Thanks!

pihole -up

> Changelog:

> Add theme support for Pi-hole #1253 (@DL6ER)

~~Yay! How long until someone posts a dark-grey theme? Pretty please ;)~~

It has a dark-grey theme included! Woohoo! :D

Edit: (a quick reminder to donate to the fantastic Pihole project if you can)

Edit2: If your dashboard graphs arent loading after the update, try force refresh in your browser: CTRL+F5

Miuzei Raspberry Pi 3B+ Case with Fan Cooling and 3× Heat-Sinks, 5V 2.5A Power Supply with On/Off Switch Cable for RPi 3B+, 3B, 2b

I like it overall, came with everything I wanted minus the SD card and pi.

On most VPN services, the DNS traffic by default routes through the VPN, specifically to avoid a DNS leak (the DNS traffic being exposed outside of the VPN tunnel).

When you set your Pi as the custom DNS server in Mullvad, you are now using your local instance of unbound as the upstream DNS resolver. Since your instance of unbound is running locally on your home IP, this is what is shown for the location.

When you use the default DNS setting on Mullvad, you put the DNS back to their server and your DNS traffic is in the VPN tunnel - no DNS leak.

You can continue to use your Pi-hole as a DNS for the Mullvad service, but you will want to encrypt your upstream DNS traffic. In your case, using unbound, you would set up forwarding to an upstream DNS server using SSL. These lines would be added to your file for unbound to get encrypted traffic to Quad 9, as an example. In this forwarding mode, unbound is no longer acting as a recursive resolver. It is forwarding all DNS inquiries to the designated upstream resolver(s).

tls-cert-bundle: forward-zone: name: "." forward-tls-upstream: yes # Quad9 forward-addr: forward-addr:

I run unbound on my pihole.

​

https://pi-hole.net/2018/06/09/ftldns-and-unbound-combined-for-your-own-all-around-dns-solution/

​

Agreed. No hesitation in supporting this one with a donation.

If you have a fancy firewall, you can take all the outbound DNS requests in your network and jam them back through the pi-hole. Here's a post I made on how to do it with a Mikrotik. A lot of applications cheat, and don't use your specified DNS server. Apple devices are particularly 'helpful' at using 'backup' DNS servers. I find it oddly satisfying to help these helpful devices follow the instructions of their network administrator.

https://trello.com/c/5i7PFw6X/657-pi-hole-stickers

If you want to help us get them in unixstickers.com.

We don’t have them for sale, but if you send us your address we will ship you out a few.

We can’t do it for everyone, which is part of the reason they are not for sale: we don’t have time to be in the shipping business. The rest of our swag is all handled via a third party but they don’t offer stickers yet.

I have tried looking at Google searches on "pihole ad block test" and they all point towards https://ads-blocker.com/testing/

Furthermore, the website that pihole used to maintain is no longer a valid webpage

It was useful for me, but feel free to delete if it is redundant

Oh you can find it everywhere, it's a 3.5" Quimat, less than 20$ from amazon. But there're a lot of displays.

This one, unfortunately, can't be turned off, if you need to turn off by software you have to search for Adafruit or Pimoroni ones! Because this one (like a lot of the cheap displays) doesn't have the circuits to control the backlight via software.

What leads you to think we are collecting any user data? All of our code is open source (https://github.com/pi-hole). The ONLY way that we have the possibility of obtaining potentially personal data is if a user manually runs the debug script (pihole -d) when we are working with them to resolve an issue. This blog post should make clear that even the potentially personal debug logs are protected and only accessible by authorized developers/support.

If you have any questions about our code or debug process, or know of a way to improve our user's security, please don't hesitate to share it with us.

Link to Google Play store

And as always the app is completely free & open-source

I would honestly go with Raspberry Pi Zero W. it's like 1 inch x 3 inches in a small plastic case. this kit will get you everything you need, including SD card with OS pre-installed (just add pihole) and a power adapter. but, you should be able to power the raspberry pi with USB from your TV. I have mine plugged into USB power to my router.

https://www.amazon.com/Vilros-Raspberry-Kit-Premium-Essential-Accessories/dp/B0748M1Z1B/

We're working on a major upgrade, v4.0, and so we are taking extra care to make sure it all goes smoothly.

There is a beta currently open for it: https://pi-hole.net/2018/03/24/help-us-beta-test-ftldns/

You can get a whole kit for $50 from Amazon via the Canakit with a raspberry pi3 B+ , I am sure you can get it cheaper somewhere like microcenter.

YouTube will be difficult to block though so please be aware of that, and Pi-Hole isn't a one stop fix all for things, but can block a good chunk of stuff with the right lists.

This looks like a similar product on the US Amazon site:

https://www.amazon.com/MakerFocus-Raspberry-Required-Connector-Protective/dp/B07BK2BR6C/

You could also use the official docker image and run it under docker in Ubuntu. The link to the docker image is at the bottom of this post:

https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ftldns-improved-blocking-modes-regex-docker-and-more/

I loaded The Raspberry pi software. I had a previous Pi-Hole so setup was easy.

