# Guide: Global Network DNS blacklisting (Pi-Hole)



## Solaris17 (May 22, 2017)

Hey Everyone! Decided to make a guide on how to leverage DNS blackholing or "blocking"/"filtering" on your network. I will cover a few different aspects and approaches and like most of my other guides an honest PRO and CON list on why or why you shouldn't utilize something like this to help protect your network.

Today we will be focusing on the open source software Pi-Hole and while this is what I will base this guide off of I will try my best to more importantly create an understanding as to what this is and why it can help you.

To get started a quick primer is in order.

*What is DNS Blackholing?*​When we talk about DNS we kinda need to understand what it does. When you input something in your browser say www.google.com your computer needs to take the letters and words you just made and turn it into something the computer understands. So your computer takes google.com and asks other servers on the internet, DNS servers to help out. These servers have a big list. This list contains the names of websites and more importantly the corresponding IP address the numbers that PCs use as the street address for whatever you put in your browser. The list literally looks alot like this.


```
google.com  216.58.219.174
```

So wait. What does this all mean? Its simple. Websites can contain harmful data. It could be drive by downloads of junkware. It could be malware spread through Ads on the site. Maybe you clicked a link and it opened more than one tab or window. So how can we fix this?

There are a few different ways. however all of them with pitfalls of some kind. However, DNS blackholing can help us by blocking the domain responsible for ADs or malware and a few extra benefits.

Such as?

We chose Pi-hole because we will be setting up a network level DNS blacklist. Which means we will be protecting and blocking DNS queries on every device on the network. From phones, tablets, PCs and even TVs network level DNS blackholes protects any network connected device regardless of make and OS.

Now that you have the gist of what we are talking about lets dive right into the cool stuff. If you have followed along so far great! thanks! Let's take a peek at some of the PROs and CONs to DNS blacklisting.


*Security awareness and mitigation*
The most important thing to stay aware of is that security is a multilayered beast. While conventional AV is a good tool to help ward against infection among other things like common sense and good practice, we must always take into consideration the risk we put ourselves at by what we aren't protecting against. DNS is very much an overlooked layer in the consumer field.

More importantly than ever we need to be considering these more obscure layers that we have long taken for granted. When we look at the threat landscape we see more and more web based infections and exploits with web browsers, extensions and web technologies such as Flash and Java being taken advantage of everyday resulting in more and more infections in the wild.

I think that if enough correct decisive information, suggestion and more importantly discussion is had about these topics we can have a good working knowledge of the threats that our PCs and Identities face everyday in a ever more connected world.


*Advantages to DNS blackholing*
Protection against malicious domains
Protection against further infection
Protection against data collection
Faster web experience



*Disadvantages to DNS blackholing*
False positives can block legitimate sites
Unpleasant browsing experience when things are blocked
Page load failures can be hard to diagnose


Now that's out of the way you should have a pretty good idea of what we are getting into. I will provide more information along the way as with my other guides. As with all my material I will update it as it becomes necessary or relevant so check back for a quick read to see if anything has changed. Feel free to PM me for more of an explanation. As always when posting on TPU I do so as myself and do not officially represent any company.


*Installation*​To run this we need a device, a PC or a appliance like a raspberry PI or similar embedded computer. We need this unit to run 24/7 to act as our network's DNS server. Below I will outline some of the methods we can accomplish this and there respective installation instructions. Most units will need to run linux specifically the debian code base.


Linux



Spoiler: Linux



For this one, I will be instructing you on installing pi-hole on Ubuntu Server 17.04. The machine is a simple 512mb RAM single core machine with 20GB of disk space. Nothing fancy, and it doesn't need to be. I will be posting all instruction via terminal or command line for those more familiar with the term.

Now since we will be using Ubuntu, let me link you to a install guide. It's a bit out of scope to cover in this guide but feel free to ask questions and I can try to answer the more specific ones.

