Should you “Pi-Hole” your network? Block ads with this clever tech.



There is a new device available that claims to block ads at the network level, acting like an ad blocker for all of the connected devices in your home. Small businesses could potentially benefit from this inexpensive device as well, most likely in conjunction with a number of other tools to monitor or limit web traffic to ensure employees or visitors are not violating the company’s acceptable use policy. The technology this device uses works differently than traditional ad blockers: it interferes with the way DNS works on your home network. The technique is known as a DNS “black hole,” and the server is so lightweight that it can be installed on an ultra-low-power device like a Raspberry Pi, thus the clever name “Pi-Hole.”

If you have ever worked in the IT networking or security space, the hair on the back of your neck is probably standing up straight right now, and for good reason. There have been numerous attempts by hackers in the previous decades to use a similar technique during an attack called a “man-in-the-middle,” but think about it: this device sets up a custom DNS server that you control, allowing you to run a benevolent man-in-the-middle which can subsequently be locked down and secured in the same way any company’s internal DNS servers would be. Instead of a hacker’s man-in-the-middle attack, which would send you to a phony website by intentionally delivering you to the wrong IP address, the Pi-Hole simply redirects ad traffic to a “black hole.”

Like any internal IT system, risks and benefits need to be weighed. DNS, short for Domain Name Service, is considered by many technology enthusiasts to be sacred: something that should never be touched, in order to preserve the implicit contract of trust between the domain registrars and the end users on the Internet itself. Domain names are valuable property, and it would be illegal or at least unethical for a company or a government to “black hole” certain domain names. This would effectively block access to certain sites by deleting their entry in the Domain Name lookup table. Yourfavoritewebsite.com would show up as a “404 – Page not found” error even as the web server hosting the site is still up and running. When news articles about Internet censorship and government regulation of certain websites appear, the DNS black hole technique is the primary tool that is implemented to block offensive or unpopular websites. Most progressive governments, especially in the United States and European Union, are strongly opposed to this tactic as it is seen as limiting the freedom of speech.

In the private sector, however, companies have the obligation to enforce their acceptable use policies on their own Internet connection due to the liability that the company assumes should an employee utilize the business Internet access for illegal or unethical activities. A home user could use a similar tactic to block unwanted content in their own home, as their private Internet connection is their own responsibility and similar liability laws already exist that could potentially hold the head of a household responsible should anyone in the house use that connection for something illegal. The reason I bring all this up is simply to illustrate that a strong argument exists for individuals and small businesses to consider using some easily available tools to take control of their own connection to the wide-open Internet.

As I mentioned earlier, the Pi-Hole is primarily for blocking ad servers. A collective of dedicated contributors maintains a very thorough blacklist of ad service sites that the Pi-Hole service filters against whenever a user on the network is browsing the web. This offers several advantages, as web pages without ads tend to load much faster, crash less frequently, use fewer resources, and expose users to fewer viruses and malware attacks while still allowing the main content of the page to load and be displayed normally. Don’t get me wrong, in principle ads are a useful source of revenue for many websites. There is a saying, however, that a few bad apples can spoil the bunch, and this is exactly the case today with the state of ads on the Internet. Web browsers like Chrome and Firefox are even incorporating their own countermeasures to limit the ways intrusive ads can hijack a user’s browsing experience, redirecting them to an unwanted site or playing unskippable videos at extremely loud volumes, even going so far as to show inappropriate material or inject malware. These few bad actors have demonstrated that the web as an advertisement platform needs to be completely reconsidered, the same way the advertisement industry on television has to adhere to specific guidelines. We may get there one day, and when that day occurs maybe we will not need to block ads as aggressively. Until that day, however, we have tools like Pi-Hole, which can be installed on a number of platforms, from the super convenient Raspberry Pi standalone box to a traditional DNS server running Linux. The makers of Pi-Hole offer their own DNS server called FTLDNS, which boasts performance improvements over traditional DNS servers. There is even a plugin for pfSense, a popular router and firewall solution, in beta-testing at the time of this writing that would allow an administrator to easily enable the Pi-Hole features to block ads, and even block unwanted domains from an assortment of pre-built lists. I’ll cover the setup and configuration of each of these devices in future posts, so stay tuned if this is something you are interested in.
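
The filtering decision described above, as an added sketch that is not part of the original post and not Pi-Hole's own code: each queried name is checked against a blocklist and either forwarded or answered with a black-hole address, with an allowlist for names that must keep working. Assumptions: the hosts-file style list format, 0.0.0.0 as the black-hole answer, matching on parent domains, and the placeholder domain names.

```python
# Added sketch of a DNS "black hole" decision; not Pi-Hole's own code.
SINKHOLE_IP = "0.0.0.0"  # assumption: unroutable answer given for blocked names

# Constructed sample blocklist in hosts-file style (names are placeholders).
SAMPLE_BLOCKLIST = """
# ad servers
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
banner.example.org
127.0.0.1 localhost
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def parse_blocklist(text):
    """Return the listed domains, accepting 'IP domain' or bare 'domain' lines."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        domain = normalize(line.split()[-1])  # last field is the name
        if domain and domain != "localhost":
            domains.add(domain)
    return domains

def parents(name):
    """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def decide(qname, blocklist, allowlist=frozenset()):
    """Return ('forward', None) or ('sinkhole', SINKHOLE_IP) for a query."""
    name = normalize(qname)
    if name in allowlist:  # explicit exceptions win over the blocklist
        return ("forward", None)
    if any(p in blocklist for p in parents(name)):
        return ("sinkhole", SINKHOLE_IP)
    return ("forward", None)

BLOCKED = parse_blocklist(SAMPLE_BLOCKLIST)
```

The allowlist check runs first so that an administrator can restore a single name a blocklist entry would otherwise catch, without editing the shared list.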

The Pi-Hole project is an open-source initiative, and they have pledged to never charge money for this software.   If you are interested in supporting them, please consider donating to the cause on their website.  If you are interested in trying Pi-Hole right away, their website is a great place to get started.  They even have a standalone Pi-Hole device that can be ordered from their store directly if you are looking for a ready-to-go solution running on an actual Raspberry Pi.


Comments

  1. Great article! I've considered something like Pi-Hole for my office network, as I'm very concerned that my "news"-hungry colleagues could be exposed to all kinds of nastiness. But I'm equally concerned that it would block things that are actually necessary to doing their jobs (happens frequently with browser-based blockers), and it would be a lot harder for users to legitimately circumvent it in those cases. Anyone have thoughts on this?

    Check out our blog.