I bought these -

Vilros Raspberry Pi Zero W Complete Starter Kit-Premium Clear Case Edition-Includes Pi Zero W and 7 Essential Accessories https://www.amazon.com/dp/B0748M1Z1B/ref=cm_sw_r_cp_api_i_tNc9DbKGQSQDX

And this adapter for wired connection-

3-Port USB 3.0 Hub with Ethernet USB Hub, ZACTEK, Supporting RJ45 10/100/1000 Mbps Ethernet Network USB Hub Compatible with iMac Macbook Microsoft Surface Tablet Laptop PC Computer https://www.amazon.com/dp/B074XK1GTS/ref=cm_sw_r_cp_api_i_jOc9DbFGW674X

1.- If you are connected to your company VPNs, I presume these will update your DNS servers which will circumvent the Pihole setup. Nothing to worry there.

2.- Same situation here. When you connect to NordVPN service, your DNS servers change to theirs, so Pihole won't block any ads whilst you are connected.

For now, what I do is connect to a VPN I set up at home, where the Pihole is, so I can strip ads while on the go. However, this is a bit slow, and potentially dangerous for opening ports on my home router, due to the upload speeds of my broadband at home. To solve that, I'm considering spinning a cheap VPS with Pihole/VPN and use it to browse on the phone, but seems a bit like an expensive idea. That, or installing Pihole on the Librem 5 directly once is released, depending on actual battery and performance use.

Great stuff, I have only one comment to make (from an official Pi-hole standpoint):

Please see the Trademark Guidelines for app developers, and the more general Trademark guidelines, specifically towards usage of the logo. Sorry to be a bore, but we have to protect our Trademark, else we lose it!

It can handle it but you may want to consider using a VM running Debian or something instead of a raspberrypi (Google has decent install instructions)

https://pi-hole.net/2017/05/24/how-much-traffic-can-pi-hole-handle/

We prefer to have people talk with us before doing that because the name and logo are trademarked. There is some guidance for people at https://pi-hole.net/trademark-rules-and-brand-guidelines/ and https://pi-hole.net/developing-apps-for-pi-hole/

I'd prefer the logo not use the leafs from our logo and the name to be something like "Connect for Pi-hole" but I'm not going to try and take down the application. It's open source and free and I think we need more of that type of software available.

Some people install Pi-Hole on a VPS/AWS/DigitalOcean droplet and will then expose port 53 to the outside world, this allows a user(s) to access it anywhere by setting there DNS to the IP of there VPS/AWS/Droplet.

Take a look at Shodan.io here for all the public Pi-Hole installs in the world, that in theory could be used to amply a DNS attack.

If you're hosting it internally, and not exposing port 53 (you can check here by selecting port 53) then you're not apart of the problem and you're safe :)

EDIT: As far as the control part, some individuals do not have proper control of there networks whether it be an apartment complex or they live in a household with other individuals (tech savvy or not), some individuals may not like there browsing history being logged etc.

Things that still give me great joy:

Statistics: for a system (DNS) that's otherwise completely invisible to the end user. Being able to see how many trackers have been blocked from mobile apps or what services your IoT devices connect to, and just the fact FTL is a stats haven. I adore FTL, because it means I can write scripts such as being able to send a weekly message via Pushover showing what my top 20 permitted domains were.

Blocked Domains: 8.8K suspicious/advertising/tracking/telemetry/malicious domains are blocked by my lists and a further 1.76M are related to pornography. Considering that childhood education is focusing a lot on the Internet these days, it's easy to mis-click and your child finding themselves somewhere unrelated to their original purpose. Knowing all that content is blocked is instant peace-of-mind!

In-app content blocking: Users will be delighted to see that ads have been removed from their free mobile games, smart TV, or from some of their online streaming sites (obviously, not YouTube, sadly)

Data quotas last longer: With 20Mb, you can read one news article with ads, or five without

Website Responsiveness: The web will undeniably feel "more snappy". If you're browsing sites you don't usually browse to, are you really going to wait 10+ seconds for it to load? Probably not, if you're used to 2 seconds!

I suppose there's more aspects that one can appreciate, but that's all I can think of right now! :)

I use some of the adult content filters in pihole and they are pretty effective. In addition, as a second layer, you can also set the DNS resolver in pihole to Adblock DNS Family Protection or OpenDNS Family Shield ip adresses that are both free of charge.

Most requests would be blocked by the pihole, but anything that gets through is blocked by these services. Of course, these services apply to the whole household. But adult content can still be accessed via a VPN on a machine-specific basis and this goes around the pihole.

https://smile.amazon.com/NEC-E655-65-Inch-LED-Lit-Monitor/dp/B00TB24HTI?sa-no-redirect=1

They exist. Not really what you may want to pay though

https://www.nvidia.com/en-us/geforce/products/big-format-gaming-displays/

quad9 is also in the data collection business FWIW (https://www.quad9.net/policy/ > see Logs, Compliance), and consider if an organization (https://www.globalcyberalliance.org/community-partners.html) who is interested in your privacy would be logging at all...I wonder if they ever got around to blacklisting basic botnet command & control domains.

