Pi-hole has helped improve my “relationship” with Firefox, or better phrased with Firefox forks like LibreWolf and Tor browser. Cool thing with Pi-hole is that you can watch the query log and see what happened in the background while you were surfing the Internet. I learned that :

  • After removing the sponsored shortcuts in Firefox and putting your own shortcuts there Firefox will make connections each time you start the browser. So, if you would have icons on your quick start page in Firefox for let’s say EFF, Lemmy, Mastodon, HackerNews, with each Firefox start up, it would query these sites. which I didn’t like so much. Since then I’ve gone back to a complete blank start page, removing search and all those quick start icons, using just toolbar folders with bookmarks.

  • Pi-hole defaults to blocking telemetry for Firefox and Thunderbird.

  • Signal uses Google servers I saw via Pi-hole. I thought that they were using Amazon servers, but looking at Wikipedia for the history of Signal hosting I learned that Signal went back to Google for hosting.

  • Firefox push notification services are hosted on Google servers. LibreWolf removes a lot of Google things that Firefox has by default, but not the push parts. With Pi-hole it is very easy to block that.

  • ZeDoTelhado@lemmy.world
    link
    fedilink
    arrow-up
    35
    ·
    7 months ago

    Pi hole is an amazing tool and gives a lot of insight on what is being queried and blocked against the block lists. Also, makes completely transparent on the entire network to have nasty things blocked. One thing I will mention to make the setup better: make sure on the firewall level you can have a rule that makes every request for a DNS to go through pi hole. Some devices will use a hard coded DNS instead of respecting the one on the network

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        Yes but I think OP is referring to plain DNS requests to a preferred server.

        You can hijack port 53 and redirect them to your preferred server. Also acts as a method of hardening DNS for devices and apps that do not support encrypted DNS.

        • ZeDoTelhado@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          7 months ago

          Forgot to mention the port but that’s it. Notorious devices like smart TVs and consoles like to use the hard coded DNS method

        • Turun@feddit.de
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          7 months ago

          Some devices will use a hard coded DNS instead of respecting the one on the network

          Right, and I am pointing out that non-cooperative devices still won’t be blocked by pihole if they so desire.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            Only if they do encrypted DNS, and you can still block them, you just can’t force them to use the DNS you want. Embedded devices tend to avoid encryption to cut down on hardware requirements, they typically even pull their updates over unencrypted connections. IoT is a crazy world. 😃

            And may I point out that if you have embedded devices freely connecting to the Internet you have a lot bigger problems than the fact they use encrypted DNS. Hell you should be so lucky for them to use encrypted DNS, at least it would be secure.

              • lemmyvore@feddit.nl
                link
                fedilink
                English
                arrow-up
                2
                ·
                7 months ago

                Media players, TVs, IP cameras, lightbulbs… anything with wifi capability really.

                • Chiro@lemm.ee
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  7 months ago

                  Is there a safe way to use these devices? I’m moderately tech savvy at best, and I do worry a lot about my tv. I also use some smart plugs to manage equipment on my aquarium, but that’s it. I’ve considered the implications of these devices, but didn’t know if there was anything I could do about it.

      • youmaynotknow@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        Who do you think developed DoH? Google has it’s paws on everything. It may be private, but as soon as I see Google, I’m out of there.

      • ZeDoTelhado@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        7 months ago

        I was making a quick check, and yes, the DoH situation is a bit more dicey. From how I see it, the best way to make this work is to, at the firewall level, either block as much as possible any requests that look like DoH (and hope whatever was using that falls back to regular DNS calls) or setup a local DoH server to resolve those queries (although I am not sure if it is possible to fully redirect those). In that sense, pihole can’t really do much against DoH on its own

        EDIT: decided to look a bit further on the router level, and for pfsense at least this is one way to do this recipe for DNS block and redirect

        • Turun@feddit.de
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          7 months ago

          Right, so flowing that link there are three ways for DNS:

          Classic on port 53,

          Dns over TLS on port 853

          Dns over https.

          The first two can be blocked, because they have specific ports exclusively assigned to them. DoH can’t be blocked reliably, because it is encrypted and on a common port. Though blocking 443 on common DNS resolvers can force some clients to fall back to one of the variants that can be blocked/redirected

      • Pete90@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        With most firewalls, there is an option to download ip lists for blocking. There are several list I don’t recall right now, that aggregate DoH services. It’s not perfect, but better than nothing.

    • aStonedSanta@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago

      What does something like this look like? I have an Orbi pro but have never really messed with firewall settings

      • ZeDoTelhado@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        Hm… I am not familiar with that device myself, and since I use opnsense for a while I forget most people do not use routers outside of the provided one.

        But in a theoretical sense, this firewall rule should look something like this:

        • origin of traffic is any IP that goes into port 53
        • outgoing traffic has to go to pi hole on port 53
        • aStonedSanta@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          7 months ago

          Perfect thank you. My brain gets that. Had a long day of work working on IP centrex phones remotely with dumb end users.