CharlesW 13 hours ago

Yes, or — if you're lazy like I am, and don't want to manage another device or container — use something like NextDNS, which has a very generous free plan and an extremely inexpensive yearly plan. Control D is a popular alternative with similar plans.

In the last 3 months, NextDNS has blocked nearly 9% of 10M DNS queries from devices in my household with no ill effects that I'm aware of. (I'm not affiliated with NextDNS in any way, other than as a satisfied paying customer.)

  • philips 13 hours ago

    Tailscale + NextDNS is a dream. One simple app to get me back to my self hosted services and block ads.

    https://tailscale.com/kb/1218/nextdns

    • noahjk 8 hours ago

      Not only can Tailscale directly integrate with NextDNS and therefore not require extra configuration on-device for DNS, but you can use Tailscale ACLs to assign different NextDNS profiles to different devices (for example, a parental control profile to a kid's device or an Apple TV, or an IoT profile, etc)

  • nik282000 12 hours ago

    They are a US based company, whether they say they log your data or not, they can be compelled to log your requests and not tell you about it.

    Regardless, they look like a good alternative for users who are unable to set up, or are prevented from using, a Pi-hole.

    • Alive-in-2025 12 hours ago

      Let's say you have internet from Comcast or your phone company in the US, aren't they able to be compelled to log your requests in the same way? Is there any internet access where you have actual privacy? I think not, unless you VPN somewhere, and then that other company could be doing it.

      But I'd love to hear your ideas.

      • ddtaylor 9 hours ago

        You can use an encrypted upstream DNS
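Added example (mine, not part of the thread above): what ddtaylor's "encrypted upstream DNS" looks like on the wire for DNS over HTTPS (RFC 8484). It builds a standard DNS query, puts it in a DoH GET URL, and parses a reply; the reply is constructed inline so the whole thing runs offline, and both the resolver URL and the 192.0.2.1 answer are placeholders. The point for the thread: the same bytes an ISP could read in plain port-53 DNS travel inside TLS here, so a passive observer sees only a connection to the resolver, and the privacy question moves to whoever runs that resolver.

```python
import base64
import struct
import urllib.request

# Placeholder resolver endpoint; NextDNS and the other providers publish real ones.
DOH_URL = "https://dns.example/dns-query"
MAX_POINTER_HOPS = 16   # guards against compression-pointer loops in hostile replies


def build_query(name, qtype=1):
    """Wire-format (RFC 1035) query for one question, an A record by default.
    ID 0 keeps the bytes identical for identical names, which RFC 8484
    recommends for the GET form so HTTP caches can serve repeated lookups."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(query, base=DOH_URL):
    """RFC 8484 GET form: the query goes in `?dns=`, base64url with padding stripped."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def doh_fetch(query, base=DOH_URL):
    """Send the query over HTTPS and return the raw wire-format reply (live network call)."""
    req = urllib.request.Request(doh_get_url(query, base),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def _read_name(buf, off):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, hops, end = [], 0, None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                          # name ends after the first pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_response(buf):
    """Return (rcode, [A-record addresses]) from a wire-format reply."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
        if not flags & 0x8000:
            raise ValueError("not a response")
        off = 12
        for _ in range(qd):                            # skip the echoed question
            _, off = _read_name(buf, off)
            off += 4
        answers = []
        for _ in range(an):
            _, off = _read_name(buf, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10
            rdata = buf[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:
                answers.append(".".join(str(b) for b in rdata))
        return flags & 0x000F, answers
    except (struct.error, IndexError):
        raise ValueError("truncated reply")


def constructed_reply(query):
    """A reply a resolver could send for build_query("example.com"): the question
    echoed, one A record whose name is a pointer back to offset 12. The address
    is from the RFC 5737 documentation range, i.e. made up for this example."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_response(constructed_reply(q)))        # (0, ['192.0.2.1'])
    # print(parse_response(doh_fetch(q)))              # live lookup, needs a real DOH_URL
```

The parser caps compression-pointer hops and rejects truncated packets before touching any field; that is the minimum you want in anything that parses answers from a resolver you do not control, encrypted transport or not.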

    • jedberg 12 hours ago

      > They are a US based company, whether they say they log your data or not, they can be compelled to log your requests and not tell you about it.

      If someone wanted your internet traffic, they wouldn't bother with NextDNS. They would just compel your internet provider to give it to them.

      This is not a real risk to using NextDNS.

      • oefrha 10 hours ago

        The good ol’ everyone on the Internet is American fallacy.

        • kube-system 10 hours ago

          The good ol' media talks about it happening in America so it must only happen in America fallacy. ISPs can be compelled to divulge data in most places around the world.

        • jedberg 10 hours ago

          This thread is specifically about the USA so I didn’t feel the need to clarify that I’m obviously only talking about the USA.

          • oefrha 8 hours ago

            The article isn’t specifically about the USA (the word “American” appeared once in “American English” when explaining the name Pi-hole). The CharlesW comment doesn’t mention the USA. The nik282000 comment says NextDNS is a U.S. company so the U.S. government will have access to the data; it never said it’s only a concern for American users. I don’t know where you got the idea that this thread is specifically about the USA. In fact, I assume the nik282000 comment is mostly for non-American users.

          • oliwarner 3 hours ago

            This thread is about the dangers of using a US-based service provider. People outside the US can use it.

      • benoau 12 hours ago

        I mean in theory this is absolutely correct and everyone everywhere will follow due process and the data will only become available at the individual level when a court affirms it is appropriate.

        As long as due process and checks and balances are respected, there's absolutely nothing to worry about lmfao.

        • jedberg 11 hours ago

          I think you missed my point. Your ISP already has your traffic, and is just as easy to compel as NextDNS. No one is going to NextDNS for your traffic, and even if they do, NextDNS doesn't have any information your ISP doesn't already have.

  • stavros 13 hours ago

    NextDNS's price of $20/year (or something like that) is the easiest purchase I've ever made.

    I still use uBlock origin, but like how NextDNS will block stuff from phones and other devices as well.

  • OneLeggedCat 13 hours ago

    Do you mean 90%?

    • thedanbob 12 hours ago

      9% is reasonable. I've got pretty strict filters on my home DNS and it's currently blocking 12%. I imagine that number would be much higher if I didn't have ad block extensions on all my browsers and IoT devices on a restricted VLAN.

    • CharlesW 13 hours ago

      Nope! NextDNS blocked 913,294 of 10,287,370 queries over the last 3 months. I'm sure the percentage would rise if I flipped on other options that they provide ("AI-Driven Threat Detection", "Block Newly Registered Domains", etc.), and I should probably revisit those.

      • Brajeshwar 10 hours ago

        Wow! I'm more intrigued by the fact that you did 10M queries in 3 months. I'm going to assume you're using a single profile for everything. I have separated machines/robots (that includes the TV), kids, and other profiles for business devices.

  • eth0up 10 hours ago

    Been using NextDNS on both droid and Linux and am really grateful for it. Coupled with uBlock, I can browse the tubes without having a seizure. I'm so satisfied with it that I fear someone will come along and prick my happy bubble, explaining why it's bad. But I might just look away.

    Nextdns is great

9x39 10 hours ago

Unfortunately, moving to DNS blocking could only be a brief refuge before the creeping anti-adblock efforts target it as well.

Adtech and the web are identifiable by mostly unique domains, but what if that could be hidden? What if the adtech industry builds and pushes a reverse proxy tech of sorts for page content inside the page, where the web server goes and loads 3rd party content for the page render before sending it to you? The theoretical result could make every request look like it comes from the domain you requested, and there's nothing to discriminate on when it comes to DNS requests.

Unrealistic? Today, maybe. Wait until DNS ad blocking goes mainstream, Manifest V2 add-ons are long since stamped out and Manifest V3 add-ons are proven to be gutted and defeated. If click-through rates are noticeably higher with some kind of anti-DNS-blocking proxy, we'll probably see proxies everywhere. What we'd do then for ad-block is beyond me.

  • userbinator 9 hours ago

    > we'll probably see proxies everywhere. What we'd do then for ad-block is beyond me.

    Filtering proxies on the other end. A lot of corporate networks already MITM all traffic so they can block, monitor, and rewrite; and ironically that has been much-maligned by those working for Big Browser, ostensibly for "security" reasons. Ditto for the DoH advocates.

    I've been running a filtering proxy on my network since the turn of the century. This was somewhat common in the past, then waned as browsers started growing extension functionality (one wonders if growing, and then now heavily restricting, extensions was a way to discourage proxying) but I suspect it'll become more popular in the future too.

    https://news.ycombinator.com/item?id=36824165

    https://news.ycombinator.com/item?id=36832736

    ...and the fact that TLS fingerprinting is now a thing, and you'll be easily considered a "bot" by many sites if you MITM your own traffic, shows what their real intentions are.

3eb7988a1663 10 hours ago

Note that when I tried PiHole years ago, travel/flight-booking sites frequently required exemptions in order to operate. Not sure if the filtering is finer grained now, but it is not entirely a risk free proposition to set this up for an entire household.

  • 000ooo000 10 hours ago

    FWIW the PiHole web UI and Flutterhole (Android app) have easily accessible 'disable for x mins' operations which can help for things like this.

    • 3eb7988a1663 10 hours ago

      The controls exist, but it is just one more "computer thing" to break for a non-techy audience.

      I thought about wiring up a physical button which would send the "disable for N minutes command" before I realized I was playing with too much fire.
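Added example, not from the thread: the "disable for N minutes" call that a physical button (or a shortcut on a family member's phone) would send, against the Pi-hole 6 (FTL) REST API. The endpoints (POST /api/auth, POST /api/dns/blocking with a timer, DELETE /api/auth) and the X-FTL-SID header are as I recall them from the API documentation; confirm them against /api/docs on your own instance before wiring anything to this. The base URL and password source are assumptions of the example.

```python
import json
import os
import urllib.request

# Both values are assumptions for this example: point them at your own instance,
# and prefer an application password issued by Pi-hole over the admin password.
PIHOLE = os.environ.get("PIHOLE_URL", "http://pi.hole")
PASSWORD = os.environ.get("PIHOLE_PASSWORD", "")


def blocking_request(enabled, seconds=None):
    """JSON body for POST /api/dns/blocking. `timer` is the number of seconds the
    new state lasts before FTL reverts it on its own; None makes it permanent."""
    if seconds is not None and seconds <= 0:
        raise ValueError("timer must be a positive number of seconds")
    return {"blocking": bool(enabled), "timer": seconds}


def _call(method, path, body=None, sid=None):
    """One JSON request to the FTL API; empty bodies (e.g. 204 on logout) become {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(PIHOLE + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if sid:
        req.add_header("X-FTL-SID", sid)      # session id obtained from /api/auth
    with urllib.request.urlopen(req, timeout=5) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def login(password=PASSWORD):
    """POST /api/auth -> session id. FTL caps concurrent sessions, so log out after use."""
    return _call("POST", "/api/auth", {"password": password})["session"]["sid"]


def pause_blocking(minutes=5, password=PASSWORD):
    """Disable blocking for `minutes`, the same thing the web UI's 'disable for x'
    button does. FTL re-enables blocking when the timer runs out even if the caller
    dies, so a flaky button cannot leave the network unfiltered."""
    sid = login(password)
    try:
        return _call("POST", "/api/dns/blocking",
                     blocking_request(False, minutes * 60), sid)
    finally:
        _call("DELETE", "/api/auth", sid=sid)   # release the session slot


if __name__ == "__main__":
    print(pause_blocking(minutes=5))
```

Keep the API on the LAN: unless the Pi-hole web server has TLS configured, the password crosses the wire in clear, so whatever hosts the button belongs on a trusted VLAN, and the timer (rather than a separate "re-enable" call) is what keeps a stuck button from turning into a permanent bypass.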

    • master_crab 10 hours ago

      There’s also an iOS remote app I have used - pi-hole remote. Works wonders to temp disable pihole

  • icelancer 9 hours ago

    Yeah, I can't use this and I'm surprised it doesn't come up more often.

  • udev4096 8 hours ago

    The default list is so small that I am inclined to believe you used an untested and unmaintained 3rd party block list. Use the lists from firebog.net and hagezi. They are well maintained and documented

udev4096 7 hours ago

Pi-hole shouldn't be recommended anymore. The recent breaking change pretty much broke everyone's instances, and also the downstream projects which have a plugin for Pi-hole. Plus, Pi-hole has far fewer configurable options and it's nothing more than a giant wrapper around dnsmasq. Instead, AdGuard Home seems to be more reliable and is highly configurable, with options to separate the DNS resolvers based on groups.

  • nunez 7 hours ago

    Agreed. AdGuard Home is much better overall.

kristianp 9 hours ago

My Chrome browser has just announced that uBlock Origin was turned off as it's no longer supported. Time to install another browser. Edit: actually uBlock Origin Lite has been recommended as an alternative.

  • from-nibly 8 hours ago

    It's not as good. Even ublock themselves point that out.

stavros 13 hours ago

This is infuriating. "This browser is shit, so here's how to install a program that makes this browser tolerable".

No! Stop using Chrome! There are other browsers you could (and should) use instead!

  • defrost 13 hours ago

    Not a great headline; the article's focus is on recent version improvements and entire-local-network "front of house" protection for all devices, all browsers, tablets, TVs, local data phones, etc.:

      Pi-Hole 6 appeared a few weeks ago. Since then, there have been a few small bug fixes and it's now up to version 6.0.5.
    
      The new release is lighter weight and has fewer external dependencies: it no longer needs PHP or an external web server. If you run the Docker container version on top of another Linux OS, it's lighter still, as the container is now based on Alpine Linux instead of Debian.
    
      Is it really worth setting up a dedicated ad-blocker on your own network? We decided it was high time to try.
    
    For those that want to it's an easy setup on a NAS box and gives a central dashboard for whitelisting, blacklisting, toggling ad filters, logs, etc.

    • anonymousiam 12 hours ago

      I nearly submitted this story myself, so I'm glad somebody did.

      I've been running pihole at two locations for many years. It does a great job of blocking ads and scripts on all devices.

      I customized one of my two locations and it stopped serving DHCP on one of the two subnets after the update a few weeks ago. I reverted the update and it's been fine. (I keep good backups.) A friend who also runs it had the same problem and he provided me with his solution before I had a chance to look at it myself:

      listeningMode = "ALL" ### CHANGED, default = "LOCAL"

    • stavros 13 hours ago

      Granted, Pi-hole is a great project, and this new version does seem like a big improvement. It just irks me how people will stay with a hostile browser instead of spending the literal five minutes it takes to switch to another one.

  • ForOldHack 9 hours ago

    We sell used computers with Windows installed. We used to use Edge to get Chrome, and then someone suggested Brave. Everyone uses Brave now, except for me, the throwback who uses Nightly/Firefox. There I was reading news when someone on the machine next to me got a 1-800 alarm. He was shocked... So I turned off his computer, rebooted, and searched his browser history. He was looking for a printer manual, and it hit an auto-forward, and in the URL was a bytecode dropper. Wow. I copied the text and sent it off to my anti-virus, and scanned and cleaned his machine up. Nothing was flagged except for that URL, its cache. I think I got it right before the drop, but I didn't bet on it, and reloaded OS, apps and security and again a full scan. I thought he was in Chrome, but he was using Edge that one time. So now I have to bury all the launch points.

    Yes, stop using Chrome as your daily driver.

    Brave and Opera were on a workstation I was cleaning up, so I flipped back and forth between them, but am going to do some deep dive on Monday.

    • stavros 5 hours ago

      I wouldn't recommend Opera, BTW. It was bought by some shady consortium and is no longer the browser it used to be. Vivaldi is its spiritual successor (and what I use).

    • ForOldHack 9 hours ago

      AI predictably said anything including Edge. Which is why it's the second thing I remove from the lab machines.

      Anyone using Puffin, Freenet or Vivaldi? I am going to spend a day with each next week on a slow system.

      The one thing I was looking for as an alternative to Nightly was its speller, that was getting old. Then a week or so ago, it has become significantly better.

      • stavros 5 hours ago

        I use Vivaldi and really like it.

  • lolinder 12 hours ago

    Which do you recommend these days?

    As the article notes, Mozilla is telegraphing incoming targeted advertisements in Firefox. Everything else is a Chrome derivative and unless someone steps up to maintain Manifest V2 (which I've seen no evidence of so far), uBlock Origin will no longer function on them.

    I would love to be able to rely on my browser to be a user agent that actually has my interests and only my interests at heart—I have hopes that maybe Orion can get there with a paid-for model. But in the meantime, most of the choices I can see are flawed in some way that justifies an extra layer of protection.

    • stavros 5 hours ago

      I use Vivaldi, I used to use Opera and I like Vivaldi's mission statement. I don't know about manifest v2, but uBO still works on Vivaldi, at least for now.

    • verandaguy 12 hours ago

      > Everything else is a Chrome derivative

      What about the Firefox forks? They aren't as popular as Chrome's (by nature of Firefox not being as popular as Chrome), but they're out there; Waterfox, Librewolf, and Mercury come to mind.

      • lolinder 12 hours ago

        Fair. I was thinking only of the big players.

        Waterfox was sold 5 years ago to an ad company [0], and the developer's response on that thread was... not ideal. From what I understand they separated from them a few years later, but the developer's response to complaints about the sale ("I’ve never tried to have it as a privacy product specifically ... all the outrage towards me for that has been, at least towards me, a little unfair.") don't lead to a lot of confidence even under a new business model.

        And this is suggestive of the problem I see in general with the smaller players: their bus factor is too small and the number of people who have to be involved in a bad decision is too low. Switching to a small fork like these ones doesn't mean I can stop worrying about what my browser might do, it just changes the types of things I have to worry about. I still need layers of protection just like I do with Firefox or Chrome.

        [0] https://news.ycombinator.com/item?id=22338321

        • dhosek 11 hours ago

          Safari isn’t a Chrome fork, although they do have the same roots. Other than my work machine where I use Chrome because it’s the company standard and I find that not going off the main path is usually past, I use Safari for everything and I find it’s generally faster and less of a battery hog.

          • lolinder 11 hours ago

            I'm not on MacOS or iPhone, Safari isn't an option.

        • verandaguy 12 hours ago

          That's a good point, I hadn't known about the Waterfox drama. I do still use Firefox, but I'd been eyeing Mercury, myself.

          Anyway -- your other point about bus factors is also fair, but I think it's made a bit moot by the big players (evidently, Mozilla included) making bad decisions in spite of (or because of?) their size.

          Perhaps the future involves people being more lean about which browsers they're tied to, and making the jump more often. Guess we'll see.

          • lolinder 12 hours ago

            > it's made a bit moot by the big players (evidently, Mozilla included) making bad decisions in spite of (or because of?) their size.

            True—I'm more counting on big players moving slowly and with lots of eyes on them. Mozilla's descent has been one that I've been following for years now, and I don't expect to be surprised by a sudden rug pull the way that a smaller player can do.

    • ajdude 11 hours ago

      > I have hopes that maybe Orion can get there with a paid-for model

      I'm hopeful. I stopped using firefox last week and switched fully to Orion (I was already using it on my iPhone for the firefox extensions), and now I'm paying for Orion+ to support them https://kagi.com/orion/orionplus.html

      • lolinder 11 hours ago

        Unfortunately I need Linux and Android (and ideally Windows too) before I can make the switch. Sounds like Linux may be on the table for March of next year [0], but that's only half the story for me (unless there's a good way to tab sync to mobile Firefox?).

        [0] https://news.ycombinator.com/item?id=43302073

  • jhbadger 12 hours ago

    The point is there soon may not be. I'm a Firefox guy myself, but Mozilla looks like it is wanting to turn evil as well. So what's left? One of the forks of Chrome or Firefox? What happens if either "for security" decide to stop releasing their code? It could happen, projects have stopped being open sourced in the past. It couldn't stop people from basing browsers on the earlier code of course, but those would eventually have compatibility problems as they wouldn't have access to new changes.

  • eth0up 10 hours ago

    Running Linux, I feel similar about Chromium. Despite needing a backup browser for occasional Firefox issues, I won't touch it.

    I'm using Midori for this purpose and it quite sucks a bit. I really hope a good alt browser jumps into the repos soon.

exabrial 9 hours ago

Do you think Google is going to let you get away with this? pahahaha. Nope.

The next thing they'll do is to claim that DNS over TLS (probably port 443 mind you) is mandatory.

On a side note, Safari's latest version seems to do this, and there's no way I can figure out how to disable the behavior.

Per usual, they'll claim it's "for safety", but the real motive is to kneecap extremely useful tools like PiHole.

  • userbinator 2 hours ago

    DoH is already a thing.

    Of course, the escalation from the user side is likely to involve more firewalls and proxies.

hagbard_c 13 hours ago

An alternative option for those already running an OpenWRT router - whether that be on dedicated hardware (usually a reflashed commercial wifi access point + router) or as a virtual router (e.g. running in a container or VM, this is how I use it) - is to use the Adblock package and configure it to force local DNS (Redirect all DNS queries from specified zones to the local DNS resolver, applies to UDP and TCP protocol). This partly works but it is not effective against applications (e.g. TikTok) and devices (e.g. 'smart' televisions) using DoH (DNS over HTTPS) since that traffic is indistinguishable from normal web traffic without deep packet inspection. I have tried to run ipset-based blocklists to force such applications and devices to use 'normal' DNS but this is not really feasible as DoH servers can be hosted just about anywhere.

  • PaulKeeble 13 hours ago

    FreshTomato also has an adblock function that can go off the usual web lists. DD-WRT I recall does as well. Just goes to show the open source firmwares in general are superior and it should be a feature people look for when buying routers.

gigel82 10 hours ago

Both Pi-Hole and AdGuardHome are good; I've used both and settled on AdGuardHome as I've found it to be slightly faster to resolve (with the same Quad9 upstream for both).

TZubiri 12 hours ago

[flagged]

  • _moof 11 hours ago

    Pi-hole is one of the easiest setup and operation experiences I've ever had. This is not "hacking the network."

    • TZubiri an hour ago

      Might be easy to install, still is a hack (as in useful hacking, not cracking).

      It's a thing (dns) modified for a purpose it wasn't designed for (ad firewall)

  • verandaguy 12 hours ago

    This is hardly hacking the network. DHCP configuration is surfaced in almost every home router that exposes an admin panel (which is most of them).

    If you don't want to broadcast your Pihole's address as a default DNS over DHCP, you can always just do it manually through the DNS panel on your device that you almost certainly have used in the past (statistically speaking, given HN's audience) to point it to quad9, or 1.1.1.1, or google's DNS.

    • TZubiri an hour ago

      The cognitive load it takes to parse this sentence is proof that it's hacking.

  • borski 12 hours ago

    That’s not what this is. You are already using a DNS server; it’s just the one your ISP built.

    Swapping your DNS server takes three seconds in your router interface.

    • TZubiri an hour ago

      It's taking something (DNS) to do things it wasn't designed to do (be an ads firewall)

      That's a definition of hacking

noobermin 9 hours ago

It's a bit ironic that the article is all about blocking ads whilst essentially being an ad for pihole.

  • shermantanktop 7 hours ago

    No, the real irony is the last bit where they beg the reader to allow the Register’s ads.

    > Bootnote: If any loyal Reg readers have built a Pi-hole allow-list to whitelist El Reg and its sister sites, do please let us know in the comments.

    • defrost 6 hours ago

      Modern comedic, self aware irony, yes.

      Classic Real Irony™ ? No.

        a literary technique, originally used in Greek tragedy, by which the full significance of a character's words or actions is clear to the audience or reader although unknown to the character.

  • sudahtigabulan 8 hours ago

    Only if we agree that a tutorial on how to use grep to find things, instead of just putting up with not finding them, is an "ad for grep".

112233 7 hours ago

Why is PiHole even mentioned as alternative to uBO? It is not a comparable thing! There is SO MUCH stuff you cannot do without access to the page contents. cookies. tracking parameters. "pixels". javascript. etc etc

  • dredmorbius 6 hours ago

    PiHole, or equivalent DNS-based blocking tools protect networks, presuming your DHCP server points clients to the PiHole DNS server. ALL devices and apps on those devices which rely on the indicated DNS server benefit.

    uBlock Origin protects individual browser profiles only. That is, if you have uBlock Origin installed and it's enabled on a given browser profile, that specific usage is protected.

    Yes, uBo gives far more power in blocking online content, where it's available. But it only goes so far.

    With PiHole, one of the disadvantages is that when you use another network you lose all your ad / malware blocking protections. I find it jarring when I use a tool w/o any native ad-blocking on an outside network.

    Best practice is to use both DNS-based blocking (for global coverage on your LAN) AND uBlock Origin for browser instances where it's available (desktop generally, Firefox/Android on mobile).
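Added example (not dredmorbius's or 9x39's code) of the decision a DNS sinkhole actually makes, to make both of their points concrete: it only ever sees a hostname, so a tracker on its own domain is caught while the same content proxied through the first-party domain is not, whatever path, cookie or script it came with. The lists below are constructed. One caveat on semantics: this uses AdGuard-style suffix matching (the `||domain^` rule, which covers subdomains); a plain Pi-hole list entry matches the exact name only and needs a regex entry to cover subdomains. The 0.0.0.0 and :: answers are what Pi-hole's default NULL blocking mode returns.

```python
from urllib.parse import urlsplit

# Constructed lists for the example; a real deployment loads millions of entries
# from maintained sources such as the firebog.net and hagezi lists named above.
BLOCKLIST = {"tracker.example", "ads.example.net", "metrics.cdn.example"}
ALLOWLIST = {"cdn.example"}            # allow entries win over block entries


def _suffixes(name):
    """a.b.c -> a.b.c, b.c, c : the chain an AdGuard-style ||rule^ is tested against."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """("allow" | "block", reason). A listed domain covers its subdomains by suffix
    match, not substring match (tracker.example does not touch tracker.example.org),
    and an allow entry anywhere in the parent chain overrides a block."""
    for s in _suffixes(name):
        if s in allowlist:
            return "allow", "allowlisted " + s
    for s in _suffixes(name):
        if s in blocklist:
            return "block", "blocklisted " + s
    return "allow", "not listed"


def sinkhole_answer(name, qtype):
    """Resolver answer for a blocked name in NULL mode: 0.0.0.0 for A, :: for AAAA
    (other types get an empty answer here). None means forward upstream as usual.
    Unspecified addresses make clients fail fast instead of waiting on a connect."""
    if decide(name)[0] != "block":
        return None
    return {"A": "0.0.0.0", "AAAA": "::"}.get(qtype, "NODATA")


def dns_visible_decisions(urls):
    """The sinkhole's view of a page's requests: the hostname and nothing else.
    Path, query string, cookies, the script that issued the fetch and the response
    body never reach it; those are what a browser-side blocker works on."""
    return {u: decide(urlsplit(u).hostname or "")[0] for u in urls}


if __name__ == "__main__":
    page = [                                  # constructed request log for one page load
        "https://news.example/article/42",
        "https://tracker.example/pixel.gif?uid=abc",      # third-party tracker: caught
        "https://static.ads.example.net/banner.js",       # subdomain of a listed name: caught
        "https://news.example/cdn/proxied-banner.js",     # same content, proxied first-party: missed
    ]
    for url, verdict in dns_visible_decisions(page).items():
        print(f"{verdict:5}  {url}")
```

The last entry in the constructed log is the case 9x39 describes: once the publisher serves the ad from its own hostname, the only signal left at DNS level is the publisher's domain, which you cannot block without losing the site. That is why the browser-side blocker, which sees the URL path and the DOM, still earns its place next to the sinkhole.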

    • 112233 3 hours ago

      Exactly. Thank you for taking the time and elaborating on the difference for those, who may be confused about it.

      Now compare to the article: "Chrome users are forced to use less capable uBO Lite. Enter PiHole!"

      So, basically, PiHole gives you all that you lose because of the Chrome dropping v2. I cannot read that in any other way.

      • dredmorbius 28 minutes ago

        Quibble: PiHole gives you back some of what you lose with uBo.

        uBo will block more than just source-based content (though it does include very extensive domain blocklists). It will also, for example, block YouTube ads (added by YT, but not sponsorship bits within the video itself), ads identified by CSS or JS syntax, and (if you choose to do so) other Web annoyances, for example sticky header/navigation bars if those are present and you've installed the appropriate additional blocklists.

        PiHole can't do any of the latter, though again, it's far better than nothing, and covers more than just the browser. Example of the latter, one of the Android podcast apps I have inserts advertising, that happens to be caught (usually) by my DNS-based blackhole when I'm at home, but not when I'm travelling. It's jarring to see those ads should I fire up the app when I'm on the road.