Passepartout is an app that I stumbled upon when I was looking for something that did the known wifi thing. It has worked great and was exactly what I wanted. https://passepartoutvpn.app/

In your case it's probably better to check the query log to see which blocked domains are causing 'some stuff to break' and white list these domains.

For disabling/enabling Pi-hole you can simply do it in the web admin console by clicking 'Disable', or use an Android app like FlutterHole.

I abandoned Adblock Plus and uBlock Origin entirely after I setup my Pi-hole.

If they're legitimate, simple ads, they come through. That's perfectly fine to my mind; people have to eat and I have zero problems paying for content with my eyeballs if the advertiser is doing it right.

I keep Privacy Badger around, though, because tracking protection is still necessary.

I use piVPN on a VPS, where the server is forwarding packets to a Mullvad VPN. It seems like you should be able to adopt this on your VM.

​

1. Setup the PiVPN as you would. Follow the directions to get Wireguard server/clients setup, but modify your file to include a fwmark statement: FwMark = 51820
2. Get your Mullvad Wireguard .conf file from the Mullvad site (i.e. in the example below). Get that file onto your /etc/wireguard directory, but you'll need to add the following rules:

​

PostUp = iptables --table nat --append POSTROUTING --out-interface mullvad-usxx --source 0.0.0.0/0 --destination 0.0.0.0/0 -j MASQUERADE PostUp = ip route add default via <gateway IP> dev eth0 table pivpn PostUp = ip rule add fwmark 51820 table pivpn PostUp = iptables --table filter -A INPUT --in-interface mullvad-usxx -p udp --dport 2836 -j ACCEPT PostUp = ip rule add from <server IP> lookup main PreDown = iptables --table nat -D POSTROUTING --out-interface mullvad-usxx --source 0.0.0.0/0 --destination 0.0.0.0/0 -j MASQUERADE PreDown = ip route delete default via <gateway IP> dev eth0 table pivpn PreDown = ip rule delete fwmark 51820 table pivpn PreDown = iptables --table filter -D INPUT --in-interface mullvad-usxx -p udp --dport 2836 -j ACCEPT PreDown = ip rule del from <server IP> lookup main

mullvad-usxx == the conf file/wireguard route name

Replace server IP and gateway IP with your appropriate values

This will tag your packets (fwmark) so they will route to your VPN packets to wg0 on up, and delete the rules on down.

You'll have to make sure that you do wg-quick up mullvad-usxx along with wg0.

You'll probably need a router than allows you to edit iptables rules; most consumer grade ones won't allow you to do this (unless flashed with openwrt or the like).

What you're after is dns hijacking. I use it on my mikrotik router to force all dns requests to my pihole. The openwrt guide is here:

https://openwrt.org/docs/guide-user/services/dns/intercept

I cannot say how much I appreciate Pi-hole on my Raspberry Pi. I'm a Comcast customer and kept bumping into their 1 TB per month bandwidth cap. Since buying my Pi and installing Pi-hole I haven't gone over 900 GB in a given month!

If you can, please consider donating or buying something from the shop.

This is not an ad, just a happy customer/user.

DietPi is probably a better option. It should be lighter and it has a built in setup for installing pihole.

Don't host Pi-hole on the internet unless you know what you're doing. Unless you secure it, you are probably being used as an open resolver. The local machine connection might cause it to wait until the timeout is reached, causing pages to load much slower (30-60 seconds is a timeout). Don't worry about the Pi-hole connection - it's way cheaper than the ad connection would be.

This is possible. You can start a wireguard docker container and pihole container separately. Wireguard container will be your wireguard server, to which your clients will connect to. The container will additionally connect to one Mullvad VPN instance. Wireguard container could run a dns server like coredns or unbound as upstream to mullvad dns

Set the in wireguard container to pihole docker container IP.

In pihole container, run an Nginx instance in any port, that connects to wireguard container port 53. Set 127.0.0.1#nginx port in pihole as upstream DNS. This step is required, as wireguard container already runs a DNS server in port 53, and you need traffic in wireguard container not use that, as it will bypass pihole.

> The main reason for doing this was so that if the RPi2 went down, adverts would still be blocked.

That's a good reason for running two. I regularly do development work on my primary RPi 3B (which has its own dedicated power supply) and if something goes disastrously wrong, there's the Pi Zero backup running a fresh install of RJL off my routers USB port.

