1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Linux PiHole setup advice

Discussion in 'Software' started by Sentinel-R1, 8 Feb 2021.

  1. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    I've just set up a pihole on my home network, and whilst it's working reasonably well with the default list by Steven Black, there's still some ads getting through.

    I was wondering if any of you use pihole and could offer advice on adlists and general setup to maximise the benefits without hindering the browsing experience.

    Cheers.
     
  2. yuusou

    yuusou Multimodder

    Joined:
    5 Nov 2006
    Posts:
    2,492
    Likes Received:
    567
    What DNS servers are you using. Some ISPs route certains domains through "internal" (to the ISP) IPs to avoid certain blocklists. I saw this a lot in the US while using DNS66 on my Android phone, but not so much here in the Netherlands.
     
  3. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    I've set the IP of the pihole as my DNS within Unifi so all devices on the network use the pihole - and then within the pihole, I've set CloudFlare as the DNS as they have slightly more privacy friendly policies with regard to logging of DNS queries.
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    You can avoid this by using DNS-over-HTTPS (or any of the other DNS-over-something-that-isn't-DNS alternatives). For Pihole, you do it using Cloudflare's cloudflared.
    I use the following lists, in addition to Black's:

    https://phishing.army/download/phishing_army_blocklist_extended.txt
    https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
    https://urlhaus.abuse.ch/downloads/hostfile/
    https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
    https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
    https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
    https://blocklistproject.github.io/Lists/phishing.txt
    https://blocklistproject.github.io/Lists/abuse.txt
    https://blocklistproject.github.io/Lists/scam.txt
    https://v.firebog.net/hosts/Easylist.txt
    https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
    https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
    https://adaway.org/hosts.txt

    In total, that blocks around 724,000 domains, and I see about 22 percent of my network's queries filtered - though the overwhelming majority of those blocks aren't adverts but tracking, primarily from devices like the kids' Amazon Fire tablets trying to phone home every 20 minutes...

    I also run uBlock Origin, DuckDuckGo's extension, PrivacyBadger, and Decentraleyes in the browser, on top of the network-level filtering. Oh, and my DNS goes over DoH to Cloudflare's 1.1.1.2 and 1.0.0.2, which do abuse blocking at their end.
     
    Yaka and Sentinel-R1 like this.
  5. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    Perfect, thanks Gareth. I'll add those to pihole and see what the experience is like.

    Do you find any issues with media or smart TVs? I've read that some users have introduced issues with Netflix, Prime etc with certain pihole configs.
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    I don't have a smart TV, but I do stream Netflix, Amazon Prime Video, BBC iPlayer, and Disney+ on a PS4 and an Xbone - not had a single problem.
     
    Sentinel-R1 likes this.
  7. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    That's good to know. I'll go ahead and get those adlists updated then, much appreciated.

    Did you make any other changes to the pihole default config that you would recommend?
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    Other than switching to DNS-over-HTTPS, I don't think so.
     
    Sentinel-R1 likes this.
  9. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    I'm aready using CloudFlare as the upstream DNS within pihole, so should be good to go then. Thanks again.
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    Nup: that's not DNS-over-HTTPS, it's straightforward DNS - which means your ISP knows exactly what DNS queries you're making ('cos they're not encrypted) *and* can hijack queries as per @yuusou above.

    You need to manually install cloudflared, set it running on Cloudflare's DoH servers, and then disable all upstream DNS on the Pihole apart from localhost on whatever port you've got cloudflared using. Sounds complicated, but really isn't - should only take a few minutes.
     
  11. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    Ah ha! Right, I shall give that a go too then. Thanks for explaining that, as that's quite a big difference to what I previously understood (or not as it seems!).
     
  12. liratheal

    liratheal Sharing is Caring

    Joined:
    20 Nov 2005
    Posts:
    12,132
    Likes Received:
    1,460
    While you're at it, look into your router and forcing all DNS traffic to your pihole - A lot more 'Smart' devices are hardcoding their DNS these days, so will bypass local DNS blackholes like PiHole.

    Also, pray you're not using Unifi kit, because doing that is a right pain in the rectum.


