May 12, 2025 • 39 mins
Your network is talking behind your back—but Pi-hole is listening. Join The Audit as Pi-hole co-founders Dan Schaper and Adam Warner reveal how their open-source DNS sinkhole technology has become the secret weapon for over 200,000 privacy-conscious users worldwide.
In this episode, we discuss:
- How Pi-hole evolved from a simple ad blocker to a critical network security tool
- Why DNS-level filtering stops threats before they reach any of your devices
- The performance benefits that make browsing noticeably faster
- Setting up Pi-hole on everything from Raspberry Pi to enterprise hardware
- How the global development team maintains this powerful security shield
- Protecting vulnerable IoT devices from malicious traffic
- The future roadmap for Pi-hole and opportunities to contribute
Don't miss this deep dive into the technology that's reclaiming control of digital footprints one DNS request at a time. Connect with the Pi-hole community at discourse.pi-hole.net and discover why cybersecurity professionals consider this an essential defensive tool.
Like, share, and subscribe for more cutting-edge cybersecurity insights and expert analysis!
#pihole #DNSfiltering #networksecurity #adblocking #privacytools #cybersecurity #opensource #infosec
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
All right, welcome to the Audit presented
by IT Audit Labs.
I'm your co-host and producer,joshua Schmidt.
Today we're joined by the usualcast, nick Mellom and Eric
Brown, our managing director atIT Audit Labs.
Today we're joined by DanShaper and Adam.
Sorry, adam, what's your lastname?
It's not on the Adam.
Adam Warner (00:19):
Warner.
Joshua Schmidt (00:20):
Well, great guys , Thanks again.
Maybe you could just give us alittle background on yourselves
and then how you got to beworking with PyHole and where
you're at today.
Dan Schaper (00:27):
It's got to have been 10, 12 years now.
I was looking for just thingsto do on the Internet.
Github was kind of new at thetime and bouncing around and saw
a project that was working onDNS was working on DNS and it
was kind of an interesting thingon content blocking and they
(00:49):
were having problems, ironically, getting IPv6 to work.
So I think my first poll wasintroducing IPv6, and here we
are, 12 years later, and IPv6 isstill nowhere to be seen.
I've been told for like 20years that school started IPv4
is over, you need to do six.
But so we started working onthat and it was just a ragtag
(01:11):
little group of people throwingthings together and then Adam
joined in.
Uh, very shortly after that weadded in our third, Dominic,
who's in Germany to help out,and then we've had some other
people come and go, as with opensource programs kind of do and
(01:34):
volunteer work does.
I'm amazed that we're stillhere this much later and still
have such a huge community and abig following.
The community is everything forus.
Joshua Schmidt (01:49):
Yeah, I can't wait to hear more about that.
You have what?
Over 190,000 Reddit followers,or?
Adam Warner (01:55):
Something like that .
Yeah, you'd think I'd have thatinformation just by hand.
Nick Mellem (01:58):
I think it's 191 when I was on there earlier 191k
.
Adam Warner (02:02):
Yeah, just so that, then that's awesome.
Joshua Schmidt (02:04):
That's impressive.
How about you, adam?
What's the background on youand how did you get to be
working with Dan?
Adam Warner (02:11):
So I first discovered I say discovered, I
didn't discover it, but I foundPiehole just on Reddit.
I was just browsing down thefront page and saw what looked
like a fancy dashboard orsomething.
Had a look into the post postand I was oh, hang on, this
looks like an interestingproject.
I've got a raspberry pi that issitting in a drawer.
In fact, at the time, Iprobably had about 10 raspberry
pi sitting in the drawer,because I had an awful habit of
(02:33):
buying them and then puttingthem in a drawer, um, because I
had no real, real purpose forthem.
I just thought they lookedfancy.
So span it up.
Um installed it and I think atthe time so this was back in
2016 I was using it, uh, andwhat I noticed was that the
whitelisting didn't work, or notvery well anyway.
It had an issue with it.
Um.
(02:53):
So, rather than uh complain, Ihad a look at the code to see
how it was working, what couldbe done to to make that work,
made it work, submitted a pullrequest to the project, and here
I am today, still after about10 years.
Joshua Schmidt (03:11):
We were talking just before we started recording
and you had let me know thatyou just released Pi Hole
version six.
Yeah, in February.
Adam Warner (03:19):
Yes, so that was five years in the making.
One of the things about usbeing a sort of volunteer-run
open-source project is we don'thave an awful lot of time to
work on things.
So when we do look at sort ofworking on major things, it
takes us a while, especially totry and sort of synchronize
everyone and get everyone in thesame place at the same time so
(03:41):
that we can actually press abutton to release it.
Eric Brown (03:44):
What's the big update in 6?
Adam Warner (03:47):
The web server, for example.
So we used to use a third-partyweb server.
Let me know how.
You say it Lighty, is it just?
Dan Schaper (03:55):
Lighty Lighty.
Adam Warner (03:57):
So that was a dependency of the project.
So the install script wouldalways install that PHP was a
big dependency of the project,would always install that PHP
was a big dependency of theproject.
In six, or PyHole six, we haveremoved the dependency for PHP
and LIT, so PyHole FDL is itsown web server now and the web
interface has been rewritten inLua pages.
Dan Schaper (04:19):
There's some Lua pages, some Java script and
that's still we're kind oflooking at, maybe doing a better
front end on it.
So we had the genius of Dom whodoes a lot of the C coding and
brought in, like Civit Web as aC package to handle the web
serving and trying to make it aone binary project.
Eric Brown (04:43):
What is PyHolic?
What does it do for theeveryday user?
Dan Schaper (04:48):
Essentially, when you go out on the internet, you
use your web browser or whatever.
You type in what's called adomain name.
You want to go to Google.
You just type in googlecom orwhatever site that you want to
go to.
On the back end, on howcomputers work, they don't
communicate via names and tokensand things like that.
They communicate with IPaddresses, numeric addresses.
(05:12):
So you need something that willconvert that name into an IP
address, a string of numbersthat computers can then use to
get you to where you need to go.
That's called a domain nameservice.
You send out a request, you saywhat is the IP address for
Google and you get back a number.
(05:32):
Your computer then understandsokay, to get to this number, I
need to go here, here, here, andget passed along.
What we do is we come along andsay, okay, there's this domain
out there is.
We come along and say, okay,there's this domain out there,
Evil Corp.
Well, we don't really want youto go to Evil Corp, or the
person decides themselves Idon't want to go to Evil Corp
because Evil Corp is going totake the information they see
(05:55):
from me and do things that Idon't want them to do.
So we say, when you ask uswhat's the address, how do I get
to Evil Corp?
We say Evil Corp doesn't exist,you can't get there, and that
kind of is is a very low levelbasic.
There's a lot of other featuresand things you can do to to
(06:16):
make it like nicer and spice itup and change it up.
Um, but uh, in in.
Essentially that's what we do.
It's called a DNS sinkholebecause we take DNS requests and
sync them.
Nick Mellem (06:31):
And it sounds like these things are pretty easy to
set up.
When I was, you know, inpre-production here, we were
talking about the YouTube videoI was watching.
It was a short where the guywas talking about he could set
this up faster than he can cooka hot dog in the microwave.
And he did do it.
Are you guys able to speak to?
Was that a part of theeducational process?
You wanted to make it easy, orwas that just the vision you
(06:52):
know throughout the project, tomake it easy for, kind of the
masses?
Adam Warner (06:55):
you didn't have to be technical, uh, to use the
pile so I mean I think I canprobably speak to this in that
um.
So when I, when I first joinedthe project um, I had never used
, I'd never touched linux um, soI've never done any bash
scripting anything like thatbefore.
I did have some background insort of c sharp programming on
windows, but beyond that um I'venever touched it.
So actually I found it prettysimple to install straight away.
(07:18):
This is even, you know, goingback 10 years when the installer
was probably a little bit morebasic but our, our installation
is a bash script.
Dan Schaper (07:28):
Um, and it is.
We joke about it.
It's the worst bash script youwill ever see in your life.
It's a thousand lines long ofbash script and originally uh,
the original project founder andconsidered co-founder myself
and Jacob Salmela when we didthe installation script.
(07:49):
There are a lot of comments inthere and the original intent
was you could look at thisscript as somebody who doesn't
know what batch is, doesn't knowwhat any of this is, and read
it line for line and see okay,here's, here's a command line,
here's the explanation of whatthis command does, how it does
it, what applications it usesand runs.
(08:11):
And to get back to the foodthing.
I guess there's a food thingwith pie hole, because it's pie
hole and apparently hot dogs,and we like to say you can run
pie hole on a potato, so we hadto have this food theme going on
with everybody now I don't knowif nick, you're vegan, right,
so would it work with a?
Joshua Schmidt (08:29):
vegan hot dog big vegan probably not big vegan
here I don't think they'll letyou into texas if you're a vegan
one of the cool.
Nick Mellem (08:37):
He's originally from minnesota though
considering the, the gift boxeric sent me yesterday was full
of bacon goods.
I think no vegans.
Eric Brown (08:48):
So the cool thing just to kind of tie together why
an everyday user, maybe even anon-technologist, might like
Piehole to set up at home isit's really easy to do.
It's really easy to do.
There's lots of great videosand great instructions to be
able to set it up without a lotof technical expertise.
(09:10):
But in some cases you can getenterprise-level security, like
security that you would get atwork with a device that costs 50
, 60 bucks.
Right, you get a Raspberry Piand get a SIM card and you can
install PiHole on the RaspberryPi, plug it into your network
(09:32):
and it's going to filter traffic.
And you might say well, why doI want to filter traffic?
And there's a lot ofconversation with PiHole about
being able to block ads.
Able to block ads, but evenmore so than that is the ability
to block malicious links, likewhat you were talking about.
(09:53):
You can create that level ofsecurity at home.
So you know, I don't know, adamDan, anything you want to talk
about related to that.
Dan Schaper (09:59):
The way a lot of the like Cisco's firewall
systems and their DNS systemsare extremely similar to PyHole.
You're paying for the support,obviously, but lists of domains
that you want to block.
If you can get a list in what'scalled host format, we can use
it and it's very tailored tocustomization.
(10:22):
You can have a big list ofdomains you want to block and
there's only two or three thatyou want to let through, for
whatever reasons.
Okay, you can allow those.
You have some systems where youneed to access these domains
for work.
You can put your laptop into agroup and say, okay, assign no
domains blocks to any computerin that group, so you're not set
(10:44):
to one system managingeverything and everybody has to
have the same thing.
Yeah, you can do some extremelynarrow, fine-grained systems.
Eric Brown (11:01):
I had to create the wife on block Acceptance factor
Because I had everything lockeddown and we went to watch a show
.
I was so excited when I firstbuilt out the pie hole and I've
got my laptop and I'm watchingall of the blocks and we went to
(11:22):
watch a show.
I don't know if it was on primeor Netflix, but we're even just
trying to bring up the Apple TVto get to the show and it's not
working.
I'm thinking this is great,right, I'm blocking a ton of
stuff that I don't know, like Ididn't know even existed, where
it's trying to go out and sendmy information out to all of
(11:43):
these third parties, and I'mjust kind of watching it on the
screen and then realizing thatit's maybe blocking a little bit
too much.
I probably downloaded a few toomany lists and integrated them,
so then I was able to just goin and whitelist some, and then
from time to time I will hearshouting from upstairs and you
(12:05):
know, it's like that thing.
You got running and so I uh, Iam able to, you're able to
easily, with piehole, putmachines into a group with less
or no filtering before before wehave the group's feature on the
.
Adam Warner (12:18):
On the piehole um.
That was as much as I hate theuh the stereotype um on the.
On the piehole um that.
That was as much as I hate the.
Uh the stereotype um.
On the on the subreddit, thatwas one of the biggest
complaints.
Uh was uh.
My wife's trying to buy thingson google shopping, uh, and
every time she clicks thesponsored link in the in google,
she can't get to the shopping.
How do I fix this?
And the answer always used tobe well, disable it for a bit
(12:39):
whilst you want to click thelink, um.
So people were coming up withbookmarklets so that they could
give it to their spouses oranyone else in their family and
say hey look, if something's notworking, just press this button
.
It'll disable PyHole for fiveminutes.
You can then do what you wantand then it will come back on.
Eric Brown (12:55):
Yeah, absolutely.
I thought about eveninstituting something at home
where it's like well, you got towatch this five minute video on
security, I didn't.
That didn't go over too well.
Nick Mellem (13:06):
So, besides blocking all these websites and,
you know, stopping wives orsignificant others from
purchasing you know, this, thator the other, I suppose and I
don't use a pie hole, so I'm I'mlearning a lot here but could
this also be thought of a waythat just streamlines and speeds
up your web browsing experience, because it's not going out to
(13:26):
get all these curated ads on allthese websites?
I think the most, what I canthink of the most easy, is you
know you're doing a speed testfor your internet.
You know you go to one of thesewebsites and it's just like all
around where you're going tosee how fast your internet is.
It's just littered with ads soit takes a while for that to
generate.
If this is running, it's noteven going out to get those
(13:49):
those ads.
So I would assume across theboard, you know people are
seeing you know an easier andmore quick experience on the web
.
Dan Schaper (13:57):
It does reduce the amount of traffic you pull
because malvertisements tend tobe really heavy with a lot of
garbage attached to them.
One thing that we kind of anunintended side effect CDNs,
things that are geo IP based canget confused.
So a lot of the gamers at firstwere my latency shot to the roof
(14:20):
.
Well, yeah, because you're inAmerica and the geo IP is not
going to be able to work, soit's sending you to a server
farm in Germany.
There are ways to get aroundthat with some DNS extensions
that allow you to at least givea portion of where your IP is
(14:41):
located at, so you can get tothe proper CDN endpoints that
are located closer to you.
But at the heart of PyHole itis a full functioning DNS DHCP
server.
You want to develop and usethey call it a split brain DNS
or split horizon DNS, and theycall it a split brain DNS or
split horizon DNS where you haveIP addresses for your
(15:04):
production work and you want touse the same domain names but
use your local area networks.
You can go ahead and set it upand say when I ask for
production domain names, returnmy local, and you don't have to
worry about things like hairpinnatting or any of the router
tricks.
(15:25):
You're actually returning adifferent IP address depending
on where you happen to belocated.
Nick Mellem (15:31):
Dan, you brought up YouTube a little bit ago and
that's one thing I was thinkingabout.
And, funny enough, before wejumped on, I was searching the
internet looking at all thedifferent pies, pies to piehole
items and one of them one thatPost I saw was oh, I'm gonna
make a pie hole so I canessentially have YouTube premium
for free, and I was thinking tomyself what would that actually
(15:54):
work?
So, you know, maybe take asecond.
I'm curious on your thoughts.
I know you said I think youdislike this YouTube because of
this.
Can you elaborate on that said?
Dan Schaper (16:03):
I think you dislike this YouTube because of this.
Can you elaborate on that?
You want to do the Linus TechTips video that shot us in the
foot with that one.
Nick Mellem (16:09):
Was that what it was?
I didn't see that one, but I amfamiliar with him.
Dan Schaper (16:12):
Originally way, way back.
Yeah, Four or five years agoSix years ago, we'll say, I
think.
Yeah, he did one and he wasable to show somehow.
And this was back in the dayswhen, yes, you could block some
of the video roll from YouTube.
This was pre them knowing abouthow we worked and stuff.
Now they bake it directly intothe video stream.
(16:38):
So there isn't a separate DNSquery or a DNS endpoint.
You're not going to a CDNanymore like they used to do.
Ads were served from adifferent infrastructure than
videos.
It's all merged into one flownow, but people still see that
video and go oh well, I shouldbe able to block YouTube videos
like ads.
Nick Mellem (16:58):
I see it right now.
Block every online ad with thispie hole on Raspberry Pi.
It's got 4.6 million views andit was published five years ago.
Spot on, yeah.
Joshua Schmidt (17:09):
I think this is a good time for the disclaimer,
as we insert that into thepodcast here.
Adam Warner (17:15):
There he goes again .
Eric Brown (17:16):
Nick, there he goes.
Joshua Schmidt (17:19):
Well, we are hosting this on YouTube.
I would hate to set off anyalgorithms to clamp down on our
views, but yeah, we are hostingthis on YouTube.
I would hate to set off anyalgorithms to clamp down on our
views, but yeah, we don'tcondone any illegal activity, of
course.
My question was do you have asense of like I'm sure you do,
and especially Adam running theReddit what the community finds
to be the most valuable part ofthis?
(17:39):
Is it the ad blocking function,or is it mostly used by people
with personal computers?
Or do you find enterprisesusing this, or organizations, or
is it a mix?
Adam Warner (17:51):
There's probably a pretty healthy mix of people
that have just stumbled upon theproject because they've seen it
.
There's a lot of people who arenow new to the project because
of all of the issues with ublock, origin in chrome, which is now
um no longer working in the newversion of chrome, um, I think
anyway, um.
(18:11):
So we've we've got a lot of newusers through that um.