Using SSH, SCP and an passwordless SSH key login for the Zero on the primary Pi, I can sync the important bits to the Zero using a cron job:

# Perform maintenance on secondary Pi if online pi=$(timeout 0.2 ping -c1 10.0.0.3 &> /dev/null && echo "0" || echo "1") if [ "$jd" -eq 0 ]; then cd /etc/pihole/ ssh -i /root/.ssh/id.pi "" "[ ! -f '~/pihole' ] && mkdir ~/pihole" scp -i /root/.ssh/id.pi adlists.list list.txt setupVars.conf *.domains :~/pihole scp -i /root/.ssh/id.pi /etc/dnsmasq.d/03-pihole-wildcard.conf :~/pihole/03-pihole-wildcard.conf ssh -i /root/.ssh/id.pi "" "sudo mv ~/pihole/03-pihole-wildcard.conf /etc/dnsmasq.d; sudo mv ~/pihole/ /etc/pihole" ssh -i /root/.ssh/id.pi "" "pihole -g" fi

https://dietpi.com/ works for me.

There is even a way to script the install for the ZeroW. Install img, copy the Automation_Custom_Script.sh over, boot up and wait a few till done. After you are done testing a bit, I would make it your DHCP server that way it collects info on all the connected clients.

Above all have fun.

Par for the course with Windows 10 - you are the product being sold now - all your data, everything you type, everything you wisper to Cortana, every website you visit, it's all being sold to the highest bidder so this "cloud OS" garbage concept can "win"

Get Shut Up 10 and turn off all the embedded crapware in Windows 10: https://www.oo-software.com/en/shutup10

Remember to run it again any time you do an update, cause Microsoft just re-enables and sometimes renames the spy services.

Maybe this will help you a bit: https://dnscrypt.info/faq

Also I would recommene dnacrypt because it has a feature named anonymized DNS which routes your DNS traffic like tor. Also see this thread were you can find more helpful links: https://www.reddit.com/r/privacytoolsIO/comments/mktwba/improve_privacy_and_security_with_a_raspberry/

> I’d be willing to donate via patreon or similar offering that’s recurring, not for a reward but because I wouldn’t need to think about it and it be a platform to have tiers, but of course they take a % and it’d be something else someone has to update.

There is the option to set a monthly donation via Paypal, for what it's worth! :)

Mostly yes. The apps are designed to have the space filled with something, so you will have a gap.

As for the delay, I have never seen one, but then I use NoRoot Firewall to block games from having any sort of internet access.

This is what I'm trying, multiple A records for the same hostname, each with a different IPv4 address. It's called DNS Load Balancing

Nevermind, I searched and the post I mentioned actually addressed slow timeouts with HTTPS pages, it didn't fix the block page.

>why can't the developers host the block page on their website https://pi-hole.net which has an SSL certificate, and redirect to it instead?

It's not just a question of having an SSL certificate, the certificate has to be for the requested domain. If you blocked example.com you would still get an error because the browser won't accept a certificate for pi-hole.net when it is trying to contact example.com.

I think it might be possible if you created your own CA and generated certificates as requests came in.

Most browswers are coming with DNS over HTTPS turned on by default. This will bypass your pihole. I also had AVG attempt to take over my DNS with an optional feature called AVG Webshield.

Right now there is competition and value in your DNS requests. They claim they're keeping us SAFER by monitoring our requests, and blocking them as necessary.

Apple/iMac consumers are going to be shocked when they realize what iCloud Privacy Relay is on the new iOS 15.

https://www.dnsleaktest.com/

That's weird, I tried the link out to and I got no for everything except the very bottom section for ipv4 addresses. I checked with www.dnsleaktest.com and I got cloudflare as the response. I only have 127.0.0.1#5053 as the upstream server.

EDIT: I got the help site to work if I disable dnssec on the pihole and use my router to validate and cache dnssec instead. Could just be the way that the pihole does dnssec validation?

We do offer recurring donations direct through our Website. =) https://pi-hole.net/donate/

A single Pi-hole can handle quite a bit of traffic with enough specs. But I also understand people wanting to run several of them. We do have an active feature request out there for HA, syncing, etc (https://discourse.pi-hole.net/t/high-availability-ha-for-pi-hole/3138), but it's part of the conundrum where the product is free, our developers donate their time, and there's just not enough time to get everything done that we want to.

The survey isn't a request for money; it's just an investigative survey. As mentioned, we've been working with a product manager. We try our best to listen to our communities needs and wants and respond in kind, but this survey helps put things into a precise perspective.

Prior to using Vivaldi, I used Opera for 10 years, or more. Opera had speed dials and gestures, which were new at the time, as well as "private" browsing. Becasue Opera was bought by a Chinese conglomerate, or whoever it was, I didn't feel like it was going to be secure anymore. So, I switched to Vivaldi, which is developed by the same developer as the original Opera.

So, I would say the most basic features are the two I mentioned; customizable speed dials and gestures. The Firefox addons I found for both of those features are not good.

The ways you can customize Vivaldi is in a completely different league than Firefox and Chrome. The sidebar and web panels are super handy, too. Tab-stacking, combining tabs into useful groups, with the option to Tile them, which will open multiple tabs into one window. It really comes in handy if you are working with multiple pages at the same time.

I tried Firefox for a few hours a while back, and I just feel like there's nothing there. It's like using Edge...

