Some notes on a privacy-minded Pi-Hole deployment
But why?
There are already a thousand how-tos on the Web about deploying Pi-Hole as a DNS resolver, and I don’t feel like writing yet another one that will be outdated in a few months because some parameter has changed somewhere.
Rather, this article gives pointers to other posts I found interesting while setting mine up.
Finding Ad lists
When deploying Pi-Hole 5.2.1, I found out that one of the built-in lists no longer existed.
In his article, Olivier Butterbach links to filterlists.com, which is exactly what I needed. From the site, I selected:
- “Lite” from https://github.com/badmojr/1Hosts (it blocks Facebook domains, so add those to the Pi-Hole whitelist if you’re a Facebook user)
- https://raw.githubusercontent.com/xxcriticxx/.pl-host-file/master/hosts.txt
- https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Adware-Filters.txt
That may seem like very few given the insane number of lists on the site, but every form of ad disappeared from my machines after enabling just these three, even with uBlock turned off. I’ll revise this if persistent ads show up.
Be warned that only lists marked with the Pi-Hole logo are in a format Pi-Hole can actually use (hosts-file or plain domain lists); a list written in uBlock/Adblock filter syntax will not work (duh).
Auto-refresh of the lists
A standard Pi-Hole install already drops a weekly gravity update into /etc/cron.d/pihole; if yours does not have one (a container or a manual install), or you want the lists refreshed more often, add a cron job for the pihole -g command to keep your ad lists up to date.
Use a local unbound instead of public resolvers
This howto makes a very valid point about why you should run your own recursive resolver (unbound), which walks the hierarchy from the DNS root servers itself and validates DNSSEC, instead of forwarding everything to public resolvers like Google or Quad9, even over DNS-over-TLS: encrypting the link to one upstream does not stop that upstream from seeing every query you make. The trade-off is that a recursive resolver talks to authoritative servers in the clear, but no single party gets the whole picture (unbound’s query name minimisation, on by default, further limits what the root and TLD servers see).
If you’re worried about privacy, I recommend following the proposed steps (I did myself). That may sound strange since I also have a tutorial about using DNS-over-TLS with OpenDNS and Google, but I use that in another context (a VPS that runs some public service and for which privacy is not a concern).
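To make the unbound step concrete, here is an added example (not code from the original post, the linked howto, or the Pi-hole project) of a minimal unbound configuration for a Pi-hole host, together with a check that DNSSEC validation actually works. It assumes unbound from the Debian/Raspberry Pi OS package, which installs the root trust anchor configuration (without a trust anchor unbound does not validate), the Debian `conf.d` layout, and that Pi-hole will be pointed at `127.0.0.1#5335` as its only upstream; `dnssec-failed.org` is Comcast’s intentionally broken test zone, and `cloudflare.com` is used as a zone that is known to be signed.

```shell
#!/bin/sh
# Example unbound setup and DNSSEC sanity check for a Pi-hole host.
# Added example, not code from the original post or from Pi-hole/unbound.
# Assumptions: unbound from the Debian/Raspberry Pi OS package (ships the root
# trust anchor config), and Pi-hole's only upstream will be 127.0.0.1#5335.

CONF=/etc/unbound/unbound.conf.d/pi-hole.conf   # assumed path (Debian layout)

# write_unbound_conf FILE: recursive-only resolver on loopback with DNSSEC hardening
write_unbound_conf() {
    cat > "$1" <<'EOF'
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    # Only trust glue records that are within the server's authority.
    harden-glue: yes
    # A trust-anchored zone that comes back without DNSSEC data is bogus,
    # not silently answered unvalidated.
    harden-dnssec-stripped: yes
    # Keep UDP answers below the fragmentation threshold; larger ones use TCP.
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    # Strip private addresses from upstream answers (DNS rebinding protection).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
EOF
}

# dig_status: read dig output on stdin, print the RCODE (NOERROR, SERVFAIL, ...)
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# dig_has_ad: succeed if the dig output on stdin carries the AD (authenticated data)
# flag, i.e. the resolver validated the answer with DNSSEC
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# dnssec_check: a signed zone must validate (AD flag) and a zone with deliberately
# broken signatures must be refused with SERVFAIL
dnssec_check() {
    if ! dig @127.0.0.1 -p 5335 +dnssec cloudflare.com A | dig_has_ad; then
        echo "FAIL: signed zone not authenticated (missing trust anchor?)"; return 1
    fi
    if [ "$(dig @127.0.0.1 -p 5335 dnssec-failed.org A | dig_status)" != SERVFAIL ]; then
        echo "FAIL: bogus zone was answered instead of refused"; return 1
    fi
    echo "OK: unbound validates DNSSEC"
}

case "${1:-}" in
    install) write_unbound_conf "$CONF" && systemctl restart unbound ;;
    check)   dnssec_check ;;
    *)       echo "usage: $0 install|check" ;;
esac
```

After `install`, set `127.0.0.1#5335` as the only upstream in Pi-hole’s DNS settings and leave Pi-hole’s own “Use DNSSEC” option off, since validation already happens in unbound; then run `check` and expect the OK line. If the bogus zone resolves, unbound is not validating, which almost always means no trust anchor is configured.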