Pi-Hole Setup Tutorial

[jakkuh_t]

This is an accompanying guide for our recent video trying out Pi-Hole.

 

Note: Image links will be coloured like this: https://google.ca 

 

 

Parts List:

• Raspberry Pi (any model)
  • We will be using a Raspberry Pi Zero (https://lmg.gg/8KV3n) - $5
  • You can optionally install Pi-Hole in a docker container, or inside a VM, but we will be assuming you are using a Raspi for the rest of this tutorial.
• Micro SD Card (2gb+, but you should probably just buy a 16GB card because they're so cheap)
  • We'd recommend a cheap SanDisk card (https://lmg.gg/8KV3k)
• 2.5A Micro USB AC Power Supply
  • You can get these really cheap on eBay, but we aren't making any promises about quality. AdaFruit has a solid one: https://lmg.gg/8KVm8
• *Optional*: Micro USB to RJ45 Ethernet Adapter
  • This is in case the RasPi you are using doesn't have an ethernet port or WiFi (if you're using the Pi Zero, you will need one of these)
• *Optional*: Other stuff that you might need:
  • SD/uSD Card Reader (Unless your laptop, or you already has one)
  • Ethernet Cable (Unless you're using WiFi, you will need one of these)
  • Case for your Raspberry Pi Model (Nice to have to keep it protected, but cardboard also works)
  • Heat sinks for your Raspberry Pi (Nice to have to keep it cool, also helpful if you want to overclock your Pi)
  • A display connection for your Pi (Pi Zero's use Mini HDMI) (We will be doing a headless install, so this is not necessary)

 

Stage 1 - OS Install/Setup:

1. Before we can install Pi-Hole or anything else really, we have to setup our operating system of choice: Raspbian Buster Lite (stretch also works)
   1. Download and unzip the "Raspbian Buster Lite" image from the Raspbian website: https://www.raspberrypi.org/downloads/raspbian/
   2. Download and install balenaEtcher, our uSD card writer/burner of choice: https://www.balena.io/etcher/
   3. Plug in your uSD card
   4. Launch balenaEtcher, select the Raspbian Buster Lite image, your uSD card, and then click Flash. (https://i.imgur.com/GMSZj8Z.png)
2. If you're doing a headless install like us (no monitor/keyboard required), you'll need to enable SSH before booting up the Raspberry Pi
   1. Replug your uSD card to allow Windows to recognize the new Raspbian partition layout
   2. You should have a lettered drive pop up marked as "boot" (https://i.imgur.com/4ar0ih3.png)
      1. If you don't, ensure your uSD is being detected in Disk Management (https://i.imgur.com/ZPmyyz6.png)
      2. Then assign the partition a drive letter: https://lmg.gg/8KVm6
   3. Create a file inside the "boot" folder called "ssh" with no extension (https://i.imgur.com/KDyB4nc.png)
      1. If you don't know how to make an extension-less file you can download it here: https://lmg.gg/8KVmb
3. Plug your uSD card into the Raspberry Pi followed by networking, and then power.
4. Since we're doing a headless install, we'll need to search for our raspberrypi's IP address so we can access it over SSH.
   1. If you know what you're doing, log in to your router's admin page and check the DHCP client/reservation list for "raspberrypi"
   2. If you don't know how to do the above, download Angry IP scanner and run it: https://lmg.gg/8KVmS
   3. Look for the hostname "raspberrypi", on that line the IP and MAC address of our Raspberry Pi will also be listed: 10.20.0.77 in our case (https://i.imgur.com/lK2ce0R.png)
5. Now that we've found our Raspberry Pi's IP address + MAC Address, we need to assign it an INTERNAL/LOCAL static IP address.
   1. This process is going to vary wildly based on which router/DHCP server you use, so we'd recommend Googling your router's model name/number (can be found on the back) + "how to set static IP" (ex: "Netgear R7000 how to set static ip").
   2. If you're willing and somewhat tech savvy, you might also be able to figure it out on your own.
      1. Start by navigating to your router's admin page. The IP for this is typically located on a sticker on the back of your ISP's provided router (along with the admin page's default username and password), but you can also find it by running the command "ipconfig" in command prompt on a Windows PC. Your router's IP will be listed after "default gateway" (https://i.imgur.com/S2Ndc0w.png)
      2. Log in to the admin page either with the Iogin credentials listed on the back of the router, or by googling the model number of the router along with "default password". Some routers use a randomly generated default password, so googling will not work for those.
      3. Once logged in, look for a tab labeled "DHCP Reservation", "Static IP Assignment", or something along those lines. (https://i.imgur.com/FeMjd4V.png) You may have to go to the Advanced menu to access this. (https://i.imgur.com/6l4kIqH.png)
      4. Enter the MAC address we grabbed earlier with Angry IP scanner, and then enter/select your desired static IP address (make sure you're using something not taken by another device on your network). (https://i.imgur.com/znUTbKv.png)
      5. Hit Apply (or whatever the equivalent is for your router) 
6. Re-plug the power connection for your Raspberry Pi, to allow it to restart and fetch it's newly assigned IP.
7. To access the Raspberry Pi over SSH we will need to download and connect to it with an SSH client
   1. Download, install and then launch the SSH client of your choice.
      1. We will be using PuTTY because it's simple, but any SSH client will do: https://lmg.gg/8KVmQ (https://i.imgur.com/POLV3i4.png)
   2. Enter the newly assigned static IP address of your Raspberry Pi into PuTTY, and click "Open" (https://i.imgur.com/BegMcKC.png)
   3. After it prompts you with "login as:" enter "pi" (https://i.imgur.com/jfULCu5.png)
   4. Then for password, enter "raspberry". You should now be logged in over SSH.  (https://i.imgur.com/Q058Sbw.png)
8. Now that we're logged in over SSH, start by changing the default password, and updating the Raspberry Pi.
   1. To change the user password enter the command "passwd" and press enter.
      1. You'll then be prompted to enter the current password (this is "raspberry" so enter that)
      2. Then enter your desired new password
   2. To update the Raspberry Pi, run the command "sudo apt update" - this is going to update the package list to tell us if anything needs to be update. (https://i.imgur.com/ECpLG93.png)
      1. Then, to actually upgrade the packages now that the package manager knows which ones need updating, run "sudo apt upgrade -y". (https://i.imgur.com/EYfDhkC.png)
9. Our Raspberry Pi is now updated, set to a secure password and ready to install Pi-Hole onto!

