{"id":1827,"date":"2021-07-03T21:16:13","date_gmt":"2021-07-04T01:16:13","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=1827"},"modified":"2021-07-03T21:16:13","modified_gmt":"2021-07-04T01:16:13","slug":"pi-hole-a-black-hole-for-advertisements","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2021\/pi-hole-a-black-hole-for-advertisements\/","title":{"rendered":"Pi-Hole &#8211; a Black Hole for Advertisements"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1833\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/pi-hole.png\" alt=\"\" width=\"1200\" height=\"371\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/pi-hole.png 1200w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/pi-hole-500x155.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/pi-hole-1024x317.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/pi-hole-768x237.png 768w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Pi-hole\">Pi-hole<\/a> was first released back in 2015. I&#8217;m not certain when I became aware of it, but given my interest in the Raspberry Pi I&#8217;m pretty sure I heard about it fairly soon afterwards. I did find this tweet from 2016.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/t.co\/7M8SONbPv6\">https:\/\/t.co\/7M8SONbPv6<\/a> &#8211; a raspberry pi based ad blocking solution. Clever, uses pi-based DNS server to block, provides stats etc. 
<a href=\"https:\/\/twitter.com\/hashtag\/rpi?src=hash&amp;ref_src=twsrc%5Etfw\">#rpi<\/a><\/p>\n<p>&mdash; Roo (@andrew_low) <a href=\"https:\/\/twitter.com\/andrew_low\/status\/706843078167011328?ref_src=twsrc%5Etfw\">March 7, 2016<\/a><\/p><\/blockquote>\n<p>Now while I was aware of the project, I didn&#8217;t start running it for a while. It was only at some point during my <a href=\"https:\/\/lowtek.ca\/roo\/2016\/server-upgrade-part-1-the-build\/\">containerization of my server<\/a> that I started to run pi-hole in a container (Oct 2018, give or take a bit).<\/p>\n<p>Running it as a container isn&#8217;t too hard &#8211; but you&#8217;ll probably have to <a href=\"https:\/\/askubuntu.com\/questions\/907246\/how-to-disable-systemd-resolved-in-ubuntu\">turn off the DNS server<\/a> that is already running to avoid the port conflict.<\/p>\n<p>Here is the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Make_(software)\">Makefile<\/a> I was using to manage my pi-hole deployment.<\/p>\n<pre class=\"lang:default decode:true \">#\r\n# pi-hole\r\n# https:\/\/hub.docker.com\/r\/pihole\/pihole\/\r\n#               \r\nIPV4 := $(shell ip route get 8.8.8.8 | awk '{ print $$(NF-2); exit }')\r\nIPV6 := $(shell ip -6 route get 2001:4860:4860::8888 | awk '{for(i=1;i&lt;=NF;i++) if ($$i==\"src\") print $$(i+1)}')\r\n                \r\n# ServerIP is required for pi.hole to resolve locally\r\nbuild:          \r\n        docker create \\\r\n                --name pihole \\\r\n                --dns=127.0.0.1 \\\r\n                --dns=8.8.8.8 \\\r\n                -p 53:53\/tcp -p 53:53\/udp \\\r\n                -p 8080:80\/tcp \\\r\n                -v \"$(CURDIR)\/pihole\/:\/etc\/pihole\/\" \\\r\n                -v \"$(CURDIR)\/dnsmasq.d\/:\/etc\/dnsmasq.d\/\" \\\r\n                -e ServerIP=\"$(IPV4)\" \\\r\n                -e ServerIPv6=\"$(IPV6)\" \\\r\n                -e 
WEBPASSWORD=secretPassword \\\r\n                --restart=unless-stopped \\\r\n                pihole\/pihole:latest\r\n        \r\n# Start the container\r\nstart:  \r\n        docker start pihole\r\n        \r\n# Update image\r\nupdate:\r\n        docker pull pihole\/pihole\r\n        - docker rm -f pihole-old\r\n        docker rename pihole pihole-old\r\n        make build\r\n        docker stop pihole-old\r\n        make start\r\n\r\nrollback:\r\n        docker stop pihole\r\n        docker start pihole-old\r\n        docker rm pihole\r\n        docker rename pihole-old pihole\r\n<\/pre>\n<p>Unfortunately &#8211; something happened to my configuration \/ state &#8211; such that I could not update my container without it hanging. Fortunately having the rollback target let me quickly restore the previous version. I&#8217;ve tested the makefile on another temporary machine and it appeared to work, so it should be a reasonable base if you wanted to go the container route.<\/p>\n<p>One of the problems of running in a container is the networking in general. I struggled with the mapping of the web UI access as the same machine is also running my public facing <a href=\"https:\/\/lowtek.ca\/roo\/2019\/wordpress-migration\/\">web server<\/a>. While I could map the DNS port (53) and access it over IPv6 &#8211; all of the IPv6 traffic appeared as if it were coming from the docker network vs. 
