
Re: [LUG] Pi-Hole

 

On 07/02/17 19:53, Simon Avery via list wrote:
> I've had this running for a little while now - quite impressed.
> 
> https://pi-hole.net/
> 
> Nothing groundbreaking here - it's a DNS proxy that doesn't resolve
> blacklisted domains. What is good is that it'll work for an entire
> network, is super easy to set up, has a pretty web interface and 98,000
> blocked domains in maintained lists. (You can whitelist/blacklist as
> you'd expect). It's just a simple idea done well.

I'd like to put in a good word for this project as well: whilst it
certainly isn't ground breaking - just yet another blacklisting DNS
proxy, nothing to see here - it's been done right. Simple, elegant,
highly effective.

What if you want to try it out but don't happen to have a spare
hypervisor box/server/unused PC or RPi lying around to run it 24/7? What
if, for example, you just have your main linux box but you wouldn't mind
testing it out risk-free for a bit? Well I'm glad you asked!

For the following example I used an Ubuntu 16.04 (VM) as I figured
that's what most people would probably be using, but the steps are
simple and easily adapted to any other sane distro, probably without any
modification. To make it really easy I've even assumed completely out of
the box networking, meaning DHCP and NetworkManager.

So, here is how to quickly implement and test out a disposable pi-hole
DNS proxy without knackering your main linux PC: container time.

1: Install the pre-reqs which are basically docker and git

# sudo apt install git
# sudo curl -sSL https://get.docker.com/ | sh

For the docker step the usual warnings about running random scripts as
root apply of course - answer the questions and let it install a much
newer docker than in the default repos. Add your account to the docker
group and log out and back in again for the change to take, otherwise
prefix sudo to all docker commands.

# sudo usermod -aG docker $USER

2: The pi-hole instance we're going to run in a minute can't do its
thing without running a DNS server (obviously) and it also will provide
a neat web administration/reporting interface too, so it's going to want
to bind to ports 53 (DNS) and 80 (http) on your computer. There are
quite probably things running on those ports already so check:

# sudo netstat -tulpn | egrep ":53 |:80 "

The output will show if you have listening processes already on those
ports - stop any running webserver with systemctl first. I had to clear
a running nginx instance out of the way:

# sudo systemctl stop nginx

There will also be the default dnsmasq instance which is a special case
as it is respawned by NetworkManager so back up the conf first:

# sudo cp /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/NetworkManager.conf.ORIG

Prevent NetworkManager from resurrecting dnsmasq:

# sudo sed -i 's/dnsmasq/default/g' /etc/NetworkManager/NetworkManager.conf

Make sure dnsmasq isn't still hogging port 53:

# sudo systemctl stop dnsmasq
# sudo killall dnsmasq

That's all the setup done - if you have a static IP set or aren't using
NetworkManager you'll be able to skip some of those steps anyway but the
basic idea is the same: just make sure those two ports are free and you
don't have a conflicting local DNS instance running.

Check out the repo and start up docker service:

# git clone https://github.com/diginc/docker-pi-hole.git
# sudo systemctl start docker

And finally run the script that does all the rest of the work for you:

# cd docker-pi-hole && sudo ./docker_run.sh

That's it! Check out the new docker instance and make sure it's alive:

# sudo docker images
# sudo docker top pihole
# sudo docker logs pihole

You can connect to its built-in webserver for a control panel and lots
of pretty real time graphs - just point a web browser at:

http://1.2.3.4/admin

Run the new containerized pihole's built-in script to update its
massive DNS blocklists:

# sudo docker exec pihole pihole updateGravity

Now it's ready for use and you can simply point any device on your
subnet at the IP address of your PC for DNS services (change the DNS
server IP that your router is dishing out via DHCP to make this
automatic for everything) and voila: no ads whatsoever. It really is
very good as well, on average the instances I'm running block between 10
and 20% of ALL DNS queries. Make sure you temporarily disable any
adblockers on your devices to really test it's working as stated or even
better, surf the internet on a device that doesn't/can't have an
adblocker installed.

To immediately see the effect on the actual PC you just set up the
docker pihole instance on, just update your DNS settings to point at
your own IP so in effect this just means edit /etc/resolv.conf. Because
we manually stopped NetworkManager scribbling all over it by respawning
dnsmasq earlier this means adding the line:

nameserver 192.168.1.50

Change the IP to your own obviously. If there is already a nameserver
value then either overwrite it or add the new line *above* it.

This is super-easy and safe to test even on a lone/principal PC that you
don't want to risk messing up: even if you're not confident with this
sort of thing as long as you can copy and paste ok you'll be up and
running in no time. Even if something goes wrong or you bork a step and
even lose networking somehow, the only thing you need to do to
completely recover is reverse the NetworkManager edit and reboot. The
docker service won't automatically restart but all your normal network
services will, dnsmasq will overwrite your DNS tweaks and everything
will be completely back to normal.

# sudo cp /etc/NetworkManager/NetworkManager.conf.ORIG /etc/NetworkManager/NetworkManager.conf
# sudo reboot

If you do decide after testing out the pihole magic at work that you
need to have a fulltime one (and you quite possibly will!) but want to
keep it running on the same PC instead of a RPi, VM, spare PC or
whatever, you could probably do a lot worse than keeping it in docker
right where it is. Sandboxed and containerized a busy pi-hole docker
instance consumes all of ~147Mb of disk space and about the same amount
of RAM and when the docker image updates it's all handled seamlessly
with a couple of commands. You'd probably want to make a couple of other
obvious changes such as ensuring your PC has a static IP and disabling
anything such as NetworkManager from spawning DNS or overwriting confs
automatically. Running this as a docker instance is *far* more
convenient and efficient than putting it even in a dedicated VM.

In fact it's so efficient that if you've got a RPi2 or 3 lying around or
even if it's already doing network service or streaming things for you,
the minimal overhead of docker + pihole container means you can follow
basically the same steps to run it on the RPi without disrupting
whatever else it's doing, which is pretty cool. I'm testing a few RPi3s
already in the field running Kodi media servers in living rooms and
because they're linux it's been trivial to adblock their whole home
networks "for free". Add docker, pull and run the pihole image,
configure to run 24/7 and update the DNS entry for the DHCP server
on the router. Excellent.

Didn't really mean to write a howto but never mind - I started off
replying to Simon's initial post because he's right you know, pihole
*really* is pretty great and I've been using it a lot recently too. Then
I thought I'd just briefly add in some basic instructions for a quick 'n
dirty test in docker and here we are I guess. Hopefully someone might
find this useful and/or interesting!

I might as well add pihole also works well in business environments - it
will happily serve a busy network of <50 clients running (dedicated this
time) on a RPi3 as a DNS proxy. It plays well with a pfsense for example
as a forwarder although you might have to fiddle briefly with DNS
rebinding check settings, I did.

Feel free to ask any questions if you want to try it out or if you do,
and it doesn't work for some reason.

Cheers
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
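As an added example that is not part of the post above, nor code from the pi-hole or docker-pi-hole projects: the three "make room for the container" steps in the walkthrough (check what already owns ports 53 and 80, stop NetworkManager from spawning dnsmasq, put your own IP ahead of the existing nameserver in /etc/resolv.conf) written as small stdin-to-stdout helpers so they can be dry-run against constructed sample data before being pointed at the real files. The sample netstat output, NetworkManager.conf and resolv.conf below are made up for the demonstration; the 192.168.1.50 address is the post's own placeholder.

```sh
#!/bin/sh
# Added example, not code from the list post or from the pi-hole/docker-pi-hole
# projects. Three text-processing helpers for the pre-flight steps described
# in the post: find what already listens on 53/80, switch NetworkManager's dns=
# key off dnsmasq without touching anything else, and put a nameserver line
# ahead of the existing one in resolv.conf. They read stdin and write stdout so
# they can be dry-run on the constructed samples below; feed them the real files
# (and `sudo netstat -tulpn` / `ss -tulpn` output) once you are happy with them.

# Print "proto port program" for every listener on port 53 or 80, from
# netstat -tulpn style lines on stdin. Splits the local address on ":" and
# takes the last field, so 0.0.0.0:53, 127.0.1.1:53 and IPv6 :::53 all match
# while 5353 does not (the post's egrep ":53 " relies on the trailing space).
listeners_on_ports() {
    awk '
      /^(tcp|udp)/ {
        n = split($4, addr, ":"); port = addr[n]
        if (port == "53" || port == "80") {
          prog = $NF; sub(/^[0-9]+\//, "", prog)   # "1021/dnsmasq" -> "dnsmasq"
          print $1, port, prog
        }
      }'
}

# Rewrite only a "dns=dnsmasq" key to "dns=default". The post's
# sed 's/dnsmasq/default/g' also hits comments or any other value containing
# the word, so anchor on the key instead.
nm_dns_to_default() {
    sed 's/^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$/dns=default/'
}

# Insert "nameserver $1" directly above the first existing nameserver line
# (resolvers are tried in order), append it if there is none, and leave the
# input unchanged if that address is already listed.
resolv_prepend_nameserver() {
    awk -v ip="$1" '
      { line[++n] = $0; key[n] = $1
        if ($1 == "nameserver" && $2 == ip) have = 1 }
      END {
        for (i = 1; i <= n; i++) {
          if (!have && !done && key[i] == "nameserver") { print "nameserver " ip; done = 1 }
          print line[i]
        }
        if (!have && !done) print "nameserver " ip
      }'
}

# ---- constructed sample data (not captured from a real machine) ----
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1021/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1288/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1288/nginx
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1021/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1001/dhclient'

SAMPLE_NM_CONF='[main]
# dnsmasq is the stock Ubuntu caching resolver
plugins=ifupdown,keyfile
dns=dnsmasq

[ifupdown]
managed=false'

SAMPLE_RESOLV='# Generated by NetworkManager
search lan
nameserver 127.0.1.1'

# Dry run on the samples when executed directly.
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_ports
printf '%s\n' "$SAMPLE_NM_CONF"  | nm_dns_to_default
printf '%s\n' "$SAMPLE_RESOLV"   | resolv_prepend_nameserver 192.168.1.50
```

On a live box the same helpers are used as `sudo netstat -tulpn | listeners_on_ports`, `nm_dns_to_default < NetworkManager.conf.ORIG | sudo tee /etc/NetworkManager/NetworkManager.conf` and `resolv_prepend_nameserver 192.168.1.50 < /etc/resolv.conf`, after taking the backup the post describes. The first helper tells you which services to stop and the second only changes the one key, so the ORIG copy plus a reboot still restores everything exactly as the post says.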