Having fun with DNS control on home networks

As many people here know, DNS (Domain Name System) is a protocol that your computers and internet connected devices use to resolve domain names such as “Microsoft.com” to an actual address of the server that will show the content requested (in this case, the home page of the Microsoft.com web site). Computers, phones, and other devices don’t really connect to “Microsoft.com”. At a very high level, the following happens:

  • The user types “Microsoft.com” into the web browser.
  • The device contacts the DNS server that is registered on the current network and asks for the address that matches the “Microsoft.com” record.
  • The DNS server returns the answer to the device.
  • The browser then connects to the web site address. The browser will still show that you are connected to “Microsoft.com” but really, your device and the Microsoft server talk through addresses, not friendly names like “Microsoft.com”.
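To make the second and third steps concrete, here is an added example (written for this article, not code from the author or from any DNS product) that builds the question a device sends and decodes the answer it gets back, using the DNS wire format from RFC 1035. The response bytes are constructed by hand, and 203.0.113.10 is a documentation address standing in for whatever Microsoft's real server address is.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035).

Added example for this article; not Pi-hole, Unbound or Microsoft code.
The response is constructed locally; 203.0.113.10 is a TEST-NET-3
documentation address, not a real server.
"""
import struct

QTYPE_A = 1   # IPv4 address record
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'microsoft.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """The packet a client sends: 12-byte header plus one question for an A record."""
    # flags 0x0100: standard query with the Recursion Desired bit set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following 0xC0 compression pointers.

    Returns (name, offset just past the name as it appeared at the original position).
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                    # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, response code and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F                   # 0 = NOERROR, 3 = NXDOMAIN
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": rcode, "answers": answers}


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """What a resolver sends back: echo the question, then one A record whose
    owner name is a compression pointer (0xC00C) to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(part) for part in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("microsoft.com")
    print(parse_response(constructed_response(q, "203.0.113.10")))
```

The transaction id and the echoed question are how a client matches an answer to the query it sent; a resolver that only checked one of them would be easier to feed a forged answer, which is one of the reasons the DNS attacks mentioned below exist.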

I will annoy you all with one more technical term: DHCP (Dynamic Host Configuration Protocol). DHCP is a networking protocol that can be used to provide every device that connects to a network with a unique address on that network. Each device must have a unique address on the network. On a typical home network, your Internet Service Provider (ISP) router is a multi-functional device which, among other things, behaves as a DHCP server on your network. This will become relevant later in the article…

Who cares about this geeky DNS stuff?

DNS is kind of a big deal. Some reasons why:

  • If someone can hijack or compromise the DNS server on your network, they could send your devices to a site that looks like “Microsoft.com” but is not. That would be bad. Imagine it being a bank site instead. Indeed, there are various DNS attacks out there and different standards are in place to help fight such things.
  • If the owner of the DNS server that your network uses wanted to, they could correlate the domains that you are visiting with the address of your devices. To be clear – this does not mean that they’d see what you are doing at those addresses, rather, they could get a general sense of places you go to.
  • It follows, then, that by controlling the DNS resolution process on your own network, you can achieve a certain level of privacy protection and perhaps even block communication to some “known bad” domain names.

What if I told you that by doing a bit of research and work, you can drastically lower the number of ads that are shown on all devices connected to your network? And cut down on the amount of tracking done on your devices too?

But… will that not break the Internet?

It is fair to point out that there are many web sites out there that rely on their advertising revenue to stay in operation. On the other hand, the reality of it all is that the amount of tracking and data collection going on is quite staggering, actually. And it is not just what developers put into their apps; they might use third-party packages that provide functionality inside of apps, and those packages might have tracking of their own. My goal here is not to pitch “DNS hygiene” as some sort of ultimate tool that will restore everyone’s privacy at zero cost. Rather, I suggest it as a learning tool with some benefits of fewer ads and tracking!

OK… got it! How do we do this?

There are several solutions that are readily available that you can use for network-wide DNS control. For the purpose of this article, they can be divided into two categories:

  • Devices: typically, you get a device, plug it into your network and make some adjustments to your network settings. The device you purchased then (typically) serves as a DNS endpoint for your network and via that device, you can see reports of what is being blocked, allow / block specific domains and control which devices you want to block the traffic for. Some examples of this are AdGuard Home or Pi-hole. Some of those might require a subscription and some do not. Also, check your router settings. If you use one of the newer Mesh Wi-Fi systems (like Eero, but likely there are others) – it might provide a service or functionality allowing you more control over DNS. There are other solutions out there too if you search for DNS blockers / filters.
  • DNS providers: you can choose a DNS provider that offers DNS filtering. In this case, you typically create an account and configure your network address that will be connecting to a specific DNS provider. If you want to get reports of DNS usage or configure a particular type of filtering or blocking, you’d usually use a portal at the DNS provider. Some examples of this are OpenDNS and NextDNS or ControlD (there are others).

What do I use?

For some time, I used a service provided by my mesh Wi-Fi router. But wanting to play with this a bit more (and I also wanted to play with a Raspberry Pi), I downloaded and installed Pi-hole (which is an open-source product). I run it on a Raspberry Pi (I think mine is version 3b+). I then wired all this up as follows:

  • ISP modem / router gets the Internet connection first.
  • My mesh Wi-Fi system is the only thing plugged into the ISP modem. My mesh Wi-Fi router is the DHCP server on my network (it gives all devices an address on the network).
  • My Raspberry Pi is a client that is hardwired (physically plugged in) to my home network, running Pi-hole software, with a static IP address (the address will not change if I reboot the Pi).
  • My mesh Wi-Fi system is configured as the DHCP server, and any network client gets the Raspberry Pi as the DNS server.

The end result of this is that well-behaved clients (I’ll come back to this later) then go to the address of my Raspberry Pi for their DNS needs. On that Raspberry Pi, I also run Unbound, which means that my Raspberry Pi is truly a DNS server for my network (instead of just passing requests to what is known as an ‘upstream’ DNS server, like, for example, the ISP’s server). Note that running Unbound is an optional step and you could use, let’s say, OpenDNS as an upstream DNS server instead. My Pi-hole software then uses my Unbound software (on the same Pi) as the “upstream” DNS server where requests are sent to. So, it all works together kind of like this:

  1. My computer boots up and gets the local network address from my mesh router (it uses the DHCP protocol for this).
  2. My Wi-Fi mesh router, as a part of the response, gives my computer the address of my Raspberry Pi as the DNS server.
  3. Sometime later, on my computer, I type “Microsoft.com” into my browser.
  4. My computer looks up the DNS server address it got from the network; oh, it is my Raspberry Pi!
  5. My computer sends the DNS request to resolve “Microsoft.com” to the Raspberry Pi.
  6. Pi-hole software that is listening on the Raspberry Pi gets the request and looks at the “Microsoft.com” name. It checks if this domain name is one of the domains that are configured to be blocked on my network (it is not.)
  7. Pi-hole software then hands off the DNS request to Unbound software on the same Raspberry Pi (if Unbound was not running, it would send it to a different upstream DNS server that you can choose).
  8. Unbound resolves the name to the address and sends my computer the result.
  9. Having the address, my browser then connects to the Internet address of Microsoft.com. Note that until the next time that the computer needs to resolve “Microsoft.com” to the address again, the computer does not need to contact the DNS server again for this address.

All of this happens very quickly. Note that in step #6 above, if “Microsoft.com” was a domain that I blocked on my network, the reply to the computer would have no connecting address. This would then mean that my computer would not know where to connect to Microsoft.com and therefore I’d see an error in my browser (something to the effect of “This site can’t be reached”).
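The following is an added simulation of steps 5 to 9 and of the blocked case just described; it is example code written for this article, not Pi-hole or Unbound code. The blocklist, the client address, the upstream answers (documentation addresses from 198.51.100.0/24 and 203.0.113.0/24) and the TTLs are constructed sample data. The `Upstream` class stands in for Unbound, `FilteringResolver` for Pi-hole, and `Client` for the computer, including the cache that makes step 9 a one-time lookup until the answer's TTL runs out.

```python
"""Simulation of the resolution path: client -> Pi-hole-style filter -> upstream.

Added example for this article; not Pi-hole or Unbound code. All domains,
addresses and TTLs below are constructed sample data.
"""

# Pi-hole's default blocking mode answers with the unspecified address, so the
# client receives a reply but has nowhere to connect (hence the browser error).
BLOCKED_ADDRESS = "0.0.0.0"

# Constructed blocklist: the two example domains used in this article.
BLOCKLIST = {"bestads.com", "yummiesttrackingcookies.com"}

# Constructed stand-in for what Unbound would resolve recursively: name -> (address, ttl)
UPSTREAM_ZONE = {
    "microsoft.com": ("203.0.113.10", 300),
    "news.example": ("203.0.113.20", 120),
    "bestads.com": ("198.51.100.7", 60),
    "cdn.bestads.com": ("198.51.100.8", 60),
}


def is_blocked(qname, blocklist=BLOCKLIST):
    """True when qname or one of its parent domains is on the blocklist.

    Pi-hole's plain list entries match the exact name only; also covering
    subdomains is this example's own choice (Pi-hole does that with regex entries).
    """
    labels = qname.lower().rstrip(".").split(".")
    # try "cdn.bestads.com", then "bestads.com"; stop before the bare TLD
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


class Upstream:
    """Stand-in for Unbound. Counts queries so the client cache effect is visible."""

    def __init__(self, zone):
        self.zone = zone
        self.queries = 0

    def resolve(self, qname):
        self.queries += 1
        return self.zone.get(qname.lower())  # None models NXDOMAIN


class FilteringResolver:
    """Stand-in for Pi-hole: step 6 (blocklist check), then step 7 (forward upstream)."""

    def __init__(self, upstream, blocklist=BLOCKLIST):
        self.upstream = upstream
        self.blocklist = blocklist
        self.log = []  # (client, qname, decision), like the Pi-hole query log

    def query(self, client, qname):
        if is_blocked(qname, self.blocklist):
            self.log.append((client, qname, "blocked"))
            return BLOCKED_ADDRESS, 2  # short TTL so an unblock takes effect quickly
        answer = self.upstream.resolve(qname)
        if answer is None:
            self.log.append((client, qname, "nxdomain"))
            return None, 0
        self.log.append((client, qname, "forwarded"))
        return answer


class FakeClock:
    """Deterministic clock so the run is repeatable."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Client:
    """Stand-in for the computer: asks the DNS server DHCP handed it and caches
    answers for their TTL (step 9: no second DNS contact until the answer expires)."""

    def __init__(self, ip, resolver, clock):
        self.ip, self.resolver, self.clock, self.cache = ip, resolver, clock, {}

    def lookup(self, qname):
        qname = qname.lower()
        cached = self.cache.get(qname)
        if cached and cached[1] > self.clock.now():
            return cached[0]  # served from the local cache; resolver not contacted
        address, ttl = self.resolver.query(self.ip, qname)
        if address is not None:
            self.cache[qname] = (address, self.clock.now() + ttl)
        return address


def load_page(client, page_domains):
    """Resolve every domain a web page references; return {domain: address}."""
    return {domain: client.lookup(domain) for domain in page_domains}


if __name__ == "__main__":
    clock, upstream = FakeClock(), Upstream(UPSTREAM_ZONE)
    pihole = FilteringResolver(upstream)
    pc = Client("192.168.1.50", pihole, clock)  # constructed client address
    print(load_page(pc, ["news.example", "cdn.bestads.com", "yummiesttrackingcookies.com"]))
    print("upstream queries:", upstream.queries)  # blocked names never leave the Pi
    for entry in pihole.log:
        print(*entry)
```

Two things worth noticing when running it: the blocked names never reach the upstream at all (the query counter does not move), and a repeated lookup of an allowed name within its TTL is answered from the client's own cache, which is why unblocking a domain or blocking a new one does not always take effect immediately on a device that has already resolved it.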

This is important because every complex web page that you might browse has many different elements on it. Some of them might be for ads that are hosted on “bestads.com” and some might be for tracking cookies hosted on “yummiesttrackingcookies.com”. If those two domain names are blocked, the rest of the page will usually display in your browser, but without those ads and tracking cookies. Seeing that this all happens network-wide – we have network-wide blocking of ads / tracking / whatever else we blocked. Yes, this works inside of apps too.

Extra tip: if you decide to run Pi-hole, you should look into the Pi-hole Remote app for easy management from your iPhone / Apple Watch.

What are the downsides?

There are downsides to using such an arrangement:

  • The complexity of the network does increase; you should consider that adding a different device to the network adds another point of failure. Configuration is more complex too.
  • Some web pages might break. There might be false positives (domain names marked as blocked that should not be), so some pages might just be broken and not load properly. This then might require troubleshooting (in my case, looking through Pi-hole logs to find out what was blocked and unblocking it).
  • Some web sites might block access when you have an ad-blocker running. They depend on ad-revenue and will completely deny access if they detect ad-blockers on the network.

A few other things to keep in mind…

  • DNS blocking is not a way to control network use. Remember that DNS is used only when the name needs to be resolved. Once the name is resolved, the browser or app does not need to talk to DNS again. This is not a system for reliably setting network timeouts.
  • Controlling DNS does not mean that you can see what people do when they visit a particular domain; just that they (or an app on their device) requested a certain domain. So, if someone goes to YouTube, you will know that something on the device requested YouTube. But not if the person searched for cat or dog videos when there. Actual YouTube searches are not sent via the Raspberry Pi. That is between the browser and YouTube servers.
  • I mentioned “well behaved clients” in the article above. I have seen some clients (for example, some made by a company that starts with a letter G) that ignore the DNS server address given to them by the DHCP server and go directly to a Google DNS for all name resolution. What I do on my network is block outbound traffic to Google DNS addresses on my network firewall. This forces the clients to fall back to the DHCP provided DNS server. If the client / app uses this “hard-coded DNS” shortcut, I call it “not well behaved” and I want to see it break, so I can return it to where I bought it. (If I broke your brain with this firewall stuff, don’t worry about it; I might write about that in the future).
  • Some ads cannot be blocked network-wide using DNS blocking, for example if the ads are served from the same domain name as the main web site is hosted on. If you blocked the ads, you would block the main site too, because they use the same “domain.com” domain.
  • DNS blocking will not remove ad / sponsored links in your search engine results. The links will still be there. Following the links might be blocked (clicking might not work) but the links will still be there. If you feel you see too many ads in your search engine results, you should really explore different search engines.
  • If so desired, you can set up a VPN on your Raspberry Pi to use Pi-hole when away from your home network. There are various guides out there, for example this and this one.
  • There are various “lists” that you can add to Pi-hole to increase or decrease the number of blocked domains; some of them are focused on specific sites (adware, malware etc.) and some are not. Just search and you shall find (many of those projects are hosted on GitHub).
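Finding the “not well behaved” clients mentioned above is a detection problem before it is a firewall problem: you want to know which devices send DNS traffic anywhere other than the Pi. The added example below (written for this article, not Pi-hole code) does that over a constructed flow log of the kind a router or firewall can export. The Pi-hole address 192.168.1.2 and the client addresses are assumptions; 8.8.8.8 and 8.8.4.4 are Google Public DNS. It deliberately skips the Pi itself as a source, because Unbound on the Pi legitimately talks to other DNS servers on port 53 when it resolves names recursively.

```python
"""Spot clients that ignore the DHCP-provided DNS server and talk to a
hard-coded public resolver instead.

Added example for this article; not Pi-hole code. The flow records are
constructed sample data; 192.168.1.2 is the assumed Pi-hole address.
"""
import csv
import io
from collections import defaultdict

PIHOLE_ADDRESS = "192.168.1.2"  # assumed: the Raspberry Pi running Pi-hole and Unbound
DNS_PORT = 53

# Constructed flow log: timestamp,src,dst,proto,dport,bytes (one line per flow).
SAMPLE_FLOWS = """\
timestamp,src,dst,proto,dport,bytes
2024-01-01T10:00:01,192.168.1.50,192.168.1.2,udp,53,74
2024-01-01T10:00:02,192.168.1.50,203.0.113.10,tcp,443,5120
2024-01-01T10:00:03,192.168.1.77,8.8.8.8,udp,53,66
2024-01-01T10:00:04,192.168.1.77,8.8.4.4,udp,53,66
2024-01-01T10:00:05,192.168.1.77,192.168.1.2,udp,53,70
2024-01-01T10:00:06,192.168.1.2,203.0.113.5,udp,53,80
2024-01-01T10:00:07,192.168.1.77,8.8.8.8,tcp,53,120
"""


def find_dns_bypass(flow_csv, resolver=PIHOLE_ADDRESS, port=DNS_PORT):
    """Return {client: {destination: flow_count}} for DNS flows that did not go
    to the network's own resolver.

    Flows from the resolver host are skipped: the Pi's Unbound legitimately
    queries authoritative servers on port 53, and flagging it would be a false positive.
    """
    offenders = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dport"]) != port or row["proto"] not in ("udp", "tcp"):
            continue  # not DNS
        if row["src"] == resolver or row["dst"] == resolver:
            continue  # the Pi's own upstream traffic, or a well-behaved client
        offenders[row["src"]][row["dst"]] += 1
    return {src: dict(dsts) for src, dsts in offenders.items()}


def report(offenders):
    """One human-readable line per misbehaving client, sorted for stable output."""
    lines = []
    for client in sorted(offenders):
        dests = ", ".join(f"{d} ({n} flows)" for d, n in sorted(offenders[client].items()))
        lines.append(f"{client} bypassed the local resolver -> {dests}")
    return lines


if __name__ == "__main__":
    for line in report(find_dns_bypass(SAMPLE_FLOWS)):
        print(line)
```

In the sample data, 192.168.1.77 is the device that would break once outbound port 53 to anything but the Pi is blocked at the firewall, as the author describes; running a check like this before adding that rule tells you which devices to expect trouble from, and running it afterwards confirms the rule is actually catching them.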

Even if not a perfect solution, what I described in this article could be a fun project that I would recommend you try. It is fun learning about how devices work and why not make the Internet a little “cleaner” for you and your family, in the process?

Stay safe!

PS. I understand there are many other things that people could do to help protect their privacy when using computing devices. This article should not be misunderstood as a comprehensive solution to Internet privacy and the (at times) barrage of advertisements. It is, at best, a part of the picture.
