The0retical
The0retical SuperDork
1/26/18 12:09 a.m.

I've wanted to build one of these for a while since it solves a bunch of minor irritations that I have with using ad-blocker plugins, mobile browsers, my Rokus, and various drive by malware attacks.

If you're not familiar with a Pi-Hole, it's an open source project that runs on a Raspberry Pi (the $35 micro computer). The big draw of doing this is that the ad-blocking occurs at the session level of the network rather than the application layer. What this means to you is a reduction of bandwidth, since the ads/malware never make it to your browser, and you no longer have to deal with iffy plugins. Additionally, the Pi has no fans and very low power consumption, which makes it ideal for this task.

Newark/Element 14 carries starter kits (they're also great for electronic components in general.) I just rolled my own with one of the official cases as I'm not going to do any heavy lifting with it and didn't want the clear one on my shelf in the kitchen.

The board is pretty small but packs a 1.2 GHz quad core Arm processor, a gig of RAM, a wireless card, Bluetooth, NIC, 4 USB ports, HDMI and stereo outputs. I added the heat sinks because they were $4, so what the hell.

From there, with the official case anyway, it's a snap together affair. (Hopefully my fancy .gif works)

Plug in a keyboard, mouse, and monitor, then the power cord and you're greeted with some fancy ASCII art and the Raspbian OS boot screen. (Don't mind the walls or the wingback chair I'm recovering. They're on my list of things to do once my kids reach an age where they can amuse themselves for an hour.)

Configure Raspbian with the correct date, time, US English, US English keyboard mapping (or Dalvik if you swing that way), and get it on your network.

Open the command prompt and smash in the correct command:

Magic happens.

Then you'll run through the configuration. If you have any network knowledge this is pretty easy to step through; even if you don't, the defaults will work fine (I only changed the DNS to Level3 instead of Google as Level3 has a Net Neutrality stance I very much appreciate) and choose a static IP for the Pi outside of your dynamically assigned range.

Plug your Pi-Hole into your router.

Alter the settings on your router so they don't incorporate that IP into the dynamically assigned range.

Change the DNS from your ISP to the Pi's static IP address.

And voilà, you now have a device which monitors your network DNS traffic and blocks ad/malware domains from passing DNS addresses to your endpoints. All you need to do is whitelist GRM's advertisers through the very nice interface and you're good to go. Sorry GRM staff, I'm still not unblocking that 3rd party ad server as I still get the Amazon/Walmart gift card ads here and there. The ads which only show 3 or 4 different advertisers from one of the DoubleClick domains haven't caused an issue so they get a pass.

Interested to see how this goes but so far there's a marked improvement in performance with my mobile devices. It also manages to kill those "White list us" full page popups. It literally took me longer to write this than the entire project took, it's that easy.

eastsideTim
eastsideTim UltraDork
1/26/18 7:15 a.m.

Ooh, I like this.  I’ve even got a Raspberry Pi laying around that I am not using right now.

RossD
RossD MegaDork
1/26/18 7:23 a.m.

My RPI2 has no meaning in life right now since I upgraded to Stretch and RetroPie doesn't do Stretch. So maybe I'll try this.

GameboyRMH
GameboyRMH MegaDork
1/26/18 7:56 a.m.

Couldn't you have done something similar with different router firmware like OpenWRT? Cool idea, but I don't think it needed dedicated hardware.

gearheadmb
gearheadmb Dork
1/26/18 8:05 a.m.

So is that just router>raspberry>screen/keyboard/etc or router>raspberry>pc>screen? Explain like I'm five.

The0retical
The0retical SuperDork
1/26/18 8:14 a.m.

In reply to GameboyRMH :

I believe you can with OpenWRT but it requires more configuration and there didn't appear to be as many data logging options that I could easily parse for whitelisting. The decision came down to how hard I'd have to try to administrate it and ease of troubleshooting with the extra spice of the Nighthawk being 2 hours old at that point. For 50 bucks I decided I'd rather configure the Pi and have the removable hardware if need be.

The0retical
The0retical SuperDork
1/26/18 8:24 a.m.
gearheadmb said:

So is that just router>raspberry>screen/keyboard/etc or router>raspberry>pc>screen? Explain like I'm five.

The Pi can run headless (without a screen) and Pi-Hole has a local web portal you can configure and monitor it from. The Screen/Keyboard/Mouse is only really required for initial setup.

After that you hook the modem to the router's WAN port then plug the Pi into the router's LAN port. The distilled way this functions is when the response from a user-submitted query is received, the router passes all DNS information to the Pi, which compares all the domains attempting to pass information to your browser against a maintained blacklist. Any domain not on that blacklist is passed through the local network to the device requesting the information to render the page. Any known "bad" DNS entries on the blacklist are sent a "received" response and the paths required to render elements are never passed to the end point, appearing as if the element simply doesn't exist on the final rendered page. It's actually pretty ingenious.

I did approve GRM's doubleclick advertiser ID since it only appears to serve a handful of vetted ads. We've also had timely responses from the staff when things go wrong which makes me comfortable with how GRM handles this (I also subscribe and gift subscriptions in an attempt to compensate.) GRM seems to be the only place on the internet that understands the irritation of the drive by malware attacks via ad network and, since I use this service a lot, I have to at least acknowledge how the funding works.

Also Coinhive is blocked by this as well. If you haven't experienced the bottom of the barrel scraping nonsense that is Coinhive you're lucky. There have been some reports that the service, or ones like it, are damaging mobile devices from the heat buildup by overtaxing the processor and I'd very much like to avoid one of those situations. Google "Cryptojacking" if you're interested.

Armitage
Armitage HalfDork
1/26/18 8:27 a.m.
The0retical said:

Configure Raspbian with the correct date, time, US English, US English keyboard mapping (or Dalvik if you swing that way), and get it on your network.

Nice write up! Someone's rooted a few too many Android devices in the past methinks.

The0retical
The0retical SuperDork
1/26/18 8:49 a.m.

In reply to Armitage :

I don't think I've owned a single Android device since Android 1.5 which hasn't been rooted and run a custom version of Android. In the past this was due to needing tethering and an end run around Verizon's artificial controls. I'm pretty bad at the whole "leave well enough alone" thing.

I was wondering if anyone would catch that though ;)

RevRico
RevRico UltraDork
1/26/18 9:03 a.m.

 

Once I've recovered some from the truck purchase, I've been looking at a Pi to add a web controller to my 3D printer, so I wonder if I can make it do double duty as an ad blocker and printer host. Then again, they're cheap enough and powerful enough for standalone units.

ProDarwin
ProDarwin PowerDork
1/26/18 10:05 a.m.

Does it restrict bandwidth at all?  Does all network traffic have to pass through the Pi (and its notoriously slow network port)?

 

AWSX1686
AWSX1686 Dork
1/26/18 10:10 a.m.

I do need to look into this...

red_stapler
red_stapler Dork
1/26/18 10:32 a.m.
ProDarwin said:

Does it restrict bandwidth at all?  Does all network traffic have to pass through the Pi (and its notoriously slow network port)?

 

I believe it's just the DNS traffic, so bandwidth would not be affected.

The0retical
The0retical SuperDork
1/26/18 11:03 a.m.
red_stapler said:
ProDarwin said:

Does it restrict bandwidth at all?  Does all network traffic have to pass through the Pi (and its notoriously slow network port)?

 

I believe it's just the DNS traffic, so bandwidth would not be affected.

That's correct. I didn't see any indication it slowed network traffic, including some online games, down when I brought it online. Anecdotal testing actually appeared to have a net speed increase for page load times. If I do have some slowdowns I'll report back on it.

dculberson
dculberson UltimaDork
1/26/18 1:59 p.m.

I’m going to need to do this. Mobile phone ad blockers are no good. 

DrBoost
DrBoost MegaDork
1/26/18 3:45 p.m.

I want to do this, but don't really understand what it is or how to do it. 

Can this monitor web traffic on my network as well? Like keep a history of what pages were visited by what device?

The0retical
The0retical SuperDork
1/26/18 4:52 p.m.

In reply to DrBoost :

It keeps a log of all the domains which tried to make contact and which were allowed through. So you could parse the data and get a log of the sites visited. Or turn off logging if you don't want it, that option exists. I have it on so I can tell if any IoT items or other devices are phoning home without my knowledge.

The easiest way to think of this is that it operates like an ad blocker but A) it affects all devices on your network and B) The ads never make it to your device so you gain some network performance and reduce the risk of exposure to malware through ad networks.

There's a lot of geek stuff that goes with this, and some voids in my write up like where to change the keyboard layout. If anyone has a question on that I'll be happy to fill in the blanks.

Bonus: This is a very visible open source project so the likelihood some malicious code could get in there exists but it'll show up in the changelog and likely be noticed by the community very quickly.

Edit: Another cryptojacking article from today and served on YouTube... Confirmation bias is a wonderful thing.
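The per-device view described in the posts above (which device asked for which domains, and which lookups hit the blocklist), as an added example that is not part of the original thread and not Pi-hole's own code. It assumes dnsmasq-style query log lines and exact-name blocklist matching; the log lines, blocklist entries and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed blocklist and log lines (not taken from the thread). The log
# lines follow dnsmasq's query-log layout: "query[TYPE] NAME from CLIENT".
BLOCKLIST = {"ads.example.net", "telemetry.example-iot.test"}
SAMPLE_LOG = """\
Jan 26 16:50:01 dnsmasq[612]: query[A] www.example.org from 192.168.1.20
Jan 26 16:50:01 dnsmasq[612]: forwarded www.example.org to 203.0.113.53
Jan 26 16:50:02 dnsmasq[612]: query[A] ads.example.net from 192.168.1.20
Jan 26 16:50:07 dnsmasq[612]: query[AAAA] telemetry.example-iot.test from 192.168.1.45
Jan 26 16:50:09 dnsmasq[612]: query[A] Telemetry.Example-IoT.test. from 192.168.1.45
Jan 26 16:50:12 dnsmasq[612]: query[A] updates.example-iot.test from 192.168.1.45
"""

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def summarize(log_text, blocklist):
    """Return {client: {"blocked": {domain: count}, "allowed": {domain: count}}}."""
    blocked_names = {normalize(d) for d in blocklist}
    report = defaultdict(lambda: {"blocked": defaultdict(int), "allowed": defaultdict(int)})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwards, replies and unrelated lines are skipped
        name = normalize(m.group("name"))
        verdict = "blocked" if name in blocked_names else "allowed"
        report[m.group("client")][verdict][name] += 1
    return report

def top_blocked_clients(report):
    """Clients ordered by number of blocked lookups (the 'phoning home' view)."""
    totals = {c: sum(v["blocked"].values()) for c, v in report.items()}
    return sorted(((c, n) for c, n in totals.items() if n), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, BLOCKLIST)
    for client, n in top_blocked_clients(rep):
        print(client, n, dict(rep[client]["blocked"]))
```

A device with many blocked lookups and few allowed ones is the kind of IoT chatter the post mentions watching for; the allowed list per client is the browsing-history view.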

DrBoost
DrBoost MegaDork
1/27/18 7:31 a.m.

Thank you very much. I think I'm going to do this as well, as long as you don't mind me tapping your knowledge base here and there.

The0retical
The0retical SuperDork
1/27/18 2:08 p.m.

In reply to DrBoost:

Not a problem. It's pretty easy overall and I thought the project would be fun to share here since advertising is becoming more and more aggressive. My job title is Sales and Marketing and even I disapprove of how bad it's become.

 

UPDATE #1

No major issues. YouTube ads are not being served during the viewing of videos when streamed to my Roku (one of the major drivers in the first place. I can handle before but during is irritating) and seem to also be blocked through my browser. The YouTube app on my phone still seems to serve them. There appears to be some debate on the Reddit Pi-Hole community about how YouTube is accomplishing this (probably serving them directly rather than a separate query. A benefit of owning the ad network I guess) so if they bother you don't use the phone app.

T.J.
T.J. MegaDork
1/27/18 2:49 p.m.

I like this. I have a Pi that I use to run OctoPi. That was my first and only Pi experience and it was fairly easy to set up. I think I'll try this.

mikeatrpi
mikeatrpi HalfDork
1/28/18 2:09 p.m.

Awesome.  Thank you.  I just set this up at home.  I really need to learn just what else my Pi can do too!

bgkast
bgkast PowerDork
1/28/18 2:23 p.m.

Cool. My son and I built a RetroPie a year ago, and this looks like a good follow up project.

The0retical
The0retical UberDork
1/28/18 11:48 p.m.

Update #2: YouTube ads are definitely blocked on the Roku. The browser still plays in-video ads however. The page ads are blocked so it's definitely a stream injection.

Looking at the logs it appears that the domain name server being used is coming from core process YouTube servers, one of which is the mechanism which tracks video history the other is the actual server the video is located on. Blacklisting it cripples YouTube. Cute. 

The Roku ads are being served from a doubleclick domain so they're being picked up. Not sure why this is but I'll take it.

The rest of the internet is still fantastic to browse now. I doubt anyone besides Facebook and Google can pull off the embedded ad from an essential part of the service, so the problem is contained there.

uBlock Origin picks up the ads still but the idea was to eliminate that add-on. It also appears to be a pretty recent change by the various discussion dates.

dculberson
dculberson UltimaDork
1/29/18 10:31 a.m.

I'm going to set one up for my office to begin with. My one concern so far is heat - it's going in a mechanical room that isn't air conditioned other than incidentally. Do you think it's worth upgrading the case to one with a fan or am I adding unneeded complication? It looks like I can get a fan case for about $13 so cost isn't a problem, I just want to make sure it's at least a little helpful.

The0retical
The0retical UltraDork
1/29/18 12:27 p.m.

In reply to dculberson :

I looked into putting a fan on mine. The consensus online appeared to be that it's really only needed if you're doing some overclocking and high load work. The Pi-Hole program doesn't seem to be too resource intensive so mine appears to have leveled out at about 50C with just the heat sinks in the official case (house is maintained at 73 degrees F (23C).) I don't think that's too awful since my gaming computer is set to start throwing a fit at 90C.

If it's in a mechanical room it probably wouldn't hurt but I don't think it's really necessary unless the room is really baking.