But then you've got the, thesuper technical people who I
would say, probably definitelyknow a lot more than us.
Whether they do or not, theycertainly come to us as though
they do.
But there's all sorts.
Eric Brown (18:30):
One of the things that you mentioned there, adam,
was how some people are usingplugins in their browser to do
some of that ad blocking work,and that certainly works.
But, as you mentioned, youblock origin Chrome.
That plugin then, with Chrome'srecent changes, doesn't work.
(18:50):
So then, how do you deal withthat?
How do you keep the samefunctionality?
And well, you move it away fromthe browser and you move it to
the network, and the Pi holeworks at that network level.
I suppose it could work locallytoo, but if you, if you have it
on the network, then it'sworking for all of the machines
on the network.
And one of the tests that Ijust personally have found to be
(19:13):
pretty cool is a website Ithink it's tmzcom, tmzcom.
So, dan, maybe being morefamiliar with the Los Angeles
area.
Dan Schaper (19:26):
Yeah, I know, harvey.
Eric Brown (19:28):
It's for the 30-mile zone.
I guess that's around LosAngeles.
I mean something out there, noidea.
All I know is that site gets aton, has a ton of ads baked into
it.
So if you let that page loadyou'll see the counters just go
up.
If you have an ad blocker inthe browser Over 100, I think
(19:48):
it'll block on that, like ifyou're using Ghostery or
something like that.
But it's great to see it too onthe pie hole and just go to
that site and just watch all ofthe blocks come up from that
site.
It's pretty amazing all of thethings that they're doing to
monetize that site and thatexperience and what it looks
(20:10):
like when you're looking at thatwebsite, filtered versus
unfiltered.
Dan Schaper (20:15):
Well, also consider how do you use an ad blocker or
a malicious traffic blocker onyour home surveillance cameras
on your refrigerator, on yourweb-connected Light bulbs?
Yeah, I got an air fryer theother day that has an
application for it and itconnects to Home Assistant.
(20:37):
It's like it's an air fryer,come on.
Eric Brown (20:53):
And it's like it's an air fryer, come on, but yeah,
so being at the internet orbeing at the network level,
things that don't have userinterfaces, things that you
don't see and deal with, theycan still benefit.
Apple TVs can benefit from it.
Smart TVs can benefit from it.
Somebody I know has one ofthese.
It's like some sort ofelectronic litter box, as I hear
it it's called.
What is it?
That's you, Eric who could thatbe eric that has this you can
actually monitor the cat'sactivity in the litter box from
an app on the on the phone.
You know while you're remote.
So you know to your point.
Dan Schaper (21:14):
Everything is connected don't you have one of
those adam?
Adam Warner (21:18):
I had one of those.
The cat did not get on with it,so we Cat did not appreciate
the litter box surveillance.
He's a hipster, he hatestechnology.
Joshua Schmidt (21:33):
He's a lewdite cat.
That brings me to one of myother questions I had prepared.
What are some of the challengesthat Pileface is keeping up
with increasing sophisticationof ad delivery mechanisms?
I'm assuming that was bakedinto your latest update in
version six?
Yeah, and maybe you could kindof shed some light on what some
of those might be that we mightnot think about.
(21:54):
We just talked about, like youknow, roomba and adding that
pile at the network level tokind of give you some extra
protection on the IoT devices.
But anything new that you'veseen popped up, that that pie
hole has been addressing.
Dan Schaper (22:09):
It depends on white hat versus black hat on a few
things Ever since.
The big thing now is encryptedDNS DOT, doh, doq, no-transcript
(22:35):
and, depending on what thatcanary domain responded, you
could turn off DOH in Firefoxinternally.
So you could with PyHole, sayanybody on my network.
They need to stick with plain,unencrypted DNS.
Where you get into somedifficulty is for the bad actors
(22:55):
that give you an Android appthat is intentionally hard-coded
and bypass all of that and gothrough that gets into where you
do need some pretty heavy-dutyfirepower to be able to do it.
Even your home firewalls can'tdo it, because you need to be
able to break those encryptedpackets to see what the payload
(23:19):
is, able to break thoseencrypted packets to see what
the payload is.
So, as long as people play bythe generally accepted rules and
I think that's going to happenbecause you have enterprises
Enterprises are going to need tofigure out how to prevent
exfiltration through systemswhere they have their internal
DNS and you need to use ourActive Directory systems, our
(23:41):
structures, then how do theyprotect themselves?
And luckily, the way that theyprotect themselves can be scaled
down to home use also.
These agreements, thesepolicies and procedures that are
being codified do not needheavy lifting technology to be
able to use them.
(24:02):
We have version 6.1 coming outthat we wanna get out within,
probably this weekend.
Maybe that has some updateswhere these specific requests
from Apple, svcb requests wherewe can return either say these
(24:23):
services do not exist, don't golooking for them, or these
services exist and here are howyou can connect to the pie hole
to use these services instead.
Joshua Schmidt (24:30):
I was wondering if Eric could speak to using
this type of technology withinorganizations or helping others
shore up their security posture.
Eric Brown (24:39):
I think it's great in organizations that maybe
can't afford theenterprise-level firewalls that
are going to be able to do thatman-in-the-middle, where they're
breaking encryption andinspecting and then
re-encrypting and sending thetraffic on, which is what you
need to do in order to look atencrypted packets that might be
(25:01):
coming from an infected endpoint, where the threat actor put a
protocol in place in order toprotect that traffic.
Smaller organizations and homeentities aren't going to, as Dan
said, break that encryption,look at it and send it on, but
something like a pie hole or away to bring in lists, host
(25:29):
lists, into their firewall orwhatever is providing their DNS
services, is really a greatthing Like we were talking about
earlier.
This is really enterprise gradetechnology that is at fractions
of the cost, so you could bringit in and plug it into a network
and it doesn't consume muchresources at all.
(25:52):
And a really big shout out tothe Pihole community, because
there are some people out therethat are curating and generating
lists that we all then consumeand use, and the lists are up to
date.
Some of them are updated daily,if not more frequently, with
(26:13):
really new and emergingmalicious sites and we can
consume that and then we're justas safe as an enterprise
organization.
Joshua Schmidt (26:24):
That was going to be my follow up with.
That was going to say, adam,maybe you could speak to just
the value of the community andhow, how those people have been
generating those lists and howyou, how you integrate that
information into what?
Adam Warner (26:37):
you and Dan are working on.
Every block list that's outthere is community maintained.
We don't have an opinion.
So, as the software itself, wedon't care what you're blocking.
You can block as much or aslittle as you like.
It's really up to you how youuse it.
So when we initially install,just to make sure it works and
(27:00):
just to sort of lower thebarrier to entry, we have one
suggested list which we foundworks quite well, doesn't block
too much, doesn't break a lot,and that's just there to get
sort of people started.
But yeah, there are, I meancertainly on reddit.
There's a guy forget his name,w3k who maintains a list of
(27:22):
lists, so not just his own liststhat he puts together, but he
also, I think he goes throughand kind of optimizes a few
other people's lists.
Firebognet, I believe, is wherehe keeps those.
Dan Schaper (27:35):
Yeah.
Adam Warner (27:35):
Firebog, and then you've got.
There's just so many's, so manypeople out there that are just
coming up with the differentthings.
Joshua Schmidt (27:43):
One list to rule them all.
Eric Brown (27:45):
It sounds like sometimes more isn't necessarily
better.
So, Adam Dan, I don't know howbig are your lists that you run
on your home environments.
Adam Warner (27:56):
So I'm I'm not super fussy at home, um, I'm
still running just the defaultblock list.
So I've got currently about130,000 blocks on my block list.
You see, people on Reddit it'salmost a competition at some
point.
So people will come in withlike 15 million domains and you
think that you're not visitingor you're not hitting that many
(28:16):
domains, surely?
But people, you can do it, sothey do.
Nick Mellem (28:21):
But their wives might be visiting all those.
Joshua Schmidt (28:25):
Is there a list with Joanne Fabrics included on
there, aren't they?
Eric Brown (28:29):
out of business.
Dan Schaper (28:31):
I was going to say Joanne's closing.
Adam Warner (28:34):
Sort of talking of block lists.
I've even seen and I thinkmaybe I think, Dan, you used to
do this as well I've seen it thecomplete other way around,
where people have no block listsand they have a single domain
on their block or a single entryon their block list which is
just dot, and that blockseverything by default, and then
(28:55):
they won't look at it the otherway around.
They start whitelisting thingsso they actually end up with
bigger whitelists than a blocklist.
It's, I imagine, a pain in theass to manage and to keep up
with because there are just somany domains out there, but it's
another thing that we've seenpeople do.
