On 07/02/17 19:53, Simon Avery via list wrote:
> I've had this running for a little while now - quite impressed.
>
> https://pi-hole.net/
>
> Nothing groundbreaking here - it's a DNS proxy that doesn't resolve
> blacklisted domains. What is good is that it'll work for an entire
> network, is super easy to set up, has a pretty web interface and 98,000
> blocked domains in maintained lists. (You can whitelist/blacklist as
> you'd expect). It's just a simple idea done well.

I'd like to put in a good word for this project as well: whilst it certainly isn't groundbreaking - just yet another blacklisting DNS proxy, nothing to see here - it's been done right. Simple, elegant, highly effective.

What if you want to try it out but don't happen to have a spare hypervisor box/server/unused PC or RPi lying around to run it 24/7? What if, for example, you just have your main linux box but you wouldn't mind testing it out risk-free for a bit? Well, I'm glad you asked!

For the following example I used an Ubuntu 16.04 (VM) as I figured that's what most people would probably be using, but the steps are simple and easily adapted to any other sane distro, probably without any modification. To make it really easy I've even assumed completely out of the box networking, meaning DHCP and NetworkManager.

So, here is how to quickly implement and test out a disposable pi-hole DNS proxy without knackering your main linux PC: container time.

1: Install the pre-reqs, which are basically docker and git:

  # sudo apt install git
  # sudo curl -sSL https://get.docker.com/ | sh

For the docker step the usual warnings about running random scripts as root apply of course - answer the questions and let it install a much newer docker than in the default repos. Add your account to the docker group and log out and back in again for the change to take, otherwise prefix sudo to all docker commands.

  # sudo usermod -aG docker $USER

2: The pi-hole instance we're going to run in a minute can't do its thing without running a DNS server (obviously) and it also will provide a neat web administration/reporting interface too, so it's going to want to bind to ports 53 (DNS) and 80 (http) on your computer. There are quite probably things running on those ports already, so check:

  # sudo netstat -tulpn | egrep ":53 |:80 "

The output will show if you have listening processes already on those ports - stop any running webserver with systemctl first. I had to clear a running nginx instance out of the way:

  # sudo systemctl stop nginx

There will also be the default dnsmasq instance, which is a special case as it is respawned by NetworkManager, so back up the conf first:

  # sudo cp /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/NetworkManager.conf.ORIG

Prevent NetworkManager from resurrecting dnsmasq:

  # sudo sed -i 's/dnsmasq/default/g' /etc/NetworkManager/NetworkManager.conf

Make sure dnsmasq isn't still hogging port 53:

  # sudo systemctl stop dnsmasq
  # sudo killall dnsmasq

That's all the setup done - if you have a static IP set or aren't using NetworkManager you'll be able to skip some of those steps anyway, but the basic idea is the same: just make sure those two ports are free and you don't have a conflicting local DNS instance running.

Check out the repo and start up the docker service:

  # git clone https://github.com/diginc/docker-pi-hole.git
  # sudo systemctl start docker

And finally run the script that does all the rest of the work for you:

  # cd docker-pi-hole && sudo ./docker_run.sh

That's it!

Check out the new docker instance and make sure it's alive:

  # sudo docker images
  # sudo docker top pihole
  # sudo docker logs pihole

You can connect to its built-in webserver for a control panel and lots of pretty real-time graphs - just point a webserver at:

  http://1.2.3.4/admin

Run the new containerized pihole's built-in script to update its massive DNS blocklists:

  # sudo docker exec pihole pihole updateGravity

Now it's ready for use and you can simply point any device on your subnet at the IP address of your PC for DNS services (change the DNS server IP that your router is dishing out via DHCP to make this automatic for everything) and voila: no ads whatsoever. It really is very good as well; on average the instances I'm running block between 10 and 20% of ALL DNS queries. Make sure you temporarily disable any adblockers on your devices to really test it's working as stated or, even better, surf the internet on a device that doesn't/can't have an adblocker installed.

To immediately see the effect on the actual PC you just set up the docker pihole instance on, just update your DNS settings to point at your own IP, so in effect this just means edit /etc/resolv.conf. Because we manually stopped NetworkManager scribbling all over it by respawning dnsmasq earlier, this means adding the line:

  nameserver 192.168.1.50

Change the IP to your own, obviously. If there is already a nameserver value then either overwrite it or add the new line *above* it.

This is super-easy and safe to test even on a lone/principal PC that you don't want to risk messing up: even if you're not confident with this sort of thing, as long as you can copy and paste ok you'll be up and running in no time. Even if something goes wrong or you bork a step and even lose networking somehow, the only thing you need to do to completely recover is reverse the NetworkManager edit and reboot. The docker service won't automatically restart but all your normal network services will, dnsmasq will overwrite your DNS tweaks and everything will be completely back to normal.

  # sudo cp /etc/NetworkManager/NetworkManager.conf.ORIG /etc/NetworkManager/NetworkManager.conf
  # sudo reboot

If you do decide after testing out the pihole magic at work that you need to have a full-time one (and you quite possibly will!) but want to keep it running on the same PC instead of a RPi, VM, spare PC or whatever, you could probably do a lot worse than keeping it in docker right where it is. Sandboxed and containerized, a busy pi-hole docker instance consumes all of ~147Mb of disk space and about the same amount of RAM, and when the docker image updates it's all handled seamlessly with a couple of commands. You'd probably want to make a couple of other obvious changes such as ensuring your PC has a static IP and disabling anything such as NetworkManager from spawning DNS or overwriting confs automatically.

Running this as a docker instance is *far* more convenient and efficient than putting it even in a dedicated VM. In fact it's so efficient that if you've got a RPi2 or 3 lying around, or even if it's already doing network service or streaming things for you, the minimal overhead of docker + pihole container means you can follow basically the same steps to run it on the RPi without disrupting whatever else it's doing, which is pretty cool. I'm testing a few RPi3s already in the field running Kodi media servers in living rooms and because they're linux it's been trivial to adblock their whole home networks "for free". Add docker, pull and run the pihole image, configure to run 24/7 and update the DNS entry for the DHCP server on the router. Excellent.

Didn't really mean to write a howto but never mind - I started off replying to Simon's initial post because he's right you know, pihole *really* is pretty great and I've been using it a lot recently too. Then I thought I'd just briefly add in some basic instructions for a quick 'n dirty test in docker and here we are I guess. Hopefully someone might find this useful and/or interesting!

I might as well add pihole also works well in business environments - it will happily serve a busy network of <50 clients running (dedicated this time) on a RPi3 as a DNS proxy. It plays well with a pfsense for example as a forwarder, although you might have to fiddle briefly with DNS rebinding check settings; I did.

Feel free to ask any questions if you want to try it out or if you do, and it doesn't work for some reason.

Cheers

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
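The three manual edits in the post above (checking whether 53 and 80 are already taken, switching NetworkManager's dns= setting with a backup, and putting a new nameserver line first in resolv.conf) as small POSIX sh helpers. This is an added example, not code from the original post or from the pi-hole or docker-pi-hole projects; the netstat output it parses is constructed, the function names are hypothetical, and it deliberately works on whatever file path it is given so you can try it on a temp copy before pointing it at /etc/NetworkManager/NetworkManager.conf or /etc/resolv.conf. Unlike the post's `sed 's/dnsmasq/default/g'`, the NetworkManager helper only rewrites the `dns=` key, and the resolv.conf helper can be re-run without adding duplicate lines.

```shell
#!/bin/sh
# Added example for the pi-hole-in-docker steps above (not from the post or
# from the pi-hole / docker-pi-hole projects). Every helper takes a file path
# or reads stdin, so it can be tried on a temp copy before touching /etc.

# Constructed sample of `sudo netstat -tulpn` output (not a real capture):
# dnsmasq on 53, nginx on 80 (v4 and v6), sshd on 22.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2345/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      999/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2345/nginx
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1234/dnsmasq'

# ports_in_use PORT...: read netstat -tulpn output on stdin and print each
# requested port that already has a listener, once, in order of first
# appearance. IPv4 ("0.0.0.0:80") and IPv6 (":::80") local addresses are both
# handled by keeping only what follows the last colon.
ports_in_use() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^(tcp|udp)/ {
            port = $4; sub(/.*:/, "", port)
            if ((port in need) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# nm_dns_mode FILE: print the value of the dns= key in a NetworkManager.conf.
nm_dns_mode() {
    sed -n 's/^dns=//p' "$1"
}

# nm_set_dns MODE FILE: keep a one-off backup as FILE.ORIG, then set dns=MODE.
# "default" stops NetworkManager respawning dnsmasq; "dnsmasq" puts it back.
# Only the dns= line is touched, rather than every occurrence of the word.
nm_set_dns() {
    mode=$1; file=$2; tmp="$file.tmp"
    [ -f "$file.ORIG" ] || cp "$file" "$file.ORIG"
    awk -v mode="$mode" '/^dns=/ { $0 = "dns=" mode } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# add_nameserver FILE IP: make "nameserver IP" the first nameserver line in a
# resolv.conf-style file. An existing line for the same IP is moved rather
# than duplicated, and the line is appended if the file has no nameserver yet,
# so running it twice gives the same result as running it once.
add_nameserver() {
    file=$1; ns="nameserver $2"; tmp="$file.tmp"
    awk -v ns="$ns" '
        $0 == ns { next }
        !done && /^nameserver / { print ns; done = 1 }
        { print }
        END { if (!done) print ns }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on the constructed netstat sample and on temp copies of both configs.
demo() {
    echo "ports 53/80 already in use:"
    printf '%s\n' "$SAMPLE_NETSTAT" | ports_in_use 53 80

    nm=$(mktemp)
    printf '[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n\n[ifupdown]\nmanaged=false\n' > "$nm"
    nm_set_dns default "$nm"
    echo "dns= after edit: $(nm_dns_mode "$nm"), in backup: $(nm_dns_mode "$nm.ORIG")"

    rc=$(mktemp)
    printf 'search lan\nnameserver 127.0.1.1\n' > "$rc"
    add_nameserver "$rc" 192.168.1.50   # the IP from the post; use your own
    add_nameserver "$rc" 192.168.1.50   # second run changes nothing
    echo "resolv.conf after edit:"; cat "$rc"
    rm -f "$nm" "$nm.ORIG" "$rc"
}

demo
```

Run it as-is to see the demo on the temp copies; on a real box the equivalent of the post's steps is `sudo netstat -tulpn | ports_in_use 53 80`, `sudo sh -c '. ./helpers.sh; nm_set_dns default /etc/NetworkManager/NetworkManager.conf'` and the same for `add_nameserver /etc/resolv.conf <your IP>`, with `nm_set_dns dnsmasq ...` (or the cp from FILE.ORIG) as the way back.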