jakkuh_t

Pi-Hole Setup Tutorial

1 hour ago, Danny Rushton said:

I've never had any luck doing this on my isp provided router and am too cheap/broke to buy a new one.

It worked for me on my ISP provided router.

 

The catch was some ISPs won't let you set a network-wide DNS server, so I had to manually set my Pi as the DNS server in the systems on my network.


So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole, and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an ad the page gets a dummy web page from pi-hole, but obviously this is a man-in-the-middle (MitM) attack, which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Obviously, you need iptables installed, which for the docker image you'll find it isn't by default, but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.

 

So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.

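An added example, not part of azariah's post or the linked Pi-hole article: a check, run over `iptables-save` output, that the three REJECT rules above are present and are the first INPUT rule naming their protocol and port. The function name and both sample dumps are constructed for illustration, and the check assumes the `--dport` spelling that `iptables-save` writes.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit an iptables-save dump on stdin
# for the three fast-fail REJECT rules. Names are hypothetical; the sample
# dumps are constructed. Only the first INPUT rule per proto/port is checked.
audit_rules() {  # usage: audit_rules v4|v6 < rules-file
  case $1 in
    v4) unreach=icmp-port-unreachable ;;
    v6) unreach=icmp6-port-unreachable ;;
    *)  echo "usage: audit_rules v4|v6" >&2; return 2 ;;
  esac
  awk -v unreach="$unreach" '
    BEGIN { want["tcp/443"] = "tcp-reset"
            want["udp/80"] = unreach; want["udp/443"] = unreach }
    $1 == "-A" && $2 == "INPUT" {
      proto = port = target = how = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport" || $i == "--destination-port") port = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--reject-with") how = $(i + 1)
      }
      key = proto "/" port
      if (!(key in want) || (key in seen)) next   # first match wins, as in netfilter
      seen[key] = (target == "REJECT" && how == want[key]) ? "OK" : "MISMATCH " target
    }
    END {
      for (key in want) {
        state = (key in seen) ? seen[key] : "MISSING"
        if (state != "OK") bad = 1
        print key, state
      }
      exit bad + 0
    }'
}

SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
SAMPLE_BAD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
printf '%s\n' "$SAMPLE_OK"  | audit_rules v4 || echo "v4 rules need attention"
printf '%s\n' "$SAMPLE_BAD" | audit_rules v4 || echo "v4 rules need attention"
```

On a real host, feed it the persisted file, for example `audit_rules v4 < /etc/iptables/rules.v4`.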
10 hours ago, azariah said:

So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole, and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an ad the page gets a dummy web page from pi-hole, but obviously this is a man-in-the-middle (MitM) attack, which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 


iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Obviously, you need iptables installed, which for the docker image you'll find it isn't by default, but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.

 

So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.

Hmm, interesting. I'll try that since I do know certain video platforms that require you wait since the player is waiting for the ad domains to timeout.


LTT Discord | Floatplane

Current PC: 

i5-6600k@4.3Ghz OC

16GB DDR3-1600Mhz

Nvidea GTX 1050Ti

About 5GB or less left on C:, which is 250GB. Total storage around 2.5TB

2 monitors 1080p@60hz

 

On 8/19/2019 at 4:40 PM, TheFox720p said:

Just installed it and it works very well. Great tutorial for a linux noob like myself.

I got mine going as well. The dashboard shows it's blocking, but I haven't really noticed the blocking. I have it connected to the router via DNS changes and it's showing on the dashboard fine. Any good test website that it should be blocking?

 

On 8/16/2019 at 2:11 PM, jakkuh_t said:

 

Stage 3 - Setting Up Pi-Hole to Run on Your Devices / Whole Network

  1. To enable Pi-Hole on a device-by-device basis, you'll need to manually set the DNS IP address in your device settings. 
    1. For each of these, substitute the IP in the tutorial for the IP of your Raspberry Pi
      1. How to set DNS on an iPhone: https://lmg.gg/8KVmw
      2. How to set DNS on Android phones (your phone manufacturers skin may slightly vary): https://lmg.gg/8KVmh

the link for how to change on an android phone is for an old version of android

On 8/22/2019 at 8:39 AM, Flyfishermansam said:

the link for how to change on an android phone is for an old version of android

On all newer versions it's still the same steps. Even Android P, which I have myself.


On 8/19/2019 at 6:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here

So I am following your guide, but I am a total noob with the command line, and I am getting stuck at this part (Proceed to create a configuration file for cloudflared by copying the following in to /etc/default/cloudflared. This file contains the command-line options that get passed to cloudflared on startup.). I tried copying the commands under that and am getting a command not found error. Again, total noob, I'm sure I am missing something easy, but I can't figure it out. If anybody could help that would be amazing.


Never mind after googling some basic Linux commands I got it figured out, works great now, and I was totally missing some basic steps in the process.

13 minutes ago, TechnicalPyro said:

Really enjoyed the video

What channel was the video on? I can't seem to find a pi hole tutorial vid from LTT.


"A promise is a promise"

10 minutes ago, Velcade said:

What channel was the video on? I can't seem to find a pi hole tutorial vid from LTT.

from what i can tell will be on the LTT main channel FP early release is out


Thanks, I already tried doing this a while back, but I'm not very Linux savvy so it didn't work out and I quit.


My Rig

CPU - Ryzen 5 1600@3.8ghz          GPU - XFX XXX RX580 8g          Cooler - Arctic Freezer 33 eSports edition green          Motherboard - Gigabyte AB350 Gaming 3          Ram -  G.Skill 2x8 Ripjaws 5 2666                   Case - Pahntecs P400s TGE Modded with Green accents          PSU - Seasonic M1211 evo 620w          SSD - Samsung 960 evo 500 GB          HDD - Seagate Barracuda 7200rpm 2tb       

 Fans - 2 be quiet SilentWings 3         OS - Windows 10 Home 64-Bit         Cables - Cable Mod Green Cable Extension

 Peripherals

Mouse - Logitech G502          Keyboard - k95 Platinum Brown          Headset - Philips SHP9500s + Vmoda Boom Pro          Monitor - LG 29UM69GB

Webcam - USB webcam for Wii Fitness game xD


I've done this in the past and it worked great as far as blocking unwanted ads.

 

The reason why I no longer use it though is it seemed to severely bottleneck the connection speed of my devices.

5 minutes ago, steelo said:

I've done this in the past and it worked great as far as blocking unwanted ads.

 

The reason why I no longer use it though is it seemed to severely bottleneck the connection speed of my devices.

It only changes DNS lookup (where the address is), not download/throughput code/routing. So no. However, sometimes things may not work on it... but that's the same for any DNS (ISP or third party like Google/opendns etc).

24 minutes ago, TechyBen said:

It only changes DNS lookup (where the address is), not download/throughput code. So no. However, sometimes things may not work on it... but that's the same for any DNS (ISP or third party like Google/opendns etc).

I guess I'm a bit confused how it actually works. So traffic is first routed to the rpi, it processes and filters out the spam and routes it to the device? Doesn't it slow the data down simply because all data has to go through the rpi and it also takes time to process? I can wait an extra .05 seconds for a webpage to load, my main concern is that it is going to make online gaming painful.

20 minutes ago, steelo said:

I guess I'm a bit confused how it actually works. So traffic is first routed to the rpi, it processes and filters out the spam and routes it to the device? Doesn't it slow the data down simply because it has to take time to process? I can wait an extra .05 seconds for a webpage to load, my main concern is that it is going to make online gaming painful.

What's happening is the DNS requests are being directed to the Pi-Hole, not the actual traffic, that's another solution entirely that requires WAY more horsepower, and you're right in that if done through a RPi would nuke speeds and pings.

There's a couple ways to go about blocking ads like they mentioned in the video, per device or across an entire network if configured correctly. There are multiple ways to block ads at the network level, this is just the fastest and easiest way to do it with the least amount of resources. Online gaming should not be affected, any visible slowdowns in behavior on apps on a phone or on the PC are going to be related to the DNS interruption when trying to request for ads and the code handling this eventuality poorly (typically the culprit is poor advertising plugin coding). It wouldn't be any different than disconnecting the ethernet or wifi or flipping the device to airplane mode in this instance.

On 8/25/2019 at 2:45 AM, GameMaster2030 said:

On all newer versions it's still the same steps. Even Android P, which I have myself.

Oh, it must be a Samsung thing then, I had to do it a different way.


I considered doing this, but why not just change the DNS on your router to AdGuard DNS?

 

It also won't work outside the home on mobile unless you're rooted using AdAway.

On 8/16/2019 at 2:11 PM, jakkuh_t said:

removed for line spam - @jakkuh_t

I can't get my desktop to use Pi-Hole. I am using CloudFlare in the DNS settings of my Pi-Hole, and when I go to look at the network list, it says my device is "not using Pi-Hole". Does it matter that my Raspberry Pi is on a switch? It does see all of my devices, it's just controlling them to filter ads.


AMD Ryzen 7 2700 3.2Ghz Pinnacle Ridge | Asus ROG X470-F GAMING | Corsair Vengeances RGB 32GB 3000Mhz | EVGA Nvidia Geforce GTX 980 Ti | EVGA G2 SuperNova 750 Watt PSU

44 minutes ago, Cynagen said:

What's happening is the DNS requests are being directed to the Pi-Hole, not the actual traffic, that's another solution entirely that requires WAY more horsepower, and you're right in that if done through a RPi would nuke speeds and pings.

There's a couple ways to go about blocking ads like they mentioned in the video, per device or across an entire network if configured correctly. There are multiple ways to block ads at the network level, this is just the fastest and easiest way to do it with the least amount of resources. Online gaming should not be affected, any visible slowdowns in behavior on apps on a phone or on the PC are going to be related to the DNS interruption when trying to request for ads and the code handling this eventuality poorly (typically the culprit is poor advertising plugin coding). It wouldn't be any different than disconnecting the ethernet or wifi or flipping the device to airplane mode in this instance.

I am a bit confused too. So if you were to follow the DNS request without pi-hole, it would go from your computer to router to modem to external DNS server, then the inverse path with the IPv4 address. But with Pi-hole I am totally confused. And is the static IP for your whole personal network or just the pi-hole device? And if it is the whole network, couldn't that let hackers try and find a hole in your network?


LOOK AT MY NEW FLAG DESIGNS FOR PA AND VOTE ON YOUR FAVORITE

LOOK AT MY FIRST BATCH OF DESIGNS HERE

 

 

 

 

 

4690K @ 4.5GHz

GTX 970 FTW

MSI Z97 PC MATE

Define R5 windowed

Cooler Master Seidon 240m

EVGA SuperNOVA 650 G1

Kingston 120gb SSD

SanDisk 480Gb SSD

Seagate 1Tb Hard drive


LTT became lazy preparing slides with technical information. An IP that looks like 123.456.789.0? We laughed at it when the movie "Hackers" came out. I did not expect that kind of f-up from LTT. Come on, guys?


Main System: 2 x Intel Xeon Platinum 8268, 384GB DDR4 2933 ECC, 2 x NVidia 2080 Ti FE, 2 x Samsung Enterprise 3.2TB NVME PCIe Gen.3x8 SSD, custom water cooling.
