Channels
Security, Products
This is amazing...

Pi-hole.net moves ad and site blocking out of browser extensions or custom hosts files, and places it at router level as a local DNS server. All devices within the home network then share common blocking info. Every device speeds up within the internal network.

Pi-hole web UI is amazingly configurable and shows all web traffic and gives one-click block or unblock. It runs on a cheap Raspberry Pi ($35-65). Once installed, you point your router's DNS to use it, or point each machine's DNS to it, where it handles all requests and blocks if needed. Huge block lists are auto-updated, too. Big community support. And open source.

I installed Pi-hole a few weeks ago and couldn't be happier. Best part is, mere mortals that don't speak hex can understand it. I have no affiliation, just found it and wanted to crow about it.
 


Ric Ford

MacInTouch
Thanks for letting us know about Pi-hole. I hadn't heard of it before but knew about OpenDNS, which offers some similar services. (It was acquired by Cisco.)

There's also the 1.1.1.1 DNS service from Cloudflare, but that's a much more stripped-down option.
 



Dave,

I'd love to hear more, specifically a step-by-step or a reference to Pi-hole. I really don't have the time or inclination to relearn Linux, and this requires a Linux box. I gather it runs on a Raspberry Pi and one can be purchased from the Pi-hole people. Where would this box go in my DSL modem->Apple Airport->Router?

Also, do the external DNS servers mentioned by Ric do this without owned hardware? What are the pluses and minuses to either approach?

Thanks.

(As you can tell, I'm more than a little bit steamed about this whole ad thing.)
 


It looks interesting, but if this is purely a DNS-based solution, what does it actually do with requests for blocked domains?

I have found (via my own do-it-yourself ad blocking in the past) that if you set it up so these domains point at an IP address without any web server (e.g. 127.0.0.1 if you aren't running a server locally), then a lot of web sites will hang. The scripts will see the TCP "connection refused" error and will continuously retry the attempt, which never succeeds. Sometimes, I could just add the script's server to the block-list, but that didn't always work.

I had found that in order to maintain usability, I needed to point the spam domains at an IP address running a bogus web server - one that returns valid content (in my case, a trivial 5-line HTML file) for every URL received. This way, the advertising scripts think they have received valid data and will allow the rest of the page to load. So I see a lot of rectangles with my dummy HTML text in it where the ads would have gone.

I never tried configuring DNS so that these domains would generate not-found errors, so I don't know if that would or wouldn't allow the pages to work properly.

AdBlock Plus (and other products, I assume) works by actually altering the content of web pages, removing the HTML code for the images, scripts, frames and other content that match the filters (vs. letting the web browser try to load them and then getting errors from the attempt). This seems to have the least impact on my ability to read valid content. I assume that this could be done on a per-network basis by running the filters on a proxy server, but I haven't tried that yet.
 


Pardon my ramblings, I'm not a Pi-hole expert, but what I have found so far...
  • RaspberryPi is a great appliance PC. Tons of IP appliance-type uses and a fun PC to learn and use. I added a cheap $12 Pi ZeroW as an AirPrint server; another Pi is my Sonos music server, and now a third as Pi-hole. All run headless, no monitors. I ssh into them from my Mac.
  • Pi-hole does not run all your net traffic through the Pi. Its one ethernet or wifi connection simply sits alongside other machines on your network and serves DNS requests only.
  • Pi-Hole setup: RaspberryPi default Linux is Debian tweaked and called cutely Raspbian. It has command line or GUI versions. You simply download it, write it to a MicroSSD using Etcher on Mac, insert the SSD into the Pi and boot to a command line (pi/raspberry is default login). Type "raspi-config" then enable ssh, change password, set network settings, reboot. Log in and install Pi-hole using curl, then reboot, done. Set the Pi aside. Next change your home primary router setting DNS to point to your new Pi's IP, not the DNS provided by your hosting provider. That's it. Next use Safari from your Mac to access admin screen and have fun blocking things, tweaking whitelists and blacklists. I removed hosts files and adblock extensions from all machines and saw instant speed increase.
  • Pi-hole kudos: Replaces the 127.0.0.1 block-sites function of a hosts file. It includes self-updating blocker lists, and you can add more. Pi-hole also caches DNS queries within your network for quicker speed. Pi-hole's log screen shows what queries were read from cache vs. cloud. I am just discovering the Pi-hole universe through Google and Reddit. It's early, but looks very promising.
  • Ric's mention of DNS at 1.1.1.1 [OpenDNS? -Ric] looks great, too. Practically does the same functions. But, I think both can be used. I plan to use that as my backup DNS in case the Pi-hole local fails, as my secondary. I will stick with Pi-hole since it logs traffic and lets me see exactly what is happening within my home network. It showed me that a very chatty Rainbird sprinkler wifi controller was hitting Rainbird cloud every 10 seconds. Hogging my system. And more...
  • David Charlap (always interesting in my opinion) brings up good points about 127.0.0.1 hangs. I concur, but Pi-hole seems to hang less so far. Maybe just my enthusiasm. Plus it protects all devices within my home NAT.
  • If you buy a RaspberryPi, I started with CanaKit getting started kit, pre-loaded SSD with noobs, (as in newbie) a boot screen program that helps you get going. Your mileage may vary.
 


AdBlock Plus (and other products, I assume) works by actually altering the content of web pages, removing the HTML code for the images, scripts, frames and other content that match the filters (vs. letting the web browser try to load them and then getting errors from the attempt). This seems to have the least impact on my ability to read valid content. I assume that this could be done on a per-network basis by running the filters on a proxy server, but I haven't tried that yet.
Do you know the mechanism by which some websites seem to "know" that your browser has an ad blocking extension? Would the same detection mechanism work for something like the Pi-hole (or even OpenDNS)? I know web browsers can cough up a lot of information, but this is one detail I would rather not advertise (ha).
 


It looks interesting, but if this is purely a DNS-based solution, what does it actually do with requests for blocked domains?
AdBlock Plus (and other products, I assume) works by actually altering the content of web pages, removing the HTML code for the images, scripts, frames and other content that match the filters (vs. letting the web browser try to load them and then getting errors from the attempt). This seems to have the least impact on my ability to read valid content. I assume that this could be done on a per-network basis by running the filters on a proxy server, but I haven't tried that yet.
I've been using AdBlock for some time, and it has worked perfectly. Much cleaner interaction with websites. Obviously, someone has "hacked" the server side so that it knows the browser (on this end) is blocking the site from "pushing" content, i.e. the ads. This behavior is, as far as I can tell, newly emboldened.

Aside: I've been watching Little Snitch for some time now. It is positively mind-boggling just how invasive the modern commercial Internet has become. Not only the Net, but also nearly every app I have calls home in some manner when invoked. In fact, some - I'm looking at you, Adobe, though you're not alone - call home even when none of their software is running. A particularly nasty customer is Google. You remember them? "Do no harm?" I regularly get calls to a Google app update site. My only connection to google is an email account and, of course, the search mechanism. No apps, so why is it digging? Apple of course seems to think if you have their system, they can do pretty much whatever they want. I always deny the "send diagnostics" and the anonymous "whatever we (Apple) want to make things better." The Internet has grown and changed in more ways than even the wildest, highest, craziest, stonedest pioneer could have guessed.

Anyway, I've tried setting up the 1.1.1.1 DNS. Not sure what, if anything, is happening. Will keep watching.
 


It looks interesting, but if this is purely a DNS-based solution, what does it actually do with requests for blocked domains?
This is how Pi-Hole works:

A normal webpage would work like this. For example, to load the Amazon banner ads on this very page, your browser would ask your computer's DNS system to resolve "rcm-na.amazon-adsystem.com". Your system's network stack would make a DNS query to the configured resolvers and get "176.32.103.183" as the response. Your browser would then make an HTTP request to 176.32.103.183 for the required elements, in this case "/images/G/01/rcm/180x150.gif" amongst other things, and the ad element would be rendered in the web page.

With Pi-hole active, your computer is configured to use the Pi-hole system as your DNS resolver. So, your network stack would make a DNS query for "rcm-na.amazon-adsystem.com" to Pi-hole. Pi-hole keeps a constantly updated list of ad servers, so it would recognize "rcm-na.amazon-adsystem.com" as an ad server and respond directly, instead of going out to the Internet to find the actual IP address, like resolvers normally do. Instead of responding with "176.32.103.183", Pi-hole will respond with its own IP address.

For this example, let's pretend Pi-hole is running on your local network at 192.168.1.210. So, your browser will now make an HTTP query to 192.168.1.210 for "/images/G/01/rcm/180x150.gif". The Pi-hole box is also running a web server on port 80. It is configured to respond immediately to all requests with a 404 Not Found error (alternatively, it can be configured to serve a Blocked Page HTML response). So all those ad elements from Amazon will now not render in the web page because they were all 404.

Pi-hole is currently beta testing an alternative method of blocking. That is returning NXDOMAIN response for all ad server hostname requests, instead of an IP address. NXDOMAIN means the requested hostname doesn't exist. So, for example, for "rcm-na.amazon-adsystem.com", Pi-hole would say it doesn't exist, rather than returning a modified IP address. There are pros and cons to both methods, outlined in this article.
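
The two blocking modes described in the post above, worked through at the DNS wire-format level. This is an added example, not part of the original post and not Pi-hole's own code; the function names, the exact-match blocklist and the TTL value are assumptions made for illustration, while the hostname and 192.168.1.210 come from the post.

```python
import ipaddress
import struct

SINKHOLE_IP = "192.168.1.210"               # Pi-hole's LAN address in the post's example
BLOCKLIST = {"rcm-na.amazon-adsystem.com"}  # the ad host named in the post
TYPE_A, CLASS_IN, RCODE_NXDOMAIN = 1, 1, 3
BLOCK_TTL = 2  # assumption: short TTL so an unblocked name recovers quickly


def build_query(name, qid=0x1234):
    """Build a recursive A query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_question(msg):
    """Return (qid, flags, name, qtype, end_offset) for the single question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("bad label in question")
        # DNS names are case-insensitive, so normalise before the blocklist lookup.
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, flags, ".".join(labels), qtype, pos + 4


def answer_blocked(query, mode="ip"):
    """Answer a blocked name locally; return None when the query should go upstream."""
    qid, flags, name, qtype, end = parse_question(query)
    if name not in BLOCKLIST:
        return None
    reply_flags = 0x8080 | (flags & 0x0100)  # QR + RA, RD copied from the query
    question = query[12:end]
    if mode == "nxdomain":
        header = struct.pack("!HHHHHH", qid, reply_flags | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question
    if qtype != TYPE_A:
        # Blocked name, non-A query: NOERROR with an empty answer section.
        return struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0) + question
    rdata = ipaddress.IPv4Address(SINKHOLE_IP).packed
    # 0xC00C is a compression pointer back to the name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, BLOCK_TTL, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, reply_flags, 1, 1, 0, 0) + question + answer


def summarize(response):
    """Return (rcode, [IPv4 answers]) for a response produced by answer_blocked()."""
    _qid, flags, _name, _qtype, pos = parse_question(response)
    (ancount,) = struct.unpack("!H", response[6:8])
    addresses = []
    for _ in range(ancount):
        # Each answer here starts with a 2-byte name pointer, then a 10-byte fixed part.
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos + 2:pos + 12])
        if rtype == TYPE_A:
            addresses.append(str(ipaddress.IPv4Address(response[pos + 12:pos + 12 + rdlen])))
        pos += 12 + rdlen
    return flags & 0x000F, addresses


if __name__ == "__main__":
    q = build_query("rcm-na.amazon-adsystem.com")
    print("ip mode      :", summarize(answer_blocked(q, "ip")))
    print("nxdomain mode:", summarize(answer_blocked(q, "nxdomain")))
    print("not blocked  :", answer_blocked(build_query("www.example.org")))
```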
 


Do no harm?
Things are actually worse; Google's self-commandment was "Don't Be Evil".

Yes, you read that correctly...was. The phrase, going back to at least Google's IPO registration, was held up as a guiding principle in virtually all consequential corporate communications. But now it is essentially just a footnote at the very end of Google/Alphabet's Code of Conduct.
 



Do you know the mechanism by which some websites seem to "know" that your browser has an ad blocking extension? Would the same detection mechanism work for something like the Pi-hole (or even OpenDNS)? I know web browsers can cough up a lot of information, but this is one detail I would rather not advertise (ha).
I don't know for sure. Different sites probably do it in different ways, but I assume most involve JavaScript. One script on the page looks for artifacts created by the ad-loading scripts. Or it inspects the DOM of the loaded web page to look for ad content. If it finds evidence that the ads haven't loaded, or the ad-scripts haven't run, then it displays the error screen.

Interestingly, an ad-blocker that substitutes its own content for ad-content (e.g. redirecting requests to a dummy web server) might end up suppressing these warnings, because the scripts would think that the ad loaded (depending on how dumb the script is, of course). It could also try to validate the retrieved ad content with a certificate or something, which fake content wouldn't pass.

Either way, I don't think ad blockers advertise their presence, but ad servers and ad serving scripts have ways to make good guesses even without an advertisement.
... Pi-hole will respond with its own IP address.
... The Pi-hole box is also running a web server on port 80. It is configured to respond immediately to all requests with a 404 Not Found error (alternatively, it can be configured to serve a Blocked Page HTML response).
... Pi-hole is currently beta testing an alternative method of blocking. That is returning NXDOMAIN response for all ad server hostname requests, instead of an IP address.
Thanks. This helps enormously.

So their current mechanism (return a valid blank page) appears to be the same concept I cobbled together myself years ago. That is definitely the most effective (to me) approach for DNS-based blocking. Returning a 404 or other error page is less effective because some scripts will see this and retry the attempt (possibly running down a list of alternate ad servers) until one succeeds.

I'll be very curious to see how well NXDOMAIN works. I suspect it may suffer from the same problem as returning a 404 or refusing the HTTP connection - ad-serving scripts that keep on retrying until something succeeds.
 


Either way, I don't think ad blockers advertise their presence, but ad servers and ad serving scripts have ways to make good guesses even without an advertisement.
Thanks. I also saw your related post on another thread and I added the "AdBlock Warning Removal list" to the subscribed lists for the AdBlock extension in Safari.
 


Do you know the mechanism by which some websites seem to "know" that your browser has an ad blocking extension? Would the same detection mechanism work for something like the Pi-hole (or even OpenDNS)? I know web browsers can cough up a lot of information, but this is one detail I would rather not advertise (ha).
Of course, the problem is that running a unique suite of ad blockers (like I do) can create a unique "signature" of its own that can be used to track you. You can test this for yourself at Panopticlick.
 


If you install Pi-Hole, be sure to use one of their supported Linux flavors and versions. I tried installing into Ubuntu 18 and Pi-Hole's web server wouldn't work. I wiped the drive and installed Ubuntu Desktop 16.04. When I ran Pi-Hole's curl command I found that curl isn't installed in Desktop Ubuntu 16. After installing curl, the Pi-Hole installation proceeded smoothly and everything just worked.

It'll take a few days of web browsing to reach a final verdict on Pi-Hole.
 


We run Pi-Hole here, on a NUC that runs the Debian operating system. The NUC also runs UniFi Video (for our security cameras) and the UniFi controller for our WiFi access point.

Running Debian and things like Pi-Hole are definitely an enthusiast type of thing - the average user would consider it as being too much work. Pi-Hole does work well; it's nice having a LAN-wide blocker for advertisements.
 


We use Pi-Hole on a NUC and a Raspberry Pi B+ (both running Debian) on two different networks. Pi-Hole offers smooth operation and hits the sweet spot for simplicity vs. control in its clean web interface, in addition to pretty unobtrusive operation.

The Pi-Hole setup benefits from a static IP address inside the local network - a DHCP-assigned IP address slows down the browser. We saw this while test-driving Pi-Hole on a VM.

My question to the community: Is a pre-configured one-trick-pony Raspberry Pi with pre-installed Pi-Hole (slim Linux, complete with admin access) something you would consider buying? Or would you prefer to assemble it to be sure you know where the code comes from?
 


My question to the community: Is a pre-configured one-trick-pony Raspberry Pi with pre-installed Pi-Hole (slim Linux, complete with admin access) something you would consider buying? Or would you prefer to assemble it to be sure you know where the code comes from?
Maybe I'm getting old and my enthusiasm for learning new things is slowing down, but I'm definitely seeing an advantage to "plug it in and it works".
 


Of course, the problem is that running a unique suite of ad blockers (like I do) can create a unique "signature" of its own that can be used to track you. You can test this for yourself at Panopticlick.
If you go there, there's a link to show what data your fingerprint is composed of. I don't think ad blocking is a part of it:
  • "Limited supercookie test" (DOM local storage, DOM session storage, IE user data)
  • Hash of canvas fingerprint (not sure what this is)
  • Screen size and color depth
  • Browser plugins supported (in my case, the specific version of Flash currently installed, since Firefox doesn't support any other plugins these days)
  • Time zone
  • Do-not-track header enabled
  • HTTP_ACCEPT header (what data-representation does your browser support)
  • Hash of WebGL fingerprint
  • Languages supported
  • System fonts (a list of every font you have installed, which the browser tells the server you can display). This looks like the biggie here. Unless you restrict yourself to the fonts that come with your OS (and perhaps office suite), this is likely to be a unique signature.
  • Platform (your OS)
  • User Agent (a unique string that identifies your browser, usually including OS, and version number as well). In my case, it is identifying my browser as Firefox 60.0 on Windows 10 64-bit x86.
  • Touch support (does your system support touch-screen events)
  • Are cookies enabled?
While some could probably be stripped without breaking your experience, some really can't be. It's very unclear how you could modify this to be more private unless you want to run a stripped-down browser that only supports least-common-denominator features, in order to blend in with everybody else. And even then, it would in turn be a unique identifier unless lots of other people use the same browser.

And it is likely that such a browser would have problems because so many web sites try to customize their "experience" based on this data. If the data is missing or wrong, you may end up viewing the site with important content missing or garbled.

Interestingly, they give my browser a red "X" because my browser does not "unlock 3rd parties that promise to honor Do Not Track". I wouldn't consider this a problem. The advertising industry has lied to us so many times, there is no way I'm going to believe them just because they're issuing an EFF-authored platitude. Especially when they admit there is no possible enforcement:
EFF said:
What does the dnt-policy.txt promise mean?

Posting the dnt-policy.txt file makes a promise to the users who interact with their domain. We believe it would be a false and misleading trade practice to post the policy without the intent to comply in good faith. However, EFF is not in a position to enforce this promise or monitor compliance.
They seem to think that advertisers have a problem with "false and misleading trade practice", even though that appears to be the fundamental basis of 90% of Internet advertising. (And, one could argue a very large percentage of advertising everywhere else).
 


Speaking of fingerprinting and web privacy, I've had an odd experience, repeatedly, only with Amazon.

I'm using Mac Firefox ESR, running uBlock Origin with lots of filters enabled, including do-not-track and privacy filters in addition to the usual ad-blocking filters. To further increase privacy, I use the Firefox keystroke (Command-Shift-Delete) that brings up a dialog allowing me to clear various things. I clear almost everything except "Browsing & Download History" -- in other words, I clear:
  • Form & Search History
  • Cookies
  • Cache
  • Active Logins
  • Offline Website Data
  • Site Preferences
…and then, from a regular Firefox window, go to Amazon. Not surprisingly, they don't recognize me, and ask me to log in to my account.

However, if I go through the exact same clearing sequence -- but from a Firefox "Private Window" (what some browsers call "Incognito mode", and some people call "porn mode") -- then most of the time, Amazon will immediately recognize me and greet me by name -- i.e. I'm already logged in when I arrive there.

My understanding was that a Private Window's special status is quite limited: once you leave the current website, it prevents that site's history entries and cookies from being saved. Otherwise, as far as I know, it's similar to a regular browsing window. I never thought it would increase my privacy and security within one website, but why should it reduce my privacy on Amazon? Why do they immediately recognize me from a Private Window but not from a regular window?
 


If you go there, there's a link to show what data your fingerprint is composed of. I don't think ad blocking is a part of it:
  • "Limited supercookie test" (DOM local storage, DOM session storage, IE user data)
  • Hash of canvas fingerprint (not sure what this is)
  • Screen size and color depth
  • Browser plugins supported (in my case, the specific version of Flash currently installed, since Firefox doesn't support any other plugins these days)
  • Time zone
  • Do-not-track header enabled
  • HTTP_ACCEPT header (what data-representation does your browser support)
  • Hash of WebGL fingerprint
  • Languages supported
  • System fonts (a list of every font you have installed, which the browser tells the server you can display). This looks like the biggie here. Unless you restrict yourself to the fonts that come with your OS (and perhaps office suite), this is likely to be a unique signature.
  • Platform (your OS)
  • User Agent (a unique string that identifies your browser, usually including OS, and version number as well). In my case, it is identifying my browser as Firefox 60.0 on Windows 10 64-bit x86.
  • Touch support (does your system support touch-screen events)
  • Are cookies enabled?
While some could probably be stripped without breaking your experience, some really can't be. It's very unclear how you could modify this to be more private unless you want to run a stripped-down browser that only supports least-common-denominator features, in order to blend in with everybody else. And even then, it would in turn be a unique identifier unless lots of other people use the same browser.

And it is likely that such a browser would have problems because so many web sites try to customize their "experience" based on this data. If the data is missing or wrong, you may end up viewing the site with important content missing or garbled.

Interestingly, they give my browser a red "X" because my browser does not "unlock 3rd parties that promise to honor Do Not Track". I wouldn't consider this a problem. The advertising industry has lied to us so many times, there is no way I'm going to believe them just because they're issuing an EFF-authored platitude. Especially when they admit there is no possible enforcement:

They seem to think that advertisers have a problem with "false and misleading trade practice", even though that appears to be the fundamental basis of 90% of Internet advertising. (And, one could argue a very large percentage of advertising everywhere else).
From the Panopticlick website:
In 2015, we upgraded Panopticlick with a new feature: tracker blocker testing. Millions of Internet users are using privacy add-ons and other tools to block trackers, including tools like AdBlock, Ghostery and Disconnect. But how well do these add-ons actually protect users from invasive tracking?
Our new version of Panopticlick researches both.
Your response made me double-check this, though, which is a good thing--so thanks!
 


I just got Pi-hole up and running on a Raspberry pi I had laying around not doing anything. I'm impressed at this point. I don't see DNS queries being any slower per se (hard to quantify that, but everything feels the same). Pages load quicker anyway since the ads are blank. I had not heard of this, so thanks. Good stuff....
 


Add me to the list of satisfied Raspberry Pi + Pi-hole customers. Install went smoothly, although it took a little digging to figure out how to change the default user and credentials.
 


I also have Pi-hole running on my home network. I keep getting many requests for "ckdatabase.fe.apple.dns.net" [ckdatabase.fe.apple-dns.net] from my Macs and iOS devices that are blocked by default. A quick search shows that this request may be for iCloud services. Does anyone have any experience with this?
 


Just wanted to add my thanks to the Pi-hole project. I implemented two Pi-holes here, and they work great with my Edgerouter.

For example, I note how well the system works to keep my Sonos zone players from being naughty. Even though I disabled sending metrics to Sonos in its preference pane, there were 1,166 attempts to reach msmetrics.ws.sonos.com over the last 7 days. It is the second most blacklisted entry after graph.facebook.com. (FWIW, I am not a Facebook user.)

Happily, the Sonos' TuneIn Radio function still works fine, despite my firmware release (8.4) being quite old by now. My CR100 is also going strong! So, no loss in functionality and extra privacy – thank you, Pi-hole!

I want to extend a huge thanks to Derek Seaman for his detailed instructions on how to set up a pi-hole on a Raspberry Pi 4 with DNSCrypt, followed by instructions on how to redirect all DNS traffic to said pi-holes on an Edgerouter. DNSCrypt helps ensure your computer gets good DNS data, and the Edgerouter DNS traffic redirects prevent most devices from getting their DNS data elsewhere (though with limitations, thanks to DoH and DoT).

After the FBI report on smart TVs, I'd suggest using a Pi-hole DNS array for any home that has "smart" appliances in it (or disconnect said smart appliances from the network). The only downside so far is that the queen bee cannot reach ads as easily as she used to. Some might call that a feature, not a bug. :-)
 


Just wanted to add my thanks to the Pi-hole project. .... I note how well the system works to keep my Sonos zone players from being naughty.
Top of my Pi-Hole identified chatty device list is my Rainbird sprinkler controller trying to talk to Rainbird.com every two seconds. Thousands of times daily. Naughty naughty.

I would be even more paranoid without Pi-hole.
 


Ditto the praise for Pi-Hole. I've had mine running for well over a year and it's nice to see and control all of the rogue traffic from devices....
 


Just wanted to add my thanks to the Pi-hole project. I implemented two Pi-holes here, and they work great with my Edgerouter.
For those with Ubiquiti EdgeRouters, here is another method for blocking IoT connections to the internet. It is more absolute and doesn't require running Pi-Hole, but has considerably less flexibility than DNS interception. The two methods aren't mutually exclusive; you can use either or both. In fact, after reading this thread I'm fascinated by what I can do with Pi-Hole, and will probably buy a Pi (which one?) and set it up on my LAN.

EdgeRouters support simple script rules that can prohibit LAN devices from communicating with the outside world. LAN devices can be specified by either their IP address or their MAC address; for my needs, filtering by device MAC address made the most sense.

This code snippet, part of my Edgerouter configuration, shows rules that allow two of my smart plugs to get the time (port 123, ntp time servers) whenever they want, but block all other attempts to talk to the outside world. If I want to allow the smart plugs to update their firmware, I just temporarily edit the rules to allow them outside communication.
Code:
name WAN_OUT {
    default-action accept
    description "WAN to Internet"
    rule 10 {
        action accept
        description "Allow HS105-1 Port 123"
        destination {
            port 123
        }
        log disable
        protocol udp
        source {
            mac-address 70:4f:57:aa:bb:cc
        }
    }
    rule 15 {
        action drop
        description "Drop IoT tp-link HS105-1 MAC"
        log disable
        protocol all
        source {
            mac-address 70:4f:57:aa:bb:cc
        }
    }
    rule 20 {
        action accept
        description "Allow HS105-2 Port 123"
        destination {
            port 123
        }
        log disable
        protocol udp
        source {
            mac-address 70:4f:57:dd:ee:ff
        }
    }
    rule 25 {
        action drop
        description "Drop IoT tp-link HS105-2 MAC"
        log disable
        protocol all
        source {
            mac-address 70:4f:57:dd:ee:ff
        }
    }
}
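
A way to check a ruleset like the one above before relying on it: the rules are evaluated in rule-number order, the first match wins, and `default-action accept` applies to anything no rule matches, so each per-device accept rule needs a later catch-all drop for the same MAC. This is an added example, not part of the original post and not Ubiquiti code; the parser, the packet dictionaries and the function names are assumptions for illustration, it handles only single port numbers, and the embedded config is a constructed copy of the post's first two rules.

```python
# Constructed sample: rules 10 and 15 of the WAN_OUT ruleset from the post.
CONFIG = """
name WAN_OUT {
    default-action accept
    rule 10 {
        action accept
        description "Allow HS105-1 Port 123"
        destination {
            port 123
        }
        protocol udp
        source {
            mac-address 70:4f:57:aa:bb:cc
        }
    }
    rule 15 {
        action drop
        description "Drop IoT tp-link HS105-1 MAC"
        protocol all
        source {
            mac-address 70:4f:57:aa:bb:cc
        }
    }
}
"""


def parse_block(lines):
    """Parse 'key value' lines and nested 'key {' blocks into nested dicts."""
    node = {}
    for line in lines:  # 'lines' is a shared iterator, so recursion consumes the body
        line = line.strip()
        if not line:
            continue
        if line == "}":
            return node
        if line.endswith("{"):
            node[line[:-1].strip()] = parse_block(lines)
        else:
            key, _, value = line.partition(" ")
            node[key] = value.strip().strip('"')
    return node


def load_ruleset(text, name):
    """Return (default_action, [(number, rule), ...]) sorted by rule number."""
    ruleset = parse_block(iter(text.splitlines()))["name " + name]
    rules = sorted((int(k.split()[1]), v) for k, v in ruleset.items() if k.startswith("rule "))
    return ruleset["default-action"], rules


def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    proto = rule.get("protocol", "all")
    if proto != "all" and proto != pkt["protocol"]:
        return False
    mac = rule.get("source", {}).get("mac-address")
    if mac and mac.lower() != pkt["src_mac"].lower():
        return False
    port = rule.get("destination", {}).get("port")
    if port and int(port) != pkt.get("dst_port"):
        return False
    return True


def decide(text, name, pkt):
    """First matching rule wins; otherwise the ruleset's default-action applies."""
    default, rules = load_ruleset(text, name)
    for number, rule in rules:
        if matches(rule, pkt):
            return rule["action"], number
    return default, None


def unblocked_macs(text, name):
    """MACs that have an accept rule but no later unconditional drop for that MAC."""
    default, rules = load_ruleset(text, name)
    if default != "accept":
        return []
    leaks = set()
    for number, rule in rules:
        mac = rule.get("source", {}).get("mac-address")
        if rule["action"] != "accept" or not mac:
            continue
        covered = any(
            n > number and r["action"] == "drop" and r.get("protocol", "all") == "all"
            and "destination" not in r and r.get("source", {}).get("mac-address") == mac
            for n, r in rules
        )
        if not covered:
            leaks.add(mac)
    return sorted(leaks)


if __name__ == "__main__":
    plug = "70:4F:57:AA:BB:CC"
    print(decide(CONFIG, "WAN_OUT", {"src_mac": plug, "protocol": "udp", "dst_port": 123}))
    print(decide(CONFIG, "WAN_OUT", {"src_mac": plug, "protocol": "tcp", "dst_port": 443}))
    print(unblocked_macs(CONFIG, "WAN_OUT"))
```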
 


I'm fascinated by what I can do with Pi-Hole, and will probably buy a Pi (which one?) and set it up on my LAN.
The current generation Raspberry Pi is the model 4B. Key features are:
  • Broadcom Microcontroller. 1.5 GHz 64-bit ARMv8 CPU with 4 cores.
  • 1G, 2G or 4G RAM (not upgradable)
  • Two micro HDMI ports, supporting up to 2 4K displays
  • 2 USB 2 ports
  • 2 USB 3 ports
  • Gigabit Ethernet
  • Wi-Fi and Bluetooth
  • Powered from a 15W USB-C power brick
  • Boots from and uses a MicroSD card for primary storage
You can, theoretically, just buy the circuit board. If you do, you'll need (at minimum) to supply a power supply and SD card. Amazon prices are currently $42 /47.50 / 62 for 1/2/4 GB of RAM, respectively.

If you're just getting started, then I would strongly recommend getting a starter kit. These typically include a case, power supply and SD card and may add other useful items as well. There are many different kits available from many different vendors. One very popular kit is from CanaKit. This bundle costs $80/90/100 for a kit with 1/2/4G of RAM. It includes:
  • The Raspberry Pi 4B board
  • Plastic case
  • Heat sinks and cooling fan
  • Power supply, including a power switch on the cord (the Pi board itself has no power switch - it powers on when you plug it in)
  • 32 GB MicroSD card, pre-loaded with NOOBS (an OS installer that is very easy to use).
  • Micro HDMI-HDMI cable
  • USB MicroSD card reader

If you want to save a little bit of money, older models are still sold. If you want to do this, I would suggest the model 3B+. I wouldn't go any older than that unless you have a specific need to do so. A 3B+ features:
  • Broadcom Microcontroller. 1.4 GHz 64-bit ARMv8 CPU with 4 cores.
  • 1G RAM (not upgradable)
  • One HDMI port (DVI video only, using an HDMI connector)
  • 4 USB 2 ports
  • Gigabit Ethernet
  • Wi-Fi and Bluetooth
  • Powered from a 12W micro-USB power brick
  • Boots from and uses a MicroSD card for primary storage
And, of course, starter kits are available for the 3B+ as well.

Regardless of the hardware you pick, there are several choices of operating system. I would recommend running Raspbian Linux, which is based on Debian. You can either write it directly to your SD card (from another computer) or install it via NOOBS.

(Other operating systems are also available, but I wouldn't recommend running one of them unless you have a particular need to do so).
 


... One very popular kit is from CanaKit. ...
I've had two CanaKit power adapters fail. Both partially fried their Raspberry Pis. I didn't like the case that came with one of their kits. My favorite has far better cooling (more below).
... If you want to save a little bit of money, older models are still sold. If you want to do this, I would suggest the model 3B+. I wouldn't go any older than that unless you have a specific need to do so. ...
Agreed. For only running Pi-hole, I recommend the 3B+ over the 4. My two 4's have some quirks, and there are some unresolved issues with Raspbian that should be fixed in the future.
... I would recommend running Raspbian Linux, which is based on Debian. You can either write it directly to your SD card (from another computer) or install it via NOOBS. ...
Agreed. The NOOBS installer makes everything trivial. All that's required is a microSD card formatted to MS-DOS (FAT) using the Scheme Master Boot Record. Once it's booted, select the full Raspbian install.

My favorite case for the 3 is:
I have three of them and they've worked flawlessly.

The 3's will run headless without a dummy plug adapter; the 4's won't. While the display, keyboard, and mouse are still attached, go into Preferences > Raspberry Pi Configuration > Interfaces and enable VNC. (I suggest also enabling SSH.)

You have to manually edit /boot/config.txt to run headless. For my Raspberry Pi 3's, I uncomment these lines and change them to this:
Code:
hdmi_group=2
hdmi_mode=50

hdmi_mode=50 gives 1440x900. For details and other options visit

Since /boot stays on a FAT partition after Raspbian is installed, you can edit config.txt on the Mac.

Raspbian comes with RealVNC's VNC Server built-in. Download the free viewer app here:
 


Agreed. For only running Pi-hole, I recommend the 3B+ over the 4. My two 4's have some quirks, and there are some unresolved issues with Raspbian that should be fixed in the future.
There is a new firmware update for the Raspberry Pi 4, which appears to decrease the power consumption of the USB controller, as well as the SoC, allowing it to run cooler.
 


There is a new firmware update for the Raspberry Pi 4, which appears to decrease the power consumption of the USB controller, as well as the SoC, allowing it to run cooler.
Thanks, I've got that one. Many of the quirks are harmless GUI glitches I've learned to ignore.

I run BOINC's SETI@Home on all five of my Pi's. I over-clock the 4's – both run stably at 2,000 MHz, a 33% increase over the stock 1,500 MHz. I use an ICE Tower [Amazon], which keeps them at about 42C/108F at 100% load.
 



There is also no hardware switch for orderly [Raspberry Pi] shutdown. This is a problem when running a headless server. Pulling the power plug can be problematic. It’s best to do a sudo shutdown or sudo poweroff command from the terminal prior to removing power.
 


While perhaps a bit off topic, I would be curious to hear from others about their thoughts regarding experiences working with a Raspberry Pi. In a side conversation I had with Ric, we were in agreement that a Raspberry Pi build and coding had a very Woz-like vibe about it. The ability to add inexpensive components; the versatility; the fun. Take a Raspberry Pi, add a battery pack and some sensors, attach to a small balloon, and set it free. Who knows what will happen, but that is the fun in it.

Such projects were perhaps one reason I got into engineering and computing in the first place. The early days of desktop computing were filled with that wonder of plugging things together and seeing how it all worked. I do not see that as much today, except perhaps with devices such as these single-board computers (SBCs).
 


While perhaps a bit off topic, I would be curious to hear from others about their thoughts regarding experiences working with a Raspberry Pi. In a side conversation I had with Ric, we were in agreement that a Raspberry Pi build and coding had a very Woz-like vibe about it. The ability to add inexpensive components; the versatility; the fun. Take a Raspberry Pi, add a battery pack and some sensors, attach to a small balloon, and set it free. Who knows what will happen, but that is the fun in it.

Such projects were perhaps one reason I got into engineering and computing in the first place. The early days of desktop computing were filled with that wonder of plugging things together and seeing how it all worked. I do not see that as much today, except perhaps with devices such as these single-board computers (SBCs).
I have an RPi 3B+ running Homebridge for over 9 months, 24/7, with no issues. I have over 30 years of SysAdmin experience on various versions of Unix/Linux, and for $80 you can't beat the RPi. The distro is solid. The development environment (GitHub) is solid. Except for the obvious (it's slow with only 1GB of RAM - the RPi 4 should be better), it does everything you need/expect it to do.
 


You have to manually edit /boot/config.txt to run headless. ...
I don't know about the Raspberry Pi 4, but with a 3, you really don't have to. But if you don't change anything, it will launch the X11 GUI environment (and auto-login to it) at bootup, which is a waste of system resources for something running headless.

On my system, I left the config.txt file alone, but configured Linux to not auto-start the X11 GUI:

Edit /etc/default/grub. Change the GRUB_CMDLINE_LINUX_DEFAULT string so it is empty ("").
Then run sudo update-grub
sudo systemctl enable multi-user.target --force
sudo systemctl set-default multi-user.target
Reboot

When I need to access the Pi, I just run "ssh" from a Terminal window on my Mac in order to log in to it.

If I need to run a GUI app on the Pi, I run XQuartz on the Mac. Then I use "ssh -Y" to log in to it. The "-Y" option sets up a tunnel for the X11 traffic, which allows all of the GUI content to be presented on the Mac's screen.
 


I would be curious to hear from others about their thoughts regarding experiences working with a Raspberry Pi.
I've used one at work for various bits of IoT research. I find it a lot of fun.

Thanks to the GPIO expansion header, it is trivially easy to attach electronic devices to the Pi. The expansion header includes pins for SPI and I2C buses, and you can manually read/write individual pins. You can get small breakout boards from many sources including Adafruit and SparkFun. You can wire them up using breadboards and jumpers.

There is a wealth of free software (including lots of Python libraries) for accessing the various buses on the expansion header. So you don't need to be an electrical engineer in order to design and attach home-built electronics.

It is incredibly difficult (virtually impossible) for an amateur to design and build custom hardware that can connect to a modern PC/Mac via its standard buses (e.g. PCI Express, USB, Thunderbolt), so it's really wonderful to be able to buy a cheap computer where this kind of connectivity is easy.

The Raspberry Pi isn't the only device that fits this bill - there are many other popular devices like Arduino - but it is one of the few that is powerful enough to run a desktop operating system (like Linux) and is also popular enough to have a strong on-line community.
 


While perhaps a bit off topic, I would be curious to hear from others about their thoughts regarding experiences working with a Raspberry Pi.
I love my Raspberry Pis (three 3B+'s and two 4's). I love the ease of the NOOBS installer and Raspbian. The GUI is cruder than macOS, but it is mostly consistent and easy to figure out. Using the Pis headless with RealVNC's VNC Viewer makes it easy to control them and transfer files back and forth. I've been running Pis since I got my first for Pi-hole in August 2018. The only time they've crashed or hung is when I pushed the overclocking of the 4's too far.

I bought Sense HATs [Amazon] for all of my Pis. Programming them in Python using the Python IDLE environment is a joy. I use the Sense HATs' 8x8 LED to display columns with each of the four cores' CPU % load, memory usage, the Pi's temperature, the Sense HAT's temperature, and humidity. On top of that, ping-ponging flashing rows show the results of pinging my computers, a green LED for OK, red for no response. This makes it easy to see when a headless computer has crashed.

For rock-solid stability I recommend the 3B+. For more memory, faster CPU, faster USB, and faster Ethernet get the 4. I suspect the 4 will approach the stability of the 3B+ within months.

I also have a Jetson Nano SBC. It's more powerful than the RPis. It requires NVIDIA's Ubuntu for the drivers. I prefer Linux Mint with Xfce, so after NVIDIA's Ubuntu install, I installed Xubuntu and copied GUI elements from Linux Mint. It's close enough. I run BOINC on the Nano. In addition to SETI@Home running on the CPU, I obtained a special app that lets me run Einstein@home using the Nano's NVIDIA Tegra (Maxwell) GPU. I've modified and built a bunch of BOINC code on the Nano; it's all standard Linux. Not as much fun as the Raspberry Pis though.
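
The 8x8 status display described in the post above (eight metric columns plus a row of ping results) can be built as a plain 64-pixel frame and handed to the Sense HAT library's set_pixels(). This is an added example, not the poster's code: the bar color, the scaling ranges, the sample readings and the single static ping row are assumptions.

```python
# Added example: frame builder for the 8x8 status display described above.
GREEN, RED, BLUE, OFF = (0, 255, 0), (255, 0, 0), (0, 0, 255), (0, 0, 0)
SIZE = 8  # the Sense HAT LED matrix is 8x8


def bar_height(value, lo, hi):
    """Scale value from [lo, hi] to 0..8 lit LEDs, clamping out-of-range input."""
    if hi <= lo:
        raise ValueError("hi must be greater than lo")
    frac = (min(max(value, lo), hi) - lo) / (hi - lo)
    return round(frac * SIZE)


def build_frame(columns, ping_ok=None, ping_row=0):
    """Return 64 RGB tuples, row-major from the top-left, for set_pixels().

    columns: exactly 8 (value, lo, hi) tuples; one bar per column, drawn
             from the bottom row upward.
    ping_ok: optional list of up to 8 booleans; row `ping_row` is then
             overwritten with green (host answered) or red (no response).
    """
    if len(columns) != SIZE:
        raise ValueError("need exactly 8 columns")
    frame = [OFF] * (SIZE * SIZE)
    for x, (value, lo, hi) in enumerate(columns):
        for i in range(bar_height(value, lo, hi)):
            y = SIZE - 1 - i  # y = 7 is the bottom row
            frame[y * SIZE + x] = BLUE
    if ping_ok is not None:
        if len(ping_ok) > SIZE:
            raise ValueError("at most 8 hosts fit on one row")
        for x, ok in enumerate(ping_ok):
            frame[ping_row * SIZE + x] = GREEN if ok else RED
    return frame


# Constructed sample readings: four core loads (%), memory (%), SoC temp (C),
# Sense HAT temp (C), humidity (%). The scaling ranges are assumptions.
SAMPLE = [(100, 0, 100), (50, 0, 100), (0, 0, 100), (25, 0, 100),
          (62.5, 0, 100), (42, 30, 85), (35, 0, 50), (40, 0, 100)]

if __name__ == "__main__":
    frame = build_frame(SAMPLE, ping_ok=[True, True, False])
    try:
        from sense_hat import SenseHat  # available on a Pi with a Sense HAT
        SenseHat().set_pixels(frame)
    except (ImportError, OSError):  # no library or no HAT: print a text preview
        for r in range(SIZE):
            print("".join(".#"[p != OFF] for p in frame[r * SIZE:(r + 1) * SIZE]))
```

Keeping the frame builder free of hardware calls lets the layout be checked on any machine before it is deployed to a headless Pi.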
 


...others about their thoughts regarding experiences working with a Raspberry Pi.
Raspberry Pi is awesome fun and for peanuts. I've made some goofy useful widgets with it.
  • Pi-hole, of course
  • Made AirPrint servers for old printers using the tiny Raspberry Pi Zero W ($20-ish for the kit). Works great.
  • Made a Sonos controller using the amazing HTTP API
  • Linked ESP8266 ($3) Wi-Fi Arduino-ish boards to talk to the Sonos API for a quick mute/unmute.
  • Made Barking Dog Sonos alarm. (I don't have a dog). Plays big, mean barking dog sounds if I'm gone and someone walks up to my front door.
  • Made a box with big red button marked Do Not Press. Someone always presses it, which slowly begins to play through my Sonos speakers a slowly rising tone, getting louder and louder, that won't turn off unless you know the tap-tap-tap secret code. (I know, dumb – gets a laugh.)
  • Currently struggling to get a multi-line home IP phone configured using a Pi. Learning Asterisk and the IP phone world is drinking from a fire-hose, but why not. My goal is a working landline that won't cost much on a Pi, and maybe let me control robot calls. I like that I can nuke the Pi SSD and start over fresh. Pi doesn't care.
Raspberry Pi is great. Huge online support. Have fun. David mentioned Arduino, too. If you dabble with wires or batteries, Arduino code base ESP8266 and ESP32 are cheap task-oriented boards. Fun times, too.
 