Dan Schaper (29:14):
Yeah, it's a default deny and then only
specifically allow certainminors that you want.
Yeah, if you're streaming video, that is not the way to go,
because you're you're going more.
I'll have this.
No, no, I'll have this now.
Eric Brown (29:27):
Yeah, you could do that almost as a time base right
, Like if it's, if it's time forthe kids to go to bed, and
you're like, all right shut.
Dan Schaper (29:40):
They don't want to do it and you're like all right,
boom, 10 pm shutdown.
People do do prong, job basedor chronologically based, for
not even just complete shutdowns, but just for I want to cut my
addiction to social media.
So I'm going to give myselfthese five minute blocks where I
can access it but most of thetime not be able to access it.
And then you have some externalthings saying no, don't do it,
(30:02):
reminders, yeah.
Joshua Schmidt (30:03):
Have you guys seen this, this new product
called a brick, I think it'scalled where it makes you
physically physically get up andunlock you know an app.
You can program it to unlock aspecific app by you know blue
toothing it to your phone For aspecific amount of time so you
can only hit Instagram if you goup to the brick, unlock it.
(30:24):
Oh wow, for just kind of whatyou're talking about, but it
sounds like you can do that withPiehole.
Dan Schaper (30:28):
Originally we wanted to be able to provide
this tool and then say, hey, dowith it as you want, Extend it
as you want, add in features asyou want.
And we're getting to that pointwhere you can programmatically
access things.
I never use the web interfaceOnce it's set up.
It's set up and I don't reallyneed to go through and tweak it.
(30:51):
Took a while to get to thatpoint, but yeah, now it just
kind of just runs on its own.
Joshua Schmidt (30:56):
That's a perfect segue.
I was going to ask, adam, ifyou've seen any interesting or
unexpected use cases for the Pihole that go beyond the ad
blocking function.
Adam Warner (31:07):
Not really that go beyond the ad blocking function,
but certainly in terms of justintegration to other systems.
So again, as I mentioned withv6, we've got this new shiny,
restful API which is much moreadvanced than the old API in our
v5 version and with that peopleI think there's a guy who's
(31:27):
made an Android.
Yeah, there's an Android app,there's an iPhone app.
These are all community madethat effectively mimic the web
interface, allow you to manageit on the go.
I've seen integrations intoHome Assistant.
I think you've got people inthere, sort of automations
actually setting up a trigger todisable PyHole or enable PyHole
(31:48):
in certain things, based on notjust time but whether or not
the lighting they're always on,that sort of thing.
Dan Schaper (31:55):
Yeah, the staples easy button when you want to
stop the blocking I've got oneon my desk actually where do you
see the future going?
Nick Mellem (32:02):
you know how is ai dictating how pie holes evolving
.
Anything you guys want to speakto on that?
Eric Brown (32:08):
the future?
Um, nick, to some extent is allof the technology that is built
into appliances.
These days, I think just aboutevery appliance that you could
put in your home has some formof connectivity capabilities
washers, dryers, refrigerators,rice makers, right Toasters I
(32:32):
think Dan said your careverything is connected and that
kind of gets into the IPV6,where everything potentially
could be on the internet and ifyou're not taking some level of
caution you're just pretty muchexposed.
So a project like this isreally awesome.
(32:53):
It puts some of the controlback in the consumer's hands
that may not want to just plugthat refrigerator in and then
the next thing you know it'sdumping out the contents of
whatever is in there to whoknows where that's going.
I mean, the simple solution tothat is you just don't connect
(33:14):
your fridge to the internet andit might be one of these days
that, in order to warranty thething, it's got to be internet
connected right Like they'regoing to put checks and balances
in place, unfortunately, and Ihope it doesn't go there for a
while, but that is certainly apossibility.
Joshua Schmidt (33:33):
Yes and so on that note, adam, can you think
of any?
How do you see yourself in thisecosystem of the community on
Reddit?
Do you see yourself more aslike a firefighter, police
officer, park ranger?
I mean, it's a lot of people tomanage and seems like a big job
.
Adam Warner (33:53):
When we first started certainly when I first
got involved 10 years ago, I wason Reddit every day.
Every sort of hour of free timeoutside of work I would be in,
read every thread, read everycomment.
That got very tiring veryquickly In sort.
(34:14):
Of.
Recent years I've had less timeto be able to commit to that
for work reasons, but I meanwe've got some super moderators
out there.
Jfb John is a good one.
He again, he is like that.
He's in every thread.
He reads every message, notjust on Reddit but on our
discourse forum as well.
I don't know where he finds thetime.
(34:36):
I assume he's got a lot of itor maybe I've never met him.
Actually he could be AI.
There are a lot of people outthere who are very into Pi-Hole
and are happily giving back tous, to the community, sharing
(35:00):
their own projects.
One of our biggest requestedfeatures in all time has been
high availability of having twopie holes on your network for
redundancy and being able tosynchronize those two pie holes.
It's not something we've everquite got around to doing.
However, there are at least sixthat I can think of off the top
(35:22):
of my head projects out in thecommunity where people have
taken it upon themselves tocreate a project that will
approximate that and actuallykeep several pie holes in sync.
There's there's been a fewpopular videos doing the rounds
recently, since we launched v6,of how to set up, you know,
three pie holes for redundancyon a, an LXC stack, plus having
(35:45):
these synchronizers to to keepeverything like the block lists
and everything the same, so thatthe community for that purpose,
you know they, it's brilliantthe best of all worlds, can you
know?
Joshua Schmidt (36:00):
free software, an amazing community.
People are joining together tohelp other people out.
It's good to have somepositivity, especially in the
world in general.
But in cybersecurity, we oftenhear a lot about a lot of the
bad things that are happening.
So it's really cool to hear howpeople are banding together and
creating a positive impact.
Adam Warner (36:21):
The people who are sort of enthusiastically
negative as well.
I'm sure you agree.
Joshua Schmidt (36:27):
So if someone like me who doesn't know a lot
about tech really piqued myinterest on this conversation,
where should they go to getstarted, and how should they get
started with integrating a piehole into their security posture
?
Dan Schaper (36:40):
Probably the best way is our website, piholenet.
It's P-I-H-O-L-Enet, I thinkit's still pretty much a version
five.
You'll see there.
I haven't updated it forversion six, but there's links
there to our GitHub at the top,to the community for our
discourse.
Best place to get a hold of usis to do that discourse, which
(37:04):
is discoursepy-holenet.
And yeah, any questions,anything you need, come find us
there.
We're happy to talk to you andget things set up for you.
Joshua Schmidt (37:17):
Excellent, well, great work Everything you've
been up to and, on behalf of thecybersecurity community, we
commend you for your time andthat you put into this and
helping people shore up theirsecurity.
Dan Schaper (37:29):
Thank you.
Joshua Schmidt (37:30):
If I may speak for them on this podcast.
Nick Mellem (37:33):
You can.
Yeah, congratulations, guys onwhat you've built, and
especially the community.
I think that's huge for me,especially in this space, seeing
a community of almost 200,000people like-minded that are
helping everybody else.
Kudos to you guys for curatingand building that.
Adam Warner (37:51):
Yeah, I mean it's a team effort.
At the end of the day, it's notjust myself and Dan that are on
the core team.
We've got Dom over in Germany,rd down in brazil, um ub again
over in germany, so we've gotsort of there's a few of us in
the sort of cool team and thenthere's probably contributors
that I don't know where they are, but they're regular enough
(38:14):
well, if they would like to joinus on on the upcoming episode,
we'd be happy to host them andhear what they've been working
on and have another pieholeconversation and get their take
from different parts of theworld.
Joshua Schmidt (38:24):
It definitely is of interest to us, so please
extend our invitation and ourkudos to them as well, okay,
sounds good.
Eric Brown (38:32):
Yeah, this was great , thank you.
Joshua Schmidt (38:34):
Thanks a lot, gents, for your time.
Today You've been listening tothe Audit presented by IT Audit
Labs.
My name is Joshua Schmidt,co-host, and today You've been
listening to the Audit presentedby IT Audit Labs.
My name is Joshua Schmidt,co-host and producer.
I've been joined by Nick Mellomand Eric Brown, and today our
guests were Dan Schaper and AdamWarner from Piehole.
So thanks again.
And we publish every other weekon Monday, and you can catch us
on YouTube, spotify, apple,amazon, wherever you get your
(38:54):
podcasts, and we have video onSpotify now as well.
So like and subscribe and we'llcatch you soon.
Eric Brown (39:01):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact or all.