 

Stage 2 - Pi-Hole Install/Setup (this is where the tutorial portion in the video starts)

1. With our RasPi's OS, internet, and SSH ready to go, we can now install Pi-Hole. 
   1. Copy the Pi-Hole install command from their website, paste it into the SSH client, and click Enter to run it: https://lmg.gg/8KVm9 (https://i.imgur.com/P20CP2I.png)
   2. The installer will spit out some status updates until you're brought to the configuration screen (https://i.imgur.com/t0DHzHo.png)
   3. Press Enter until you get to the "Choose An Interface" page. The default "eth0" interface for Ethernet users should be selected by default. Press Enter to continue.
      1. ("wlan0" should be selected if you're using WiFI - keep in mind WiFi installation is not supported in this tutorial, but if you have some decent Google-Fu you should be able to figure it out)
   4. On the next screen, select your upstream DNS provider. This is where requests will be forwarded if they're not blocked by Pi-Hole (ie. if they're not found in it's block/black lists). We will be using Google DNS, and if you don't know what this means, stick with that. Press Enter to continue.
   5. The following screen allows you to select which of the default block list's you'd like to use. We will leave these all on, but you can use your arrow keys and space bar to (de)select any of them as you wish. Press Enter to continue.
   6. Next up, it will ask you if which IP protocols you want to block ads over, leave this at the default unless you know what you're doing. Press Enter to continue.
   7. The next screen will list the IP address of the Raspberry Pi and the IP of your router, assuming you've set a static IP, just click Enter to continue.
      1. If you get a screen about an IP conflict, just ignore it and click Enter to continue.
   8. You'll then be asked about the web interface, web server, and logging modes. Leave these all at default by clicking Enter.
   9. After all that, Pi-Hole is going to do a bunch of stuff, and it might take a couple minutes so sit back until you're greeted with an "Installation Complete!" page. This will list the IP and password for the Pi-Hole web interface.
2. Copy the IP into your browser, and log with the listed password. Huzzah! You now have a functioning Pi-Hole installation  

