I’ve had pihole setup on my ubuntu server for some time now and have grown to enjoy its features. Especially on my phone and other non PC devices where blocking ads is either tough to implement or not possible on that device.
I would like to set it up to work on my phone or even my work desktop but I’m unsure if this is a good idea. I have a few questions.
Is it as simple as forwarding the DNS port on my router and pointing my phones DNS to my public IP?
Is there any security concern? Could I potentially be opening up my local networks topology to anyone with the skillset to do it?
If so is there a way to lock this down?
I dont want to use a VPN to a home machine since my upload is garbage.
There are certainly security concerns if you expose the web admin UI. Answer is to just not do that. Exposing 53 should be fine.
Main problem is there’s no way to change the DNS on your phone without root while on cellular data until Android Pie. And of course it’s impossible on iOS period without a jailbreak. All the various apps that say they do it use a local VPN, which is hacky as hell.
I honestly wouldn’t bother opening up your pihole to the internet. Switch to adguard DNS instead.
Be careful as Chrome recently switched to an internal DNS that bypasses any DNS you’re using. You have to explicitly turn it off. Chromecasts may have updated to use an internal DNS too, so you may have to strictly redirect the DNS for some devices.
MS also uses a hardened hosts file in Windows 10 for stuff like Skype ads and other ads in some of their apps.
Do you have references to that “hardened” windows hosts file? First I heard of it.
Some apps do use their own hardcoded DNS. To fix that you need to setup an IP masquerade and redirect external queries to 53 to your pihole. It isn’t very difficult to do via firewall rules, but unless you run pfsense or such you will likely need to SSH into your router and build custom scripts.
It doesnt really affect me because I dont use their start menu or any of their programs that would serve me ads. Telemetry is a different story but I have trimmed it down as far as it will let me. I would have to change my router setup to truly block it all as you suggested.
The only problem I have with adguard is there is no control over what is and isnt blocked. I have no idea what they control. I’m sure they block stuff that is in my best interest but I dont like the idea of not knowing for sure. The paid version probably has mitigation for my concerns but I dont have plans to pay for the service at this time.
The impact on the battery is minimal (I’ve had it running all day and it’s on 0.05% battery usage) as the VPN is only active for dns requests. I use it, when I used to have a rooted phone I could change the dns server but it was a pain and was unreliable. Dns66 works really well and is the easiest way to do what you want to do.