Our security controlassessments rank the level of
(39:23):
maturity relative to the size ofyour organization.
Thanks to our devoted listenersand followers, as well as our
producer, Joshua J Schmidt, andour audio video editor, Cameron
Hill, you can stay up to date onthe latest cybersecurity topics
by giving us a like and afollow on our socials and
subscribing to this podcast onApple, Spotify or wherever you
(39:46):
source your security content.
All right, welcome to the Audit presented
by IT Audit Labs.
I'm your co-host and producer,joshua Schmidt.
Today we're joined by the usualcast, nick Mellom and Eric
Brown, our managing director atIT Audit Labs.
Today we're joined by DanShaper and Adam.
Sorry, adam, what's your lastname?
It's not on the Adam.
Adam Warner (00:19):
Warner.
Joshua Schmidt (00:20):
Well, great guys , Thanks again.
Maybe you could just give us alittle background on yourselves
and then how you got to beworking with PyHole and where
you're at today.
Dan Schaper (00:27):
It's got to have been 10, 12 years now.
I was looking for just thingsto do on the Internet.
Github was kind of new at thetime and bouncing around and saw
a project that was working onDNS was working on DNS and it
was kind of an interesting thingon content blocking and they
(00:49):
were having problems, ironically, getting IPv6 to work.
So I think my first poll wasintroducing IPv6, and here we
are, 12 years later, and IPv6 isstill nowhere to be seen.
I've been told for like 20years that school started IPv4
is over, you need to do six.
But so we started working onthat and it was just a ragtag
(01:11):
little group of people throwingthings together and then Adam
joined in.
Uh, very shortly after that weadded in our third, Dominic,
who's in Germany to help out,and then we've had some other
people come and go, as with opensource programs kind of do and
(01:34):
volunteer work does.
I'm amazed that we're stillhere this much later and still
have such a huge community and abig following.
The community is everything forus.
Joshua Schmidt (01:49):
Yeah, I can't wait to hear more about that.
You have what?
Over 190,000 Reddit followers,or?
Adam Warner (01:55):
Something like that .
Yeah, you'd think I'd have thatinformation just by hand.
Nick Mellem (01:58):
I think it's 191 when I was on there earlier 191k
.
Adam Warner (02:02):
Yeah, just so that, then that's awesome.
Joshua Schmidt (02:04):
That's impressive.
How about you, adam?
What's the background on youand how did you get to be
working with Dan?
Adam Warner (02:11):
So I first discovered I say discovered, I
didn't discover it, but I foundPiehole just on Reddit.
I was just browsing down thefront page and saw what looked
like a fancy dashboard orsomething.
Had a look into the post postand I was oh, hang on, this
looks like an interestingproject.
I've got a raspberry pi that issitting in a drawer.
In fact, at the time, Iprobably had about 10 raspberry
pi sitting in the drawer,because I had an awful habit of
(02:33):
buying them and then puttingthem in a drawer, um, because I
had no real, real purpose forthem.
I just thought they lookedfancy.
So span it up.
Um installed it and I think atthe time so this was back in
2016 I was using it, uh, andwhat I noticed was that the
whitelisting didn't work, or notvery well anyway.
It had an issue with it.
Um.
(02:53):
So, rather than uh complain, Ihad a look at the code to see
how it was working, what couldbe done to to make that work,
made it work, submitted a pullrequest to the project, and here
I am today, still after about10 years.
Joshua Schmidt (03:11):
We were talking just before we started recording
and you had let me know thatyou just released Pi Hole
version six.
Yeah, in February.
Adam Warner (03:19):
Yes, so that was five years in the making.
One of the things about usbeing a sort of volunteer-run
open-source project is we don'thave an awful lot of time to
work on things.
So when we do look at sort ofworking on major things, it
takes us a while, especially totry and sort of synchronize
everyone and get everyone in thesame place at the same time so
(03:41):
that we can actually press abutton to release it.
Eric Brown (03:44):
What's the big update in 6?
Adam Warner (03:47):
The web server, for example.
So we used to use a third-partyweb server.
Let me know how.
You say it Lighty, is it just?
Dan Schaper (03:55):
Lighty Lighty.
Adam Warner (03:57):
So that was a dependency of the project.
So the install script wouldalways install that PHP was a
big dependency of the project,would always install that PHP
was a big dependency of theproject.
In six, or PyHole six, we haveremoved the dependency for PHP
and LIT, so PyHole FDL is itsown web server now and the web
interface has been rewritten inLua pages.
Dan Schaper (04:19):
There's some Lua pages, some Java script and
that's still we're kind oflooking at, maybe doing a better
front end on it.
So we had the genius of Dom whodoes a lot of the C coding and
brought in, like Civit Web as aC package to handle the web
serving and trying to make it aone binary project.
Eric Brown (04:43):
What is PyHolic?
What does it do for theeveryday user?
Dan Schaper (04:48):
Essentially, when you go out on the internet, you
use your web browser or whatever.
You type in what's called adomain name.
You want to go to Google.
You just type in googlecom orwhatever site that you want to
go to.
On the back end, on howcomputers work, they don't
communicate via names and tokensand things like that.
They communicate with IPaddresses, numeric addresses.
(05:12):
So you need something that willconvert that name into an IP
address, a string of numbersthat computers can then use to
get you to where you need to go.
That's called a domain nameservice.
You send out a request, you saywhat is the IP address for
Google and you get back a number.
(05:32):
Your computer then understandsokay, to get to this number, I
need to go here, here, here, andget passed along.
What we do is we come along andsay, okay, there's this domain
out there is.
We come along and say, okay,there's this domain out there,
Evil Corp.
Well, we don't really want youto go to Evil Corp, or the
person decides themselves Idon't want to go to Evil Corp
because Evil Corp is going totake the information they see
(05:55):
from me and do things that Idon't want them to do.
So we say, when you ask uswhat's the address, how do I get
to Evil Corp?
We say Evil Corp doesn't exist,you can't get there, and that
kind of is is a very low levelbasic.
There's a lot of other featuresand things you can do to to
(06:16):
make it like nicer and spice itup and change it up.
Um, but uh, in in.
Essentially that's what we do.
It's called a DNS sinkholebecause we take DNS requests and
sync them.
Nick Mellem (06:31):
And it sounds like these things are pretty easy to
set up.
When I was, you know, inpre-production here, we were
talking about the YouTube videoI was watching.
It was a short where the guywas talking about he could set
this up faster than he can cooka hot dog in the microwave.
And he did do it.
Are you guys able to speak to?
Was that a part of theeducational process?
You wanted to make it easy, orwas that just the vision you
(06:52):
know throughout the project, tomake it easy for, kind of the
masses?
Adam Warner (06:55):
you didn't have to be technical, uh, to use the
pile so I mean I think I canprobably speak to this in that
um.
So when I, when I first joinedthe project um, I had never used
, I'd never touched linux um, soI've never done any bash
scripting anything like thatbefore.
I did have some background insort of c sharp programming on
windows, but beyond that um I'venever touched it.
So actually I found it prettysimple to install straight away.
(07:18):
This is even, you know, goingback 10 years when the installer
was probably a little bit morebasic but our, our installation
is a bash script.
Dan Schaper (07:28):
Um, and it is.
We joke about it.
It's the worst bash script youwill ever see in your life.
It's a thousand lines long ofbash script and originally uh,
the original project founder andconsidered co-founder myself
and Jacob Salmela when we didthe installation script.
(07:49):
There are a lot of comments inthere and the original intent
was you could look at thisscript as somebody who doesn't
know what batch is, doesn't knowwhat any of this is, and read
it line for line and see okay,here's, here's a command line,
here's the explanation of whatthis command does, how it does
it, what applications it usesand runs.
(08:11):
And to get back to the foodthing.
I guess there's a food thingwith pie hole, because it's pie
hole and apparently hot dogs,and we like to say you can run
pie hole on a potato, so we hadto have this food theme going on
with everybody now I don't knowif nick, you're vegan, right,
so would it work with a?
Joshua Schmidt (08:29):
vegan hot dog big vegan probably not big vegan
here I don't think they'll letyou into texas if you're a vegan
one of the cool.
Nick Mellem (08:37):
He's originally from minnesota though
considering the, the gift boxeric sent me yesterday was full
of bacon goods.
I think no vegans.
Eric Brown (08:48):
So the cool thing just to kind of tie together why
an everyday user, maybe even anon-technologist, might like
Piehole to set up at home isit's really easy to do.
It's really easy to do.
There's lots of great videosand great instructions to be
able to set it up without a lotof technical expertise.
(09:10):
But in some cases you can getenterprise-level security, like
security that you would get atwork with a device that costs 50
, 60 bucks.
