Managing DNS

One of the very first things that started me down the path of taking control of my home network was my discovery of Pi-hole, the ad-blocking DNS server. As the name implies, it runs quite well on a Raspberry Pi – which I happened to have at the time – and it couldn't be much easier to install and configure. It was up and running out of the box in no time, and reconfiguring my DHCP server to hand it out as the primary DNS server for my LAN was a piece of cake.

The rationale for using Pi-hole was initially privacy. You see, virtually every website you browse carries scads of content that exists solely to track you. This tracking content "magically" renders Amazon ads for products you just browsed when you're reading your news aggregator. I got fed up with being the product, so I found Pi-hole. It is a simple, elegant solution to the tracker problem. When your browser requests content from websites that have embedded trackers, those trackers have hostnames like "analytics.google.com". DNS is what converts that name into an address your computer can connect to; when Pi-hole is on the scene, it compares each hostname against lists of known advertisers (and pornographers, and gambling sites, etc.) and, for any match, answers with an unroutable address (0.0.0.0 by default) instead of the real one, so the connection never happens. This not only prevents the trackers from following you around and collecting information on you, it also has the pleasant side effect of speeding up your web browsing (since your computer no longer has to connect to scores of tracking sites to download their tracking code). One caveat: Pi-hole only sees the queries that are actually sent to it. A device with a hard-coded resolver such as 8.8.8.8, or a browser that uses DNS over HTTPS, bypasses it entirely unless your router also blocks or redirects outbound port 53.

Aside from a few annoyances – like not being able to watch various TV apps that require trackers before they'll play their content – this has worked wonderfully. I've been a vocal supporter of Pi-hole to my colleagues at work (like-minded networking nerds), and to at least one customer I talk to at the office.

But now that I'm down the path, I realize that DNS isn't just about blocking ads and speeding up websites. The privacy aspect runs much, much deeper. You see, DNS requests are generally sent in cleartext (plain UDP or TCP on port 53), so anyone on the path can read them. By default, your DNS requests go to the ISP you buy your internet connection from (in my case, Verizon Fios). Each request you send to their servers gives them a little bit of information about what you do online, and the sites you frequent say a lot about you. Clearing your browser history or going into "private" or "incognito" mode does nothing to stop the flow of DNS requests out of your computer.
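To make both points concrete, here is a small, self-contained sinkhole in Python. It is an added example, not Pi-hole's code: it builds a raw DNS query the way a stub resolver would, shows that the queried name sits in the UDP payload as readable bytes (the cleartext problem), and answers names on a constructed blocklist with A 0.0.0.0, the same unroutable address Pi-hole's default blocking mode returns. The blocklist, the subdomain-matching policy, and the helper names are assumptions for the example; a real forwarder for non-blocked names is left out so it runs offline.

```python
"""Minimal DNS sinkhole in the spirit of Pi-hole (added example, not Pi-hole's code)."""
import struct

# Constructed blocklist for the example; a real deployment loads lists of
# hundreds of thousands of names.
BLOCKLIST = {"analytics.google.com", "doubleclick.net", "ads.example.net"}

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
SINKHOLE_IP = "0.0.0.0"
SINKHOLE_TTL = 2  # short TTL so a later unblock takes effect quickly


def encode_name(name: str) -> bytes:
    """Encode "a.b.c" as DNS labels: length byte + label, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode labels at offset, following compression pointers; returns (name, end offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format A query, exactly as a stub resolver sends it over UDP/53."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(packet: bytes) -> tuple[int, str, int]:
    """Return (id, qname, qtype) straight from the raw datagram: no decryption needed."""
    qid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return qid, name, qtype


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Example policy: block a listed name and all of its subdomains.
    (Assumption for this example; Pi-hole's gravity list is exact-match.)"""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def sinkhole_response(query: bytes) -> bytes:
    """Answer with A 0.0.0.0 so the client has nothing routable to connect to."""
    qid, name, qtype = parse_query(query)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, SINKHOLE_TTL, len(rdata)) + rdata
    return header + question + answer


def handle(query: bytes):
    """Return a sinkhole response for blocked A queries, or None meaning
    'forward to the upstream resolver' (forwarding is not implemented here)."""
    _qid, name, qtype = parse_query(query)
    if qtype == QTYPE_A and is_blocked(name):
        return sinkhole_response(query)
    return None


def parse_answer_ip(response: bytes) -> str:
    """Pull the address out of a single-answer A response."""
    _name, off = decode_name(response, 12)
    off += 4  # skip qtype/qclass
    _aname, off = decode_name(response, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return ".".join(str(b) for b in response[off:off + rdlen])


if __name__ == "__main__":
    for qname in ("analytics.google.com", "www.example.org"):
        q = build_query(qname)
        # The name is readable in the raw datagram: anyone on the path sees it.
        print(qname, "visible in packet:", encode_name(qname) in q)
        r = handle(q)
        print("  ->", "sinkholed to " + parse_answer_ip(r) if r else "forward upstream")
```

Run it and the first query is answered with 0.0.0.0 without ever leaving the machine, while the second would be handed to whatever upstream you configured; the `encode_name(qname) in q` check is the whole cleartext argument in one line, since the same bytes are what your ISP's resolver, or anyone between you and it, gets to read.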

With Pi-hole, you can choose the upstream DNS servers it forwards to when a name isn't in its local cache. I'm a fan of Cloudflare's 1.1.1.1 service personally, and not just because it's easy to remember: Cloudflare portrays themselves as right-minded and privacy conscious. Bear in mind that the hop from Pi-hole to the upstream is still cleartext by default, so the upstream (and anyone between you and it) sees the same queries your ISP used to. Pi-hole's documentation covers routing that hop over DNS over HTTPS with cloudflared, which keeps the ISP from reading it in transit.

The next step in my DNS deployment is to take Pi-hole off of the Raspberry Pi it's sitting on (which could stand to be rebuilt anyhow, since I've learned a lot of the Zen of Pi since I put that guy together) and stand it up as a Docker container. This should make the lifecycle management markedly easier. I'm fairly far down the path with my prototype, which I'm eager to share with you folks.

For those of you reading my blog that run 128T routing software... you're going to dig this. For those of you that do not run 128T routing software, look at setting up a Pi-hole server of your own. The privacy and performance benefits are real.