Vivaldi browser

Can you find a display that is powered from the RPi itself? If so, then you can power the RPi from this device for $11.

https://www.amazon.com/gp/product/B01MDLUSE7/

Here are two comments from this Amazon page:

I bought this for a FingBox (5v 2A, micro USB) and it works great! Also hooked it up to a RPi3 with the RPi touch display. Worked just fine, but I must admit I didn't leave it running long, just booted it up. Using this w/ the FingBox saves me from using an AC outlet in my server closet which are in short supply. Must use 48V POE on the switch.

Works perfectly. My switch recognizes it as a class 3 PoE device, and typically consuming 3.1 to 3.5 watts of power. It plugged right into my pi (with a 3.5" display) and so far I have not found any problems. The only thing I'd mention is there's no clear indication of which network connection faces the switch, and which faces the client device. I took a guess that with the male RJ45 and micro-usb cable being the same length, that was where the pi should go, and I was correct. (I include a picture of the "correct" manner of connecting it.)

Hope this helps.

The app: Network Connections may help you.

https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&amp;hl=en

Hi there, have you tried setting up the NordVPN DNS on your router? After I have set them on, Amazon Prime worked for me with NordVPN. It seems that you router is pushing the wrong DNS and it doesn't resolve, so try setting up Nord's DNS. Also, make sure to clear your caches and cookies before entering amazon.

Be careful, however. Private Internet Access is one of the commercial VPNs that was recently found to leak your real IP via a WebRTC bug that has been known for years. This may matter to you or not, but still, I'm just saying... be careful. [and to be fair, PIA is far from the only one]

Source:

We provide a very clear disclaimer about curl in our documentation. Particularly a link to this discussion. In my opinion, that provides enough background for a user to make an informed choice for how they prefer to install.

https://pi-hole.net/2016/07/25/curling-and-piping-to-bash/#page-content

Mine is installed on an Intel NUC, but I concur that the project is very straight forward, instructions are clear, project is highly useful in a network, and awesome support team here in the sub. Couldn't ask for much more than that.

Tip your devs: https://pi-hole.net/donate/

Lots of issues being reported with 18, go back to 16

See this thread

https://www.reddit.com/r/pihole/comments/9aun4d/install_fails_on_ubuntu_1804_on_esx_65_or_esx_67/

Ubuntu 16 LTS is supported till 2021

https://www.ubuntu.com/about/release-cycle

I wish we could get something pinned to the top about Ubuntu 18

It's possible that something on your network is compromised and is participating in an NTP Amplification Attack. I would investigate which host is sending these requests and then see about running a rootkit scan. It looks like Malwarebytes has one in beta.

You control the install on your own device which blocks ads on your entire network, open source code, better support, to name just a few.

And, Pi-hole doesn't have a "purchase" option - it is free and funded solely by user donations.

https://adguard.com/en/license.html

If you look at this link (https://github.com/gorhill/uBlock) they name the lists that are used for u-block. You can incorporate those individual lists in your /etc/pihole/adlists.list and run pihole -g.

I have some of those lists in my config.

I used DNS Bench (https://www.grc.com/dns/benchmark.htm) and test my unbound installation on my pihole with cloudflare, Quad9, Google..etc

The results shows that my unbound is the fastest.

Everyone in this thread is clueless, that is the secondary Quad9 server at 149.112.112.112. You can do nslookup rpz-public-resolver1.rrdns.pch.net. to confirm.

Quad9 FAQ

> Secure IP: 9.9.9.9 Provides: Security blocklist, DNSSEC, No EDNS Client-Subnet sent. If your DNS software requires a Secondary IP address, please use the secure secondary address of 149.112.112.112

Here you go, I've looked into it on your behalf. Didn't take a lot of searching. tl;dr - whitelist it if you use it, or remove the steven black list:

https://github.com/StevenBlack/hosts/issues/713

https://gitlab.com/ZeroDot1/CoinBlockerLists/issues/10#note_86995105

In the blog post How Much Traffic Can Pi-hole Handle?, we explain that during the development of FTL, we tested a 4GB RAM VM and it was able to handle well over a million queries in 24 hours and that we were able to crank it up beyond that. We did this using a tool called DNSBlast which for all intents and purposes, is a DDoS utility that directly attacks a DNS server, rather than attacking a specific open port.

In your debug log, I can see a few things:

• You're running your tests on a Raspberry Pi 3B, which is CPU limited, and has 1GB of RAM. It is definitely not capable of sustaining a DDoS
• The pihole-FTL daemon was still active - it hadn't crashed (which we would expect it to if there was an issue)
• The pihole-FTL log does not indicate that anything had gone wrong

Any non-responsiveness would be attributed to the hardware being overloaded - you'd be able to tell this via the likes of htop.

FTL being indirectly DDoS'd by dnsmasq is definitely something we've taken into account, and at this point, I'm not seeing an issue that points to FTL being unresponsive, or the cause of bigger issues. We've got our ears open, so if there is something that we can address with a code fix, then we'll definitely (and strongly) consider it.

