The Pi-hole

I've been having great success with my pi-hole. For those unaware of what Pi-hole is, it is a DNS black hole tailored to run on the Raspberry Pi. The way it works is that you make it the DNS server your DHCP server (which is usually your router) hands out, so when a client asks for an IP address the router also tells it to use the pi-hole as its DNS resolver.

So what happens now is that when a machine on your network asks for a domain like "google.com", the pi-hole receives the query, checks it against its lists of malicious and tracker domains and, finding no match, happily forwards it up to the real upstream DNS server (in my case CloudFlare). However, when a web page tries to pull down a file like "https://someadnetwork.biz/tracker.js", the pi-hole receives the DNS lookup for `someadnetwork.biz`, recognizes it as a tracking domain and, instead of forwarding it, answers as though the name could not be found, so the browser never connects to the ad server at all.
This results in a significant reduction in the ads you see on most websites, and a snappier experience, since less traffic is fetched. In my case, 14% of all DNS queries were being blocked by my pi-hole. 14%!
The Problem

When you have good-quality, standards-compliant computer hardware, things work out just as outlined above. Well-behaved network devices honor the settings handed to them by the DHCP server and use your pi-hole as their DNS resolver, allowing it to filter their DNS requests.

Unfortunately, in the ad-revenue-driven world of subsidized devices from Amazon and Google (to name two of many), the cost of the device is heavily subsidized by the manufacturer by means of collecting, storing and selling the ever-living-sh*t out of everything they can. Sadly I am forced to have a few of these devices running on my network, and I keep them pretty isolated; however, I was noticing that I was still receiving ads on these devices and seeing some strange outbound traffic from them. I realized they were not playing nice: they totally disregarded the DNS server handed out by DHCP and instead used their own company's resolver (8.8.8.8 in Google's case). This is one way these companies manage to transparently track more and more of what you do at very little cost to themselves. Google's DNS servers store and track every request made to them, and you can bet those requests are cross-referenced back to your device and accounts.
The Solution (mostly)

There are other ways, but the easiest is to use a firewall (in my case iptables). I have a Netlink router running the Tomato firmware. With this tool we can break down what we want into:

- All outgoing DNS requests (port 53) from any host other than the pi-hole should be redirected to the pi-hole, whichever resolver the device actually asked for.
- All outgoing DNS requests (port 53) coming from the pi-hole itself should be allowed through unchanged, since it has to reach the real upstream resolver.
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -i br+ ! -s 192.168.1.10 -p tcp --dport 53 -j DNAT --to 192.168.1.10:53
iptables -t nat -I PREROUTING -i br+ ! -s 192.168.1.10 -p udp --dport 53 -j DNAT --to 192.168.1.10:53

-i br+: apply to traffic arriving on any bridged (LAN) interface; this may differ if your router names its interfaces differently.
-p tcp and -p udp: apply to both TCP and UDP, since DNS uses both.
! -s 192.168.1.10: apply to every source IP except 192.168.1.10, the pi-hole itself, so its own upstream queries are not looped back to it.
-j DNAT --to 192.168.1.10:53: rewrite the destination so the query lands on the pi-hole no matter which resolver the device addressed.

The MASQUERADE rule is what makes the reply come back. The client and the pi-hole sit on the same LAN, so without it the pi-hole would answer the client directly from 192.168.1.10, and the client, which believes it asked 8.8.8.8, would drop the reply. Rewriting the source address to the router's forces the answer back through the router, which undoes both translations. The cost of writing the rule this broadly is that every packet the router forwards, the redirected queries included, gets the router's source address, so those queries appear in the pi-hole's query log as coming from the router rather than from the offending device.
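The same redirect as a re-runnable script, added here as an example; it is not the post's own firewall script nor anything from the Tomato or Pi-hole projects. It assumes the LAN bridge is br0 and the pi-hole is 192.168.1.10 (both overridable through the LAN_IF and PIHOLE environment variables) and that it is run as root on the router. It narrows the source-NAT rule to redirected DNS only, so ordinary forwarded traffic keeps its source address, and it checks each rule with iptables -C before inserting it, so running it again at every boot never stacks duplicate rules. Without arguments it prints the commands it would run; with apply it installs them.

```shell
#!/bin/sh
# Added example, not the post's own script: redirect all LAN DNS to the pi-hole.
# Assumptions: LAN bridge br0 and pi-hole 192.168.1.10 (override via LAN_IF /
# PIHOLE), iptables available and run as root on the router.
# Usage: sh dns-redirect.sh        -> print the iptables commands (dry run)
#        sh dns-redirect.sh apply  -> install the rules (idempotent)

LAN_IF="${LAN_IF:-br0}"
PIHOLE="${PIHOLE:-192.168.1.10}"
DNS_PORT=53

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Argument list for the DNAT rule: port-53 traffic entering from the LAN,
# unless it comes from the pi-hole itself (which must reach the real upstream),
# gets its destination rewritten to the pi-hole. $1 is the protocol (udp|tcp).
dnat_args() {
    echo "-i $LAN_IF ! -s $PIHOLE -p $1 --dport $DNS_PORT -j DNAT --to-destination $PIHOLE:$DNS_PORT"
}

# Argument list for the source-NAT rule. The client and the pi-hole share a
# subnet, so without this the pi-hole would answer the client directly and the
# client (which thinks it asked 8.8.8.8) would drop the reply. Matching only
# redirected DNS leaves every other forwarded packet's source address intact.
snat_args() {
    echo "-o $LAN_IF -d $PIHOLE -p $1 --dport $DNS_PORT -j MASQUERADE"
}

# Insert a nat rule only if an identical one is absent (iptables -C exits 0
# when the rule already exists), so re-running at boot never adds duplicates.
ensure_nat_rule() {
    chain="$1"; shift
    if [ -n "$DRY_RUN" ] || ! iptables -t nat -C "$chain" "$@" 2>/dev/null; then
        ipt -t nat -I "$chain" "$@"
    fi
}

# Install both rules for UDP and for TCP (DNS uses both).
apply_dns_redirect() {
    for proto in udp tcp; do
        # Word splitting of the argument strings is intended here.
        ensure_nat_rule PREROUTING  $(dnat_args "$proto")
        ensure_nat_rule POSTROUTING $(snat_args "$proto")
    done
}

case "${1:-show}" in
    apply) apply_dns_redirect ;;
    show)  ( DRY_RUN=1; apply_dns_redirect ) ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

To confirm it works from a LAN client, query a resolver you have not configured, for example dig @8.8.8.8 for a domain on the pi-hole's blocklist, and check that the answer matches what dig @192.168.1.10 returns and that the query shows up in the pi-hole's query log. Only plain port-53 lookups are caught; a device that speaks DNS over TLS or HTTPS (ports 853 and 443) is not touched by these rules.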
After doing this, my pi-hole went from blocking 14% of all DNS requests to about 24% (a ludicrous amount, in my professional opinion). Success! Even more of my devices stopped firing ads at me at this point. However, there is one final gotcha...