  1. #1
    Master Untangler
    Join Date
    Oct 2013
    Posts
    246

    Need some guidance whether to keep Ad Blocker turned on if I'm using Pi-Hole

    Background: I have had Untangle running for over 31 days (since last reboot) and the Ad Blocker so far has only blocked 645 ads. Two days ago, I set up Pi-Hole and in just the last 24 hours, it has blocked over 30,000 DNS queries to ad domains.

    I don't know how that translates to Untangle's metrics, but my general impression is that the protection provided by Ad Blocker seems superficial by comparison. That said, with Pi-Hole deployed, will it be alright to turn off Ad Blocker if it means freeing up resources, however small?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,935

    I don't use it, I use the web adverts category in web filter. The latter will outperform your Pi-Hole, the former only sees HTTP requests.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    May 2008
    Posts
    352

    I think DNS does not search for https, only the domain name.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,935

    Web Filter uses SNI to inspect HTTPS sessions. That's basically the same level of detail you get from a DNS filter.

  5. #5
    Master Untangler
    Join Date
    Oct 2013
    Posts
    246

    Appreciate the insights. I'll fine tune the web filtering and turn off Ad Blocker.

  6. #6
    Untangler
    Join Date
    Mar 2018
    Location
    Toronto, Ontario
    Posts
    37

    oj88,
    Like you, I'm using Pi-hole as well and turned off Ad Blocker a long time ago. I'm looking at turning off the web filter for web advertisements in the coming weeks because:
    * Pi-hole has much better quality blocking of adverts, telemetry, malware, etc.
    * DNS load balancing, plus it finds the faster DNS servers configured.
    * if a website doesn't work, my kids can unblock Pi-hole for 5 minutes and debug to see sites that were blocked which should potentially be whitelisted, and they checked with me if it's okay or not.

  7. #7
    Master Untangler
    Join Date
    Oct 2013
    Posts
    246

    Originally posted by balrog:
    oj88,
    Like you, I'm using Pi-hole as well and turned off Ad Blocker a long time ago. I'm looking at turning off the web filter for web advertisements in the coming weeks because:
    * Pi-hole has much better quality blocking of adverts, telemetry, malware, etc.
    * DNS load balancing, plus it finds the faster DNS servers configured.
    * if a website doesn't work, my kids can unblock Pi-hole for 5 minutes and debug to see sites that were blocked which should potentially be whitelisted, and they checked with me if it's okay or not.

    Yeah, being a Pi-hole user for barely a week, I'm sold! Nothing against Untangle but all things considered, Ad Blocker ought to be removed or updated to something more robust. IMO, it catches ads like sipping soup with a fork. I have turned it off as well, as advised above.

    In the rolling 24-hour report, Pi-hole blocks north of 50,000 queries to ad domains, which averages to about 30% of all DNS queries.... that's web traffic that's not even going to reach Untangle.


    I'm not yet ready to turn off advert blocking in Web Filter. I still see it blocking a few adverts even with Pi-hole running so I'll probably keep it as a 2nd layer protection for now.

    I am curious as to how you've set up your DNS load balancing. I maintain a Windows Server DNS for internal name resolutions like such:

    Clients from multiple VLANs > Windows Server 2019 DHCP+DNS > Pi-hole > Untangle.
    Last edited by oj88; 05-03-2021 at 08:24 PM.

  8. #8
    Untangler
    Join Date
    May 2008
    Posts
    352

    Pi-hole can do DHCP and DNS. It will work for local DNS. I don't use that yet but will when support for 2012r2 runs out now that I am retired.

  9. #9
    Master Untangler
    Join Date
    Oct 2013
    Posts
    246

    Originally posted by donhwyo:
    Pi-hole can do DHCP and DNS. It will work for local DNS. I don't use that yet but will when support for 2012r2 runs out now that I am retired.

    I don't think Pi-hole can do multiple DHCP pools, at least not from the GUI. As for local DNS resolution, do I have to manually enter each client hostname+IP in Pi-hole? I have Windows DHCP+DNS do that for me automatically. This is important because I use the clients' hostnames as conditions in Untangle's Policy Manager.

  10. #10
    Untangler
    Join Date
    Mar 2018
    Location
    Toronto, Ontario
    Posts
    37

    Originally posted by oj88:
    In the rolling 24-hour report, Pi-hole blocks north of 50,000 queries to ad domains, which averages to about 30% of all DNS queries.... that's web traffic that's not even going to reach Untangle.

    I'm not yet ready to turn off advert blocking in Web Filter. I still see it blocking a few adverts even with Pi-hole running so I'll probably keep it as a 2nd layer protection for now.

    I am curious as to how you've set up your DNS load balancing. I maintain a Windows Server DNS for internal name resolutions like such:

    Clients from multiple VLANs > Windows Server 2019 DHCP+DNS > Pi-hole > Untangle.

    That seems right. Mine is blocking at 29% with 1.2 million domains being blacklisted. For load balancing, the context here is about load balancing/high availability in upstream DNS providers used by Pi-hole. For me, I use OpenDNS, Cloudflare and my ISP DNS. Because Pi-hole uses dnsmasq, the magical sauce is "--all-servers". Forwarded DNS queries go to all upstream nameservers simultaneously and dnsmasq chooses the fastest one.

    The effect is that you get the fastest DNS response (mine is at least 30% faster on average) and HA at the same time, since if OpenDNS is down, it will simply ignore it.

    Like a bad infomercial at night, but wait, there's more! Since Untangle uses dnsmasq, you can do the same thing above to make DNS resolution faster if you don't use Pi-hole.

    Now, for the cons. Slight privacy since you are advertising your DNS requests to multiple providers. Bad netizen since you unnecessarily query upstream DNS? My counter to that is that it's free (OpenDNS and Cloudflare) and I paid for my ISP to use their DNS infrastructure.
