Raspberry Pi-hole
by Christoph Dähne on 18.11.2021
Pi-hole is a local DNS server which blocks domains used for ads and tracking. The current default blocklist contains over 93,000 entries which the Pi-hole resolves to 0.0.0.0, thus making the domain inaccessible (for everyone using your Pi-hole as DNS). Installation is straightforward, as you can see in the installation instructions.
# login to your Raspberry
# (see previous blog post)
sudo su
# download and execute install script
curl -sSL https://install.pi-hole.net | bash
# follow the steps in the wizard
This is the easy part. I recommend installing the Web UI. You can access it via the IP of your Raspberry server, e.g. http://192.168.12.34/admin. You can also use a local domain name, such as raspberry.lan or similar. I'll cover this in a later blog post. If everything works, you can already query your Pi-hole DNS using the following command.
# execute on your local machine
dig @192.168.12.34 sandstorm.de
You should see a result like the following.
; <<>> DiG 9.10.6 <<>> @192.168.12.34 sandstorm.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40539
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sandstorm.de. IN A
;; ANSWER SECTION:
sandstorm.de. 51 IN A 18.104.22.168
;; Query time: 51 msec
;; SERVER: 192.168.12.34#53(192.168.12.34)
;; WHEN: Wed Nov 17 20:07:47 CET 2021
;; MSG SIZE rcvd: 57
Now comes the tricky part: in order to enable the Pi-hole for all devices in the network (even those which have not joined yet), you have to configure your DHCP server (probably in your router) to send the Pi-hole IP as the default DNS to all clients. Please search the settings of your DHCP server (and the web). I cannot help you with this since routers are rather different. My Amplifi HD router allows setting the DNS via a smartphone app but does not send the configured DNS via DHCP unless you disable a caching option that you can only see in the Web UI and not in the smartphone app.
After you have changed your DHCP settings and your client has received the new DHCP information, querying a blocked domain should look like this.
dig trace.svc.ui.com
; <<>> DiG 9.10.6 <<>> trace.svc.ui.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36035
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;trace.svc.ui.com. IN A
;; ANSWER SECTION:
trace.svc.ui.com. 2 IN A 0.0.0.0
;; Query time: 50 msec
;; SERVER: 192.168.12.34#53(192.168.12.34)
;; WHEN: Wed Nov 17 20:17:09 CET 2021
;; MSG SIZE rcvd: 61
Note that the Pi-hole is rather strict by default and something might not work anymore. You can always allow certain domains. Personally I added some to enable my YouTube history again, namely:
Individual clients in your LAN can opt out by overriding the DNS provided via DHCP. Those clients are unaffected by the Pi-hole.
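To check from a client both that the new DHCP settings have arrived and that blocking works, the dig output can be classified automatically. The following script is an added example, not part of the original post: the function and sample names are hypothetical, and the addresses 192.168.12.1 and 203.0.113.10 in the third sample are constructed.

```shell
#!/usr/bin/env bash
# Reads `dig` output on stdin; prints blocked | resolved | wrong-resolver | no-answer.
classify_dig() {   # usage: dig example.org | classify_dig <Pi-hole IP>
  awk -v want="$1" '
    /^;; ANSWER SECTION:/    { in_ans = 1; next }
    in_ans && (/^$/ || /^;/) { in_ans = 0 }   # answer section ended
    in_ans && ($4 == "A" || $4 == "AAAA") {
      n++
      # 0.0.0.0 is the blocked answer shown on the page; "::" for AAAA
      # queries is an assumption about the same blocking behaviour.
      if ($5 == "0.0.0.0" || $5 == "::") blocked++
    }
    /^;; SERVER:/ { split($3, s, "#"); server = s[1] }
    END {
      if (server != want)    print "wrong-resolver"  # DNS overridden or old DHCP lease
      else if (n == 0)       print "no-answer"
      else if (blocked == n) print "blocked"
      else                   print "resolved"
    }'
}

# Sample inputs: the first two are trimmed from the outputs on the page,
# the third is constructed (a client that still asks another resolver).
sample_blocked() { cat <<'EOF'
;; ANSWER SECTION:
trace.svc.ui.com. 2 IN A 0.0.0.0
;; SERVER: 192.168.12.34#53(192.168.12.34)
EOF
}
sample_resolved() { cat <<'EOF'
;; ANSWER SECTION:
sandstorm.de. 51 IN A 18.104.22.168
;; SERVER: 192.168.12.34#53(192.168.12.34)
EOF
}
sample_bypass() { cat <<'EOF'
;; ANSWER SECTION:
trace.svc.ui.com. 300 IN A 203.0.113.10
;; SERVER: 192.168.12.1#53(192.168.12.1)
EOF
}

for s in sample_blocked sample_resolved sample_bypass; do
  printf '%s: %s\n' "$s" "$("$s" | classify_dig 192.168.12.34)"
done
```

A result of wrong-resolver on a client means it is not querying the Pi-hole at all, either because it has not yet picked up the new DHCP information or because its DNS is set manually.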
Thanks for reading!