(Guide) Network Ad Blocker aka PiHole

arunmcops

Disciple
Since I have been using a Raspberry Pi to turn my USB MFD Inktank 310 Series into a network printer and network scanner with the help of these guides here and here, the same Pi can also be used to set up a network-wide ad blocker.
This guide is about setting up Pi-hole on a home network.
Log in to your Raspberry Pi and run this command in a terminal (it pipes a script fetched from the internet straight into a shell; if you would rather not do that, download the script first, read it, and then run it with bash):
Code:
curl -sSL https://install.pi-hole.net | bash
1. The Pi-hole installer should begin. Navigate the text dialogs with the arrow keys, Tab, Space and Enter. If you get stuck at any point, pick the default.

2. Pi-hole needs a static IP address to function properly, so assign one. If your device has more than one network interface you will be prompted to pick one. We are using the wired interface, which will be named eth0 or enx.... Ethernet is recommended here for reliability.

3. Next, you will be asked to pick an upstream DNS provider. This is the resolver Pi-hole forwards the queries it does not block to.

4. Enable the third-party blocklists.

5. Leave the protocols at their defaults.

6. Confirm the static IP configuration.
7. Confirm that the web interface should be installed.

8. Finally, you will be presented with a screen saying that the installation is complete. Note down the password displayed on this screen: it is the password for the web dashboard. It can be changed at any time with pihole -a -p.

Configuring network-wide ad-blocker settings:

Now that Pi-hole is running on the Raspberry Pi, let's enable it for the entire home network.


Step 1
Log in to your router with the username and password provided by the router manufacturer.
The router's address is usually 192.168.1.1, but it varies; check the router documentation to find it.

Step 2
Locate the DHCP server configuration page and enter the IP address of the Raspberry Pi as the primary DNS server.

Step 3
Leave the secondary DNS server empty. Entering 1.1.1.1 (Cloudflare) or any other public resolver there hands every client a second resolver it may use at any time, so part of its queries never reach Pi-hole and those ads get through. The Pi-hole guides recommend Pi-hole as the only DNS server; if you want redundancy, run a second Pi-hole rather than a public resolver.
Step 4
Apply your changes.

Pi-hole Dashboard


Now Pi-hole is serving your entire network!
Let's move on to viewing the network statistics in the browser.
Step 1
Open your favourite browser and enter the IP address of the Raspberry Pi followed by /admin in the address bar (http://<pi-ip>/admin).

Step 2
Enter the password generated by the Pi-hole setup and log in.
Step 3
Now you can see which queries are being blocked, along with the other features of the dashboard. You can also blacklist or whitelist domains to control what is allowed through your network.

Any suggestion in the guide are welcome. If someone can suggest any other uses of raspberry Pi, I would like to implement it in my Home Network and post a guide accordingly.
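The router change in the previous section is easy to get subtly wrong (a leftover secondary resolver, a client with a hard-coded DNS), and the dashboard only shows queries that actually reached Pi-hole. The script below is an added example, not part of the original post and not a Pi-hole tool: run on a client, it checks that the Pi-hole is the only resolver the client was handed and that a blocklisted name really comes back as 0.0.0.0 (Pi-hole's default blocking mode) via the Pi-hole but resolves normally via 1.1.1.1, which is exactly what a secondary resolver would leak. PIHOLE_IP, the test domain and the embedded sample dig replies are constructed for illustration; it needs dig (package dnsutils).

```shell
#!/bin/sh
# pihole-client-check.sh -- added example; not from the original guide or Pi-hole.
# Run on a client after changing the router's DHCP DNS setting.
# Assumptions (change to your values): the Pi-hole address and a domain that is
# on your blocklist (pick one from the dashboard's Query Log).
PIHOLE_IP="${PIHOLE_IP:-192.168.1.50}"
BLOCKED_DOMAIN="${BLOCKED_DOMAIN:-ads.example.net}"

# resolvers_only_pihole PIHOLE_IP  < resolv.conf
# Prints every nameserver that is not the Pi-hole; exit 0 only if the Pi-hole
# is present and is the only resolver. Any other entry is a blocklist bypass.
resolvers_only_pihole() {
    awk -v ph="$1" '
        $1 == "nameserver" { total++; if ($2 != ph) { bad++; print "bypass resolver: " $2 } }
        END { exit (total > 0 && bad == 0) ? 0 : 1 }'
}

# dig_status  < dig-output  -> RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...)
dig_status() { sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1; }

# dig_a_records  < dig-output  -> one address per line from the ANSWER SECTION
dig_a_records() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^$/         { in_ans = 0 }
         in_ans && $4 == "A"   { print $5 }'
}

# classify_answer  < dig-output -> blocked | resolved | nxdomain | servfail | noanswer | other
# "blocked" means NOERROR whose only A record(s) are 0.0.0.0, Pi-hole's default reply.
classify_answer() {
    out=$(cat)
    case "$(printf '%s\n' "$out" | dig_status)" in
        NOERROR)  ;;
        NXDOMAIN) echo nxdomain; return ;;
        SERVFAIL) echo servfail; return ;;
        *)        echo other;    return ;;
    esac
    ips=$(printf '%s\n' "$out" | dig_a_records)
    if [ -z "$ips" ]; then
        echo noanswer
    elif [ -z "$(printf '%s\n' "$ips" | grep -v '^0\.0\.0\.0$')" ]; then
        echo blocked
    else
        echo resolved
    fi
}

# check_domain DOMAIN SERVER [PORT]  -> classification of a live query
check_domain() {
    dig +time=3 +tries=1 "$1" A "@$2" -p "${3:-53}" | classify_answer
}

# Constructed, trimmed dig replies and a resolv.conf so the parsers run offline.
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ads.example.net.   IN  A

;; ANSWER SECTION:
ads.example.net.    2   IN  A   0.0.0.0

;; Query time: 0 msec'

SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ads.example.net.    300 IN  A   192.0.2.10
ads.example.net.    300 IN  A   192.0.2.11

;; Query time: 18 msec'

SAMPLE_RESOLV_LEAKY='nameserver 192.168.1.50
nameserver 1.1.1.1'

# Live run only when executed as a script, not when the functions are sourced.
if [ "${0##*/}" = "pihole-client-check.sh" ]; then
    resolvers_only_pihole "$PIHOLE_IP" < /etc/resolv.conf || echo "WARN: this client can bypass the Pi-hole"
    echo "$BLOCKED_DOMAIN via Pi-hole: $(check_domain "$BLOCKED_DOMAIN" "$PIHOLE_IP")"
    echo "$BLOCKED_DOMAIN via 1.1.1.1: $(check_domain "$BLOCKED_DOMAIN" 1.1.1.1)"
fi
```

A healthy setup prints no bypass resolver, "blocked" for the Pi-hole line and "resolved" for the 1.1.1.1 line; if the Pi-hole line says "resolved", the client is not actually talking to Pi-hole (or the domain is not on your blocklist), and if the 1.1.1.1 line works at all while the router still lists it as secondary, that is the hole the previous section warns about.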



Very good work and effort, also you can add some more ad-lists

as for suggestions of other uses of pi:

#plex server
#retropi
#small nas
#air quality monitor
#audio streaming (Spotify connect/Apple airplay/BT)
#netmon
#smart surveillance
#smart mirror (my personal favourite)
#cnc stuff
#notifier for various web services
#a loads other neverending ideas

Do post if you'd like to work on any further project!
 
Would this setup block Youtube ads as well? they've started to get annoying recently. There'd be multiple ads in a sequence if you don't skip the first one. I also want to block the ads on my Redmi phone.

Hey, just FYI, Google is trying to bypass DNS-based ad blockers by using their AMP framework.
 
@arunmcops you are doing a great service to the community here at TE
Kudos mate

When free, and if you are interested, do share a noob-friendly guide to install a personal mail server, Samba and maybe Kodi on the Raspberry Pi, along with Pi-hole.

Have a great year bud.
 
Excellent guide
@arunmcops pls add unbound to it, that would complete it in my perspective
Pls add pihole -a -p to change the password. It's really difficult to remember the default.
Would this setup block Youtube ads as well? [...]
No.
You can add blocklists but most don't work.
 
Very good work and effort, also you can add some more ad-lists [...]
Sure.. all these are great uses of Pi.

@arunmcops pls add unbound to it, that would complete it in my perspective
I will be adding the unbound setup, maybe by tonight. Maybe a separate guide on AdGuard setup.
 
Excellent guide. I would make one suggestion: do not add another DNS on your DHCP server (your router etc.). Just keep the Pi-hole address as the ONLY DNS server. Another one may make your Pi-hole less effective, as also mentioned by the Pi-hole guides.

 
In continuation of the Pi-hole setup here, we will now use Unbound along with Pi-hole.

What is unbound?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs, VeriSign Inc., Nominet, and Kirei.
You can learn more here.

Setting up Pi-hole as a recursive DNS server solution

Install the Unbound recursive DNS resolver:
Code:
sudo apt install unbound

To resolve a name that is not in its cache, a recursive resolver starts at the top of the DNS tree: it asks the root servers which servers are authoritative for the top-level domain, and works its way down from there. Unbound ships with built-in root hints, but you can install a current copy of the list; remember to refresh this file every 6 months.

Code:
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/


Configure unbound


Edit the config file by
Code:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
And add the following contents (copy-paste):
Code:
server:

    # The  verbosity  number, level 0 means no verbosity, only errors.
    # Level 1 gives operational information. Level  2  gives  detailed
    # operational  information. Level 3 gives query level information,
    # output per query.  Level 4 gives  algorithm  level  information.
    # Level 5 logs client identification for cache misses.  Default is
    # level 1.
    verbosity: 0
   
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
   
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
   
    # Use this only when you downloaded the list of primary root servers!
    # Read the root hints from this file. Make sure to
    # update root.hints every 5-6 months.
    root-hints: "/var/lib/unbound/root.hints"
   
    # Trust glue only if it is within the servers authority
    harden-glue: yes
   
    # Ignore very large queries.
    harden-large-queries: yes
   
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    # If you want to disable DNSSEC, set harden-dnssec stripped: no
    harden-dnssec-stripped: yes
   
    # Number of bytes size to advertise as the EDNS reassembly buffer
    # size. This is the value put into  datagrams over UDP towards
    # peers. The actual buffer size is determined by msg-buffer-size
    # (both for TCP and UDP).
    edns-buffer-size: 1232
   
    # Rotates RRSet order in response (the pseudo-random
    # number is taken from the query ID, for speed and thread safety).
    rrset-roundrobin: yes
   
    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data anymore
    cache-min-ttl: 300
    cache-max-ttl: 86400
   
    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on.
    serve-expired: yes
   
    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes
   
    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes
   
    # Refuse id.server and hostname.bind queries
    hide-identity: yes
   
    # Report this identity rather than the hostname of the server.
    identity: "Server"
   
    # Refuse version.server and version.bind queries
    hide-version: yes
   
    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no
   
    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4M
   
    # Send minimum amount of information to upstream servers to enhance privacy
    qname-minimisation: yes
   
    # Deny queries of type ANY with an empty response.
    # Works only on version 1.8 and above
    deny-any: yes

    # Do not insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup
    minimal-responses: yes
   
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    # This flag updates the cached domains
    prefetch: yes
   
    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes
   
    # One thread should be sufficient, can be increased on beefy machines. In reality for
    # most users running on small networks or on a single machine, it should be unnecessary
    # to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # more cache memory. rrset-cache-size should twice what msg-cache-size is.
    msg-cache-size: 50m
    rrset-cache-size: 100m
 
    # Faster UDP with multithreading (only on Linux).
    so-reuseport: yes
   
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 4m
    so-sndbuf: 4m
   
    # Set the total number of unwanted replies to keep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 100000
   
    # Minimize logs
    # Do not print one line per query to the log
    log-queries: no
    # Do not print one line per reply to the log
    log-replies: no
    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: no
    # Do not print log lines to inform about local zone actions
    log-local-actions: no
    # Discard whatever would still be logged
    logfile: /dev/null
   
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Check unbound config file for errors

This is optional. Check the config file for errors with
Code:
unbound-checkconf /etc/unbound/unbound.conf.d/pi-hole.conf
It should return
Code:
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/pi-hole.conf
(Running plain sudo unbound-checkconf instead validates the complete configuration, including the main unbound.conf that includes this file.)

Restart the unbound service (the Debian package already starts it at install time, so a plain start would not pick up the new file) and check that a domain resolves. The first query is slow because Unbound walks down from the root servers; repeated queries are answered from cache in a millisecond or so.
Code:
sudo service unbound restart
dig github.com @127.0.0.1 -p 5335

Important steps:

To get fast, low-latency DNS resolution you need to make two changes to your Pi-hole. They are crucial: if you skip them you may experience very slow response times.
Open the configuration file and make sure the cache size is zero by setting cache-size=0. Caching is already handled by Unbound, so Pi-hole caching on top of it only adds a second, stale copy. Note that Pi-hole rewrites this file when you update or modify it, so re-check the setting after running pihole -up.
Code:
sudo nano /etc/dnsmasq.d/01-pihole.conf

When you use Unbound you rely on it for DNSSEC validation and caching; Pi-hole doing the same work would validate DNSSEC twice and waste time. Untick the Use DNSSEC option in the Pi-hole web interface under Settings > DNS > Advanced DNS settings.

Test validation


You can test DNSSEC validation by querying Unbound directly:
Code:
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335

The first command should return status SERVFAIL and no IP address, because that zone is deliberately signed with a broken signature. The second should return NOERROR plus an IP address, and its flags line should contain ad (Authenticated Data), which shows that Unbound validated the answer itself. If the first query returns an address, validation is not happening; if the second one fails too, Unbound itself is not resolving, which is a different problem.

Configure Pi-hole


Configure Pi-hole to use Unbound as its recursive DNS server: in the web interface go to Settings > DNS, untick every upstream DNS provider, enter 127.0.0.1#5335 as Custom 1 (IPv4), and save.


See, no ads on the page, and the Pi-hole status page shows the queries being blocked.
Hope this guide helped you all.

If this guide helped you in any way, kindly like it.
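The two probe queries and the Pi-hole-side settings from this post, turned into one script, as an added example that is not from the original post nor from Unbound or Pi-hole. It assumes dig is installed, that Unbound listens on 127.0.0.1 port 5335 as configured above, and that Pi-hole's dnsmasq fragment lives at /etc/dnsmasq.d/01-pihole.conf; the dig replies and config fragments embedded in it are constructed so the logic can be exercised offline. It goes a little beyond the post: besides "pass", it names the two distinct ways the DNSSEC check can fail, and it checks for leftover server= lines that would make Pi-hole bypass Unbound.

```shell
#!/bin/sh
# unbound-dnssec-check.sh -- added example; not from the original post, Unbound or Pi-hole.

# dig_status  < dig-output  -> RCODE (NOERROR, SERVFAIL, ...)
dig_status() { sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1; }

# dig_has_ad  < dig-output  -> exit 0 if the AD (Authenticated Data) flag is set,
# i.e. the resolver validated the answer itself rather than merely relaying it.
dig_has_ad() {
    awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*$/, "")
                        for (i = 1; i <= NF; i++) if ($i == "ad") found = 1 }
         END { exit found ? 0 : 1 }'
}

# dnssec_verdict SIGFAIL_REPLY SIGOK_REPLY
#   validating       bogus signature refused (SERVFAIL), good one answered with AD
#   no-ad-flag       same, but AD missing: you probably asked Pi-hole on :53 rather
#                    than Unbound on :5335 (dnsmasq may not pass the flag through)
#   not-validating   the bogus record was served: harden-dnssec-stripped is off,
#                    the trust anchor is missing, or the server asked is not Unbound
#   resolver-broken  even the good record fails: Unbound not (re)started, no root
#                    hints, no upstream connectivity; fix this before judging DNSSEC
dnssec_verdict() {
    fail_rc=$(printf '%s\n' "$1" | dig_status)
    ok_rc=$(printf '%s\n' "$2" | dig_status)
    if [ "$ok_rc" != NOERROR ]; then echo resolver-broken; return; fi
    if [ "$fail_rc" != SERVFAIL ]; then echo not-validating; return; fi
    if printf '%s\n' "$2" | dig_has_ad; then echo validating; else echo no-ad-flag; fi
}

# pihole_conf_audit  < 01-pihole.conf  -> one line per problem, exit 0 only if clean
# Checks the three things this post changes for Unbound:
#   server=127.0.0.1#5335 present and no other server= line (which would bypass Unbound),
#   cache-size=0 (no second cache in front of Unbound's),
#   no bare "dnssec" line (no second validation in front of Unbound's).
pihole_conf_audit() {
    awk '
        /^server=/     { if ($0 == "server=127.0.0.1#5335") unbound = 1
                         else { print "extra upstream bypasses Unbound: " $0; bad++ } }
        /^cache-size=/ { cache_seen = 1
                         if ($0 != "cache-size=0") { print "dnsmasq cache still on: " $0; bad++ } }
        /^dnssec$/     { print "DNSSEC validation still enabled in Pi-hole"; bad++ }
        END { if (!unbound)    { print "server=127.0.0.1#5335 missing"; bad++ }
              if (!cache_seen) { print "cache-size=0 missing"; bad++ }
              exit bad ? 1 : 0 }'
}

# Constructed, trimmed dig replies and config fragments for the offline run.
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN  A'

SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN  A   192.0.2.10'

SAMPLE_CONF_GOOD='server=127.0.0.1#5335
cache-size=0
log-queries'

SAMPLE_CONF_BAD='server=127.0.0.1#5335
server=1.1.1.1
cache-size=10000
dnssec'

# Live run only when executed as a script, not when the functions are sourced.
if [ "${0##*/}" = "unbound-dnssec-check.sh" ]; then
    fail=$(dig +time=3 +tries=1 sigfail.verteiltesysteme.net A @127.0.0.1 -p 5335)
    ok=$(dig +time=3 +tries=1 sigok.verteiltesysteme.net A @127.0.0.1 -p 5335)
    echo "unbound DNSSEC: $(dnssec_verdict "$fail" "$ok")"
    pihole_conf_audit < /etc/dnsmasq.d/01-pihole.conf && echo "pi-hole dnsmasq settings ok"
fi
```

Run it once right after the restart and again after any pihole -up, since the update rewrites 01-pihole.conf and can silently put cache-size back.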
 
Excellent guide. I would make one suggestion, to not add another dns on your dhcp server [...] Just keep the pihole address as the ONLY dns server.

That's right, but let me tell you one thing: the first time I set up my Pi-hole a while ago, I connected my Pi to a wall socket which (who knows how in this world) was not connected to any power backup. The power must have gone at some point, because everything was on backup except that stupid Pi, and all devices linked to that Pi were not able to access the internet.

TL;DR: make sure your router and Pi are connected to the same power outlet, or that both have power backup!
 
@arunmcops, do you recommend using the DHCP server feature of Pi-hole? Or should we just let the router take care of DHCP? What are the pros and cons?
 
So basically what I understood is that you may not need to use Pi-hole's DHCP feature if your router is already doing it.
Only use Pi-hole for DHCP in case the DHCP settings are locked in the router and you're not able to set the DNS option there.
Please correct me if I'm wrong.

And if this is the case, I don't need to touch any settings on my router, since Pi-hole is working as expected as a DNS server and the router is handling DHCP well.
 