Right, you get a Raspberry Piand get a SIM card and you can
install PiHole on the RaspberryPi, plug it into your network
(09:32):
and it's going to filter traffic.
And you might say well, why doI want to filter traffic?
And there's a lot ofconversation with PiHole about
being able to block ads.
Able to block ads, but evenmore so than that is the ability
to block malicious links, likewhat you were talking about.
(09:53):
You can create that level ofsecurity at home.
So you know, I don't know, adamDan, anything you want to talk
about related to that.
Dan Schaper (09:59):
The way a lot of the like Cisco's firewall
systems and their DNS systemsare extremely similar to PyHole.
You're paying for the support,obviously, but lists of domains
that you want to block.
If you can get a list in what'scalled host format, we can use
it and it's very tailored tocustomization.
(10:22):
You can have a big list ofdomains you want to block and
there's only two or three thatyou want to let through, for
whatever reasons.
Okay, you can allow those.
You have some systems where youneed to access these domains
for work.
You can put your laptop into agroup and say, okay, assign no
domains blocks to any computerin that group, so you're not set
(10:44):
to one system managingeverything and everybody has to
have the same thing.
Yeah, you can do some extremelynarrow, fine-grained systems.
Eric Brown (11:01):
I had to create the wife on block Acceptance factor
Because I had everything lockeddown and we went to watch a show
.
I was so excited when I firstbuilt out the pie hole and I've
got my laptop and I'm watchingall of the blocks and we went to
(11:22):
watch a show.
I don't know if it was on primeor Netflix, but we're even just
trying to bring up the Apple TVto get to the show and it's not
working.
I'm thinking this is great,right, I'm blocking a ton of
stuff that I don't know, like Ididn't know even existed, where
it's trying to go out and sendmy information out to all of
(11:43):
these third parties, and I'mjust kind of watching it on the
screen and then realizing thatit's maybe blocking a little bit
too much.
I probably downloaded a few toomany lists and integrated them,
so then I was able to just goin and whitelist some, and then
from time to time I will hearshouting from upstairs and you
(12:05):
know, it's like that thing.
You got running and so I uh, Iam able to, you're able to
easily, with piehole, putmachines into a group with less
or no filtering before before wehave the group's feature on the
.
Adam Warner (12:18):
On the piehole um.
That was as much as I hate theuh the stereotype um on the.
On the piehole um that.
That was as much as I hate the.
Uh the stereotype um.
On the on the subreddit, thatwas one of the biggest
complaints.
Uh was uh.
My wife's trying to buy thingson google shopping, uh, and
every time she clicks thesponsored link in the in google,
she can't get to the shopping.
How do I fix this?
And the answer always used tobe well, disable it for a bit
(12:39):
whilst you want to click thelink, um.
So people were coming up withbookmarklets so that they could
give it to their spouses oranyone else in their family and
say hey look, if something's notworking, just press this button
.
It'll disable PyHole for fiveminutes.
You can then do what you wantand then it will come back on.
Eric Brown (12:55):
Yeah, absolutely.
I thought about eveninstituting something at home
where it's like well, you got towatch this five minute video on
security, I didn't.
That didn't go over too well.
Nick Mellem (13:06):
So, besides blocking all these websites and,
you know, stopping wives orsignificant others from
purchasing you know, this, thator the other, I suppose and I
don't use a pie hole, so I'm I'mlearning a lot here but could
this also be thought of a waythat just streamlines and speeds
up your web browsing experience, because it's not going out to
(13:26):
get all these curated ads on allthese websites?
I think the most, what I canthink of the most easy, is you
know you're doing a speed testfor your internet.
You know you go to one of thesewebsites and it's just like all
around where you're going tosee how fast your internet is.
It's just littered with ads soit takes a while for that to
generate.
If this is running, it's noteven going out to get those
(13:49):
those ads.
So I would assume across theboard, you know people are
seeing you know an easier andmore quick experience on the web
.
Dan Schaper (13:57):
It does reduce the amount of traffic you pull
because malvertisements tend tobe really heavy with a lot of
garbage attached to them.
One thing that we kind of anunintended side effect CDNs,
things that are geo IP based canget confused.
So a lot of the gamers at firstwere my latency shot to the roof
(14:20):
.
Well, yeah, because you're inAmerica and the geo IP is not
going to be able to work, soit's sending you to a server
farm in Germany.
There are ways to get aroundthat with some DNS extensions
that allow you to at least givea portion of where your IP is
(14:41):
located at, so you can get tothe proper CDN endpoints that
are located closer to you.
But at the heart of PyHole itis a full functioning DNS DHCP
server.
You want to develop and usethey call it a split brain DNS
or split horizon DNS, and theycall it a split brain DNS or
split horizon DNS where you haveIP addresses for your
(15:04):
production work and you want touse the same domain names but
use your local area networks.
You can go ahead and set it upand say when I ask for
production domain names, returnmy local, and you don't have to
worry about things like hairpinnatting or any of the router
tricks.
(15:25):
You're actually returning adifferent IP address depending
on where you happen to belocated.
Nick Mellem (15:31):
Dan, you brought up YouTube a little bit ago and
that's one thing I was thinkingabout.
And, funny enough, before wejumped on, I was searching the
internet looking at all thedifferent pies, pies to piehole
items and one of them one thatPost I saw was oh, I'm gonna
make a pie hole so I canessentially have YouTube premium
for free, and I was thinking tomyself what would that actually
(15:54):
work?
So, you know, maybe take asecond.
I'm curious on your thoughts.
I know you said I think youdislike this YouTube because of
this.
Can you elaborate on that said?
Dan Schaper (16:03):
I think you dislike this YouTube because of this.
Can you elaborate on that?
You want to do the Linus TechTips video that shot us in the
foot with that one.
Nick Mellem (16:09):
Was that what it was?
I didn't see that one, but I amfamiliar with him.
Dan Schaper (16:12):
Originally way, way back.
Yeah, Four or five years agoSix years ago, we'll say, I
think.
Yeah, he did one and he wasable to show somehow.
And this was back in the dayswhen, yes, you could block some
of the video roll from YouTube.
This was pre them knowing abouthow we worked and stuff.
Now they bake it directly intothe video stream.
(16:38):
So there isn't a separate DNSquery or a DNS endpoint.
You're not going to a CDNanymore like they used to do.
Ads were served from adifferent infrastructure than
videos.
It's all merged into one flownow, but people still see that
video and go oh well, I shouldbe able to block YouTube videos
like ads.
Nick Mellem (16:58):
I see it right now.
Block every online ad with thispie hole on Raspberry Pi.
It's got 4.6 million views andit was published five years ago.
Spot on, yeah.
Joshua Schmidt (17:09):
I think this is a good time for the disclaimer,
as we insert that into thepodcast here.
Adam Warner (17:15):
There he goes again .
Eric Brown (17:16):
Nick, there he goes.
Joshua Schmidt (17:19):
Well, we are hosting this on YouTube.
I would hate to set off anyalgorithms to clamp down on our
views, but yeah, we are hostingthis on YouTube.
I would hate to set off anyalgorithms to clamp down on our
views, but yeah, we don'tcondone any illegal activity, of
course.
My question was do you have asense of like I'm sure you do,
and especially Adam running theReddit what the community finds
to be the most valuable part ofthis?
(17:39):
Is it the ad blocking function,or is it mostly used by people
with personal computers?
Or do you find enterprisesusing this, or organizations, or
is it a mix?
Adam Warner (17:51):
There's probably a pretty healthy mix of people
that have just stumbled upon theproject because they've seen it
.
There's a lot of people who arenow new to the project because
of all of the issues with ublock, origin in chrome, which is now
um no longer working in the newversion of chrome, um, I think
anyway, um.
(18:11):
So we've we've got a lot of newusers through that um.
But then you've got the, thesuper technical people who I
would say, probably definitelyknow a lot more than us.
Whether they do or not, theycertainly come to us as though
they do.
But there's all sorts.
Eric Brown (18:30):
One of the things that you mentioned there, adam,
was how some people are usingplugins in their browser to do
some of that ad blocking work,and that certainly works.
But, as you mentioned, youblock origin Chrome.
That plugin then, with Chrome'srecent changes, doesn't work.
(18:50):
So then, how do you deal withthat?
How do you keep the samefunctionality?
And well, you move it away fromthe browser and you move it to
the network, and the Pi holeworks at that network level.
I suppose it could work locallytoo, but if you, if you have it
on the network, then it'sworking for all of the machines
on the network.
And one of the tests that Ijust personally have found to be
(19:13):
pretty cool is a website Ithink it's tmzcom, tmzcom.