It's an IFTTT recipe I found a few years ago. It has an accompanying bash script to capture the speedtest-cli results then sends it to a google sheet on your account. I've modified it a bit to send the captured data to my webserver. Can't exactly share atm as I'm at work.

But if you really want it now, you can probably find it on google using the keywords "ifttt speedtest logger". The one I found was a tutorial article. I already forgot what website it was, though I think I have it bookmarked on my computer at home.

Edit:

I did a quick google search and I can't find the article I've found before. Though the IFTTT recipe is still alive here. The link to the bash script is also in the recipe description.

Edit2:

Sorry. I think I found the article I'm talking about here

Unfortunately this is exactly correct in my limited and somewhat dated experience (around the 3B / 3B+ days). I invested WAY too much time trying to save a few dollars putting everything together that was only what i needed for the project, yada yada... turns out you can't really beat those CanaKit jobs if yer starting completely fresh. Don't waste yer time with a 2GB model, invest the extra ten bucks to double that. Three years from now you'll thank yourself while you're still doing tons of cool things with it and memory is at a premium.

Both the Canakit and Vilros package options are linked from the offical RPi product website, but it will take a few extra days to arrive -- that's where the resellers on Amazon make their profits, they understand that you're already paying for a Prime subscription, so they're ONLY marking up enough to compete directly with the official site (+shipping & handling): https://www.raspberrypi.org/products/

Be ruthless with any suspicious SD and trash it away. Get a dependable one, like this: https://www.amazon.com/Samsung-Endurance-128GB-Micro-Adapter/dp/B07B98GXQT/

Basic Amazon light strip does the trick! USB powered by the Xbox. Zoom in to see the controller next to it.

Link: https://www.amazon.com/gp/product/B0796TLP4S/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&amp;psc=1

To do it correctly, you'd want a device with 2 ethernet interfaces. It does not need to be very powerful - there are a few dual NIC Intel NUCs.

internet -> router -> NUC -> Your LAN

- A basic install of your favourite linux distro

- Pihole installed natively (or in a docker container) would be your dhcp and dns server.

- iptables firewall

- openvpn to connect to NordVPN

&#x200B;

All the devices on your network use your NUC as their default gateway.

You set the rules for what goes over NordVPN and what doesn't - there will be no way for any device on your network to get around your device and the rules you have configured.

&#x200B;

&#x200B;

You'll need to:

$ sudo ufw allow 80

&

$ sudo ufw reload

To permit incoming web connections (and have the pi-hole install work right) in addition to 53 and anything else you're running (22 for ssh, etc etc).

Additional reading: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04

> Are there any concerns or gotchas I need to know about?

Please read the release notes for both V5.0 and V5.1 carefully. The upgrade from 4.x to 5.x is not reversible, so you will want to clone your SD card first so you can revert later if desired.

There are many changes as described in the release notes.

https://pi-hole.net/2020/05/10/pi-hole-v5-0-is-here/

https://pi-hole.net/2020/07/15/pi-hole-5-1-released/

See the sticky announcement : https://pi-hole.net/2018/08/06/pi-hole-v4-0-released-with-ftldns-improved-blocking-modes-regex-docker-and-more/

What they meant by "regex" in the title, is like super duper wildcards, and it's new with the version 4.0, released two weeks ago.

Hi, founder of Healthchecks.io here! Just to clarify, the "100 log entries" is how many historic records of received pings are stored and shown in the dashboard. It's not the total number of pings a single check can receive – there's no upper limit on that.

Zerotier is open source: https://github.com/zerotier/ZeroTierOne

If you don't want to use/don't trust the hosted version of Zerotier feel free to deploy your own moon which will give you the same capabilities as the hosted one: https://www.zerotier.com/manual.shtml#4_4

Let me know if you've got any other question, I have been using Zerotier since almost 5 months now for my personal servers and it's wonderful to just have one network that I can access from anywhere around the world.

Try the instructions listed here:

https://pi-hole.net/2017/07/18/pi-hole-3-1-4-hotfix-for-ipv6-cidr-bug/

sudo rm -rf /etc/.pihole

sudo git clone https://github.com/pi-hole/pi-hole /etc/.pihole

pihole -r

For what it's worth I've been using two of this $13 adapter for over a year and haven't had any issues.

I use Mullvad VPN - and both work well while still delivering ad blocking.

I just use a Pi Hole at my mom's house.

As a ProtonMail user, I dislike using multiple critical services by the same company to distribute risk - even less so for a VPN to also focus on being a Pi Hole/NextDNS.

Generally speaking, lack of focus in product = inferior product.

As Confucius says: "One who tries to catch two rabbits catches none"

ProtonVPN and mullvad are both really good services. Proton has a lot of server options over mullvad, while mullvad has crypto and doesn't ask for any info, if extra privacy is needed.

Setting up pivpn on a VPS is also really simple and what I use now. Easy to setup and once done keeping the system upto date once a week is a simple "Sudo apt update && Sudo apt upgrade" and if a restart is required no biggie.

