Pi-Hole Setup Tutorial

[WeeemRCB]

On 8/30/2019 at 12:41 AM, izzuken said:

Sorry for stupid question - is it possible to run this in a virtual machine under windows?

You could but it would only be active then windows is running and you'd probably have to manually start the VM.

 

Easier to spend the $15 or so to get everything together to have this as a 24/7 standalone solution for all your devices.

[WeeemRCB]

On 8/21/2019 at 7:12 AM, azariah said:

...some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. ....you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

 

I did the HTTPS DNS change with no problems and moved on to this task to make sure things stay as snappy as possible, but ran into an error when attempting the sample inputs:

iptables/1.8.2 Failed to initialize nft: Protocol not supported

 

In case anyone else has this problem, it looks like installing NFTables + a reboot fixes the problem

sudo apt-get install nftables

After a reboot I was able to add them adding "sudo" before each command

 

One thing I noted was the save function didn't work, but after looking at the man pages for iptables, iptables-save and iptables-apply, this seemed to work for me on Raspbian lite:

sudo iptables-save -f /etc/network/iptables.up.rules

[KeyboardKitten]

If anyone has Windscribe it has a built in DNS blocker (R.O.B.E.R.T), that blocks ads and anything else you want as long as you connect to the VPN, I have mine setup on my router, no ads on SpeedTest! If you're not great with Linux and are looking for a VPN it's a good choice!

[Nyanino]

On 8/28/2019 at 12:48 PM, steelo said:

I've done this in the past and it worked great as far as blocking unwanted ads.

 

The reason why I no longer use it though is it seemed to severely bottleneck the connection speed of my devices.

I was wondering about if there would be a speed issue. I had originally thought it would only slow down the ad requests, no the whole device though. Could you or anyone speak more towards this?

[FezBoy]

17 minutes ago, Nyanino said:

I was wondering about if there would be a speed issue. I had originally thought it would only slow down the ad requests, no the whole device though. Could you or anyone speak more towards this?

The only aspect of speed that it affects is the latency of DNS requests.  No actual traffic flows through it, it just makes it slower for your computer to find the data.  This difference is often negligible, and a pi-hole with a fast DNS server, like 1.1.1.1, will often times be faster than the DNS that your ISP provides.

[Nyanino]

1 minute ago, FezBoy said:

The only aspect of speed that it affects is the latency DNS requests.  No actual traffic flows through it, it just makes it slower for your computer to find the data.  This difference is often negligible, and a pi-hole with a fast DNS server, like 1.1.1.1, will often times be faster than the DNS that your ISP provides.

Fair enough. Looks like they also have a few remedies here for slow operation as well if you should come into contact with it.

[kosymodo]

On 8/30/2019 at 10:04 PM, deadpoolsITguy said:

I have done this with a Virgin media superhub 3 (im in the UK) and it works like a dream. I ended up disabling the Superhub DHCP and enabling it on the Pi Hole and this has made it much better as now the DNS is automatically applied to all devices and i dont have to look at that crappy webporal for the superhub anymore.

How did you manage this on the VM Superhub 3?  My understanding was that you couldn't change the DNS settings at router level?  Any advice would be great!

[guwapojoe]

i did the whole guide and running on the pi-hole console, but once i apply pi-hole as my DNS on the router i get no internet connect.

 

i have my cell connected directly to it through the DNS, no issues there. i still get ads.

[QuestionQuest117]

On 8/21/2019 at 2:12 AM, azariah said:

So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an add the page get's a dummy web page from pi-hole but obviously this an man in the middle (MitM) attack which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Obviously, you need iptables installed which for the docker image you'll find they aren't by default but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.

 

So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.

I tried this, but it just responds "iptables/1.8.2 Failed to initialize nft: Protocol not supported". Why is this? What do I need to do?

[GHOSTKILLERS24]

want to do this but wondering what effect it has on your download and upload speed?

[3VRMS]

12 hours ago, EEE said:

Installed and everything is working great, with the exception of accessing via web browser (Chrome and Firefox):

 

If I put in 192.168.7.7 I get site cannot be reached

If I put in https://192.168.7.7 I get site cannot be reached

If I put in http://192.168.7.7 I get 400 Bad Request

 

I don't get any ads, and I can access it via ssh so it seems to be working.

 

 

Try adding "/admin" to the back of it? As in:

 

https://192.168.7.7/admin

 

[Zander de beer]

Dose anyone know how to get YouTube to work on pihole

[dauellama]

Managed to set everything up on an old rasp pi, and seems to be working properly.  I am seeing traffic being blocked on pi hole, however, youtube ads are very hit and miss. Most channels I still get ads at the beginning of the video.  I would say this is a great tool, especially for banner and side bar ads, but like everything in life, its hit and miss.  Thanks team Linus!