 

Stage 3 - Setting Up Pi-Hole to Run on Your Devices / Whole Network

1. To enable Pi-Hole on a device-by-device basis, you'll need to manually set the DNS IP address in your device settings. 
   1. For each of these, substitute the IP in the tutorial for the IP of your Raspberry Pi
      1. How to set DNS on an iPhone: https://lmg.gg/8KVmw
      2. How to set DNS on Android phones (your phone manufacturers skin may slightly vary): https://lmg.gg/8KVmh
2. To enable Pi-Hole on a Router level, meaning it will work on all your devices automatically, you'll need to configure your router's DHCP server's default DNS settings.
   1. This process is going to vary wildly based on which router/DHCP server you use, so we'd recommend Googling your router's model name/number (can be found on the back) + "how to set DNS servers" (ex: "Netgear R7000 how to set DNS servers").

 

Stage 4 - Using Pi-Hole + Common Whitelisting

1. To enable some common whitelisted false-positives run the command listed here: https://github.com/anudeepND/whitelist
2. For some great info on the Pi-Hole web interface read the lower portion of this tutorial: https://www.smarthomebeginner.com/pi-hole-tutorial-whole-home-ad-blocking/#Configuring_Your_Router_8211_Whole_Home_Ad_Blocking 

[Danny Rushton]

I've never had any luck doing this on my isp provided router and am too cheap/broke to buy a new one.

[TheFox720p]

Just installed it and it works very well. Great tutorial for a linux noob like myself.

[GameMaster2030]

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here. 

Also if you want to use your DNS server away from home you can follow this official guide here. But setting it up to have a VPN and DNS server there are some changes that we need to do that don't follow the guide. 

1. Under "installation", you can skip the install pi-hole part since you should already have installed pi-hole. (For more experienced linux users: the port of the openvpn server can be anything. But make sure the port isn't already in use or that your ISP blocks it when port forwarding. Can be handy to bypass port blocks by using port 433 or 80)
2. Skip finding the IP under "Setup OpenVPN Server" and change `10.8.0.1` to the ip of your RPi(Raspberry Pi) which you already have if you followed Jake's guide.
3. Before creating an user follow this:
   1. Run command: `openvpn --genkey --secret ta.key`
   2. Edit the config file and add this line: `tls-auth ta.key 0` 
      (This adds an encryption layer between the client and the server, so some extra security)
4. You can probably skip "Firewall Configuration" since Raspbian doesn't have a firewall pre-installed and you also don't have installed any
5. Follow these parts of "Optional: Dual operation: LAN & VPN at the same time"
   1. Add this line to your `/etc/openvpn/server/server.conf`: `push "route 192.168.2.0 255.255.255.0"` but change `192.168.2.0` to your subnet which you can find in your ip, for example if your ip is: `192.168.1.43` you replace `192.168.2.0` with `192.168.1.0` and with `192.167.8.28` you replace it with `192.167.8.0`. But if your IP is for example `10.8.0.7` you'll probably need to replace the whole line with `push "route 10.8.0.0 255.255.0.0"`.
   2. Run this command: `pihole -a -i all`
   3. After this port forward `1194` or the port you decided to use on your router, you can find guides online. 

Let me know if you find a mistake in this.

[Crunchy Dragon]

1 hour ago, Danny Rushton said:

I've never had any luck doing this on my isp provided router and am too cheap/broke to buy a new one.

It worked for me on my ISP provided router.

 

The catch was some ISPs won't let you set a network-wide DNS server, so I had to manually set my Pi as the DNS server in the systems on my network.

[azariah]

So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an add the page get's a dummy web page from pi-hole but obviously this an man in the middle (MitM) attack which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Obviously, you need iptables installed which for the docker image you'll find they aren't by default but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.

 

So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.

