Setting up Pi-hole

Interestingly, Pi-hole doesn't know how to set up a static address when being installed on Ubuntu 24.04.

It creates a dhcpcd.conf file but dhcpcd isn't included with Ubuntu 24.04 so creating that doesn't actually do anything. I had to set it manually by editing /etc/netplan/50-cloud-init.yaml, changing the permissions on that file and then running sudo netplan apply.

Code:
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    renderer: networkd
    ethernets:
        enp1s0:
            dhcp4: no
            addresses:
              - 192.168.1.2/24
            routes:
              - to: default
                via: 192.168.1.1
            nameservers:
              addresses: [8.8.8.8, 8.8.4.4]
    wifis: {}
 
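The manual fix described above (disable cloud-init's network rendering, write a static netplan file, tighten its permissions, then apply) is easy to get wrong by hand, and a typo in the address or gateway takes the box off the network. This is an added example, not from the post or from Pi-hole: a small Python helper that validates the values with the standard `ipaddress` module, renders the same YAML shape as the file above, writes the `99-disable-network-config.cfg` file named in netplan's own header comment, and sets the config to mode 0600 (netplan warns about world-readable files). The interface name, addresses and directory paths are taken from the post; `dry_run()` is a hypothetical helper that writes into a temporary directory so the script can be tried without root.

```python
import ipaddress
import os
import tempfile
from pathlib import Path

# Paths as used on Ubuntu 24.04 (the cloud-init disable file name comes from
# the netplan header comment in the post above).
NETPLAN_DIR = "/etc/netplan"
CLOUD_CFG_DIR = "/etc/cloud/cloud.cfg.d"
DISABLE_FILE = "99-disable-network-config.cfg"


def render_netplan(iface, cidr, gateway, nameservers):
    """Return netplan YAML for a static IPv4 address on `iface`.

    Values are validated first so a typo fails here, not after
    `netplan apply` has dropped the link.
    """
    addr = ipaddress.ip_interface(cidr)          # e.g. 192.168.1.2/24
    gw = ipaddress.ip_address(gateway)
    if gw not in addr.network:
        raise ValueError(f"gateway {gw} is not inside {addr.network}")
    ns = ", ".join(str(ipaddress.ip_address(n)) for n in nameservers)
    return (
        "network:\n"
        "    version: 2\n"
        "    renderer: networkd\n"
        "    ethernets:\n"
        f"        {iface}:\n"
        "            dhcp4: no\n"
        "            addresses:\n"
        f"              - {addr.with_prefixlen}\n"
        "            routes:\n"
        "              - to: default\n"
        f"                via: {gw}\n"
        "            nameservers:\n"
        f"              addresses: [{ns}]\n"
    )


def write_static_config(yaml_text, netplan_dir=NETPLAN_DIR,
                        cloud_dir=CLOUD_CFG_DIR, filename="50-cloud-init.yaml"):
    """Write the netplan file with mode 0600 and stop cloud-init regenerating it.

    Returns (netplan_path, cloud_init_disable_path).
    """
    netplan_path = Path(netplan_dir) / filename
    cloud_path = Path(cloud_dir) / DISABLE_FILE
    netplan_path.parent.mkdir(parents=True, exist_ok=True)
    cloud_path.parent.mkdir(parents=True, exist_ok=True)
    cloud_path.write_text("network: {config: disabled}\n")
    netplan_path.write_text(yaml_text)
    os.chmod(netplan_path, 0o600)  # netplan complains about world-readable config
    return netplan_path, cloud_path


def file_mode(path):
    """Permission bits of `path` (e.g. 0o600)."""
    return os.stat(path).st_mode & 0o777


def dry_run(iface="enp1s0", cidr="192.168.1.2/24", gateway="192.168.1.1",
            nameservers=("8.8.8.8", "8.8.4.4")):
    """Hypothetical helper: render and write into a temp dir instead of /etc."""
    base = tempfile.mkdtemp(prefix="netplan-dryrun-")
    yaml_text = render_netplan(iface, cidr, gateway, nameservers)
    return write_static_config(yaml_text, netplan_dir=f"{base}/netplan",
                               cloud_dir=f"{base}/cloud")


if __name__ == "__main__":
    np_path, ci_path = dry_run()
    print(f"wrote {np_path} (mode {oct(file_mode(np_path))}) and {ci_path}")
    print("Review the files, copy them into place as root, then run "
          "`sudo netplan try` before `sudo netplan apply`.")
```

`netplan try` applies the configuration and rolls it back automatically unless you confirm it within the timeout, which is the safer first step on a headless Pi-hole host.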
@Feek I'm glad you got it working. Did you ever try AdGuard Home? Spin one up if not, it takes barely a moment using their install script. It works on macOS, *BSD and *nix, and simply unpacks the latest release to /opt and installs a service. It comes with DoH, DoT, DoQ and DNSCrypt available by default, both up and downstream. It's much nicer to work with than Pi-Hole + FTL + Cloudflared + whatever, accepts full AdBlock syntax and is very fast. I try Pi-Hole et al. once a year or so just to see what's new, but AGH still outpaces it imo. You can set up acme.sh or similar for certs and away you go.

In other news, I'm glad to see that HaGeZi's lists have taken off so much. They were practically unknown when I started using them back when, and now he's everywhere. Good for him, they're a superbly curated set of lists. :)

Adguard user here - also has the benefit of having lists for parental controls, e.g. adult content, gambling etc.

Got the main instance running on my proxmox server, with a failover running on a pi zero 2w, and keepalived running to maintain seamless connectivity (has been "tested" a few times when I've knocked the server's network cable out of the switch - currently sat on the floor of my office while I'm decorating :p )
 
just buy a mini pc to run it on

I must admit, I'm tempted to do this with the pi-hole and reduce it down to a single device.

Something like

For £80 that's a bargain for a good Pi-Hole mini PC.

It's working well.

 
It's working well.
Missed your post. Glad it is working well. My RPi4 has had to be manually reset several times this week. I just lose connectivity that resolves itself when I take the power out of the Pi and wait a few seconds. It's a timely reminder to get my new NAS built and then convert my current Lenovo tiny PC into my new Pi-Hole device.

I don't know if it's coincidence but since I added the Hagezi lists and took the previous lists off my blocking percentage has pretty much doubled! I used to get between 12 and 19% blocked, and I could never understand why it varied. Now I'm getting above 30%; it's 32.4% right now. I guess the Hagezi lists are blocking more sites that my browsing covers than the previous lists?

Anyway, I'm sure most of you knew about Pi-Hole v6 having been in the works for ages. Seems it's almost ready! https://pi-hole.net/blog/2024/08/18/preparing-for-the-v6-release/
 
Great thread. I used to run Pi on my QNAP Nas and at some point an upgrade messed it up so I had removed and forgotten about it.

This thread made me reinstall it last night again and I've got it running just fine at the moment with the Hagezi's lists mentioned earlier.
 
I had a play with Pi-Hole v6 dev in an LXC container this morning. Much improved over the previous versions, dumped lighttpd and php and it's nice and light/responsive. They've finally integrated TLS into the webUI natively, but unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear. :( I'll keep an eye on it, maybe one day.
 
500.000 works a treat for my home setting. It's well worth a try!
Code:
/ip/dns/adlist/print                                                                                                 
Flags: X - disabled                                   
 0   url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt" match-count=7473 name-count=508159

/ip/dns/print       
                      servers:
              dynamic-servers:
               use-doh-server: https://cloudflare-dns.com/dns-query
              verify-doh-cert: yes
   doh-max-server-connections: 2
   doh-max-concurrent-queries: 100
                  doh-timeout: 6s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 100000KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
           mdns-repeat-ifaces:
                   cache-used: 59262KiB
                  
/ip/dns/static/print
Columns: NAME, TYPE, ADDRESS, TTL
# NAME                TYPE  ADDRESS         TTL
;;; defconf
0 therouter.lan       A     192.168.88.1    1d
1 cloudflare-dns.com  A     104.16.248.249  1d
2 cloudflare-dns.com  A     104.16.249.249  1d
 
unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear
Precisely the reason why anyone concerned about privacy or tracking should not be using PiHole. It's a bit of a joke that the devs haven't implemented yet.
 
I had a play with Pi-Hole v6 dev in an LXC container this morning. Much improved over the previous versions, dumped lighttpd and php and it's nice and light/responsive. They've finally integrated TLS into the webUI natively, but unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear. :( I'll keep an eye on it, maybe one day.

Thanks for the heads-up on this. It's the biggest reason I switched to AdGuard Home in a docker container. Wondering if my Pi2 (currently running only PiHole) would be up to running another instance of AdGuard Home as a secondary/backup for my network.

I think I'm at the point where I will block all DNS traffic out of my network, relying on the AGHs to get results over port 443.
 
Thanks for the heads-up on this. It's the biggest reason I switched to AdGuard Home in a docker container. Wondering if my Pi2 (currently running only PiHole) would be up to running another instance of AdGuard Home as a secondary/backup for my network.

I think I'm at the point where I will block all DNS traffic out of my network, relying on the AGHs to get results over port 443.
RasPi 2 would smash AGH, the requirements are minuscule. I'm running our family network (home and remote clients, ~150k queries per day) on a single core Alpine LXC container that's taking up 240MB of RAM for the whole system, and load average is almost 0.
 
There's likely going to be some obscure device which is using hard coded DNS lookups which could break, wouldn't surprise me at all.
I can set the rule up on my UniFi gateway but as an allow + logging, then have a quick look through the log after a week or so. I'm sure I could find if anything is leaking (and also give me a bit of time to see if I can hijack/reroute the DNS via the gateway :D ).
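The "allow + log for a week, then read the log" approach above is the right order of operations before turning the rule into a block: it shows which devices have hard-coded resolvers without breaking them first. As an added example (not from the post, and not tied to UniFi's own log format, which is not shown here), this Python script parses firewall log lines in the common netfilter `SRC=... DST=... DPT=...` style, ignores the hosts that are allowed to talk DNS upstream (the AdGuard Home instances), and summarises every other host that sent plain DNS (53) or DoT (853) to the internet. The sample log lines and the addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG style; a real gateway's format may differ,
# so adjust LINE_RE to match your own log lines.
SAMPLE_LOG = """\
Aug 20 10:01:02 gw kernel: [DNS-LOG] IN=br0 OUT=eth0 SRC=192.168.1.2 DST=1.1.1.1 PROTO=UDP SPT=51234 DPT=53 LEN=60
Aug 20 10:01:05 gw kernel: [DNS-LOG] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=8.8.8.8 PROTO=UDP SPT=41000 DPT=53 LEN=58
Aug 20 10:03:11 gw kernel: [DNS-LOG] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=8.8.8.8 PROTO=UDP SPT=41001 DPT=53 LEN=61
Aug 20 10:04:40 gw kernel: [DNS-LOG] IN=br0 OUT=eth0 SRC=192.168.1.90 DST=9.9.9.9 PROTO=TCP SPT=50022 DPT=853 LEN=52
Aug 20 10:05:00 gw kernel: [WEB-LOG] IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.5 PROTO=TCP SPT=50100 DPT=443 LEN=52
Aug 20 10:05:03 gw systemd[1]: Started some unrelated service.
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Ports that carry DNS leaving the LAN. DoH (443) is indistinguishable from
# normal HTTPS at this layer, so it is deliberately not listed.
DNS_PORTS = {53: "plain DNS", 853: "DoT"}


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a log line, or None if absent."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_leakers(lines, allowed_sources):
    """Map each LAN host (other than the allowed resolvers) to the DNS
    destinations it contacted: {src: {(dst, kind): count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in DNS_PORTS:
            continue
        if rec["src"] in allowed_sources:
            continue
        report[rec["src"]][(rec["dst"], DNS_PORTS[rec["dpt"]])] += 1
    return {src: dict(dests) for src, dests in report.items()}


def format_report(report):
    """Human-readable summary, one line per host and destination."""
    lines = []
    for src in sorted(report):
        for (dst, kind), count in sorted(report[src].items()):
            lines.append(f"{src} -> {dst} ({kind}) x{count}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.168.1.2 stands in for the AdGuard Home host; every other source
    # sending DNS out of the network is a candidate for a hard-coded resolver.
    leaks = find_leakers(SAMPLE_LOG.splitlines(), allowed_sources={"192.168.1.2"})
    print(format_report(leaks) or "no DNS leaving the LAN from other hosts")
```

Once the list is empty (or every remaining host has been redirected at the gateway), the same rule can be switched from allow to drop. Devices that use DoH to a public resolver will not appear here at all, which is the limitation of any port-based check.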
 
I'm having loads of trouble with Pihole DNS resolution on iOS and MacOS devices and particularly, Safari. I've disabled private relay, I've disabled the tracker & website blocking in Safari, I've disabled "Limit IP Address Tracking" on the WiFi connections, I've cleared DNS cache etc...

Sometimes it works, sometimes it doesn't. I started around the time I moved away from my MikroTik router and onto this terrible Virgin Media Hub 5x. Since it doesn't allow setting DNS from the DHCP server, I've had to add my DNS server manually to the WiFi settings. I've kept my UniFi APs. The Hub 5x doubles as a fibre ONT and currently cannot operate as a modem only. The main issues I see are:

1. Local server hostname resolution doesn't work (I have a domain that PiHole redirects locally to the server IP) some of the time. When it doesn't resolve, it tries to get to the domain externally (which I own through CloudFlare, but there is nothing hosted externally) and I get the CloudFlare error page instead of what's on port 80/443 of my server. The server isn't externally accessible obviously.
2. Local CNAME setup for the above hostname that I use in conjunction with Traefik to access other services on the server hardly ever works on Safari.
3. Some domains just fail to resolve. Public ones. They work when moving to 4G connection.

On MacOS, Firefox works most of the time with the local resources, but still has issues with some public ones. I also observed some of this happening when roaming from one AP to another, so I've disabled one of my APs and it's helped a little, but I'm still seeing the issue. Using DNS lookups in terminal usually, but not always, resolves. I can't see a pattern. Local server sometimes works, sometimes not.

I'm thinking there's multiple things at play here:
1. Safari and Apple devices are not behaving themselves and respecting DNS config, despite disabling all obvious options. Maybe they are trying to still use private relay (which I understand is Apple DoH?)?
2. The new Virgin Media router is doing some sort of DNS hijack or interference of its own, sometimes, meaning some things don't ever hit the Pihole.
3. Pihole is responding but the response is getting hijacked by the new router also?

The Hub 5x has hardly any user controls, so fixing anything there is unlikely. I can't see any way to inspect or setup logs for DNS traffic either.

I thought I could try running Pihole as the DHCP server also, which I can disable on the router, but not sure if this will really make a difference.

I thought also maybe I should move to a DoH solution (e.g. AdGuard or Technitium - anyone using that?) then maybe I can bypass some of these issues? Although local DoH is kind of pointless, it may allow me to avoid some of the hijacking if that's the cause, but getting DoH to work on Apple devices (which most of my network is) could be a complex issue, not sure. Probably should be using outbound DoH anyway, which I don't think Pihole can do yet.

Any thoughts on how I could properly and logically troubleshoot this and maybe consider a change of setup to help get it back under control? Nothing worse than randomly flaky devices that I can't see a pattern to.
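The three hypotheses in the post above (the Apple devices not using the configured resolver, the ISP router interfering with queries, or Pi-hole's answers being altered in transit) can be separated by sending the same query directly to each resolver from the affected Mac and comparing the raw answers, rather than relying on Safari's behaviour. This is an added example, not from the post or from Pi-hole: a dependency-free Python script that builds a DNS query, parses the reply (including CNAME chains and compressed names, which matters for the Traefik CNAME case), and runs it against a list of resolvers. The resolver addresses are placeholders to replace with your own Pi-hole and a public resolver; `CONSTRUCTED_RESPONSE` is a hand-built reply used to exercise the parser offline.

```python
import socket
import struct
import random


def build_query(name, qid, qtype=1):
    """Build a standard recursive query (RD=1) for `name`; qtype 1 = A."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return {'id', 'rcode', 'answers'}; answers are (name, type, value)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        elif rtype == 5:
            target, _ = read_name(msg, off)
            answers.append((name, "CNAME", target))
        else:
            answers.append((name, str(rtype), rdata.hex()))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def query_resolver(server, name, timeout=2.0):
    """Send one UDP query to `server` and return the parsed reply or an error string."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, (src, _) = s.recvfrom(4096)
        except socket.timeout:
            return "timeout (query never answered: not reaching the resolver, or reply dropped)"
    reply = parse_response(data)
    if reply["id"] != qid:
        return f"transaction id mismatch from {src} (reply not for our query)"
    if src != server:
        return f"reply came from {src}, not {server} (something is intercepting port 53)"
    return reply


def compare_resolvers(name, servers):
    """Query every resolver for `name` so the answers can be read side by side."""
    return {server: query_resolver(server, name) for server in servers}


# Constructed reply: home.example.com CNAME srv.example.com, srv.example.com A 192.168.1.10,
# with the second name written as a compression pointer as real servers do.
CONSTRUCTED_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x04home\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03srv\xc0\x11"
    + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.168.1.10")
)

if __name__ == "__main__":
    # Placeholders: put your Pi-hole's address first, then a public resolver.
    RESOLVERS = ["192.0.2.10", "1.1.1.1"]
    for server, result in compare_resolvers("home.example.com", RESOLVERS).items():
        print(server, "->", result)
```

Reading the output: a timeout or a reply from a different source address on the Pi-hole line points at the router (hypotheses 2 and 3); a correct answer from the Pi-hole while Safari still fails points at the device or browser not using the configured resolver (hypothesis 1), which `dscacheutil -q host -a name ...` on macOS can then confirm from the system resolver's point of view. Note that the ordinary system resolver on iOS and macOS does not query the resolver list in a fixed order, so a single flaky secondary DNS entry is enough to produce the intermittent pattern described.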
 