Is there a point to use pi-hole at all?

Reading through the FAQ I found out that pi-hole essentially does not work for HTTPS requests (if I understand that correctly).

Now I am a little confused. Keeping in mind the big push in past year or so toward (practically) eliminating non HTTPS sites, I have to ask - what is the point of using the pi-hole at all?

Of course it is possible that I understand this situation wrong. In that case I'd like to get an explanation dumbed down enough that a noob like me can understand it.

1 Like

I just checked and it looks like https is being cached:
site - api.github.com localhost OK (cached)

I guess if you have a new PC and healthy bandwidth you might say there is no point.
There are many tracking, malware, and telemetry servers. Also your PC can become a peer sharing things with other unknown PCs; I think it's called being used as content delivery.

The fact that the Pi-hole caches DNS actually saves time in requesting information because it is ms away.
You can test this DNS with GRC's DNS Benchmark https://www.grc.com/dns/benchmark.htm Click the pic to download (It also works with PlayOnLinux). You have to rebuild the custom resolvers list first to find the fastest servers in your area of the world.

Pi-hole is a DNS server; it doesn't get involved in the HTTP/HTTPS process. It does its work before the browser even gets to the point of processing HTTP/HTTPS traffic.

When you want to view a site, say www.baddomain.com, via either HTTP or HTTPS, your browser needs to know how to find www.baddomain.com, so it sends out a DNS query that asks "Where can I find this site?" Since everything on the internet goes by the actual IP address, you need to know the IP address where that domain resides. The DNS query (the thing that takes www.baddomain.com and translates that to an IP address) goes to the Pi-hole, and it checks to see if that is a domain that should be visited or should be blocked. If it is okay to visit, the IP address of the domain is passed back to the browser, the browser then visits that IP address and requests the contents of the webserver, and that is sent back either over HTTP or HTTPS. If it is a domain that should be blocked, the IP that is sent back is that of the Pi-hole itself, and you get the blockpage contents instead. You never even get the contents of the bad domain.

The reason we say that it doesn't do HTTPS is that HTTPS is signed with a certificate, and we can't replicate that certificate, that would be what is called a Man in the Middle attack. But we don't need to be involved in that, as we really don't even see HTTP/HTTPS traffic, we work before any of that part of the process starts.


4 Likes
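The decision the post above describes, written out as a small added illustration (this is not Pi-hole's own code; Pi-hole's resolver is dnsmasq/FTL). It parses a real DNS A query in wire format, looks the name up in a constructed blocklist the way a gravity list is consulted (exact or parent-domain match), and either answers with the sinkhole address (assumed here to be the Pi-hole's own IP, 192.168.1.2, as the post says) or with the address an upstream resolver would have returned (a constructed stand-in table instead of a real forward). Nothing in it touches HTTP or TLS, which is the point:

```python
"""Toy DNS sinkhole: the choice a Pi-hole makes before any HTTP/HTTPS traffic
exists. Added example, not Pi-hole code. Blocklist, IPs and queries are constructed."""
import struct

# Constructed blocklist in gravity-list style (one domain per entry).
GRAVITY = {"ads.example", "tracker.example"}
# Assumed Pi-hole address: blocked names resolve here, so the block page is served.
SINKHOLE_IP = "192.168.1.2"
# Stand-in for the upstream resolver the query would otherwise be forwarded to.
UPSTREAM = {"www.example.org": "93.184.216.34"}


def is_blocked(qname, gravity=GRAVITY):
    """True if the name or any parent domain is on the list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in gravity for i in range(len(labels)))


def build_query(qname, txid=0x1234):
    """Encode a minimal DNS A query (constructed client input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(packet):
    """Return (name, offset just past the terminating zero label)."""
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode())
        pos += n
    return ".".join(labels), pos


def build_response(query, ip):
    """Answer the query with a single A record pointing at ip."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = parse_qname(query)
    question = query[12:end + 4]  # name + QTYPE + QCLASS, echoed back
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # ptr to name, A, IN, TTL
    return header + question + answer


def resolve(query):
    """The sinkhole decision: block, forward, or no such name."""
    qname, _ = parse_qname(query)
    if is_blocked(qname):
        return "blocked", build_response(query, SINKHOLE_IP)
    ip = UPSTREAM.get(qname.lower())
    if ip is None:
        return "nxdomain", None  # simplified: a real resolver sends an NXDOMAIN reply
    return "forwarded", build_response(query, ip)


def answer_ip(response):
    """Read the A record back out, as the browser's resolver would."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("ads.example", "sub.tracker.example", "www.example.org"):
        status, resp = resolve(build_query(name))
        print(name, "->", status, answer_ip(resp) if resp else "")
```

The browser only ever sees the address that comes back; whether it then speaks HTTP or HTTPS to that address is decided afterwards, which is why the blocking works the same for both.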

Have you looked into pixelserv-tls as a solution for the HTTPS certificate issue?

pixelserv-tls is a fork of pixelserv with added support for HTTPS - the tiny webserver that responds to all requests with "nothing" and particularly useful for whitelisting hosts on troubled websites, and for mining "big data" on adservers and trackers.

Certificates for adserver domains are automatically generated at real-time upon first access. All requests to adserver are optionally written to syslogd. The stats in text format are preserved, good for command line parsing. The same stats in HTML format are revamped to be more legible.

Author Website

For details, follow this guide: GitHub - kvic-z/pixelserv-tls: A tiny bespoke HTTP/1.1 server for adblock and accelerating web browsing.

I was able to install it on my rasp pi:

$ sudo apt-get install git
$ sudo apt-get install autoconf
$ sudo apt-get install libssl-dev

sudo -i
cd
git clone https://github.com/kvic-z/pixelserv-tls.git
autoreconf -i
./configure
make
sudo make install

pixelserv needs an ip address to bind to:
sudo ifconfig eth0:pixelserv-tls 192.168.22.254 up

It can't be the same one as the eth0 IP address. I tried to assign pixelserv-tls to an unused IP on my network, but going to 192.168.22.254/servstats.txt displays a web page of the pi-hole logo rather than the pixelserv statistics. The gravity.list file would require an update to use the pixelserv IP address.

I use pixelserv-tls on Asuswrt-Merlin in conjunction with the ab-solution.info ad blocker. It may help with the https issue discussed in this thread.

With pixelserv-tls you still need to import the CA certificate, so it's the same issue.

3 posts were split to a new topic: Pi-hole v4.0 and pixelserv-tls