Previously was using Private Internet Access (PIA). Quality was good, lots of options for customizability and flexibility, only issue was the fact that its based in the USA which can be a privacy concern for some.

Currently using SurfShark, cheap, easy, straightforward, super beginner friendly. Not as flexibile as PIA is. Based out of the British Virigin Islands so less privacy concerns than a US based VPN.

ProtonVPN is probably the crown standard right now in terms of paid VPN services. Can;t really say too much since i've really only done the bare minimum, but they offer a free tier with minimum service options based out of Switzerland. Same people that run ProtonMail.

While the article gets a lot of things wrong it does still have a point. VPNs don't suddenly and magically make you instantly private.

You do still need to do research on VPNs and make sure you're getting a reputable one (preferably one proven in court or through independent auditing, although court is better).

>There have been subpoenas that have proven this to be the case.

I want to clarify one misconception here. When the FBI subpoenaed Private Internet Access twice they didn't say there were "no logs". They said there were "no useable logs", it's a subtle difference but it's where I think the author is trying to go.

The VPN provider keeps logs, otherwise trying to troubleshoot problems with their infrastructure would be impossible, and they are after all selling a product; reliability is important. What the VPN provider (in this case Private Internet Access) doesn't record in this case is logs that link network traffic back to specific users.

Really its a semantics thing when you're arguing about no logs vs no usable logs but it's the argument the author wants to make, so

Flutterhole has a disable option. You'll still need your api key. You can get it in the admin interface under settings/api/web interface.

https://play.google.com/store/apps/details?id=sterrenburg.github.flutterhole

NordVPN DNS will not filter the content and that what your PI is trying to do so. Overlapping those is not efficient. So settling for one or other seems the only way. However, you can add the PI DNS to which should filter it, but then NordVPN's smart DNS will not resolve and fail with streaming services as from my experience.

PiVPN is to create your own VPN server not to connect to a commercial VPN. You need to download the ExpressVPN linux binary and install that, then modify it's configuration file to use local DNS (assuming you're using CLI and not a GUI).

To set up the PiHole DNSCrypt there's good guide on the DNSCrypt GitHub page:

10,000 requests/second will cause you problems.

(1) You will likely hit the rate limits of Pi-hole. The default limit is 1,000 queries in 60 seconds per client. This can be changed, but won't avoid other problems.

https://pi-hole.net/2021/02/16/pi-hole-ftl-v5-7-and-web-v5-4-released/#page-content

(2) If you use the query logging in the long term database, you will likely have problems restarting FTL because it will have to read the most recent 24 hours of data, which in your case will be 864 million queries. This too can be changed so you either don't save the queries or don't read them on restart.

(3) You will likely run into memory limits storing the 864 million queries in RAM.

As /u/arithforu said, your DNS requests are being sent through the VPN to their DNS server. It is also worth noting that this is what you want to happen.

The main point of a privacy-VPN is so that your ISP and other interested parties can not see what your are doing on the internet. Just like you can view DNS requests coming into the Pi-hole in the web interface, your ISP can also see exactly what web content you are requesting. If you are trying to keep a low-profile from your ISP than it is best to not have any DNS queries going through your normal internet connections, and that includes your Pi-hole; regardless of what upstream DNS service you are using.

If PIA was not routing your DNS requests through the VPN, then it would be said to be leaking. When you are downloading "linux distributions" or various "scientific content" that your ISP and friends is not ok with, you may be found out even if you were using a functioning VPN.

The only way I can think of to be able to use your pi-hole and a VPN, would be to setup a local VPN entry point on the Pi that passes content back and forth from PIA as well as defers to their DNS resolver. Take this last statement with a huge grain of salt as I am tired and not a network engineer. The folks over on /r/homelab would probobly be able to help you with these interesting and niche projects.

Using a VirtualMachine would be possible of course, and if you then configure your Windows to use the PiHole VM as your DNS server it should work perfectly normal.
You just need to ensure that your VM can access the Internet and is reachable for your Windows PC. But using the standard "Bridged network" adapter should do what you want. (Read https://www.virtualbox.org/manual/ch06.html#network_bridged if in doubt.)
But keep in mind that DNS won't work until the VM has been started and until that point it will pretty much look like that you have no internet connectivity.

What I did was just block Instagram and FaceBook entirely. Took care of those pesky ads. :)

But I guess if you just have to have it, then uBlock Origin or uMatrix.

Since you are here in the Pi-Hole sub that you are concerned about your privacy and data stealing trackers, ads et al. So, I would take the advice of others and switch your browser to FireFox. Then head over to https://www.privacytools.io and learn about hardening FireFox. There is also a ton of other useful info there as well.

Lists in a "hosts" format (x.x.x.x hostname) are perfectly fine, it's the adblock-type lists that need to be parsed/filtered first, although the gravity command will try to filter Example 2 domains as best as possible

I had issues in the past.

This fix worked for me, the HTTPS section.

https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/

The page has been updated to say it's for versions < 4. I applied the fix before upgrading to 4. I haven't had any noticable issues since then.

