Wilson Mar

Filter out annoying ads and malware sites on your home network using PiHole.


Overview

DNS: Public and local (PiHole)

When on a CLI (Command Line Interface) Terminal, an nslookup command to look up a host name goes, if your operating system is configured for it, to a Public DNS server. That server goes through a Recursive DNS workflow that begins with a query to get the address of the service handling the TLD (Top-level Domain) at the end of the host name, such as “.com”. That DNS server queries the TLD service, which references its Authoritative name servers, which return the IP address for the domain. The website for domain name owners to register domain names and associate IP addresses is maintained by Domain Name System registrars (such as GoDaddy).

When you give an IP address to an internet browser such as Google Chrome or Firefox, the request goes through your local router. Routers that use IPv4 send ARP (Address Resolution Protocol) requests and routers using IPv6 send NDP (Neighbor Discovery Protocol) requests, hopping through the public internet (Data Link layer) until the website at the IP address is reached. If it’s listening, you get sent its response.

In today’s hostile world, we are concerned whether websites we visit have become malicious. Public DNS servers are suspect because they are run by private interests, and they have been caught selling logs of your traffic history, even if they say they don’t. The Quad9 DNS service is run by Scotland Yard and other law enforcement. They maintain their own blocklists of domain names which they don’t serve to their users, so by configuring Quad9 as your local DNS you get some protection from known criminal websites. But many don’t think that is enough protection, because public blocklists collected by others contain millions of websites deemed malicious or serving annoying ads. It is recommended that you maintain your own private blocklist for parental control.

Here is how you do that.

An add-in such as uBlock (by Raymond Hill) can be installed on Firefox browsers to block ads based on its own private blocklist, but each browser and app needs its own add-in. So we want protection for all host name lookups from all apps. We need to get away from the typical default configuration, in which the local DNS setting points at a sketchy public DNS service. Instead of DHCP, we change the configuration to use a static IP address for the local server you set up, called Pi-hole, which filters traffic according to blocklists kept updated by the “gravity” utility. A private allowlist is also maintained.

Traffic that has not been filtered out is passed to a local DNS service called “unbound”, instead of the default sketchy public DNS services, to do the TLD and Authoritative lookups.

That service needs to be invoked automatically upon reboot, and be controlled by an automation CLI script that installs Python and other services, such as the DoH (DNS over HTTPS) protocol for better privacy by encrypting communications.

To use your custom private blocklists while traveling, install a self-hosted VPN.
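To make the gravity/allowlist flow above concrete, here is an added example (not code from the Pi-hole project): it parses hosts-format and domain-only adlists the way gravity does, applies a private allowlist and a regex blocklist, and decides per query whether to sinkhole the name to 0.0.0.0 or forward it to Unbound on 127.0.0.1#5335. The list contents, the regex pattern and the domain names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample adlists (not real Firebog lists): hosts format and domain-only format
SAMPLE_HOSTS_LIST = """\
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org.   # trailing dot and mixed case get normalised
127.0.0.1 localhost
0.0.0.0 cdn.example.com
"""
SAMPLE_DOMAIN_LIST = "telemetry.example.com\n# comment line\n\n"
ALLOWLIST = {"cdn.example.com"}                       # private allowlist beats every blocklist
REGEX_BLOCKLIST = [r"^(.+\.)?doubleclick\.example$"]  # hypothetical mmotti-style pattern
UNBOUND_UPSTREAM = "127.0.0.1#5335"                   # Pi-hole forwards unblocked queries here
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}  # hosts boilerplate

def normalise(name: str) -> str:
    return name.strip().rstrip(".").lower()

def parse_adlist(text: str) -> set:
    """Extract domains from hosts-format ("<sink ip> <domain>") or domain-only lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])            # leading sink address: hosts format
            parts = parts[1:]
        except ValueError:
            pass                                      # domain-only format
        for token in parts:
            name = normalise(token)
            if name and name not in LOCAL_NAMES:
                domains.add(name)
    return domains

def build_gravity(adlists, allowlist) -> set:
    """Union of all adlists minus the allowlist, as 'pihole -g' (gravity) produces."""
    gravity = set()
    for text in adlists:
        gravity |= parse_adlist(text)
    return gravity - {normalise(a) for a in allowlist}

def resolve(qname, gravity, allowlist, regexes):
    """Return (decision, answer): sinkholed to 0.0.0.0, or forwarded to Unbound."""
    name = normalise(qname)
    if name in allowlist:                             # allowlist also overrides regex hits
        return ("allowed", UNBOUND_UPSTREAM)
    if name in gravity or any(re.search(p, name) for p in regexes):
        return ("blocked", "0.0.0.0")
    return ("forwarded", UNBOUND_UPSTREAM)

GRAVITY = build_gravity([SAMPLE_HOSTS_LIST, SAMPLE_DOMAIN_LIST], ALLOWLIST)
```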

Blocks needed

Those with a connection to the public internet need to:

  • Block annoying ads
  • Block malicious websites
  • Block ports

See my notes on DNS

The Pi-Hole server provides a recursive DNS server called “UnBound”.

VIDEO: Unifi Ad Blocker.

Blocking ads makes for quicker browsing.

ECS (Extended Client Subnet) defines a mechanism for recursive resolvers to send partial client IP address information to authoritative DNS name servers. ECS may reduce privacy when it is used by CDNs (Content Delivery Networks) and latency-sensitive services to give geo-located responses to name lookups coming through public DNS resolvers. However, SNI headers also send such information.

Firewall Options

Large businesses install firewalls in their corporate networks such as from Palo Alto or Cisco.

Homes and small businesses use “consumer-grade” firewalls from brands such as Linksys, Netgear, or Draytek.

  • VIDEO: OPNSense

  • VIDEO: UniFi Dream Machine Pro (UDM-Pro) by Crosstalk Solutions

  • Firewalla is a consumer-grade firewall that is also a router. It comes assembled with software installed. Firewalla comes in Purple and Gold editions. The Gold edition adds Intrusion Detection.

If you have the time and geeky inclinations, the least-cost and most customizable option is to buy a Raspberry Pi micro computer and install and configure utility software Pi-Hole.

  • Technitium DNS Server

  • AdGuard uniquely can be scheduled for a specific block of time each day for parental blocking. AdGuard can use DNSSEC (DNS over HTTPS). AdGuard can also be configured with wildcard specifications. AdGuard can enable encryption using a certificate pulled from a CA every 3 months. VIDEO. But it assumes less advanced configurations than Pi-hole.

Which is better? PiHole vs AdGuard Home?

  • https://www.youtube.com/watch?v=c3XMAz--_Us by Hardwood
  • https://www.youtube.com/watch?v=nV5dKpGMGx4 by Tobi Teaches
  • https://www.youtube.com/watch?v=O15RD_gPz-s by Barmine

PiHole

Static IP on router

To make this work, you first need to get into your internet router to set a static (fixed) IP address instead of using one dynamically assigned by DHCP.

I gave a fixed private IP on my network where I’m redirecting all my DNS queries.


AdGuard on Raspberry Pi

with OpenWRT

Firebog List Generator

Portainer

PiHole on Raspberry Pi

https://www.wikiwand.com/en/Pi-hole

https://en.wikipedia.org/wiki/DNS_Sinkhole protects devices on a subnet from unwanted content, without installing any client-side software.

The Pi-hole® implements a DNS sinkhole: https://pi-hole.net/

Pi-hole optionally functions as a DHCP server, ensuring all your devices are protected automatically, over both IPv4 and IPv6.

  • https://crosstalksolutions.com/raspberry-pi-4-boot-with-usb
  • https://www.youtube.com/watch?v=xtMFcVx3cHU by TechHut
  • https://www.youtube.com/watch?v=roYduABVjo8 by CoreElectronics

Get Raspberry Pi hardware

If you are having difficulty getting a Raspberry Pi:

  • Clones of Raspberry Pi
  • RPilocator.com notifies you when one comes into stock.
  • VIDEO: https://www.crosstalksolutions.com/the-worlds-greatest-pi-hole-and-unbound-tutorial-2023/ has a

Alternately, you can run Pi-hole within a Docker container.

YouTube Videos:

by Crosstalk Solutions:

  • VIDEO: “Raspberry Pi 4 Getting Started” by Crosstalk Solutions
  • VIDEO: “World’s Greatest Pi-hole Tutorial - Easy Raspberry Pi Project!”

  • VIDEO: “How to Block Ads Using a Pi-Hole With A Raspberry Pi” by Micro Center
  • VIDEO: “The Ultimate Pi-Hole Installation Guide for 2025!” by Mackey Tech IT Solutions
  • VIDEO: “Pi-hole Setup on Raspberry Pi Zero W Step-by-Step Guide” by CyberMaxLab
  • VIDEO: “How to install Pi-hole and PiVPN on a Raspberry Pi Must Have for Home Lab” by Barmine Tech
  • VIDEO: “How to Install Pi-Hole on Raspberry Pi” by Vincent Humble
  • VIDEO: “Pi-hole Made EASY - A Complete Tutorial” by Tech Craft

Install PiHole on macOS

Per https://docs.pi-hole.net/main/basic-install/, the one-line installer is:

    curl -sSL https://install.pi-hole.net | bash

  1. See my articles:

    imager

  2. Navigate to a folder where you want the new repo downloaded.

  3. Deploy the software directly to a supported operating system via Pi-hole’s automated installer:

    git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
    cd "Pi-hole/automated install/"
    sudo bash basic-install.sh
    
  4. Type your laptop’s OS password requested by the sudo command. The Pi logo should appear.

      [✓] Root user check
    
        .;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 .. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.
    

    If instead you see the following, the installer found no supported (Linux) package manager; verify you have a working connection to the Pi and run the installer there:

    [i] SELinux not detected
    [✗] No supported package manager found
    
  5. Block ads everywhere, even on the go. By pairing your Pi-hole with a VPN, you can have ad blocking on your cellular devices, helping with limited bandwidth data plans.

    https://docs.pi-hole.net/guides/vpn/overview

    Set Pi-hole Admin Password

    Log into the Pi-hole

    Pi-hole Dashboard and Menus

    Add Pi-hole Block Lists

  6. Configure your router’s DHCP options to force clients to use Pi-hole as their DNS server, or manually configure each device to use the Pi-hole as their DNS server.

    https://docs.pi-hole.net/main/post-install

    More Pi-hole Menu Settings

    Pi-hole Settings

  7. Set a static IP address within your subnet for the Pi-hole (video at 8:58):

    sudo nano -w /etc/dhcpcd.conf
    

    Un-comment the lines under # Example static IP configuration and specify your subnet:

    interface eth0
    static ip_address=192.168.200.52/24
    static routers=192.168.200.1
    static domain_name_servers=192.168.200.1 1.1.1.1

    Then reboot:

    sudo reboot
  8. On the new IP address:

    Configure DNS server

    Some internet service providers (ISPs) return ads instead of 404.

    TODO: Don’t have to use Unbound.

    The list of supported DNS servers and their primary and secondary IP addresses (IPv4 and IPv6) is defined in the basic-install.sh script:

        DNS_SERVERS=$(
        cat <<EOM
        Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
        OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
        Level3;4.2.2.1;4.2.2.2;;
        Comodo;8.26.56.26;8.20.247.20;;
        Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
        Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
        Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
        Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
        EOM
        )

    Each row is the provider name (with its ECS and DNSSEC properties in parentheses), then the IPv4 primary and secondary and the IPv6 primary and secondary addresses, separated by semicolons; an empty field means no IPv6 address is listed.

    1.1.1.3 & 1.0.0.3 block phishing/malware/adult content.

    8.8.8.8 from Google was rated as the quickest, probably because it doesn’t block as comprehensively.

    Add blocklist from Firebog

  9. Into Pi-Hole’s Adlist Group Management, add URLs of sites that Firebog knows to be suspicious, advertising, tracking & telemetry, malicious, etc.

  10. Click “Update Gravity”.

    Temporarily Disable Pi-hole (video at 23:45)

  11. Read the hashed web admin password from the setup variables file:

    cat /etc/pihole/setupVars.conf | grep WEBPASSWORD
    
  12. Bookmark this URL on your browser or Stream Deck to temporarily disable Pi-hole for 300 seconds, substituting the hashed value of WEBPASSWORD for PWHASH:

    http://192.168.200.52/admin/api.php?disable=300&auth=PWHASH

    Because the API accepts the hash itself, treat the bookmark as you would the admin password.

    Configure other devices to use Pi-hole as DNS

  13. In Settings, Interface settings, uncheck default “Allow only local requests”.
  14. Check “Respond only on interface eth0”.

  15. Instead of changing each device (laptop) to use the Pi-hole as its DNS, set the router’s DHCP DNS 1 and DNS 2 to the Pi-hole’s address.

    Audit log

  16. Click the “Audit Log” menu item.

    Backup

  17. In Tools, click “Backup”.
  18. Copy the backed up file to a USB drive and/or cloud.
  19. If you’re running 2 Pi-Holes, install the backup onto the 2nd Pi-Hole. Sync using:

    https://github.com/vmstan/gravity-sync

    Install Unbound DNS route proxy

  20. Install Unbound service to make DNS queries anonymously:

    sudo apt install unbound -y
  21. Download the text

    ??? pi-hole.conf
  22. Edit the configuration file:

    sudo nano -w /etc/unbound/unbound.conf.d/pi-hole.conf
  23. Start Unbound service:

    sudo service unbound start
  24. View Unbound service status (active?):

    sudo service unbound status
  25. Test DNS lookup:

    dig crosstalksolutions.com @127.0.0.1 -p 5335
  26. (video at 30:36) Set up firewall rules to drop DNS queries that bypass Pi-hole by using a DNS server configured on individual devices.

    Test Pi-hole Ad Blocking

  27. Test Ad-Blocking
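The DNS_SERVERS table quoted under step 8 above is a small semicolon-separated format, and choosing an upstream by its ECS/DNSSEC properties is easier with a parser. This added example (not part of Pi-hole’s own code) parses rows copied from that table, filters providers by the flags in parentheses, and renders the PIHOLE_DNS_n= lines that Pi-hole v5 stores in setupVars.conf; the selection policy (require DNSSEC, exclude ECS) is an assumption for illustration.

```python
import re

# Rows copied from the DNS_SERVERS table on this page (basic-install.sh format):
# "<provider> (<flags>);<v4 primary>;<v4 secondary>;<v6 primary>;<v6 secondary>"
DNS_SERVERS = """\
Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
Level3;4.2.2.1;4.2.2.2;;
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
"""

NAME_RE = re.compile(r"^(?P<provider>[^(]+?)\s*(?:\((?P<flags>[^)]*)\))?$")

def parse_dns_servers(text):
    """Turn each semicolon-separated row into a dict; empty IPv6 fields become None."""
    servers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *addrs = line.split(";")
        if len(addrs) != 4:
            raise ValueError(f"malformed row: {line!r}")
        m = NAME_RE.match(name)
        flags = {f.strip() for f in (m.group("flags") or "").split(",") if f.strip()}
        servers.append({
            "name": name,
            "provider": m.group("provider").strip(),
            "flags": flags,                       # e.g. {"filtered", "DNSSEC"}
            "addresses": [a or None for a in addrs],
        })
    return servers

def choose_upstreams(servers, require=frozenset(), exclude=frozenset()):
    """Keep providers whose flags include all of `require` and none of `exclude`."""
    return [s for s in servers
            if set(require) <= s["flags"] and not (set(exclude) & s["flags"])]

def setup_vars_lines(server):
    """Render the PIHOLE_DNS_n= lines Pi-hole v5 writes into /etc/pihole/setupVars.conf."""
    addrs = [a for a in server["addresses"] if a]
    return [f"PIHOLE_DNS_{i}={a}" for i, a in enumerate(addrs, start=1)]

# Assumed policy for illustration: validated answers (DNSSEC) without client-subnet leakage (ECS)
PRIVACY_PICKS = choose_upstreams(parse_dns_servers(DNS_SERVERS),
                                 require={"DNSSEC"}, exclude={"ECS"})
```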

Docker

Install Docker using its convenience script:

    curl -sSL https://get.docker.com | sh

  1. Add user pi to docker group:

    sudo usermod -aG docker pi
    
  2. Setup portainer.io to manage Docker containers on default port 9000:

    sudo docker run --restart always -d -p 9000:9000 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data portainer/portainer-ce:linux-arm
    

NAS drive on Raspberry Pi

https://www.youtube.com/watch?v=gyMpI8csWis

Cron jobs

Update the Pi-hole

Run a cron (crontab) job once a week or month to apply updates (if one becomes available):

  1. Edit /etc/cron.d/pihole to add lines such as:

    30 2 * * 1   root    /usr/bin/curl -sSL https://raw.githubusercontent.com/mmotti/pihole-regex/master/install.py | /usr/bin/python3  >> /var/log/piholeupdate 2>&1

    30 2 * * 1   root    cd /usr/local/src/whitelist/scripts && git pull && ./whitelist.sh >> /var/log/piholeupdate 2>&1

    Both run at 02:30 every Monday: the first downloads and runs the mmotti regex installer, the second pulls and runs the whitelist script. Note that each fetches and executes code from a remote repository as root on every run, so pin to a commit you have reviewed if that concerns you.
    

    Do regular speedtests

  2. Every hour run a speed test. VIDEO: the openspeedtest.com server runs within a Docker image downloaded with:

    sudo docker run --restart=unless-stopped \
     --name=openspeedtest -d -p 80:8080 openspeedtest/latest

    Change the port to something other than 8080 if you prefer.

  3. Display the results with:

    https://github.com/Brandawg93/Pi-Hole-Monitoring

  4. Open in a browser at URL http://192.168.200.122

    Record results to a file.

    Instead of an SD card chip, get an SSD drive.

  5. View the analysis: are evenings more overloaded?


More

VIDEO: “Is adding 3 MILLION domains to your Pi-Hole Block List a good thing?” by Techno Tim

