Content filtering showdown: DNS vs Proxy

Long story short, due to Riccardo Palombo's video about PiHole I was wondering how this could be used in tandem with NethServer to de-crappify the internet traffic a bit of some “not requested things”.
My little stupid idea was “virtualize PiHole on the RED side, use it as DNS server for NethServer and voilà! Decrappified internet available”. Then a feature caught my eye: group-based policy/listing/whitelist/blacklist. I thought this arrangement was making this feature completely unavailable, due to the fact that the only client for PiHole was NethServer, not the computers hosted in the green network.
PiHole does not exactly act as content filtering, but some lists can be used for a sort of that.
On the other side, using a proxy as a content filter is quite a bit more “tough” for the system to manage, so it has to be a bit bulkier, and gains the advantage of caching (even after the spell of prophet Filippo Carletti “HTTPS makes cache useless”, but updates for OS, AV and even something crazy like Steam may take advantage of cache. A lot.)

As far as I can remember, Nethesis offered for Italy (only) a subscribed DNS content filtering. It is offered only in Italy due to the list compiler, a firm which is oriented to the Italian market only.

But now? What is the opinion of the community? Consider that the debate could lead to practically nothing, not only because 7.8 fixes will take time, but more time will be taken by some EOL packages and the remainder is focused on the “big goal”: IPv6…

OK, don’t laugh too loud. Please, be kind. Don’t laugh! (thanks MJ for the inspiration)

I know, I know, IPv6 is not interesting, they are developing 8.0 and “all the new stuff” around that, like podman.



I use a combination of an LXC PI-Hole in my Clients Proxmox, and NethServer as Proxy.
NethServer itself does NOT use PI-Hole as DNS.
DHCP Clients get the PI-Hole as DNS, WPAD and Proxy.pac take care of the Squid access.
As the DNS requests are sunk by the PI-Hole it works quite OK.

Still could do with some optimizing, I think adapting proxy.pac is sufficient.

At least until we get full IPv6…

My 2 cents
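
One way a proxy.pac could be adapted for the setup in the post above, as an added example that is not the poster's own file: the PAC script resolves each host through the client's resolver (the Pi-hole) and refuses to hand sinkholed names to Squid, which resolves through a different DNS server. The proxy address, the dead "blocked" target, the fail-closed choice and the `decide` helper are assumptions; `0.0.0.0` is the answer Pi-hole gives in its default NULL blocking mode.

```javascript
// Added example, not the poster's proxy.pac. Hosts and ports below are assumptions.
var SQUID = "PROXY proxy.example.lan:3128"; // hypothetical NethServer Squid address
var BLOCKED = "PROXY 127.0.0.1:9";          // dead local port: request fails on the client
var SINKHOLES = ["0.0.0.0"];                // Pi-hole default (NULL blocking) answer

// Convert dotted IPv4 to a number, or null if the string is not an IPv4 literal.
function ipToInt(ip) {
  var p = String(ip).split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || +p[i] > 255) return null;
    n = n * 256 + (+p[i]);
  }
  return n;
}

// True when ip lies inside base/bits.
function inCidr(ip, base, bits) {
  var a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

function isPrivate(ip) {
  return inCidr(ip, "10.0.0.0", 8) || inCidr(ip, "172.16.0.0", 12) ||
         inCidr(ip, "192.168.0.0", 16) || inCidr(ip, "127.0.0.0", 8);
}

// Routing decision; `resolve` is injected so the logic can be tested outside a browser.
function decide(host, resolve) {
  if (host.indexOf(".") === -1) return "DIRECT";    // plain intranet name
  var ip = ipToInt(host) !== null ? host : resolve(host);
  if (ip === null || ip === undefined) return BLOCKED;  // unresolvable via Pi-hole: fail closed
  if (SINKHOLES.indexOf(ip) !== -1) return BLOCKED; // Pi-hole sank this name
  if (isPrivate(ip)) return "DIRECT";               // green-network targets bypass Squid
  return SQUID;
}

// PAC entry point; dnsResolve is supplied by the browser's PAC environment.
function FindProxyForURL(url, host) {
  return decide(host, dnsResolve);
}
```

Without such a check, a client that sends a request through an explicit proxy leaves name resolution to Squid, so the Pi-hole answer is never consulted for that request.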