Things we need to accomplish:

Set a static IP
Set DNS servers
Install PI-Hole

After we have Ubuntu or Ubuntu Server installed lets make sure its all updated. In terminal run the following command.


```
Sudo apt-get update
```

now that we have a list of updates needed lets install them.


```
sudo apt-get upgrade
```

Now that the OS is fully patched, lets make sure the IP is static. We need to do this so that if there is a power outage your new server doesn't get a new IP address from your router. If it does your router wont know where to send DNS "lookups" and the internet will just stop working. Fear NOT! this isn't too painful!

First, we need something to edit text with. I think a program called Nano is good for most users, so lets give that a try. In terminal type:


```
sudo apt-get install nano
```

once that is done, for good measure lets do the following.


```
sudo apt-get autoremove
```

now lets get to configuring! Type the following:


```
sudo nano /etc/network/interfaces
```

You will get a print out that will look a little like this



Spoiler: Blank












At the end we will want to add values that work with your network. This example assumes you are using the 10 IP scheme. Go ahead and add this to the bottom of the document. HINT: Use arrow keys and "Enter/Return" to navigate also in Nano the carrot (^) refers to the CTRL key. so to save for example using the image above ^O would be the key combo CTRL+O and to exit CTRL+X.


```
auto eth0
iface eth0 inet static
        address 10.0.0.250
        netmask 255.255.0.0
        gateway 10.0.0.1
        dns-nameservers 8.8.8.8 4.2.2.2
```

After you have typed or pasted it in. We will save and exit nano. We then need to make sure the changes have stuck so we need to restart the networking service so it picks up the changes. If you are using a VNC/RDP/SSH client to access this you will probably lose connection and need to reconnect using the IP you specified in the "address" field.


```
sudo /etc/init.d/networking restart
```

After it completes we need to make sure that the changes stuck. Go ahead and type the following to bring up the connection stats.


```
ifconfig -a
```

You should get a print out like this. note that MY personal server is 10.0.0.19 instead of 10.0.0.250.






congrats! The network config is done! It seems like a lot but its not a lot once you get a knack for it! Lets go ahead and install pi-hole now.

According to the official documentation  it's as simple as running this in a terminal


```
sudo curl -sSL https://install.pi-hole.net | bash
```

Your done! Move on to the next sections, to learn how to configure and start using your new Pi-Hole Server!




Unix systems



Spoiler: Unix



CentOS and RHEL (RedHat) are supported by default on all current releases and can be installed using the same command linux releases use.


```
curl -sSL https://install.pi-hole.net | bash
```





Configuring your machines



Spoiler: Windows



Assuming our router is still handing out DNS we will need to manually configure our windows machine to use the Pi-Hole as our new DNS server manually.

Thankfully this is not very painful. Later we will get into disabling your routers DNS services and using the Pi-Hole exclusively.

With windows there are several ways we can go about doing this. I use the following method which doesn't vary much between OSs.

First lets right click on your network interface be it the wifi or ethernet icon and select "Open Network and Internet settings"






Next click on "Change adapter options"






You might be greeted with multiple adapters. For most people we will have 1 to 3. The main two will be the wifi adapter and the built in ethernet. For other systems you may have more than 1 of either. I'll let you use your discretion but we will be applying changes to the main adapters you use.






After you have picked one out lets right click on it and select "Properties" we will get the configuration menu for that adapter.

Highlight "Internet Protocol Version 4 (TCP/IPv4)" (Note the process is the same if you are using an ipv6 network) and click "Properties" once again.






Next we will come to the manual configuration page for our adapters IP and DNS servers. For this we will just be modifying DNS. Find DNS toward the bottom it will be the second set of configuration options. click the radial "Use the following DNS server addresses" in the first field we will enter the Pi-Hole IP address we configured before. In my case once again its 10.0.0.19. In the second field you can leave it blank or enter another DNS server of your choice such as public providers like Quad9, google or openDNS.






