Raspberry Pi - Pi-Hole DNS and Ad-Block Protection

posted Feb 3, 2021, 11:50 AM by Andrew Chadick   [ updated ]
A "Raspberry Pi" is a very tiny, but complete, small form factor computer. These devices can be always on servers, it just depends on how you choose to use them.
"Ubuntu" - is an Open Source Linux Operating System - that has both graphical desktop and command line server versions.
"Pi-Hole": Think firewall-like software, that works with your Network and/or WIFI Router to protect your network's DNS and while it's at it, it has an ad-blocker functionality that can protect every computer, tablet, device and phone connected to your Wired and Wireless networks. Pi-Hole is accessed and configured through a web page on your own network.

The community that makes up the Raspberry Pi world, has made installing and configuring these devices a snap to set up and run.

The linux operating system setup is super easy, you just install the Ubuntu Server OS via the ubuntu.com website, select your raspberry pi unit, and run the utility to install it to an SD card.
Once Ubuntu Server is installed to the SD card, insert the SD into your raspberry pi, and boot up; use the credentials "ubuntu" as the user and "ubuntu" as the default password to get in, then configure it with a much better password. Run "sudo apt-get update"  and press enter.  Then when updated, run  "sudo apt-get upgrade"   and press enter.  Type/Select "Y" to upgrade.  
Just run these two commands every month to keep the device up to date.  The update notifications for the Pi-Hole software come from its own web interface. Drop into terminal on your Pi device; The update command is:   pihole -up

Once booted into Ubuntu Server, and your OS is updated, then, using the same terminal interface given to you -- install "Pi-Hole" with one command:
"$ curl -sSL https://install.pi-hole.net | bash"

Just follow the prompts during install. Make sure to use your favorite upstream DNS option. If you are interested, OpenDNS provides an extra layer of security even if you don't choose one of their protection plans,  you can still use it for free. Or, if you don't mind being tracked through the internet, Google DNS is considered one of the most complete, and probably the fastest responding option. 

Then go into your Wi-Fi routers' web configuration page (settings) and tell it to only use the raspberry pi's IP as your DNS as provided to you through this install process. That's the gist of it.  

Your current Wi-Fi router will ping this device each time someone enters a URL or opens some web address. There is nothing on the computer, tablet or phone level to configure.  If the URL matches something on the bad list, it simply won't go there.  If it doesn't find the URL on the list, then it will reach upstream to your choice of DNS.  If the DNS says it's ok, then the page will be sent to your device.

The next thing you will do is sign in to your Pi-Hole web command interface using the onscreen credentials found after the install. Make sure to use the group list(s) identified below as the Ad List/Restricted Domains lists, and after pasting it in, add it to the device with the Update Gravity Option, then click the bar to "Update" so that it uses the downloaded lists.

Source Links:

If you use Google WIFI Mesh in your organization/home: Use this article to help configure your setup... Use Option #2 to force the router to use the Raspberry for DHCP and DNS. https://www.mbreviews.com/pi-hole-google-wifi-raspberry-pi/ This article is good for several reasons, just read it, it gives you an idea of how to deal with pointing your services.

Ad List/Restricted Domains List: (with over 600,000 restricted domains). - Very Restrictive List. You may need to add a bunch of exceptions in order to visit some commonly used sites such as social media, and have them work effectively. However; this list is very close to an all-inclusive list. It protects against Adware, Malware, Advertisements, Pop Up Ads, Banners, Malicious sites, Hijacked domains, and some criminal networks, to include some command and control networks. Take this link, add it to your DNS blocking list (AdList), then for regular updates see the Basic List below and add that as a second link to your list. It is updated with changes every week. Both of these links will give you the best in DNS security for this device.

The Basic List / Malicious Sites // Malware List: This is a list that is just the worst of the worst domains listed. It's not for blocking ads and banners, just malicious domains. You can use this list in conjunction with your own lists or others online to augment it. (Updated weekly with new domains).
(This list currently contains just over 3,000 blocked/malicious domains.

Just a few words about this software and the Ad List. This software helps protect your network, by intercepting domain names entered in to browsers, clicked in emails, or accidentally typed and hit enter or Go by mistake. This software will compare what is presented to it, to the list it has on file. If there are no matches, it will go "upstream" to OpenDNS. Open DNS will then respond back with the server IP/or name that is requested, and the computer in your network will go there.
What this device won't do, is stop a computer in your network from going to a specific computer on the internet using an exact IP address. This device is not a full fledged firewall. It's an inexpensive system that gives a layer of protection, and it's very easy to use and configure. It's not going to stop you from wrecking your network if you aren't being careful. It will however help with mistakes, and help by intercepting some things that were accidents.
Also Note: You can "allow" anything that the list blocks. Just run the option to Query the Log, on the far right there is a button that allows you to add something to the block list, or if it's already blocked, you can add it to the allow list.
This list of malicious domains is not all inclusive, it's just a really good source of domains that your machines should not be visiting. however, as with all things, there are exceptions. If you need to make an exception... go in and make it.

CISA - Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS