pi-hole local daemon/service
Open, High, Public

Description

https://pi-hole.net/

It could be quite powerful to have pi-hole service running within PureOS, I could see if we could route DNS through the localized service, then block ads on the local level to the hardware, and have this option to enable/disable be below VPN/networking in the upper right drop-down settings menu in GNOME.

Can you test and see if there is a way to get a pi-hole-like service but local to the laptop/PureOS (rather than a separate DNS server on the network)?

todd created this task. Sep 7 2017, 4:54 PM
todd triaged this task as "High" priority. Oct 6 2017, 7:37 PM
todd added a subscriber: zlatan.todoric.

Theo,

Could you look into this as two possible implementations:

  1. Local within PureOS on our devices (the original ticket this was created for)
  2. Included within Purist VPN service (on the server)

Todd.

Shane added a subscriber: Shane. Oct 31 2017, 11:51 PM

@todd A comment in the script says:

  1. Must be root to use this tool

I didn't go through all 429 lines of code, but if we plan to use something like this by default in PureOS we need to review it beforehand. Every time an update is available it will have to be reviewed before being included.

Also we will not have control over what is filtered. The blacklists are supplied externally, and even though I think they are probably nice guys, every filtering system is susceptible to false positives and false negatives. This can lead to hilarities like labeling Michelangelo's David as porn, for example.

Testing will be needed to establish if it plays well with our VPN. Our VPN uses its own DNS resolvers. The queries from the VPN to the DNS resolvers are encrypted and no logs are kept. This is a safeguard against the DNS leaks headache. We need to ensure that using Pi-hole will not negate the privacy of the VPN users and that the VPN will not limit the effectiveness of Pi-hole.

I think we could offer/recommend this as an option to PureOS users/Purism customers but I feel a bit uneasy including this as default in PureOS.

When I tested pi-hole it demolished my machine's network configuration, making it unable to connect to the network at all, while the uninstall script failed badly, so I needed to manually hunt down changes and remove them...
While a good idea, it is still not mature for prime time.

d3vid added a subscriber: d3vid. Nov 3 2017, 10:58 AM
d3vid added a comment. Nov 3 2017, 12:24 PM

Pi-hole has an unusual license (EUPL v1.2). I've submitted it to FSD for evaluation on that front: https://directory.fsf.org/wiki/Pi-hole

(It needs to be approved. Click "View the most recent revision" to see details while we wait for that.)

d3vid added a comment. Nov 22 2017, 1:23 PM

I've reviewed Pi-hole and made some notes here: https://plan.puri.st/upstream/pihole

Highlights:

  • Pi-hole is not designed for local installation. On a laptop you'd want to install it on a Docker container. We could put together a recipe for this, but I'm going to put that on the backburner for now.
  • There are recipes for OpenVPN + Pi-hole configurations. I'll send these to sys team for review. Could be as simple as a separate box before/after the DNS box.
  • They don't plan on packaging and their development and release methodology is highly bespoke. They do seem to be active, though (new release somewhat imminent).

admin added a subscriber: admin. Edited Nov 22 2017, 2:44 PM

I'm still not sure how this thing works. Do you rely on their DNS service or is it a local DNS service on the installed machine?

admin added a comment. Nov 24 2017, 4:16 PM

I gave it a try. The setup wizard promotes these DNS services (in this order):

  • Google
  • OpenDNS
  • Level3
  • Norton
  • Comodo
  • DNS Watch
  • Custom

The setup wizard asks for a static IP! That means this cannot be used on the laptops (unless it is contained in Docker as David suggested). We could give it a try on our VPN and use our own DNS Servers.

@todd @d3vid @zlatan.todoric

d3vid added a comment. Nov 26 2017, 3:57 AM

Thanks @theodotos.andreou - please give it a try and let us know :)
