Setting up Pi-hole

[Feek]

I've got two of those little mini Dells already, one's an i5-7500T which I think was originally a 5th gen but I upgraded the CPU and when it's running, I can hear the fan most of the time. The other one is an i7-13700T and I sometimes hear that when it's running. They're both normally switched off and run ham radio software when I specifically need a Windows PC. The second one was supposed to replace the first one but I've got a couple of things I've not been able to shift over so that's why I still have two

I suppose a third wouldn't be out of the question.

 

[MarcLister]

As far as I'm aware, I've not had anything blocked that shouldn't be.

Couldn't get my work helpdesk to load this morning. Checked the site in another browser and same thing. Tried the site on my work laptop and it's fine. Once I was sure the Pi-Hole hadn't crashed I realised it must have been one of the new lists I started using last week. Sure enough I found that the .support domain was in the commonly mis-used TLDs list. I added .support to the whitelist, re-enabled the list and all good now.

 

[Feek]

Is that a generic .support or a specific domain? If the latter, I'd contact him and ask for it to be removed.

 

[MarcLister]

It's a specific domain for my work's helpdesk. I think it makes sense for .support to be on the list. I've easily added an exception for my work helpdesk so don't see the need to make a fuss. Unless there's a good reason to?

 

[Feek]

I don't consider reporting a false positive to be a fuss

 

[MarcLister]

I don't consider reporting a false positive to be a fuss

Ah, think I misunderstood you. The listing in the relevant file was "||support^". That got my work helpdesk blocked. The actual domain that I use wasn't itself blocked, just the TLD it uses.

 

[Feek]

Gotcha, no, not a lot you can do about that one.

 

[MarcLister]

Gotcha, no, not a lot you can do about that one.

Indeed. Easily fixed once I established my Pi-Hole was running and accessible via my work laptop using a VPN client, it was just a few clicks to add an exception for .support. I then realised it might be better to put my work's helpdesk domain in rather than a blanket .support as I only use .support TLD for work so no need to completely open myself up to any issues from non work .support domains.

 

[Feek]

I found a false positive in the threat intelligence full feed, reported it before I went to bed and it was resolved by this morning. That is a big list, I may switch to the medium version.

 

[Ad_Augendae]

Over the last few weeks, I've been playing with the adlists used. For ages, all I had was the Hagezi light list but I thought it'd be interesting to start increasing it. I went to the medium list and tested it, then I went to the pro list. That was all good so I've added extras.

I now use the following:

Hagezi Pro list

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt

Hagezi threat intelligence feed full

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt

Hagezi fakes

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/fake.txt

Hagezi pop-ups

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/popupads.txt

Hagezi badware hoster

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/hoster.txt

Hagezi known malicious top level domains

https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/spam-tlds-adblock.txt

I have two items in my whitelist and that's to allow clickable links from google searches (this is legacy, may not be needed any more) and a handful of manual blacklist items, just stuff I don't want on my network.

As far as I'm aware, I've not had anything blocked that shouldn't be.

I'll give these a try, the tif file is around 700,000 entries so that pushes my cache upto 100MB with all of them. I'll let you know if I have any trouble.
Cheers.

ip/dns/adlist/print
Flags: X - disabled
 0   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt" ssl-verify=no match-count=0 name-count=726379

 1   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt " ssl-verify=no match-count=276 name-count=161330

 2   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/fake.txt " ssl-verify=no match-count=0 name-count=29761

 3   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/popupads.txt " ssl-verify=no match-count=3 name-count=79880

 4   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/hoster.txt " ssl-verify=no match-count=0 name-count=1831

 5   url="https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/spam-tlds-adblock.txt " ssl-verify=no match-count=0
     name-count=106

Edit:
Those don't work for me, although hits are registering, after I flushed my local cache and router cache and loaded hosts based lists it's now working again,
meaning I can only use the hosts based url's so spm-tlds,hoster,popupads and fake are adblock only format. well I don't see the others in the hosts format anyway. But i could have missed something!

 

[Feek]

Did you guys try DoH with pihole yet?

