Frequently Asked Questions
We see pi-dns as a complement to web browser ad blockers.
Most of us use some form of ad blocker in our web browser. These can only block ads that you receive while using the web browser to browse the web. What about Windows telemetry? Smart home (IoT) device telemetry? Ads in smartphone apps? Ad blocking for your entire network? This is where pi-dns can help. By setting your router or your devices to use our DNS servers, ads and telemetry will automatically be blocked!
Behind this website, and the related services, is a single computer enthusiast who likes to tinker with servers, code and similar things in his free time. There is thus no corporation behind this website, and the only source of income (if any) is donations.
You can find my website at https://noexit.tv
If you would like a website to be unblocked, you can fill in our white-list request form here. If the request is approved by us, the submitted domain will automatically be added to our custom white list that can be found here. This list is automatically propagated to all our DNS servers.
You can also submit an issue directly at our GitHub repository: https://github.com/NoExitTV/whitelist/issues/new/choose
DNS queries, together with the originating client IP address, are stored for at most 24 hours. This is done so that fail2ban can protect against DNS amplification attacks. Fail2ban is an automated tool that processes the DNS query log file to detect attacks, and it requires no human intervention. The DNS query log, which also contains the originating client IP address, is automatically rotated and purged at midnight every day.
All our DNS servers use the Pi-hole privacy level “Anonymous mode: This disables basically everything except the live anonymous statistics. No history is saved at all to the database, and nothing is shown in the query log. Also, there are no top item lists.” Note that the DNS queries are still stored in the query log for at most 24 hours so that fail2ban can be used as explained above.
Each pi-dns server hosts its own local recursive DNS using Unbound. This is done to minimize the amount of trust we have to put in others. The Pi-hole documentation explains the reasoning behind this well:
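How a fail2ban-style rule over the DNS query log can work, as an added example that is not the configuration pi-dns runs: it assumes dnsmasq-format query lines, and the window, the hit limit and the rule that only `ANY` queries count are illustrative assumptions, as is the sample log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: dnsmasq-style query lines, as found in a Pi-hole query log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<ip>\S+)$"
)
FINDTIME = timedelta(seconds=10)  # assumed window (fail2ban calls this findtime)
MAXRETRY = 5                      # assumed hit limit (fail2ban calls this maxretry)
WATCHED_QTYPES = {"ANY"}          # assumed rule: query types with large responses

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 14 00:00:01 dnsmasq[812]: query[ANY] example.com from 198.51.100.7
Mar 14 00:00:02 dnsmasq[812]: query[ANY] example.com from 198.51.100.7
Mar 14 00:00:02 dnsmasq[812]: query[A] example.org from 203.0.113.20
Mar 14 00:00:03 dnsmasq[812]: query[ANY] example.com from 198.51.100.7
Mar 14 00:00:04 dnsmasq[812]: query[ANY] example.com from 198.51.100.7
Mar 14 00:00:05 dnsmasq[812]: query[ANY] example.com from 198.51.100.7
Mar 14 00:00:30 dnsmasq[812]: query[ANY] example.net from 203.0.113.20
"""


def find_offenders(lines, year=2024):
    """Return {client_ip: time the limit was reached} using a sliding window."""
    hits = defaultdict(deque)   # per-client timestamps of watched queries
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["qtype"] not in WATCHED_QTYPES or m["ip"] in banned:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = hits[m["ip"]]
        window.append(ts)
        while ts - window[0] > FINDTIME:   # drop hits older than the window
            window.popleft()
        if len(window) >= MAXRETRY:
            banned[m["ip"]] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (limit reached at {when:%H:%M:%S})")
```

Only the client address, query type and timestamp are needed for the decision, which is why the log has to keep the originating IP until it is rotated.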
Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS. After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server(s). However, as has been mentioned by several users in the past, this leads to some privacy concerns as it ultimately raises the question: Whom can you trust? Recently, more and more small (and not so small) DNS upstream providers have appeared on the market, advertising free and private DNS service, but how can you know that they keep their promises? Right, you can’t.
Furthermore, from the point of an attacker, the DNS servers of larger providers are very worthwhile targets, as they only need to poison one DNS server, but millions of users might be affected. Instead of your bank’s actual IP address, you could be sent to a phishing site hosted on some island. This scenario has already happened and it isn’t unlikely to happen again…
When you operate your own (tiny) recursive DNS server, then the likeliness of getting affected by such an attack is greatly reduced.
All our DNS servers use the following whitelists:
Visit the test site dnsleaktest.com and click “Extended Test”.
When the test is complete, the only DNS servers visible should be the pi-dns servers that you’ve selected to use when configuring your device.
All our servers are tested for cache poisoning using the DNS Nameserver Spoofability Test by GRC and have passed with an excellent anti-spoofing safety rating.