Block cookies network wide for domains


#1

I find it annoying having to block the specific sites I do not want leaving cookies on my devices on each and every one of my devices and on every web browser. And some browsers make it difficult, not handling wildcard blocking properly.

So, it would be interesting to have the ability to have a cookie domain blacklist of domains you wish pi-hole to strip cookies from in both directions (in case you have been on 4G and come home).

If pi-hole is running a proxy server that takes ownership of the domains you wish to block cookies on, terminate https at that point, strip https, or re-encrypt with a self-managed certificate chain (maybe remove the HSTS headers too? :S)

And yes, I do understand this can be troublesome if someone for some reason wants to do it with YouTube; it will push a lot of traffic through pi-hole on a sizeable network, so it has to be used with care and for purposes where it’s needed.

In my case I would like to block pretty much every single news site I visit, or basically anywhere I consume public static content.


#2

Pi-Hole is a domain blocker. It either blocks or passes a domain request, and doesn’t see the content of any traffic that follows a passed domain request.

If you do not load a domain (Pi-Hole has blocked it), the domain cannot leave a cookie on your browser.

If you are having problems with cookies loading while off your network, setting up a VPN to your Pi-Hole may be the solution you seek:

https://docs.pi-hole.net/guides/vpn/overview/


#3

Hello.

I know what Pi-hole is capable of today. This was a feature request, as many ad-blockers let you block certain aspects of a domain, like uMatrix and uBlock, like cookies.

As explained, it is for sites you want, but don’t want to be tracked with cookies by.


#5

@Rudde

To explain some basics of web addresses to you.

If you were to navigate to https://www.reddit.com/r/pihole/

https:// is the protocol that is used to access the page. (others include http, ftp, etc…)

www.reddit.com is the domain (with the subdomain “www”). THIS is what Pi-hole can actually block.

/r/pihole/ is what is called a “path”. Any part of the URL after a domain is something that cannot be blocked by a domain (DNS) blocker like Pi-hole. Adblocking extensions for a browser and proxy servers are capable of doing more granular content filtering.

I hope this helps.


#6

I do understand that. That’s why this is a feature request and not a bug report.

I have explained in my proposal how it can be implemented, and certain limitations of what can be done.


#7

@Rudde

One of the core features of Pi-hole has always been low overhead.

Pi-hole blocks domains only, as a proxy server requires all content traffic to flow through it.

Low-powered devices such as the Raspberry Pi would not be capable of handling this kind of traffic.

You would also find a majorly increased latency when browsing the web.

Additionally, it is an added difficulty to force an entire network to use a proxy server. This typically has to be set up on each individual device.

If you are looking into proxy server functionality, I have seen tutorials out on the web that allow you to pair privoxy/squid with Pi-hole.

Pi-hole is a DNS server, not a Proxy server.


#8

My opinion - this is way out of scope. You are asking for the entire functionality of Pi-Hole to be changed. This isn’t a few lines of code or an enhancement or even a new feature - it’s a complete change in how Pi-Hole operates.


#9

I understand.

Is it possible to get Pi-Hole to resolve a domain or domains to another self-defined IP (like if I build this service myself as a standalone solution) to handle the request instead of returning a blank page?


#10

You can do this in the /etc/hosts file.


#11

@Rudde

I actually have something for dnsmasq that does this.

Step one: Install this to the dnsmasq.d directory (change the addn-hosts= to any directory).

Step Two:

Install this to the directory you used for addn-hosts=, and remove .default from the filename.

Note: this is nowhere near a perfect solution; the port requested from a domain will be the same one used by your browser. dnsmasq doesn’t let you switch ports that way. You may also run into certificate issues between websites.
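The attachments from the post above are not reproduced here, so the following is an added example (not the poster's files and not Pi-hole project code) of what posts #10 and #11 describe: a dnsmasq drop-in that points chosen domains at a self-defined IP, either through an `addn-hosts=` file in /etc/hosts format (exact names only) or through dnsmasq's `address=/domain/ip` form, which also covers every subdomain. The directory arguments, the file names `99-redirect.conf`, `98-wildcard.conf` and `redirect.hosts`, and the sample domains and 192.0.2.10 address are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project. Generates dnsmasq
# configuration that resolves selected domains to an IP of your own choosing,
# e.g. a host you run yourself that answers instead of the real site.
# All file names, directories, domains and the target IP are assumptions.

# write_redirect_config <dnsmasq.d dir> <hosts dir> <target ip> <domain>...
# Writes a hosts-format file and a drop-in that loads it via addn-hosts=.
# Entries in a hosts file match exact names only (news.example.com does not
# cover www.news.example.com). Prints the path of the drop-in it wrote.
write_redirect_config() {
    confdir=$1; hostsdir=$2; target=$3
    shift 3
    mkdir -p "$confdir" "$hostsdir"
    hostsfile="$hostsdir/redirect.hosts"
    : > "$hostsfile"
    for d in "$@"; do
        printf '%s %s\n' "$target" "$d" >> "$hostsfile"
    done
    printf 'addn-hosts=%s\n' "$hostsfile" > "$confdir/99-redirect.conf"
    printf '%s\n' "$confdir/99-redirect.conf"
}

# write_wildcard_config <dnsmasq.d dir> <target ip> <domain>...
# Uses address=/domain/ip, which dnsmasq applies to the domain and all of
# its subdomains. Prints the path of the drop-in it wrote.
write_wildcard_config() {
    confdir=$1; target=$2
    shift 2
    mkdir -p "$confdir"
    out="$confdir/98-wildcard.conf"
    : > "$out"
    for d in "$@"; do
        printf 'address=/%s/%s\n' "$d" "$target" >> "$out"
    done
    printf '%s\n' "$out"
}

# redirect_target <hosts file> <domain>
# Prints the IP a name maps to in the generated hosts file, or nothing.
redirect_target() {
    awk -v d="$2" '$2 == d { print $1 }' "$1"
}

# Usage (writes under a scratch directory so nothing on the host changes):
#   tmp=$(mktemp -d)
#   write_redirect_config "$tmp/dnsmasq.d" "$tmp/hosts" 192.0.2.10 news.example.com
#   write_wildcard_config "$tmp/dnsmasq.d" 192.0.2.10 tracker.example.net
# Copy the drop-in into /etc/dnsmasq.d/ and the hosts file to the path named
# in addn-hosts=, then send dnsmasq a SIGHUP (Pi-hole's restartdns command
# does this) so it re-reads the addn-hosts file.
```

As the post notes, DNS can only change where a name resolves, not which port or scheme the browser uses: an HTTPS request redirected this way still arrives at your IP on port 443 expecting a certificate for the original name, so the browser will reject it unless the replacement host presents a certificate the client trusts for that name. The `address=` form is the one to use when the goal is a whole domain including its subdomains; the hosts-file form is simpler to audit because each line is a single exact mapping.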