Install
curl -sSL https://install.pi-hole.net | bash
Gravity Lists
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://mirror1.malwaredomains.com/files/justdomains
- http://sysctl.org/cameleon/hosts
- https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
- https://hosts-file.net/ad_servers.txt
- https://smokingwheels.github.io/Pi-hole/allhosts
- http://someonewhocares.org/hosts/hosts
- https://www.malwaredomainlist.com/hostslist/hosts.txt
- https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
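The lists above come in two shapes: hosts files (an address column followed by one or more hostnames, as in StevenBlack/hosts or someonewhocares.org) and bare domain lists (one name per line, as in the "justdomains" file). Pi-hole's gravity merges both into one blocklist. The following normaliser is an added example written for this page, not Pi-hole's own gravity code; it shows the cleaning a defender should apply before trusting a third-party list: comments and the address column are dropped, localhost-style entries are skipped, names are lower-cased and deduplicated, and anything that is not a syntactically valid hostname is rejected so a malformed line cannot end up as a blocklist entry. The sample list contents are constructed, not taken from any real list.

```python
from __future__ import annotations
import ipaddress
import re

# RFC 1123 label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Names commonly present in hosts files that must never reach a blocklist.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}

def is_hostname(name: str) -> bool:
    """True if name looks like a DNS hostname with at least one dot and valid labels."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_list(text: str) -> set[str]:
    """Extract blocked domains from hosts-file or plain-domain list text."""
    domains: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and surrounding whitespace
        if not line:
            continue
        tokens = line.split()
        # hosts format: first token is an address, the rest are hostnames
        if _is_ip(tokens[0]):
            tokens = tokens[1:]
        for tok in tokens:
            name = tok.lower().rstrip(".")
            if name in _LOCAL_NAMES or not is_hostname(name):
                continue
            domains.add(name)
    return domains

def merge_lists(*texts: str) -> list[str]:
    """Union of all lists, sorted so the result is deterministic and deduplicated."""
    merged: set[str] = set()
    for text in texts:
        merged |= parse_list(text)
    return sorted(merged)

# Constructed sample inputs in both formats (not the contents of any real list).
HOSTS_SAMPLE = """\
# constructed hosts-format sample
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.test tracker.example.test  # trailing comment
0.0.0.0 bad_underscore.test
"""
DOMAINS_SAMPLE = """\
# constructed justdomains-format sample
Tracker.Example.Test
malware.example.test.
not a domain
"""

if __name__ == "__main__":
    for domain in merge_lists(HOSTS_SAMPLE, DOMAINS_SAMPLE):
        print(domain)
```

Running it prints the three valid names; the underscore entry, the duplicate (differing only in case and a trailing dot) and the localhost lines are all dropped.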
Fix static IP assignment
- Edit the file /etc/network/interfaces
- Make sure you have lines that look something like:
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
Fixing HTTPS Issues That Cause Slow-Loading Pages
Pi-hole only handles DNS queries and knows nothing about the other protocols in play. With iptables we can reject those connections outright, preventing time-outs and letting Pi-hole work its magic.
Several iptables rulesets can be put in place to optimize your Pi-hole's performance. The ones below stop HTTP/HTTPS requests on ports 80 and 443 from hanging until they time out, which results in a faster browsing experience.
iptables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp-port-unreachable
ip6tables -A INPUT -p tcp --destination-port 443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p udp --destination-port 80 -j REJECT --reject-with icmp6-port-unreachable
ip6tables -A INPUT -p udp --destination-port 443 -j REJECT --reject-with icmp6-port-unreachable
These changes won’t be applied permanently unless you save them:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
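The six rules above are appended with `-A`, so running them a second time (after a reboot script, or by hand) adds duplicate rules, and because they sit in the INPUT chain they also reject every other HTTPS service on the Pi-hole host, not just blocked-domain traffic. The script below is an added example, not Pi-hole's own code: it builds the same rules from a table so the IPv4 and IPv6 variants cannot drift apart, checks each one with `iptables -C` before appending, and persists them with the same `iptables-save` commands shown above. When not run as root, or where iptables is not installed, it only prints the commands it would run.

```python
from __future__ import annotations
import os
import shutil
import subprocess

PORTS = (80, 443)

def reject_rules(family: int) -> list[list[str]]:
    """Rule specs (tool, chain, match...) for one address family (4 or 6)."""
    tool = "iptables" if family == 4 else "ip6tables"
    unreachable = "icmp-port-unreachable" if family == 4 else "icmp6-port-unreachable"
    rules = []
    # TCP 443: reset the handshake immediately instead of letting the client wait.
    # TCP 80 is deliberately left alone so the web server can serve the block page.
    rules.append([tool, "INPUT", "-p", "tcp", "--destination-port", "443",
                  "-j", "REJECT", "--reject-with", "tcp-reset"])
    # UDP 80/443 (e.g. QUIC): answer with port-unreachable for the right family.
    for port in PORTS:
        rules.append([tool, "INPUT", "-p", "udp", "--destination-port", str(port),
                      "-j", "REJECT", "--reject-with", unreachable])
    return rules

def plan(rule: list[str], present: bool) -> list[str] | None:
    """Command to run for one rule: append with -A if absent, nothing if present."""
    tool, chain, *spec = rule
    return None if present else [tool, "-A", chain, *spec]

def rule_present(rule: list[str]) -> bool:
    """Use the -C (check) command, which exits 0 only if an identical rule exists."""
    tool, chain, *spec = rule
    result = subprocess.run([tool, "-C", chain, *spec],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def apply_all(dry_run: bool = True) -> list[list[str]]:
    """Apply the missing rules (or just list them with dry_run) and return the commands."""
    commands = []
    for family in (4, 6):
        for rule in reject_rules(family):
            present = False if dry_run else rule_present(rule)
            cmd = plan(rule, present)
            if cmd:
                commands.append(cmd)
                if not dry_run:
                    subprocess.run(cmd, check=True)
    return commands

def persist() -> None:
    """Save both rule sets, as in the iptables-save commands in the text."""
    with open("/etc/iptables/rules.v4", "w") as f:
        subprocess.run(["iptables-save"], stdout=f, check=True)
    with open("/etc/iptables/rules.v6", "w") as f:
        subprocess.run(["ip6tables-save"], stdout=f, check=True)

if __name__ == "__main__":
    live = os.geteuid() == 0 and shutil.which("iptables") is not None
    for cmd in apply_all(dry_run=not live):
        print(" ".join(cmd))
    if live:
        persist()
```

The `rules.v4`/`rules.v6` paths assume the `iptables-persistent` layout the text uses; adjust `persist()` if your distribution restores rules from elsewhere.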
Enable the block page
- Edit the file /etc/pihole/pihole-FTL.conf
- Add the line:
BLOCKINGMODE=IP
More about blocking modes
Pi-hole FTLDNS supports two different methods for blocking queries. Both have their advantages and drawbacks. They are summarized on this page. The blocking mode can be configured in /etc/pihole/pihole-FTL.conf.
This setting can be updated by sending SIGHUP to pihole-FTL (sudo killall -SIGHUP pihole-FTL).
Pi-hole’s unspecified IP blocking (default)
/etc/pihole/pihole-FTL.conf setting:
BLOCKINGMODE=NULL
Blocked queries will be answered with the unspecified address
;; QUESTION SECTION:
;doubleclick.net. IN ANY
;; ANSWER SECTION:
doubleclick.net. 2 IN A 0.0.0.0
doubleclick.net. 2 IN AAAA ::
Following RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture, section 2.5.2, the address 0:0:0:0:0:0:0:0 (or :: for short) is the unspecified address. It must never be assigned to any node and indicates the absence of an address. Following RFC 1122, section 3.2, the address 0.0.0.0 can be understood as the IPv4 equivalent of ::.
Advantage
- The client does not even try to establish a connection for the requested website
- Speedup and less traffic
- Solves potential HTTPS timeouts as requests are never performed
- No need to run a webserver on your Pi-hole (reduces complexity when running other web services on the same machine)
Disadvantage
- Blocking page cannot be shown and whitelisting has to be performed from the dashboard or CLI
Pi-hole’s IP (IPv6 NODATA) blocking
/etc/pihole/pihole-FTL.conf setting:
BLOCKINGMODE=IP-NODATA-AAAA
Blocked queries will be answered with the local IPv4 address of your Pi-hole (as configured in your setupVars.conf file). Blocked AAAA queries will be answered with NODATA-IPV6, so clients will only try to reach your Pi-hole over its static IPv4 address.
;; QUESTION SECTION:
;doubleclick.net. IN ANY
;; ANSWER SECTION:
doubleclick.net. 2 IN A 192.168.2.11
Advantage
- Shows blocking page from which blocked domains can be whitelisted
- Serves IPv4-only replies and hence mitigates issues with rotating IPv6 prefixes
Disadvantage
- Requires a webserver to run on your Pi-hole
- May cause time-outs for HTTPS content even with properly configured firewall rules
Pi-hole’s full IP blocking
/etc/pihole/pihole-FTL.conf setting:
BLOCKINGMODE=IP
Blocked queries will be answered with the local IP addresses of your Pi-hole (as configured in your setupVars.conf file)
;; QUESTION SECTION:
;doubleclick.net. IN ANY
;; ANSWER SECTION:
doubleclick.net. 2 IN A 192.168.2.11
doubleclick.net. 2 IN AAAA fda2:2001:4756:0:ab27:beff:ef37:4242
Advantage
- Shows blocking page from which blocked domains can be whitelisted
Disadvantages
- Requires a webserver to run on your Pi-hole
- May cause time-outs for HTTPS content even with properly configured firewall rules
- May cause problems with alternating prefixes on IPv6 addresses (see IP-NODATA-AAAA)
Pi-hole’s NXDOMAIN blocking
/etc/pihole/pihole-FTL.conf setting:
BLOCKINGMODE=NXDOMAIN
Blocked queries will be answered with an empty response (no answer section) and status NXDOMAIN (no such domain)
;; QUESTION SECTION:
;doubleclick.net. IN ANY
Similar advantage to NULL blocking, but experiments suggest that clients may try to resolve blocked domains more often compared to NULL blocking.
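After changing BLOCKINGMODE and sending SIGHUP, it is worth confirming which mode the resolver is actually answering with, because the four modes differ only in the shape of the reply: 0.0.0.0 and :: for NULL, the Pi-hole's own IPv4 and IPv6 addresses for IP, IPv4 only with no AAAA answer for IP-NODATA-AAAA, and an empty answer section with status NXDOMAIN. The checker below is an added example, not part of Pi-hole: it parses a `dig` transcript for a domain that should be blocked and maps the answer back to the mode that produced it. The transcripts are constructed from the reply shapes shown above (header lines added, since the excerpts omit them) and use the 192.168.2.11 and fda2:… addresses from the text as the Pi-hole's addresses; 203.0.113.10 is a documentation address standing in for an unblocked answer.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class DigReply:
    status: str
    a: list[str] = field(default_factory=list)
    aaaa: list[str] = field(default_factory=list)

_STATUS = re.compile(r"status:\s*([A-Z]+)")
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")

def parse_dig(text: str) -> DigReply:
    """Pull the status and the A/AAAA records of the ANSWER SECTION out of dig output."""
    reply = DigReply("UNKNOWN")
    in_answer = False
    for line in text.splitlines():
        line = line.strip()
        m = _STATUS.search(line)
        if m:
            reply.status = m.group(1)
        if line.startswith(";;"):               # section marker or header line
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if in_answer:
            rr = _RR.match(line)
            if rr:
                (reply.a if rr.group(2) == "A" else reply.aaaa).append(rr.group(3))
    return reply

def classify(reply: DigReply, pihole_v4: str, pihole_v6: str | None = None) -> str:
    """Map a reply for a blocked domain to the blocking mode that produced it."""
    if reply.status == "NXDOMAIN" and not reply.a and not reply.aaaa:
        return "NXDOMAIN"
    if reply.status != "NOERROR":
        return "NOT_BLOCKED"
    # NULL: unspecified addresses (an A-only query legitimately has no AAAA answer)
    if reply.a == ["0.0.0.0"] and reply.aaaa in (["::"], []):
        return "NULL"
    if reply.a == [pihole_v4]:
        if not reply.aaaa:
            return "IP-NODATA-AAAA"
        if pihole_v6 and reply.aaaa == [pihole_v6]:
            return "IP"
    return "NOT_BLOCKED"

PIHOLE_V4 = "192.168.2.11"                              # addresses from the text above
PIHOLE_V6 = "fda2:2001:4756:0:ab27:beff:ef37:4242"

def _dig(status: str, answers: str = "") -> str:
    """Build a constructed dig transcript with the given status and answer lines."""
    text = (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            ";; QUESTION SECTION:\n;doubleclick.net. IN ANY\n")
    if answers:
        text += ";; ANSWER SECTION:\n" + answers
    return text

# Constructed transcripts, one per mode, plus an unblocked reply (203.0.113.10 is TEST-NET-3).
SAMPLES = {
    "NULL": _dig("NOERROR", "doubleclick.net. 2 IN A 0.0.0.0\ndoubleclick.net. 2 IN AAAA ::\n"),
    "IP-NODATA-AAAA": _dig("NOERROR", f"doubleclick.net. 2 IN A {PIHOLE_V4}\n"),
    "IP": _dig("NOERROR", f"doubleclick.net. 2 IN A {PIHOLE_V4}\n"
                          f"doubleclick.net. 2 IN AAAA {PIHOLE_V6}\n"),
    "NXDOMAIN": _dig("NXDOMAIN"),
    "NOT_BLOCKED": _dig("NOERROR", "doubleclick.net. 300 IN A 203.0.113.10\n"),
}

def check_all(pihole_v4: str = PIHOLE_V4, pihole_v6: str = PIHOLE_V6) -> dict[str, str]:
    """Classify every sample; keys are the expected mode, values the detected one."""
    return {expected: classify(parse_dig(text), pihole_v4, pihole_v6)
            for expected, text in SAMPLES.items()}

if __name__ == "__main__":
    for expected, got in check_all().items():
        print(f"{expected:15} -> {got}")
```

To use it against a live Pi-hole, feed `classify(parse_dig(...))` the output of `dig @<pihole-ip> doubleclick.net ANY` together with the addresses from your setupVars.conf; a result of NOT_BLOCKED for a domain that is on a gravity list means the client is not actually using this Pi-hole as its resolver or the domain has been whitelisted.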
Command aliases
It might be useful to add these aliases to your ~/.bashrc file:
alias wl="pihole -w"
alias bl="pihole -b"
alias wild="pihole -b --wild"
alias ew="sudo vim /etc/pihole/whitelist.txt"
alias eb="sudo vim /etc/pihole/blacklist.txt"
Then, for example, if you want to whitelist example.com, you can just type
wl example.com