[Point5]

Hi, am wondering whether a 2A power supply be enough for this setup. as the power supply that they recommend is quite expensive in my country, i am planning to use samsung's micro b which is far cheaper. thank you

[Srius1]

i got the wireless one and damn thing isn't working! i have the correct supplicant file but its not working. any ideas??

[TechyBen]

On 8/28/2019 at 7:56 PM, steelo said:

I guess I'm a bit confused how it actually works. So traffic is first routed to the rpi, it processes and filters out the spam and routes it to the device? Doesn't it slow the data down simply because all data has to go through the rpi and it also takes time to process? I can wait an extra .05 seconds for a webpage to load, my main concern is that it is going to make online gaming painful.

Not the traffic. Only the question "where is this website". For adds, the reply "they don't exist", for other stuff "go here". So the RiPi only takes requests and addresses, the PC still connects directly to the internet (A DNS can even be local, of a list of files/addresses on your HDD/SSD/in RAM, however, updating new websites would take a lot of time if not automated). A DNS is just a phone book... you still need to pick up the phone and make a phone call!

 

[2FA]

4 hours ago, Srius1 said:

i got the wireless one and damn thing isn't working! i have the correct supplicant file but its not working. any ideas??

What do you mean by supplicant file? Which step are you stuck at?

[BadBunny]

This is a really neat idea and was fun to do. I don't have a Raspberry Pi Zero yet (I have actually ordered one though) so tried it on a Orange Pi PC Plus that i had kicking around and got it working just fine.

[KnifeEdge2K1]

I managed to set this up thanks to this guide having had zero experience with Linux or Raspberry Pi before. 

My main question is can I do anything else with the Rasberry Pi Zero I got for PiHole or is it relegated to doing this one task ?

 

Ideally I also want to turn it into a torrent box so I don't need to keep my PC on all the time.

[Kpanga]

On 8/16/2019 at 6:11 PM, jakkuh_t said:

This is an accompanying guide for our recent video trying out Pi-Hole.

 

Note: Image links will be coloured like this: https://google.ca 

 

 

Parts List:

• Raspberry Pi (any model)
  • We will be using a Raspberry Pi Zero (https://lmg.gg/8KV3n) - $5
  • You can optionally install Pi-Hole in a docker container, or inside a VM, but we will be assuming you are using a Raspi for the rest of this tutorial.
• Micro SD Card (2gb+, but you should probably just buy a 16GB card because they're so cheap)
  • We'd recommend a cheap SanDisk card (https://lmg.gg/8KV3k)
• 2.5A Micro USB AC Power Supply
  • You can get these really cheap on eBay, but we aren't making any promises about quality. AdaFruit has a solid one: https://lmg.gg/8KVm8
• *Optional*: Micro USB to RJ45 Ethernet Adapter
  • This is in case the RasPi you are using doesn't have an ethernet port or WiFi (if you're using the Pi Zero, you will need one of these)
• *Optional*: Other stuff that you might need:
  • SD/uSD Card Reader (Unless your laptop, or you already has one)
  • Ethernet Cable (Unless you're using WiFi, you will need one of these)
  • Case for your Raspberry Pi Model (Nice to have to keep it protected, but cardboard also works)
  • Heat sinks for your Raspberry Pi (Nice to have to keep it cool, also helpful if you want to overclock your Pi)
  • A display connection for your Pi (Pi Zero's use Mini HDMI) (We will be doing a headless install, so this is not necessary)

 

Stage 1 - OS Install/Setup:

