not subscribers and admitted to using Pi-Hole. If you get value from Geekzone then it is worth subscribing (https://www.geekzone.co.nz/subscribe.asp). Not only does it make the site load faster (as many scripts are not sent to your browser), you're supporting everyone who volunteers their time on here such as myself by doing your part to keep the site alive.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


vulcannz
436 posts

Ultimate Geek
+1 received by user: 136
Inactive user


  #2098053 28-Sep-2018 10:49

Whitelisting sites doesn't really work, as the advertisements are typically not hosted on that site. If the ad was hosted on geekzone itself then it doesn't get blocked. Most people block advertising as it becomes quite intrusive, sometimes loading stuff you don't want running (like cryptominers). Some advertising companies simply cannot behave themselves and cannot be trusted. And there are many examples of advertising being used to deliver malware.

 

I know it doesn't help, but I think advertising needs to change the way it operates. Smaller sites should consider hosting locally rather than embedded off-site methods. That way websites can earn revenue, and users can trust/expect websites to not deliver some of the terrible advertising behaviour we see these days.


freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41065

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2098066 28-Sep-2018 11:22

vulcannz:

 

I know it doesn't help, but I think advertising needs to change the way it operates. Smaller sites should consider hosting locally rather than embedded off-site methods. That way websites can earn revenue, and users can trust/expect websites to not deliver some of the terrible advertising behaviour we see these days.

 

 

Small sites don't have time or people to go out and sell ad space, hence solutions like ad exchanges or Google AdSense being popular. I don't have a sales team to go hunting for ad buyers to then host on my domains. 

 

A valid alternative is subscription but it seems some people are great at saying they would support but then don't. 





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 


 
 
 

timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2098072 28-Sep-2018 11:39

I'm a subscriber here because it's a great site I find really useful. I pay for any site I use regularly and find useful.

 

I block ads largely because they're intrusive, but also because they slow page loads. My wife plays an online game of sudoku, the whole page flashes around the game and is super distracting.

 

This thread was really meant to be a technical one about the best way to implement the Pi Hole. Let's not take it too far off topic.

 

I've found that my original model of putting the Pi Hole into the DNS servers of the router doesn't work. If it goes down at all the Fritzbox switches to secondary DNS and as far as I can tell, never switches back. So I'm having DHCP hand out the Pi Hole IP to all clients directly. This gives better stats too.

 

Right now around 25% of domains are blocked, yet every website I regularly use works just fine.


freitasm
BDFL - Memuneh
80657 posts

Uber Geek
+1 received by user: 41065

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2098075 28-Sep-2018 11:52

There is also AdGuard DNS and Alternate DNS.

 

Not using either so can't vouch for security, although AdGuard is on GitHub.






 


hio77
'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified
Trusted
Lizard Networks
Subscriber

  #2098077 28-Sep-2018 11:58

Does pihole flag the geekzone adblock detector?





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have. 


mdf

mdf
3566 posts

Uber Geek
+1 received by user: 1519

Trusted

  #2098082 28-Sep-2018 12:10

Just my two cents in terms of PiHole backstops:

 

I've got several separate VLANs + SSIDs set up using an EdgeRouter and WAPs. The primary network uses the ISP DNS servers without PiHole/network ad blocking. The kids' network uses PiHole to filter out the ads and other junk on the flash shovelware games they insist on playing (I haven't won that fight yet). I try and support content creators as best I can, but don't lose any sleep over keeping advertising off the kids' network (they don't have any money to spend anyway). If PiHole goes down, Mrs MDF is perfectly happy switching wifi networks until I am able to sort it out.

 

I've not used a Fritzbox, but I'm guessing from context you can't assign separate DNS servers to VLANs/wifi networks. So entirely unhelpful for the OP's initial query, but if anyone else is looking for a solution, this works well for me.

 

As an aside, I've struggled to make PiHole work for parental controls if anyone is thinking about it from that perspective. Enforcing safe search works, but from memory, [naughtywebsite].com is caught, but www.[naughtywebsite].com sails through (or maybe vice versa?). I gave up trying to figure this out and just set the PiHole's upstream DNS server to cleanbrowsing.org.

 

EDIT: Whoops. Fixing cleanbrowsing.org


rscole86
4999 posts

Uber Geek
+1 received by user: 462

Moderator
Trusted
Lifetime subscriber

  #2098085 28-Sep-2018 12:15

I have not tested it, but I assume you have tried the wildcard blocking feature of the domains you wish to block?
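The apex-versus-www behaviour discussed in the two posts above, as an added example that is not part of the thread and not Pi-hole's own code: a generic DNS sinkhole matcher in Python comparing exact-match blocking with wildcard (suffix) blocking. The function names and the `BLOCKLIST` entry are constructed for illustration.

```python
# Constructed blocklist entry; .example is a reserved TLD.
BLOCKLIST = {"blocked-site.example"}

def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()

def blocked_exact(qname: str, blocklist=BLOCKLIST) -> bool:
    """Block only when the queried name is literally on the list."""
    return normalize(qname) in blocklist

def blocked_wildcard(qname: str, blocklist=BLOCKLIST) -> bool:
    """Block the listed name and every subdomain of it.

    Matching walks whole labels, so 'notblocked-site.example' is not
    treated as a subdomain of 'blocked-site.example' the way a naive
    str.endswith() check would treat it.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def compare(queries, blocklist=BLOCKLIST):
    """Return {query: (exact_result, wildcard_result)} for side-by-side review."""
    return {q: (blocked_exact(q, blocklist), blocked_wildcard(q, blocklist))
            for q in queries}

if __name__ == "__main__":
    sample = ["blocked-site.example", "www.blocked-site.example",
              "WWW.Blocked-Site.Example.", "notblocked-site.example"]
    for name, (exact, wild) in compare(sample).items():
        print(f"{name:30} exact={exact!s:5} wildcard={wild}")
```

With exact matching, a list that carries only the apex name lets the `www.` host resolve normally, which is the symptom described above; the reverse happens when only the `www.` name is listed.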


 
 
 

muppet
2644 posts

Uber Geek
+1 received by user: 1661

Trusted

  #2098193 28-Sep-2018 14:30

vulcannz:

 

That is incorrect. SSL encrypts the entire session, including the URL and host name. All anything in between can see is the IP addresses and ports.

 

 

Wikipedia Link - Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted,[2] so an eavesdropper can see which site is being requested.

 

There was a lot of discussion and a paper about fixing this in TLS1.3, but I don't think it was changed.

 

 

 

I have a PiHole at home, running as an LXC container. It's the only DNS server I give to my hosts. Also, Android and Chromecast will often try to use 8.8.8.8/8.8.4.4 regardless of what they're told via DHCP, so I had to block all other DNS in my firewall to force these devices to talk to the PiHole.


dfnt
1553 posts

Uber Geek
+1 received by user: 1036

Trusted
Lifetime subscriber

  #2098199 28-Sep-2018 14:38

muppet:

 

vulcannz:

 

That is incorrect. SSL encrypts the entire session, including the URL and host name. All anything in between can see is the IP addresses and ports.

 

 

Wikipedia Link - Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted,[2] so an eavesdropper can see which site is being requested.

 

There was a lot of discussion and a paper about fixing this in TLS1.3, but I don't think it was changed.

 

 

 

I have a PiHole at home, running as an LXC container. It's the only DNS server I give to my hosts. Also, Android and Chromecast will often try to use 8.8.8.8/8.8.4.4 regardless of what they're told via DHCP, so I had to block all other DNS in my firewall to force these devices to talk to the PiHole.

 

 

Don't know if you've seen the Cloudflare birthday week posts, but they're creating a new RFC (?) for encrypted SNI aka ESNI https://blog.cloudflare.com/esni/

 

Only Firefox has/will have support for ESNI at this stage, but quite interesting


muppet
2644 posts

Uber Geek
+1 received by user: 1661

Trusted

  #2098200 28-Sep-2018 14:40

dfnt:

 

Don't know if you've seen the Cloudflare birthday week posts, but they're creating a new RFC (?) for encrypted SNI aka ESNI https://blog.cloudflare.com/esni/

 

Only Firefox has/will have support for ESNI at this stage, but quite interesting

 

 

I had not, thank you.  This is great to see, be nice to see this hole closed up.


timmmay

20859 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2098203 28-Sep-2018 14:43

Has anyone tried running Pi Hole alongside Kodi? It's meant to be compatible.

 

I have OpenElec, a Kodi distribution, running on a R.Pi2. It's currently only coming on with the TV, but it's on Ethernet, has a good quality power supply, is mounted well, and has good cooling. It would be more efficient to put Pi Hole on that than to run a second Pi.

 

Are there any downsides? There might be an occasional restart of the Pi2 if Kodi locks up. I guess there could be a software conflict.

 

I can use Win32DiskImager to back up Kodi and try this.