So, dan, maybe being morefamiliar with the Los Angeles
area.
Dan Schaper (19:26):
Yeah, I know, harvey.
Eric Brown (19:28):
It's for the 30-mile zone.
I guess that's around LosAngeles.
I mean something out there, noidea.
All I know is that site gets aton, has a ton of ads baked into
it.
So if you let that page loadyou'll see the counters just go
up.
If you have an ad blocker inthe browser Over 100, I think
(19:48):
it'll block on that, like ifyou're using Ghostery or
something like that.
But it's great to see it too onthe pie hole and just go to
that site and just watch all ofthe blocks come up from that
site.
It's pretty amazing all of thethings that they're doing to
monetize that site and thatexperience and what it looks
(20:10):
like when you're looking at thatwebsite, filtered versus
unfiltered.
Dan Schaper (20:15):
Well, also consider how do you use an ad blocker or
a malicious traffic blocker onyour home surveillance cameras
on your refrigerator, on yourweb-connected Light bulbs?
Yeah, I got an air fryer theother day that has an
application for it and itconnects to Home Assistant.
(20:37):
It's like it's an air fryer,come on.
Eric Brown (20:53):
And it's like it's an air fryer, come on, but yeah,
so being at the internet orbeing at the network level,
things that don't have userinterfaces, things that you
don't see and deal with, theycan still benefit.
Apple TVs can benefit from it.
Smart TVs can benefit from it.
Somebody I know has one ofthese.
It's like some sort ofelectronic litter box, as I hear
it it's called.
What is it?
That's you, Eric who could thatbe eric that has this you can
actually monitor the cat'sactivity in the litter box from
an app on the on the phone.
You know while you're remote.
So you know to your point.
Dan Schaper (21:14):
Everything is connected don't you have one of
those adam?
Adam Warner (21:18):
I had one of those.
The cat did not get on with it,so we Cat did not appreciate
the litter box surveillance.
He's a hipster, he hatestechnology.
Joshua Schmidt (21:33):
He's a lewdite cat.
That brings me to one of myother questions I had prepared.
What are some of the challengesthat Pileface is keeping up
with increasing sophisticationof ad delivery mechanisms?
I'm assuming that was bakedinto your latest update in
version six?
Yeah, and maybe you could kindof shed some light on what some
of those might be that we mightnot think about.
(21:54):
We just talked about, like youknow, roomba and adding that
pile at the network level tokind of give you some extra
protection on the IoT devices.
But anything new that you'veseen popped up, that that pie
hole has been addressing.
Dan Schaper (22:09):
It depends on white hat versus black hat on a few
things Ever since.
The big thing now is encryptedDNS DOT, doh, doq, no-transcript
(22:35):
and, depending on what thatcanary domain responded, you
could turn off DOH in Firefoxinternally.
So you could with PyHole, sayanybody on my network.
They need to stick with plain,unencrypted DNS.
Where you get into somedifficulty is for the bad actors
(22:55):
that give you an Android appthat is intentionally hard-coded
and bypass all of that and gothrough that gets into where you
do need some pretty heavy-dutyfirepower to be able to do it.
Even your home firewalls can'tdo it, because you need to be
able to break those encryptedpackets to see what the payload
(23:19):
is, able to break thoseencrypted packets to see what
the payload is.
So, as long as people play bythe generally accepted rules and
I think that's going to happenbecause you have enterprises
Enterprises are going to need tofigure out how to prevent
exfiltration through systemswhere they have their internal
DNS and you need to use ourActive Directory systems, our
(23:41):
structures, then how do theyprotect themselves?
And luckily, the way that theyprotect themselves can be scaled
down to home use also.
These agreements, thesepolicies and procedures that are
being codified do not needheavy lifting technology to be
able to use them.
(24:02):
We have version 6.1 coming outthat we wanna get out within,
probably this weekend.
Maybe that has some updateswhere these specific requests
from Apple, svcb requests wherewe can return either say these
(24:23):
services do not exist, don't golooking for them, or these
services exist and here are howyou can connect to the pie hole
to use these services instead.
Joshua Schmidt (24:30):
I was wondering if Eric could speak to using
this type of technology withinorganizations or helping others
shore up their security posture.
Eric Brown (24:39):
I think it's great in organizations that maybe
can't afford theenterprise-level firewalls that
are going to be able to do thatman-in-the-middle, where they're
breaking encryption andinspecting and then
re-encrypting and sending thetraffic on, which is what you
need to do in order to look atencrypted packets that might be
(25:01):
coming from an infected endpoint, where the threat actor put a
protocol in place in order toprotect that traffic.
Smaller organizations and homeentities aren't going to, as Dan
said, break that encryption,look at it and send it on, but
something like a pie hole or away to bring in lists, host
(25:29):
lists, into their firewall orwhatever is providing their DNS
services, is really a greatthing Like we were talking about
earlier.
This is really enterprise gradetechnology that is at fractions
of the cost, so you could bringit in and plug it into a network
and it doesn't consume muchresources at all.
(25:52):
And a really big shout out tothe Pihole community, because
there are some people out therethat are curating and generating
lists that we all then consumeand use, and the lists are up to
date.
Some of them are updated daily,if not more frequently, with
(26:13):
really new and emergingmalicious sites and we can
consume that and then we're justas safe as an enterprise
organization.
Joshua Schmidt (26:24):
That was going to be my follow up with.
That was going to say, adam,maybe you could speak to just
the value of the community andhow, how those people have been
generating those lists and howyou, how you integrate that
information into what?
Adam Warner (26:37):
you and Dan are working on.
Every block list that's outthere is community maintained.
We don't have an opinion.
So, as the software itself, wedon't care what you're blocking.
You can block as much or aslittle as you like.
It's really up to you how youuse it.
So when we initially install,just to make sure it works and
(27:00):
just to sort of lower thebarrier to entry, we have one
suggested list which we foundworks quite well, doesn't block
too much, doesn't break a lot,and that's just there to get
sort of people started.
But yeah, there are, I meancertainly on reddit.
There's a guy forget his name,w3k who maintains a list of
(27:22):
lists, so not just his own liststhat he puts together, but he
also, I think he goes throughand kind of optimizes a few
other people's lists.
Firebognet, I believe, is wherehe keeps those.
Dan Schaper (27:35):
Yeah.
Adam Warner (27:35):
Firebog, and then you've got.
There's just so many's, so manypeople out there that are just
coming up with the differentthings.
Joshua Schmidt (27:43):
One list to rule them all.
Eric Brown (27:45):
It sounds like sometimes more isn't necessarily
better.
So, Adam Dan, I don't know howbig are your lists that you run
on your home environments.
Adam Warner (27:56):
So I'm I'm not super fussy at home, um, I'm
still running just the defaultblock list.
So I've got currently about130,000 blocks on my block list.
You see, people on Reddit it'salmost a competition at some
point.
So people will come in withlike 15 million domains and you
think that you're not visitingor you're not hitting that many
(28:16):
domains, surely?
But people, you can do it, sothey do.
Nick Mellem (28:21):
But their wives might be visiting all those.
Joshua Schmidt (28:25):
Is there a list with Joanne Fabrics included on
there, aren't they?
Eric Brown (28:29):
out of business.
Dan Schaper (28:31):
I was going to say Joanne's closing.
Adam Warner (28:34):
Sort of talking of block lists.
I've even seen and I thinkmaybe I think, Dan, you used to
do this as well I've seen it thecomplete other way around,
where people have no block listsand they have a single domain
on their block or a single entryon their block list which is
just dot, and that blockseverything by default, and then
(28:55):
they won't look at it the otherway around.
They start whitelisting thingsso they actually end up with
bigger whitelists than a blocklist.
It's, I imagine, a pain in theass to manage and to keep up
with because there are just somany domains out there, but it's
another thing that we've seenpeople do.
Dan Schaper (29:14):
Yeah, it's a default deny and then only
specifically allow certainminors that you want.
Yeah, if you're streaming video, that is not the way to go,
because you're you're going more.
I'll have this.
No, no, I'll have this now.
Eric Brown (29:27):
Yeah, you could do that almost as a time base right
, Like if it's, if it's time forthe kids to go to bed, and
you're like, all right shut.
Dan Schaper (29:40):
They don't want to do it and you're like all right,
boom, 10 pm shutdown.
People do do prong, job basedor chronologically based, for
not even just complete shutdowns, but just for I want to cut my
addiction to social media.
So I'm going to give myselfthese five minute blocks where I
can access it but most of thetime not be able to access it.