Finally click "Ok" and "Ok" again to save your changes.





Spoiler: OSX



OSX like Windows is very simple. We will use System Preferences for this example.

First click the "System Preferences" icon in your dock. If settings is not in your dock simply click the magnifying glass icon in your tool bar and search for it. The system preferences icon will look like a grey gear cog.






Once the system preferences panel opens up find and click on "Network"






After you click on network the interface configuration screen will open. Thankfully OSX makes this easy in all of its current supported editions the in use interfaces have a green dot next to them so no guess work!

From here we select the interface we want to modify by clicking on it in the left hand pane. Next we will then click the "Advanced" button inside the right hand pane to modify that specific adapter. We dont need to mess with IPs here unless you know what you are doing. We just need to modify DNS.






After you click "Advanced" click on the "DNS" tab on the top bar. This will allow us to add a new DNS address. Single or double click in the DNS box on the left hand side, alternativly you can press the '+' button towards the bottom. Next enter the IP address we configured earlier for the Pi-hole. In my case it is 10.0.0.19.






Thanks it! Now click "Ok" on the current screen followed by "Apply" on the previous screen which should no longer be grayed out to save the settings.

Congrats you are now using your Pi-hole on this machine!





Spoiler: Linux



For linux most users generally use something based off of the Debian code base. Namely Debian, Ubuntu and Mint. To that end the setup is similar, so in our example we will configure a static DNS server using Ubuntu 18.04. Please not depending on release version and flavor some steps will differ slightly but generally these 3 main distributions are close enough for you to contextually navigate the menu system.

First at our desktop lets click our network icon to reveal our network adapters. In recent debian distributions like those mentioned above this is very easy. Like OSX is will indicate what adapter is in use. Even further in Linux' case is will only show the adapters currently in use. Click on the type of connection you have and then click "Wired or Wireless Settings" after the menu expands.






It should automatically select the settings page for the adapter selected. If not you can manually choose it by clicking on the adapter you would like to modify on the left hand pane. Next we will click the gear cog next to the adapter we chose. To make it even more clear Ubuntu will even tell you if this adapter is "Connected" meaning online so its less confusing.






After you click on the gear cog that adapters configuration can now be modified. Click the "IPv4" tab along the top of the window. Next we will turn off automatic DNS by flipping the switch too "Off" above the DNS field. After that is done we can enter the IP address of our DNS server. In my case it is 10.0.0.19.






Now we can continue by hitting Apply at the top right of the window! Congrats! you have set the DNS server to your Pi-hole on Linux!


----------



## Solaris17 (May 22, 2017)

*Configuration*​

Router config (general)



Spoiler: Router DNS



While its all fine and dandy to have your Pi-hole setup and your machines configured what about phones or smart TVs? Thats right! These devices can have add blocking as well but to do this we will need to disable DNS on your router so that only the Pi-hole will handle the web lockup requests. If your router is allowed to do it, it will just send the lookup request to whatever DNS server it uses, generally the ISPs which offer no filtering, or even worse they cant *modify your requests*!

However this isn't something that can be globally covered. Thankfully it is generally easy as long as you know what to search for. Below I have included some links to popular router manufacturers DNS change procedures. You may need to search for your model of router so you can get the login information and model, generally on a sticker at the bottom.

Netgear

Linksys

D-Link

TP-Link

General

Please note that the router may need to be rebooted after. Some of the links only describe how to change the DNS servers. *DO NOT* change the DNS server to your Pi-hole! Just *disable* DNS by turning the service off. If a button or drop down is not easily accessible that provides this refer to your manual.




Settings



Spoiler: Best practice



Best practice for the most part like anything network infrastructure related is to not touch it unless absolutely necessary. These services are configured from the box to just run and never stop and Pi-hole is based on the same principles. From Linux to the DNS mechanisms used there is generally no need to intervene. These services are much simpler than you think with your router or configurations creating most of the problems users encounter.