from the source machines.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1834\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/container-pi-hole.png\" alt=\"\" width=\"1200\" height=\"588\" srcset=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/container-pi-hole.png 1200w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/container-pi-hole-500x245.png 500w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/container-pi-hole-1024x502.png 1024w, https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2021\/07\/container-pi-hole-768x376.png 768w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/p>\n<p>This takes away from one of the great values of running pi-hole &#8211; the additional insight it gives you to what your various devices are doing on the network. With the docker networking mess, I was missing all of the IPv6 traffic effectively (because I couldn&#8217;t tell the devices apart).<\/p>\n<p>After stalling on the decision, and some explorations on how I could use <a href=\"https:\/\/lowtek.ca\/roo\/2020\/docker-and-macvlan-networking-ipv4\/\">macvlan support in docker<\/a> to give a container a unique (from the host) IP address &#8211; I just bought some nice hardware to solve the problem. Setting that hardware up is covered in the <a href=\"https:\/\/lowtek.ca\/roo\/2021\/raspberry-pi-ubuntu-server\/\">previous post<\/a>.<\/p>\n<p>Now we can install <a href=\"https:\/\/pi-hole.net\/\">pi-hole<\/a>. 
I would encourage you to read the script before just piping it into bash; however, in the big picture we&#8217;re going to trust the folks that wrote this code to also provide updates &#8211; and those updates could be evil too.<\/p>\n<pre class=\"lang:default decode:true \"># Very scary but easy way to install\r\ncurl -sSL https:\/\/install.pi-hole.net | bash<\/pre>\n<p>The script is interactive; you&#8217;ll need to answer some questions to perform the install. I found it interesting that the setup script doesn&#8217;t ask for IPv6 DNS servers, but does allow you to specify custom IPv4 servers. During the setup it looks like it is changing my network setup to be a static IP address. Once the install script has finished I know I&#8217;m going to have to tweak things.<\/p>\n<p>Since the default web password is generated, you probably want to set one.<\/p>\n<pre class=\"lang:default decode:true \">pihole -a -p<\/pre>\n<p>Visiting the web interface under &#8220;Settings-&gt;DNS&#8221; I added my upstream IPv6 DNS servers. I&#8217;m using the <a href=\"https:\/\/www.cira.ca\/cybersecurity-services\/canadian-shield\/configure\">CIRA DNS<\/a> and if you&#8217;re a Canadian I would encourage you to do the same.<\/p>\n<p>On the same settings page I enabled conditional forwarding and specified my local LAN range and main router, which is running my DHCP server. It was pointed out to me that <a href=\"https:\/\/discourse.pi-hole.net\/t\/top-client-queries-show-ipv6-ula-instead-of-hostname\/47994\/2?u=roo\">additional configuration is required for IPv6 conditional forwarding<\/a>; I haven&#8217;t done this yet.<\/p>\n<p>My <a href=\"https:\/\/openwrt.org\/\">OpenWRT<\/a> router provides multiple IPv6 addresses and the IPv6 address the setup script detected isn&#8217;t the right one.\u00a0 Poking around, it appears <code>\/etc\/pihole\/setupVars.conf<\/code> contains the information and I just need to tweak it. 
