Any Pi-Hole Gurus Out There?

I run my own instance of Pi-Hole on a RaspPi and have the devices I run YouTube videos on pointing at that as primary DNS.

My workstation shuts down adverts perfectly in less than a second, but my Samsung “Smart” TV plays them uninterrupted. Both are wired to the same switch with static IPs and the RaspPi as primary DNS.

I’ve tested the same video on both and seen the TV play the same ad that was blocked on the PC.

Looking to understand why the PC works but the TV does not, as I watch way more vids on the TV.

Can you redirect all outgoing DNS traffic to your Pi-Hole by creating a rule in your firewall? It might just be that your Smart TV goes to a different DNS server; that’s quite common with that kind of device.


Look in the Pi-hole logs to see if the TV is actually using this DNS.

If your TV allows you to set its DNS manually, set it to your DNS.

If you have a router/firewall centrally at the LAN/WAN junction, block outgoing UDP 53 traffic there for the TV or the entire LAN.

If you have a router/firewall that supports DHCP for the LAN, set your DNS there for broadcasting. Or use Pi-hole DHCP if you don’t have another machine.

The rule is quite simple: don’t let the TV communicate with any DNS server outside your Pi-hole.

A bigger problem is then if the TV uses DNS over HTTPS, i.e. TCP 443; here blocking traffic is usually not enough, because you will not have access to the web.

Also remember that Pi-hole is not able to block YouTube ads in the video stream.
Pi-hole blocks at the DNS level; unfortunately you need something more to block ads in the stream, which on a PC will usually be uBlock Origin or something similar.

So make sure that the difference in blocking between the TV and the PC is not because you have something extra on your PC to block ads.
Blocking ads in a YouTube video stream on a TV will be very difficult, if not impossible.

Unfortunately, there are guides and claims on the web that falsely claim that Pi-hole or other DNS-level solutions block all ads on YouTube. They don’t: ads on the page, yes, but not in the player.

I also use Pi-hole, and as soon as I turn off uBlock Origin I start seeing ads on YouTube. There is simply no way to block these specific ads in this specific place from the DNS level.

Pi-hole works by blocking domain names; more precisely, when a domain is blacklisted Pi-hole returns 0.0.0.0 instead of the real IP. Then there is no connection.

The problem is that YouTube does not use any dedicated domains for advertising. The ads are part of the data sent in the video stream, which is processed by the player, so no filtering at the DNS level will do anything. But you can do it locally, i.e. on a PC with the help of an appropriate browser add-on, or on Android even using NewPipe, but here too there are restrictions: 18+ and live videos do not work in NewPipe at the moment.
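One way to do the log check suggested above, as an added example that is not from this thread: parse the dnsmasq-style lines Pi-hole writes to pihole.log and see whether the TV's IP ever shows up as a querier. The log lines below are constructed, and the two client addresses are assumptions.

```python
import re
from collections import defaultdict

# Pi-hole writes dnsmasq-style lines to pihole.log (path varies by version).
# Two line shapes matter for this check:
#   ... dnsmasq[PID]: query[A] host from CLIENT_IP
#   ... dnsmasq[PID]: gravity blocked host is 0.0.0.0
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (?P<host>\S+) from (?P<client>\S+)")
BLOCKED_RE = re.compile(r"gravity blocked (?P<host>\S+) is \S+")


def summarize(lines):
    """Return {client_ip: {"queries": n, "blocked": n, "hosts": set()}}.
    A 'gravity blocked' line carries no client address, so it is credited to
    the client that most recently asked for that host (good enough for a spot check)."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "hosts": set()})
    last_client_for = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            client, host = m.group("client"), m.group("host")
            stats[client]["queries"] += 1
            stats[client]["hosts"].add(host)
            last_client_for[host] = client
            continue
        m = BLOCKED_RE.search(line)
        if m and m.group("host") in last_client_for:
            stats[last_client_for[m.group("host")]]["blocked"] += 1
    return dict(stats)


def client_uses_pihole(lines, client_ip):
    """True if client_ip ever queried the Pi-hole. If False, the device resolves
    elsewhere (own DNS setting, DoH/DoT, ...) and no Pi-hole blocklist can touch it."""
    return client_ip in summarize(lines)


# Constructed sample log: the PC (192.168.1.10) resolves through the Pi-hole,
# the TV (192.168.1.20) never shows up because it resolves elsewhere.
SAMPLE_LOG = """\
Jan 10 20:01:02 dnsmasq[812]: query[A] www.youtube.com from 192.168.1.10
Jan 10 20:01:02 dnsmasq[812]: forwarded www.youtube.com to 203.0.113.1
Jan 10 20:01:03 dnsmasq[812]: query[A] ads.example.net from 192.168.1.10
Jan 10 20:01:03 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jan 10 20:01:05 dnsmasq[812]: query[AAAA] www.youtube.com from 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.20"):
        print(ip, "uses Pi-hole:", client_uses_pihole(SAMPLE_LOG, ip))
```

On a real box, replace SAMPLE_LOG with the lines of your pihole.log; a TV that never appears is not using the Pi-hole at all, regardless of its blocklists.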

@PhaseLockedLoop

The TV is likely using a DoT or DoH tunnel. If it’s DoH, you’re not gonna have a lot of luck.

If it’s DoT, try blocking port 853 traffic to and from the TV. Then redirect all port 53 packets to your Pi-hole.

Then, for safe measure, block all the URL lookups to known DNS services.

See if that helps?

To be completely honest, smart TV ads are very, very difficult to block. Google and Amazon have both taken to serving ads through the top domain now. As in, YT ads are served through the very same URL that streams the video you want. It’s a way around DNS-based blocking of ads.

Thanks


I’m not up to date with smart TVs, but I doubt that the TV would use DoH/DoT, although of course it may be, but… Pi-Hole just won’t block these ads on YouTube, and it’s always been like that. :wink:

And such materials are misleading people! :wink:
https://www.youtube.com/watch?v=KBXTnrD_Zs4


It’s possible that Pi-Hole does not block ads (e.g. because Google bypasses the DNS for a reason). This would explain why they play on the TV.

Someone who runs Pi-Hole often also uses browser extensions for filtering. Are you? This might explain why ads don’t run on the PC.


As pointed out, the Tizen-based YouTube app may not necessarily make use of the default name servers (DNS) offered by DHCP. Given the nature of Tizen you can pretty much give up on finding an alternative player, but practically I’m not sure why you even bother, because it’s really sluggish to use even on recent high-end models. You can in theory use Piped ( https://piped.kavin.rocks/ ), but I have a vague memory of the browser being very limited on Tizen (and slow). Pick up some Android device and use NewPipe, or run Open/LibreELEC and use the Kodi remote on a phone (a very easy way to control YT etc.), and you’ll have a much nicer experience.


Lol, my sweet summer child. Android apps can do it easily inside themselves. It’s not hard to make a resolver and package it into an app :joy:. Hell, it can easily be done with Flutter (flutter.dev). DNS tunnels are something you could easily implement. If I was nefarious enough, I could literally write a seemingly normal app, point it to a non-standard port with DNS over TLS elsewhere, and have a built-in resolver bypassing network consent altogether.

This is possible, but Google doesn’t usually have a habit of doing this. They simply go for the easier solution: route an ad directly through YouTube.com instead of s.youtube.com, xyz.googlevideo.com or Google user content URLs.

It’s really, really, really easy for anyone, if they tried hard enough, to completely make Pi-hole ineffective. It’s just one of the fundamental flaws of the DNS ad-block method, and ultimately there is no one-size-fits-all solution :wink:

This is very true too. Samsung smart TVs run Tizen, and they have the option to override the DNS provided by the network.

This can be overcome by redirecting all port 53 traffic to your Pi-hole. I’ve done that and it works okay. Some things will still always get through.

When something acts weird, crack open Wireshark and do some packet intercepts. I wouldn’t put it past smart TV manufacturers to implement some weird DNS tunneling just to collect that extra level of sweet, sweet data on their users.
Then publish the defeats here. :slight_smile:

All DNS-based ad block (Pi-hole included) cannot block YouTube ads.

Your PC saw it blocked, maybe due to something else.

Sometimes I wish I was, unfortunately I’ve been to too many places and seen too many things.

I am fully aware of the above; I have an application myself that uses DoH to bypass locally blocked addresses for telemetry.

I’m just saying that it doesn’t always have to be the fault of DoH, and often it is the limitation of Pi-hole.

If OP’s TV uses DoH/DoT it’s easy to check, but it doesn’t change the fact about Pi-hole’s limitations and how YouTube serves ads. :wink:

P.S.
You’re overthinking! :wink:
OP probably uses a common TV with the YouTube app. :wink:

P.S. 2
Running DoT through other ports on a properly configured and managed network won’t do much. Only if you send it on TCP port 443, at my place; otherwise you just won’t get out, because everything is blocked. :wink:


This is true, and while I don’t want to muck up this thread, I think anyone running a DNS server should understand this video and the point of view of keeping the existing system simple. You see, simple is genius. Complex is still a simple system, but making it complicated (like DoH does) is just poor design.

It’s worth the watch. He is currently the VP of security at Amazon AWS and has massive contributions to the DNS system architecture as a whole. Incredibly knowledgeable individual. I agree with almost all of his points. DNS over HTTPS is a terrible direction to go. It has a ton of fundamental flaws. It still needs basic DNS to actually work. DNS over TLS is superfluous but valuable to those dealing with high chances of MITM and URLs that don’t have DNSSEC.

I use Google TV. I did the paranoid venture of de-Googling at one point. Got tired of it; it wasn’t worth it and it did not fit my situation at all.

As for YouTube ads, I don’t deal with them any longer, as I have YT Premium for 3 years as a deal with my Pixel 6 Pro.

But yeah, the OP is going to have to find the best solution for himself on the TV. A lot of trial and error, but hey, it’s a learning experience!

That is indeed the port I would use :joy: I’m familiar with bypassing firewalls. It just takes finesse, and I do not like doing it nor encouraging it, as in my view you are bypassing the network owner’s consent and you ideally should not have to do that.

I wish the OP luck, but YT ads are very stubborn.

That’s right, we’re starting to go off-topic, but on the other hand a bit of healthy discussion has never hurt anyone, and maybe one day someone will read it and learn something new. :wink:

Discussion about blocking traffic as well as DNS should start primarily with the assumptions of a given network and the user’s needs. Otherwise, we’re chasing a bunny…

I configure my private network differently than my work network.
It all depends on the concept and needs. I don’t waste time redirecting UDP 53 traffic to my DNS. I block it, and either the device allows manual setting or honors what DHCP says about DNS… otherwise GTFO with something like this from my network. :wink:

Another thing is that I start controlling network traffic already at the endpoint. If only the device has an OS where I can set a firewall, I run it and control it per application, per device; only at the end is there a firewall on the gateway.

Before anything touches the rules on the gateway against TCP 443, it must first be able to access TCP 443 through the local firewall, where traffic is usually limited per application/system service and specific protocol, port and destination IP.
For example, on some Windows machine, let’s try to establish communication over TCP 443: here it must have a rule that allows this particular process to do this traffic. If there is no rule, the traffic will not go through, even though centrally TCP 443 is open.

Of course, this is not an option in the case of a TV, where we do not have the freedom to operate with a firewall. The problem is the very fact of using a smart TV, which is evil in itself.

You can also block known DoH/DoT servers… but that doesn’t affect the OP’s case too much. :wink:

You can of course play around with deep packet inspection for TCP 443 to identify smuggled DNS traffic. Theoretically possible; there are known cases where DPI can even handle Tor or OpenVPN masked traffic. But here we are already in deep water. :wink:
Theoretically, we could try to implement port knocking/single-packet authentication to tell legitimate TCP 443 traffic from hostile traffic. But that already requires some deep digging… to limit your hostile DNS payload via TCP 443 :wink:

And the conclusion, keeping it simple, is that Pi-hole can’t handle ads on YouTube, even if the TV 100% uses this DNS. :slight_smile:

Others have already suggested an alternative approach instead of using the smart TV directly. :wink:


Bizarre and Unusual Uses of DNS
Rule 53: If you can think of it, someone’s done it in the DNS