
How advertisers and tracking services are bypassing Pi-hole

The dangers of Pi-hole DNS-based blocking

DNS-based "black hole" devices, such as Pi-hole, are a popular method used to block ads and tracking on a local network. 

If you aren't familiar with DNS, it's a kind of digital phone book that converts a human-friendly domain name, such as amazon.com, into the numeric IP address computers actually connect to, like 176.32.103.205. Every connection a device makes normally starts with one of these lookups, which is what makes DNS such a convenient place to block things.

How does Pi-hole work?

Pi-hole sits on your network as the DNS resolver that every device is told to use (usually handed out by the router via DHCP). When a device looks up a name that is on Pi-hole's blocklists, Pi-hole doesn't forward the query upstream; it answers with an address nothing can connect to (by default the unroutable 0.0.0.0; older versions answered with their own address and served a blank page). So when your browser tries to reach Doubleclick to fetch an ad, the lookup comes back with a dead address, the connection goes nowhere and the ad is never displayed.
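To make that mechanism concrete, here is a minimal sinkhole resolver written for this article. It is an added example, not Pi-hole's own code: it works on raw DNS wire-format messages so you can see that blocking is nothing more than substituting a plaintext UDP answer. The blocklist, the 0.0.0.0 answer and the 2-second TTL are choices made for the demo.

```python
"""Minimal DNS sinkhole in the style of Pi-hole's default blocking mode.

Added example, not Pi-hole's code. It works on raw DNS wire-format
messages (RFC 1035) so the mechanism is visible: a plaintext UDP query
arrives, and if the name (or a parent domain) is on the blocklist the
resolver answers with the unroutable address 0.0.0.0 instead of
forwarding the query upstream. The blocklist here is constructed.
"""
import socket
import struct

# Constructed blocklist; Pi-hole loads far larger lists into its gravity database.
BLOCKLIST = {"doubleclick.net", "graph.facebook.com", "appsflyer.com"}
SINKHOLE_IP = "0.0.0.0"   # the "NULL" blocking answer


def is_blocked(name: str) -> bool:
    """True if the name or any parent domain is blocklisted
    (ad.doubleclick.net is caught by the doubleclick.net entry)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A query the way a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN


def parse_question(msg: bytes):
    """Decode the question name; returns (name, offset just past the question)."""
    offset, labels = 12, []
    while (length := msg[offset]) != 0:
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset + 1 + 4   # null label, then QTYPE and QCLASS


def sinkhole_response(query: bytes):
    """Return a sinkhole answer for a blocked name, or None meaning 'forward upstream'."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, qend = parse_question(query)
    if not is_blocked(name):
        return None
    # Header: QR=1 (response), AA=1, RA=1, RD copied from the query, RCODE=0, one answer.
    rflags = 0x8480 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # Answer RR: compression pointer to the question name at offset 12,
    # type A, class IN, a deliberately short TTL of 2 seconds, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + query[12:qend] + answer


def answered_address(response: bytes) -> str:
    """Address a client would connect to, from a one-answer A response."""
    return socket.inet_ntoa(response[-4:])


def serve(bind=("127.0.0.1", 5353)):
    """Tiny UDP front end so the logic can be tried with
    `dig @127.0.0.1 -p 5353 ad.doubleclick.net`. Unblocked names are not
    forwarded here (dig will time out); a real resolver relays them upstream."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, peer = sock.recvfrom(512)
            reply = sinkhole_response(data)
            if reply is not None:
                sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

The point to notice is how little the sinkhole has to do: it only works because the device sends its query, in the clear, to the resolver the network told it to use. Everything in the rest of this article is about devices that stop doing that.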

This works well for browsers, which obediently use whatever resolver the network hands them. But what if, like most people, you have a growing number of "smart devices" in your home: Rokus, Amazon Fire sticks, Samsung TVs, Amazon Echos and so on, whose makers control how they reach the internet and need not follow the network's DNS settings at all?

To find out, we instrumented several home networks with a customized DNS server. Every IP address it handed out in a DNS answer was policy-routed out through a non-default network interface; all other traffic stayed on the default interface. Sniffing the default interface therefore showed exactly the connections going to destinations that had never been resolved through our DNS server, in other words traffic that DNS-based blocking never had a chance to see.

And it turns out there was quite a bit of traffic bypassing DNS entirely. We found numerous devices and mobile apps evading Pi-hole and other DNS-based ad-blocking approaches, chatting freely with services such as:

graph.facebook.com
graph.instagram.com
alarmnet.com (alarm monitoring service; not necessarily a bad thing)
1e100.net (Google)
amazonaws.com
ns.apple.com
beacons.gvt2.com
stats.g.doubleclick.net
launches.appsflyer.com
bidswitch.net
feelinsonice.com (Snapchat)

How they managed to do this is both interesting and alarming. 


Smart devices are increasingly using alternatives to traditional DNS 

When a device uses encrypted DNS (DNS over TLS on port 853, or DNS over HTTPS tunneled inside ordinary HTTPS on port 443) to a resolver of its own choosing, Pi-hole never sees the query, and the answers cannot be rewritten because they are protected end to end by TLS. Android itself has shipped DNS over TLS ("Private DNS") since Android 9. The traffic can still be blocked at the router, by dropping outbound port 853 and the addresses of known DoH resolvers, but that is a more advanced networking tweak and it is likely to break devices that rely on encrypted DNS.

Another common method, typical of Google products, is to ignore the resolver the network hands out and send plaintext DNS straight to hardcoded servers such as Google's. This can be countered by having the router intercept all outbound port-53 traffic and redirect it to the Pi-hole (a NAT rule), so the device talks to your resolver whether it wants to or not. Some Android apps are known to ignore DNS answers intercepted in this fashion, most likely by failing over to an encrypted DNS lookup, or by checking the digital signatures on DNS replies (DNSSEC) and discarding a substituted answer.

Needless to say, doing either of the above requires some networking engineering skills.
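The measurement described earlier split bypass traffic from normal traffic live, with policy routing. The same question (which connections were never preceded by a DNS answer from your resolver, and which of them look like hardcoded DNS, DNS over TLS or DNS over HTTPS?) can be answered offline from two logs a home network can actually produce. The script below is an added example written for this article, not the tooling used for the study: it assumes a Pi-hole/dnsmasq query log (the "reply <name> is <ip>" and "cached ... is" lines that `log-queries` writes) and a list of outbound flows exported by the router (conntrack, NetFlow or similar). The Pi-hole address, the LAN ranges, the short list of public DoH resolvers, and both log excerpts are constructed for the example (the addresses are RFC 5737 documentation ranges, not captured data).

```python
"""Spot traffic that bypassed the local resolver by correlating DNS answers with flows.

Added example, not the Winston team's tooling (they used policy routing to
split the traffic on the wire). Inputs: the Pi-hole/dnsmasq query log and a
list of outbound flows from the router. Any flow whose destination the
resolver never handed out did not come from a DNS answer the Pi-hole saw.
Both inputs below are constructed samples using RFC 5737 documentation
addresses, not real captures.
"""
import ipaddress
import re
from collections import defaultdict

LOCAL_RESOLVER = "192.168.1.2"          # assumed Pi-hole address on the LAN
# Assumed LAN ranges; flows between local hosts are out of scope.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]
# Assumed and deliberately short: public resolvers that also speak DoH on 443.
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed excerpt in the style of /var/log/pihole.log (dnsmasq format).
RESOLVER_LOG = """\
Jan 10 20:01:02 dnsmasq[851]: query[A] www.amazon.com from 192.168.1.20
Jan 10 20:01:02 dnsmasq[851]: reply www.amazon.com is 192.0.2.10
Jan 10 20:01:03 dnsmasq[851]: query[A] stats.g.doubleclick.net from 192.168.1.20
Jan 10 20:01:03 dnsmasq[851]: gravity blocked stats.g.doubleclick.net is 0.0.0.0
Jan 10 20:01:05 dnsmasq[851]: query[A] graph.facebook.com from 192.168.1.31
Jan 10 20:01:05 dnsmasq[851]: cached graph.facebook.com is 198.51.100.7
"""

# Constructed outbound flows: "src dst dport proto", one per line.
FLOWS = """\
192.168.1.20 192.0.2.10 443 tcp
192.168.1.31 198.51.100.7 443 tcp
192.168.1.31 203.0.113.44 443 tcp
192.168.1.31 8.8.8.8 53 udp
192.168.1.31 1.1.1.1 853 tcp
192.168.1.31 8.8.8.8 443 tcp
192.168.1.20 192.168.1.2 53 udp
"""

# Only genuine IPv4 answers count: sinkholed "gravity blocked ... is 0.0.0.0"
# lines and CNAME replies are ignored.
ANSWER_RE = re.compile(r"(?:reply|cached) (\S+) is (\d{1,3}(?:\.\d{1,3}){3})$", re.M)


def resolved_addresses(log: str) -> dict:
    """Map every address the resolver handed out to the names it answered for."""
    seen = defaultdict(set)
    for name, ip in ANSWER_RE.findall(log):
        seen[ip].add(name)
    return seen


def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def classify_flow(dst: str, dport: int, resolved: dict):
    """Return a bypass verdict for one flow, or None if DNS explains it."""
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "hardcoded external DNS"
    if dport == 853:
        return "DNS over TLS"
    if is_lan(dst):
        return None                       # local traffic, out of scope
    if dst in resolved:
        return None                       # a DNS answer the Pi-hole saw
    if dport == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "probable DNS over HTTPS"
    return "destination never resolved by local DNS"


def find_bypass(log: str, flows: str) -> list:
    """Return (src, dst, dport, verdict) for every flow that bypassed the resolver."""
    resolved = resolved_addresses(log)
    findings = []
    for line in flows.strip().splitlines():
        src, dst, dport, _proto = line.split()
        verdict = classify_flow(dst, int(dport), resolved)
        if verdict:
            findings.append((src, dst, int(dport), verdict))
    return findings


if __name__ == "__main__":
    for src, dst, dport, verdict in find_bypass(RESOLVER_LOG, FLOWS):
        print(f"{src} -> {dst}:{dport}  {verdict}")
```

Two caveats when running this on a real network. First, the flow capture must start after DNS logging does, otherwise addresses a device learned earlier (and is still caching) show up as "never resolved"; including the resolver's `cached` lines helps but does not cover answers that predate the log. Second, an address that was resolved for one name can be reused for another (shared CDN front ends), so treat the "never resolved" verdict as a lead to investigate, and the port-53, port-853 and known-resolver verdicts as the firm ones. IPv6 answers (AAAA) are deliberately left out above and would need the same treatment.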


What this means for the future of ad blocking 

Digital advertising and consumer tracking are big business, so it should come as no surprise that considerable engineering effort is being devoted to bypassing Pi-hole and other ad-blocking technologies (Google even has plans to kick ad blockers out of Chrome).

Winston has the most advanced blocking technology available. It operates at the network layer and utilizes intelligent algorithms to minimize data collection while keeping the internet fast and convenient so that you don't have to settle for being digital livestock.