Show off Your Pi-Hole blocks (Alt Title: How to block devices from reporting back to corporate overlords)


#1

Currently, I block pretty much all devices from communicating back with the corporate overlords (at least for stats data).

How? Pi-Hole running on an RPi and a ton of Gravity rules and a few custom rules.

Logitech Harmony Hubs: (^|.)myharmony.com$
-- When you need to update your firmware or add/remove activities or devices, you'll need to either disable this rule or disable pi-hole whilst you are working.

Sonos: Add a block rule for msmetrics.ws.sonos.com (or use a Gravity list).

I have 7 Gravity lists going right now that blocks 95% of all ads on the internet and telemetry from various devices:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt

These are explicit blocks (the amazon.com one is needed to block telemetry from going back to Amazon for Alexa devices).
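To see what the rules above actually catch before rolling them out, here is an added example (not from this thread) that replays Pi-hole style gravity lists and regex rules against a domain offline. Pi-hole evaluates regex rules as POSIX ERE, which is what `grep -E` uses; the list contents are constructed samples, and gravity is assumed to match the exact domain only.

```shell
#!/bin/sh
# Added example: offline check of which Pi-hole mechanism would block a domain.
# Assumption: gravity entries match the exact queried domain (no implicit
# subdomain matching); regex rules are applied to the whole lowercased domain.

# Constructed sample of a hosts-format list (the StevenBlack layout).
GRAVITY_HOSTS='# constructed sample, not a real list
0.0.0.0 msmetrics.ws.sonos.com
0.0.0.0 ads.example.com'

# Constructed sample of a plain domain list, one domain per line.
GRAVITY_DOMAINS='tracker.example.net'

# Regex rules exactly as entered in Pi-hole, one per line. Note the unescaped
# dot in (^|.) matches any character, so notmyharmony.com matches as well.
REGEX_RULES='(^|.)myharmony.com$'

# Prints the blocking mechanism for a domain: gravity, regex, or none.
is_blocked() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Hosts files carry the domain in the second field; skip comment lines.
    if { printf '%s\n' "$GRAVITY_HOSTS" | awk '$1 !~ /^#/ && NF >= 2 { print $2 }'
         printf '%s\n' "$GRAVITY_DOMAINS"; } | grep -qxF -- "$domain"; then
        echo gravity
        return 0
    fi
    # grep treats each line of the pattern argument as a separate ERE.
    if printf '%s\n' "$domain" | grep -qE -- "$REGEX_RULES"; then
        echo regex
        return 0
    fi
    echo none
}

for d in msmetrics.ws.sonos.com svc.myharmony.com notmyharmony.com sonos.com; do
    printf '%-28s %s\n' "$d" "$(is_blocked "$d")"
done
```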


#2

One thing to note: You have to have pi-hole running as your primary DNS server. Most (but not all) consumer routers should allow you to set up pi-hole as the primary DNS on your network. If yours does not, you need a better router. :wink:

The primary benefit to this is that you no longer need to run an adblocker on your browser (on any machine in your network). I run Brave normally. Below is a test showing Brave's adblocker disabled and still no ads. :smiley:



#3

Certain devices are also bypassing the primary DNS settings from your local router (Hubitat, Google Home, Paradox Security etc).

In most cases, with a good-enough Router, you can (port) DNAT these back so they also funnel through the local block.

The DNAT isn't perfect, but it'll handle many of the outliers to the pure DNS reconfig option.


#4

Yeah, there are a few devices that do bypass and I've done exactly that (explicit rules that DNAT back to my pi-hole server). Typically my advice for those that don't have routers that support DNAT or port forwarding (which isn't really a workaround, but it seems to work in most cases), is to recommend being careful with what they put on their networks. That usually falls on deaf ears, but I do try at least.
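For routers that can do it, this added example (not from the thread) generates the iptables rules behind the DNAT approach described in the two posts above: log clients that try to reach a foreign resolver, redirect their port 53 traffic to the Pi-hole, and handle the hairpin case. It assumes an iptables-based Linux router; the interface name and Pi-hole address are constructed arguments, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: emit iptables rules that funnel LAN DNS back to a Pi-hole.
# Assumptions: Linux router using iptables, LAN interface and Pi-hole address
# given as arguments (the values used below are constructed).

dns_redirect_rules() {
    lan_if=$1
    pihole_ip=$2
    for proto in udp tcp; do
        # Detection: rate-limited log of any client sending DNS to something
        # other than the Pi-hole. mangle PREROUTING runs before nat, so the
        # original destination is still visible in the log line.
        echo "iptables -t mangle -A PREROUTING -i $lan_if ! -s $pihole_ip ! -d $pihole_ip" \
             "-p $proto --dport 53 -m limit --limit 6/min -j LOG --log-prefix 'DNS-BYPASS: '"
        # Redirect: rewrite the destination to the Pi-hole. The Pi-hole's own
        # upstream queries are excluded, otherwise they would loop back to it.
        echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole_ip" \
             "-p $proto --dport 53 -j DNAT --to-destination $pihole_ip:53"
        # Hairpin: when client and Pi-hole share a subnet, the Pi-hole's reply
        # would come from an address the client never queried and be dropped,
        # so source-NAT only the redirected (DNAT state) packets to the router.
        # Cost: Pi-hole logs those queries as coming from the router.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -d $pihole_ip" \
             "-p $proto --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE"
    done
}

# Review the output first; pipe it into sh to apply.
dns_redirect_rules eth1 192.168.1.2
```

The log prefix gives a quick way to list which devices ignore the DHCP-supplied resolver: grep the kernel log for `DNS-BYPASS` and read the `SRC=` field.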


#5

A down-n-dirty solution to keeping a device from calling home is to put it on a locally-controlled device and kill the power to it until it is time for an event.

I have two IR mini-blasters that have been outed in other HA forums as being excessively chatty with our Chinese overlords. HE only allows them a brief window of power, firing them up just 5 minutes before they're to launch the Roombas, then killing power as soon as the Roombas start.


#6

Power savings 101. :wink:


#7

Have had pi-hole running on my little NAS box for years. Love it. Thanks for sharing your list.


#8

Love my pihole as well. Serves me great for a while now. I have around 9 gravity lists. I am thinking of adding restricted mode for YouTube to pihole but got sidetracked with other useless stuff like yard work and real work. :frowning:


#9

They aren't Global Cache IP2IR are they?


#10

No, they're Broadlink-RM-Mini3s. The smart guys here haven't cracked them yet, either. IR blasters (of some sort) are the last thing I need to move to HE.


#11

We got rid of our Harmony hubs and replaced them with the IP2IR. It's a lot more work to set up (and more expensive), but no worries with Logitech! I use a version of this app and driver:

[RELEASE] Send IP2IR - Control all of your IR devices from your Dashboard

If the Broadlinks use telnet, you might be able to modify the code to work for them?


#12

I took the plunge today and implemented PiHole (standard install) on my PiHome. Wow browsing is SO much better and faster. I truly thank you for sharing this!

I have also found some python scripts that enable DDNS with GoDaddy so now I won't have to worry about IP changes next week when we switch internet providers. PiVPN is now using a CNAME which is directed to the root A record which is updated by this script.

Tonight was fun: nothing but sweet Raspberry Pi.


#13

Are you blocking or capturing devices that are using DNS over HTTPS (DoH)? If so, how? I would like to find an easy solution to this...


#14

Do you run on a separate Pi? Or on a device running other things? I have an RPi 3 running Cast-web-API and MotionEye and OpenVPN and the webCoRE dashboard (very light) and a couple other tiny apps (almost applets). Would I be safe running Pi-Hole on there or would you recommend running it on its own device? Also, if you would recommend running a dedicated device, does it have to be a full Pi or would a Pi Zero work? I looked at adding Pi-Hole a while ago but didn't want to totally bring my network to a crashing halt.


#15

I run OpenVPN, HomeKit, PiHole, and GoDaddyPy. No issues.


#16

Rokus are the worst, at least on my LAN.



#17

I have always wanted to set up. Very cool.


#18

Yeah, Rokus and Alexas are VERY chatty with their calls back to the mother ship. Microsoft is in a close third and Sonos devices in 4th.


#19

I run both my pihole servers on dedicated RPis, but that's only because I have over 100 WiFi devices and my network is super chatty.

On a less chatty network, a non-dedicated RPi would work fine.