
Lazy slacker...
...uses an /etc/hosts file with a fair range of ad servers pointed at 0.0.0.0.
This is a per-machine ploy and no good for phones.
Interesting article.
A new, lightweight version of Pi-Hole is here. Just how easy is it to block advertising on your home network? Pi-Hole 6 appeared a few weeks ago. Since then, there have been a few small bug fixes and it's now up to version 6.0.5. The new release is lighter weight and has fewer external dependencies: it no longer needs PHP or …
Whilst the PiHole is excellent, for those who want to take it to a whole new level, I highly recommend utilising the free Community Edition (CE) of pfsense available via Netgate.
https://www.netgate.com/
Direct download link here (for those who don’t want to register)
https://atxfiles.netgate.com/mirror/downloads/
This is effectively (almost/is) a commercial-grade firewall that you can run on your own kit (note: Intel NICs strongly recommended). Obviously it also has massive configurability as regards routing all types of traffic.
It has a longstanding third-party package called pfBlockerNG which is a Pi-hole on steroids. Not only does it offer the DNS sinkholing functionality of the Pi-hole, but it is also possible to block/allow IPs (either via ASN or individual address). It also allows copious white/blacklisting at multiple levels (geographical/domain etc).
Certainly not one for the technically challenged, but given the target readership of this site, should be right up the average punter's street.
Various links to pfblockerNG
https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
https://forum.netgate.com/category/62/pfblockerng
https://nguvu.org/pfsense/pfSense-pfblockerng-configuration-guide/ (from 2020)
https://www.privacyaffairs.com/ip-filtering-pfsense/ (2024)
Personally without NoScript, UBlock Origin and pfblockerNG I would feel naked wandering around online.
No I don’t, I have no connection with Netgate (or any affiliates). As it happens I’m retired and live in the UK.
All the software I suggested is free (obviously you will have to source your own hardware). I’m sorry if you found my enthusiasm offensive. More than happy to learn of comparable (free) solutions from you.
I am not offended. This site is awash with the bad consequences of accepting commercial "freebies" down the line. The product you mention (together with AdBlock itself) is only necessary because we all accepted a freebie from a company that was "committed" to "not be evil".
pfBlockerNG is a good solution if you're already running pfSense. Its hardware requirements are higher, and it does run on x86-64 CPUs only (Netgate sells ARM versions, but there's no installer for them). It would be overkill to run a simple filtering DNS only - unless you replace your whole router/firewall with it and get a far more capable device, but more complex to configure, and more expensive to run. High speed PPPoE connections require a specific setup also.
Netgate is also now far less nice with the CE version, although for personal use you can get a license for free for the commercial version, but caveats apply.
Don't know if something alike exists for OPNSense.
>>Pihole works very well against the ads, the other half hates it as all her google ads links in search results break.
Yup - which is why I have a group on the Pi-Hole set to "do not block" and SWMBO's laptop and Phone are in that group - oh the TV is as well because the braindead apps on that (yeh I know - don't connect your TV to the internet) work for special values of work when Pi-Hole is enabled and my ears are not tolerant of the wails of protest when I am trying to whitelist things for the various apps, which obviously takes a while.
How about just disabling IPv6 and just using IPv4 along with NAT, deleting all cookies.
Fact is that HTTPS doesn't prevent snooping since police etc have snooped on everyone for a long time because they can, so why identify yourself by using HTTPS for Google etc if you don't need a "secure" connection
What we really need for privacy is to go back to just HTTP and no IPv6
Still lots of HTTP sites out there that your browser bitches about, I wonder why that is.
might it be related to those who are spying on everyone also got to define the internet standards?
Wait... what? You believe that using HTTPS doesn't protect you, and that you "identify" yourself to "Google etc." when you use HTTPS?
What have you been smoking?
I thought that the "I have nothing to hide" and "I don't need a secure connection for everyday stuff" faction had long since died out, but here we go... I think you might be wearing your tinfoil hat the wrong way.
Hosts doesn't scale... it's a text file searched linearly. There are better solutions these days.
I think most modern Linux distros run a name lookup caching service which might obviate this. I recall nscd then sssd did some of that.
Failing that you could build db files or nis maps from /etc/hosts then listing db &/or nis before files in /etc/nsswitch.conf.
As I already run internal named instances (auth+recursive) I am wondering whether I can snaffle their blacklists into a backend database that bind groks.
Nothing wrong with using the hosts file as a "poor man's firewall". The file's contents are loaded into memory, I don't believe there's any performance hit, and the price is right. I've got a pi-hole as well, but defence in depth and all that.
https://someonewhocares.org/hosts/
I have a PiHole with over 980,000 blocked domains registered, from ads to known malware and China / Russian baddie sites.
It's not reasonable to even attempt to manually create and manage a hosts file that large. Just get a PiHole and stop thinking you can do it better because you're a 1337 h4x0r.
There’s ads and there’s ads. I have no problem seeing a small numbers of ads on sites that use the revenue to keep it going. The real problem for me is the likes of our now corporate owned local newspapers (and the Daily Mail) who have so many ads and sponsored posts (particularly the latter) that you can barely read the actual content. I only go to my local rag if there’s some major incident on the local highway, which I’m sure isn’t what they want, but it’s a circular problem. The Onion has more content than they do. Does Pi Hole address this problem?
The big problem with letting even some ads through is that every single ad network has been compromised by hackers to serve up malware ads, multiple times. Even the small 'good' ones. And these bad ads generally don't even have to be clicked, just being displayed is enough. So blocking them is just basic hygiene. And then I subscribe to sites that allow me to, like Ars. I would cough some up for El Reg, too!
>> only go to my local rag if there’s some major incident on the local highway, which I’m sure isn’t what they want, but it’s a circular problem. The Onion has more content than they do. Does Pi Hole address this problem?
I can confirm that Pi-hole makes Reach Media/News sites (most 'local' news in the UK) actually readable! Sadly many "quality news" (their words not mine) are getting wise and I am seeing many more detecting the DNS hole and demanding payment for ad-free access...
A PiHole should be just one of several layers of protection - you should be using a browser that allows installation of uBlock Origin and Privacy Badger at the minimum, ideally along with NoScript. On top of all of the above on my computers and phone, my phone even has the addition of its own block list in the form of NoRoot Firewall.
That's been my setup for quite a few years - pair of pi-holes and Firefox running uBlock Origin and Privacy Badger. Looks like I will be investigating LibreWolf real soon now. Oh and shout out to fbpurity for allowing me to continue using FarceBook to keep in touch with family and friends.
Before I moved to Privacy Badger I tried using uMatrix for fine-grained script control but every time I wanted to make a purchase on a new website I found that I needed to repeat the payment process five or six times whilst adjusting settings, often resulting in a failed payment or even worse a duplicate payment. Would I be right in thinking that NoScript will have the same issue?
I have a PiHole with over 980,000 blocked domains registered, from ads to known malware and China / Russian baddie sites
I've got several countries' IP ranges blocked on my OpenWRT firewall (Russia, China, NK, Pakistan etc etc) - all countries that regularly hit my honeypots. I'm pretty certain that there's an OpenWRT version of PiHole - must give it a go.
dual pi-holes that use local bind servers that query DNS over TLS at home and all my mobile devices wireguard home automatically when they're not on my home network.
Having symmetrical gig helps here. But you could host a pi-hole in the cloud and do the same thing for pennies a day.
Version 6 mashed my server. The server that also performs some other essential LAN tasks that require Nginx - like controlling all my smart switches.
I've used Pi-hole for years and updates just worked. Unsuspectingly - there was no warning - it upgraded to version 6 and everything stopped. It even required sudo to try and sort. I also tried the fixes that other panic struck Admins had posted but losing your DNS and other LAN functions is not a nice feeling. Of course I had a cloned backup which I chucked at it and have resisted upgrading until I know the issues are fixed and it will either work with other software again or whether I need to spin it off onto a dedicated server.
New versions of software are invariably more buggy than the last. For vital apps a warning is really necessary so the unbrave can await the hiccup reports of the brave which alphas, betas and RCs don't reveal.
But devs, I still love you!
I suspect it’s that the settings from /etc/dnsmasq.d are no longer read and are directly embedded in the Pihole toml config.
There’s an env var you can set to revert the behaviour (FTLCONF_misc_etc_dnsmasq_d)
When I upgraded I had switchable terraform config based on the docker image (2024.07.0 used v5 config etc) while I was testing it out.
A couple of weeks later I’m finding it exactly the same functionally for DNS but the HTTP api has changed massively so if you have tooling that uses that I would still hold off until the tooling catches up.
There was supposed to have been a warning during update, but I was one of many that it didn't appear for. And sod's law I skipped the backup on this update. Doh!
What also didn't appear was the warning to disable lighttpd.
A fix here:
https://discourse.pi-hole.net/t/pi-hole-update-caused-web-to-stop-and-no-resolution/76412/3
Also need to carefully read the scrolling text of the update as there is an easy to miss line in there with your new webpage admin password.
Of course, trying to diagnose the network and read online details is tricky when you have no network. LOL. Which meant I had to do some research via my phone's 4G to get this fixed.
All running lovely again now. Have used a Pi and Pi-hole for many years.
>>What also didn't appear was the warning to disable lighttpd.
Interesting - I upgraded Pi-Hole to V6 over the weekend and definitely got a message saying something like "I have a built in web server now, do you want to disable lighttpd?" with Yes as the default....
>>Also need to carefully read the scrolling text of the update as there is an easy to miss line in there with your new webpage admin password.
Not applicable to my upgrade either - I just logged in using the old one (cached by FF on my phone) and it worked first time-ish; the saved page on the phone pointed to a page that no longer exists on the upgraded software.
!M (NoMachine) also continued to work on the same host.
I guess it's a typical Linux YMMV issue depending on exactly how you had Pi-Hole set up and how you use the box it's running on.
Using containers and docker-compose for this kind of thing makes it much, much easier to test upgrades, pin to specific versions of a stack, and roll back upgrades that go awry if needed.
Like you I'm also running nginx on the same box, but am also running Home Assistant, dump1090, Joplin (with its own postgres), and Bookstack (with its own mariadb). All safe in the knowledge that an update to one is vanishingly unlikely to cause issues with any of the others. And none of them took more than 10-15 minutes to get a stack up and running in the first place.
I use docker-compose and the update still broke my setup. Because I was using dnsmasq for wildcards and it now requires adding an environment variable.
I didn't know something broke until a couple of days later because Watchtower did the update and it only affected my tailnet addresses. Then I did some wild goose chasing before homing in on pihole.
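The two failure modes described in the comments above (dnsmasq.d no longer read by default after the v6 upgrade, and an unattended Watchtower pull rolling the resolver forward) are both things a pinned compose file avoids. The following is an added example, not Pi-hole's own compose file; the image tag, the upstream resolvers, the host paths and the wildcard domain are assumptions to adapt.

```yaml
# docker-compose.yml for a Pi-hole v6 container (added example; tag, paths
# and addresses are assumptions, not values taken from the project).
services:
  pihole:
    image: pihole/pihole:2025.02.1   # pin a tag you have tested; never :latest on a resolver
    container_name: pihole
    hostname: pihole
    restart: unless-stopped
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"                  # v6 serves the admin UI itself (no lighttpd or PHP)
    environment:
      TZ: "Europe/London"
      # v6 keeps its settings in pihole.toml; FTLCONF_<section>_<key> overrides
      # a key at start-up, which is how these are set without editing the file.
      FTLCONF_webserver_api_password: "change-me"
      FTLCONF_dns_upstreams: "1.1.1.1;1.0.0.1"    # upstreams are ';' separated in v6
      # v6 stopped reading /etc/dnsmasq.d by default; switching it back on keeps
      # custom fragments (wildcards, extra hosts) working after the upgrade.
      FTLCONF_misc_etc_dnsmasq_d: "true"
    volumes:
      - ./etc-pihole:/etc/pihole           # gravity DB, query DB, pihole.toml
      - ./etc-dnsmasq.d:/etc/dnsmasq.d     # e.g. 02-wildcards.conf: address=/.lab.example/192.168.1.50
    cap_add:
      - NET_ADMIN                          # only needed if Pi-hole is also the DHCP server
    labels:
      # keep Watchtower's automatic pulls away from the resolver; upgrade it by
      # changing the tag above and bringing the stack up deliberately
      com.centurylinklabs.watchtower.enable: "false"
```

To test an upgrade the way the container-based commenters describe, copy `./etc-pihole` to a second directory, run a second service from that copy with a newer tag and different host ports, point one client at it, and only then move the tag on the real one. On a Debian/Ubuntu host remember that systemd-resolved's stub listener already owns 127.0.0.53:53 and some distributions bind it to the LAN address too, so check `ss -lunp | grep :53` before the first `docker compose up`.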
You may want to check here.
"On modern Debian/Ubuntu-based Linux systems, you'll also have to add an AppArmor exception for this new file so unbound can write into it.
In my case, the upgrade to v6 did not complete (still worked as intended) had to purge AppArmor even though it was disabled at the kernel command line.
... Is it really worth setting up a dedicated ad-blocker on your own network?
Yes, definitely so.
I have been running Pi-hole as a recursive DNS server on a VM in my Linux box (Devuan) for over three years now and it performs quite well.
Had no issues updating to v6.
Kudos to the Pi-hole devs for their work.
I have a pair of adguard servers (they don't sync but are on physically separate machines) plus my normal dns. I've been thinking of collapsing it all into a bind9 dlz adblock (https://github.com/Trellmor/bind-adblock) as I don't need a UI most of the time, except when I need to temporarily disable it.
I haven't tested the new Pi Hole but for older Pi Holes I find AdGuard Home a much better solution. The interface looks much cleaner and offers all necessary things:
- adding filter lists
- set local domain resolution
- easy un/blocking
...
I know Pi Hole can do a lot more things than AdGuard Home but I'd say for 99% of the people AdGuard Home will suffice.
As an ex Pi-Hole user, I also recommend AdGuard Home. The biggest reason is that it gives you more control, you can map certain domains to certain DNS servers.
Eg, while Pi-Hole has a private IP block setting for your reverse DNS (in-addr.arpa), it only has 1, so it doesn't work if you have IPv4 and IPv6 reverse zones. Or if you need to map a certain domain to some internal DNS server for some other reason. My hack with Pi-Hole was to point Pi-Hole to dnsdist, and then use dnsdist to handle the mapping. With AdGuard Home, I don't have it.
AdGuard Home is OSS (it's on github), just like Pi-Hole, so the "Do you work for..." comments really don't make any sense.
Full disclosure: I was an AdGuard customer long before I ever found out about the Home product.
> I find AdGuard Home a much better solution.
Awareness is a problem.
I haven't heard of this before. I just spent a few min scanning their web presence. It's rather advertorial in tone.
There's a nasty mix of "you don't need to know the techie stuff, just trust us!" and "here is the source code, read it for yourself."
The first of these always makes me distrust a project. The second of these just pisses me off.
I looked at the home page, the wiki, and the github. NONE of them tell me clearly, simply and concisely what it is, what it does, how it does it, and what you need.
My result is to close the tab and walk away.
PiHole does that. It is helping. It was easy.
I do not like projects that try to get coy and clever with me. Fly your flag, say what you do front and centre, and tell me how you pay for it.
I decided to go with AdGuard Home because it supports DoT and DoH out of the box, and I mainly wanted to use it on my 'smart' devices such as my TV and Firestick, which had hard-coded DNS (Google 8.8.8.8) and ignored whatever DHCP was providing.
So to get around it I installed an app called Intra, which is a DoH client for Android-based devices, and pointed it to the domain name of my AdGuard instance, which is actually running on a VPS I got on the Oracle free tier in 2021 and is still going strong. So I actually have some praise for Oracle for once.
I know I could achieve the same with Pi-hole and a few additional tools, but it was less work to get the same result with AdGuard. And as a bonus, since it's running on a VPS I can allow friends and family to access it from outside my home by setting them up a client ID on there.
Heartily endorse running on a separate Pi propped on an old christmas peanut selection tin[1] next to the router.
As much as I have fun at home, playing around with VMs[2] and running three separate LANs in the one tiny household[3], it is so much more relaxing to have a simple little appliance sitting well out of reach of that madness: no need to worry that a little oopsie will bring down the wifely wrath.
[1] ok, tin is optional, but useful for holding backup SD card, just in case; and the nuts were tasty.
[2] keep meaning to try Docker, but NAS is FreeBSD and just never got around to it; VMs seem to do the job. One day, Real Soon Now...
[3] And, by sheer luck and random cheap purchases, I now have a small box with 5 NICs available - mwaaa ha ha!
I've run pihole for a few years now, it's great, just works. I did have a similar issue to another commenter when it upgraded to v6, it took over another service's ports without telling me, not great but I survived.
Based on a homebrewed Pi CM4 NAS so very low power use.
I've managed to extend use of pihole to my mobile phone when out and about using free Tailscale. Tailscale have a blog with instructions.
Plus a tasker app to connect to Tailscale when I leave the home, and disconnect when on my home wifi.
You should be able to run it as a docker container on OpenWRT if your router's a supported chip architecture and has enough resources. I run OpenWRT on a Raspberry Pi 5 and it's plenty good enough to run both (I only have 80Mbps broadband and not much LAN-LAN traffic so the Gigabit port on the Pi5 split into multiple VLANs is plenty sufficient)
This doesn't I think stop adverts actually written into the page, with images if necessary, served from the server that delivers the page.
Which I find less objectionable, and also probably quicker.
And available for inspection by the page owner.
When the Web was mostly HTTP I made some use of the Squid proxy, which allowed analysis of the page, and replacement of some material with a short text: advert, or occasionally vile advert.
But building Squid with HTTPS and being Squid-in-the-middle is a step I've not taken, and I think neither have the distros.
squid and HTTPS is doable, especially if you control the downstream network connections and systems, and in that case is not particularly difficult. Perhaps it helped that we had CA level certs that we could use to sign things, and indeed could drop those certs on all the systems downstream. Since it was an enterprise we could manage redirects at the core routers.
I make no comments on the nightmare fallouts that security had to cope with after the fact............
I've been using a pi-hole for a while, running on a Raspberry Pi Zero W. As a rule it's blocking about a third of all accesses.
The Zero W also serves as a streaming radio receiver using Mopidy, and an Airplay receiver using Shairport Sync.
Plan is to update that to a Zero W 2 as occasionally the current one is worked a bit hard and the 2 will have more grunt.
Upgrading my current pi-hole to 6 caused me a bit of an issue where the service was running but the web interface wasn't, due to complaining about unsupported OS.
I disabled lighttpd using "sudo systemctl stop lighttpd.service" and "sudo systemctl disable lighttpd.service"
Then I had to run the upgrade again using the command "sudo PIHOLE_SKIP_OS_CHECK=true pihole -r" and that fixed it up so now it's all good.
It's an invaluable addition to your network!
Currently running Pi-Hole on 2x RPi4, 4GB. One does most of the work, and the other is the second DNS server, doubling as a failover and upgrade test. It runs well, and I have plenty of resources left to run different VPN access on each one, so I can get in to my home network, PiAlert, NAS and lots more.
I can even ask Siri or Alexa to pause the blocking for 10 mins, with a bit of help from TriggerCMD
Unfortunately Gravity-Sync (a script to keep multiple Pi-holes in sync) is no longer supported with V6, which makes running >1 Pi-hole not quite as simple as it used to be.
Hopefully there will be a way to sync the settings (mainly manually-added domain blocks) before too long!
Very happy with it though - have it running on an old Model B and a Zero WH (and would use QNAP Container Station if it wasn’t such a RAM hog even with no load…)
Although it is mentioned in passing, there are BIG advantages to switching off DHCP on your router and enabling it on the Pi-Hole
By doing this, the Pi-Hole can identify each client individually (by MAC address) and so set up black/whitelisting rules per-client. This is incredibly useful - eg, you can whitelist some evil-but-necessary-because-it-won’t-work stuff for specific devices (tv, gadgets etc) without exposing your general PCs and laptops to the same
If you use the router’s DHCP then as far as the Pi-Hole is concerned, all DNS requests will look like they come from the router. And so you can’t apply the per-client rules
The Pi-Hole DHCP is optional but it’s very easy to install and get going so there’s really no point in not doing it
I’ve been using v5 of Pi-Hole for about 3 months and my experience is that it takes a bit of work to “train” it (so stuff is blocked without breaking too much) but once it’s working ok, it’s great. I think I’ll hold off updating it to 6 though. At least for a while
And just to give you an idea, I’ve just checked the stats and so far it has blocked over 65% of all DNS requests. That’s an awful lot of crap it has stopped
That MAC to machine name DHCP feature has kept me happily oblivious to local IP addresses for more than two decades now! I also used a hosts file from GitHub configured as an additional DNS source. A simple cron job to git pull, then restart dnsmasq, and you have an even simpler Pi-Hole.
If you have dnsmasq (on a machine with static IP address) and don't know about this feature, look at the examples in the config file.
Taking your router out of the equation makes your backups more effective too as all the config is on one machine that you control.
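Two threads above touch the same thing: the "hosts file searched linearly" objection, and the cron job that pulls a hosts-format list from GitHub and restarts dnsmasq. What follows is an added example, not code from the page, from Pi-hole or from dnsmasq: a small POSIX shell script that turns a hosts-format list into a dnsmasq `address=` fragment, keeping only entries that are syntactically valid hostnames (so a tampered or garbled download cannot feed junk to the resolver), checks the result with `dnsmasq --test` before it replaces the live file, and only then restarts. The sample list it runs on is constructed inline; the install path and the list URL are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from the Pi-hole/dnsmasq projects.
# Converts a hosts-format blocklist ("0.0.0.0 ads.example" style) into a dnsmasq
# fragment. Once loaded, dnsmasq keeps address=/x/ entries in a hashed structure,
# so the linear-scan concern that applies to /etc/hosts does not apply here.

# hosts_to_dnsmasq FILE: print one "address=/host/0.0.0.0" line per valid,
# unique hostname in a hosts-format FILE. Comments, IPv6 lines, the localhost
# boilerplate and anything that is not a plausible hostname are dropped.
hosts_to_dnsmasq() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }                 # comment or blank line
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next } # only sinkhole lines
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (h ~ /^#/) break                   # trailing comment starts
                if (h == "localhost" || h == "localhost.localdomain" ||
                    h == "local" || h == "broadcasthost" || h == "0.0.0.0") continue
                if (length(h) > 253) continue
                if (h !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$/) continue
                if (!seen[h]++) print "address=/" h "/0.0.0.0"
            }
        }' "$1"
}

# count_blocked FILE: number of hostnames the fragment would sinkhole
count_blocked() {
    hosts_to_dnsmasq "$1" | wc -l | tr -d ' '
}

# install_blocklist URL [DEST]: fetch, convert, syntax-check, then reload.
# The fragment is built in a temp file and checked with "dnsmasq --test" before
# it replaces DEST, so a broken or empty download never takes DNS down.
install_blocklist() {
    url=$1; dest=${2:-/etc/dnsmasq.d/99-blocklist.conf}
    tmp=$(mktemp) || return 1
    curl -fsSL --max-time 60 "$url" -o "$tmp.hosts" || { rm -f "$tmp" "$tmp.hosts"; return 1; }
    hosts_to_dnsmasq "$tmp.hosts" > "$tmp"
    [ -s "$tmp" ] || { echo "empty blocklist, keeping old config" >&2; rm -f "$tmp" "$tmp.hosts"; return 1; }
    dnsmasq --test -C "$tmp" >/dev/null 2>&1 || { echo "dnsmasq rejected fragment" >&2; rm -f "$tmp" "$tmp.hosts"; return 1; }
    install -m 0644 "$tmp" "$dest" && rm -f "$tmp" "$tmp.hosts" && systemctl restart dnsmasq
}

# Constructed sample in the format such lists use (not a real list).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Example list
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # mixed case and a trailing comment
0.0.0.0 ads.example.com       # duplicate, emitted once
0.0.0.0 not_a_host.example    # underscore: not a hostname, dropped
::1 ip6-localhost
0.0.0.0 bad..example.com
EOF

hosts_to_dnsmasq "$SAMPLE"
# Real use from cron: install_blocklist https://example.invalid/hosts.txt
```

Running the script prints only `address=/ads.example.com/0.0.0.0` and `address=/tracker.example.net/0.0.0.0`; the other lines are rejected. The `dnsmasq --test` step is the one to keep even if you throw the rest away: it is what turns a bad download into a logged failure instead of a LAN without DNS.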
> By doing this, the P-Hole can identify each client individually (by MAC address) and so set up black/whitelisting rules per-client.
> This is incredibly useful - eg, you can whitelist some evil-but-necessary-because-it-won’t-work stuff for specific devices (tv, gadgets etc)
That's a good idea... like blocking any Brother websites for printers so they don't download newer firmware.
Tried that, had issues with DHCP on the pi-holes. Nope, separate DHCP server it is.
No, my old age brain fog won't let me remember exactly why it kept breaking, but it kept taking the network down.
My pi-holes are VMs on 2 separate servers so I've got redundant DNS on my network. And because I caught my ISP hijacking port 53, they're running a proxy that does DNS over HTTPS to get clean lookups.
>> If you use the router’s DHCP then as far as the Pi-Hole is concerned, all DNS requests will look like they come from the router.
Configure your router to hand out the Pi-Hole IP as the DNS server when queried for DHCP info rather than the router IP. Then clients will query the Pi-Hole directly, not relay through the router. You already are configuring the router to use the Pi-Hole as its DNS server so it's just one more setting.
>>Configure your router to hand out the Pi-Hole IP as the DNS server when queried for DHCP info rather than the router IP.
Exactly this - Can't understand why tech savvy people don't do that by default.
I guess some ISP supplied routers won't let you mess with the DHCP setup (in which case install your own router inside the ISP one and connect to that; benefit is you get a DMZ for free and a 'guest' wifi from the ISP router. Ok the double NAT might be a problem for some things but that is solvable as well)
I've never seen an ISP router/gateway that won't let you modify the LAN configuration including the subnet to use and the DNS servers to hand out. (I did run into one that simply wouldn't let me use the 10.x.x.x range.) It's usually best to disable everything in the ISP device if you want to use your own router; it's not exactly hard to turn on a "guest" Wi-Fi in whatever router you might use so there's no need to depend on the Wi-Fi in the ISP gateway. And depending on how your ISP's router works, even if you do leave the Wi-Fi enabled, the "double-NAT" issue can be hidden and doesn't cause problems. Fiber gateways generally allow you to enable a pass-through mode so your router will think it has a public IP when it's really the IP of the gateway, so both of them will work at the same time.
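The DHCP discussion above comes down to one option: whoever hands out leases must hand out the Pi-hole, not the router, as the resolver, or every query reaches the Pi-hole with the router's source address and per-client groups are useless. This is an added example, not from the page: the relevant dnsmasq DHCP settings for a router (the Pi-hole's own DHCP server is dnsmasq too, so the same directives apply there). The addresses, interface name, MAC addresses and the 9.9.9.9 alternative resolver are assumptions.

```conf
# Added example, not from the page: DHCP for a LAN whose resolver is the Pi-hole,
# in dnsmasq syntax. Assumed: router 192.168.1.1, Pi-hole 192.168.1.2 (static,
# outside the pool), LAN interface br-lan.
interface=br-lan
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1

# Clients get the Pi-hole as their only resolver, so each query arrives with the
# client's own source address and per-client rules can be applied. Handing out
# 192.168.1.1 here would make every client look like the router.
dhcp-option=option:dns-server,192.168.1.2

# Fixed leases for devices that need their own rules; a stable address keeps the
# Pi-hole group membership attached to the right box after a lease renewal.
dhcp-host=aa:bb:cc:dd:ee:01,livingroom-tv,192.168.1.50
dhcp-host=aa:bb:cc:dd:ee:02,partner-laptop,192.168.1.51,set:nofilter

# Alternative to a "do not block" Pi-hole group: tagged clients are handed a
# different resolver and never touch the Pi-hole (so they also lose the malware
# lists; a Pi-hole group that only disables the ad lists is the gentler option).
dhcp-option=tag:nofilter,option:dns-server,9.9.9.9

# Dual-stack LAN: hand out the Pi-hole's IPv6 address as well and stop the router
# advertising itself via RDNSS, or IPv6-capable clients quietly bypass it.
# dhcp-option=option6:dns-server,[fd00:1::2]
```

Two checks after applying it: `nslookup example.com` from a client should show the server as 192.168.1.2, and the Pi-hole query log should show the client's own address, not the router's. Devices with a hard-coded resolver ignore all of this; those need the firewall redirect discussed further down.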
I have the opposite of the Midas touch when it comes to Raspberry Pis. For whatever reason, sooner or later, they’ll simply refuse to boot and I have to start from scratch. That’s with three different Pis, vanilla installations and quality SD cards.
And I have a VPN on a DD-WRT router which adds a layer of complexity and increases muchly the risk of total lack of success.
So, to my eternal shame, I’m declaring myself incompetent and I’m ooot.
I have bought more-or less two of every generation of Pi, and have never once had an SD card failure. This might be because I only use good quality SD cards (look at the "official" RPi cards to see the manufacturer).
The other thing I do (in /etc/fstab) is to mount a tmpfs ramdisk on /tmp (try compiling with and without, or use vifm to monitor /tmp while you compile to see what I mean). Systemd (spit!) also makes heavy use of /tmp.
/var/log is another source of "drip-drip" writes, so do the same with that (of course you can comment it out if you really want to debug something!).
zram can help avoid swapping writes, depending on your use case and memory (look into zswap instead if you cannot avoid physical swap).
To see how you are doing, try adding the following lines to your config.txt (not for Pi5 or Pi500 though):
dtparam=pwr_led_trigger=mmc0
dtparam=act_led_trigger=actpwr
The green LED is now a power/activity indicator, and the red one signals SD card access (both reads and writes though).
One thing I wish pi-hole did by default is to send the DNS lookup logs to RAM disk rather than the SD card to save hammering the latter. You can switch the logs off but they are too useful.
I sorted this by creating the RAM disk and then setting appropriate symlinks from /var/log to it. Not difficult to do but it would be nice if it was an out-of-the-box option
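For the two comments above about keeping /tmp and /var/log off the SD card, here is the fstab form of it as an added example (not from the page). The sizes are assumptions; check `du -sh /var/log` first, because a tmpfs that fills up stops logging silently.

```conf
# Added example, not from the page: /etc/fstab entries that keep temporary files
# and logs in RAM on a Pi-hole. Sizes are assumptions; size to your own usage.
tmpfs  /tmp      tmpfs  defaults,noatime,nosuid,nodev,size=64m,mode=1777           0  0
tmpfs  /var/tmp  tmpfs  defaults,noatime,nosuid,nodev,size=32m,mode=1777           0  0
tmpfs  /var/log  tmpfs  defaults,noatime,nosuid,nodev,noexec,size=64m,mode=0755    0  0
```

Three caveats a practitioner would want. An empty tmpfs has none of the subdirectories services expect at boot, so create them with systemd-tmpfiles, for example a line `d /var/log/pihole 0755 pihole pihole -` in /etc/tmpfiles.d/pihole.conf (adjust the owner to what your install uses). journald keeps its own journal in RAM if journald.conf has `Storage=volatile`, which covers the "systemd makes heavy use of it" point. And the Pi-hole query database lives under /etc/pihole, not /var/log, so it keeps writing to the card whatever you do here; its retention is a Pi-hole setting, not an fstab one.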
I've had it running on a Pi4 for a few years now - never a blip. Some minor wobbles with the upgrade to v6, but easily fixed (I waited for the first few point releases to come out). It's really nicely designed and so easy to setup. Now, where's that allowlist the El Reg? Happy to add that in if someone can provide pointers. Or I suppose I can just load a few pages on here, watch the block logs and build it up that way?
> Now, where's that allowlist the El Reg?
This was my first time installing the product so I have no idea of the required syntax or anything.
If it was AdBlockPlus or µBlockOrigin, I'd add:
https://www.theregister.com
https://www.theregister.co.uk
https://www.devclass.com/
https://www.blocksandfiles.com/
https://www.nextplatform.com/
https://theregister.com
https://theregister.co.uk
https://devclass.com/
https://blocksandfiles.com/
https://nextplatform.com/
I think that ought to do it.
I will probably now realise I've forgotten something ...
I've been running Pi-hole for a few years here. A neat trick is to set up the Pi-hole host as a Wireguard VPN server and your mobile devices as clients. You can set it up such that the VPN is used only for DNS queries. This way you get all the advantages of Pi-hole ad blocking while mobile, without the slowdown of routing all your traffic through the VPN. As far as I can remember, there are instructions on how to do this in the Pi-hole documentation.
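The "VPN only for DNS" setup above is one line in the client config: AllowedIPs restricted to the Pi-hole's tunnel address. Added example, not from the page or the Pi-hole docs; the tunnel addresses, the endpoint name and port are assumptions.

```ini
# Added example: client (phone) side of a DNS-only WireGuard tunnel. Assumed: the
# Pi-hole host runs the WireGuard server with tunnel address 10.8.0.1, reachable
# at vpn.example.net:51820; the phone is 10.8.0.2.
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/32
# The Pi-hole, reached through the tunnel, is the only resolver the phone uses.
DNS = 10.8.0.1

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.net:51820
# Only the Pi-hole's tunnel address is routed through the VPN; everything else
# leaves the phone normally, so there is no full-tunnel slowdown. A wider
# AllowedIPs (0.0.0.0/0) is the full-tunnel variant.
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25
```

On the server side the matching `[Peer]` needs `AllowedIPs = 10.8.0.2/32`, UDP 51820 forwarded from the router, and the Pi-hole must be set to answer on the wg0 interface (its default listening mode only covers the LAN interface). Two limits: an app with its own hard-coded resolver, or Android's "Private DNS" pointing elsewhere, still goes around the tunnel, and because only the /32 is routed, nothing but name resolution is protected by it.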
For me, this is a two pronged approach with the pi-hole (these are the v6 environment var specs, true is the default, but I like to make sure I'm doing it in case they change the defaults.).
"FTLCONF_dns_specialDomains_mozillaCanary" = "true"
"FTLCONF_dns_specialDomains_iCloudPrivateRelay" = "true"
And then I also subscribe to the hagezi DoH block list via https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh.txt
So, the answer is 'yes' you can relatively easily with the pi-hole.
Of course, for the extra tinfoil; there's more firewall blocking that you need to do (for DNS requests other than from the pi-hole, and the IP addresses of the well known DoH hosts).
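The "more firewall blocking" in the comment above is the part most write-ups skip, so here it is as an added example for a Linux router running nftables (not from the page or from Pi-hole). It forces plain DNS from the LAN through the Pi-hole, cuts off DNS over TLS for everything except the Pi-hole, and blocks DoH endpoints by address since DoH cannot be told apart from HTTPS by port. The interface name, addresses and the placeholder DoH set are assumptions.

```nft
# Added example, not from the page: nftables rules for a Linux router that funnel
# all plain DNS through the Pi-hole and close the obvious bypasses.
# Assumed: LAN interface br-lan, LAN 192.168.1.0/24, Pi-hole at 192.168.1.2.
table inet dns_guard {
    # DoH endpoints you choose to block. 192.0.2.0/24 is a documentation
    # placeholder (constructed); fill the set from a maintained DoH address list.
    set doh_servers {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # A client that insists on 8.8.8.8 (smart TV, Chromecast) is answered by
        # the Pi-hole anyway. The Pi-hole's own upstream queries are excluded or
        # they would loop back to it.
        iifname "br-lan" ip saddr != 192.168.1.2 udp dport 53 dnat ip to 192.168.1.2
        iifname "br-lan" ip saddr != 192.168.1.2 tcp dport 53 dnat ip to 192.168.1.2
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin: client and Pi-hole share the LAN, so the reply would go straight
        # back and never be un-NATed. Masquerading the redirected packets forces the
        # reply through the router; the price is that redirected (misbehaving)
        # queries show up in the Pi-hole log as coming from the router.
        oifname "br-lan" ip daddr 192.168.1.2 udp dport 53 ct status dnat masquerade
        oifname "br-lan" ip daddr 192.168.1.2 tcp dport 53 ct status dnat masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Only the Pi-hole may reach upstream resolvers, plain or over TLS.
        ip saddr 192.168.1.2 udp dport { 53, 853 } accept
        ip saddr 192.168.1.2 tcp dport { 53, 853 } accept
        # DNS over TLS from anything else has nowhere to go.
        iifname "br-lan" tcp dport 853 drop
        # DoH shares port 443 with the web, so it can only be blocked by address.
        iifname "br-lan" ip daddr @doh_servers tcp dport 443 drop
    }
}
```

Load it with `nft -f` and confirm with `dig @8.8.8.8 example.com` from a client: the answer should now come from the Pi-hole (the log shows the query) rather than from Google. Caveats: blocking a DoH provider by address also blocks any other service behind the same addresses, which is why the hostname-based DoH blocklist mentioned above does most of the work and this set should stay short; a dual-stack LAN needs the same rules written for `ip6`, or IPv6 becomes the bypass; and on OpenWrt express this through firewall4/UCI redirects rather than loading a raw file next to the generated fw4 table.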
Nope. They go right around my PiHole.
My opinion... DNS over HTTPS is overblown. This is something browsers are 'selling' to keep your evil ISP from spying on you....but letting the browser company spy on you instead. You can setup the PiHole to use DNS over HTTPS if you are worried about your ISP spying.
I have a lot of lists in my PiHole, and it is sometimes too aggressive. I will have a secondary browser (usually Chrome) set to use DNS over HTTPS. If I reach an incompatible website, then I will use that browser for the task rather than my primary browser.
I learned that streaming media sites will NOT work if the PiHole is blocking anything. Even when I have paid the streaming site for their ad-free service, it still breaks. So they get a dedicated browser for just that purpose, and all the interesting stuff they really want to spy on happens via a different secured browser.
Actually, now I have had an evening to ruminate on this....
It's called a Pi-hole. Does the upgrade work on a Pi? No.
If you look on the discord forums, Reddit posts or github issue tracker, it's obvious there are problems (and problems in how the devs are handling user push-back), but especially with trashed SD cards and the Pi 1.
There's a long line in this world of people trying to tell you that bad is good: the 1 star Skype app, Sonos, Firefox Daylight, Thunderbird SuperNova, and my evolved response is best summarized by Tony from LC Signs: "Don't care". It becomes an institutional problem when people try and tell you it's your fault that they've done a bad job, there's no method to downgrade to a previously working version, and the upgrade was prompted by a "you can upgrade with pihole -a" message displayed on the v5 dashboard.
AdGuard Home, here I come.
> Actually, I just upgraded to v6 (it looked so simple), and the web interface is, of course, broken.
It is a RasPi FFS.
Can you still buy an 8GB SD card? If so, I bet it costs less than a pint.
There are some reports of breakage on upgrade. So, don't.
Remember the KISS principle.
New card. New OS image. Update it. Install Pi-Hole 6. Does it work? Yay! Job done.
Have you uploaded fancy customisations? Put the old card in the free card reader doodad you got with your card. Extract the file. Re-upload it.
I am a tightwad and buy as little kit as possible and even I have half a dozen of the things among my desk kipple and I use them to store cards in, because microSD cards are slightly bigger than my damned toenail clippings. If they had labels on I couldn't label the damned things because I can't hand-letter 4 point text, and if I could, I couldn't read it without taking my specs off anyway.
Don't back up the old card. Keep it. There's your backup. Why waste your time? Downloading a new copy of Pi OS took me about 30sec on the cheapest slowest broadband I could buy.
Why do people actively try to make their own lives difficult when it is quicker, cheaper and easier to just follow the KISS principle?
Do you do it because you like whinging so much you have to actively find ways to break things so you have stuff to whinge about?
Is it not KISS to simply press the upgrade button rather than build a whole new instance and restore the backup with then fettling to fix things that don’t carry over to the new version correctly?
People clearly have different meanings for KISS.
There has been a history of buggy updates for pihole, I used to run it in containers and I’d clone an instance, upgrade the clone and ensure all was happy before just keeping on using it, worst case was I’d delete the clone and use the original and try again after a month or so.
That was my KISS.
Yes. It's on a Pi, but I was KISS.
"The main drawback of a filtering proxy is that you need to run copies on all your computers – and it won't help with phones, tablets, smart TVs, and other devices on which you can't do that."
Huh? That's not right. You can (a) configure your devices to all point to the filtering proxy (I have Privoxy running on my OpenWRT router, and it's a simple enough process to change any device - including phones, tablets, and I believe even my smart TV supports a proxy) to point at it.
You absolutely do NOT need to run it on "all your computers". You *may* want to run it on your laptop if you take it on the road and can't be bothered (or don't have the bandwidth) to configure a VPN connection back to your home (which actually isn't that hard to do if you use a router with a VPN server built into it). Or if you travel a lot, it might be worth investing in a travel router that has Privoxy built into it or available for it.
Please go back and re-read the article.
The line you quote is clearly in the section, at the bottom, labelled "Alternatives" and, as the first paragraph says:
> For instance, it is possible to run an OS-level ad blocker
and then name-checks Privoxy as an example of a filtering proxy, which can be installed into your client PC's OS instead of expecting to be installed on a separate server, such as a Raspberry Pi or an OpenWRT router or (see above for other suggestions).
As you point out, you have determined that you can *also* run Privoxy under OpenWRT - in which case, you are using it in the same way as Pi Hole is being recommended - i.e. you are *NOT* running it as "an OS-level ad blocker" but as a LAN-wide blocker. Good. Neat. You have demonstrated that Privoxy can be run in BOTH modes. Splendid.
However, if you *had* installed Privoxy in "an OS-level ad blocker" mode - or run some other potential "OS level ad-blocker", especially one[1] which had decided not to allow connections from any non-local process, then you'd be in the situation that the article describes: needing a copy per computer.
[1] if there are any - I'd bet that some paid-for proxy works like this, if only to prevent its use LAN-wide without buying more copies
Regardless of whether Privoxy is installed on the machine or on the router, other clients can certainly use it. You configure client usage the same way regardless of whether it's installed on your system or on a router, NAS, or other device - you configure your web browser (or system) proxy settings to point to the privoxy server on port 8118 (by default).
Just because the service runs on your system as opposed to a router doesn't make it an "OS-level ad blocker". The OS still needs to send all outbound http/https requests through the proxy, because privoxy is *fundamentally* a filtering proxy.
Regarding phones, I've been running Block This! on my Android phone for several years and it keeps the noise down remarkably well. I think it was recommended here on El Reg a while ago.
It is a side load, of course, because. . . well. . . Google.
I've used pi-hole for years. It works.
I, a 71-year old male euro-american, get ads, in Spanish, for feminine hygiene products. The ad networks really can't tell much about me.
If you use it, run apt updates, and pihole updates, about once a month. And zing the pi-hole developers a few bucks.
Use the Chrome Pi-Hole extension, it will allow you to whitelist/blacklist any site you're on currently as well as disable pihole for x amount of minutes. Recently been updated to pihole6 compatibility. I think there are Chrome/Firefox versions available. https://github.com/badsgahhl/pihole-browser-extension
I want to setup Pi-Hole or use AdGuard or something else network-wide, but you can't selectively filter on an individual machine with those. You can't say I want this browser to accept ads from this domain because the site doesn't work without them. Or say for 5 minutes, turn off filtering for this browser. At best you can log into the Pi-Hole and bypass filtering for an entire machine (which seems difficult too). You can't filter JavaScript which is even worse than ads in many ways, since Pi-Hole is just DNS. If I'm going to have to run client-side stuff anyway, I just want to do it all on the machine instead. My browser extensions for filtering can sync between devices. Chrome on my phone is the only one that's a problem but AdGuard DNS is good enough for that. But now I have multiple extensions that are going to be disabled permanently soon because they are Manifest V2 or "don't follow policy" or whatever Google's excuses are. I need to find a new Javascript filter most especially, if that's even possible with V3, but even my HTML5 Autoplay filter is going to go away.
I'm pretty sure you can do per-client settings via a Pi-hole. Or rather, you can add clients to 'groups', and customise the filtering per-group.
For example, I can put my work laptop into a group I imaginatively call "work stuff", and I can add a rule to whitelist my work domain which only applies to that group.
Per-client, yes, though not with a quick click in the browser (unless the one comment is legit about an extension to do it), but you can't do per-app settings. Having to manage the Pi-Hole to allow a single domain in a single app temporarily isn't possible, and but I can do it by just clicking twice in the browser on an extension. Javascript filtering and bypassing those blocks per-domain is just as important to me and there simply isn't any way to do that centrally other than a proxy, which would have the same limitations.
It has been over a decade since I've been annoyed by popups or audible ads. I've bandwidth to spare nowadays compared to the old modem or DSL days, so I just don't bother with blocking.
I actually find it quite amusing that people still go to such extreme measures and get so upset because there are ads; tech pages have few ads. Stop surfing PornHub and maybe you won't have those problems...
> so I just don't bother with blocking.
Either you are blocking and have forgotten that you are, or you are lying, because the unfiltered WWW in 2025 is a flashing neon nightmare.
I live on a desolate rock in the middle of a cold, polluted and mildly radioactive sea in the middle of the banana ~republic~ _monarchy_ of Brexitania, thanks to the waste reprocessing plant whose lights I can sometimes see on a clear night. I have the cheapest broadband I can buy. It costs 5x what I paid in Prague.
I do _not_ have more bandwidth than the nonexistent hypothetical deity. If you do, good for you, I type, lying through gritted teeth.
"whitelist El Reg"
I do have my ad blocker disabled for your site, the problem for you is that I have google advertising blocked by way of my hosts file, and you don't seem to have any other advertising. I don't apologize, you know what you need to do - there are other ways to show ads without using Google.
Just want to warn you all about a few issues.
1. Many sites have ad blocking detection and don't allow you to browse their site when you are blocking ads with pi hole
2. If you are upgrading pi-hole from an older version on a raspberry pi, you have to uninstall dnsmasq that was used on older pi hole versions. I fought with that for days before I got it up & running.
3. When setting up DNS on your router, don't set up a secondary DNS. If you do, your computer may use the secondary DNS to serve ads. If you must enter a secondary DNS in your router, use a public pi hole. I'm not going to post the public IP I found, but some good google-foo should find something.
> "Pi-hole doesn't block YouTube ads..."
Thanks, I thought I had read somewhere in the past that this was the case, and was scrolling the comments looking for confirmation. I still may set up Pi-hole at some point, but am in no hurry if it can't do this.
I watch a decent amount of YouTube lately, and most of the time this is via the app in my Roku smart TV (I know, I know...) I am very close to subscribing to YouTube Premium, even though I have an aversion to giving Google any money. At least some of it would go to the content creators, who I do wish to support.
I have used both pihole and currently pfblockerng with pfsense for several years now and they are both great. On occasion if I am roaming and forget to activate my wireguard VPN to route traffic through my home network, the normal news websites I use are almost unrecognisable with their horrific background ad images and inline ads. After one nauseating incident when I was confronted with a particularly visual ad for earwax removal whilst eating breakfast, I decided to discard all browser based Adblock solutions and use a network based blocker instead, and have never looked back. The only caveat with pfblockerNG is that “sponsored” google search engine listings are also blocked, which is OK because I always ignore these anyway.
Just rebuilt my Pi3B OS and installed Pi-hole 6.0.5.
V6 looks good and does the same job as V5. A few small bumps in the road, but mostly, basic function seems unchanged.
I have a pair of Pi3B's; one pi-hole and one Adblock Home. They both do the same job extremely well, so I switch between them from time to time.
Adblock Home does make it much easier to use an upstream DoH/DoS DNS. No need to install the Cloudflare app that Pi-hole needs.
(before some person asks, no I don't work for them...)
> What the heck is that system status screenshot from?
Good, innit?
It's "btop", latest in the line from bashtop/bpytop/gotop/bottom etc.
https://github.com/aristocratos/btop
I picked it 'cos it's right there in the Raspbian repos; `htop` was already installed, but I like the btop summary.
> worth the effort compared to [...] setting Adguard DNS or Mullvad DNS as the DNS server
Yes. YES!
It is _less_ effort than setting a custom DNS on... well, on anything. Sod that for a game of soldiers.
One tiny silent cool-running gadget built 100% from my junk pile, i.e. FREE, plus one setting on my router.
It is not _instead of_...
> just using a browser with uBlock Origin support and
I am doing that _as well_.
But I can't trivially easily do that on gizmos with OSes in ROM. So this is an extra layer.
TBH I have been meaning to do it for years, but there is never time and an adequate supply of Round Tuits (or any other shape).
But v6 came out and that was enough to justify a news story, and it looked like it'd be a very thin news story unless I actually _did it_.
Finding the kit, the PSU for the thing, an adaptor for the Czech PSU, and a card with nothing important on it so I could just wipe it, and tracing what the blazes the root password was, and finding that a copy of the Raspberry Pi imager app remembered settings from an old copy that I don't remember ever installing on a machine I never knew had it on before, and those old settings included a password I have no recollection of ever setting, but 100% could have guessed instantly if I knew were there...
... took longer than installing it.
YES it's easier.
If you are farting around setting custom DNS settings in Internet-of-shite gadgets, then You Are Doing It Wrong.
Doing it right is easier, and quicker, and cheaper, than bodging it.
And also, doing a clean install is easier than trying to do an in-place version upgrade -- an important lesson that half a dozen or more Anonymous Cowards in these comments _really_ should have learned by now.
Do not do in-place upgrades on £10 gadgets running from £3 storage media.
Don't even waste time backing up £3 storage media.
Install a new copy on a new medium and the old medium *is* the backup.
Quicker and easier.
Look for the easy route in life. Always remember the KISS principle.
> The result is you see fewer ads.
It is also that you are now using less bandwidth. It will not be much, but even if it is only 1% of the bandwidth on each and every webpage that means that the page will load 1% faster because you are not wasting packets, that you are paying for, downloading text and images that you did not want in the first place.
As a (simple and lazy) alternative I have a Firewalla Gold on my network which does an excellent job of blocking ads. I have run a few rudimentary tests on a few sites to see whether firewalla + pihole adds any additional value but I couldn't really discern any great improvement. Happy to be corrected if any reg'ers know better ;-)
I have a far simpler solution.
Any website that has advertising on it that I find distasteful in its execution, prevalence or subject matter - I stop visiting.
I've thus not needed any ad-filtering (despite spending much of my career implementing caching/filtering/reverse/etc. proxies, including building my own) on my home network at all.
Sorry, but as time goes by, having something read every network request, break open every secure page in order to mess with the code on that page isn't something I want on my home network, authorised or "internal" or not. If it becomes necessary for me to do so for a particular site, then I'll just stop using those sites. It's that simple. (And with HTTPS Everywhere, you have no choice but to do so, because pages will break if you just block DNS of known advertisers and they'll just all move to AWS and similar CDNs).
And I'm not on a particularly fast connection (75Mbps at best) so when things start trying to play video etc. and it gets out of hand... I just close those tabs and don't go back.
There is nothing on the Internet currently so fantastical and required that I feel I "have to" let it advertise at me in obnoxious fashions. I allow places like The Reg to get their little advertising revenue if they want / need it (though I never click on ads). But no government services, banking, etc. require it so I see no need to go about filtering it (and if I did, I'd filter it only for those necessary URLs and seriously consider how to leave such a dystopia).
Youtube got obnoxious ads? Cool. YT-DLP it is then. And I get to keep the video file forever as a bonus. And so on.
Websites should seriously consider this... there's a point at which I just switch off, as do most people. I'm not going to go out of my way and compromise my own browsing security just to cope with their ads. I'm just going to go elsewhere.
Sorry, but I have a bunch of spare Pis sitting right here, I have the knowledge to create a Linux / Apache / nginx / Squid-based proxy with filtering, caching, etc. at any point, and have done so in the past, and I really don't have the time to be doing that just because of obnoxious websites that will continue to do so.
Because that's easier to do. No hardware or software to acquire or maintain. Less faffing about.
And it works when you're away from your home network, which is 'often' for mobile phone users, and laptop users.
Something like NextDNS, or similar?
I'm open to alternatives, but the general idea seems sound to me.
> Why not use a cloud-based Pi Hole equivalent?
Hey, you do you, but TBH I read this with astonishment and incredulity.
1. Most cloud instances cost money: recurring payments. Something small and cheap on your own system is a one-off payment. You own it.
2. You're outsourcing part of your own system. Why would you want to do that?
3. You have to maintain that cloud box. That's a lot more work. Why take on a big task that's not essential?
4. For devices outside your network, use a local blocker, or outsource the problem to someone else, e.g. with AdGuard's free DNS: https://adguard-dns.io/en/public-dns.html
I mean those are just the first 4 reasons why not off the top of my head, but I am sure I could come up with more if you'd like.
The idea is barking mad to me, but look, if it works for you, then good.
I use a lot of apple stuff and pihole doesn’t work with vpn connections and private relay
Solution is a com profile, google it.
Easy to install works as well as pihole etc.
I also use dns over https profile on my ucg-ultra and drop port 53 outbound so every thing in my household is using the same adguard dns over https
works even when not in the home, uses dns over https and is less hassle than pihole for which I needed 2 Ubuntu docker hosts on my vm with a pihole each so that containers in 1 could use pihole in the other as they wouldn’t reach pihole in the same docker instance & occasionally 1 would crap out & I’d only notice when the things in 1 docker broke.
In fact since I got the ucg-ultra I no longer have my home server on as it was just doing opnsense (was pfsense till Netgate got nasty) pihole, prtg, plex (replaced with OTT clients), a download client, freenas (replaced with iCloud) and now occasional network labs (labs now at work), it’s so much quieter in the study now.
I simply don't use stuff like that. Too much work, ties me into payments to 3rd parties I don't want, it's more complexity than I need.
Again: KISS principle.
What you are doing sounds horrendous to me: gratuitously complex, ergo fragile. No thanks. The same applies to the docker thing.
As a general rule I choose the simplest possible solution.
Docker is the exact opposite of what you imply.
Updating to PiHole 6 didn't break Docker installs the way it broke normal installs. I didn't have to futz around with lighttpd, or uninstall dnsmasq, or whatnot. You recommended a clean install instead of updating PiHole. Guess what, that's what updating a container is, it is a clean install every time.
Containers are the lifeblood of modern self-hosting. It makes everything simple.
I run a bare metal Debian server for my home services. About 40 separate services and databases and so on, plus things I try out and then remove.
Now imagine if I just installed everything to the base OS. I doubt I would even manage that before my patience runs out or I break the OS, given all the potential conflicts.
Then imagine constantly updating those 40 apps to keep them secure, every time there's a new update. My OS would likely be broken within months, not the 3 years I've been running mine without a hitch.
Or imagine reinstalling the entire OS and apps every time I need to update anything (as recommended).
Containers are pretty much what enable me to have a functional home server. Docker+Portainer makes it very simple. Only basic system services run on the base OS, the rest go in containers that I can update all day and nothing will ever break. In fact, I have everything set to auto-update with Watchtower.
Been using Pihole 6 for a few weeks now and it's working really well here on a Pi Zero 2W. A couple of gotchas and observations:
1. It's perfectly happy on wifi. No need for ethernet. I use a pi zero 2W and it's absolutely fine. If you have a UPS for it, so much the better.
2. If you're running v5, don't do the automatic upgrade to v6. Nuke the SD card and start again.
3. Use the 32-bit edition of Raspberry Pi OS Lite. Not the version with the desktop, not the 64-bit version, and not the DietPi alternative (which isn't official and therefore can lead to additional issues). You'll need to use Raspberry Pi Imager to download it, which also includes a method for burning your wifi credentials etc into it. Otherwise you won't be able to connect to your Pi when you first put the SD card in the machine.
4. Run Raspberry Pi Imager as admin. It helps. And as well as putting in your wifi creds, remember to enable ssh.
5. Do a sudo apt update and sudo apt upgrade (plus a reboot) before installing pihole.
6. When setting a static IP address (using sudo nmcli), allocate an IPv4 address that is OUTSIDE of the range your dhcp server hands out.
7. At the end of /etc/rc.local, add "/sbin/iwconfig wlan0 power off". It helps stop occasional losses of connectivity.
8. Edit /etc/sysctl.conf and change vm.swappiness to 70, so the Pi doesn't swap so often.
9. Edit /etc/dphys-swapfile and change conf_swapsize to 2048 (from the default of 512 on the Pi Zero 2). You'll need to disable swapping first, then turn it back on after.
10. "sudo systemctl disable hciuart.service && sudo systemctl disable bluealsa.service && sudo systemctl disable bluetooth.service" to disable bluetooth, to save power and resources.
11. NOW you can finally install pihole. Not before.
12. Consider installing Unbound as well. https://www.youtube.com/watch?v=FnFtWsZ8IP0 shows how. It's easy.
13. The most important. Go into your web admin panel, go to tools/interfaces, and drill down through your LAN (wifi or ethernet) into the Hardware Addresses, and look for the IPv6 address that you are using to access your Pihole, and which you've programmed in to your clients (either via DHCP or some other means). Check that that IPv6 address has "Valid lifetime: Forever". If you've followed the Pihole installation instructions, and have used the ipv6 address that was suggested to you on the post-install screen, this COULD WELL BE WRONG! That screen tends to show a non-static IPv6 address, which means your pihole will be unavailable via ipv6 on a regular basis. Change your clients etc to use one of the ipv6 addresses for your pihole which DOES have a forever lifetime.
14. Use a decent quality SD card and a sufficiently beefy PSU. The USB socket in the back of your router isn't necessarily sufficient.
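Steps 6, 8/9 and 13 of the list above lend themselves to a small pre-flight script. This is an added example, not the commenter's own code; the function names are mine, and the addresses, file contents and `ip -6 addr` output it uses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for steps 6, 8/9
# and 13 of the list above. Function names are my own; the addresses, file
# contents and "ip -6 addr" output are constructed samples.

# Dotted IPv4 -> 32-bit integer, so addresses compare numerically.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Step 6: succeed only if STATIC lies outside the DHCP pool [LO, HI].
static_outside_pool() {
    s=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$s" -lt "$lo" ] || [ "$s" -gt "$hi" ]
}

# Escape the dots in a key such as vm.swappiness for use in a regex.
kv_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Steps 8 and 9: set KEY=VALUE in FILE idempotently, replacing an existing
# (even commented-out) line or appending one. Suits both /etc/sysctl.conf
# (vm.swappiness) and /etc/dphys-swapfile (CONF_SWAPSIZE).
set_kv() {
    file=$1; key=$2; value=$3; re=$(kv_re "$key")
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$re[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$re[[:space:]]*=.*|$key=$value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read back KEY from FILE (last uncommented assignment wins).
get_kv() {
    re=$(kv_re "$2")
    sed -nE "s|^[[:space:]]*$re[[:space:]]*=[[:space:]]*([^[:space:]#]*).*|\1|p" \
        "$1" | tail -n 1
}

# Step 13: given "ip -6 addr show dev <iface>" output on stdin, print the
# global addresses whose valid_lft is "forever", i.e. the ones safe to hand
# to clients; dynamic (SLAAC/temporary) and link-local addresses are skipped.
stable_ipv6() {
    awk '
        /^[ \t]*inet6 / { addr = $2; sub(/\/.*/, "", addr)
                          if ($0 ~ /scope link/) addr = "" }
        /^[ \t]*inet /  { addr = "" }
        /valid_lft forever/ { if (addr != "") print addr; addr = "" }
    '
}

# Constructed sample of "ip -6 addr show dev wlan0"; the addresses are made up.
SAMPLE_IP6='2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fd12:3456:789a::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1234:5678:abcd:ef01:2345:6789/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link
       valid_lft forever preferred_lft forever'

demo() {
    static_outside_pool 192.168.1.250 192.168.1.100 192.168.1.200 \
        && echo "192.168.1.250 is outside the DHCP pool: OK"
    f=$(mktemp)
    printf '# constructed sysctl.conf\n#vm.swappiness=60\nnet.ipv4.ip_forward=0\n' > "$f"
    set_kv "$f" vm.swappiness 70
    echo "vm.swappiness is now $(get_kv "$f" vm.swappiness)"
    rm -f "$f"
    printf '%s\n' "$SAMPLE_IP6" | stable_ipv6   # prints fd12:3456:789a::10
}
demo
```

On a real Pi you would run `ip -6 addr show dev wlan0 | stable_ipv6` and point `set_kv` at the actual files with sudo; the script as shown only touches temporary copies.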
If you can't set up a device on your network to run Pi-hole, another option is to set your router to use an adblocking DNS server. There's several options out there, or you can host your own on a cloud provider.
You can also set individual devices, or even just a browser, to use an adblocking DNS server. That can be useful for your phone while it's on cellular data, or if changing the whole network's DNS source isn't an option (perhaps you don't manage the network, or perhaps making that change breaks something).
Of course the catch to all of this is that you need to trust whoever's running that DNS server, since they can see all the sites you visit if they wish to.