Difference between revisions of "Pihole"
Page created by Unnilennium (talk | contribs); 13 intermediate revisions by 2 users not shown.
Latest revision as of 15:32, 29 December 2022
This is a small how-to on how to install and configure a pihole with your SME Server 10.
There are multiple ways to configure this, but we will describe at least one that should fit most uses.
Where to install pihole? It could be on a dedicated VM, a docker image (or any other alternative), or on a dedicated bare metal system such as a Raspberry Pi. You do not need something too powerful, so an old Raspberry Pi B with 1GB should be a start, as 512 GB is the minimum according to the pihole site.
Install Pihole on a dedicated raspberrypi
Install OS
First step is to install your OS on a dedicated SD card. You need a card of at least 8GB, as pihole needs 2-4 GB of space and a minimal Raspbian needs 1.4GB once the install is finished.
Get pi-imager or download your image and burn it to the SD card (https://www.raspberrypi.com/software/operating-systems/).
I strongly suggest you use pi-imager and set ssh to use only your ssh key, set your keyboard, a password, etc. You could do the same for the wifi, but I suggest keeping the good old reliable cable.
Configure a static IP
Logging in initially might be harder, as you will need to find the IP of this new toy. You could refer to the dhcp logs or the arp table on your SME. Then I strongly suggest you get the MAC address of the interface and use the server-manager to set a static IP for this host. You will need a static IP later to get this working. Having an easy hostname to remember will also help: pihole.mydomain.com
Install pihole
First remember to update your system. If running Raspberry Pi OS, then once logged in do:
sudo apt update
sudo apt upgrade
#answer Y
Then, following the pihole website, simply do:
wget -O basic-install.sh https://install.pi-hole.net
#read and be confident of the content first, or simply just run:
sudo bash basic-install.sh
Follow the installer. You will get a reminder about the static IP; if you have set the IP accordingly in SME Server with a hostname, you can ignore the step of configuring it again in the installer, as dhcpd will always hand out the IP configured this way.
Select Custom for the Upstream DNS Provider. This is where we will use SME Server as upstream server! Why do we choose that? See the section below. Use the SME Server local interface IP (mostly something like 192.168.X.1).
Select your desired lists.
Select yes for the admin interface and lighttpd.
For the privacy level, choose according to your local law and your needs, see: https://docs.pi-hole.net/ftldns/privacylevels/
Relax and see the installer do the job.
Note the Password and go to your Web interface to enjoy the result.
Setup your pihole for a SSL certificate
Tweak pihole using cli
As per the instructions of https://jpgpi250.github.io/piholemanual/doc/Block%20Ads%20Network-wide%20with%20A%20Raspberry%20Pi-hole.pdf, log in as the pi user on your pi and do:
#disable wifi and bluetooth on 3B, 3B+, 3A+, 4B and Zero W
echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt
echo "dtoverlay=disable-bt" | sudo tee -a /boot/config.txt
sudo systemctl disable hciuart

#utilities
sudo apt -y install crudini vim

# add a few lists (helper scripts from the piholemanual repository)
cd ~
wget https://raw.githubusercontent.com/jpgpi250/piholemanual/master/NextDNS.sh
wget https://raw.githubusercontent.com/jpgpi250/piholemanual/master/AdguardTeam.sh
wget https://raw.githubusercontent.com/jpgpi250/piholemanual/master/firebog.sh
wget https://raw.githubusercontent.com/jpgpi250/piholemanual/master/quidsup.sh
#we do not use ipv6
#https://raw.githubusercontent.com/jpgpi250/piholemanual/master/IPv6check.sh
sudo chmod +x /home/pi/NextDNS.sh /home/pi/AdguardTeam.sh /home/pi/firebog.sh /home/pi/quidsup.sh

# insert other lists straight into the gravity database (the SQL is fed to sqlite3 through a here-document)
sudo pihole-FTL sqlite3 /etc/pihole/gravity.db <<'EOF'
insert or ignore into adlist (address, enabled)
values ('http://someonewhocares.org/hosts/hosts', 1);
insert or ignore into adlist (address, enabled)
values ('http://v.firebog.net/hosts/Easyprivacy.txt', 1);
insert or ignore into adlist (address, enabled)
values ('https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt', 1);
insert or ignore into adlist (address, enabled)
values ('https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list.txt', 1);
insert or ignore into adlist (address, enabled)
values ('file:///home/pi/quidsup/notrack-blocklist.txt', 1);
insert or ignore into adlist (address, enabled)
values ('file:///home/pi/quidsup/notrack-malware.txt', 1);
.quit
EOF

# rebuild gravity to take all the lists we added into account
pihole -g
# flush the local dns cache on your Windows clients (this is a Windows command: run it on the client, not on the pi)
# ipconfig /flushdns

# watchdog
# Enable watchdog to send mails, whenever triggered:
sudo apt-get -y install watchdog
sudo sed -i -r 's/^#?max-load-5.*/max-load-5 = 18/' /etc/watchdog.conf
sudo sed -i -r 's/^#?max-load-15.*/max-load-15 = 12/' /etc/watchdog.conf
sudo sed -i -r 's/^#?watchdog-device.*/watchdog-device = \/dev\/watchdog/' /etc/watchdog.conf
sudo sed -i -r 's/^#?watchdog-timeout.*/watchdog-timeout = 15/' /etc/watchdog.conf
sudo systemctl restart watchdog.service

#use schedtool to optimize CPU scheduling for some processes
sudo apt-get -y install schedtool

#install needrestart and silence its kernel/microcode hints
sudo apt-get -y install needrestart
sudo sed -i 's/#$nrconf{kernelhints} = .*/$nrconf{kernelhints} = 0;/' /etc/needrestart/needrestart.conf
sudo sed -i 's/#$nrconf{ucodehints} = 0;/$nrconf{ucodehints} = 0;/' /etc/needrestart/needrestart.conf
cd ~
wget https://raw.githubusercontent.com/jpgpi250/piholemanual/master/needrestart.sh
chmod +x /home/pi/needrestart.sh

# random generator

# cron entries: refresh the NextDNS list weekly, check for needed restarts daily
sudo tee /etc/cron.d/pihole >/dev/null <<'EOF'
30 23 * * 6 root PATH="$PATH:/home/pi/" /home/pi/NextDNS.sh >/dev/null 2>&1
30 5 * * * root PATH="$PATH:/home/pi/" /home/pi/needrestart.sh >/dev/null 2>&1
EOF

#mail setup: relay through your SME Server (replace YOURSMELANIP with its LAN IP)
sudo apt-get -y install msmtp
sudo ln -s /usr/bin/msmtp /usr/lib/sendmail
sudo tee /etc/msmtprc >/dev/null <<'EOF'
defaults
tls on
auth off
host YOURSMELANIP
port 25
aliases /etc/aliases
account default
from pi@pi.hole
EOF

sudo sed -i '/^default:/d' /etc/aliases || true
echo "default:YOURADMINEMAIL" | sudo tee -a /etc/aliases

# protect your pi: reverse-path filtering on, ICMP redirects and source routing off
# we assume you already changed the default password, and configured the pi to only accept your rsa key, no password for ssh
sudo sed -i 's/#net.ipv4.conf.default.rp_filter=1/net.ipv4.conf.default.rp_filter=1/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv4.conf.all.rp_filter=1/net.ipv4.conf.all.rp_filter=1/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv4.conf.all.accept_redirects = 0/net.ipv4.conf.all.accept_redirects = 0/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv6.conf.all.accept_redirects = 0/net.ipv6.conf.all.accept_redirects = 0/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv4.conf.all.send_redirects = 0/net.ipv4.conf.all.send_redirects = 0/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv4.conf.all.accept_source_route = 0/net.ipv4.conf.all.accept_source_route = 0/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv6.conf.all.accept_source_route = 0/net.ipv6.conf.all.accept_source_route = 0/' /etc/sysctl.conf

sudo reboot
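The sysctl hardening above relies on sed patterns that must match the commented lines exactly; a sed substitution that finds no match changes nothing and reports nothing. The following is an added example (not from the wiki page or the piholemanual project) that applies the same seven settings regardless of spacing, appends any key the file lacks, and then verifies that every key is active. It works on any file path, so it can be tried on a constructed copy before touching /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not part of the wiki page: harden a sysctl.conf and verify it.

# keys this how-to enables, with the value each must carry
HARDEN_KEYS="net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0"

# harden_file FILE: uncomment each key whatever the spacing around '=' and
# append the key when the file does not mention it at all.
harden_file() {
    file="$1"
    printf '%s\n' "$HARDEN_KEYS" | while IFS='=' read -r key value; do
        if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=" "$file"; then
            sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
        else
            printf '%s = %s\n' "$key" "$value" >> "$file"
        fi
    done
}

# missing_keys FILE: print every key that is not active with the wanted value;
# returns 1 when something is missing, 0 when the file is fully hardened.
missing_keys() {
    file="$1"; rc=0
    for pair in $HARDEN_KEYS; do
        key=${pair%%=*}; value=${pair#*=}
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$value[[:space:]]*$" "$file" \
            || { echo "$pair"; rc=1; }
    done
    return $rc
}

# demo_on_sample: a constructed sysctl.conf in the style of Debian's commented
# defaults, with one oddly spaced key and one key absent, so both paths run.
# Prints "<missing before> <missing after>".
demo_on_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#  net.ipv4.conf.all.send_redirects=0
#net.ipv4.conf.all.accept_source_route = 0
EOF
    before=$(missing_keys "$tmp" | wc -l | tr -d ' ')
    harden_file "$tmp"
    after=$(missing_keys "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$before $after"
}
```

On the real system run `sudo sh -c '. ./harden.sh; harden_file /etc/sysctl.conf; missing_keys /etc/sysctl.conf'` (file name assumed) and then `sudo sysctl -p`; an empty missing_keys output means all seven settings are in place.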
Tweak pihole using web interface
windows update
If you have Windows machines that need updating, go to http://pi.hole and log in.
Whitelist the following in "Domains":
www.msftncsi.com
dns.msftncsi.com
ipv6.msftncsi.com
www.msftconnecttest.com
ipv6.msftconnecttest.com
Now go to "Settings" and choose the "DNS" tab. There, scroll down to "Advanced DNS settings", and
- uncheck "Never forward non-FQDN A and AAAA queries"
- check "Use Conditional Forwarding"
- fill the 3 input fields with your network information:
  - your SME network, noted as 192.168.1.0/24 if your SME IP is 192.168.1.1 and you have a netmask of 255.255.255.0
  - your SME Server LAN IP
  - your Primary domain.
allow dns filtering for your vpn clients
Go to the pi-hole panel and select Settings/DNS. Scroll to the lower right, and change the setting to Respond only on interface eth0.
Only do that if your pihole is on the LAN and not directly connected to the internet.
additional tweak
You might also read and apply some parts of https://jpgpi250.github.io/piholemanual/doc/Block%20Ads%20Network-wide%20with%20A%20Raspberry%20Pi-hole.pdf
Setup your SME to give pihole as DNS for your network, for machines using DHCP
You will need to install the Dhcpmanager contrib on your SME Server. Follow the procedure under install:
yum --enablerepo=smecontribs install smeserver-dhcpmanager
Go to your server-manager, and then to the panel "dhcpd", then
- set First DNS server with the pihole IP
- set Second DNS server with the pihole IP (yes twice, see below)
- leave Third DNS Server empty.
- set to enable personalized DNS servers.
Then click on save/restart; this will restart the dhcpd service with the new settings.
By default SME Server will put itself as backup DNS server if you only fill in the pihole once. This acts as a failsafe in case the pihole is down, but could let some requests bypass pihole if it is too slow to answer.
Setup your static IP machines to use
As explained, static IP machines that have their own network information set in their own configuration (not those that rely on dhcpd to address them with an IP set on SME) have no idea what dhcp is, and hence need you to set their DNS server to the IP of your pihole.
Setup SME firewall /router firewall to filter/redirect DNS request
https://wiki.koozali.org/DNS_Block
Why using SME Server as upstream server, and pihole only given by the dhcpd service to LAN
In other words, why not do the opposite and set SME to rely on pihole?
- you want the local services on your SME to have access to proper, unfiltered DNS results.
- you want qpsmtpd to get DNS results depending on your location (spam and DNSBL...)
- you do not want to rely on an external DNS service pooling requests, sending them to pihole and redirecting them to your local services. There are chances that DNSBL lookups will fail with a "too many requests" result.
- you might want some machines to rely on SME results without pihole filtering.
Testing your Pi-hole installation
nslookup flurry.com
It should return 0.0.0.0 if Pi-hole is working.
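A single nslookup only proves blocking. The following added example (not from the wiki page) checks the three behaviours this how-to configures: a listed domain is blocked, a whitelisted Windows Update domain is allowed, and a name in your SME domain is answered through conditional forwarding. PIHOLE and SME_DOMAIN are placeholders to adjust; dig comes from the dnsutils package, and the 0.0.0.0/:: answers assume Pi-hole's default (NULL) blocking mode.

```shell
#!/bin/sh
# Added example, not part of the wiki page: verify Pi-hole answers end to end.
PIHOLE="${PIHOLE:-pihole.mydomain.com}"   # placeholder: your Pi-hole name or IP
SME_DOMAIN="${SME_DOMAIN:-mydomain.com}"  # placeholder: your SME primary domain

# classify ANSWER: print blocked, allowed or nodata for the text dig +short returned.
# In NULL blocking mode Pi-hole answers blocked names with 0.0.0.0 (A) or :: (AAAA).
classify() {
    answer="$1"
    [ -z "$answer" ] && { echo nodata; return 0; }
    # a here-document rather than a pipe, so 'return' works inside the loop
    while IFS= read -r line; do
        case "$line" in
            0.0.0.0|::) echo blocked; return 0 ;;
        esac
    done <<EOF
$answer
EOF
    echo allowed
}

# lookup NAME TYPE: one short query against the Pi-hole.
lookup() {
    dig +short +time=3 +tries=1 "$2" "$1" "@$PIHOLE" 2>/dev/null
}

# expect NAME TYPE WANT: compare the live answer with what this page says should happen.
expect() {
    got=$(classify "$(lookup "$1" "$2")")
    if [ "$got" = "$3" ]; then
        echo "ok    $1 ($2) -> $got"
    else
        echo "FAIL  $1 ($2) -> $got (expected $3)"
        return 1
    fi
}

# run_checks: the live checks; returns 1 if any expectation fails.
run_checks() {
    rc=0
    expect flurry.com A blocked                 || rc=1  # on the default lists
    expect flurry.com AAAA blocked              || rc=1  # :: in NULL mode
    expect www.msftconnecttest.com A allowed    || rc=1  # whitelisted for Windows Update
    expect "pihole.$SME_DOMAIN" A allowed       || rc=1  # answered by SME via conditional forwarding
    return $rc
}

# Live checks only run when invoked as: sh check-pihole.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A nodata result for the SME domain name usually means conditional forwarding is not configured or the SME has no record for that host.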
References
- https://www.raspberrypi.com/software/operating-systems/
- https://docs.pi-hole.net/main/prerequisites/#supported-operating-systems
- https://github.com/pi-hole/pi-hole/#one-step-automated-install
- https://discourse.pi-hole.net/t/installing-pi-hole-on-existing-apache-server/43968/3
- https://github.com/jpgpi250/piholemanual
- https://jpgpi250.github.io/piholemanual/doc/Block%20Ads%20Network-wide%20with%20A%20Raspberry%20Pi-hole.pdf