I think it’s safe to say that the majority of people hate ads. However, it is a necessary evil since we all love free stuff. Whether that’s YouTube content, email service, etc., we want it for free. Some people install ad blocker add-ons on their browsers, and they work great. Some tech-savvy folks go even further by blocking ads network-wide. Today’s article is about how to block ads network-wide.
Why block ads?
I love ads! Said no one, ever.
People have different opinions about ads. However, generally, people hate ads. Some common reasons are the following:
- Pervasive
- Intrusive
- Obnoxious
- And many more
For the most part, I agree with this list. However, some creators know how to be responsible with their content monetization. Not being responsible can affect the user experience. As a result, viewership goes down, or users find ways to block ads, which results in lower ad revenue.
Malvertising
What this list doesn’t have is malvertising or malicious advertising. It is one of my reasons why I block ads. It is, after all, a security issue. If you are unfamiliar with the term, please visit this site.
Essentially, cybercriminals pay an advertising network to display malicious ads that will redirect users to a compromised server. Malvertising can perform the following attacks on users without them clicking anything:
- A “drive-by” download. It is a type of attack that downloads and installs malware or adware.
- Redirects to a phishing site.
- Redirects to a site with fraud advertising. Some of these fraud ads will instruct users to download software to clean their computers.
- The list goes on.
Enter Pi-hole

Pi-hole is a free and open-source software (FOSS) project. It was created by Jacob Salmela as an alternative to AdTrap back in 2014.
It is a Linux-based application that allows users to block advertisements and internet trackers at the network level. It was originally designed to work with embedded devices like the Raspberry Pi, hence the name Pi-hole.
For several years, Pi-hole has been known to work with other operating systems. Now the project officially supports several Linux distros, including my distro of choice, which is Ubuntu.
Linux VM
I chose the virtual machine route this time since I had issues with internal DNS resolutions back in 2016 or 2017 when I used a pre-packaged Pi-hole Docker container. With the conditional forwarding feature, that issue should no longer exist and I may consider moving to a Docker container again in the future.
My network currently has three ESXi servers. I assembled one of them back in 2012, one in 2016, and one this year.
Specs of my Pi-hole VM are the following:
- 1 x vCPU
- 768 MB of RAM
- 1 x vNIC
- 8 GB of disk space
Preliminary steps
Pi-hole needs a static IP address. We can approach this in two ways. One is statically assigning an IP address to the server. The other is to use a DHCP reservation. I prefer to assign an IP address on my servers.
Before Ubuntu 18.04, static IP addresses were configured in the /etc/network/interfaces file. Now, the file that needs to be modified is a YAML file, /etc/netplan/50-cloud-init.yaml.
Since I used the VMXNET3 network adapter type, the interface name is ens160. Under the interface, we need to change the DHCP line from true to false. Then, assign an IP address to the interface. Alternatively, we can delete the dhcp4: true line.
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
            - 192.168.100.53/24
            gateway4: 192.168.100.1
            nameservers:
                addresses:
                - 208.67.222.222
                - 208.67.220.220
    version: 2
After saving the changes to the YAML file, we need to apply the changes. Issue the command as seen below for the changes to take effect.
$ sudo netplan apply
Finally, we’re on the last command in the preliminary steps. We now need to make sure our Ubuntu Linux is up to date.
$ sudo apt update && sudo apt dist-upgrade -y
Pi-hole installation
Installing Pi-hole is quite easy. We just need to issue a one-line command.
$ curl -sSL https://install.pi-hole.net | bash
You may be thinking that this is a risky command to issue. Pi-hole wrote an article on why curling and piping to bash is controversial. If you don’t trust what this command does, then head over to their GitHub for alternative methods of installation.
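A more cautious way to run the installer, as an added example that is not part of the original article or the Pi-hole project: save the script to a file, refuse to continue if the download is empty, is not a shell script, or is truncated, and print its SHA-256 so the file you reviewed is the file you run. The helper name `vet_installer` and the file name `basic-install.sh` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: vet a downloaded installer instead of piping curl into bash.
# vet_installer is a hypothetical helper name, not a Pi-hole command.

vet_installer() {
    local file=$1
    # An empty or missing file means the download failed.
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # The first line must be a shell shebang, not an HTML error page.
    head -n 1 "$file" | grep -Eq '^#!.*(ba)?sh' \
        || { echo "not a shell script: $file" >&2; return 1; }
    # bash -n parses without executing; a truncated download usually fails here.
    bash -n "$file" 2>/dev/null \
        || { echo "syntax check failed (truncated?): $file" >&2; return 1; }
    # Print the digest so the reviewed file and the executed file can be matched.
    sha256sum "$file" | cut -d' ' -f1
}

# Typical use (needs network access, so it is left commented out here):
#   curl -sSL -o basic-install.sh https://install.pi-hole.net
#   vet_installer basic-install.sh && less basic-install.sh
#   sudo bash basic-install.sh
```

The syntax check only catches a broken or partial download; it says nothing about what the script does, so reading it before the final step is still the point of saving it to disk.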
In the installation wizard, you can leave everything as default. If you ever need to change it, then you can do it after installation using the admin page.
Eventually, you’ll reach the end of the installation wizard, and it will provide you a random password. It also shows you how to access the WebUI to make additional configurations.
Post-installation
The default values in the installation wizard are enough for a typical home environment. That said, there is no need to make any changes by logging into the admin page, except to change the default password that was created by the installation wizard.
Change default password
To change the password, you need to issue one command, as can be seen below.
$ sudo pihole -a -p
Enter New Password (Blank for no password): makemypasswordgreatagain
Confirm Password: makemypasswordgreatagain
  [✓] New password set
Conditional forwarding
As previously mentioned, I run an internal DNS in my network. I may consider moving everything to Pi-hole, but not at this time. That said, I configured the conditional forwarding feature. You’d want to do this if you have an environment similar to mine.
To configure, click on Settings > DNS and then scroll down until you find the Conditional Forwarding section.

Since I have multiple subnets, I needed to add PTR records so that I can perform reverse DNS lookups. Without these records, I was only able to perform lookups within the same network as my internal DNS server. In this case, it was only within the 192.168.100.0/24 network. To add more networks, create a file in the /etc/dnsmasq.d directory.
$ sudo vi /etc/dnsmasq.d/02-pihole.conf
server=/10.168.192.in-addr.arpa/192.168.100.155
server=/20.168.192.in-addr.arpa/192.168.100.155
server=/30.168.192.in-addr.arpa/192.168.100.155
server=/40.168.192.in-addr.arpa/192.168.100.155
server=/50.168.192.in-addr.arpa/192.168.100.155
After saving the file, make sure to restart the Pi-hole DNS service by issuing the sudo pihole restartdns command.
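The reverse-lookup lines above follow a fixed pattern (subnet octets reversed, then in-addr.arpa), so they can be generated rather than typed. This is an added example, not part of the original article; `reverse_zone` and `forward_lines` are hypothetical helper names, and it goes beyond the /24 subnets used here by also accepting /8 and /16 while rejecting prefixes that do not map to a single reverse zone.

```shell
#!/usr/bin/env bash
# Added example: build dnsmasq "server=" lines for reverse lookups.
# reverse_zone and forward_lines are hypothetical helper names.

# Print the in-addr.arpa zone for an IPv4 prefix of length /8, /16 or /24.
reverse_zone() {
    local cidr=$1 net len a b c rest
    net=${cidr%/*}; len=${cidr#*/}
    # Peel off the first three octets with parameter expansion.
    a=${net%%.*}; rest=${net#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}
    case $len in
        8)  echo "$a.in-addr.arpa" ;;
        16) echo "$b.$a.in-addr.arpa" ;;
        24) echo "$c.$b.$a.in-addr.arpa" ;;
        # Anything else (a /22, say) spans several reverse zones; refuse it
        # rather than emit a line that silently covers the wrong range.
        *)  echo "unsupported prefix /$len in $cidr" >&2; return 1 ;;
    esac
}

# Emit one "server=/zone/dns" line per subnet; stop on the first bad subnet.
forward_lines() {
    local dns=$1 cidr zone
    shift
    for cidr in "$@"; do
        zone=$(reverse_zone "$cidr") || return 1
        echo "server=/$zone/$dns"
    done
}

# Sample call using the article's internal DNS server and two of its subnets:
#   forward_lines 192.168.100.155 192.168.10.0/24 192.168.20.0/24
```

Redirect the output into a file under /etc/dnsmasq.d and restart the DNS service as described above.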
Pi-hole as internal DNS server
The easiest way to make Pi-hole an internal DNS server is to make it the DHCP server for the network. A lot of people will opt for this option because it’s easy and automatic.
If you want to make your life harder, then adding entries to the host file is the other option. To edit the host file, use your favorite text editor and add host entries to the /etc/hosts file. Below is an example of a host file I created for another home network that I have.
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 pihole
192.168.80.151 esxi03 esxi03.networkjutsu.local
192.168.80.1 erx erx.networkjutsu.local
192.168.80.100 unifi unifi.networkjutsu.local unifi-controller unifi-controller.networkjutsu.local
192.168.80.101 nanohd nanohd.networkjutsu.local
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Update: With the release of version 5.0, adding IP address and DNS name associations is now available on the Web UI. In the main navigation pane, click on Local DNS Records.
Alternatively, you can create the /etc/pihole/custom.list file and add the IPs and names there.
$ more /etc/pihole/custom.list
192.168.1.1 rtr.networkjutsu.local
192.168.1.53 pihole01.networkjutsu.local
DNS resolution from another network
If you have multiple subnets, just like my environment, you will need to ensure that your Pi-hole interface listening behavior is correct. There might be an instance where the installation wizard sets it to the first option. With this setting, Pi-hole ignores DNS queries from clients that are not in the same network as Pi-hole’s interface. Make sure to set it to the second or third option.

Alternatively, if you’re a CLI junkie, you can change this setting by editing the /etc/pihole/setupVars.conf file. Below is my current setting.
$ cat /etc/pihole/setupVars.conf | grep DNSMASQ_LISTENING
DNSMASQ_LISTENING=single
If you want to know the Web UI equivalent, then use this table.
DNSMASQ_LISTENING value | Web UI option |
local | 1. Listen on all interfaces |
single | 2. Listen only on interface ens160 |
all | 3. Listen on all interfaces, permit all origins |
Adding more to the blocklist
While the built-in blocklist works great in blocking ads, there are other lists that you can add. Currently, I use some of the blocklists from The Firebog site. I need more time to test before adding more to the list. Additionally, I added Dshield’s suspicious domain list as well.
Update: I added some of the lists in here as well.
Client’s DNS configuration
Once you have completed the Pi-hole configuration, you’re ready to make changes to your DNS configuration. There are two approaches that you can take.
The first one is to change your router’s DNS configuration. I recommend using this route since it’s the easiest and fastest out of the two.
The second approach is to change the DHCP configuration settings to point to Pi-hole as the DNS server. This approach is slow since the DHCP timeout applies. To immediately take effect, clients will need to release and renew their DHCP lease.
Keeping it up to date
At the time of writing, the update mechanism is not available on the web UI. That said, you would have to use the CLI to update Pi-hole. To update, use the command below.
$ pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core: up to date
  [i] Web Interface: up to date
  [i] FTL: up to date
  [✓] Everything is up to date!
Pi-hole in action
Now that you’re finished with configurations, it’s time to see it in action. In the next few sections, I’m going to demonstrate the different types of scenarios to show the value of Pi-hole and ad blocker.
First scenario

Here’s an example of a network without Pi-hole and a browser without uBlock Origin installed. As expected, advertisements are showing on the page.

If you try it out yourself, you will notice that the page loads very slowly. It is especially noticeable when you’re testing it on a low-powered machine without a very fast internet connection. With the use of developer tools, you will notice there are a lot of web requests.
Second scenario

Here’s an example of a network with Pi-hole and a browser without uBlock Origin installed. As expected, no advertisements are showing on the page.

If you try to load the page again, with cache disabled, you will notice that it loads very fast. That is because Pi-hole blocked many of the web requests, which reduced their number. In this scenario, we saved a whopping 758%!
Third scenario

Here’s an example of a network without Pi-hole and a browser with uBlock Origin installed. In this scenario, the browser add-on blocked the ads. However, it loaded the video player that we saw earlier but without the ads.

Using uBlock Origin still saves us a lot of web requests. However, the number is not as high as the one shown earlier. Nevertheless, having the ad blocker reduced the number of web calls to 403%.
Fourth scenario

Here’s an example of a network with Pi-hole and a browser with uBlock Origin installed. Visually, there’s no difference between this and the second scenario. However, inspecting with developer tools shows that there’s a slight difference.

As you can see, it further reduced the number of requests compared to the second scenario. While not significant, having an ad blocker on your browser helps block ads and trackers not caught by Pi-hole.
An example of this is YouTube. If you turn off the ad blocker, the ads will load. Pi-hole cannot effectively block the ads because YouTube hosts both the content and advertisements on the same server.
Final Thoughts
As discussed, blocking ads is no longer just about avoiding obnoxious images or videos. It’s also about avoiding malvertising and saving bandwidth. With the combination of Pi-hole and an ad blocker, you will definitely accomplish those objectives.