And then you have some externalthings saying no, don't do it,
(30:02):
reminders, yeah.
Joshua Schmidt (30:03):
Have you guys seen this, this new product
called a brick, I think it'scalled where it makes you
physically physically get up andunlock you know an app.
You can program it to unlock aspecific app by you know blue
toothing it to your phone For aspecific amount of time so you
can only hit Instagram if you goup to the brick, unlock it.
(30:24):
Oh wow, for just kind of whatyou're talking about, but it
sounds like you can do that withPiehole.
Dan Schaper (30:28):
Originally we wanted to be able to provide
this tool and then say, hey, dowith it as you want, Extend it
as you want, add in features asyou want.
And we're getting to that pointwhere you can programmatically
access things.
I never use the web interfaceOnce it's set up.
It's set up and I don't reallyneed to go through and tweak it.
(30:51):
Took a while to get to thatpoint, but yeah, now it just
kind of just runs on its own.
Joshua Schmidt (30:56):
That's a perfect segue.
I was going to ask, adam, ifyou've seen any interesting or
unexpected use cases for the Pihole that go beyond the ad
blocking function.
Adam Warner (31:07):
Not really that go beyond the ad blocking function,
but certainly in terms of justintegration to other systems.
So again, as I mentioned withv6, we've got this new shiny,
restful API which is much moreadvanced than the old API in our
v5 version and with that peopleI think there's a guy who's
(31:27):
made an Android.
Yeah, there's an Android app,there's an iPhone app.
These are all community madethat effectively mimic the web
interface, allow you to manageit on the go.
I've seen integrations intoHome Assistant.
I think you've got people inthere, sort of automations
actually setting up a trigger todisable PyHole or enable PyHole
(31:48):
in certain things, based on notjust time but whether or not
the lighting they're always on,that sort of thing.
Dan Schaper (31:55):
Yeah, the staples easy button when you want to
stop the blocking I've got oneon my desk actually where do you
see the future going?
Nick Mellem (32:02):
you know how is ai dictating how pie holes evolving
.
Anything you guys want to speakto on that?
Eric Brown (32:08):
the future?
Um, nick, to some extent is allof the technology that is built
into appliances.
These days, I think just aboutevery appliance that you could
put in your home has some formof connectivity capabilities
washers, dryers, refrigerators,rice makers, right Toasters I
(32:32):
think Dan said your careverything is connected and that
kind of gets into the IPV6,where everything potentially
could be on the internet and ifyou're not taking some level of
caution you're just pretty muchexposed.
So a project like this isreally awesome.
(32:53):
It puts some of the controlback in the consumer's hands
that may not want to just plugthat refrigerator in and then
the next thing you know it'sdumping out the contents of
whatever is in there to whoknows where that's going.
I mean, the simple solution tothat is you just don't connect
(33:14):
your fridge to the internet andit might be one of these days
that, in order to warranty thething, it's got to be internet
connected right Like they'regoing to put checks and balances
in place, unfortunately, and Ihope it doesn't go there for a
while, but that is certainly apossibility.
Joshua Schmidt (33:33):
Yes and so on that note, adam, can you think
of any?
How do you see yourself in thisecosystem of the community on
Reddit?
Do you see yourself more aslike a firefighter, police
officer, park ranger?
I mean, it's a lot of people tomanage and seems like a big job
.
Adam Warner (33:53):
When we first started certainly when I first
got involved 10 years ago, I wason Reddit every day.
Every sort of hour of free timeoutside of work I would be in,
read every thread, read everycomment.
That got very tiring veryquickly In sort.
(34:14):
Of.
Recent years I've had less timeto be able to commit to that
for work reasons, but I meanwe've got some super moderators
out there.
Jfb John is a good one.
He again, he is like that.
He's in every thread.
He reads every message, notjust on Reddit but on our
discourse forum as well.
I don't know where he finds thetime.
(34:36):
I assume he's got a lot of itor maybe I've never met him.
Actually he could be AI.
There are a lot of people outthere who are very into Pi-Hole
and are happily giving back tous, to the community, sharing
(35:00):
their own projects.
One of our biggest requestedfeatures in all time has been
high availability of having twopie holes on your network for
redundancy and being able tosynchronize those two pie holes.
It's not something we've everquite got around to doing.
However, there are at least sixthat I can think of off the top
(35:22):
of my head projects out in thecommunity where people have
taken it upon themselves tocreate a project that will
approximate that and actuallykeep several pie holes in sync.
There's there's been a fewpopular videos doing the rounds
recently, since we launched v6,of how to set up, you know,
three pie holes for redundancyon a, an LXC stack, plus having
(35:45):
these synchronizers to to keepeverything like the block lists
and everything the same, so thatthe community for that purpose,
you know they, it's brilliantthe best of all worlds, can you
know?
Joshua Schmidt (36:00):
free software, an amazing community.
People are joining together tohelp other people out.
It's good to have somepositivity, especially in the
world in general.
But in cybersecurity, we oftenhear a lot about a lot of the
bad things that are happening.
So it's really cool to hear howpeople are banding together and
creating a positive impact.
Adam Warner (36:21):
The people who are sort of enthusiastically
negative as well.
I'm sure you agree.
Joshua Schmidt (36:27):
So if someone like me who doesn't know a lot
about tech really piqued myinterest on this conversation,
where should they go to getstarted, and how should they get
started with integrating a piehole into their security posture
?
Dan Schaper (36:40):
Probably the best way is our website, piholenet.
It's P-I-H-O-L-Enet, I thinkit's still pretty much a version
five.
You'll see there.
I haven't updated it forversion six, but there's links
there to our GitHub at the top,to the community for our
discourse.
Best place to get a hold of usis to do that discourse, which
(37:04):
is discoursepy-holenet.
And yeah, any questions,anything you need, come find us
there.
We're happy to talk to you andget things set up for you.
Joshua Schmidt (37:17):
Excellent, well, great work Everything you've
been up to and, on behalf of thecybersecurity community, we
commend you for your time andthat you put into this and
helping people shore up theirsecurity.
Dan Schaper (37:29):
Thank you.
Joshua Schmidt (37:30):
If I may speak for them on this podcast.
Nick Mellem (37:33):
You can.
Yeah, congratulations, guys onwhat you've built, and
especially the community.
I think that's huge for me,especially in this space, seeing
a community of almost 200,000people like-minded that are
helping everybody else.
Kudos to you guys for curatingand building that.
Adam Warner (37:51):
Yeah, I mean it's a team effort.
At the end of the day, it's notjust myself and Dan that are on
the core team.
We've got Dom over in Germany,rd down in brazil, um ub again
over in germany, so we've gotsort of there's a few of us in
the sort of cool team and thenthere's probably contributors
that I don't know where they are, but they're regular enough
(38:14):
well, if they would like to joinus on on the upcoming episode,
we'd be happy to host them andhear what they've been working
on and have another pieholeconversation and get their take
from different parts of theworld.
Joshua Schmidt (38:24):
It definitely is of interest to us, so please
extend our invitation and ourkudos to them as well, okay,
sounds good.
Eric Brown (38:32):
Yeah, this was great , thank you.
Joshua Schmidt (38:34):
Thanks a lot, gents, for your time.
Today You've been listening tothe Audit presented by IT Audit
Labs.
My name is Joshua Schmidt,co-host, and today You've been
listening to the Audit presentedby IT Audit Labs.
My name is Joshua Schmidt,co-host and producer.
I've been joined by Nick Mellomand Eric Brown, and today our
guests were Dan Schaper and AdamWarner from Piehole.
So thanks again.
And we publish every other weekon Monday, and you can catch us
on YouTube, spotify, apple,amazon, wherever you get your
(38:54):
podcasts, and we have video onSpotify now as well.
So like and subscribe and we'llcatch you soon.
Eric Brown (39:01):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact or all.
Our security controlassessments rank the level of
(39:23):
maturity relative to the size ofyour organization.
Thanks to our devoted listenersand followers, as well as our
producer, Joshua J Schmidt, andour audio video editor, Cameron
Hill, you can stay up to date onthe latest cybersecurity topics
by giving us a like and afollow on our socials and
subscribing to this podcast onApple, Spotify or wherever you
(39:46):
source your security content.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Cold Case Files: Miami
Joyce Sapp, 76; Bryan Herrera, 16; and Laurance Webb, 32—three Miami residents whose lives were stolen in brutal, unsolved homicides. Cold Case Files: Miami follows award‑winning radio host and City of Miami Police reserve officer Enrique Santos as he partners with the department’s Cold Case Homicide Unit, determined family members, and the advocates who spend their lives fighting for justice for the victims who can no longer fight for themselves.