Block everything evil using Pi-hole

Fight against tracking, spying and ads

Until recently I was using my own solution to block Trackers, Ads and other unwanted network traffic. My solution works pretty well for years. Now I have replaced it by Pi-hole which is an open-source software which can run nicely on a cheap Raspberry Pi.

Pi-hole is easy to install, easy to use and offers a great user interface that gives you a great overview of what’s going on on your network and easy black- and whitelist maintenance.

Pi-hole also offers an API which will be integrated in NetworkToolbox soon.

What Pi-hole does

Pi-hole simply replaces your default DNS Server which is usually the DNS Server of your Internet Service Provider (ISP). A DNS Server will be used to translate a domain name (e.g. google.com) to an IP Address (e.g. 216.58.205.238). For domains on a black-list, Pi-hole simply return an invalid IP Address (0.0.0.0) so that such an address will not be contacted.

This way, traffic to unwanted tracking, spying websites and weblinks providing Ads can be blocked.

This not just increases privacy, but it also speeds up your browsing experience quite noticeable.

It works for all devices on your network, even Smart TVs, iPad, iPhone, Toaster (if connected to the Network).

What Pi-hole does not

Pi-hole is not a regular Ad-Blocker. It also doesn’t capture/intercept network traffic, nor is it a firewall. It just blocks access to certain internet domains.

So you will still see some Ads on websites where the Ad comes from another trusted website or even from the same website. But these can be considered as relatively harmless.

Traffic capturing usually slows down network traffic and firewalls are quite complex to maintain.

But Pi-hole is easy to use, even speeds up internet access and for me, it blocks almost everything I wish to block which is about 50% of my total internet network traffic.

Installing Pi-hole

In the past, software was usually installed individually by downloading, configuring and running the software. Nowadays there is Docker. Docker is a piece of Software that let’s you download pre-configured software packages (docker images) mostly provided by the Software supplier or the community. Docker images extremely simplifiers the installation process. Unlike virtualization solutions, Docker images are running at full speed and natively on each platform.

Docker can be maintained using the command line, but it’s much easier to use a graphical user interface called Portainer which itself can be installed as docker image.

1. Setup your Raspberry Pi

You can use an existing, already setup Raspberry pi or setup a new one. There are many resources on the web which describe how to setup a Raspberry Pi so I don’t create another one here. Just browse and pick one that best fits for you.

However, here are some reminders/suggestions:

  • I suggest using the small Raspbian Stretch Lite image
  • The default credentials are Username: pi and Password: raspberry
  • For the first start you will need a keyboard/monitor because SSH is disable by default. If you don’t have a keyboard/monitor, you can enable SSH by creating an empty file called ssh (without extension) on the /boot partition of your SD-Card.
  • You should assign a fixed IP address for your Raspberry Pi
  • Don’t forget to start sudo raspi-config and
    • Change the default password
    • Expand the File System
    • Change your local timezone

2. Install Docker

After connecting to your Raspberry Pi using SSH, enter the following commands:

curl -sSL https://get.docker.com | sh

and

sudo gpasswd -a pi docker

Now, better reboot by entering:

sudo reboot

3. Install Portainer

Now, back on SSH enter the following commands to install Portainer on Docker:

docker volume create portainer_data
docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer

To check if Portainer is running, enter:

docker ps

You should see something like:

4. Run and setup Portainer

Assuming your Raspberry Pi is at 192.168.1.100, open your Browser and enter http://192.168.1.100:9000 which brings up the admin Setup Screen where you need to enter a username and pick a password for the administrator.

Next, you need to select “Local” and click on “Connect”.

5. Install and set-up Pi-hole

In the left navigation pane, click on “Containers” and “Add Container”. Enter a Name for the Container (e.g. Pihole) then enter the name of the Docker image that needs to be used. Here, enter pihole/pihole which will be changed to pihole/pihole:latest if recognized.

I recommend to just open the necessary ports here. For this click on “map additional port” and enter the ports as shown below (note port 53 is mapped for both TCP and UDP):

Next, under Advanced container settings, select Volumes then click on “map additional volume” and enter the values as shown below (note: to enter the host value you need to click on the bind button)

Now you need to set a few Environment variables for Pi-hole. For this click on “Env” and “add environment variable” to add the Variables as shown below. For the TZ value, pick the right value from this website. For WEBPASSWORD, you need to enter a Password which is later used to administer Pi-hole.

Finally click on “Restart Policy” and select “Unless stopped”

Now click on “Deploy the container”. After a while, the Pi-hole container should be up and running and “Healthy”.

Now, you should be able to open the Pi-hole Admin page by visiting your Raspberry Pi’s IP Address and adding /admin to it (e.g. http://192.168.1.100/admin)

Now, click on Settings to change some initial settings as shown below:

Here, Quad9 and Cloudflare are selected as “Upstream” DSN Servers. These are the DNS Servers Pi-Hole is using if a domain is not blacklisted. Using the “Use DNSSEC” setting will even encrypt such queries to these DNS Servers.

6. Activating and using Pi-hole

The last step to do is to instruct your Router to use your Raspberry Pi Pi-hole Server as DNS Server. Most routers have a corresponding setting in their Web admin interface similar to this:

In this case, you need to enter the IP Address as “Static DNS 1”.

There are additional options described on the Pi-hole website but in most cases, you should be able to find such a setting in your Router.

Once that’s done, you should see more and more domains which were blocked on the Pi-hole dashboard.

7. What else?

Maintain your black and whitelists

There are several blacklist sources pre-configured which should be fine. It makes no sense to add all available blocklists as they are often redundant and may even contain domains you don’t want to block.

The best thing to fine-tune Pi-hole is by looking under “Query-log” and see if there are any green unblocked domains where you can’t find any reason for and to try to put them on the blacklist by clicking the button on the right side.

If it turns out that something is no longer working, just try to whitelist a previously blocked domain and see if this solved the problem.

Use Pi-hole from outside your home

While this works pretty well on your local network, you can also take advantage of this solution while on the road. For this, you just need to setup a so called VPN and configure to use this VPN on your mobile device. This will even safeguard your connection if you are using a poorly secured hotel WiFi access point. My suggestion is to use the softether VPN which can also be setup on a (or the same) Raspberry Pi. Softether supports L2TP/IPSec and no additional software is needed on your iPhone or iPad.