However in cases like Pi-hole where security is the focus it isn't a terrible idea to set some of these configurations from the get go. All of these general options in the release of Pi-hole used in this guide (4.0) are all available in one place.

Start by logging into your Pi-hole using the username and password you configured when you installed it. You can get to this page by typing the IP address of your Pi-hole into your browsers URL bar. Alternatively if your PC is already set to use the Pi-hole you can get to it by typing Pi.hole and login that way.

Now that you are logged in lets click on "Settings" in the left hand pane. Afterwards clock the "DNS" tab at the top of the right hand pane. This is the page where we can configure how Pi-hole handled DNS requests.






For the most part you will want your settings configured to the following.

- Listen only on interface eth0 where "eth0" is the name of your link. Its ok if the name is different.
- Never Forward non-FQDNs
- Never forward reverse lookups for private IP ranges
- Use DNSSEC

When using DNSSEC it is important to know you need to use a compatible DNS provider, thankfully Pi-Hole includes a few which they go over in the description.





Spoiler: Scenario usage



Pi-hole can be used to block Ads and malicious domains on a network level instead of per device when configured to be your network DNS server like outlined above. Additionally with DNSSEC supported DNS filtering providers like Quad9 not only are your queries being filtered with the Pi-hole you are also filtering content at the DNS provider level. This helps ensure and additional level of protection if you wish.




Updates



Spoiler: Addition of black lists



Black list additions are easy way to include and even exclude domains that your Pi-hole filters. This can help alleviate problems or offer further protection. Now while the default lists for Pi-hole are automatically updated for you below I will show you how to whitelist blacklist and add additional lists as you please, just note incorrect configuration can lead to inaccessible web pages or network outages.

The first is to find good lists. While there are a TON available I prefer to use the Wally3K lists. wally3k is a part of the Pi-hole team and contributes curated lists to the community.

I prefer the Ticked Lists since they are curated lists of domains that generally don't cause false positives. While other lists even those not by wally3k can give you more blocked domains they can also block legitimate traffic and functions.

First login to your Pi-hole using your configured IP address or by navigating to Pi.hole if your machine is already configured to use it. Next we will go to settings on the left hand pane and then click the "Blocklists" tab on the right hand pane which will allow us to modify blocklist management.






At the bottom of the list we can add our own lists like the ticked list or our own single domains. In cases like the ticked list we can copy all of them and simply paste the entire list. In some cases the list is a URL to a text document. In these cases we can just post the url to the text list since pi-hole is smart enough to parse it.






After you are done just hit "Save and Update" and it will immediately add the new domains to the black list and incorporate them into the built in 24 hour update pi-hole already does. Pretty nifty right?


----------



## Solaris17 (May 22, 2017)

*Usage*​

Examples of sites before and after



Spoiler: Block Testing



Test was done in google chrome with no adblock plugin enabled and DNS set to google 8.8.8.8. Test website is ooklas speedtest.net. Pi-hole is using default lists in addition to the wally3k ticked lists. No other domains have been manually black or white listed.



Spoiler: Before:













Spoiler: After: Pi-hole enabled













Spoiler: After: Pi-hole W/ Ublock Origin















Basic how-to view logs and trouble shoot odd problems



Spoiler: Misconfigurations



Odd issues due to mis-configuration can occur that make your browsing experience less enjoyable. Thankfully troubleshooting isn't too difficult. Here I will explain some basic troubleshooting techniques that can be used to restore the browsing behavior you want.

First and foremost is reading the query log. This will allow us to see a list of what is being blocked or if it is being blocked. To check the log just login to your Pi-hole using the IP you configured or the default DNS redirect. Once you have done that in the left hand pane click on "Query Log" and you will be presented with a log of the recent DNS queries. Please take note there can be a lag time so attempt to access the site again if you don't see it again so it pushes to the log a bit quicker. This will let you see what the Pi is doing with it.






