Could a tracker blocking database feature be added to the outbound firewall rules for the SURF SOHO, analogous to the web content filtering database for inbound ad traffic ? A recent Norwegian consumer organization found over 200 tracking sites were being contacted by a handful of popular apps. (There are overlaps between the tracking sites listed in the Norwegian study and the ad sites in the Peplink web content filtering database.) Having tracker blocking within the router would be a valuable privacy feature, which would extend protection beyond browser-based tracker blocking to apps and all LAN devices.
May I suggest one approach to handle this? We have several “PiHole” installations – https://pi-hole.net/. This involves using a raspberry pi and free software as a DNS server. As I write this I see the PiHole at my present location is reporting having blocked about 32% of DNS inquiries and there are about 125,000 sites on the “no go list.” We’ve built about a dozen PiHoles and found this approach to be highly reliable. In a couple of cases we use an additional PiHole accessible via PepVPN as a back-up DNS.
Another vote for PiHole. Pretty easy and straightforward to setup. What got me was configuring it on my Surf SOHO.
You can’t have DNS proxy enabled otherwise I think you end up in a kind of DNS lookup endless loop.
It’s been running for a few months without any problems. Just SSH into it every month to update Linux and any pihole updates when available.
You could also configure some additional content blocking by TLDs as listed by Palo Alto Networks that have been reported as being popular for malaware etc.
Here’s my configuration:
The .to TLD is the most popular amongst hackers. Amazon uses it for its own URL shortener for product links, so a little annoying but I don’t usually come across too many of those.
Thanks for the advice and sharing your experiences with pi-hole on RPi. While I do like the prospect of blocking trackers etc. on my entire network, I am a little concerned that adding an RPi that talks to the outside world (for DNS and tracker database updates) might be opening up a potential security vulnerability. I see that there are firewalls and antivirus for Raspian, but do you have any other thoughts or advice on secure configuration of an RPi as a pi-hole, such as firewall configuration ?
Check this out. Just came across it this week from a YouTube comment on a video I was watching.
And it’s being discussed in the forums here
Hi. Sorry for the great delay in responding – I managed to miss your reply. Maybe we’ve forgotten an important measure but generally we’ve done this:
- Periodically monitored comms to/from the RPis to see “what’s happening.”
- Ensured the devices listen only on eth0 and only serve requests from behind the firewall(s).
- Ensured that the RPis are used for nothing else – no other software installed (even though it may be tempting as the DNS server load is always extremely light.)
- Used only 184.108.40.206 and 220.127.116.11 (filtered) DNS servers (and their secondaries) for upstream (never Google, for example).
- Used the routers rather than the Pis for DNS servers.
- Periodically actively searched for reports of security issues/compromises.
- Keep the software updated.
If we’ve missed something I’d be grateful for any suggestions.