Pi-hole DNS Filtering

Overview

Pi-hole is a very lightweight DNS filtering server. It’s so light that there are reports it can even run on a Raspberry Pi 1!

Example reasons for filtering DNS range from blocking ads to filtering out harmful sites (unwanted content or malicious domains).

Docker-Compose

Pi-hole has been dockerised, so you can see my example here.

If you’re running on Ubuntu, you will have to disable the local DNS cache (dnsmasq, the systemd-resolved stub listener), which otherwise occupies port 53. To do this, edit the file /etc/systemd/resolved.conf and change the line from

#DNSStubListener=yes
to
DNSStubListener=no

Save and exit the file. This will cause DNS queries to fail, e.g.:
ping google.com -c 4

Next, edit the file /etc/resolv.conf and add the following line below the existing nameserver line:
nameserver 8.8.8.8

This sends every DNS lookup from the host to Google’s DNS server. Feel free to change 8.8.8.8 to your favourite DNS.
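The two Ubuntu edits above, written as re-runnable shell functions with a read-back check. This is an added example, not the post’s own code: the function names, the --apply flag, the restart of systemd-resolved (needed before the stub listener actually releases port 53) and the port-53 diagnostic are this example’s assumptions. File paths are passed as arguments so the functions can be tried on copies before touching the real files.

```shell
#!/bin/sh
# Added example, not from the original post: applies the Ubuntu edits
# described above (DNSStubListener=no in resolved.conf, an extra
# nameserver in resolv.conf) idempotently, and reads the result back.
# Function names and the --apply flag are this example's own choices.

# Report the effective DNSStubListener value in a resolved.conf-style file:
# "yes", "no", or "unset" when only the commented default is present.
stub_listener_setting() {
    val=$(grep '^DNSStubListener=' "$1" | tail -n 1 | cut -d= -f2)
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# Force DNSStubListener=no. Handles the commented default
# (#DNSStubListener=yes), an existing explicit value, or no such line at all.
disable_stub_listener() {
    conf="$1"
    if grep -q '^#\{0,1\}DNSStubListener=' "$conf"; then
        sed 's/^#\{0,1\}DNSStubListener=.*/DNSStubListener=no/' "$conf" > "$conf.tmp"
    elif grep -q '^\[Resolve\]' "$conf"; then
        # No line present: insert one directly under the [Resolve] header
        awk '{ print } /^\[Resolve\]/ { print "DNSStubListener=no" }' "$conf" > "$conf.tmp"
    else
        # No [Resolve] section either: append a minimal one
        { cat "$conf"; printf '[Resolve]\nDNSStubListener=no\n'; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# Append "nameserver <ip>" to a resolv.conf-style file unless already present.
add_nameserver() {
    conf="$1"; ip="$2"
    grep -qxF "nameserver $ip" "$conf" || printf 'nameserver %s\n' "$ip" >> "$conf"
}

# Diagnostic: whatever is still listening on port 53. After systemd-resolved
# is restarted this should be empty, and later show only Pi-hole.
port53_listeners() {
    ss -lntup 'sport = :53' 2>/dev/null | tail -n +2
}

# Apply to the real files only when explicitly asked (run as root).
if [ "${1:-}" = "--apply" ]; then
    disable_stub_listener /etc/systemd/resolved.conf
    systemctl restart systemd-resolved
    add_nameserver /etc/resolv.conf "${2:-8.8.8.8}"
    echo "DNSStubListener is now: $(stub_listener_setting /etc/systemd/resolved.conf)"
    port53_listeners
fi
```

Run it as `sh pihole-prep.sh --apply 8.8.8.8` once you are happy with it on copies. One caveat worth knowing: on Ubuntu /etc/resolv.conf is normally a symlink into /run/systemd/resolve/ that systemd-resolved regenerates, so an appended nameserver line may not survive a restart; setting DNS= in resolved.conf, or pointing the symlink at /run/systemd/resolve/resolv.conf, is the durable way to get the same effect.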

Advantages

Pi-hole dashboard
The Pi-hole dashboard has some nice looking graphs.

Pi-hole query log
It can be set to log every query, which is very powerful for seeing what lookups are being performed. It is also very clear which ones were blocked and which were allowed.

Pitfalls

I enabled DNSSEC and found a few issues, and was surprised at the lack of support some domains have. For example, Tesco doesn’t support it.

Pi-hole is all or nothing: there is no way to exclude VLANs or individual devices from the block lists.

There is no way to subscribe to white lists, which seems odd considering the feature exists for block lists.

Cashback sites such as Quidco are also blocked. I suspect the link referrals are part of the advert block lists.

Summary

It was very easy to set up, and I was amazed at the power it gives in a simple-to-configure interface. I do believe this is a power-user feature, in that you will need to understand the networking side and be able to troubleshoot the issues.

The query log is very powerful: I can see what is going through the network, and what my ISP would see too.

I hear of great results from other people using the system; however, the default blocklists are already causing issues for me.

My plan is to potentially remove/disable the out-of-the-box list and start my own by setting up a Git repository. It will operate on an allow-first basis, blocking reactively.

Another point is to set up the network to disallow overriding of DNS servers on each device.


About Danny

I.T. software professional, always studying and applying the knowledge gained; one way of doing this is to blog. Danny also participates in a part-time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premises. Dedicated to I.T. since studying pure Information Technology from the age of 16, Danny Tsang is working in the field he has aimed for since leaving school. This entry was posted in Container, Infrastructure, Linux.
