So I built: Pi-hole



  • So I built a Pi-hole

    0_1540810572160_2018-10-29 06_55_31-Window.png
    On Vultr no less at that. Simple enough. But Is that all you need for ad blocking? It seems no - Pi-hole only does so much.

    I removed the Adblock extensions from Chrome and tested - there are / where ads on sites I generally go to;

    • News Sites
    • Reference Sites
    • etc,..

    While Pi-Hole is working - there are some limits; at least as it is installed with just the defaults. So, what is the real main benefit of running a Pi-Hole system if you are still going to need the browser end Adblock extensions?



  • Pihole has a set of list that it can use to dns block a lot of the really bad advertising sites.

    If you've just built, there are no default lists blocked. So you'll have to add your lists first.

    Pihole isn't a stop all, but it can quickly stop a massive amount of the dangerous or annoying ads.



  • @DustinB3403 said in So I built: Pi-hole:

    Pihole has a set of list that it can use to dns block a lot of the really bad advertising sites.

    If you've just built, there are no default lists blocked. So you'll have to add your lists first.

    Pihole isn't a stop all, but it can quickly stop a massive amount of the dangerous or annoying ads.

    WTF? No blacklists by default? Put down the meth.

    Of course it has blacklists by default.



  • @gjacobse said in So I built: Pi-hole:

    So I built a Pi-hole

    0_1540810572160_2018-10-29 06_55_31-Window.png
    On Vultr no less at that. Simple enough. But Is that all you need for ad blocking? It seems no - Pi-hole only does so much.

    I removed the Adblock extensions from Chrome and tested - there are / where ads on sites I generally go to;

    • News Sites
    • Reference Sites
    • etc,..

    While Pi-Hole is working - there are some limits; at least as it is installed with just the defaults. So, what is the real main benefit of running a Pi-Hole system if you are still going to need the browser end Adblock extensions?

    Like everything, it is about layers. Pi-Hole kills many things. When I browse news websites on my iPad at home it is amazing all the whitespace I see.



  • Dumb question πŸ˜ƒ
    How are you using this on a VM on Vultr and browsing from Home? Are you proxy'n all your traffic through it?



  • @hobbit666 Point your home DNS to your pihole on vultr.



  • @hobbit666 said in So I built: Pi-hole:

    Dumb question πŸ˜ƒ
    How are you using this on a VM on Vultr and browsing from Home? Are you proxy'n all your traffic through it?

    This makes no sense.

    You don’t need a proxy to view the web interface.

    You never send your internet traffic to a pi-hole. That is not what it does.

    You simply point your local DNS to it, either per device or in your router.



  • @JaredBusch said in So I built: Pi-hole:

    You never send your internet traffic to a pi-hole. That is not what it does.
    You simply point your local DNS to it, either per device or in your router.

    This is my issue then πŸ™‚ that's what i thought they were for, Ad blocking and content filtering.



  • @JaredBusch said in So I built: Pi-hole:

    @DustinB3403 said in So I built: Pi-hole:

    Pihole has a set of list that it can use to dns block a lot of the really bad advertising sites.

    If you've just built, there are no default lists blocked. So you'll have to add your lists first.

    Pihole isn't a stop all, but it can quickly stop a massive amount of the dangerous or annoying ads.

    WTF? No blacklists by default? Put down the meth.

    Of course it has blacklists by default.

    I read that they changed it so that you had to enable individual blacklists. Hrm now I need to find the post.



  • @NerdyDad said in So I built: Pi-hole:

    @hobbit666 Point your home DNS to your pihole on vultr.

    Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

    However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.



  • @DustinB3403 said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    @DustinB3403 said in So I built: Pi-hole:

    Pihole has a set of list that it can use to dns block a lot of the really bad advertising sites.

    If you've just built, there are no default lists blocked. So you'll have to add your lists first.

    Pihole isn't a stop all, but it can quickly stop a massive amount of the dangerous or annoying ads.

    WTF? No blacklists by default? Put down the meth.

    Of course it has blacklists by default.

    I read that they changed it so that you had to enable individual blacklists. Hrm now I need to find the post.

    It has some by default... but you can also add your own



  • @hobbit666 said in So I built: Pi-hole:

    Dumb question πŸ˜ƒ
    How are you using this on a VM on Vultr and browsing from Home? Are you proxy'n all your traffic through it?

    It's DNS, just point to it.



  • @hobbit666 said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    You never send your internet traffic to a pi-hole. That is not what it does.
    You simply point your local DNS to it, either per device or in your router.

    This is my issue then πŸ™‚ that's what i thought they were for, Ad blocking and content filtering.

    They are, via DNS like Umbrella or Strongarm.io



  • @DustinB3403 said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    @DustinB3403 said in So I built: Pi-hole:

    Pihole has a set of list that it can use to dns block a lot of the really bad advertising sites.

    If you've just built, there are no default lists blocked. So you'll have to add your lists first.

    Pihole isn't a stop all, but it can quickly stop a massive amount of the dangerous or annoying ads.

    WTF? No blacklists by default? Put down the meth.

    Of course it has blacklists by default.

    I read that they changed it so that you had to enable individual blacklists. Hrm now I need to find the post.

    There are no longer default white listed items.



  • @gjacobse said in So I built: Pi-hole:

    @NerdyDad said in So I built: Pi-hole:

    @hobbit666 Point your home DNS to your pihole on vultr.

    Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

    However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

    Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.



  • If this is just a DNS thing, what prevents someone from just changing the DNS settings on their device to bypass it? I am asking because I am actually curious.



  • @Donahue said in So I built: Pi-hole:

    If this is just a DNS thing, what prevents someone from just changing the DNS settings on their device to bypass it? I am asking because I am actually curious.

    Have your firewall only to allow pihole dns



  • @Donahue said in So I built: Pi-hole:

    If this is just a DNS thing, what prevents someone from just changing the DNS settings on their device to bypass it? I am asking because I am actually curious.

    DNS based security is for preventing honest mistakes or blocking malicious sites. It's not for stopping malicious employees looking for work arounds. Honestly, nothing really stops those, not in the real world. So trying to stop it is a lost cause and mostly just presents a challenge to people to look for ways around it. HR stops malicious stuff, this is to prevent accidents and is all normal businesses need.

    You can easily, though, stop people from changing their DNS and limit DNS traffic only to the Pi-Hole, though, if you want another step.



  • I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.



  • @Donahue said in So I built: Pi-hole:

    I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

    Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.



  • @scottalanmiller said in So I built: Pi-hole:

    @Donahue said in So I built: Pi-hole:

    I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

    Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.

    right, this seems more like a web filter, which is still nice to have from time to time. But I would agree that web filters are more like a bandaid for HR issues. I say that also having mine turned on with my Fortigates.



  • @Donahue said in So I built: Pi-hole:

    @scottalanmiller said in So I built: Pi-hole:

    @Donahue said in So I built: Pi-hole:

    I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

    Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.

    right, this seems more like a web filter, which is still nice to have from time to time. But I would agree that web filters are more like a bandaid for HR issues. I say that also having mine turned on with my Fortigates.

    I feel like filters are generally a bandaid, yes. But I like the Pi-Hole approach because it stops accidental things. Its' not like locking things down and freaking out about people doing things that they shouldn't be doing. It's about stopping Betty in accounts from clicking the wrong link on Google and being taken to a hijacked advertisement, or lowering the bandwidth used on the network by not allowing DoubleClick tracking ads through, or not having so many unnecessary images load on web pages... things like that.

    Pi-Hole is "make life easier for your users" level security, not "distrust your users and lock them down" security.



  • @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    @NerdyDad said in So I built: Pi-hole:

    @hobbit666 Point your home DNS to your pihole on vultr.

    Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

    However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

    Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

    No - nothing like that. I just expect that when rebooted the IP may change.



  • @gjacobse said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    @NerdyDad said in So I built: Pi-hole:

    @hobbit666 Point your home DNS to your pihole on vultr.

    Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

    However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

    Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

    No - nothing like that. I just expect that when rebooted the IP may change.

    Vultr is a VPS provider. They don't change IP addresses of deployed systems.

    What are you talking about?



  • @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    @NerdyDad said in So I built: Pi-hole:

    @hobbit666 Point your home DNS to your pihole on vultr.

    Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

    However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

    Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

    No - nothing like that. I just expect that when rebooted the IP may change.

    Vultr is a VPS provider. They don't change IP addresses of deployed systems.

    What are you talking about?

    Having not used them before - yes @NTG and @scottalanmiller does. but not myself. I didn't know. If it doesn't change,.. it doesn't. Nothing else I need to do.... moving on.



  • so - I have this show up.. since my system is open.

    0_1540851467593_2018-10-29 18_16_20-Window.png

    0_1540851512657_2018-10-29 18_18_15-Window.png

    Should they be blacklisted? or allowed?



  • @gjacobse said in So I built: Pi-hole:

    so - I have this show up.. since my system is open.

    0_1540851467593_2018-10-29 18_16_20-Window.png

    0_1540851512657_2018-10-29 18_18_15-Window.png

    Should they be blacklisted? or allowed?

    That's not what that blacklist means. I am assuming those IP addresses are not yours.



  • @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    so - I have this show up.. since my system is open.

    0_1540851467593_2018-10-29 18_16_20-Window.png

    0_1540851512657_2018-10-29 18_18_15-Window.png

    Should they be blacklisted? or allowed?

    That's not what that blacklist means. I am assuming those IP addresses are not yours.

    They are not. And you are right. In this case, not blacklist.. FW maybe..



  • @gjacobse said in So I built: Pi-hole:

    @JaredBusch said in So I built: Pi-hole:

    @gjacobse said in So I built: Pi-hole:

    so - I have this show up.. since my system is open.

    0_1540851467593_2018-10-29 18_16_20-Window.png

    0_1540851512657_2018-10-29 18_18_15-Window.png

    Should they be blacklisted? or allowed?

    That's not what that blacklist means. I am assuming those IP addresses are not yours.

    They are not. And you are right. In this case, not blacklist.. FW maybe..

    Correct. If that is what you want, then you need to look at restricting access to the Pi-Hole instance in the first place.

    There is a thread on that here somewhere. But That is more work than it is worth IMO.

    What I would do is setup the Vultr Firewall and add an allow for your network. Use ARIN to look up the range your ISP uses. Then add a drop all for all other traffic on port 53.

    If you expand this to family, add their IP block as well.

    Not 100% solid, but much less likely to be randomly hit.