[GameMaster2030]

10 hours ago, azariah said:

So something I've encountered whilst running pi-hole on and off over the last 12 months on a Raspberry Pi 3, then 3+, and now in a docker container in unRaid, is that some https enabled sites become interminably slow to load while using pi-hole and a lot of guides jump to a self-signed ssl cert for the pi-hole. The idea is that rather than getting an add the page get's a dummy web page from pi-hole but obviously this an man in the middle (MitM) attack which isn't ideal.

 

I recently found this solution which I've been utilising with my docker setup for a couple of weeks now and it's been great. Here's the link https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/ but in a nutshell, you just set a firewall rule on your pi-hole that blocks certain requests on port 80 and 443 using the following rules.

 

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

You'll also need to save the rules with the following commands.

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Obviously, you need iptables installed which for the docker image you'll find they aren't by default but the official docker image uses Debian so it's a trivial step to install it. Interestingly this does work to block Google's QUIC ad system which was designed to bypass this sort of adblocking solution.

 

So yeah, turns out you can't just send all dns queries to 0.0.0.0 (null) and they have to be redirected somewhere. And because they're redirected somewhere the browser will just sit there and wait for the connection to timeout. Thankfully the solution is simple, just not well documented unfortunately.

Hmm, interesting. I'll try that since I do know certain video platforms that require you wait since the player is waiting for the ad domains to timeout.

[Donozo]

On 8/19/2019 at 4:40 PM, TheFox720p said:

Just installed it and it works very well. Great tutorial for a linux noob like myself.

I got mine going as well, dashboard shows its blocking but, haven't really noticed the blocking. I have it connected to the router via dns changes it showing on dashboard fine any good test website that it should be blocking?

 

[Flyfishermansam]

On 8/16/2019 at 2:11 PM, jakkuh_t said:

 

Stage 3 - Setting Up Pi-Hole to Run on Your Devices / Whole Network

1. To enable Pi-Hole on a device-by-device basis, you'll need to manually set the DNS IP address in your device settings. 
   1. For each of these, substitute the IP in the tutorial for the IP of your Raspberry Pi
      1. How to set DNS on an iPhone: https://lmg.gg/8KVmw
      2. How to set DNS on Android phones (your phone manufacturers skin may slightly vary): https://lmg.gg/8KVmh

the link for how to change on an android phone is for an old version of android

[GameMaster2030]

On 8/22/2019 at 8:39 AM, Flyfishermansam said:

the link for how to change on an android phone is for an old version of android

On all newer versions it's still the same steps. Even Android P, which I have myself.

[FarvaSCW]

On 8/19/2019 at 6:47 PM, GameMaster2030 said:

For anyone who also cares about privacy I would recommend setting up DNS over HTTPS, that way all your requests are encrypted. You can find the official guide here. 

So I am flowing your guide but I am a total noob with command line, and I am getting stuck at this part (Proceed to create a configuration file for cloudflared by copying the following in to /etc/default/cloudflared. This file contains the command-line options that get passed to cloudflared on startup.), tried copying the commands under that getting a command not found error, again total noob I'm sure I am missing something easy, but can't figure it out if anybody could help that would be amazing.

[FarvaSCW]

Never mind after googling some basic Linux commands I got it figured out, works great now, and I was totally missing some basic steps in the process.

[TechnicalPyro]

Love this software been working with the project for almost three years. 

Really enjoyed the video was a very well done guide

[Velcade]

13 minutes ago, TechnicalPyro said:

Really enjoyed the video

What channel was the video on? I can't seem to find a pi hole tutorial vid from LTT.

[TechnicalPyro]

10 minutes ago, Velcade said:

What channel was the video on? I can't seem to find a pi hole tutorial vid from LTT.

from what i can tell will be on the LTT main channel FP early release is out

[Vandorlot]

Thanks I already tried doing this a while back but im very unlinux savy so it didn't work out and i quit.

[steelo]

I've done this in the past and it worked great as far as blocking unwanted ads.

 

The reason why I no longer use it though is it seemed to severely bottleneck the connection speed of my devices.