Generally you should not change that file by hand, but I did for this one thing and it fixed the problem.<\/p>\n<p>As I feared, the setup script changed my <code>\/etc\/dhcpcd.conf<\/code> to reflect a static IP address. I may later change this, but I had already effectively tweaked the DHCP server to answer with the same static address.<\/p>\n<p>At this point &#8211; I have a working pi-hole, I just need to configure some clients to point there.<\/p>\n<p>As mentioned above, I run OpenWRT as my router.\u00a0 There are two places we need to configure to point all DNS queries to the pi-hole. This can be done by modifying how it responds to DHCP requests &#8211; as it will provide the DNS server as part of that transaction.<\/p>\n<p>An alternative approach to this would be to set your upstream DNS server to be the pi-hole. I didn&#8217;t take this approach because I was concerned about DNS loops, and networking was a lot more complicated when things were in a container; the approach I&#8217;ll cover is what worked with the container version as well.<\/p>\n<p>The DNS entry that is provided by the DHCP exchange is easy to find in the config file <code>\/etc\/config\/dhcp<\/code> &#8211; there are two lines in a section that looks like:<\/p>\n<pre class=\"lang:default decode:true \">config dhcp 'lan'\r\n\toption interface 'lan'\r\n\toption start '100'\r\n\toption limit '150'\r\n\toption leasetime '12h'\r\n\toption dhcpv6 'server'\r\n\toption ra 'server'\r\n\toption ra_management '1'\r\n\tlist dhcp_option '6,149.112.121.30'\r\n\tlist dns '2620:10A:80BB::30'<\/pre>\n<p>Finding the place in the <a href=\"https:\/\/openwrt.org\/docs\/guide-user\/luci\/start\">LuCI<\/a> UI to add these always causes me to stumble around for a while. The two options <code>list dhcp_option<\/code> and <code>list dns<\/code> are in slightly different places.<\/p>\n<p>The IPv4 setting can be found under <code>Network-&gt;Interfaces<\/code>, edit your LAN interface. 
Then pick the <code>Advanced<\/code> tab. We need to add a DHCP option <code>6,149.112.121.30<\/code>.<\/p>\n<p>Then select the <code>IPv6 Settings<\/code> tab. Here we add <code>2620:10A:80BB::30<\/code> to the <code>Announced DNS Servers<\/code> section.<\/p>\n<p>Once you&#8217;ve done this your pi-hole will start getting traffic from devices that get an address on your network. You may have to wait for the devices to update their connections.<\/p>\n<p>I noticed that IPv6 addresses were not reverse mapping &#8211; but specifically asking my router for the bad addresses seems to indicate that it also can&#8217;t reverse map, so maybe there is an OpenWRT problem here. Also &#8211; it seemed to get better after a while, and more address-&gt;name mappings were discovered. I <a href=\"https:\/\/discourse.pi-hole.net\/t\/top-client-queries-show-ipv6-ula-instead-of-hostname\/47994\/1\">asked in the pi-hole forum<\/a> about this behaviour.<\/p>\n<p>It turns out that this is an <a href=\"https:\/\/discourse.pi-hole.net\/t\/ip-addresses-on-the-dashboard-are-not-replaced-by-names-from-the-network-table-if-they-cannot-be-associated-with-a-mac-address-immediately\/47021\">ordering problem<\/a>. Pi-hole won&#8217;t look up a failed address again, but it does build the network table and bind things together by MAC address. The workaround is to modify your <code>\/etc\/pihole\/pihole-FTL.conf<\/code> to have <code>REFRESH_HOSTNAMES=ALL<\/code>. The slight downside is that every hour there will be a storm of reverse DNS lookups as all hosts are refreshed.<\/p>\n<p>A few final observations.<\/p>\n<ul>\n<li>The magic DNS name pi.hole now works on my network. This brings you directly to the pi-hole dashboard.<\/li>\n<li>Tools-&gt;Network shows lots more useful information. In docker you didn&#8217;t get MAC addresses and generally things were more chaotic.<\/li>\n<li>Pi-hole is blocking more than 1\/3 of the DNS lookups. 
Sure some of this is because the ad-software is probably failing and trying again, but still that&#8217;s a lot of DNS queries.<\/li>\n<li>I discovered the <a href=\"https:\/\/docs.pi-hole.net\/database\/gravity\/groups\/\">Group Management<\/a> feature, and this seems to be a way to allow clients to <a href=\"https:\/\/docs.pi-hole.net\/database\/gravity\/example\/\">opt out of ad blocking<\/a>. This is super useful as previously I was just changing the DNS on the clients.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pi-hole was first released back in 2015, I&#8217;m not certain when I became aware of it but given my interest in the Raspberry Pi I&#8217;m pretty sure I heard about it fairly soon afterwards. I did find this tweet from 2016 https:\/\/t.co\/7M8SONbPv6 &#8211; a raspberry pi based ad blocking solution. Clever, uses pi-based DNS server &hellip; <a href=\"https:\/\/lowtek.ca\/roo\/2021\/pi-hole-a-black-hole-for-advertisements\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Pi-Hole &#8211; a Black Hole for 
Advertisements&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12,20],"tags":[],"class_list":["post-1827","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to","category-pi-hole"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1827"}],"version-history":[{"count":7,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1827\/revisions"}],"predecessor-version":[{"id":1837,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1827\/revisions\/1837"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}