1. Before we can install Pi-Hole or anything else really, we have to setup our operating system of choice: Raspbian Buster Lite (stretch also works)
   1. Download and unzip the "Raspbian Buster Lite" image from the Raspbian website: https://www.raspberrypi.org/downloads/raspbian/
   2. Download and install balenaEtcher, our uSD card writer/burner of choice: https://www.balena.io/etcher/
   3. Plug in your uSD card
   4. Launch balenaEtcher, select the Raspbian Buster Lite image, your uSD card, and then click Flash. (https://xq.ms/lD5H3)
2. If you're doing a headless install like us (no monitor/keyboard required), you'll need to enable SSH before booting up the Raspberry Pi
   1. Replug your uSD card to allow Windows to recognize the new Raspbian partition layout
   2. You should have a lettered drive pop up marked as "boot" (https://xq.ms/HSnr3)
      1. If you don't, ensure your uSD is being detected in Disk Management (https://xq.ms/KeYFL)
      2. Then assign the partition a drive letter: https://lmg.gg/8KVm6
   3. Create a file inside the "boot" folder called "ssh" with no extension (https://xq.ms/sOiok)
      1. If you don't know how to make an extension-less file you can download it here: https://lmg.gg/8KVmb
3. Plug your uSD card into the Raspberry Pi followed by networking, and then power.
4. Since we're doing a headless install, we'll need to search for our raspberrypi's IP address so we can access it over SSH.
   1. If you know what you're doing, log in to your router's admin page and check the DHCP client/reservation list for "raspberrypi"
   2. If you don't know how to do the above, download Angry IP scanner and run it: https://lmg.gg/8KVmS
   3. Look for the hostname "raspberrypi", on that line the IP and MAC address of our Raspberry Pi will also be listed: 10.20.0.77 in our case (https://xq.ms/xmRO6)
5. Now that we've found our Raspberry Pi's IP address + MAC Address, we need to assign it an INTERNAL/LOCAL static IP address.
   1. This process is going to vary wildly based on which router/DHCP server you use, so we'd recommend Googling your router's model name/number (can be found on the back) + "how to set static IP" (ex: "Netgear R7000 how to set static ip").
   2. If you're willing and somewhat tech savvy, you might also be able to figure it out on your own.
      1. Start by navigating to your router's admin page. The IP for this is typically located on a sticker on the back of your ISP's provided router (along with the admin page's default username and password), but you can also find it by running the command "ipconfig" in command prompt on a Windows PC. Your router's IP will be listed after "default gateway" (https://xq.ms/Ss5r8)
      2. Log in to the admin page either with the Iogin credentials listed on the back of the router, or by googling the model number of the router along with "default password". Some routers use a randomly generated default password, so googling will not work for those.
      3. Once logged in, look for a tab labeled "DHCP Reservation", "Static IP Assignment", or something along those lines. (https://xq.ms/usUSm) You may have to go to the Advanced menu to access this. (https://xq.ms/Iiakq)
      4. Enter the MAC address we grabbed earlier with Angry IP scanner, and then enter/select your desired static IP address (make sure you're using something not taken by another device on your network). (https://xq.ms/093f5)
      5. Hit Apply (or whatever the equivalent is for your router) 
6. Re-plug the power connection for your Raspberry Pi, to allow it to restart and fetch it's newly assigned IP.
7. To access the Raspberry Pi over SSH we will need to download and connect to it with an SSH client
   1. Download, install and then launch the SSH client of your choice.
      1. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://xq.ms/o1MmW)
   2. Enter the newly assigned static IP address of your Raspberry Pi into PuTTY, and click "Open" (https://xq.ms/RenX0)
   3. After it prompts you with "login as:" enter "pi" (https://xq.ms/RaB85)
   4. Then for password, enter "raspberry". You should now be logged in over SSH.  (https://xq.ms/bOTSr)
8. Now that we're logged in over SSH, start by changing the default password, and updating the Raspberry Pi.
   1. To change the user password enter the command "passwd" and press enter.
      1. You'll then be prompted to enter the current password (this is "raspberry" so enter that)
      2. Then enter your desired new password
   2. To update the Raspberry Pi, run the command "sudo apt update" - this is going to update the package list to tell us if anything needs to be update. (https://xq.ms/arykN)
      1. Then, to actually upgrade the packages now that the package manager knows which ones need updating, run "sudo apt upgrade -y". (https://xq.ms/jglHA)
9. Our Raspberry Pi is now updated, set to a secure password and ready to install Pi-Hole onto!

 

Stage 2 - Pi-Hole Install/Setup (this is where the tutorial portion in the video starts)

