Pi-Hole Setup Tutorial

jakkuh_t

Excellent tutorial, thank you! I now have a use for my Raspberry Pi 3! It works nice at router level!

Link to comment

Hmm

 

Pi hole doesn't seem to be working for some big YouTube ads. Anyone else having the same problem? 

Link to comment

On 8/19/2019 at 6:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here

 

Is there any way for me to confirm it's working after going through the guide?

Link to comment

On 8/31/2019 at 10:33 PM, kosymodo said:

How did you manage this on the VM Superhub 3?  My understanding was that you couldn't change the DNS settings at router level?  Any advice would be great!

I disabled DHCP on the Superhub 3 and enabled it on the PiHole; that is how I got this all working.

Link to comment

On 8/29/2019 at 4:15 AM, SuperCookie78 said:

I am a bit confused too. So if you were to follow the DNS request without pi-hole it would go from your computer to router to modem to external DNS server then the inverse path with the IPv4 address. But with Pi-hole I am totally confused. And is the static IP for your whole personal network or just the pi-hole device? And if it is the whole network couldn't that let hackers try and find a hole in your network?

All the pihole does is intercept requests before they go to external DNS only if the request is to an item that shows up on the blacklist. Imagine that you want to load up some site.

 

What actually happens is that your computer sends a runner to Google's DNS (or someone else's) who tells you that the address of pornhub is actually 234.86.52.108 (because pornhub.com isn't something a router understands) so now your computer knows to actually contact 234.86.52.108 to load all the assets to your browser. What pihole does is sit between your computer and Google's DNS and forwards the request to Google's DNS only if the URL didn't match with anything in the black list. Imagine your mom checking the message the runner is bringing to Google's DNS, she sees the request for pornhub, kills the runner and buries their body in the backyard and sends back the message (uh this site doesn't exist, sincerely Google, p.s don't check the ditch in the backyard and go do your homework)

 

The static IP v dynamic IP has zero impact to hacking.

 

 

Link to comment

Apparently YouTube ads are tricky with pihole since a lot of YouTube ads are hosted on the same places the videos are so it is increasingly harder and harder to blacklist them. I've had some success but some ads keep coming up.

Link to comment

6 hours ago, Ferkner said:

Is there any way for me to confirm it's working after going through the guide?

Run this command: 

dig @127.0.0.1 -p 5053 google.com


Link to comment

So I have the Pi-Hole software installed, however it's running on a Hyper-V VM instead (CentOS installation) and it works to the point where my PCs are able to get ads (mostly) taken out while they go through it as a DNS.

Here is my issue though, in the video I saw it was blocking YouTube ads left and right. I can get it to block ads on just about any page except YouTube and Hulu. I can see them going through the Pi-Hole and see the accessed site on the logs, but it doesn't block a single ad on YouTube (not even page banners).

I've added about 1.2 million blocked domain lists (scoured the internet for various lists), and still, nothing gets blocked in YouTube or Hulu.

Did they use a specific master list that works for YouTube?

Link to comment

can someone tell me what i am doing wrong? the internet stops responding if i add it as the DNS on the router.

 

thanks

 

Link to comment

I'm curious, would this solution work in my case? Basically I have a dd-wrt router hosting my wan/lan and openvpn server and client. The big thing is I finally have the dns set to where my traffic is properly routed through vpn using the provider's encrypted dns (non public). With that said, if there was a way to proxy ads between those and my devices I'd be golden, just leery about changing dns outside of my tunnel as then I get dns leaks out to my ISP, ouch.

Link to comment

I definitely this just ruined my day. I tried successively on 3 different uSD to burn the image using Balena Etcher. And each time, after an error message, the uSD is unusable, Windows saying "Please insert a disk in drive D:/", no way to get this uSD reformatted back to be usable.

I've been writing images on SD cards for years, and, I don't know, I'm screwed, or at the least I screwed 3 precious uSD cards.

Link to comment

Can anyone confirm if this Pi can be used for anything other than pihole simultaneously?

Link to comment

9 minutes ago, KnifeEdge2K1 said:

Can anyone confirm if this Pi can be used for anything other than pihole simultaneously?

You can, Pihole doesn't use much system resources. Keep in mind the limited resources of a Pi though so don't expect to run a lot of different things all at once.


Link to comment

On 8/19/2019 at 11:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here.

I hit a snag with this guide at the very end, Configuring Pi-hole- their example is a screenshot of the graphical configuration interface, however I have a headless install, so I don't really know what the command line procedure for that step is.

 

[edit] Ah, never mind this one, I didn't spot the Login on the admin page. :)

 

 

On 8/21/2019 at 7:12 AM, azariah said:

So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an ad the page gets a dummy web page from pi-hole but obviously this is a man in the middle (MitM) attack which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 


iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

...

 

I get the following error when I run those commands:

 

pi@raspberrypi:~ $ iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables v1.8.2 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.

 

Do I need to update my iptables package somehow?

 

[edit] Oh, seems this is for Pi-Hole pre-4.0. For the current versions: " As of v4.0, this should no longer be a problem unless you choose to deviate from the new default blocking mode and return to the IP-based mode. "

 

So, may not be necessary any longer?

Edited by LostFerret
Figured it out
Link to comment

Do we know whether or not the null/0.0.0.0/etc response that the Pi-hole gives to the client is openly accepted as the answer or if the request is simply dropped?

 

The reason I ask is because what I'll do is build a little 1U "server" with spare desktop parts and setup the home router as:

Primary DNS: Pi-hole

Secondary DNS: ISP/Google/Cloudflare/etc

 

What I don't know is if the application will jump to the secondary DNS if the Pi-hole gives a null response for the page component (the AD). Otherwise I'd be forced to only run with a Primary DNS and if the Pi-hole goes offline for any reason the whole home would effectively lose Internet.

 

Do we know what would happen in the circumstance? Or should I just test it to get my answer?

Link to comment
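
Added example, not part of the post above and not Pi-hole code: at the DNS protocol level, a blocked name answered with 0.0.0.0 is a complete reply (RCODE NOERROR plus an A record), which is a different case from a query that gets no reply at all. The Python below parses raw DNS replies and separates the two; the sample replies, the name `ads.example.com` and all helper names are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035

def build_query(name, qid=0x1234):
    """Minimal A-record query; used here only to construct sample replies."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def make_reply(query, rcode=0, addr=None):
    """Constructed sample reply: echoes the question, optionally adds one A record."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, plus RCODE
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if addr else 0, 0, 0)
    body = query[12:]
    if addr:
        rdata = bytes(int(p) for p in addr.split("."))
        # 0xC00C is a compression pointer back to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + rdata
    return header + body

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                # pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_reply(msg):
    """Return (rcode_name, [IPv4 addresses from A records]) for a raw reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def classify(reply):
    """reply is the raw reply bytes, or None when the query timed out."""
    if reply is None:
        return "no-answer"          # server down or packet dropped
    rcode, addrs = parse_reply(reply)
    if rcode == "NOERROR" and addrs and all(a == "0.0.0.0" for a in addrs):
        return "answered-null"      # blocked, but still a valid answer
    if rcode == "NXDOMAIN":
        return "answered-nxdomain"
    if rcode == "NOERROR":
        return "answered"
    return "error:" + rcode
```

Only the `no-answer` case is a missing reply from the resolver's point of view; how a particular client or router uses its secondary server beyond that is implementation-specific and is not shown by this example.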

Hello, I want to take the Raspberry Pi along when travelling and use it as a hotspot for my devices when an Ethernet plug is available, taking advantage of Pi-hole to get rid of ads, and have the Pi provide an internal DHCP server for the wireless interface alone.

Is there a good tutorial on this?

I want the Pi to get the Ethernet IP from the router's DHCP as usual

and then have the Pi have its own DHCP server for the wireless interface and attribute IPs to the wireless devices.

Not sure if I was clear.

Link to comment

I can't get past this part!

 

Plug your uSD card into the Raspberry Pi followed by networking, and then power.

 

I can't connect networking if that means plugging in the Ethernet, 'cause it's a wifi model!

Link to comment

On 8/19/2019 at 11:33 PM, Danny Rushton said:

I've never had any luck doing this on my isp provided router and am too cheap/broke to buy a new one.

You can still do it and just set your devices manually to the DNS IP. It will work just fine, just a little bit more hassle.

Link to comment

I think you should make a new video with a step-by-step guide so even a non-techy person can do this. It's a shame that you could not do this? This should be a proper tutorial without the skipping.......

Link to comment

On 8/19/2019 at 6:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here


Also if you want to use your DNS server away from home you can follow this official guide here. But setting it up to have a VPN and DNS server there are some changes that we need to do that don't follow the guide. 

  1. Under "installation", you can skip the install pi-hole part since you should already have installed pi-hole. (For more experienced linux users: the port of the openvpn server can be anything. But make sure the port isn't already in use or that your ISP blocks it when port forwarding. Can be handy to bypass port blocks by using port 433 or 80)
  2. Skip finding the IP under "Setup OpenVPN Server" and change `10.8.0.1` to the ip of your RPi(Raspberry Pi) which you already have if you followed Jake's guide.
  3. Before creating a user follow this:
    1. Run command: `openvpn --genkey --secret ta.key`
    2. Edit the config file and add this line: `tls-auth ta.key 0` 
      (This adds an encryption layer between the client and the server, so some extra security)
  4. You can probably skip "Firewall Configuration" since Raspbian doesn't have a firewall pre-installed and you also haven't installed any
  5. Follow these parts of "Optional: Dual operation: LAN & VPN at the same time"
    1. Add this line to your `/etc/openvpn/server/server.conf`: `push "route 192.168.2.0 255.255.255.0"` but change `192.168.2.0` to your subnet which you can find in your ip, for example if your ip is: `192.168.1.43` you replace `192.168.2.0` with `192.168.1.0` and with `192.167.8.28` you replace it with `192.167.8.0`. But if your IP is for example `10.8.0.7` you'll probably need to replace the whole line with `push "route 10.8.0.0 255.255.0.0"`.
    2. Run this command: `pihole -a -i all`
    3. After this port forward `1194` or the port you decided to use on your router, you can find guides online. 

Let me know if you find a mistake in this.

So, it doesn't seem to work. Running "cloudflared -v" from the first step gives an output of "Segmentation fault" and running dig yields the following:

pi@raspberrypi:~ $ dig @127.0.0.1 -p 5053 google.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

It also appears that the cloudflared service never finishes starting.
If you have any idea how to fix it, that would be great.

Link to comment

On 8/19/2019 at 11:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here


Also if you want to use your DNS server away from home you can follow this official guide here. But setting it up to have a VPN and DNS server there are some changes that we need to do that don't follow the guide. 

  1. Under "installation", you can skip the install pi-hole part since you should already have installed pi-hole. (For more experienced linux users: the port of the openvpn server can be anything. But make sure the port isn't already in use or that your ISP blocks it when port forwarding. Can be handy to bypass port blocks by using port 433 or 80)
  2. Skip finding the IP under "Setup OpenVPN Server" and change `10.8.0.1` to the ip of your RPi(Raspberry Pi) which you already have if you followed Jake's guide.
  3. Before creating a user follow this:
    1. Run command: `openvpn --genkey --secret ta.key`
    2. Edit the config file and add this line: `tls-auth ta.key 0` 
      (This adds an encryption layer between the client and the server, so some extra security)
  4. You can probably skip "Firewall Configuration" since Raspbian doesn't have a firewall pre-installed and you also haven't installed any
  5. Follow these parts of "Optional: Dual operation: LAN & VPN at the same time"
    1. Add this line to your `/etc/openvpn/server/server.conf`: `push "route 192.168.2.0 255.255.255.0"` but change `192.168.2.0` to your subnet which you can find in your ip, for example if your ip is: `192.168.1.43` you replace `192.168.2.0` with `192.168.1.0` and with `192.167.8.28` you replace it with `192.167.8.0`. But if your IP is for example `10.8.0.7` you'll probably need to replace the whole line with `push "route 10.8.0.0 255.255.0.0"`.
    2. Run this command: `pihole -a -i all`
    3. After this port forward `1194` or the port you decided to use on your router, you can find guides online. 

Let me know if you find a mistake in this.

Hi GameMaster2030, thanks for the information! This is useful but I think a BIG CAVEAT is that most people, including me, have an ISP who gives us a dynamic IP address. As far as I can tell this causes major problems and I cannot use this setup as is. Actually my ISP uses carrier grade NAT (CGN) which plays havoc on port forwarding. SO, there seems to be no way to access the openvpn server from outside my network. Which is a shame! I am looking into DynamicDNS to do this, but I think it is important to note that typical ISP practices may make this very difficult.

I feel this caveat should have been stated in your post to warn folks like me, as I ended up spending a couple of hours without success.

Link to comment

On 8/31/2019 at 3:22 AM, Kisai said:

That would just be adding more sites to the blacklist.

 

Keep in mind that this entire pi-hole solution is NOT a proxy or a firewall, it's a DNS relay. If you want to block access to adult sites you have to null-route the actual IP addresses they operate on. If they're behind a CDN however (eg cloudflare) that won't help you block it.

 

If you know certain people in your house/business have a penchant for visiting a certain site, log the DNS requests and then block them. Then they would have to manually set the DNS in their computer to access it, but you can also just block the IP addresses at your router that point to the landing pages of the sites, and that saves having to deal with the DNS at all.

 

Which is the problem with this pi-hole solution. This is a solution for blocking ads, not entire sites. Ads domains change frequently, and (presumably) the most effective way of blocking ads is by setting the ip address of the javascripts domains (or better yet the javascript frameworks like jquery) used by the ad networks, because these won't change frequently (because then the ads need to be recompiled.)

 

If you are looking for a solution to actually block sites, this is not the correct solution for people who know what DNS is. The correct solution has to sit between your internet router and your hardware connected to the router and behave as a firewall, and if you do that, you also cripple all latency-sensitive software behind the firewall. As an example, you have 5ms over fiber that travels 1000 miles, but with the firewall intercepting everything and relaying the packets, it ends up being 40ms.

Thanks for your feedback, very helpful! 

Link to comment

Which folder should the "pihole-FTL-arm-linux-gnueabihf" file go in? It could not be downloaded when I installed directly on my Raspberry Pi, so I went online with my phone and downloaded it. Where should it be installed?

Link to comment

I'd love to be trying pi-hole out but I can't get it installed and running.

 

1st off, I've NEVER used Linux or Raspberry Pi before so it's all new to me. While I can follow the excellent guide you have produced here, there is nothing covering install problems.

So far I've set up the pi, flashed buster lite, and updated it. Run through the setup for pi-hole and it starts installing. I get as far as installing the ftl engine and it fails with “Error: Unable to get latest release location from GitHub”

Having a poke round google has given some suggestions but everyone thinks I know how to drive a raspberrypi ! 

I need an answer that is as easy to follow as the original guide is.

I tried doing sudo nano /etc/resolv.conf changing to nameserver 8.8.8.8 save and exit, then pihole -r but that just gives -bash: pihole: command not found.

If I try to install again (curl -sSL https://install.pi-hole.net | bash) I get curl: (6) Could not resolve host: raw.githubusercontent.com
Only thing I can do is reflash the original image and start again, but then it fails at the same point. 

Can anyone help me get this installed and running?
