uBlock Origin + Pihole. uBlock covers just about everything on your PC, but I mainly use Pihole for mobile devices and as a "catch-all net".
I'm running unbound. I have a cronjob (bash+python) that downloads StevenBlack's blacklist (https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts), turns it into an unbound config file, and restarts unbound.
Happy to provide a copy if anyone is interested.
Some script that parses blocklists into unbound local-data statements, combined with cron and unbound-control
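The two comments above describe the same pipeline (download a hosts-format list, turn it into unbound statements, reload unbound) without showing it. Below is an added example of that conversion written for this page; it is not the script either commenter runs. It assumes the StevenBlack list's hosts-file layout (sink address followed by one or more names, `#` comments) and unbound's `local-zone: "<name>." always_nxdomain` syntax; the sample input is constructed, not an excerpt of the real list. Beyond the plain conversion it skips the `localhost`-style entries every hosts file carries, rejects names that would make unbound refuse the whole file, and drops subdomains whose parent zone is already blocked, since a `local-zone` covers everything beneath it.

```python
"""hosts2unbound.py: hosts-format blocklist -> unbound local-zone fragment.
Added example for this thread, not the poster's cron script."""
import re
import sys
from typing import Iterable

# Addresses a hosts-format blocklist uses as a sink; any other address is a
# real host mapping and is not a block entry.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1", "255.255.255.255"}

# Names every hosts file carries that must never become a blocked zone.
SKIP_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost", "0.0.0.0",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# One DNS label: 1-63 chars, no leading/trailing hyphen (underscore tolerated,
# since some blocklists carry names that are not strict hostnames).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def valid_name(name: str) -> bool:
    """Reject junk that would make unbound refuse the whole config file."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text: str) -> set[str]:
    """Return the set of names a hosts-format blocklist sinks."""
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, trailing or whole-line
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRESSES:
            continue  # a real mapping (e.g. a NAS), not a block entry
        for name in names:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or not valid_name(name):
                continue
            blocked.add(name)
    return blocked


def prune_subdomains(names: set[str]) -> set[str]:
    """Drop names whose parent is already blocked: a local-zone covers children."""
    keep: set[str] = set()
    for name in sorted(names, key=lambda n: n.count(".")):  # parents first
        parts = name.split(".")
        parents = (".".join(parts[i:]) for i in range(1, len(parts)))
        if any(p in keep for p in parents):
            continue
        keep.add(name)
    return keep


def to_unbound(names: Iterable[str]) -> str:
    """Render the names as an unbound 'server:' fragment, one local-zone each."""
    lines = ["server:"]
    for name in sorted(names):
        # always_nxdomain answers NXDOMAIN for the zone and everything under it;
        # newer unbound also offers always_null to hand back 0.0.0.0/:: instead.
        lines.append(f'    local-zone: "{name}." always_nxdomain')
    return "\n".join(lines) + "\n"


def convert(hosts_text: str) -> str:
    """Full pipeline: parse, prune covered subdomains, render."""
    return to_unbound(prune_subdomains(parse_hosts(hosts_text)))


# Constructed sample in the StevenBlack/hosts layout, not a real list excerpt.
SAMPLE_HOSTS = """\
# Title: constructed sample
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # trailing comment
0.0.0.0 example.com
0.0.0.0 Bad_Host..example.org
192.168.1.10 nas.home
"""

if __name__ == "__main__":
    # Usage: python hosts2unbound.py hosts.txt > blocklist.conf
    # (falls back to the constructed sample when no file is given).
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    sys.stdout.write(convert(src))
```

Wire the output in with an `include:` line in `unbound.conf` and run `unbound-checkconf` before `unbound-control reload`; a bad list then fails the check instead of taking the resolver down, and a reload keeps the cache warm where a restart throws it away.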
At home I'm in the process of moving from Pihole to pfBlockerNG for DNS blocking. On all my machines (including my phone) I use Firefox with uBlock Origin.
unbound adblock is what I'm using. Hand it a couple of Pihole lists and it does the same thing without the fancy GUI.
This is still only locally like Pihole though right?
Correct*, unless you VPN home. Please don't run a publicly accessible DNS server. It's going to get used in a DNS amplification attack.
*And even then only for devices that use your DNS server. Many IoT devices have hard-coded DNS servers to use. And with DNS-over-HTTPS (DoH) they will get pretty close to unblockable.
What is a publicly accessible DNS server? Would something like NextDNS count as that?
I just use AdGuard Home. For me it works better than PiHole and runs natively on my OPNsense box.
I just use basic DNS ad/scam/spam/etc. blocking, via Technitium.
I mostly rely on uBlock/SponsorBlock, as they are much more effective and tend to "break" less of the internet.
DNS block-lists tend to take a nuke-from-orbit approach while not being nearly as effective as you would want (for example, it's not going to effectively hide most YouTube ads, Facebook ads, etc.), while uBlock is extremely effective at the task.
Just PiHole and then VPN with split tunnel so that only DNS is using home one.
I’ve heard of using Wireguard for VPN when away from my local network. How does performance get impacted with something like that?
You can set up WireGuard to only route local addresses to the peer, so you would only be routing dns requests through the tunnel and everything else goes via whatever other interface you have. So performance is minimally impacted in that way.
I use DNS blocking as add-ons are not really a thing on all mobile devices, but I also roll out uBlock Origin via GPO on Windows as it can better target scripts instead of blocking whole domains and is most of the time able to block detection scripts. The best of both worlds, I guess.
In any case, if you want to filter your traffic when you're away (be it with a network ad blocker or a proxy server) you will need to have a way to connect to said server.
Local browser extensions only detect what has been shipped to the browser by the web server, which is why they work at home or on mobile data, all the processing is done locally on the device.
A filtering DNS server, or a proxy server, will position itself between the web server you're trying to join and your device, and take out the ads and tracking. But to be able to use that server, it needs to be on the same network as your device. It's all good when you're at home, but when you're away, suddenly you two are separate. Hence the need for a VPN to connect your phone back to your home network.
You could make it public-facing, but that's pretty much the worst thing you could do, security-wise. There are so many automated threats that actively try every waking minute of the day to get into an insecure home network to find something of value, or to lay a time bomb that will allow them to do more, that you don't want to mess with that. For real. Don't mess with public-facing services.
Does connecting my phone to my home network via VPN when away from home impact speed?
Yes. It will hit your speed. How much? No idea, but it will.
It's actually quite easy to automatically let the VPN turn on or off depending on whether you're home or not.
I personally use WireGuard for this. On my wife's iPhone there's a setting in the WireGuard app that automatically disconnects the VPN when connected to a specified SSID and reconnects the VPN when disconnected from that SSID. On my Android I use the Tasker app to get the same functionality. I used this guide to set it up: https://hndrk.blog/tutorial-wireguard-and-tasker/
I haven't set up DNS ad blocking yet, but this is exactly the use case I've come up with for this setup; that, and always having our phones on the home network for self-hosted services is great.
Hope this is the solution that you're looking for :)
I started with unbound DNS blacklists and then moved to AdGuard Home. DNS-based blocking is just easier and covers the whole LAN, IMO; I didn't want to deal with various extensions on all my machines/devices.
It's still not bulletproof, but it's good enough for me. While you don't need a VPN, I run one so my phone is on it while away from home. That was twofold: DNS-based blocking, and screw my cell carrier getting to snoop. Well, and of course I wanted to learn how to set up a VPN server 😁
Cellular is a completely different network, so there is no solution unless you owned a cell tower and did it from that. Literally impossible by design for cellular; stick to extensions!!! I wouldn't VPN just for no ads, but would use a local ad blocker on my network.
Adguard home
Made an entire video about how to do this with your pihole and unbound.
I look after two AdGuard Home installations.
One is local, running on a super-tiny PC (Intel Atom x5, 4 GB RAM, 64 GB eMMC, Debian 12, and I see no reason why AGH wouldn't run just as well on a 2 / 32 GB version of that PC). The average handling time for a DNS request is 30 ms. You could easily do something similar in a Proxmox container, give it a local IP address, and have your router use it as the DNS server instead of whatever it's using now.
The other is in the cloud, running on a virtual server with 1 GB RAM. The average handling time for a DNS request is 10 ms.
My firewall (opnsense) does this... With very little configuration. Using UnboundDNS with its block list features makes filtering most ads out rather easy.
I can't use any of this stuff, my ISP router is so shit that changing the DNS to Cloudflare or Google's breaks my internet =|
I use AdGuard Home, in a Linode instance, and point my pfsense box to it.
Technitium with block lists + OPNSense ZenArmor as a NGFW. Doesn't block everything, but still as good as you're going to get.
AGH on a Raspberry Pi. Super fast with caching and other settings enabled.
Pihole v6 Beta (and I have a fallback to v5). Runs together with unbound in recursive mode. Super slick and fast!
I have multiple layers of ad blocking.
- Pihole for DNS
- Firefox w/uBlock Origin & SponsorBlock (YouTube) on every PC
- Brave browser on iPhones.
- SmartTubeNext (YouTube) on Chromecast
- All of my mobile devices are connected by VPN to utilize Pihole when I’m not home
If you're on android you can use tasker to automatically connect to VPN when not at home
AdGuard + uBlock Origin pretty much does it for me.