1. With our RasPi's OS, internet, and SSH ready to go, we can now install Pi-Hole. 
   1. Copy the Pi-Hole install command from their website, paste it into the SSH client, and click Enter to run it: https://lmg.gg/8KVm9 (https://xq.ms/Nc2OU)
   2. The installer will spit out some status updates until you're brought to the configuration screen (https://xq.ms/n3CMi)
   3. Press Enter until you get to the "Choose An Interface" page. The default "eth0" interface for Ethernet users should be selected by default. Press Enter to continue.
      1. ("wlan0" should be selected if you're using WiFI - keep in mind WiFi installation is not supported in this tutorial, but if you have some decent Google-Fu you should be able to figure it out)
   4. On the next screen, select your upstream DNS provider. This is where requests will be forwarded if they're not blocked by Pi-Hole (ie. if they're not found in it's block/black lists). We will be using Google DNS, and if you don't know what this means, stick with that. Press Enter to continue.
   5. The following screen allows you to select which of the default block list's you'd like to use. We will leave these all on, but you can use your arrow keys and space bar to (de)select any of them as you wish. Press Enter to continue.
   6. Next up, it will ask you if which IP protocols you want to block ads over, leave this at the default unless you know what you're doing. Press Enter to continue.
   7. The next screen will list the IP address of the Raspberry Pi and the IP of your router, assuming you've set a static IP, just click Enter to continue.
      1. If you get a screen about an IP conflict, just ignore it and click Enter to continue.
   8. You'll then be asked about the web interface, web server, and logging modes. Leave these all at default by clicking Enter.
   9. After all that, Pi-Hole is going to do a bunch of stuff, and it might take a couple minutes so sit back until you're greeted with an "Installation Complete!" page. This will list the IP and password for the Pi-Hole web interface.
2. Copy the IP into your browser, and log with the listed password. Huzzah! You now have a functioning Pi-Hole installation  

 

Stage 3 - Setting Up Pi-Hole to Run on Your Devices / Whole Network

1. To enable Pi-Hole on a device-by-device basis, you'll need to manually set the DNS IP address in your device settings. 
   1. For each of these, substitute the IP in the tutorial for the IP of your Raspberry Pi
      1. How to set DNS on an iPhone: https://lmg.gg/8KVmw
      2. How to set DNS on Android phones (your phone manufacturers skin may slightly vary): https://lmg.gg/8KVmh
2. To enable Pi-Hole on a Router level, meaning it will work on all your devices automatically, you'll need to configure your router's DHCP server's default DNS settings.
   1. This process is going to vary wildly based on which router/DHCP server you use, so we'd recommend Googling your router's model name/number (can be found on the back) + "how to set DNS servers" (ex: "Netgear R7000 how to set DNS servers").

 

Stage 4 - Using Pi-Hole + Common Whitelisting

1. To enable some common whitelisted false-positives run the command listed here: https://github.com/anudeepND/whitelist
2. For some great info on the Pi-Hole web interface read the lower portion of this tutorial: https://www.smarthomebeginner.com/pi-hole-tutorial-whole-home-ad-blocking/#Configuring_Your_Router_8211_Whole_Home_Ad_Blocking 

How different is it to run Pi Hole in the Raspberry Pi zero w? As buying the Ethernet adapter would be the same as buying the W version. Does anyone know of a tutorial that uses that version?

[Teletha]

does any1 know what os i should be using to use this for a pine64?

[NystriX]

can it work at the same time with the 1.1.1.1 dns from that vid?

 

 

[AlexOak]

4 minutes ago, NystriX said:

can it work at the same time with the 1.1.1.1 dns from that vid?

 

 

When setting up pi-hole there is a cloudflare dns option when it tells you to select a dns. You can also change it in the settings tab.

Spoiler

 

[reblz28]

to anyone who wants to use a pi zero w for its wifi make sure you set the eql conversion to unix otherwise youll have issues

[ThisIsCheez]

I've been using a PiHole for a while and after this video/tutorial came out I've had many friends ask me this, seen is asked on the PiHole subreddit, and in this thread; Is a Pi Zero W not powerful enough and will using it on WiFI rather than dongled/hardwired impact network performance, speed, and latency?

 

Short answer, absolutely not.

 

Unless you're trying to have your entire city block send DNS queries to your PiHole you will be just fine with PiHole running on a Zero W with WiFi as long as you have a decent wireless router and you Pi is close to it. For the sake of testing I pointed my PCs DNS to my ISP, ran a SpeedTest pointed to the nearest test server to me, and my ping was 19. I pointed my DNS back to my PiHole and my ping/speed was identical.

 

Here's some tips to provide for the ones that want to sent their Zero W on WiFI and want to do it headless (no monitor, keyboard, mouse):

 

1. When creating your wpa_supplicant.conf on the boot drive DO NOT right click and create a new text document. This creates the conf in a format that Raspbian doesn't like for some reason. You'll want to open notepad, make a new txt document, enter the proper syntax/information, save as to the boot drive, and make sure to save it with UTF-8 encoding.
2. Zero W doesn't support 5GHz so make sure to point it towards your 2.4GHz band.
3. I had the hardest time getting it to connect to my network that uses WPA2 with AES. If you use AES encryption you can't use the basic ssid and psk entries, the below format worked for me:

country=US #change to your country code

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

update_config=1

network={
        ssid="MySSID" #enter your 2.4GHz SSID here
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=CCMP
        group=CCMP
        psk="mypassword" #enter your password here
}