Setting up Pi-hole

Interestingly, Pi-hole doesn't know how to set up a static address when being installed on Ubuntu 24.04.

It creates a dhcpcd.conf file but dhcpcd isn't included with Ubuntu 24.04 so creating that doesn't actually do anything. I had to set it manually by editing /etc/netplan/50-cloud-init.yaml, changing the permissions on that file and then running sudo netplan apply.

Code:
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    renderer: networkd
    ethernets:
        enp1s0:
            dhcp4: no
            addresses:
              - 192.168.1.2/24
            routes:
              - to: default
                via: 192.168.1.1
            nameservers:
              addresses: [8.8.8.8, 8.8.4.4]
    wifis: {}
 
@Feek I'm glad you got it working. Did you ever try AdGuard Home? Spin one up if not, it takes barely a moment using their install script. It works on macOS, *BSD and *nix, and simply unpacks the latest release to /opt and installs a service. It comes with DoH, DoT, DoQ and DNSCrypt available by default, both up and downstream. It's much nicer to work with than Pi-Hole + FTL + Cloudflared + whatever, accepts full AdBlock syntax and is very fast. I try Pi-Hole et al. once a year or so just to see what's new, but AGH still outpaces it imo. You can set up acme.sh or similar for certs and away you go.

In other news, I'm glad to see that HaGeZi's lists have taken off so much. They were practically unknown when I started using them back when, and now he's everywhere. Good for him, they're a superbly curated set of lists. :)

Adguard user here - also has the benefit of having lists for parental controls, e.g. adult content, gambling etc.

Got the main instance running on my proxmox server, with a failover running on a pi zero 2w, and keepalived running to maintain seamless connectivity (has been "tested" a few times when I've knocked the server's network cable out of the switch - currently sat on the floor of my office while I'm decorating :p )
 
just buy a mini pc to run it on

I must admit, I'm tempted to do this with the pi-hole and reduce it down to a single device.

Something like

For £80 that's a bargain for a good Pi-Hole mini PC.

It's working well.

 
It's working well.
Missed your post. Glad it is working well. My RPi4 has had to be manually reset several times this week. I just lose connectivity that resolves itself when I take the power out of the Pi and wait a few seconds. It's a timely reminder to get my new NAS built and then convert my current Lenovo tiny PC into my new Pi-Hole device.

I don't know if it's coincidence but since I added the Hagezi lists and took the previous lists off my blocking percentage has pretty much doubled! I used to get between 12 and 19% blocked, and I could never understand why it varied. Now I'm getting above 30%; it's 32.4% right now. I guess the Hagezi lists are blocking more sites that my browsing covers than the previous lists?

Anyway, I'm sure most of you knew about Pi-Hole v6 having been in the works for ages. Seems it's almost ready! https://pi-hole.net/blog/2024/08/18/preparing-for-the-v6-release/
 
Great thread. I used to run Pi on my QNAP Nas and at some point an upgrade messed it up so I had removed and forgotten about it.

This thread made me reinstall it last night again and I've got it running just fine at the moment with the Hagezi's lists mentioned earlier.
 
I had a play with Pi-Hole v6 dev in a LXC container this morning. Much improved over the previous versions, dumped lighttpd and php and it's nice and light/responsive. They've finally integrated TLS into the webUI natively, but unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear. :( I'll keep an eye on it, maybe one day.
 
500.000 works a treat for my home setting. It's well worth a try!
Code:
/ip/dns/adlist/print                                                                                                 
Flags: X - disabled                                   
 0   url="https://raw.githubusercontent.com/hagezi/dns-blocklists/main/hosts/pro.txt" match-count=7473 name-count=508159

/ip/dns/print       
                      servers:
              dynamic-servers:
               use-doh-server: https://cloudflare-dns.com/dns-query
              verify-doh-cert: yes
   doh-max-server-connections: 2
   doh-max-concurrent-queries: 100
                  doh-timeout: 6s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 100000KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                          vrf: main
           mdns-repeat-ifaces:
                   cache-used: 59262KiB
                  
/ip/dns/static/print
Columns: NAME, TYPE, ADDRESS, TTL
# NAME                TYPE  ADDRESS         TTL
;;; defconf
0 therouter.lan       A     192.168.88.1    1d
1 cloudflare-dns.com  A     104.16.248.249  1d
2 cloudflare-dns.com  A     104.16.249.249  1d
 
unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear
Precisely the reason why anyone concerned about privacy or tracking should not be using PiHole. It's a bit of a joke that the devs haven't implemented it yet.
 
I had a play with Pi-Hole v6 dev in a LXC container this morning. Much improved over the previous versions, dumped lighttpd and php and it's nice and light/responsive. They've finally integrated TLS into the webUI natively, but unfortunately still no upstream support for encrypted DNS providers, so everything's still being sent out in the clear. :( I'll keep an eye on it, maybe one day.

Thanks for the heads-up on this. It's the biggest reason I switched to AdGuard Home in a docker container. Wondering if my Pi2 (currently running only PiHole) would be up to running another instance of AdGuard Home as a secondary/backup for my network.

I think I'm at the point where I will block all DNS traffic out of my network, relying on the AGHs to get results over port 443.
 
Thanks for the heads-up on this. It's the biggest reason I switched to AdGuard Home in a docker container. Wondering if my Pi2 (currently running only PiHole) would be up to running another instance of AdGuard Home as a secondary/backup for my network.

I think I'm at the point where I will block all DNS traffic out of my network, relying on the AGHs to get results over port 443.
RasPi 2 would smash AGH, the requirements are minuscule. I'm running our family network (home and remote clients, ~150k queries per day) on a single core Alpine LXC container that's taking up 240MB of RAM for the whole system, and load average is almost 0.
 
There's likely going to be some obscure device which is using hard coded DNS lookups which could break, wouldn't surprise me at all.
I can set the rule up on my UniFi gateway but as an allow + logging, then have a quick look through the log after a week or so. I'm sure I could find if anything is leaking (and also give me a bit of time to see if I can hijack/reroute the DNS via the gateway :D ).
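The "allow + log for a week, then read the log" approach above is the part that does not need any gateway-specific tooling: once the gateway writes one line per outbound DNS packet, a small script can turn a week of lines into a list of devices that are bypassing the local resolvers. The block below is an added example, not code from this thread or from UniFi/AdGuard Home. It assumes an iptables-style log line format (`SRC= DST= PROTO= SPT= DPT=`), a LAN of 192.168.1.0/24 and a resolver at 192.168.1.2, all of which are constructed for the example; the sample log lines are made up. It flags LAN hosts, other than the resolvers themselves, that send DNS (port 53) or DNS-over-TLS (port 853) to addresses outside the LAN. It deliberately does not try to spot DoH, because port 443 alone cannot separate DoH from ordinary HTTPS.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, loosely modelled on an iptables/netfilter log prefix.
# Field names and values are assumptions for this example, not real UniFi output.
SAMPLE_LOG = """\
[DNS-OUT-LOG] SRC=192.168.1.10 DST=1.1.1.1 PROTO=UDP SPT=51234 DPT=53
[DNS-OUT-LOG] SRC=192.168.1.2 DST=1.1.1.1 PROTO=TCP SPT=44321 DPT=853
[DNS-OUT-LOG] SRC=192.168.1.57 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
[DNS-OUT-LOG] SRC=192.168.1.57 DST=8.8.4.4 PROTO=UDP SPT=40002 DPT=53
[DNS-OUT-LOG] SRC=192.168.1.2 DST=104.16.248.249 PROTO=TCP SPT=44322 DPT=443
[DNS-OUT-LOG] SRC=192.168.1.99 DST=192.168.1.2 PROTO=UDP SPT=50000 DPT=53
some unrelated line that should be ignored
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+"
    r"SPT=\d+\s+DPT=(?P<dpt>\d+)"
)

# Plain DNS and DNS-over-TLS. DoH rides on 443 and is not separable by port,
# so it is intentionally not in this set.
DNS_PORTS = {53, 853}


def parse_line(line):
    """Return (src, dst, proto, dport) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_dns_leaks(log_text, lan_cidr, resolvers):
    """Map each LAN host that talks DNS to an outside address, other than the
    permitted resolvers, to the sorted list of (destination, port) it used."""
    lan = ip_network(lan_cidr)
    allowed = {ip_address(r) for r in resolvers}
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if dport not in DNS_PORTS:
            continue  # not DNS/DoT; DoH on 443 needs other evidence
        if src_ip not in lan or dst_ip in lan:
            continue  # only LAN clients talking to outside resolvers count
        if src_ip in allowed:
            continue  # the local resolvers are expected to talk upstream
        leaks[src].add((dst, dport))
    return {src: sorted(targets) for src, targets in leaks.items()}


def leak_report(leaks):
    """One human-readable line per offending host."""
    return [
        f"{src} -> " + ", ".join(f"{dst}:{port}" for dst, port in targets)
        for src, targets in sorted(leaks.items())
    ]


if __name__ == "__main__":
    result = find_dns_leaks(SAMPLE_LOG, "192.168.1.0/24", ["192.168.1.2"])
    for line in leak_report(result):
        print(line)
```

Run against the constructed log, 192.168.1.10 and 192.168.1.57 are reported (hard-coded 1.1.1.1 and Google resolvers), while 192.168.1.2's own upstream traffic and the client at 192.168.1.99 that correctly uses the local resolver are not. Once the list is empty for a week, the allow rule can be flipped to a block with some confidence about what will break.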
 