    Oh, and I dunno if they fixed it, but the cloudflared thing described above, I had issues with that on a Zero because it's either not maintained for the old ARM architecture, or at the time wasn't, so if you have a problem installing it, and you're using an older ARM device, that might be why!

    I had an issue with Xbox achievements popping with the Pihole, apparently some of the XBL services are blocked on the default lists.

    I have had issues with The Escapist and their CDN, brid.tv & pico.tools are in my list, and I'm quite sure that's just for Escapist content.

    As for lists I use;

    https://github.com/deathbybandaid/p...scribable-Lists/CountryCodesLists/Germany.txt - Likely useless to you, if you're not in Germany.
    https://dbl.oisd.nl/ - Fairly comprehensive, includes a lot of the default stuff too though, so YMMV

    These I must have had a reason for, but have honest to god forgotten what it was;

    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
    https://mirror1.malwaredomains.com/files/justdomains
    http://sysctl.org/cameleon/hosts
    https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
    https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
    https://hosts-file.net/ad_servers.tx


    I explicitly whitelisted these domains for XBL (There might be some other MS domains.. I can't remember what else I whitelisted..);

    mobile.pipe.aria.microsoft.com
    halowaypoint.com
    vortex.data.microsoft.com
    telemetry.svc.halowaypoint.com
    playfabapi.com
    www.msftncsi.com
    outlook.office365.com
    products.office.com
    c.s-microsoft.com
    i.s-microsoft.com
    login.live.com
    login.microsoftonline.com
    g.live.com
    dl.delivery.mp.microsoft.com
    geo-prod.do.dsp.mp.microsoft.com
    displaycatalog.mp.microsoft.com
    clientconfig.passport.net
    v10.events.data.microsoft.com
    v20.events.data.microsoft.com
    client-s.gateway.messenger.live.com
    xbox.ipv6.microsoft.com
    device.auth.xboxlive.com
    title.mgt.xboxlive.com
    xsts.auth.xboxlive.com
    title.auth.xboxlive.com
    ctldl.windowsupdate.com
    attestation.xboxlive.com
    xboxexperiencesprod.experimentation.xboxlive.com
    xflight.xboxlive.com
    cert.mgt.xboxlive.com
    xkms.xboxlive.com
    def-vef.xboxlive.com
    notify.xboxlive.com
    help.ui.xboxlive.com
    licensing.xboxlive.com
    eds.xboxlive.com
    www.xboxlive.com
    v10.vortex-win.data.microsoft.com
    settings-win.data.microsoft.com
     
    Sentinel-R1 likes this.
  13. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    Thank you very much! Those whitelists may be particularly useful for me too, so very much appreciated.
     
  14. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    Yaka and liratheal like this.
  15. liratheal

    liratheal Sharing is Caring

    Joined:
    20 Nov 2005
    Posts:
    12,132
    Likes Received:
    1,460
    Noted!

    I knew one of the lists would be default, but as mentioned, the memory is fuzzy having had this running for longer than ten minutes.
     
  16. Sentinel-R1

    Sentinel-R1 Chaircrew

    Joined:
    13 Oct 2010
    Posts:
    2,150
    Likes Received:
    268
    Thanks to everyone for the recommendations. Over the last 24hrs, the adlists and whitelist suggestions have increased the amount of blocked traffic with no noticeable detrimental effect to browsing.

    I’ll get round to DoH later this week or weekend! So far, so good. Wish I’d sorted this PiHole out sooner!
     
  17. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    14,411
    Likes Received:
    3,205
    Aaaaah, *that's* why it's stopped working:

    upload_2021-2-19_9-21-16.png

    Can't find any evidence of the so-called "free, non-commercial version of our threat intel, ShadowNet" existing anywhere, though.
     
    Yaka and Sentinel-R1 like this.
  18. lxrysprtmscl

    lxrysprtmscl Minimodder

    Joined:
    8 Sep 2008
    Posts:
    149
    Likes Received:
    6
    I haven't used PiHole since 2019 and am solely relying on browser level blocking because of ever-changing living arrangements, but these are a few of the sites I pulled my lists from back in the day.

    Lists are in alphabetical order, otherwise in no particular order:
    Collection of various lists

    And perhaps this wiki may be useful, as well?
     
    Sentinel-R1 likes this.

Share This Page