> Can Pi-hole also block specific numeric IP addresses?
No, this is outside the scope of Pi-hole as it uses Dnsmasq to perform its magic.
> what's to stop ad companies from using bare numeric IP (instead of domain names) to defeat hosts file style blocking?
For a dodgy advertiser, not a whole lot. It's not standard practice to do so, and makes it impossible to serve ads over HTTPS. In reality, you can't ever guarantee that an IP will stay the same and it's a rookie mistake to presume that it will.
Perhaps someone with some more expertise can provide a more technical answer!
Depends on the router. Most home routers are tiny embedded linux devices running a very nice piece of software called dnsmasq.
It has a feature where when a client computer sends its hostname along with a dhcp request it will create an A record in your local zone. (Active directory and many other suites of software do the same thing)
If that does not happen windows will use netbios lookups. In a workgroup one computer is elected to become the master browser and is responsible for generating a list of all of the netbios client computers it can find. This machine would typically respond to wins lookups. (If you have ever looked at a desktop switch and wondered why all of the lights were blinking when nothing was happening on the network, it is usually the 'windows noise' from this process.)
If you are running Linux the same thing could happen if one set up Samba. Linux could also use zeroconf (Avahi) and resolve names through multicast DNS like OS X does. Or Linux users may have a hosts file they copy to each machine on their network.
I don't have a source on the last one but I believe .local was part of the zeroconf specs.
That really makes no sense. Even if Facebook were secretly behind it, the project is open source, and available on Github for everyone to clone. It doesn't "provide binaries", it's something you clone and run as-is.
Besides that, it's built on dnsmasq, which is GPL, and in the case of pi-hole installations, provided by the distribution.
FWIW I have two piholes where each serves a different set of devices with a different set of lists / blacklisted domain names :)
dnsmasq is the limiting factor here, I believe, in that it doesn't have that kind of feature built into the code: http://www.thekelleys.org.uk/dnsmasq/doc.html
Regarding 1) "block at your router level" That's actually a pretty good starting point for understanding how it works! Regarding updating: happens automatically in the background, trivially easy from the interface.
Regarding 2) Try logging into your router now, as an exploratory mission. Your server should have a place for manually configuring DNS servers: get a feel for that process & flow. Should only take two minutes, but your mileage may vary...
>simply because I don't understand Pi-HOle enough to know what questions to ask
I like this :) Never stop learning!
So the pihole project is some software that runs on a server. This software replaces a function that usually happens outside of your network and outside of your control with a local service entirely at your control via a very easy-to-use interface. The software runs on an open software stack (usually GNU/Linux Debian-or-variant) on reliable, low-power-consumption hardware (usually a Raspberry Pi computer).
With a local DNS (dnsmasq specifically: http://www.thekelleys.org.uk/dnsmasq/doc.html) under your control, you can then easily use it to manage network connections. It simply replaces an unwanted domain's server address with its own internal http server, which is set to return nothing in place of the advertising :)
ELI5: Pi-hole Adblocking makes use of a technique called "DNS poisoning".
DNS (or Domain Name System) is the act of converting hostnames like www.doubleclick.net to IP addresses such as 150.101.213.180, kind of like how a phone book has a record of a person's name and the corresponding telephone number.
By poisoning the DNS record using Pi-hole, we're making our own partial phone book (through a utility known as Dnsmasq) which syncs the records of the sites we've visited with full phonebooks online. When our phone book comes across a record that we've listed as bad, suddenly www.doubleclick.net is altered to return 192.168.1.1. Since this is hosted on your Pi, it does not have the ad that your web browser was trying to retrieve - therefore the ad was "blocked".
Since we can only alter these records in this manner, it is not possible for Pi-hole in its current state to block by IP addresses (and frankly, is outside the scope of this utility as we would no longer be dealing with DNS queries).
Hope this helps!
Instead of adding 895 individual domains to a host file from your list above & worrying about constantly updating individual domains to the list, why not just use dnsmasq to utilize wildcards ("*") that cover each domain?
For example, I've reviewed each domain in the Facebook list above, and pulled out 1 example of each domain suffix:
*facebook.com
*edgekey.net
*edgesuite.net
*fbcdn.net
*instagram.com
*instagramstatic-a.akamaihd.net
*cdninstagram.com
*tfbnw.net
*whatsapp.com
*fbsbx.com
*facebook-web-clients.appspot.com
*fb.me
*fbcdn-profile-a.akamaihd.net
*fbsbx.com.online-metrix.net
That's a total of 14 wildcard domains to add to a host file via dnsmasq that blocks all 895 listed.
-For Mac users:
sudo port install dnsmasq
edit /opt/local/etc/dnsmasq.conf
sudo port load dnsmasq
-For Ubuntu users:
Create a file called /etc/NetworkManager/dnsmasq.d/dnsmasq-localhost.conf
Insert the following in the file: address=/localhost.com/127.0.0.1
Restart
-For Windows users, see DNSagent
Edit: formatting
It doesn't serve content at all. It is caching DNS responses (IP addresses that point to a website). No content is ever cached. The service is DNSMasq that is actually handling the DNS:
I'm going to guess you used bind. Have a look at dnsmasq, http://www.thekelleys.org.uk/dnsmasq/doc.html. i know this will use /etc/hosts or another file that you specify. This is what pihole used or uses.
I don't know what the resolution is, but I haven't seen this happen. And I have Cox outages at least once a week. I use dnsmasq to provide DHCP/DNS services for my home network, and like u/Tymanthius, have static IPs assigned for the ecobee thermostats. Maybe that makes a difference.
If you are using something Linux-based as router, you may be able to solve the problems in the link that you posted by using dnsmasq. It not only can broadcast RAs, but can do it using the current IPv6 prefix of your public interface. And then, as it's also a DNS server, it should register each of the addresses as a DNS name.
I haven't tested this personally, but have two links in my bookmarks that may help:
I hope this helps.
As far as I can tell pi-hole uses dnsmasq which will just forward requests to the upstream DNS server (which would be your ISP's DNS in most cases) until it builds up its cache. That doesn't really solve the problem as unless you've already recently visited a website it won't be in your cache.
Possible I'm misunderstanding that though.
Using /etc/hosts to block sites is a royal PITA. You'd probably be better off blocking them at your router/firewall, if you have access to it. BTW, that often involves using dnsmasq, which is a good thing, since it blocks sub-domains by default—meaning, if you block "iron-start.me" it will also block "www.iron-start.me".
Depending on your needs and how big your school is, there are multiple ways to block websites through DNS.
Apart from what /u/arcticblue wrote, you could use a blacklist with bind or a modified hosts file with dnsmasq.
Another addition to his post: Blocking domains with DNS should be much less demanding on the hardware than using a proxy. Someone please correct me if I'm wrong.
> I've a TP-Link, but I think it doesn't allow me to do that.
Model? If the firmware doesn't support it there might be a chance that you can flash DD-WRT or OpenWRT. This is my configuration for static leases and hostnames in OpenWRT. You can configure it so that the DNS Server (DNSMasq) recognizes these names and gives back the according IP to your internal devices.
Since you already talk about a server machine, my short answer to this is yes. You can set up a DNS service like dnsmasq (for a small network) on the same machine, but you have to keep in mind that by doing so you risk having an Internet outage if the server should be turned off or lose power, etc. I'm just adding this because a desktop PC and a server use different hardware exactly because a server is built for running 24/7. This doesn't automatically mean that you can't use an old desktop machine as a server, but if the service it provides is crucial you should invest in server hardware. Since you are posting in this sub, however, it should be ok.
Finally, I just want to make clear that if you want a domain that is accessible from outside your own network you need to buy one or use dyndns.
dnsmasq can do this for you. If you don't want the DHCP part of it, you can disable it pretty easily.
Configure the DHCP server to point DNS to the dnsmasq server. Have the dnsmasq server use 8.8.8.8 as its DNS server. With this setup, all requests will route to the dnsmasq server, which will respond if it's a host it knows about; if not, it will forward it on to 8.8.8.8 and respond back.
"Dnsmasq is targeted at home networks using NAT and connected to the internet via a modem, cable-modem or ADSL connection but would be a good choice for any smallish network (up to 1000 clients is known to work) where low resource use and ease of configuration are important."
Dnsmasq is pretty easy to configure, but what you are using is most likely already ideal for your environment.
I've been using dnsmasq as my PXE boot server. The really nice thing about it is that it's a combo DHCP and TFTP (and DNS) server - so it's only one package (though honestly, it's not a lot of effort to set dnsmasq up to use a third party tftp server). GPL Licenced, Linux/BSD/OSX (it sounds like you're a Windows guy, but if you're comfortable with *nix, give it a shot!).
I think it can be used in conjunction with BartPE generated ISOs, but I've never bothered implementing it.
Are you asking for a DHCP client or a DHCP server? You swap back and forth in this post. For a client I use Roy Marple's dhcpcd and for a server I use Simon Kelley's dnsmasq.
r/pihole if you use it. Enable all the DNS servers you want to test and dnsmasq, which is used by Pi-hole, will automatically pick the DNS server who responds first. Leave all DNS servers enabled for 24 hours and see the results, then pick the one Pi-hole (dnsmasq) preferred the most. That’s the fastest DNS responder for you.
The way dnsmasq favours a DNS server is sending requests every 10 seconds or 50 queries, whichever comes first, to all recursive DNS resolvers you enabled and picks the first one that responds and moves into a state where only the preferred server is used. Pi-hole is using a fork of dnsmasq for which as far as I remember changed the timing from 10 seconds or 50 queries to 10 minutes or 1000 queries again whichever comes first, but it’s still essentially the same.
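As an added illustration (Python, not from the thread and not dnsmasq's own code) of the selection behaviour described in the comment above, here is a small model: all upstreams are raced at start-up and again every 10 seconds or 50 queries, and the first responder is used exclusively in between. The server addresses and latencies are constructed sample values, and the probe callback stands in for real DNS round-trips; pass max_queries=1000, max_seconds=600 to model the Pi-hole fork's timing as the comment describes it.

```python
import time


class UpstreamSelector:
    """Toy model of the behaviour described above (not dnsmasq's own code).
    probe(server) returns latency in seconds, or None if it did not answer.
    All servers are raced at start-up and again every max_queries queries or
    max_seconds seconds, whichever comes first; the fastest responder is the
    only server used until the next race."""

    def __init__(self, servers, probe, max_queries=50, max_seconds=10.0,
                 clock=time.monotonic):
        self.servers, self.probe, self.clock = list(servers), probe, clock
        self.max_queries, self.max_seconds = max_queries, max_seconds
        self.preferred, self.queries_since_race, self.race_time = None, 0, None
        self.races = 0  # how many times every upstream was queried at once

    def _race(self):
        self.races += 1
        latencies = {s: self.probe(s) for s in self.servers}
        live = {s: l for s, l in latencies.items() if l is not None}
        self.preferred = min(live, key=live.get) if live else None
        self.queries_since_race, self.race_time = 0, self.clock()
        return self.preferred

    def resolve(self):
        """Return the upstream that handles the next query."""
        due = (self.preferred is None
               or self.queries_since_race >= self.max_queries
               or self.clock() - self.race_time >= self.max_seconds)
        if due or self.probe(self.preferred) is None:
            # scheduled re-check, or the preferred upstream stopped answering
            return self._race()
        self.queries_since_race += 1
        return self.preferred


def demo():
    """Deterministic walk-through with a fake clock and constructed latencies."""
    now = [0.0]
    latency = {"1.1.1.1": 0.030, "8.8.8.8": 0.012, "9.9.9.9": None}
    sel = UpstreamSelector(latency, lambda s: latency[s], clock=lambda: now[0])
    first = sel.resolve()            # initial race: 8.8.8.8 answers first
    for _ in range(20):
        sel.resolve()                # all served by 8.8.8.8, no new race
    latency["1.1.1.1"] = 0.005       # now the fastest, but no race is due yet
    mid = sel.resolve()
    now[0] += 10.0                   # 10 s elapsed: the next query re-races
    after = sel.resolve()
    return first, mid, after, sel.races
```

The walk-through shows why a server that becomes faster mid-interval is not noticed until the next race, and why leaving several upstreams enabled for a day, as suggested above, gives the selector many races to sample.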
> DHCP and DNS, on a Windows AD environment, linux DHCP doesn't register in DNS. you can change the scope settings to allow any DHCP client to register. This works well, but may not be available for security reasons.
I don't really understand the issue. Did you try dnsmasq?
Yes, but you can't just install Pi-hole. It's distributed as an image instead of as a package. That's stupid and I hate it.
I use Dnsmasq with a blocklist. A cron job updates the list once a day:
0 6 * * * curl -s --compressed -o /var/lib/dnsmasq/hostnames.txt https://raw.githubusercontent.com/notracking/hosts-blocklists/master/{hostnames.txt,domains.txt} | sed -e '/::/d' -e 's/0.0.0.0//g' > /var/lib/dnsmasq/domains.txt && rc-service dnsmasq restart
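Added example (Python, not the thread's own code) tying together the wildcard-suffix idea from the Facebook-list comment above and the hosts-file conversion in the cron job just above: it parses a constructed hosts-style sample, drops entries already covered by a blocked parent domain or by admin-chosen suffixes, and emits dnsmasq address= lines. The sample hostnames, the fbcdn.net suffix and the 0.0.0.0 sink are assumptions.

```python
"""Turn a hosts-style blocklist into dnsmasq address= lines.

Added example, not the thread's own code. The sample below is constructed in
the 0.0.0.0/:: format of the notracking list mentioned above; the real file
is much longer."""

SAMPLE_HOSTS = """\
# constructed sample, not the real list
0.0.0.0 www.facebook.com
0.0.0.0 facebook.com
:: facebook.com
0.0.0.0 static.xx.fbcdn.net
0.0.0.0 scontent.fbcdn.net
0.0.0.0 tracker.example.test
127.0.0.1 localhost
"""


def parse_hosts(text):
    """Yield hostnames from hosts-file lines, skipping comments, the IPv6
    (::) duplicates and localhost, as the sed pipeline above does."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or fields[0] == "::":
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost":
                yield name


def collapse(names, wildcard_suffixes=()):
    """Drop every name that is a subdomain of another blocked name or of one
    of the admin-chosen suffixes: address=/parent/ in dnsmasq already matches
    the whole subtree, so those extra lines are redundant."""
    names = list(names)
    blocked = set(names) | set(wildcard_suffixes)
    keep = set(wildcard_suffixes)
    for n in names:
        labels = n.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & blocked:
            keep.add(n)
    return sorted(keep)


def dnsmasq_lines(names, wildcard_suffixes=(), sink="0.0.0.0"):
    """Render dnsmasq config lines; 0.0.0.0 is the usual null sink."""
    return [f"address=/{n}/{sink}" for n in collapse(names, wildcard_suffixes)]


if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(parse_hosts(SAMPLE_HOSTS), ("fbcdn.net",))))
```

Write the output to a file dnsmasq reads through conf-file= or conf-dir= and restart the service, as the cron line above does.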
Masquarade is a docker DHCP & DNS image able to block tracking, advertising, analytics & malware servers for all devices on your LAN when running in a container.
Masquarade is also able to block undesired webminer servers which could mine crypto money at your expense on your devices.
Masquarade is based on latest Alpine Linux and Dnsmasq. Final image size is ~5MB.
Masquarade uses notracking/hosts-blocklists as its blocklist source. Blocklists are updated every day at 2AM (customisable with the BLOCKLISTS_UPDATE_SCHEDULE env variable).
Masquarade is the "elementary version" of Pi-Hole. It's a sufficient alternative.
Hope this helps ;)
What router are you using? Enabling dnsmasq on the router makes for fast/easy local name resolution, which should resolve any potential issues you're having utilizing a proper FQDN, or can be achieved in a similar manner by implementing this same information into a simple /etc/hosts file.
That being said, do you need (or want) VCSA for learning purposes, or to manage your compute host? I often find a single (or couple/few) ESXi servers can be adequately managed via the HTML5 webgui? In either case, you can do this without deploying a full Active Directory or Domain. My Edgerouter performs DHCP (with dnsmasq) duties, Pi-hole + Unbound for DNS and then I've got the following:
Okay, so here's what you want to do:
1) Install Bind, configure forwarding to your external DNS server of choice. Your ISP's DNS servers are fine, you can also use 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google).
1a) (Optional) Install PowerAdmin to make things easy.
2) Configure your DHCP server/service to set your new DNS server as the default DNS servers for your network. If you don't know what is handing out DHCP addresses, it's probably your cable/DSL/etc modem. Since you're a homelabber, switch over to dnsmasq
3) Choose a domain name. This can literally be anything you want, since only your local machines will be resolving it. BE AWARE - If you choose a domain that already exists on the internet, you won't be able to hit that site anymore.
If you choose "google.com" for example, "google.com" will redirect to your local server, instead of the real google.
4) Configure BIND to resolve your new domain, and set up subdomains for your individual devices and services.
5) Enjoy your freshly earned hate for all things DNS.
>nextcloud server
If you're already running a Nextcloud server, you have the resources to run a lightweight internal DHCP/DNS server like dnsmasq.
It's so lightweight that it can be run on off-the-shelf home routers (that have very little RAM and storage) using third-party firmware like DD-WRT, but is still powerful enough to assign static IPs via DHCP (matching each node's MAC address against an allocation list) and "mask" whatever domain names you want with internal IP addresses. No messing with individual /etc/hosts required, and is largely a set-and-forget operation.
See the dnsmasq entry on ArchWiki for more ideas on what can be done with this one simple tool.
This clearly isn't the response you desired, but here goes anyway.
I've had ecobee thermostats since 2012. I've gone through several routers, and two service providers, in the last 6+ years and have never run into the issue you describe. The one constant during that entire period is that I use dnsmasq to provide DNS/DHCP services for my home network; all my IoT devices are on their own subnet, and because it was more convenient for me to monitor them, I configure DNSMasq to assign them names that resolve to static IPs (and I ensure that rDNS works).
These days I use a FingBox to monitor my home network. It doesn't require me to configure dnsmasq the way I have, but doesn't hurt either.
I don't know what hardware you have - but why not assign static IPs? Doing that doesn't adversely affect network reliability or stability?
16.04 usually requires a package or two to be manually installed (from what I remember), in addition to having the network configured correctly.
The DHCP server within pihole is dnsmasq - http://www.thekelleys.org.uk/dnsmasq/doc.html - and you can't really explore-by-breaking an active service running on your primary network: you'll want to set up a standalone or otherwise isolated network (if you have an old router sitting around, that'd do nicely once its own DHCP server was disabled) that is serviced by the DHCP server you want to play with.
You could always whitelist Netflix for your TV via DNS, which would (effectively!) prevent it from accessing anything else.
Scenario:
The only caveat is that accessing sites by IP address will still work, but that's a pretty rare thing to do and it's unlikely your TV does this.
You could set up DNSMasq to use your /etc/hosts file for DNS. Then you would configure your wireless router to use the IP of the DNSMasq server for DNS (use your ISP's DNS as second and tertiary servers so you can still resolve normal DNS). Then your iPad should be able to resolve whatever you put in your hosts file.
Edit: Instead of reconfiguring your router, on your iOS device go into Settings -> WiFi -> Your WiFi and change the DNS there. This way it'll only affect your iPad, and not everything else on your network.
www.thekelleys.org.uk/dnsmasq/doc
> Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. …
> Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.
If the client machines were already using DHCP, I wouldn't expect you to need to change anything on them.
Late to the party here, but another tool that might be useful to you is called dnsmasq. You can install it to be an "overlay" on top of your local DNS, point your queries at that, and stand up a traditional DNS server or two (or more?) as fallback servers. Hope this is useful to you or a future searcher in some way. :)
Well, I can tell you what I use. I have dnsmasq on my router, and it can do DNS filtering or redirection by domain, among many other things. If you're using Windows, you can also do DNS filtering or redirection using Acrylic. Both require a bit more work than just installing an ad-blocking addon, but they can protect multiple PCs on a LAN.
I use dnsmasq for this. It works as a simple dns server and will serve the domains from your /etc/hosts file.
I run it under OS X and set it up as my dns server in the Parallels machine...