Ad Blocking With Pi Hole

Network-wide ad blocking via your own Linux hardware

Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

From the Pi-hole Overview:

Easy-to-install: versatile installer, takes less than ten minutes

Resolute: content is blocked in non-browser locations, such as ad-laden mobile apps and smart TVs

Responsive: speeds up browsing by caching DNS queries

Lightweight: runs smoothly with minimal hardware and software requirements

Robust: command line interface quality assured for interoperability

Insightful: responsive Web Interface dashboard to view and control Pi-hole

Versatile: optionally functions as DHCP server, ensuring all your devices are protected automatically

Scalable: capable of handling hundreds of millions of queries when installed on server-grade hardware

Modern: blocks ads over both IPv4 and IPv6

Free: open source software

Of Note
* Cited from docs.pi-hole.net.

The Pi-hole setup offers 8 options for an upstream DNS Provider during the initial setup.

Utilize the Pi-hole command line interface with ease.

Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS.

After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server(s).

Updating is as simple as running the following command: pihole -up

Pi-hole Installation

I installed Pi-hole on a Raspberry Pi 2 Model B running Raspbian Stretch (November 2018, 4.14 kernel).

Figure 1: Pi-hole on Raspberry Pi 2 Model B

There is a one-step automated installation method for those who want to get started quickly and conveniently, using the following command:

curl -sSL https://install.pi-hole.net | bash

There are alternative installation methods if you’re not comfortable piping to bash.

Piloting Pi-hole

Once you’ve completed installation, browse to the IP address you established during setup. After running Pi-hole for even a few hours, it will begin to serve you as designed, and well at that.

Figure 2: Pi-hole at work

Take note of the fact that 17.9% of traffic, 532 specific queries, was blocked. Pi-hole’s Gravity script is key here: “Gravity is one of the most important scripts of Pi-hole. Its main purpose is to retrieve blocklists, and then consolidate them into one unique list for the built-in DNS server to use, but it also serves to complete the process of manual whitelisting, blacklisting and wildcard update. It is run automatically each week, but it can be invoked manually at any time.”
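The Gravity consolidation described above, as an added example (my own code, not Pi-hole’s gravity script, which is written in bash and stores its results differently): it merges constructed sample feeds in the two common formats, hosts-file and bare-domain, into one unique set, lets the whitelist win over every blocklist, and models how a wildcard entry blocks a domain together with its subdomains. The feed contents and helper names are assumptions for the example.

```python
import re
# Constructed sample feeds (not real blocklists): one in hosts-file format, one as a
# bare domain list. Comments and a stock "localhost" entry are included on purpose.
HOSTS_FEED = """\
# constructed hosts-format feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # trailing comment
0.0.0.0 localhost
0.0.0.0 ADS.EXAMPLE.NET
"""
DOMAIN_FEED = """\
# constructed bare-domain feed
telemetry.example.com
cdn.example.com
"""
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

def parse_list(text):
    """Yield normalized domains from a hosts-format or bare-domain list."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if len(fields) > 1 else fields  # skip the IP column
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
                continue   # drop stock hosts entries and malformed names
            yield name

def build_gravity(feeds, whitelist=()):
    """Merge every feed into one unique set; the whitelist wins over all of them."""
    blocked = set()
    for feed in feeds:
        blocked.update(parse_list(feed))
    return blocked - {w.lower() for w in whitelist}

def is_blocked(domain, gravity, whitelist=(), wildcards=()):
    """Decide one query: whitelist first, then wildcard entries, then gravity."""
    d = domain.lower().rstrip(".")
    if d in whitelist:
        return False
    if any(d == w or d.endswith("." + w) for w in wildcards):
        return True   # a wildcard blocks the domain and all of its subdomains
    return d in gravity

def as_hosts(gravity, sink="0.0.0.0"):
    """Render the consolidated list in hosts format pointing at the sinkhole."""
    return "".join(f"{sink} {d}\n" for d in sorted(gravity))
```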

As seen in Figure 3, Pi-hole takes exception to a number of offending domains.

Figure 3: Pi-hole blocks

192.168.248.12 is my iPhone on my local network. You can see that between Apple, Microsoft, and other domains, there’s more than a bit of content in their ad streams that is flagged as less than desirable via Pi-hole’s Block Lists.

Enjoy the use and benefits of Pi-hole. I’d really like to hear about your success stories and how you’re running Pi-hole (what hardware platforms?).

Let me know via Twitter or email. Cheers…until next time.

Russ McRee | @holisticinfosec

Russ McRee

184 Posts
ISC Handler
I supplement with DShield lists too :)
RyanG

2 Posts
I'm running pihole on Ubuntu server 18.04. Re-purposed an old workstation. Some may need to add a few of the whitelists that are out there. Several legitimate referrers occasionally will get blocked.
jono

10 Posts
I've been using PiHole on my home network on a Pi3+ for a while and it hasn't missed a beat.

Worth pointing it to SANS own suspicious domain feeds, which are in a compatible format to help add another layer of defence against malicious activity.

Link:https://isc.sans.edu/suspicious_domains.html
Kurtz30

1 Posts
I've been running pihole installed on a Raspberry Pi3+ for the past few months and it's been bulletproof and mostly transparent. It routinely blocks in excess of 15% and makes browsing cleaner because I don't need to see the ads that it's blocking. I have been impressed with usability. When I have had questions, the community appears to be very active and responsive. I have always found my answers within the pihole community.

You need to be conscious that while you are browsing there may be some legitimate content blocked. This usually presents itself as a blank or non-responsive page. In that case you will need to whitelist the domain so that Pihole admits the content.
patman

1 Posts
Been running my Pi-hole at home for over a year and love it. However, there's one major issue that never seems to get covered in the discussions.

I run a VPN client on all my clients for increased privacy & security...and when that VPN client is working correctly (i.e. not leaking DNS requests), all DNS requests go to their resolvers not the local Pi-hole so you're back to getting ads again.

It seems you have a choice. Use a VPN with all the advantages it provides and get bombarded with ads again or disable the VPN, lose the advantages it provides but have a better ad-free experience.

Not sure if anyone has any ideas on this conundrum.
Ned

1 Posts
I've been using PiHole on a Raspberry Pi 3B+ running Raspbian for a few weeks now and it looks good. I'm using it on my home network, using a Raspberry Pi that was already acting as a file server and network music player. I like how it makes websites load faster on my phone, as well as providing a second level of ad blocking on my PC. I like the fact that they use their own custom version of dnsmasq so that the software is not affected by updates from the distribution vendor. It is very easy to use.
Anonymous
You should be able to install VPN client software on your pi-hole and use it as your gateway to route all your browsing and DNS lookups over the VPN.
Anonymous
Pi-Hole is an awesome project, is priced right, and runs well on cheap hardware. Even better, the dev is a nice guy: he even sent me stickers!
Will E.

1 Posts
CentOS 7.x installation setup: handlers.sans.edu/gbruneau/…
Guy

446 Posts
ISC Handler
I've been running Pi-Hole on a Beaglebone Black for a few years now and it's awesome. I definitely recommend it.
KPryor

9 Posts
That's a nice alternative, although I'm always disappointed with how-to documents that start with "Disable SELinux".
Anonymous
Quoting KPryor: I've been running Pi-Hole on a Beaglebone Black for a few years now and it's awesome. I definitely recommend it.

Did it take a lot of time and effort to adjust to Pi-Hole on a Beaglebone Black, KPryor?
Anonymous
I've been using Pi-hole for my work, and 10-20% blocking is normal. Once in a great while I have to whitelist something, but it mostly works.

For anyone wanting to know which upstream DNS provider to use, I did some tests last April 2018, and Quad9 came out the winner overall with the most bad stuff blocked (but still only ~20%). The free version of Opendns did horrible in blocking bad stuff, and Comodo had so many problems, often failing to return any answer, that I can't recommend them. I hope to do a follow-up test this year.

To Quad9's credit, after I published my results I got contacted by them asking for my results and how I found the sites, to which I shared my raw data and methods. Hopefully they used that to improve their filtering. No other DNS provider bothered.
R

36 Posts
Is it easy to reconfigure to produce blackhole lists for Bind?
Anonymous