
I handle this for my whole network with a pi-hole[0].

[0] https://pi-hole.net

This is the way. No need to individually configure all your devices. My DHCP will hand out a local DNS to each client that maps all the ad/malware domains to 0.0.0.0, so if you’re on my network, even as a guest, you get blocking for free.


I've always been hesitant to use DNS to block ads because it's difficult to turn off for non techies. Did the pi hole cause any issues in your experience?


Vanishingly few. Occasionally, I'm browsing the web and hit a text link that takes me to the browser's "I can't find this site" default screen. This usually happens with sponsored links that are not served from ad networks yet link to known ad sites.


My wife frequently complains about sponsored Google searches not resolving. She doesn't want to use an in-browser adblock, so the links will still appear, but aren't usable. Also, many redirecting analytics services from emails get blocked.

Personally, I don't find these to be breaking issues for my use. My only issue is that the PiHole interface's administrative features are authenticated via the PiHole's service user account password. This is the Ubuntu user password for the user the service runs under when installed on Raspbian or whatever. There's no secondary credential store. There isn't even a list of users. To log in, you enter the user's password. If there were a way to assign credentials to network users and allow them to whitelist/blacklist entries and audit that, it could easily be much friendlier to non-technical users.

One final half complaint. If a link goes directly to a blocked site that is served over SSL, you won't get the nice "This site has been blocked" page. It will just show the standard Chrome/Safari/Firefox "could not connect" error. As a technical user, this is normal and makes sense. For others, it makes "the internet" appear "broken". Obviously this isn't something a PiHole can fix on its own, and I don't expect it to. It's a slippery slope to add a trusted root or intermediary cert to each of my network devices and allow a random box on my network to dynamically "poison" my DNS and serve fraudulent dynamically generated site certificates just to show me an informational page, or to allow a random box on my network to proxy and DPI my SSL traffic. It's not something I'm comfortable with maintaining.


All good points. I avoid some of the headache by not using the actual PiHole software, and therefore not bringing along whatever credential baggage that comes with. Just dnsmasq, and cron to update the blocklist. My setup runs directly on my router as well, eliminating the need to maintain another box.
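The dnsmasq-plus-cron setup described above, and the "map every ad/malware domain to 0.0.0.0" approach mentioned earlier in the thread, both boil down to turning a hosts-format blocklist into dnsmasq `address=` lines. The following is an added example (not the commenter's gist or any Pi-hole code) of that conversion step, using a constructed sample blocklist; the sink address is a parameter because, as noted further down, some setups point blocked names at a local web server instead of 0.0.0.0.

```python
import re
from ipaddress import ip_address

# Constructed sample of a hosts-format blocklist (not a real published list).
SAMPLE_HOSTS = """\
# Example blocklist header
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 tracker.example.org pixel.example.org
127.0.0.1 ads.example.net
0.0.0.0 BAD-Host.Example.COM.
0.0.0.0 not a valid entry here
"""

# Names that appear in most hosts files but must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Conservative hostname check: labels of 1-63 chars, no leading/trailing '-',
# at least one dot (so bare words from a malformed line are rejected).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def parse_hosts_blocklist(text):
    """Return sorted, de-duplicated hostnames from a hosts-format blocklist."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()                     # <address> <host> [<host> ...]
        try:
            ip_address(fields[0])                 # first field must be an IP
        except ValueError:
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")       # normalise case and FQDN dot
            if host in LOCAL_NAMES or not HOSTNAME_RE.match(host):
                continue
            names.add(host)
    return sorted(names)


def dnsmasq_config(hostnames, sink="0.0.0.0"):
    """Render dnsmasq address= lines; each entry also covers its subdomains."""
    return "".join(f"address=/{h}/{sink}\n" for h in hostnames)
```

A cron job would fetch the upstream list, run it through these two functions, write the result into a file under dnsmasq's conf-dir and reload dnsmasq.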


Are you using a Ubiquiti router for this by any chance? Would love to hear more details as I have been thinking about implementing something like this on an EdgeRouter Lite.


It's running on an ASUS router with Asuswrt-Merlin firmware.

https://gist.github.com/ryandrake08/bd2616eacbf2565243ffee74...


Care to share your setup? Perhaps via a Gist?


I run pihole in a docker container on linux, so the password thing isn't a problem.

Also to people redirecting ad servers to 0.0.0.0, that can cause page damage particularly with things like iframes. Pi-hole instead redirects them to its own webserver and serves up 1x1 pixel transparent images to avoid this.


pi-hole is fantastic.

Plus, you get free ad blocking for most of the native apps on your mobile devices when using wifi at home or outdoors with VPN (haven't tested the latter yet).


When I tried pi-hole I was amazed by it. Until the day I discovered someone in China hacked it :-///


...and how did you come to the conclusion they hacked the pi-hole?


Sounds like a poor or reused password.


I got tons of ssh login attempts from Russia and China. I just installed fail2ban.


Why is your pi-hole exposed to the internet? That's not a great idea. You could have other people using your DNS service also.

It's true it's security through obscurity and won't slow down a spear phisher, but I always change the SSH port to something like 22022 when I have to expose it to the internet and find this eliminates almost all of the portscanning/doorknob rattling. Same thing with WordPress: changing the /wp-admin directory is immensely helpful.


That’s terrible. Did you move on to something else?


Could have been a number of things - most likely culprit I've seen is that it was left exposed to the internet, ssh most likely, and the default password wasn't changed.


Yep, pi-hole - on a raspberry pi - is awesome.