No, I really don't care about that.

I have now. I've installed Pi-hole on the little Dell that's mentioned above and I followed this guide to set it up before I even installed the Pi-hole. I didn't want to try it on an already configured Pi-hole in case it all went titsup.

The process described on that guide doesn't work for getting cloudflared on with Ubuntu but I assume it'll work correctly on Raspbian. Everything else was OK though.

All appears to be working.

 

[Ad_Augendae]

I have now. I've installed Pi-hole on the little Dell that's mentioned above and I followed this guide to set it up before I even installed the Pi-hole. I didn't want to try it on an already configured Pi-hole in case it all went titsup.

The process described on that guide doesn't work for getting cloudflared on with Ubuntu but I assume it'll work correctly on Raspbian. Everything else was OK though.

All appears to be working.

I've not tried it on a amd64/32 bit based system Feek I would start here https://github.com/cloudflare/cloudflared
I'll set one up tomorrow and try and help, it's pretty simple though, It's just a proxy and when done you point your pi-hole @ 127.0.0.1#5353

 

[Feek]

I've not tried it on a amd64/32 bit based system Feek I would start here https://github.com/cloudflare/cloudflared
I'll set one up tomorrow and try and help, it's pretty simple though, It's just a proxy and when done you point your pi-hole @ 127.0.0.1#5353

No need, it's all done. If you see the guide I linked, everything is there, it's just that the repository address thing is a little different for Ubuntu.

 

[Ad_Augendae]

No need, it's all done. If you see the guide I linked, everything is there, it's just that the repository address thing is a little different for Ubuntu.

Yeah I guess you pointed at the arm.deb etc, all good

 

[Feek]

Doesn't work on Ubuntu.

echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee  /etc/apt/sources.list.d/cloudflared.list

Does work on Ubuntu.

echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list

 

[Ad_Augendae]

Superb, let us know how you get on!

 

[Rainmaker]

@Feek I'm glad you got it working. Did you ever try AdGuard Home? Spin one up if not, it takes barely a moment using their install script. It works on macOS, *BSD and *nix, and simply unpacks the latest release to /opt and installs a service. It comes with DoH, DoT, DoQ and DNSCrypt available by default, both up and downstream. It's much nicer to work with than Pi-Hole + FTL + Cloudflared + whatever, accepts full AdBlock syntax and is very fast. I try Pi-Hole et al. once a year or so just to see what's new, but AGH still outpaces it imo. You can set up acme.sh or similar for certs and away you go.

In other news, I'm glad to see that HaGeZi's lists have taken off so much. They were practically unknown when I started using them back when, and now he's everywhere. Good for him, they're a superbly curated set of lists.

 

[ChrisD.]

Yeah, Adguard Home is much nicer, I tried both a few years ago.

 

[Ad_Augendae]

@Feek Try other providers as well, quad9.com lookup is a bit quicker than cloudflare in my testing.
192.168.0.254 is my router and 192.168.0.8 in the pi-hole on pi4, the first test both are using upstream https://1.0.0.1/dns-query and the second set of tests
192.168.0.254 is still using upstream https://1.0.0.1/dns-query with the pi 192.168.0.8 swapped to https://dns.quad9.net/dns-query
All other tests are over port 53
So thats DoH vs DoH vs standard dns with my router winning the cache argument!

Both cloudflared...

192.168.0.8 swapped to quad9

I use this format in the below file for quick swap by moving the # to disable the dns I'm not using.

sudo nano /etc/default/cloudflared
# CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
CLOUDFLARED_OPTS=--port 5053 --upstream https://dns.quad9.net/dns-query  --upstream https://dns.quad9.net/dns-query

when your done

sudo systemctl restart cloudflared

I'm not getting into the other there is a whole thread on it!

 

[Feek]

I've already set up Quad9 as the primary and Cloudflare as the secondary

Not really interested in looking at Adguard Home, I don't have the ability to just spin stuff up here and what I've got works perfectly well, especially as I don't mind a bit of tinkering.