Block cookies network wide for domains

Rudde · October 17, 2018, 11:23pm

I find it annoying having to block the specific sites I do not want leaving cookies on my devices on each and every one of my device and on every web browser. And some browsers make it difficult not handling wildcard blocking properly.

So, it would be interesting to have the ability to have a cookie domain blacklist on which domains you wish pi-hole to strip cookies from in both directions (in case you have been on 4g and come home)

If pi-hole is running a proxy server that take ownership of the domains you wish to block cookies on, terminate https at that point, strip https, or re-encrypt with self managed certificate chain (maybe remove the HSTS headers too? :S)

And yes, I do understand this can be troublesome if someone for some reason want to do it with youtube, it will push a lot of traffic through pi-hole on a sizeable network, it has to be used with care and for purposes where it's needed.

In my case I would like to block pretty much every single news site I visit, or basically anywhere I consume public static content.

jfb · October 17, 2018, 11:41pm

Pi-Hole is a domain blocker. It either blocks or passes a domain request, and doesn't see the content of any traffic that follows a passed domain request.

If you do not load a domain (Pi-Hole has blocked it), the domain cannot leave a cookie on your browser.

If you are having problems with cookies loading while off your network, setting up a VPN to your Pi-Hole may be the solution you seek:

https://docs.pi-hole.net/guides/vpn/overview/

Rudde · October 17, 2018, 11:46pm

Hello.

I know what Pi-hole is capable of today. This was a feature request, as many ad-blockers let you block certain aspects of a domain, like uMatrix and uBlock, like cookies.

As explained it is for sites you want, but don't want to be tracking with cookies from.

deathbybandaid · October 18, 2018, 12:32am

@Rudde

To explain some basics of web addresses to you.

If you were to navigate to https://www.reddit.com/r/pihole/

https:// is the protocol that is used to access the page. (others include http, ftp, etc..)

www.reddit.com is the domain (with the subdomain "www"). THIS is what Pi-hole can actually block.

/r/pihole/ is what is called a "path". Any part of the url after a domain is something that cannot be blocked by a domain (DNS) blocker like Pi-hole. Adblocking extentions for a browser and proxy servers are capable of doing more granular content filtering.

I hope this helps.

Rudde · October 18, 2018, 6:41am

I do understand that. That's why this is a feature request and not a bug report.

I have explained in my proposal how it can be implemented, and certain limitations of what can be done.

deathbybandaid · October 18, 2018, 12:14pm

@Rudde

One of the core features of Pi-hole has always been low overhead.

Pi-hole blocks Domains only, as a proxy server requires all content traffic to flow through it.

Low-powered devices such as the Raspberry Pi would not be capable of handling this kind of traffic.

You would also find a majorly increased latency when browsing the web.

Additionally, it is an added difficulty to force an entire network to use a proxy server. This typically has to be setup on each individual device.

If you are looking into proxy server functionality, I have seen tutorials out on the web that allow you to pair privoxy/squid with Pi-hole.

Pi-hole is a DNS server, not a Proxy server.

jfb · October 18, 2018, 4:22pm

My opinion - this is way out of scope. You are asking for the entire functionality of Pi-Hole to be changed. This isn't a few lines of code or an enhancement or even a new feature - it's a complete change in how Pi-Hole operates.

Rudde · October 18, 2018, 4:29pm

I understand.

Is it possible to get Pi-Hole to resolve a domain or domains to another self-defined IP (like if I build this service myself as a standalone solution) to handle the request instead of returning a blank page?

jfb · October 18, 2018, 5:10pm

You can do this in the /etc/hosts file.

deathbybandaid · October 18, 2018, 6:58pm

@Rudde

I actually have something for dnsmasq that does this.

Step one: Install this to dnsmasq.d directory (change the addn-hosts= to any directory)

github.com

deathbybandaid/piadvanced/blob/master/piholetweaks/dnsmasqtweaks/07-customredirect.conf

## This is just the dnsmasq side of things.
## to add redirects, you will need to edit
## /etc/piadvanced/installscripts/customRedirect.list
addn-hosts=/etc/piadvanced/piholetweaks/customRedirect.list

Step Two:

install this to the directory you used for addn-hosts=, and remove .default from the filename.

github.com

deathbybandaid/piadvanced/blob/master/piholetweaks/customRedirect.list.default

## This config will theoretically let you redirect a page to something other than 127.0.0.1 or localhost
#
## Example:
# If you want to redirect bing to google,,,
# google.com bing.com
#
#Or if you want requests for a website to be redirected to a internal site.
# IPADDRESSOFINTERNAL bing.com
#
## This may not always work

Note: this is nowhere near a perfect solution, the port requested from a domain will be the same one used by your browser. dnsmasq doesn't let you switch port that way. You may also run into certificate issues between websites.