From this page we can search for the URL if you don't feel like manually clocking through pages using the search field at the top right. You can also whitelist or blacklist a specific URL from the log page.

After you have white listed or black listed your URL to speed up the change (delegation) we can do the following procedure.

While logged into the Pi-hole clock on "Settings" in the left hand pane then select the "System" tab in the right hand pane. Fine the button "Restart dnsmasq" and click it.

The DNS service controlling the Pi-hole will now restart and flush.



Spoiler: dnsmasq











Next we can flush the Operating Systems DNS cache (Windows).

Open a Command prompt as Administrator.
Type the following command into the prompt and press enter


```
ipconfig /flushdns
```

Finally we can flush the independent cache of our browser.

Chrome:
In the URL bar type the following

```
chrome://net-internals/#dns
```
Next press the button labled "Clear Host Cache"

Firefox





Spoiler: Problematic Domains



If you have manually added a domain to the white or black list and run into issues do not got into the query logs and white or black list it to correct the problem this will not work.

Instead in the Pi-hole control panel in the left hand pane navigate to the offending list by clicking "Whitelist" or "Blacklist" from the menu.

From here we should easily be able to see the offending URL both the white and black list display information similarly so the process is the same. Find the offending domain and delete the entry manually using the trashcan icon to the right of the entry.






You can use the methods of refreshing the DNS cache described in the previous spoiler tag to regain access or blocking of the domain in question.



*Comparison vs Adblockers*​When it comes to DNS Blackholing you may not know you are already using one. Thats right! Ad-Blockers such as AdBlock, ublock Origin, Adblock plus and other extensions are already very popular and widely used. So what makes Pi-Hole and other services different?​​Well the first and probably most obvious is that ad blockers generally use "element blocking" in conjunction with DNS blocking. This means that while adblockers also DNS block they can also interact with your browser and stop the actual ad code from loading. This helps prevent big voids of nothing from showing up in a website. Like a big white box where an ad was supposed to be.​​The second is Adblockers allow you to block new ads in real time. This is usually done by right clicking on an ad and telling it to block it. It follows up with a few questions to make sure its getting it right and then you're done.​​The third is that adblockers depending on author will only allow you to block using a few definition lists. Sometimes one and sometimes several, however generally they only start with one or two lists. You have to add the rest.​​The last and probably biggest difference is while adblockers add the ability to block ad elements, they unfortunately do not help protect entire networks. Since adblockers work on a per browser model each device needs to be setup with one. This can also be impossible to do on some devices.​


----------



## Solaris17 (Sep 9, 2018)

and complete! sorry it took so long!


----------



## Salty_sandwich (Oct 11, 2018)

anyone using cloudflare ? DNS 1.1.1.1 / 1.0.0.1
seems faster than google
im using atm supposed to be anti tracking or something along those lines

EU always under 10ms 

https://www.dnsperf.com/#!dns-resolvers


----------



## Solaris17 (Oct 11, 2018)

I am works well!


----------



## Athlonite (Oct 11, 2018)

> *DO NOT* change the DNS server to your Pi-hole! Just *disable* DNS by turning the service off. If a button or drop down is not easily accessible that provides this refer to your manual.



why is there some sort of problem using a router for Pi-Hole's DNS services


anyone using cloudflare ? DNS 1.1.1.1 / 1.0.0.1 

using both their IPv4 & IPv6 DNS servers for a while now they also do DNSSEC aswell


----------



## Liquid Cool (Oct 11, 2018)

This is the kind of thread I'd personally like to see more of on TPU.  Just a "little" less video cards and cpus(along with all the arguing that goes with it) and more useful tech. 

If anyone needs ideas?  Top VPN's, Setting up a VPN, premium router tips & tricks,  pfsense...is it worth it?, managing the .host file etc etc.  The list is endless.  What's your niche? Teach others about it.  I sure didn't think I was going to read an article about pi-hole when I logged in tonight.  Quite pleased to see this.

