NextDNS or many other DoH services that are out there (I personally recommend Mullvad).
this post was submitted on 10 Feb 2025
65 points (97.1% liked)
Privacy
33538 readers
356 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
You want the truth? Setup OPNsense firewall on your network. Add EasyPrivacy, EasyList, AdGuard List and other blocklists to the Unbound DNS service on the OPNsense server.
Then configure your DHCP to use the OPNsense router/firewall IP (eg. 192.168.1.1) as DNS server in DHCP provisioned computers on your LAN network.
This is how I do it and it's an enterprise setup, which works and scales really well.
As an extra step you can block DNS requests to external services from within your network to prevent devices trying to reach hardcoded for example Google DNS servers to bypass your filtering which isn't uncommon with some IoT/streaming devices. Best to both block the known IPs as well as have DNS redirects for the urls that point back to your firewall at whatever IP it's using to serve DNS from. There is a list called DoH servers by name or something like that which you can add to the blocklist to try and prevent usage of any DNS but your own.
OP if you enjoy a fun weekend project, don't go with a pi-hole. It literally only takes about 5 minutes. Also I recommend the blocklistproject lists https://blocklistproject.github.io/Lists/
Pi-hole works great for me, but everyone else on the network that uses Google hates it because the entire first page is ads and they can’t click on them.
For a mobile device / TV, sure.
For a browser on a computer, uBlock or AdNauseum will fix that.
I install some local adblocker to their devices and they don’t see those ads
I have one SSID with pihole (which I use), and one without. Works pretty well, if you're ok with a VLAN-aware network.
Yeah, PiHole is great if you live by yourself otherwise the entire household will have it out for you.
Learned that lesson the hard way.
Only Apple the filtering to your MAC addresses.
Light + TIF https://sky.rethinkdns.com/1:AAkACAQA
Normal + TIF https://sky.rethinkdns.com/1:AAkACAgA
Pro + TIF https://sky.rethinkdns.com/1:AAoACBAA
Pro plus + TIF https://sky.rethinkdns.com/1:AAoACAgA
Ultimate + TIF https://sky.rethinkdns.com/1:gAgACABA
Light + TIF https://dns.dnswarden.com/00000000000000000000048
Normal + TIF https://dns.dnswarden.com/00000000000000000000028
Pro + TIF https://dns.dnswarden.com/00000000000000000000018
Pro plus + TIF https://dns.dnswarden.com/0000000000000000000000o
Ultimate + TIF https://dns.dnswarden.com/0000000000000000000000804
Light https://freedns.controld.com/x-hagezi-light
Normal https://freedns.controld.com/x-hagezi-normal
Pro https://freedns.controld.com/x-hagezi-pro
Pro plus https://freedns.controld.com/x-hagezi-proplus
Ultimate https://freedns.controld.com/x-hagezi-ultimate
TIF https://freedns.controld.com/x-hagezi-tif
DNS based adblocking with Hegezi blocklist and TIF (threat intelligence feeds). Works with any device on your network in one way or another (QUIC, DoH/3, DoT, etc) and doesn't require installing anything. Just changing dns settings.
This is a great list. Blocks about 95% of all advertisements. About 4% are unblockable due to one reason or another, and the remaining 1% get added very quickly. I highly recommend this solution. Sure, you can setup a PiHole and do it all yourself, but in the end that requires time and attention. It's the same list, but if you roll PiHole yourself you don't get access to TIF, which are amazing for protecting you from different kinds of threats.
I use Adguard's public DNS on my router for convenience, no problems at all. In the past I had pi-hole with some lists that in the end, from time to time, broke things.
I second your idea of going with Pi-Hole. It is purpose-made for this and easy to setup.
Plugging my favorite block lists:
- general browsing https://firebog.net/
- For TV's https://github.com/hkamran80/blocklists
- For Phones https://github.com/craiu/mobiletrackers
yep, 100% set yourself up a pihole. You'll likely need to set it as your DNS via DHCP in your router, or configure it manually on devices that allow that.
If you want cheap and easy, something like NextDNS. Otherwise, your tentative plan works just as well. My family liked NextDNS because all I had to do was have them install an app, enter my code (for the profile I configure for them), and set it to on. The rest was magic, to them.
That really doesn't sound that easy...
Pihole has its issues, ~~but at least you dont need to setup each and every device individually. ~~ edit: I have been informed that this is not the only way.
For balance, the main issue I have with pihole is that family members can't easily bypass it when they need to, which is inconvenient.
Dont you need to set the dns adress to the pi-hole dns on every device? It was a few years ago but I remember that I had to set my dns to the pi-hole, which acted as a dns server. Or am I mistaken?
You can setup DHCP to give the DNS address to every device automatically. Even heavily locked down routers sometimes have the option, but I guess OP will have to try that out.
Pihole also has a built in DHCP, which you can enable and use as long as you disable the router one.
You can set up NextDNS on the router to cover every device on the network. My family is all over the country, so the app was easier for my use case.
Ah, okay, thats much more simple then.
I set up NextDNS for my family's devices and it wasn't that hard. Plus it still works even when they're not on the home network.
Either Pi-Hole or there is also AdGuard Home
From what I’ve heard their as good as each other it just comes down on what UI you prefer^^
Make a NextDNS with the settings/features you like and add that as your router's DNS service. Super simple
This is the lazy option that just works, the free tier is decent but their paid one is so cheap that you can run it for years with the price of a single Rapberry Pi
Put their router into modem mode and daisy chain your own router. Look up its labels and find the original manufacture for manuals. Watch out for name changes and mergers. ISPs do not manufacture routers. They buy them from companies, change a few logos and lend them to you.
You can also use the DMZ setting for your router depending on the software on the device from your ISP. DMZ means all traffic is forwarded that hits the device.
I use Ad-Guard instead of Pihole because the pi-hole software used to be missing some of the DNS features I wanted at the time, and I just stuck with it ever since. I have the main DNS server running on my Unraid Box, and a backup that runs on my HomeAssistant Pi4B.
PfSense with PFblockerNG or Pihole
I use PfSense and it's great
Controld.com is what i use and it works great.
They have one server that blocks nothing, one server that blocks known malware, one server that blocks known malware and advertising and tracking, and a server that blocks all of that, including social media. And they are all free.
We have an Odroid with AdGuard that's worked great for many years. We used to use Pihole but had niggles that Meany AdGuard was easier. For us we wanted a completely free solution that we had complete control over.