[TechyBen]

5 minutes ago, steelo said:

I've done this in the past and it worked great as far as blocking unwanted ads.

 

The reason why I no longer use it though is it seemed to severely bottleneck the connection speed of my devices.

It only changes DNS lookup (where the address is), not download/throughput code/routing. So no. However, sometimes things may not work on it... but that's the same for any DNS (ISP or third party like Google/opendns etc).

[steelo]

24 minutes ago, TechyBen said:

It only changes DNS lookup (where the address is), not download/throughput code. So no. However, sometimes things may not work on it... but that's the same for any DNS (ISP or third party like Google/opendns etc).

I guess I'm a bit confused how it actually works. So traffic is first routed to the rpi, it processes and filters out the spam and routes it to the device? Doesn't it slow the data down simply because all data has to go through the rpi and it also takes time to process? I can wait an extra .05 seconds for a webpage to load, my main concern is that it is going to make online gaming painful.

[Cynagen]

20 minutes ago, steelo said:

I guess I'm a bit confused how it actually works. So traffic is first routed to the rpi, it processes and filters out the spam and routes it to the device? Doesn't it slow the data down simply because it has to take time to process? I can wait an extra .05 seconds for a webpage to load, my main concern is that it is going to make online gaming painful.

What's happening is the DNS requests are being directed to the Pi-Hole, not the actual traffic, that's another solution entirely that requires WAY more horsepower, and you're right in that if done through a RPi would nuke speeds and pings.

There's a couple ways to go about blocking ads like they mentioned in the video, per device or across an entire network if configured correctly. There are multiple ways to block ads at the network level, this is just the fastest and easiest way to do it with the least amount of resources. Online gaming should not be affected, any visible slowdowns in behavior on apps on a phone or on the PC are going to be related to the DNS interruption when trying to request for ads and the code handling this eventuality poorly (typically the culprit is poor advertising plugin coding). It wouldn't be any different than disconnecting the ethernet or wifi or flipping the device to airplane mode in this instance.

[Flyfishermansam]

On 8/25/2019 at 2:45 AM, GameMaster2030 said:

On all newer versions it's still the same steps. Even Android P, which I have myself.

oh, it must be a samsung thing then, i had to do it a differant way

[SOCOM_HERO]

I considered doing this, but why not just change the DNS on your router to AdGuard DNS?

 

It also won't work outside the home on mobile unless you're rooted using AdAway.

[_Grid21]

On 8/16/2019 at 2:11 PM, jakkuh_t said:

removed for line spam - @jakkuh_t

I can't get my desktop to use Pi-Hole. I am using CloudFlare in my DNS settings of my Pi-Hole, and when I go to look at the network list, it says my device is not using Pi-Hole" Does it matter that my raspberry Pi is on a switch? It does see all of my devices, it's just controlling them to filter ads. 

[SuperCookie78]

44 minutes ago, Cynagen said:

What's happening is the DNS requests are being directed to the Pi-Hole, not the actual traffic, that's another solution entirely that requires WAY more horsepower, and you're right in that if done through a RPi would nuke speeds and pings.

There's a couple ways to go about blocking ads like they mentioned in the video, per device or across an entire network if configured correctly. There are multiple ways to block ads at the network level, this is just the fastest and easiest way to do it with the least amount of resources. Online gaming should not be affected, any visible slowdowns in behavior on apps on a phone or on the PC are going to be related to the DNS interruption when trying to request for ads and the code handling this eventuality poorly (typically the culprit is poor advertising plugin coding). It wouldn't be any different than disconnecting the ethernet or wifi or flipping the device to airplane mode in this instance.

i am bit confused too. So If you were to follow the DNS request without pi-hole it would go from you computer to router to modem to external DNS server then the inverse path with the IPv4 address. But with Pi-hole I am totally confused. and is the static ip for your whole personal network or just the pi-hole device? and if it is the whole network couldn't that let hackers try and find a hole in your netwrok?

[Kizune]

LTT became lazy preparing slides with technical information. IP that looks like 123.456.789.0 ? We laughed at it when movie "Hackers" came out. I was not expected that kind of f-ups from LTT. Come on guys?