Thanks for going to the trouble Solaris17.  It looks like it took some time to put together...well worth the read.

,

Liquid Cool


----------



## blobster21 (Oct 11, 2018)

I'm happily running my pi-hole for severals years now

Marking this thread as a must read for later.


----------



## Salty_sandwich (Oct 11, 2018)

Solaris17 said:


> I am works well!



yeah I have set the DNS to cloudflare on the router rather than leave it set with my ISP's default DNS server.


----------



## Solaris17 (Oct 11, 2018)

Athlonite said:


> why is there some sort of problem using a router for Pi-Hole's DNS services
> 
> 
> anyone using cloudflare ? DNS 1.1.1.1 / 1.0.0.1
> ...



Kind of. So basically it depends entirly on the router capabilities or the firmware on it.

Basically in most SMB and up routers there are two options.

Enter the DNS servers for the WAN link (these generally appear if you are using a static IP from your ISP)

and the second are the DNS servers for the LAN.

The first is used so your router can check for FW updates/maintain a link to the outside worl on its own, for routers that support it. 

On cheaper routers however, they only give you 1 set that does both. In these cases it generally is the DNS servers for the WAN but the router behind the scenes passes them to the LAN. This makes the page look less cluttered but renders internal DNS servers useless since the router will respond.

To get around the problem of your router losing external connectivity for itself if your homemade DNS server goes down, but to prevent it from giving DNS servers to machines on your network, generally you can disable DNS and or DHCP server. This controls the LAN side, so even if you cant set them manually you can disable your router ability to pass them to the LAN network.

in which case the pi or your internal DNS server will pickup the request.

Hope that clears it up.


----------



## Salty_sandwich (Oct 11, 2018)

Solaris17 said:


> Kind of. So basically it depends entirly on the router capabilities or the firmware on it.
> 
> Basically in most SMB and up routers there are two options.
> 
> ...



heeh so does that mean because I have set my ISP's supplied router's WAN DNS to 1.1.1.1 it will no longer get firmware updates ?


----------



## Solaris17 (Oct 11, 2018)

Salty_sandwich said:


> heeh so does that mean because I have set my ISP's supplied router's WAN DNS to 1.1.1.1 it will no longer get firmware updates ?


Nope doesn’t mean that at all.


----------



## Salty_sandwich (Oct 11, 2018)

Solaris17 said:


> Nope doesn’t mean that at all.


ahh ok cheers


----------



## Space Lynx (Sep 28, 2022)

@Solaris17 I am considering a pihole at the router level, or possible a raspberry pi for a vpn, apparently its not very hard to make your own free vpn with a pi? do you know if that is relativey secure?


----------



## Solaris17 (Sep 28, 2022)

CallandorWoT said:


> @Solaris17 I am considering a pihole at the router level, or possible a raspberry pi for a vpn, apparently its not very hard to make your own free vpn with a pi? do you know if that is relativey secure?



Well, I am not certain that it will do what you want. Most of the time when people mention pihole (DNS) and VPN what they really want is to "look" like they are in a different country for content or otherwise.

These are two fundamentally different things though. pihole (this thread) is about blocking network traffic on a DNS level.

piVPN (a different project and topic all together) is about setting up a public VPN server on a pi so that when traveling you can connect to your home network.

However: some people really DO want to run a VPN and pihole. Because by extension if you connect to the VPN it will use your DNS server (pihole) to help block traffic. This is the normal usecase but it will not let you be seen as an Italian ISP user for example.

To answer the latter, yes. pivpn can be used with pihole and pivpn is secure the two major technologies you can choose to use are wireguard and openvpn both are commonly used everywhere in the industry and both have immense support in the form of tutorials or community topics.

EDIT:: oh man all the pics in this guide are broken, ill need to fix them.


----------