It would be quite easy to add a button, but personally, I never disable my PiHole - there should be no need to.

As for installation, I would suggest you read the excellent documentation they have and watch the "official" getting started YouTube videos. https://nodered.org/

DietPi and don't look back. Essentially a stripped and curated version of raspbian.

Zero issues with it, stable as expected. It contains an update script / engine 'dietpi-update' and many other command line tools to make management simple and quick. Could not be easier to install and use. I have updated at least 4 releases without issue. It even includes a backup Q&A before updating. Get a thumb drive or use the 'dietpi-drivemanager' to add a backup location.

I had issues with Raspbian Lite, which is unexpected, but ¯\_(ツ)_/¯

I'm running DietPi with pihole and mopidy as a music server on different ports from lighttpd, but there's a big list of other media server software available as well. Unfortunately, not Volumio, but it could be worth looking into if the virtual adapter doesn't work out.

You could configure Adguard DNS in your pihole configs. This way you have a local fast DNS block, with a second layer of blocking if things escape pihole and are still on the Adguard block list.

An advantage of this is also the family filter offered by Adguard DNS for those who might use it.

Edit: Add:

https://adguard.com/en/adguard-dns/overview.html#instruction

This is a good question for the blocklist maintainer. The Pi-hole project does not curate or maintain any blocklists. We have used this default list for a number of years.

https://github.com/StevenBlack/hosts/blob/master/data/StevenBlack/hosts

In addition to a pihole I would install ublock origin and decentraleyes. Pihole can't block certain ads if they are hosted on the same domain, ublock will. And decentraleyes keeps local copies of some common scripts for you. Both should help save a little more bandwidth.

> I'm afraid this is a harbinger of things to come

Sadly, yes. Personally, I'm sick to death of the massive over reliance of Javascript in modern web development - it should be optional, and used to enhance features of an existing site opposed to being used as a crutch to do basic tasks like loading a page of text. It drastically increases load times, and is designed in a way to allow you to be tracked across the web.

Testing this website on my PC with Scriptsafe and uBlock Origin plugins disabled from the Chromium UI, I could see f.cl.ly and pagead2.googlesyndication.com are being blocked. If you try and unblock the latter, you come across CNAME hell - all the aliases of Google Syndication that are also blocked by various block lists, thereby exposing you to ads on an extremely large portion of sites on the web. Even when the site loads, it lets you scroll for a bit before doing a giant "bugger off" popup that you can't do anything about. (Though oddly, I don't get the bugger off popup consistently on my phone - it pops up every few pages and lets me back in when I say that I've disabled it)

If I were in your position, I'd choose to never use that site again, let the site know via social media that their brute force anti-adblocking solution prevents security concious users from browsing their site, and that they should consider alternative revenue streams.

Sadly, I know that good Hackintosh resources are hard to come by - you may need to consider a VPN type solution that lets you have a browser session of your choice not protected by Pi-hole.

> Big fan of your work in the community.

Thank you :)

Did you just copy instructions from somewhere else into your post? You just have to run curl -sSL https://install.pi-hole.net | bash

This has all the instructions you should need: https://pi-hole.net/

I run no ad-blockers anymore, I do not need them. I am running a rather decent list of domains on my blocklist though.

I do still run Privacy Badger, though. It just kills tracking and is very lightweight.

Yea there was an interesting video by a guy arguing against the use of free vpns. Basically:

If I were part of a government tracking organization I would set up hundreds of front companies that offer free VPN services. This attracts people who want a VPN (most being normal users but also those who have things to hide). I would then slowly roll out paid versions of those services to help pay for my hosting and data processing fees. Build up the number of companies you control, build up the trust those companies have in the community and bam mass surveilence of those who have things to hide.

My personal favorite is NordVPN, they've been externally audited and their claims verified by a well know and trusted third party. They're based in Panama which has almost no Internet laws, and they keep no logs.

I'm already using Private Internet Access on all of my devices as a VPN. If I use PiVPN, will this cause a conflict or slower speeds using them together or will only be able to use one or the other?

UPDATE: I just watched a few tutorials on this. So basically I can use PiVPN to run PIA across my whole network.

Here is what a DigitalOcean Droplet is , AWS uses instances, and a VPS is a Virtual Private Server that many different hosting companies offer for varying amounts.

See this:

https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/

Basically it is only available to the pihole developers. It has to authorize any user with github to ensure they are in fact a pihole developer.

No idea how your home network was/is configured, but here's some examples of pihole running at much larger scale and doing perfectly fine.

https://pi-hole.net/2017/05/24/how-much-traffic-can-pi-hole-handle/#page-content

Yeah, you can definitely connect to it via PuTTY and every other major SSH client.

For most RPi users, this is a bit overkill (from a security perspective), but is still a huge convenience once set up. Here's some reading material:

• Creating SSH keys
• Setting Up an SSH Session with SSH Keys in PuTTY (< Skip to that heading)