How To Pi-Hole

Install

curl -sSL https://install.pi-hole.net | bash

Gravity Lists

• https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
• https://mirror1.malwaredomains.com/files/justdomains
• http://sysctl.org/cameleon/hosts
• https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
• https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
• https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
• https://hosts-file.net/ad_servers.txt
• https://smokingwheels.github.io/Pi-hole/allhosts
• http://someonewhocares.org/hosts/hosts
• https://www.malwaredomainlist.com/hostslist/hosts.txt
• https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt

Fix static IP assignment

• Edit the file /etc/network/interfaces
• Make sure you have lines that look something like:

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
	address 192.168.1.2
	netmask 255.255.255.0
	gateway 192.168.1.1

Fixing HTTPS Issues That Cause Slow-Loading Pages

Pi-hole is only handling the DNS queries and doesn’t know about the other protocols that are taking place. But we can use iptables to manage these protocols to prevent time-outs allowing Pi-hole to work it’s magic.

There are several iptables rulesets you can put in place to optimize your Pi-hole’s performance; to prevent your Pi-hole from timing out over HTTP/HTTPS requests on ports 80 and 443, resulting in a faster browsing experience.

iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable

ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable

These changes won’t be applied permanently unless you save them:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Enable the block page

• Edit the file /etc/pihole/pihole-FTL.conf
• Add the line:

BLOCKINGMODE=IP

More about blocking modes

Pi-hole FTLDNS supports two different methods for blocking queries. Both have their advantages and drawbacks. They are summarized on this page. The blocking mode can be configured in /etc/pihole/pihole-FTL.conf.

This setting can be updated by sending SIGHUP to pihole-FTL (sudo killall-SIGHUP pihole-FTL).

Pi-hole’s unspecified IP blocking (default)

/etc/pihole/pihole-FTL.conf setting:

BLOCKINGMODE=NULL

Blocked queries will be answered with the unspecified address

;; QUESTION SECTION:
;doubleclick.net.               IN      ANY

;; ANSWER SECTION:
doubleclick.net.        2       IN      A       0.0.0.0
doubleclick.net.        2       IN      AAAA    ::

Following RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, section 2.5.2, the address 0:0:0:0:0:0:0:0 (or :: for short) is the unspecified address. It must never be assigned to any node and indicates the absence of an address. Following [93]RFC1122, section 3.2, the address 0.0.0.0 can be understood as the IPv4 equivalent of ::.

Advantage

• The client does not even try to establish a connection for the requested website
• Speedup and less traffic
• Solves potential HTTPS timeouts as requests are never performed
• No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine)

Disadvantage

• Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI

Pi-hole’s IP (IPv6 NODATA) blocking

/etc/pihole/pihole-FTL.conf setting:

BLOCKINGMODE=IP-NODATA-AAAA

Blocked queries will be answered with the local IPv4 addresses of your Pi-hole (as configured in your setupVars.conf file). Blocked AAAA queries will answered with NODATA-IPV6 and clients will only try to reach your Pi-hole over its static IPv4 address

;; QUESTION SECTION:
;doubleclick.net.               IN      ANY

;; ANSWER SECTION:
doubleclick.net.        2       IN      A       192.168.2.11

Advantage

• Shows blocking page from which blocked domains can be whitelisted
• Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes

Disadvantage

• Requires a webserver to run on your Pi-hole
• May cause time-outs for HTTPS content even with properly configured firewall rules

Pi-hole’s full IP blocking

/etc/pihole/pihole-FTL.conf setting:

BLOCKINGMODE=IP

Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your setupVars.conf file)

;; QUESTION SECTION:
;doubleclick.net.               IN      ANY

;; ANSWER SECTION:
doubleclick.net.        2       IN      A       192.168.2.11
doubleclick.net.        2       IN      AAAA    fda2:2001:4756:0:ab27:beff:ef37:4242

Advantage

• Shows blocking page from which blocked domains can be whitelisted

Disadvantages

• Requires a webserver to run on your Pi-hole
• May cause time-outs for HTTPS content even with properly configured firewall rules
• May cause problems with alternating prefixes on IPv6 addresses (see IP-AAAA-NODATA)

Pi-hole’s NXDOMAIN blocking

/etc/pihole/pihole-FTL.conf setting:

BLOCKINGMODE=NXDOMAIN

Blocked queries will be answered with an empty response (no answer section) and status NXDOMAIN (no such domain)

;; QUESTION SECTION:
;doubleclick.net.               IN      ANY

Similar advantage to NULL blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to NULL blocking.

Command aliases

It might be useful to add these aliases to your ~/.bashrc file:

alias wl="pihole -w"
alias bl="pihole -b"
alias wild="pihole -b --wild"
alias ew="sudo vim /etc/pihole/whitelist.txt"
alias eb="sudo vim /etc/pihole/blacklist.txt"

Then, for example, if you want to whitelist example.com, you can just type

wl example.com