It’s certainly existed for years and it’s a nice release, such as it is. However, the absolute lack of IPv6 and abject refusal to incorporate WireGuard for ReasonsTM led to me going back to OpenBSD and OpenWRT, personally. They seem to have a WIP towards finally incorporating WireGuard, but IPv6 is still AWOL, which is fatal for my use-case.
I’m older than some in here, I think (judging by the answers). For me, a couple of the things on steakandcheese.com and rotten.com (back in its early days, not the later milder days), cartel videos, beheadings, hangings etc. The standout though was a video called ‘Terrorists, Killers & Middle East Wackos’… Grim stuff. From Wikipedia:
Terrorists, Killers and Middle-East Wackos (also Terrorists, Killers and Other Wackos in the UK) is a shockumentary video from the makers of Bumfights. It includes footage of riots, suicides, executions, and the televised suicide of R. Budd Dwyer. All the scenes included are real scenes of death and suffering. The Bumfights website store touts the video as “One hour of the sickest images ever put to film.”
I was young and dumb once, but I actively avoid things like that nowadays. There’s knowing how things happen in the real world, and there’s traumatising and desensitising yourself to the worst depravities possible for… reasons? Just no. You can’t unsee some things, and some things shouldn’t ever enter your consciousness at all (unless you’re really unlucky IRL…).
No problem!
Even Hagezi’s most basic list blocks a lot more than OISD, and still no false positives. See a comparison (run over the top 10,000 websites) here.
DNS blocking is heavily dependent on the blocklist(s) you use. It’s entirely possible to block >95% of crapware, and break companies’ ability to track you without compromising usability.
Having used both for a lot of years, I’d say look instead at AdGuard Home. It is also FOSS but supports more out of the box; including certificate management, the ability to use encrypted DNS both upstream and downstream without need for third party software (cloudflared), the ability to use adblock filter syntax (lists are 200k lines instead of 2 million lines, but actually block more), and so on. PiHole has some improvements pending in the next version, but it’s not there yet in comparison, imho.
I’d also strongly suggest you check out Hagezi’s DNS blocklists, as they’re pretty much set and forget. They’re intended to be used as your only block list, and do an excellent job (see testing in the Discussions on their GitHub). Use the Normal list if you don’t want to deal with false positives occasionally, and the Pro++ list if you don’t mind getting your hands dirty (whitelisting occasionally) and want to block every last scrap of annoyance and anti-privacy crapware on the web. Both will significantly improve your online experience.
Here’s mine, if this helps? I have WireGuard running on an Alpine LXC on my LAN, and use it to connect back home. I can SSH to or use resources from any other machine on the LAN while connected. You’ll need to amend the include rules to match whatever distro you’re using (the paths will be different), and you can add whatever rules you wish under the LAN section to allow local access to the WireGuard ‘host’ for other services (eg SSH).
There’s also a lot of useful info on the Pro Custodibus blog.
#!/usr/sbin/nft -f flush ruleset define pub_iface = "eth0" define wg_iface = "wg0" define wg_port = "51820" table inet my_table { set LANv4 { type ipv4_addr flags interval elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } } set LANv6 { type ipv6_addr flags interval elements = { fd00::/8, fe80::/10 } } chain my_input_lan { ip6 daddr fe80::/64 udp dport dhcpv6-client accept comment "Accept DHCPv6 configuration" udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)" udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)" tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)" udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept comment "Accept PXE" tcp dport ssh accept comment "Accept SSH on port 22" } chain my_input { type filter hook input priority 0; policy drop; iif lo accept comment "Accept any localhost traffic" ct state invalid counter drop comment "Drop invalid connections" ct state established,related accept comment "Accept traffic originated from us" tcp dport 113 reject with icmpx type port-unreachable \ comment "Reject AUTH to make it fail fast" # ICMPv4 ip protocol icmp icmp type { echo-reply, # type 0 destination-unreachable, # type 3 echo-request, # type 8 time-exceeded, # type 11 parameter-problem, # type 12 } accept \ comment "Accept ICMP" # ICMPv6 icmpv6 type { destination-unreachable, # type 1 packet-too-big, # type 2 time-exceeded, # type 3 parameter-problem, # type 4 echo-request, # type 128 echo-reply, # type 129 } accept \ comment "Accept basic IPv6 functionality" icmpv6 type { nd-router-solicit, # type 133 nd-router-advert, # type 134 nd-neighbor-solicit, # type 135 nd-neighbor-advert, # type 136 } ip6 hoplimit 255 accept \ comment "Allow IPv6 SLAAC" icmpv6 type { mld-listener-query, # type 130 mld-listener-report, # type 131 mld-listener-reduction, # type 132 mld2-listener-report, # type 143 } ip6 saddr fe80::/10 accept \ comment "Allow IPv6 multicast listener discovery on link-local" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \ comment "Accept DHCPv6 replies from IPv6 link-local addresses" ip protocol igmp accept comment "Accept IGMP" udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges" ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)" # Accept all WireGuard packets received on a public interface iifname $pub_iface udp dport $wg_port accept # Accept all DNS packets from wg clients sent to a DNS server running on the same local server (i.e. if running DNS and WG on the same VPS). # Doesn't seem necessary if the DNS is just on a separate server on the LAN. iifname $wg_iface tcp dport 53 accept iifname $wg_iface udp dport 53 accept counter comment "count dropped packets" } chain forward { type filter hook forward priority 0; policy drop; ct state vmap { invalid : drop, established : accept, related : accept } iifname $wg_iface oifname $pub_iface accept reject with icmpx type host-unreachable } chain my_output { type filter hook output priority filter; policy accept; # Accept every outbound connection } } table inet nat { chain postrouting { type nat hook postrouting priority 100; policy accept; iifname $wg_iface oifname $pub_iface masquerade } } # The state of stateful objects saved on the nftables service stop. include "/var/lib/nftables/*.nft" # Rules include "/etc/nftables.d/*.nft"