I have been banned from commenting on DWW for years, and I don’t remember exactly why. I don’t remember having had any interaction with Jesse Smith, but Ladislav Bodnar didn’t like my comments at some point. From that point onwards, each and every time I wanted to comment, my comments vanished as soon as they were supposed to show up. Later, comments started to be displayed, only to be (manually?) erased within 15 minutes or so (maybe more). For identification purposes, I used “Béranger” for a name, and later “Ludditus”; as for the optional “Email address or homepage URL,” I give the address of this blog, which unfortunately allows them to blacklist me. This just happened again, after dumb me wanted to add a comment to their shithole.

What happened to me today

So they issued their DistroWatch Weekly, Issue 1103, 6 January 2025, which includes Tips and tricks: Filtering ads with a Pi-hole.

I felt like replying to this comment:

12 • The benefit of a single Pi-Hole (by UdoB on 2025-01-06 07:16:14 GMT from Germany)
@9 “What is the benefit of a pi-hole compared to a custom /etc/hosts file and an ad blocker like uBlock Origin?”

You install it ONCE, tell your already present gateway with the LAN-wide, “upstream” resolver setting to use it and then… ALL fourtytwo devices in your home use it. Without individual configuration of those devices – which would be tedious and error prone.

🙂

Here’s what I posted:

The NON-benefit of a single Pi-Hole

@12: Apparently, no one here has been on the Internet long enough to notice that on SOME sites (e.g. a few newspapers) one HAS TO allow ads, or else the site would refuse to show its contents to you. I mean, it will REALLY refuse, so you HAVE TO allow ads on that site.

Unfortunately, when using a crap-hole device to filter ads, whitelisting BECOMES IMPOSSIBLE for “ALL fourtytwo devices in your home”!

Per-device and per-site customization is only possible through freedom, but not when using a Communist, centralized, cut-all ad blocker. (Which, by the way, is less effective than uBlock Origin on Firefox.)

I’d thought DWW readers are smarter than they seem to be. I’m sick of everyone recommending some fruit device to block ads in my household. OVER MY DEAD BODY. Centralism sucks.

Right after I posted the comment, it did show up, which made me think I wasn’t blacklisted anymore. I don’t remember the number my comment was listed under, but it was there.

Later, when I refreshed the page, I noticed two changes. The date was corrected from “6 January 2024” to “6 January 2025” (there was a comment asking them to correct this slip, and the comment was deleted); and my comment disappeared!

Morons.

NOTE: Installing Pi-hole® on a Raspberry Pi or a similar device is a more popular choice than installing it in a Docker container, a normal computer, or a PinePhone. This is why I mentioned that “I’m sick of everyone recommending some fruit device to block ads in my household.”

A small tip (more of an FYI)

Since I cannot comment there, I’d like to add here a remark on this other comment:

23 • Blocking Adverts (by picamanic on 2025-01-06 11:26:56 GMT from United Kingdom)
Firefox and /etc/hosts: as I understand things, Firefox does not honour /etc/hosts [by default], so uBlock Origin [or similar] is needed to block adverts. If using other web browsers, or on non-desktop computers, /etc/hosts and/or pi-hole may be needed. If the latter, Raspberry Pi5 can be purchased for way less than 100 £ or $. In 25 years, I have never seen an advert that I did not request.

What you should know is this: if, and only if, Firefox is configured to use DoH (DNS-over-HTTPS), its queries bypass the system resolver and therefore ignore /etc/hosts; instead, it resolves names directly against the configured DoH server. (DoH settings can usually be adjusted in Firefox’s preferences.) Otherwise, Firefox consults /etc/hosts indirectly through the operating system’s resolver library, usually by calling getaddrinfo() or a similar function in the underlying C library (glibc).

To check which policy is in use, go to about:config and search for network.trr.mode, which by default should have a value of 2:

  • 0: DoH is disabled.
  • 1: DoH is enabled, but only for DNS requests for which the operating system DNS fails.
  • 2: DoH is enabled with fallback to system DNS if DoH fails.
  • 3: DoH is used exclusively (no fallback to system DNS).
  • 5: DoH is explicitly disabled (to override any settings).

I don’t know why it can’t have a value of 4.

Other settings of possible interest, with the values they have on one of my laptops:

  • network.trr.uri = https://dns.google/dns-query (other popular values include https://mozilla.cloudflare-dns.com/dns-query and https://dns.nextdns.io)
  • network.trr.bootstrapAddress = no value, meaning that Firefox is not using a predefined IP address for bootstrapping the DoH resolver (I should set it to Cloudflare’s 1.1.1.1, Google’s 8.8.8.8 or 8.8.4.4, or NextDNS’s 45.90.28.0)
  • network.trr.fallback.enabled = no value, meaning the behavior from network.trr.mode will be used
  • network.trr.useGET = false, meaning it uses POST to send DoH requests
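
As an added example (not from the original post), here is a shell script that reads network.trr.mode and network.trr.uri from a Firefox prefs.js or user.js and reports, using the meaning of each mode value listed above, whether lookups still pass through the operating system’s resolver and therefore /etc/hosts. The prefs.js content it parses is a constructed sample; the helper names (read_pref, doh_report and so on) are my own, not Firefox’s.

```bash
#!/bin/bash
# Added example, not from the original post: read the network.trr.* prefs from a
# Firefox prefs.js or user.js and report whether lookups will go through the OS
# resolver (and therefore /etc/hosts). The prefs.js content below is constructed.

# Print the last value set for a pref in a prefs.js/user.js file (quotes stripped),
# or nothing if the pref is not set there (Firefox then uses its built-in default).
read_pref() {   # read_pref <prefs.js> <pref name>
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# Meaning of network.trr.mode, per the list above.
describe_trr_mode() {   # describe_trr_mode <mode>
    case "$1" in
        "") echo "not set in this file; Firefox's built-in default applies" ;;
        0)  echo "DoH disabled" ;;
        1)  echo "DoH only when the OS resolver fails" ;;
        2)  echo "DoH first, OS resolver as fallback" ;;
        3)  echo "DoH only, no fallback" ;;
        5)  echo "DoH explicitly disabled" ;;
        *)  echo "unknown mode $1" ;;
    esac
}

# Will /etc/hosts entries be consulted for ordinary lookups? With DoH active
# (modes 2 and 3) the browser resolves directly against network.trr.uri.
hosts_file_honoured() {   # hosts_file_honoured <mode>  -> prints yes|no|unknown
    case "$1" in
        "")  echo unknown ;;
        2|3) echo no ;;
        *)   echo yes ;;
    esac
}

# Human-readable report for one profile's prefs file.
doh_report() {   # doh_report <prefs.js>
    local mode uri
    mode=$(read_pref "$1" network.trr.mode)
    uri=$(read_pref "$1" network.trr.uri)
    echo "network.trr.mode = ${mode:-unset}: $(describe_trr_mode "$mode")"
    echo "network.trr.uri  = ${uri:-unset}"
    echo "/etc/hosts consulted: $(hosts_file_honoured "$mode")"
}

# Constructed prefs.js sample written to a temp file; prints its path.
sample_prefs() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
// Mozilla User Preferences (constructed sample, not a real profile)
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://dns.google/dns-query");
user_pref("network.trr.useGET", false);
EOF
    echo "$f"
}

# Demo on the constructed sample. For a real profile, pass its prefs.js instead,
# typically found under ~/.mozilla/firefox/<profile>/prefs.js.
f=$(sample_prefs)
doh_report "$f"
rm -f "$f"
```

Because read_pref only sees prefs that Firefox has explicitly stored, an empty result means the built-in default applies, which is why the report distinguishes “unset” from mode 0.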

Blocking ads via /etc/hosts is utterly stupid, as it’s a system-wide measure. Just like I said for the LAN-wide blocking option, I might want, in one browser, on one device, for a given website, to allow ads.

It’s time for a true tip

Another hint: system-wide, when DoH is not used (which is the normal case), you can replace your ISP’s DNS servers (which in some countries, including Italy and the UK, are bound by law to block some sites by pretending they don’t know them) with, say, Google’s 8.8.8.8 or 8.8.4.4.

This involves three steps; it is what I found to work permanently for all possible connections in Ubuntu MATE. The idea is to prevent the ISP’s DHCP from adding its own DNS servers.

❶ Edit /etc/systemd/resolved.conf and add in the [Resolve] section values such as these (there should be commented-out examples in the file; note that systemd config files only accept comments on their own lines, not after a value):

[Resolve]
# These are Google's
DNS=8.8.8.8 8.8.4.4
# Optional fallback, Cloudflare's
FallbackDNS=1.1.1.1 1.0.0.1

Now, run:

sudo systemctl restart systemd-resolved

❷ Edit /etc/NetworkManager/NetworkManager.conf and add this line to the [main] section:

[main]
dns=none

❸ Create and edit a script that will take care of all present and future connections:

sudo touch /etc/NetworkManager/dispatcher.d/99-ignore-dns
sudo chmod +x /etc/NetworkManager/dispatcher.d/99-ignore-dns

Now put this inside:

#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface, $2 is the action.
# CONNECTION_UUID is exported by NetworkManager for the connection involved.
# On every "up", mark that connection so DHCP-supplied DNS servers are ignored
# (the setting applies from the next activation of the connection onwards).
if [ "$2" = "up" ]; then
    nmcli connection modify "$CONNECTION_UUID" ipv4.ignore-auto-dns yes
fi

Now, run:

sudo systemctl restart NetworkManager

Now and after future reboots, you should get something like this:

$ resolvectl status
Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 8.8.4.4
Fallback DNS Servers: 1.1.1.1 1.0.0.1

Link 2 (wlp42s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.4.4
       DNS Servers: 8.8.4.4

I hope I remembered everything I did. What should not be in any list of servers reported by resolvectl status is your ISP’s DNS, something that could be 192.168.1.1, which is your gateway (the router), or an actual DNS address different from what you just configured.
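
As an added example that is not part of the original post: a small shell script that performs steps ❶ and ❷ on a resolved.conf and a NetworkManager.conf passed by path (so you can try it on copies before editing anything under /etc), plus a check that scans saved resolvectl status output for the addresses you do not want to see there, such as the 192.168.1.1 gateway mentioned above. The file contents used in the demo are constructed, and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original post: apply steps 1 and 2 above to config
# files given by path (try it on copies first) and verify that saved
# `resolvectl status` output no longer lists the ISP's resolver or the gateway.
# All sample file contents below are constructed.

# Step 1: set DNS= and FallbackDNS= under [Resolve]. Existing active
# DNS=/FallbackDNS= lines are dropped; commented-out examples are left alone.
set_resolved_dns() {   # set_resolved_dns <resolved.conf> "<dns list>" "<fallback list>"
    local conf="$1" dns="$2" fb="$3"
    grep -q '^\[Resolve\]' "$conf" || printf '[Resolve]\n' >> "$conf"
    awk -v dns="$dns" -v fb="$fb" '
        /^\[Resolve\]/             { print; print "DNS=" dns; print "FallbackDNS=" fb; next }
        /^DNS=/ || /^FallbackDNS=/ { next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 2: stop NetworkManager from managing DNS (dns=none under [main]).
set_nm_dns_none() {   # set_nm_dns_none <NetworkManager.conf>
    local conf="$1"
    grep -q '^\[main\]' "$conf" || printf '[main]\n' >> "$conf"
    awk '
        /^\[main\]/ { print; print "dns=none"; next }
        /^dns=/     { next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Verification: succeed (exit 0) only if none of the given addresses appear on a
# "Current DNS Server:" or "DNS Servers:" line of saved resolvectl output.
no_isp_dns() {   # no_isp_dns <saved resolvectl output> <addr>...
    local out="$1" addr; shift
    for addr in "$@"; do
        grep -E 'DNS Servers?:' "$out" | grep -qwF -- "$addr" && return 1
    done
    return 0
}

# Constructed `resolvectl status` sample with a chosen per-link resolver.
sample_resolvectl() {   # sample_resolvectl <file> <link-dns-addr>
    cat > "$1" <<EOF
Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 8.8.4.4
Fallback DNS Servers: 1.1.1.1 1.0.0.1

Link 2 (wlp42s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: $2
       DNS Servers: $2
EOF
}

# Demo on throwaway copies; nothing under /etc is touched.
demo() {
    local d; d=$(mktemp -d)
    printf '[Resolve]\n#DNS=\n#FallbackDNS=\n' > "$d/resolved.conf"
    printf '[main]\nplugins=ifupdown,keyfile\n' > "$d/NetworkManager.conf"
    set_resolved_dns "$d/resolved.conf" "8.8.8.8 8.8.4.4" "1.1.1.1 1.0.0.1"
    set_nm_dns_none "$d/NetworkManager.conf"
    cat "$d/resolved.conf" "$d/NetworkManager.conf"
    sample_resolvectl "$d/status.txt" 192.168.1.1   # gateway still pushed by DHCP
    if no_isp_dns "$d/status.txt" 192.168.1.1; then
        echo "clean: no gateway/ISP resolver listed"
    else
        echo "gateway/ISP resolver still listed, DHCP DNS not ignored yet"
    fi
    rm -rf "$d"
}
demo
```

To check a live system, save the real output with `resolvectl status > status.txt` and run `no_isp_dns status.txt 192.168.1.1 <your ISP’s resolver addresses>`; a non-zero exit means one of the steps above has not taken effect yet.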

UPDATE: Per-connection is simpler

Obviously, changing the DNS per connection is simpler. Take NetworkManager’s nm-connection-editor (you’ll probably invoke it from nm-applet), which is used in MATE and Xfce.

Edit your connection and change “Automatic (DHCP)” into “Automatic (DHCP) addresses only”:

I have used here Quad9’s DNS, in the most typical configuration that includes DNSSEC validation and malware blocking (read the official page).

In theory, after you save the changes, it should be enough to disconnect and reconnect; or, to disable and re-enable either the Wi-Fi, or the networking altogether. In my experience, though, it’s better to restart them all to have the DNS really working, not just showing up:

sudo systemctl restart systemd-resolved
sudo systemctl restart NetworkManager
$ resolvectl status
Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8 8.8.4.4
Fallback DNS Servers: 1.1.1.1 1.0.0.1

Link 2 (wlp42s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 9.9.9.9 149.112.112.112

I don’t use GNOME, so I don’t know, nor care, what their configuration tool looks like. In KDE, it should be self-explanatory.

Cinnamon is more confusing. From the Network Manager applet, you have two choices. First, you can invoke “Network Settings” and you’ll get cinnamon-settings, in which editing a connection is done in this idiotic window that cannot be resized, and which needs scrolling should you need to add routes (I’ve always said that Cinnamon has a completely stupid UI design):

But a second option offered by the applet is to invoke “Network Connections”; you’ll get the familiar nm-connection-editor:

What I want to add is that I always disable IPv6. It’s simply not necessary and no, we have not run out of IPv4 addresses. Let me give you some pointers: