Pi-hole v6

2025-02-18 18:31 · 573 points · 304 comments · pi-hole.net


We’re excited to announce the general release of Pi-hole v6!

At a glance: What’s New in Pi-hole v6?

1. Embedded Web Server and REST API

We’ve integrated a new REST API and embedded web server directly into the pihole-FTL binary. This eliminates the need for lighttpd and PHP, reducing the installation footprint and boosting performance. The new API also offers server-side pagination for the query log, ensuring a faster and more responsive interface.

As Lua has been embedded in the pihole-FTL binary for some time now, we have been able to leverage this to rewrite the web interface.

2. Advanced Filtering and Allowlists

Pi-hole v6 introduces support for subscribed allowlists (otherwise known as “Antigravity”). These lists work in much the same way as blocklists, but they allow domains instead of denying them.

3. Consolidated Configuration Files

We’ve streamlined configuration management by consolidating multiple settings files into a single, richly commented TOML file, making it easier to manage and understand your settings. If you are migrating from v5, your existing configuration will be migrated automatically into this file. It can be found at /etc/pihole/pihole.toml.

Configuration can be set in multiple ways:

  • Directly editing the TOML file
  • Via the command line, e.g. pihole-FTL --config dns.upstreams 8.8.8.8
  • Using the API
  • Via the web interface (which uses the API 😉)
  • Via environment variables, e.g. FTLCONF_dns_upstreams=8.8.8.8

If you set a value via an environment variable, note that this effectively makes the setting read-only: the environment variable will always force the value to match itself. This is the preferred way to configure FTL in the Docker container.

4. Redesigned User Interface

The web interface has been completely overhauled with settings split into Basic and Expert modes. This allows users to customize their experience based on their comfort level and needs.

5. HTTPS Support

Pi-hole v6 includes native HTTPS support, with options to provide your own certificates or use auto-generated ones.

6. Docker

Additionally, the Docker image is now based on Alpine, significantly reducing the image size and opening up possibilities for future system support.

Upgrading and Getting Started

Bare Metal

Upgrading to Pi-hole v6 should be straightforward. For existing users, we recommend backing up your current configuration before proceeding, as the upgrade is strictly a one-way operation.

During the upgrade operation, you will be presented with a dialog box asking if you wish to disable lighttpd. Doing so is probably appropriate for most users – unless you are using it to host web pages other than Pi-hole’s, in which case you may choose to keep it enabled. With lighttpd disabled, pihole-FTL will attempt to bind to ports 80 for HTTP and 443 for HTTPS. If there is any conflict on these ports, then it will revert to port 8080 for HTTP.

Docker

The Docker image has undergone a complete rewrite from the ground up, and is now based on Alpine rather than Debian. The same migration scripts that run on bare metal will also run on Docker – your configuration will be migrated to the new format.

The exception to this is environment variables. You can start the container with the old variables in place, but don’t expect them to work! It is recommended to read the Docker section of our docs page before upgrading.

Join the Community

Pi-hole thrives thanks to our vibrant and supportive community. Whether you’re looking to share your experience, get advice, or stay informed about the latest updates, there’s a place for you. Join the conversation on our official forum or connect with fellow users on our subreddit. We look forward to welcoming you!

Thank You for Your Support

We want to express our heartfelt thanks to everyone who has supported Pi-hole throughout the years.

Your community contributions and donations are the lifeblood of this project, allowing us to maintain and continually improve Pi-hole while keeping it free for everyone. If you’d like to contribute to our ongoing efforts, please consider donating through our official donation page. Every contribution, big or small, makes a significant difference in helping us deliver the best project that we can.

Thank you for being part of the Pi-hole community!



Comments

  • By andy_xor_andrew, 2025-02-18 19:10 (14 replies)

    I set up pi-hole recently after hearing about it for years. I was kind of surprised at a lack of really basic features (imo):

    There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.

    It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.

    • By MyOutfitIsVague, 2025-02-18 19:31 (2 replies)

      > It's also not possible (or not clear) how to have different behavior for different clients

      There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.

      • By paxys, 2025-02-18 20:35 (6 replies)

        It's slightly more complicated. What you are suggesting works if (1) you are using Pi-hole as a DHCP server or (2) all your devices are individually configured to use the Pi-hole IP address for DNS resolution. What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.

        • By jimsmart, 2025-02-18 20:48 (1 reply)

          > What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.

          That depends entirely on what capabilities your router has.

          Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.

          Other less capable routers, only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.

          But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).

          Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.

          FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.

          • By master_crab, 2025-02-18 23:24 (2 replies)

            And if your gateway device is configurable enough you can ban or redirect port 53 requests (DNS) to whatever machine you would like to use to serve up resolution.

            • By jimsmart, 2025-02-19 19:51 (2 replies)

              That's kinda janky really.

              DNS doesn't have redirection like HTTP has, so what you describe can only be implemented using port forwarding (or SSH tunnelling, but I've never seen a router with the ability to tunnel DNS in this fashion?).

              Port forwarding used like this, won't enable one to use the 'groups' functionality on PiHole — which was the (g)parent thread here — because all requests arriving at the PiHole will come from the same client, i.e. the router. Because port forwarding is more like a proxy than a redirect (to use HTTP terms).

              The correct solution here if one wishes to use PiHole's groups — and not have a janky network configuration like you describe here (an extra unnecessary hop for local DNS) — is to either (a) use the router's DHCP settings to tell the clients to use the PiHole IP for their DNS, or (b) disable the router's DHCP and simply use the DHCP that PiHole provides, which is at least as good as what most routers provide (and more configurable than most routers also, should one need to)

              • By sml156, 2025-02-20 21:38 (1 reply)

                > DNS doesn't have redirection like HTTP

                dnsmasq has grown up a lot in the last few years and does have the ability to redirect domains. It's that time again, got to read the man page.

                • By jimsmart, 2025-02-21 19:41

                  Erm, it's not redirection, because, like I said: DNS has no redirection — not in the sense that HTTP does.

                  If you don't understand this, then you are perhaps lacking some knowledge as to how HTTP redirects work, and/or how DNS lookups work, and/or how they are quite different concepts.

                  HTTP has redirects. DNS doesn't - but sure, it can be intercepted / hijacked.

                  > It's that time again got to read the man page

                  No need for the snark, this is HN, not Reddit.

                  But I'm already well aware of the feature you describe (after all, PiHole/similar relies on exactly this kind of interception) — but it isn't actually new at all, dnsmasq has had this since the very beginning, literally day one.

                  It's still not redirection like HTTP though, it's interception: serving an IP number from a conf file when a matching domain is requested instead of querying upstream. Very similar to adding an entry in your local hosts file.

                  Redirect isn't a term that is really ever used in DNS configuration. Except in the context of NXDOMAIN responses. And that's certainly not the topic of this thread.

                  With HTTP redirection, the server responds with 'moved' and the URL of the new location of the requested content. But all one can do with DNS requests is to respond: this is the IP for the domain A/CNAME you requested (or respond no-such-domain). In HTTP, that kind of inline interception can only be done with a proxy (transparent or otherwise) — and that's not the same as the HTTP redirect mechanism at all.

                  Some folk might argue that this is only a semantic difference. But it's not at all: they're quite different mechanisms, different traffic-flow / communication patterns. And the distinction is quite important to anyone who manages both DNS and HTTP, at a certain level.

                  But if you want to call it DNS redirection, then good for you. But the old-timers will call it out nearly every time, because it's not actually redirection. — DNS doesn't have redirection like HTTP. Not in the same sense as HTTP at all. Anyone who claims otherwise, really just needs to brush up on their DNS knowledge / terminology.

                  HTH

              • By master_crab, 2025-02-19 23:12 (1 reply)

                That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.

                • By jimsmart, 2025-02-20 1:17 (1 reply)

                  > That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.

                  That's the first time such a thing has been mentioned in this thread.

                  But I now get what you're trying to say in your comment above.

                  Sure, one can use e.g. iptables, to forward all outbound traffic on some port to some local IP. If your router has such capabilities.

                  But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.

                  And of course it wouldn't work if the device is using DoH.

                  But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.

                  • By master_crab, 2025-02-21 0:22 (1 reply)

                    The question and assessment is around how your dhcp device can control DNS behavior (usually by broadcasting the name server IP). And I pointed out many devices that do DHCP often also act as the gateway device and internal firewall.

                    It’s not meant to answer your direct question, but pointing out what’s possible. Because yes, there are a lot of IoT and other devices that misbehave on a network.

                    And it’s incredibly trivial to port ban or port forward a selection of IPs and not affect the behavior of your Pi-hole. Packets carry last hop ip and source ip. I do it all the time on my gateway device.

                    DoH is a completely different story. Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.

                    • By jimsmart, 2025-03-01 0:07

                      > DoH is a completely different story.

                      Yes. And that's why, in the context of misbehaving devices, carrying their own methods of doing DNS, I mentioned it.

                      > Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.

                      No, not at all. Anything can use DoH. Doesn't need to be browser-based, nor using Apple private relay, nor anything of the kind. A device simply needs to be coded to make its DNS queries over HTTP. In a similar fashion to how it might have a hard-coded value for its DNS lookups, the developer can simply include a small library to do DoH instead. And that's not going to be so easily filterable by a rule for outgoing traffic / port forwarding.

                      I have all of my PiHole DNS lookups going over DoH. Have done for years now. Because when I originally set up my secure DNS, DoH was a better choice than DoT, because DoT was very much still in flux. And by comparison, DNS over an existing standardised transport is pretty much a known quantity. So that was my choice. And it works great.

                      So all of my network's DNS lookups go out over DoH... there's lots of DNS providers that provide DoH nowadays, including plenty of very big providers. My secure DNS proxy cycles between different servers.

                      DoH functionality is even just built-in to Bind these days.

                      In reality, DoH isn't in any way restricted just to the services you describe here. Far from it. It can be used anywhere. It's just a protocol. With plenty of destination endpoint support, out there in the real-world.

                      And if some device wants to control its DNS to that kind of level, then, beyond simply having a hard-coded DNS server value, using DoH is pretty easy.

                      No browsers needed, no Apple Private Relay needed.

            • By zaudo, 2025-02-19 10:37 (2 replies)

              This is exactly what I do with my Unifi router, but still all I see in Pi-hole is the router making the DNS requests.

              • By bdavbdav, 2025-02-19 17:37

                I think you’ve set the WAN dns to the PiHole. You need to set the DNS in networks.

              • By InvertedRhodium, 2025-02-19 14:26

                Are you NATing the redirection to the pi hole server? If so, disabling it should let pihole see unique clients.

        • By mikestorrent, 2025-02-19 4:35

          The better option is to configure DHCP to hand out the Pi-hole as your DNS server. If your router cannot do that, but you want to go deep enough to configure your home network with a Pi-hole, you should probably also invest in either a better router or OpenWRT on your current one to get a few more features.

          Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.

          DNS-over-HTTP is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.

        • By MyOutfitIsVague, 2025-02-18 20:56 (1 reply)

          It works for me and I don't use Pi-Hole as a DHCP server or have any of my devices individually configured. I have my router acting as a DHCP server and have it tell clients to use my Pi-hole for DNS. Some routers' default firmwares don't let you do this, but most OpenWRT and Tomato and the like should.

          • By sunshine-o, 2025-02-19 0:26 (2 replies)

            I haven't tried Pi-Hole yet but is there a package for OpenWrt which could offer functionalities equivalent to Pi-Hole?

            I already run OpenWrt on x86 hardware so I have plenty of RAM and disk.

            • By 31337Logic, 2025-02-19 13:34

              Yes. It's called adblock and it's rock solid. I also run mine on an x86. Just set and forget.


        • By sneak, 2025-02-18 23:27

          Not all routers proxy DNS; many have DHCP settings so you can give the pi-hole’s address as DNS server to clients via DHCP.

          I imagine this is how it’s usually done. There’s no reason to double proxy.

        • By bolster8505, 2025-02-18 21:14 (1 reply)

          Using clients and groups works fine for me. I'm able to block youtube on my kids' devices, but allow it on others. I have pihole running in a container without being my dhcp server.

          • By bilalel, 2025-02-19 7:39 (2 replies)

            Do you mind sharing your blocklist for youtube? It has been a challenging one so far.

            • By 10729287, 2025-02-19 8:11 (1 reply)

              Not OP but we can assume when he's talking about blocking Youtube, he's in fact blocking youtube for his kids, not Youtube ads. Pi-hole can't block Youtube ads as they are delivered by the same servers as content. Then you can't block one without blocking the other.

              • By bilalel, 2025-02-19 10:09 (1 reply)

                My comment wasn't clear. I was indeed referring to blocking youtube completely, not just ads on youtube.

                • By jimsmart, 2025-02-19 20:01 (1 reply)

                  Just go to PiHole's "Domains" page, in the box labelled Domain, type youtube.com, enable the checkbox for Add domain as wildcard, then click the button labelled Add to denied domains.

                  Now youtube.com and all of its subdomains are blocked, for all clients.

                  If you wish for it to only be blocked for some clients, then assign your clients to groups, and set the setting appropriately on the domains page.

                  • By bolster8505, 2025-02-24 16:32 (1 reply)

                    The best way is to open up the Query Log, open up the site you want to block, and deny from there, making regex blocks are appropriate.

                    • By jimsmart, 2025-02-26 11:32

                      > The best way

                      I think you would need to explain your definition of 'best' here — I mean: explain why you think it is better.

                      > making regex blocks are appropriate.

                      I guess here you actually mean inappropriate?

                      Perhaps. But I think you misunderstand what I am doing, and how that then works in PiHole.

                      The method I describe, uses the Domains tab on the Domain Management page — and not the RegEx Filter tab.

                      The distinction is somewhat of importance, because the implementation of PiHole uses a different code path for exact-match denies/accepts, vs regex denies/accepts. (Type 0 and 1, vs type 2 and 3, detailed here[1]). Adding a domain the way I describe, creates an exact-match type entry in that table, not a regex match type.

                      But even if it were still using regex, the cost of that isn't as high as one might imagine, due to the fact that subsequent repeat queries to the same domain, do not get checked against regexes again: the result is cached.

                      As described here [2]: "Our implementation is light and fast as each domain is only checked once for a match. When you query google.com, it will be checked against your RegEx. Any subsequent query to the same domain will not be checked again until you restart pihole-FTL."

                      In summary: adding a domain the way I describe doesn't create a regex filter anyhow. But PiHole's regex matching isn't a naive implementation, it caches the results, so that it only actually performs the regex matching on first query to a domain not seen before (since last restart).

                      So really it makes no difference at all if one blocks a domain the way I describe, or the way you describe. They both end up doing the same thing: they insert an exact-match filter entry into the database.

                      In which case, it's simply down to one's own preference: do you prefer looking through the query log to find the site to block... or do you prefer just typing in a domain name.

                      [1] https://docs.pi-hole.net/database/domain-database/

                      [2] https://docs.pi-hole.net/regex/

            • By bolster8505, 2025-02-24 16:31

              Sorry, I didn't see this earlier.

              To block Youtube I use:

              youtube-ui.l.google.com - exact

              youtubei.googleapis.com - exact

              (\.|^)googlevideo\.com$ - regex

              (\.|^)youtube\.com$ - regex

              It's probably overkill but it results in no Youtube until chores are done.
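
The exact-match versus regex code paths and the once-per-domain regex cache that jimsmart describes a few posts up, exercised against the YouTube rules bolster8505 posted above, as an added Python example (not Pi-hole's own code; DomainFilter, the counter and the sample queries are constructed here):

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules, modelled on the YouTube list posted above:
# two exact-match hostnames and two anchored regexes.
EXACT_DENY = {
    "youtube-ui.l.google.com",
    "youtubei.googleapis.com",
}
REGEX_DENY = [
    r"(\.|^)googlevideo\.com$",
    r"(\.|^)youtube\.com$",
]


@dataclass
class DomainFilter:
    """Exact-match set plus regex list, with a per-domain result cache.

    Exact entries are a plain set lookup. Regexes are compiled once and
    evaluated only the first time a domain is seen; later queries for the
    same domain are answered from the cache, as the Pi-hole regex docs
    quoted in the thread describe.
    """
    exact: set
    regexes: list
    regex_evaluations: int = 0          # how many domains took the regex path
    _compiled: list = field(init=False, default_factory=list)
    _cache: dict = field(init=False, default_factory=dict)

    def __post_init__(self):
        self._compiled = [re.compile(r) for r in self.regexes]

    def _classify(self, domain):
        # Exact match is a hash lookup and never touches the regex list.
        if domain in self.exact:
            return "exact"
        self.regex_evaluations += 1
        for rx in self._compiled:
            if rx.search(domain):
                return "regex"
        return None

    def lookup(self, domain):
        """Return 'exact', 'regex' or None (allowed) for a queried name."""
        # Normalise: DNS names are case-insensitive and may carry a root dot.
        key = domain.rstrip(".").lower()
        if key not in self._cache:
            self._cache[key] = self._classify(key)
        return self._cache[key]


def demo():
    """Run the constructed query list; return (results, regex_evaluations)."""
    f = DomainFilter(EXACT_DENY, REGEX_DENY)
    queries = [
        "youtube.com",                   # regex: bare domain via the ^ branch
        "www.youtube.com",               # regex: subdomain via the \. branch
        "rr1---sn-abc.googlevideo.com",  # regex: a constructed CDN host
        "youtubei.googleapis.com",       # exact: regex list never consulted
        "notyoutube.com",                # allowed: (\.|^) rejects a partial label
        "youtube.com.example",           # allowed: $ rejects trailing labels
        "WWW.YouTube.com.",              # same as www.youtube.com, served from cache
    ]
    return [(q, f.lookup(q)) for q in queries], f.regex_evaluations


if __name__ == "__main__":
    results, evaluations = demo()
    for domain, verdict in results:
        print(f"{domain:32} {verdict or 'allowed'}")
    print(f"regex path taken for {evaluations} of {len(results)} queries")
```

The two "allowed" cases show why the `(\.|^)` prefix and `$` suffix matter: a bare `youtube\.com` would also deny notyoutube.com and youtube.com.example.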

        • By doron, 2025-02-19 14:54

          That's my only gripe with the current pi-hole; there is no easy way to configure DHCP options.

      • By aulin, 2025-02-19 6:49 (1 reply)

        I use pihole for dhcp and it's extremely easy with dnsmasq. Hope their settings overhaul does not break this.

        dhcp-option=tag:nospam,option:dns-server,x.x.x.x
        dhcp-option=tag:spam,option:dns-server,y.y.y.y
        dhcp-host=client1...,set:nospam
        dhcp-host=client2...,set:spam

        • By jimsmart, 2025-02-19 20:12

          Previously, PiHole used /etc/dnsmasq.d/ with best practice being to put one's own additional config, or overrides, in separate file(s) in that folder.

          PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).

          But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.

    • By windexh8er, 2025-02-19 12:33

      One of the services I get the most value out of is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.

      But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.

      [0] https://nextdns.io/

      [1] https://controld.com/

    • By ge96, 2025-02-18 19:26 (7 replies)

      I think I'll never buy a smart TV what an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.

      My cheap android phone installs games by itself eg. candy crush ugh. My own fault I get it buy a $2K phone instead of $160

      • By b3lvedere, 2025-02-18 19:52 (3 replies)

        Most non-smart 4K screens are more expensive than 4K smart TV screens though. Really weird, because there's less stuff in it. I just want a nice 50" 4K screen with HDMI and DisplayPort. I don't use all the other junk anyway, since I watch TV via a computer and sound goes to a surround set.

        • By Jeremy1026, 2025-02-18 20:01 (1 reply)

          > Really weird, because there's less stuff in it.

          It's also not subsidized by selling your user data.

          • By b3lvedere, 2025-02-18 20:17 (5 replies)

            Is this really true? The margin must be huge. I've seen 4K smart TVs for half the price of 4K monitors.

            • By ranbato, 2025-02-18 22:28

              In 2019 the Vizio CEO went on the record saying there was no money in dumb TVs. They sell near cost and make it all up in ads and metrics.

              https://boingboing.net/2019/01/11/telescreens-r-us.html

            • By alabastervlog, 2025-02-18 21:34 (1 reply)

              I've had a little insight into this world. To make the BOM costs work at the retail prices they charge for things like common set-top streaming boxes (e.g. Roku) and, now, TVs themselves since they incorporate the same stuff, they have to be selling data. Otherwise they're selling at a loss, once you factor in middleman margins and such.

              You can try to compete by charging a reasonable amount for your hardware and software, but you'll be competing against economy of scale and wrestling for shelf-space with products that are (don't forget retail percentage mark-up) at least 30% cheaper than yours, which means your units don't move, which means you don't get (or keep) shelf space, and hello death spiral. Also if you somehow manage to make it despite that, as soon as an MBA gets in charge you'll just switch to selling data, too.

              • By lukevp, 2025-02-18 23:37 (2 replies)

                Or you buy an Apple TV, that’s priced appropriately with its capabilities and doesn’t thieve everything from your network and your house.

                • By alabastervlog, 2025-02-19 15:49 (1 reply)

                  I only didn’t mention that because I’m not sure how much spying they do. I’d bet it’s a lot less, but probably still too much.

                  But yes, that’s what I have, two of them in fact. Tried a Shield, sucked, should have just gone straight for Apple TV instead of trying to pinch pennies.

                  • By ge96, 2025-02-19 16:16

                    A follow up question is, what does the transaction look like. Bulk DB dump or JSON files per person, spreadsheet, that would be interesting like race, interests, budget...

                • By izacus, 2025-02-19 10:49 (1 reply)

                  You'll be plugging your AppleTV into that data collecting TV device because you won't pay more for it.

                  • By K0balt, 2025-02-19 12:45

                    I don’t allow my smart tvs on the network. They complain a bit but they work.

            • By shbooms, 2025-02-19 14:45

              It's completely true.

              Looking at Vizio's financial records[0], the numbers make it clear.

              They separate everything into 2 distinct businesses, Device and Platform+.

              Device represents their hardware business of selling physical TVs and soundbars. Platform+ covers all of their other "software-related" business, mainly consisting of ad delivery and selling user data to third parties.

              2019:

              - Device Net Revenue = $1.7 billion

              - Device Gross Profit = $125 million

              - Platform+ Net Revenue = $63 million

              - Platform+ Gross Profit = $40 million

              2023:

              - Device Net Revenue = $1.0 billion

              - Device Gross Profit = -($8.6 million)

              - Platform+ Net Revenue = $598 million

              - Platform+ Gross Profit = $364 million

              So over the course of just 4 years:

              - hardware revenue is down 40% and is actually losing money (confirms they are indeed selling the TVs at a loss)

              - Ad/user data revenue, however, is up almost ten-fold (+949%)

              - total gross profits of the two combined are up over 54%

              [0] https://investors.vizio.com/financials/quarterly-results/def...

            • By emaro, 2025-02-18 20:28

              TVs usually have lower requirements regarding frame rate and latency compared to computer monitors. That's probably also a factor.

            • By FirmwareBurner, 2025-02-18 20:52

              Probably more to do with the economies of scale. More TVs are sold than PC monitors so therefore cheaper.

        • By baltimore, 2025-02-18 20:53

          > Really weird

          No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.

        • By progbits, 2025-02-18 19:57 (4 replies)

          Is there an equivalent of DDWRT/OpenWRT but for TVs?

          Most often those are some embedded linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?

          Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.

          • By lotharcable2, 2025-02-18 21:18 (1 reply)

            > Is there an equivalent of DDWRT/OpenWRT but for TVs?

            Get a used mini-PC, install Linux on it, and don't allow the TV to connect to any networks. This is a 50-75 dollar solution. Good if you are on a budget and are not interested in any whiz-bang features like HDR.

            There are a few TV-dedicated Linux systems out there, like LibreELEC.

            Or get a more powerful system with an AMD GPU and install Bazzite on it. That way you get something like "SteamOS for your TV". Pairs nicely with controllers like 8BitDo.

            It would be nice to have TVs as open as PCs, but the manufacturers and media companies are run by dirtbags and would rather have victims than customers.

            • By close04, 2025-02-19 9:50 (2 replies)

              > Get a used mini-pc, install Linux on it

              As someone who tried that route I'd strongly recommend against it for anyone who isn't core HN audience or just loves tinkering. You're much better off with an Apple TV or an Nvidia Shield unless you really want the "beefy gaming media center".

              I walked the mini-PC/RPi road and they came up short every time even for me, let alone the rest of the family. Even when I put in place the perfectly optimized initial setup I was still left with a bad compromise of performance, power consumption, noise, boot time, ergonomics, and the constant trickle of things breaking down or needing tweaking because of some update.

              When trying to watch a movie with the family the last thing I want is to troubleshoot random issues.

              • By edelhans 2025-02-19 12:27, 1 reply

                I just use an old macbook air with a bluetooth keyboard that also has a touchpad. The thing is in sleep mode when not needed, so it wakes up fast and does not need a lot of energy. With that setup I can access whatever media I want, have a solid adblocker and a browser with a real keyboard.

                • By close04 2025-02-19 13:10

                  > with a bluetooth keyboard that also has a touchpad

                  Different strokes for different folks, having to use a keyboard to control my TV is for me one of those usability compromises I preferred to avoid. It's probably related to how I use the TV, things like browsing the web were never on the list of requirements. I'll have a phone, tablet, or laptop at hand for that.

              • By b3lvedere 2025-02-19 10:22, 1 reply

                I've had an MSI Trident functioning as a gaming/HTPC computer for years and the family loves it. They know how to browse the various streaming services and use Steam and Kodi.

                • By close04 2025-02-19 13:50, 1 reply

                  > an MSI Trident

                  This is diverging quite a bit from "a smart TV replacement". Especially if Steam is a requirement.

                  The gaming PC you have there is probably exactly the combination you want. But for most others it's the compromise to avoid I mentioned above. It delivers the console and TV/media center experience but with the full PC power consumption, noise, boot times, maintenance effort, and inconvenient controls.

                  The cheapest Trident I can find on eBay costs more (by 2-5x) than an Xbox and an Apple TV together. And these 2 deliver their respective experiences with far fewer compromises.

                  > They know how to browse the various streaming services

                  Knowing how to use it is just the bare minimum requirement. With an Apple TV for example you can do the same with almost instant startup time, 0 noise, 0 maintenance, ~1-2W streaming, and a small remote control. And probably has less ads than the average Windows computer :). I found the "right tool for the job" more appropriate for my use case but that might not work for everyone or all the time.

                  • By b3lvedere 2025-02-20 11:01

                    Things just happened that led to that optimised state of using one device for all (the MSI). Nevertheless the main question was about a nice 4k screen. :)

          • By kjs3 2025-02-18 23:17

            Because just like virtually everything in the embedded SoC ecosystem outside of the RPi competitor SBC crowd, the TV embedded board likely has a chip with little or no doc (with or without NDA), and unlike a Pi-ish SBC there's probably not even an unsupported, outdated kernel linked with a ton of opaque proprietary blobs hidden on an obscure Chinese-language web site to try out.

            Maybe there are smart TVs out there with a SoC that's been reverse engineered enough to do something with. If there is, that should be shouted from the rafters. But I kinda doubt it.

          • By RandomDistort 2025-02-18 20:04, 4 replies

            Isn't a TV that permanently shows HDMI input a big monitor?

            Weirdly they always seem to be more expensive than a TV though.

            • By adornKey 2025-02-19 9:05, 1 reply

              One difference between monitors and TVs used to be that monitors used RGB subpixel layout and TVs used BGR (i.e. TV panels are upside down).

              Configuring subpixel layout per monitor is something that most OSes won't allow. So if you use several monitors, you usually have to mount the BGR ones upside down. (Otherwise fonts will be blurry...)

              For some time now there are really cheap 4K Monitors with BGR-layout available. If you mount those upside down you're fine... (I use LG 4K Monitors mounted upside down in combination with other screens)

              • By kbolino 2025-02-20 0:16

                Subpixel hinting isn't that useful at high DPIs though. Apple has ditched it entirely in macOS, regardless of monitor DPI, and gone back to standard anti-aliasing.

            • By protocolture 2025-02-18 23:01

              Bear in mind I went down this hole years ago, so these could be solved problems, but in my experience monitors speak a set of more useful modes (resolution and refresh rate combos) and TVs often need to be trammed in a bit, the default screen position not being properly centered in all cases.

            • By progbits 2025-02-18 20:24

              Yeah exactly, as others also point out in the thread, if you want a "TV-sized monitor" you will pay more than for a TV, and probably get a worse panel, lower brightness, etc. Hence it would be useful to buy a "smart" TV and turn it into a monitor instead.

            • By b3lvedere 2025-02-18 20:11, 1 reply

              Well yes, but I guess either big monitors use different panels or there's some shady business going on.

          • By b3lvedere 2025-02-18 20:10, 1 reply

            Would be fun if someone could hack those OSes indeed.

            It could make a nice CrowdSupply project, except for the cheap distribution of the huge packages. Sounds not that hard though: just get some nice 50" 4k smart TVs and remove all the junk. Cool features like DP daisy chain or something and one could have a nice project. But I'm guessing there is (too) much money to be made in user info and ads. :(

            • By simondotau 2025-02-19 3:01, 1 reply

              Top tip: some smart TVs will turn into perfectly serviceable dumb TVs if you reject their on-screen software license agreement/privacy disclaimer.

              • By K0balt 2025-02-19 12:47

                Yup. This. Just tell it no.

      • By lotharcable2 2025-02-18 21:11

        I have a 'smart tv'. I don't allow it to connect to any network.

        The only really annoying thing about it is that noises from TV shows or the house sometimes trigger the voice recognition, which fails, and then you have to click through the error message.

      • By reddit_clone 2025-02-19 0:02

        I am hanging on to my 15 year old Vizio for dear life (with a Roku box). We don't watch much TV anyways. It's just YouTube playing.

        I dread the day it dies.

      • By themadturk 2025-02-20 0:07

        I just have never connected my Samsung TV to the Internet. My streaming all goes through my Roku. When the TV turns on it displays a splash screen asking me to connect to the network, which disappears after about 15 seconds and never comes back until I turn the TV back on.

        I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.

      • By oz3d 2025-02-19 8:34

        Does Pi-hole actually block YouTube ads? Last time I tried it did not really work (on PC and phone). Switched back to uBO.

        They probably do some tricks so that blocking ads with DNS is not possible.

      • By AstralSerenity 2025-02-20 4:13

        If you use an Android device, you have the potential to live an ad-free life:

        - Use Firefox with uBlock Origin and BypassPaywallsClean to avoid ads and paywalls.
        - Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
        - Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.

      • By JKCalhoun 2025-02-19 0:53

        My thought is to develop a headless, Smart TV like device that just sends random bullshit data to the servers that collect it.

    • By josephg 2025-02-18 19:26, 3 replies

      > For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates

      Why install software updates if you don’t use the “smart” features? Our smart tv has been banned from the internet for years.

      • By timoteostewart 2025-02-18 20:15, 5 replies

        I imagine software updates might bring improved support for various media codecs, or UI enhancements, or better Bluetooth compatibility, etc.

        • By hsbauauvhabzb 2025-02-18 21:53

          Or more likely: reduced privacy settings, increased analytics, and in-menu advertisements.

        • By prmoustache 2025-02-19 7:28

          Why would the manufacturer spend money on that if it had your sale already and you aren't paying any support subscription?

        • By globular-toast 2025-02-19 11:06, 1 reply

          Yes, those are the "smart" features. Just plug in a Raspberry Pi and don't touch the TV after its initial setup. I'm still using the same Raspberry Pi 2 I've been using for more than 5 years now. Beats "smart" TVs that you can buy today.

          • By itsoktocry 2025-02-19 11:36, 1 reply

            >Raspberry Pi 2

            Isn't that the one with the network speed capped at 100MB/s and no capability to stream HEVC files?

            • By doubled112 2025-02-19 11:50, 1 reply

              It only has a 100Mbps Ethernet jack, yes, but so do both of my TVs.

              I don’t have any HEVC media so I’m not sure there, but the lack of 4K output would be a big stopper for me.

              I’m also not sure about the streaming services it would support, but chances are if you're running off of a Pi2, you’re sailing the seven seas for media. Will that thing even play YouTube in a browser at this point?

              • By globular-toast 2025-02-19 13:25, 1 reply

                Nah, I used to have a YouTube plugin that worked years ago but don't any more. I don't use it for "TV" purposes, though, it's more of a home cinema device. I don't have background screens in my house.

                But my point wasn't literally to use a Raspberry Pi 2, just that you can get cheap low power devices that beat "smart TV" crap. You can of course get much more recent ARM-based boards that support all the latest HD standards etc. I don't do the hedonic treadmill, though, so I'm still happy with 1080p Blu-ray.

                • By doubled112 2025-02-19 13:42

                  Can't disagree with that. If it's still fulfilling its purpose, why change?

                  Smart TVs really aren't very smart and a nicely ripped 1080p Blu-ray often looks better than what the streaming services will stream you anyway.

                  I don't think I'd even have a TV if it were just me. Wife and kids seem to need one though, so simplicity counts. What would they do if they couldn't watch people who watch people play games?

        • By sneak 2025-02-18 23:28

          I let one of my cheap smart TVs update for this reason (and not the other two identical ones I have) and now that one crashes and lags all the time, despite none of them being on the internet.

          Embedded device software development quality is usually even worse than webapp software development quality.

      • By hsbauauvhabzb 2025-02-18 21:52

        My TV after a recent update has begun randomly crashing with audio looping for a few seconds before rebooting. When an update comes through for that you can be damned sure I’ll be disabling all future updates.

      • By psychlops 2025-02-19 1:30

        Same, my smart tv has never heard of the Internet.

    • By BHSPitMonkey 2025-02-18 19:48, 3 replies

      Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.

      • By progbits 2025-02-18 19:54, 1 reply

        I recommend putting all these things on their own VLANs with strict routing rules.

        For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from the rest of the LAN.

        On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running Home Assistant can talk to them.

        This will work until Amazon Sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.

        • By JB_Dev 2025-02-18 21:03

          Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.

      • By temp0826 2025-02-18 22:05

        Smart/IoT devices using DoH (or other encrypted DNS) are a headache that would need to be solved at the router (MITM-ing/redirecting to your preferred provider? or straight up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.

      • By xrisk 2025-02-18 20:28, 1 reply

        It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.

        And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.

        • By nothrabannosir 2025-02-18 20:34, 1 reply

          Smart TV opt-out telemetry is malicious.

          • By xrisk 2025-02-18 20:39, 1 reply

            Edited to clarify what I mean.

            • By nothrabannosir 2025-02-19 0:45

              Thanks for giving my glib comment the credibility it didn't deserve.

              Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...

    • By guhcampos 2025-02-18 22:59, 1 reply

      I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of those were related to the fact I worked for companies that had domains blocked.

      • By hotstickyballs 2025-02-18 23:03, 2 replies

        It's destructive if you can't reach your remote devices anymore. See also Jeff Geerling's "It was DNS" T-shirt: https://www.redshirtjeff.com/shop/p/it-was-dns-shirt

        • By OJFord 2025-02-18 23:42

          Only if they're configured to explode if not pinged for 30s or something.

        • By master_crab 2025-02-19 0:57

          The only times I have seen this happen is when the remote devices were communicating with something on blacklist (which should be concerning anyway, but also a quick fix if not) or doing something naughty like not using the DNS server broadcast by DHCP.
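The bypass concern raised across this sub-thread (a device hard-coding a public resolver instead of the DHCP-advertised one, or using DoT/DoH so the sinkhole never sees the query) can be audited from the router's own flow records. The following is an added example, not code from Pi-hole or from any commenter; it assumes a constructed flow-log format, a Pi-hole at 192.168.1.2 on a 192.168.0.0/16 LAN, and a short constructed list of public resolver addresses that serve DoH.

```python
"""Audit a router's outbound flow log for clients that side-step the LAN resolver.

A DNS sinkhole only filters the queries that actually reach it. A device that
talks to a hard-coded resolver on port 53, uses DNS-over-TLS (tcp/853) or
DNS-over-HTTPS (tcp/443 to a public resolver) never touches the blocklist.
This script flags such flows so the router can drop or redirect them.

The log format is constructed for this example (one flow per line):
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")                 # assumption: home network range
ALLOWED_RESOLVERS = {ip_address("192.168.1.2")}    # assumption: the Pi-hole address

# Assumption: a short, constructed sample of well-known public resolvers that
# also answer DoH on port 443. A real deployment would use a maintained list.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def parse_flow(line):
    """Split one log line into (ts, src, dst, proto, port); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        return ts, ip_address(src), ip_address(dst), proto.lower(), int(port)
    except ValueError:
        return None


def classify_flow(src, dst, proto, port):
    """Label a flow as a resolver bypass, or return None if it is not one."""
    if dst in ALLOWED_RESOLVERS:
        return None  # the sanctioned path: queries the sinkhole actually filters
    if src not in LAN or dst in LAN:
        return None  # only LAN clients talking to the outside are of interest
    if port == 53 and proto in ("udp", "tcp"):
        return "plain-dns-bypass"  # hard-coded public resolver, Pi-hole never sees it
    if port == 853 and proto == "tcp":
        return "dot"  # DNS-over-TLS: encrypted, the sinkhole cannot filter it
    if port == 443 and proto == "tcp" and str(dst) in DOH_RESOLVERS:
        return "doh-suspect"  # HTTPS to a known DoH endpoint; looks like web traffic
    return None


def audit(lines):
    """Group bypass findings by client: {client: {label: [destinations]}}."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than abort the whole audit
        _, src, dst, proto, port = flow
        label = classify_flow(src, dst, proto, port)
        if label:
            findings[str(src)][label].add(str(dst))
    return {c: {k: sorted(v) for k, v in d.items()} for c, d in findings.items()}


# Constructed sample: .50 behaves, .77 hard-codes a resolver and uses DoT,
# .90 talks HTTPS to a known DoH endpoint. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for ordinary web servers.
SAMPLE_LOG = """\
2025-02-18T19:00:01Z 192.168.1.50 192.168.1.2 udp 53
2025-02-18T19:00:02Z 192.168.1.50 203.0.113.10 tcp 443
2025-02-18T19:00:03Z 192.168.1.77 8.8.8.8 udp 53
2025-02-18T19:00:04Z 192.168.1.77 1.1.1.1 tcp 853
2025-02-18T19:00:05Z 192.168.1.90 1.1.1.1 tcp 443
2025-02-18T19:00:06Z 192.168.1.90 198.51.100.5 tcp 443
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for client, kinds in audit(SAMPLE_LOG).items():
        for kind, dsts in kinds.items():
            print(f"{client}: {kind} -> {', '.join(dsts)}")
```

A client that shows up under "plain-dns-bypass" is the case described above (ignoring the DHCP-advertised server); the "dot"/"doh-suspect" labels are the encrypted variants that only a router-level rule can address.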

    • By jkingsman 2025-02-18 19:18

      I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for average home users, who probably need to expand their networking knowledge just to distribute custom DNS via DHCP.

      So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.

    • By bdcp 2025-02-18 19:19

      For the second question, it is indeed Groups. I have my SO's phone bypass everything. It's the way she wants it.

      Yeah, I agree it's not super UX friendly.

    • By everdrive 2025-02-18 19:33

      You can definitely set client groups, either based on CIDR, MAC (if on the same network segment) or individual IP. From there, you can assign different domains and lists to the specific groups.

    • By nkrisc 2025-02-18 19:30

      The way I handled this issue for my family and devices is just by having two SSIDs, one with pihole blocking and one without. If it’s interfering with something, my wife or I can just switch to the unblocked network temporarily.

    • By NoPicklez 2025-02-18 23:26

      You'd be hard pressed to find that an auditing mode would be helpful. Even once you hit that big red button, depending on the blocklists you use you will come across false positives that cause issues.

    • By Mekoloto 2025-02-19 11:27

      You need to put your smart TV on a different VLAN.

      The biggest risk is not Samsung knowing what someone watched but what devices you have on your LAN.

    • By simooooo 2025-02-19 14:53

      AdGuard Home seems to be better in every way. Not sure if this is a feature though.

  • By LeoPanthera 2025-02-18 18:52, 9 replies

    I've been using AdGuard Home, which does pretty much the same thing, but is slightly better polished, with things like support for DoH and OSs other than Linux.

    https://github.com/AdguardTeam/AdGuardHome

    • By laweijfmvo 2025-02-18 19:57, 5 replies

      I went from PiHole -> AdGuard -> NextDNS. My patience for tinkering and maintaining wasn't high enough to not just pay someone else to do it :)

      • By sph 2025-02-19 7:17

        I used to use NextDNS, but pi-hole is such low maintenance it makes no sense to pay for a third party service and additional latency to do ad filtering. I set up pi-hole on an Arch Linux for ARM installation on an RPi 3 like 5 years ago and haven't touched it since. Still chugging along nicely.

      • By LeoPanthera 2025-02-18 20:28, 3 replies

        The big benefit of running a DNS server locally is caching. Using any external provider means you have to go out to the internet for every single request.

        With a local server, most requests are fulfilled from the local cache.

        • By Novosell 2025-02-18 21:39

          Hmmm, my router caches DNS queries.

        • By natrys 2025-02-19 5:34

          You can just run something like dnsmasq locally though.

        • By pseufaux 2025-02-19 0:16

          You can run NextDNS on your router to solve this.

      • By mrmuagi 2025-02-18 20:42, 4 replies

        Same except skipping AdGuard.

        Having the DNS live on a pi sounded like fun for me but it gave me stress due to power outages. There is safety in knowing you aren't adding a point of failure that only you know how to solve.

        I also had issues with adding backup DNS, since a backup DNS would be queried if the pihole blocked the DNS query -- so I would have to maintain two separate blocklists, one local and one offsite.

        • By martin_a 2025-02-18 21:43, 2 replies

          I think my PiHole is up for 3+ years on a Raspberry Pi dedicated to that task. Did not fail once since then, so not sure if "DNS is going down" is really an issue. But maybe I've got survivorship bias.

          • By brummm 2025-02-18 21:55, 2 replies

            Living in a North American city with power wires being above ground, I have had so many power outages in the last five years, it was kind of a crazy thing to get used to. My Pi would not deal well with power outages when running through the SD card and so I stopped using it.

            • By eldaisfish 2025-02-18 23:19

              I've had a raspberry pi and pihole going on the same SD card for approximately seven years now.

              I also regularly reboot the pi by simply cycling power.

              The solution was fairly simple. Send the Linux log files to /dev/null (or whatever it is actually called, i.e. RAM) and disable query logging in pihole.

              That's it. Helps greatly!

            • By sizzle 2025-02-19 11:40

              I ran it on an old laptop and never had issues. The extra RAM and CPU plus an actual hard disk gave me ~99% uptime, even after power outages, with no SD card corruption. The laptop auto-rebooted on crash too.

          • By mrmuagi 2025-02-18 22:10, 1 reply

            I live in Vancouver BC, we have a power outage every 1-2 years due to high winds or fallen power poles. I noticed some devices on my home network whilst connected to power have power quality issues too, no doubt a UPS would help here.

            • By distances 2025-02-18 23:34

              What's the concern about power outages? My Pi-hole is back online much faster than my router.

        • By sph 2025-02-19 7:19, 1 reply

          DNS issues during power outages are the least of your problems, as chances are your Internet and all your PCs are down as well.

          • By 10729287 2025-02-19 8:17, 1 reply

            Also, having two Raspberry Pi for primary and secondary dns is good practice, in case something goes wrong with the main one.

            • By sph 2025-02-19 13:05, 1 reply

              Why not run pi-hole in one of those Kubernetes clusters for Raspberry Pi, and don't forget to set up a UPS for redundant power supply.

              Or: in the rare eventuality that your Raspberry Pi dies, it takes 15 seconds to open your router interface and reset to the ISP DNS. Work smart, not hard.

              • By 10729287 2025-02-19 18:38

                I dare you to tell my wife how easy it is. I still remember OpenDNS being blocked in France the exact day I went on a business trip and me not anticipating it (I didn't remember it was set in pi-hole).

        • By weirdkid 2025-02-19 0:43

          But you don’t have to run pi-hole on a pi. I run it in an Ubuntu Linux container on my Proxmox server.

        • By LeoPanthera 2025-02-18 21:15, 1 reply

          I run AdGuard Home on the same device as my router, so anything that would take it down would also take down the entire router anyway.

      • By vosper 2025-02-18 20:17

        Yeah +1 for NextDNS. It's so easy to set up and manage, and works really well.

      • By pixxel 2025-02-19 7:29

        [dead]

    • By brynx97 2025-02-18 20:26

      DoH is possible on pihole using cloudflared: https://docs.pi-hole.net/guides/dns/cloudflared/

      > The cloudflared binary will also work with other DoH providers.

    • By 2OEH8eoCRo0 2025-02-18 20:13, 4 replies

      I love AdGuard Home but the single binary container from a Russian company makes me nervous. I may move to building it myself. Is this criticism unfair?

      • By sunaookami 2025-02-18 20:27, 2 replies

        >Is this criticism unfair?

        Yes because you judge people by the country they live in. AdGuard has made their stance clear if something like this is important to you: https://www.reddit.com/r/Adguard/comments/t15gr4/announcemen... & https://adguard.com/en/blog/official-response-to-setapp.html

        • By sfRattan 2025-02-18 23:51

          > Yes because you judge people by the country they live in.

          This is an extremely uncharitable reading of the preceding comment. The comment is clearly concerned about the national jurisdiction from which the AdGuard binary originates, not the national origin of a human.

          American government initiatives against Huawei telecom hardware at critical junctures aren't making a personal statement about Chinese individuals. European regulatory skepticism of American-located cloud services isn't a personal statement about American individuals. Russia and China requiring the on-shoring of data-centers doing business in their internal economies aren't making personal statements about foreigners by doing so.

          Whether or not you hold all those governments as roughly equal, none of them mistrusting each others' jurisdictions is "judging people by the country they live in." It is judging the trustworthiness of the governments of those countries. And the people in those countries are inevitably subject to the jurisdictions of the governments that rule them.

          If someone actually attacks people on the basis of national origin, have at it, but please don't browbeat individuals for making common-sense risk assessments.

        • By 2OEH8eoCRo0 2025-02-18 20:28

          I actually didn't know this. Thanks!

      • By seemaze 2025-02-18 20:30

        I built it myself for a while but as I mentioned elsewhere, it's now being packaged in the Alpine Linux testing branch. That makes a container image an 'apk add' away. Whether you trust Alpine Linux more or less than the AdGuard Home team is up to you.

      • By LeoPanthera 2025-02-18 20:26

        Given that the whole thing is open source and it is possible to build it yourself, I'm willing to give them the benefit of the doubt.

        Not that it means all that much, but AdGuard is headquartered in Cyprus, for what it's worth.

      • By skotobaza 2025-02-18 20:19, 2 replies

        > Is this criticism unfair?

        Only if you don't trust only Russians and no one else.

        • By 2OEH8eoCRo0 2025-02-18 20:26, 2 replies

          I don't trust Iran, North Korea, or China either. It's not hard, I'm an American and it's 2025. These are our adversaries (I didn't choose them) who currently commit cybercrimes against us. Hopefully in 2035 that won't be the case and we can all sing kumbaya.

          • By h4ck_th3_pl4n3t 2025-02-18 22:51, 1 reply

            I hope that you at some point will understand that these are minorities among a huge population that you are talking about.

            It sounds like you think that every butcher, barber, dancer, teacher, software dev etc in China is just thinking of how they can hack the US.

            Guess what: that's the image propagated by propaganda and very far from the actual truth.

            If you don't trust people, study their code and form an opinion about it.

            • By theatomheart 2025-02-19 0:46, 2 replies

              This seems like woefully naive virtue-signaling to me. I geo-block all traffic from Iran, N Korea, China and Russia specifically at my clients' firewalls because I have watched the logs and could clearly see IPs from each of these countries attempt connections to American businesses every minute of every day. Try to single out the offending IP and tomorrow it moves to another; you will spend the rest of your days adding to that block list. It is perfectly sensible to block the country entirely; and better yet - as I've made a standard for my clients - block the entire world, and only allow specific countries to talk to your firewall. Then you can add more granular blocks on top of this. If something gets blocked that shouldn't, that's not painful to adjust. I have no doubt there are many fine people in Russia, but that doesn't mean there's a single computer in Russia that has any business talking to mine.

              • By skotobaza 2025-02-19 8:01, 1 reply

                The question is why those specific countries? Do you just assume that all connections made from, say, Netherlands, are safe by default?

                • By theshrike79 2025-02-19 11:49, 1 reply

                  Basic statistics. The chance of someone from Netherlands being a state-level hacker is a lot smaller than someone from a Russian IP.

                  • By skotobaza 2025-02-19 14:50, 1 reply

                    Logically, if Russians wanted to infiltrate your organization, they wouldn't do it from Russian IPs directly, but instead from cheap proxies, and those proxies are abundant in the Netherlands or Germany.

                    • By CheBuzz 2025-02-20 17:13, 1 reply

                      And yet experience shows that GP is correct. The vast majority of malicious traffic originates from those countries, IME.

                      • By skotobaza 2025-02-20 20:24

                        Only stuff like scanners and other basic stuff (that comes from devices that have been left unattended and without updates). But the actual malicious traffic is not that easy to spot, as it won't be routed directly.

              • By out-of-ideas 2025-02-19 1:31

                I used to do similar on gaming clans' forums; for local rationalized FPS we didn't want folks with 300+ ping, and country blocking was pretty easy (and folks on the forums were either spamming us with porn or trying to become a member). Though since it was forum-based I did allow GETs but restricted POSTs etc. vs straight up 0 access.

          • By skotobaza 2025-02-18 20:51, 1 reply

            But if the binary came from US even with some malicious code, it would be OK simply because the origin is different?

            • By ziddoap 2025-02-18 21:22

              >with some malicious code

              Obviously not.

    • By roger_ 2025-02-18 19:54

      I moved to AGH a while ago too.

      Is there anything in Pi-Hole v6 that would make someone switch back?

    • By zzyzxd 2025-02-19 17:39

      And it's much easier to customize.

      - I run it in Kubernetes with multiple replicas behind a load balancer for high availability.

      - A companion iOS shortcut for family members to temporarily pause protection on all replicas for online shopping.

      - Configuration as code, which gets mounted as a secret.

      - Query logs from all replicas forwarded to loki for visualization and performance review.

    • By nocchedure 2025-02-19 0:00

      Pet peeve: I wish there was an (easy) way of installing AdGuard directly on my Dream Machine.

    • By febrianrendak 2025-02-21 2:10

      I don't know why but AdGuard often just freezes and needs to be restarted. Maybe because my device is old enough (Pi 1). But Pihole + cloudflared run flawlessly.

    • By mattrighetti 2025-02-19 17:47

      Switched to AGH too a few years ago because from time to time pi-hole would get stuck upon unplanned reboots of the Raspberry Pis on which I had it installed.

    • By lawn 2025-02-18 19:10, 1 reply

      I even run AdGuard Home on my router that runs OPNsense.

      • By samplatt 2025-02-19 2:46, 2 replies

        What routers are compatible with OPNsense? Or does it need a full-blown server/container?

        Been happy with my pihole for a few years, and this thread is full of new information for me.

        • By gh02t 2025-02-19 5:38, 1 reply

          OPNsense is not like OpenWRT, it targets running on relatively powerful generic x86 hardware. Intel CPUs and networking hardware usually work best because of driver support on BSD, but it will work on others. I say "relatively" because even low power old embedded CPUs are more than enough to route at a gigabit or more with lots of firewall rules and services running. OPNsense's cousin pfSense also has some support for ARM, but that version is only really available on their commercially supported hardware.

          Most people either buy a generic box that can be had for ~$250, or recycle an old PC and stick in a network card. You can also buy commercially supported hardware from OPNsense's or pfSense's parent companies, though the value proposition isn't worth it for home users IMO as you will pay a steep premium versus loading up something yourself.

          • By samplatt 2025-02-19 6:33, 1 reply

            Thanks very much for that. Been thinking about converting an old server to a router + container host for a while.

            • By gh02t 2025-02-19 14:57

              Look on eBay for old 4 port Intel NICs, you can get them for very cheap and they work forever. Beware OPNsense and pfSense are based on BSD and you're really not supposed to touch the underlying OS by design anyway, so you will need to virtualize if you also want to host containers alongside.

        • By lawn 2025-02-19 7:23

          I bought my router from this site: https://teklager.se/en/products/routers/

          They have some guides and stuff that explain the hardware requirements that might be helpful for you.

  • By Mossy9 2025-02-18 18:36, 1 reply

    Pi-hole is such a great tool. I've been running it for a few years on a Raspberry Pi Zero, and am constantly astonished by the sheer amount of cruft it blocks for me.

    Congratulations to the team for the release - happy to support you via Patreon!

    • By hk1337 2025-02-18 19:41, 2 replies

      Many times I have clicked an article link on Reddit where everyone in the post comments complains that the site is so riddled with ads it is unreadable, and all I see is the article with a lot of whitespace.

      • By martin_a 2025-02-18 21:46

        IT department does not like that, but I had them install Firefox on the machines of my team, so we can install uBlock Origin. People are _amazed_ how the internet looks without ads.

      • By ed_mercer 2025-02-19 0:40, 2 replies

        Can’t you just use uBlock for this?

        • By saltymug76 2025-02-19 0:52, 1 reply

          Pihole catches a lot of the trackers and crap coming out of my Android TV. On my PC I see it as an extra line of defense after uBlock.

          • By mistyvales 2025-02-19 2:22, 2 replies

            Hulu stopped working properly on my Shield after using Pi-Hole, so I guess it was working?

            • By saltymug76 2025-02-20 3:01

              On the Pi-hole subreddit there's a wiki with lists of domains you can whitelist for certain services. I had to whitelist something for Xbox Live to work.

            • By dmajor2 2025-02-19 14:38

              Yeah, even the paid (non-ad) Hulu has trouble if you block its telemetry servers.

        • By alimbada 2025-02-19 10:57

          You can't use uBlock everywhere, e.g. phones, tablets, TVs.

HackerNews