Pihole everywhere you go?

I’ve had Pi-hole set up on my Ubuntu server for some time now and have grown to enjoy its features. Especially on my phone and other non-PC devices, where blocking ads is either tough to implement or not possible on that device.

I would like to set it up to work on my phone or even my work desktop but I’m unsure if this is a good idea. I have a few questions.

  • Is it as simple as forwarding the DNS port on my router and pointing my phone’s DNS to my public IP?

  • Is there any security concern? Could I potentially be opening up my local network’s topology to anyone with the skillset to do it?

  • If so, is there a way to lock this down?

I don’t want to use a VPN to a home machine since my upload is garbage.

There are certainly security concerns if you expose the web admin UI. Answer is to just not do that. Exposing 53 should be fine.

Main problem is there’s no way to change the DNS on your phone without root while on cellular data until Android Pie. And of course it’s impossible on iOS period without a jailbreak. All the various apps that say they do it use a local VPN, which is hacky as hell.

I honestly wouldn’t bother opening up your pihole to the internet. Switch to adguard DNS instead.

https://adguard.com/en/adguard-dns/overview.html

1 Like

Be careful as Chrome recently switched to an internal DNS that bypasses any DNS you’re using. You have to explicitly turn it off. Chromecasts may have updated to use an internal DNS too, so you may have to strictly redirect the DNS for some devices.

MS also uses a hardened hosts file in Windows 10 for stuff like Skype ads and other ads in some of their apps.

Do you have references to that “hardened” windows hosts file? First I heard of it.

Some apps do use their own hardcoded DNS. To fix that you need to set up an IP masquerade and redirect external queries to 53 to your pihole. It isn’t very difficult to do via firewall rules, but unless you run pfSense or such you will likely need to SSH into your router and build custom scripts.

I still use uBlock in Chrome because it hides the elements where the ads were. As for Chromecasts, I haven’t had an ad through them yet; only time will tell.

These are the hardcoded DNS domain names that will resolve to their proper IP addresses regardless of what you put into the HOSTS file:

www.msdn.com
msdn.com
www.msn.com
msn.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
microsoftupdate.microsoft.com
wustats.microsoft.com
support.microsoft.com
www.microsoft.com
microsoft.com
update.microsoft.com
download.microsoft.com
microsoftupdate.com
windowsupdate.com
windowsupdate.microsoft.com

These FQDNs are hardcoded in the following DLL:

%WINDIR%\system32\dnsapi.dll

It doesn’t really affect me because I don’t use their start menu or any of their programs that would serve me ads. Telemetry is a different story, but I have trimmed it down as far as it will let me. I would have to change my router setup to truly block it all as you suggested.

My google fu has failed me because I stumbled upon this:

Port 53 (DNS) is a dangerous one to forward because you could unwittingly become a zombie in a DNS reflection attack.

It would seem that without more knowledge of hardening my setup I could become part of something I would not want to be part of.

Pihole is a forwarding server, not recursive, unless you set it up that way. So it shouldn’t be a problem. But I agree, I wouldn’t bother when adguard DNS is a thing that exists.
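Whether Pi-hole forwards or recurses, what makes it usable as a reflector is answering queries that arrive from outside the LAN. As an added example (not from this thread), the script below parses dnsmasq-format `pihole.log` lines and flags external sources that send many queries or amplification-prone record types; the log sample, the LAN ranges and the threshold are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in Pi-hole's dnsmasq log format; not real traffic.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.10
Jan 12 10:00:01 dnsmasq[812]: forwarded example.com to 1.1.1.1
Jan 12 10:00:02 dnsmasq[812]: query[AAAA] example.com from 192.168.1.10
Jan 12 10:00:03 dnsmasq[812]: query[ANY] isc.org from 203.0.113.77
Jan 12 10:00:03 dnsmasq[812]: query[ANY] isc.org from 203.0.113.77
Jan 12 10:00:04 dnsmasq[812]: query[TXT] example.net from 203.0.113.77
Jan 12 10:00:05 dnsmasq[812]: query[A] msn.com from 198.51.100.5
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Hypothetical policy: which networks count as "ours" (RFC 1918) and which
# record types produce large answers and are favoured for amplification.
LAN_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def is_lan(src):
    """True for loopback or any address inside the configured LAN ranges."""
    ip = ipaddress.ip_address(src)
    return ip.is_loopback or any(ip in net for net in LAN_NETS)


def scan_log(text, max_external_queries=2):
    """Map each non-LAN source IP to the list of reasons it looks abusive."""
    counts = Counter()
    amplifying = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m or is_lan(m["src"]):
            continue  # not a query line, or a legitimate LAN client
        counts[m["src"]] += 1
        if m["qtype"] in AMPLIFYING_QTYPES:
            amplifying[m["src"]].add(m["qtype"])
    findings = {}
    for src, n in counts.items():
        reasons = []
        if n > max_external_queries:
            reasons.append(f"{n} queries from outside the LAN")
        if amplifying[src]:
            reasons.append("amplification-prone qtypes: " + ", ".join(sorted(amplifying[src])))
        findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in scan_log(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons) or "external query, below threshold")
```

Any external source appearing at all means port 53 is reachable from the internet; the rule hits just rank which ones deserve a firewall entry first.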

The only problem I have with AdGuard is there is no control over what is and isn’t blocked. I have no idea what they control. I’m sure they block stuff that is in my best interest, but I don’t like the idea of not knowing for sure. The paid version probably has mitigation for my concerns, but I don’t have plans to pay for the service at this time.

Yeah, I wouldn’t use it at home, but if I had an android phone that allowed me to control its DNS servers on cellular, I would use it when on the go. It really is nice blocking ads inside apps.

1 Like

I do have root, I’ll have to look into how easy it is. I would like to be able to switch it easily if not automatically.

Oh, in that case you want AdAway. It’s in F-Droid.

1 Like

Searching AdAway I found DNS66, which does the same as Pi-hole essentially, so I think you just inadvertently solved my problem. I can use the same lists as my Pi-hole with this app.

DNS66 uses a local VPN, which doesn’t require root but drains your battery. AdAway just replaces your hosts file, which requires root but has zero battery impact.

1 Like

The impact on the battery is minimal (I’ve had it running all day and it’s on 0.05% battery usage) as the VPN is only active for DNS requests. I use it; when I used to have a rooted phone I could change the DNS server, but it was a pain and was unreliable. DNS66 works really well and is the easiest way to do what you want to do.

1 Like

Personally I just VPN into my home network, solves all these issues as I have DNS forced to use my own resolver in pfSense.

I would probably do that if my upload at home wasn’t so garbage. 10 Mbps before any VPN overhead.

I know that feel…

but my upload is < 1Mb

1 Like