Pihole vs. Absolution

Angry already... lol..
In the event where they can reach your CA, your network is already compromised. It is no longer about mitm anymore... your whole network is almost GGed.

No anger. If there is a little, it is directed at the Fake News fabricated by Pi-Hole in their Wiki/FAQ.

Recently I saw other adblock script authors quoting Pi-Hole's wiki to make a case that pixelserv-tls is a MITM attack. So I took the chance to create a post that I could refer to later to quickly refute misunderstandings.
 
No anger. If there is a little, it is directed at the Fake News fabricated by Pi-Hole in their Wiki/FAQ.

Recently I saw other adblock script authors quoting Pi-Hole's wiki to make a case that pixelserv-tls is a MITM attack. So I took the chance to create a post that I could refer to later to quickly refute misunderstandings.
@kvic, I'm glad you took the time to write up a post containing the facts. I concur with your Fake News assessment. Good way to put it. I wonder if the Pi-Hole devs are also climate change deniers? :D
 
Love the reasoned discourse here, and the useful information coming out. Thanks all.
 
There are some nice features in pi hole. Kewl web GUI and stats. I sometimes help other expats with network and other computer issues where I live. Most of them have routers supplied by the ISP which lack many features available in Asuswrt and Asuswrt-Merlin. I think pi-hole would be a good fit for them. However, not being able to handle ads delivered via https requests makes it a show stopper for me.
 
Sorry to resurrect this old thread, but I was wondering if anyone here had noticed that in the 4.0 release of pihole, you may now configure whether pihole responds to blocked domains with null, or whether it points back to the ip of the pi, which I think in theory means you can now use pihole in conjunction with pixelserv-tls? Traditionally I have used AB-Solution with pixelserv, but I always thought it would be better to save the resources of the router and use an external device, such as the pi, for ad-blocking. Has anyone here tried the new pihole with pixelserv-tls?
 
Has anyone here tried the new pihole with pixelserv-tls?

If you had made your question clear like the previous post, you won't have to ask the second time in a different thread. I think it's not a taboo to discuss all sorts of adblock scripts/daemons on this forum, even though individuals might have their own preferences. lol

So let's try to do this again...

How-To make pixelserv-tls work with Pi-Hole


This question has been asked multiple times. Seems either very few pihole users on this forum or perhaps no one is desperate enough to take a serious look. I want to set it right and spend some time googling i.e. only the last 10 minutes or so. Hence, the answer below might not be fully correct and/or requires a dedicated pihole user to experiment and provide feedback.

With the release of 4.0 in their FTL, pihole seems to have added a new config variable known as "BLOCKINGMODE" in pihole-FTL.conf. First, you have to set it to "IP-NODATA-AAAA". That's the easy part.

Pihole uses lighttpd (users can optionally use nginx) for serving the Dashboard as well as HTTP ads when you use the above mentioned BLOCKING mode. So natively they do not provide a configuration to change the IPv4 address that blocked domains will resolve to (more on this later).

Luckily Pihole currently only uses port 80 for HTTP since they haven't been able to figure out HTTPS..yet. This implies that lighttpd will be listening on port 80 while port 443 is free. However, pixelserv-tls will require both port 80 and 443 for best performance.

Option 1. You could simply run pixelserv-tls on the same interface (as well as IPv4 address) as Pihole but only listen on 443. This will complete your loop of HTTPS ads i.e. HTTP ads served by Pihole's lighttpd. HTTPS ads served by pixelserv-tls. Not recommended.

Option 2. Change Pihole's lighttpd config to listen on a different port for HTTP e.g. 8080. This implies you'll be accessing Pihole's Dashboard with a URL like http://<pihole IP>:8080/admin. The lighttpd config traditionally is in /etc/lighttpd/lighttpd.conf but pihole might have changed that. I couldn't find a reference for it but instead I stumbled on the one for nginx HERE.

In option 2, both port 80 and 443 then can be used by pixelserv-tls. That's great since it can do a better and faster job than lighttpd & nginx. Recommended option.

Option 3. Make a feature request to allow users to easily change the HTTP port and/or the IPv4 address for blocked domains. For people compiling their own PiHole, it shall be easy to change but I haven't looked at the code nor tried. Such a feature request might be a little uphill struggle as it's not in PiHole's immediate interest.

At the moment, I believe option 2 is doable and will work. As said before, if you or anyone else has tried, let us know how it goes. Personally I'm not a pihole user.

EDIT:

The above information may be outdated. The latest info can be found in this Wiki: HOW-TO Setup pixelserv-tls for Pi-Hole.
 
If you had made your question clear like the previous post, you won't have to ask the second time in a different thread. I think it's not a taboo to discuss all sorts of adblock scripts/daemons on this forum, even though individuals might have their own preferences. lol

Apologies for making a second post. I only found this thread today, and it just seemed more relevant to the whole pihole-pixelserv issue I raised in my first post on the other thread. I think my original post was more of a "hey, did anyone know you could do this on the pihole now?" and was made just after I first read about the new blocking mode in pihole 4.0, whereas this second post was more of a specific "has anyone here tried this?" In any case, thank you for your comprehensive reply :)

Anywho, since I made that second post today, I have actually gone ahead and implemented pixelserv-tls with the new pihole blocking mode myself, and it seems to be working perfectly. Like you said, you need to set the "BLOCKINGMODE" in pihole-FTL.conf to "IP-NODATA-AAAA". As for how to implement the next part, I didn't actually need to face the dilemma between options 1 and 2, as on my setup I just disabled lighttpd and don't use pihole's webserver at all, instead only running it from the cli. This means both 80 and 443 pihole redirects are answered by pixelserv-tls no problem. I can confirm that with this setup running most of today, and with the pixelserv-tls CA installed and trusted on my devices, my pixelserv servstats page has been notching up hits nicely.

So I suppose that would be option 4: Not to use pihole's web interface at all, and only use pihole from the command line in conjunction with pixelserv-tls. Now many people may well be wondering why I would do this instead of just using AB-Solution/Diversion, and that is a fair question, seeing as the main pull of pihole is its very nice web gui. I guess the only good reason really was that I would prefer to have the adblock running on a different device than my router, as I just think it's better for my 87U's resources to not have to worry about adblocking in addition to the other things I have running on it. I guess people with better and more modern ASUS routers wouldn't need to worry about that. Plus, I just like to tinker :) Anyway, it's nice to have options, and I do get the feeling that there are more adblock lists already in the format used by pihole floating around, than there are in the format used by Diversion (correct me if I'm wrong in thinking Diversion needs adblock lists in the HOSTS format?). I can't say I have noticed a huge speed increase today since switching back to PiHole from Diversion, but I will let people know.
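
Added example, not part of any post in this thread: a shell check that reads the two config files named in the how-to and reports which of the options discussed above (1, 2 or 4) a Pi-hole box is set up for, so a port clash with pixelserv-tls shows up before it is started. The function names, output strings and sample files are constructed for illustration, and it assumes each key appears once and uncommented.

```shell
#!/bin/sh
# Added example: function names, output strings and sample files are constructed.

# Print the value of KEY=VALUE from a pihole-FTL.conf style file.
# Assumes the key appears once, uncommented.
ftl_value() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"\r '
}

# Print lighttpd's server.port; lighttpd listens on 80 when it is not set.
lighttpd_port() {  # $1=file
    p=$(sed -n 's/^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${p:-80}"
}

# $1=pihole-FTL.conf  $2=lighttpd.conf, or "" when lighttpd is disabled (option 4)
classify_layout() {
    mode=$(ftl_value "$1" BLOCKINGMODE)
    if [ "$mode" != "IP-NODATA-AAAA" ]; then
        echo "not-ready: BLOCKINGMODE=${mode:-unset}"
        return 1
    fi
    if [ -z "$2" ]; then
        echo "option4: no lighttpd, pixelserv-tls can take 80 and 443"
        return 0
    fi
    port=$(lighttpd_port "$2")
    case "$port" in
        80)  echo "option1: lighttpd holds 80, pixelserv-tls only gets 443" ;;
        443) echo "conflict: lighttpd holds 443, move it to another port"; return 1 ;;
        *)   echo "option2: dashboard on $port, pixelserv-tls can take 80 and 443" ;;
    esac
}

# Constructed sample configs for the recommended layout (option 2).
demo=$(mktemp -d)
printf '# constructed sample\nBLOCKINGMODE=IP-NODATA-AAAA\n' > "$demo/pihole-FTL.conf"
printf 'server.document-root = "/var/www/html"\nserver.port = 8080\n' > "$demo/lighttpd.conf"
classify_layout "$demo/pihole-FTL.conf" "$demo/lighttpd.conf"
rm -rf "$demo"
```

On a real install the inputs would be the pihole-FTL.conf and lighttpd.conf the posts mention; the ports actually in use can then be confirmed with `ss -ltn`.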
 
@JimbobJay Good stuff that you've made it already. It's hard to assess one's capability based on two posts. I was really shooting in the dark in my responses. :)

One reason I could think of is that some people want the fancy charts/statistics i.e. PiHole's Dashboard. If that's required, option 2 is best. Otherwise, option 4 like you said will work too.

See if I could get more responses from pihole users, I perhaps will change the above post into a wiki/FAQ. Perhaps you guys could chime in details.

When I skimmed through their 4.0 release notes, seems Pihole made some advancement in FTL. Some stuff we briefly touched upon here previously on this forum. Perhaps it's just a coincidence and people do think alike.

So I would expect you get faster speed in resolving blocked domains if I'm not guessing wrong.
 
@JimbobJay Good stuff that you've made it already. It's hard to assess one's capability based on two posts. I was really shooting in the dark in my responses. :)

Yeah I get that so no worries. To be honest I was just kind of thinking out loud with my posts, and curious if anyone had tried it. Decided to go do it myself.


See if I could get more responses from pihole users, I perhaps will change the above post into a wiki/FAQ. Perhaps you guys could chime in details.

I think that's a great idea and would be happy to contribute in any way I could.

So I would expect you get faster speed in resolving blocked domains if I'm not guessing wrong.

I am comparing this new setup with my previous setup of AB-Solution (Diversion, since Sunday), and I can't say I have noticed a speed increase. I daresay that if I was comparing it to a previous pihole setup using NULL responses or their lighttpd responses that they used before, I would definitely have noticed a huge difference, but it's been so long that it's hard to compare (although I definitely remember having some https issues with pihole before). The main reason I switched from the pihole to AB-Solution in the first place was so that I could use pixelserv-tls and get proper HTTPS filtering.
 
I daresay that if I was comparing it to a previous pihole setup using NULL responses or their lighttpd responses that they used before, I would definitely have noticed a huge difference, but it's been so long that it's hard to compare (although I definitely remember having some https issues with pihole before). The main reason I switched from the pihole to AB-Solution in the first place was so that I could use pixelserv-tls and get proper HTTPS filtering.

Take this opportunity to do a bit self-promotion. lol

#1 reason for a layman who may want to run pixelserv-tls
I'm kinda surprised that not many people in PiHole community have picked up pixelserv-tls in the past year. Perhaps we need a few guys to spread the gospel. :)

I think the progress in FTL is sub-100ms level. On a busy network, shall be easier to see the difference on everyday use. It's just my guess though that I haven't looked at the code. My guess is based on the new feature of blocking by regular expression. If they get this far, perhaps some other optimization along the line could have been baked in or would be soon.
 
Hmm I'll have to look into it for my pihole, considering I'm looking at getting a faster board for it.
 
I've created a wiki page with instructions on how to run pixelserv-tls on Pi-Hole based on the discussion so far. Updated the post #47 to include the link. And repeated here: [PI-HOLE] Setup pixelserv-tls for Pi-Hole

Hmm I'll have to look into it for my pihole, considering I'm looking at getting a faster board for it.

Cool, pls keep us posted on your progress on whichever option you choose to experiment.
 
I've created a wiki page with instructions on how to run pixelserv-tls on Pi-Hole based on the discussion so far. Updated the post #47 to include the link. And repeated here: [PI-HOLE] Setup pixelserv-tls for Pi-Hole



Cool, pls keep us posted on your progress on whichever option you choose to experiment.
Will do as soon as I get another board; don't want to break my pi install.
 
Take this opportunity to do a bit self-promotion. lol

#1 reason for a layman who may want to run pixelserv-tls
I'm kinda surprised that not many people in PiHole community have picked up pixelserv-tls in the past year. Perhaps we need a few guys to spread the gospel. :)

I think the progress in FTL is sub-100ms level. On a busy network, shall be easier to see the difference on everyday use. It's just my guess though that I haven't looked at the code. My guess is based on the new feature of blocking by regular expression. If they get this far, perhaps some other optimization along the line could have been baked in or would be soon.

Nicely written.

Quick question, did you manually retrieve the page load data from chrome and input it into excel. Or by some off chance do you have this test procedure scripted?

Browser supplied load times are the best test for page snappiness but creating a subset of 10 websites, loading them 10x, and clearing cache in between is a major PITA.
 
Nicely written.

Quick question, did you manually retrieve the page load data from chrome and input it into excel. Or by some off chance do you have this test procedure scripted?

Browser supplied load times are the best test for page snappiness but creating a subset of 10 websites, loading them 10x, and clearing cache in between is a major PITA.

The tests were done manually by a keyboard warrior. He transferred the data from Chrome's status bar into Excel. I think I was desperate enough back then wanting to see some quantitative difference..

In a revised version of the steps, I could complete it in less than 15min. A good muscle exercise when you don't want to think. But you're right no one wants to do it often. LOL
 
The HOWTO is posted on Reddit.

See if we could get more pixelserv-tls users or get flamed. LOL
 
Pixelserv-tls on Github - would be really cool...
It would be cool to have something like GitHub and projects like pixelserv-tls on it.
Imagine what would come next.
 
