Electrical-Forenics Home ray@RayFranco.com                       601.529.7473
   © Dr. Ray Franco, PhD, PE  -  208 Fairways Dr., Vicksburg, MS 39183

Pi-hole - OS-64 "Bullseye"

Pi-hole can block most 3rd parity ads. It will not block ads that are served from the same server that holds the contents e.g. Google Services, YouTube, Facebook. It also will not block the popup that appears on every stackexchange.com page wanting you to enable cookie!

This site has ads galore, and pihole blocks all of them:
 
Linux Hints Find Tutorial

These sites also have numerious ads, and Pi-hole blocks most of them:
 
Linux itsfoos.com
 
Linuxuprising,com
 
Some of the worst sites that serve adds, are tutorials on Linux and those that answer Linux questions.

Pi-Hole Setup

You can install Pi-hole with the following command:
 
curl -sSL https://install.pi-hole.net | bash
 
or the following two commands:
 
wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

In order to use Pi-hole as a DNS server, I had to configure Firewalld:
sudo firewall-cmd --zone=internal --add-service=dns -- permanent

The Raspberry Pi does not a graphical Network Manager so I had to change the /etc/resolv.conf file. I copied /etc/resolvconf.conf to resolv.config, and changed the named servered IP to the static IP of the Raspberry Pi.

Pi-hole installs the web server "php", and you access its console via the web sever. In order to access Pi-hole's console, I had to configure Firewalld:
sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 -- permanent # whitelist local computers
sudo firewall-cmd --zone=internal --add-service=http --permanent

From examing the crontab file for Pi-hole, /etc/cron.d/Pihole, Pi-hole updates the add source one week on Sunday at random in the early morning. It looks like it also runs an update checker and may be updating itself. Pi-hole also creates log files.

Recursive DNS Server - Unbound

Pi-hole can do more than filter adds. I added the recursive doman name server (dns) "unbound". Mostly, I followed the instructions at: https://docs.pi-hole.net/guides/dns/unbound, which was last updated on December 28, 2021. The following is a PDF version of the referenced page that details what I did: details . The instructions include two commands for validating that unbound is working correctly:
 
dig sigok.verteiltesysteme.net @127.0.0.0.1 -p 5335
 
dig sigfail.verteiltesysteme.net @127.0.0.0.1 -p 5335
 
It was not initially clear to me what the output of the instructions should look like. They should look like this.

The configuration file for unbound is given above documention. To check that this file is valid, run:
 
sudo /usr/sbin/unbound-checkconf

Raspberry Pi Router

My goal is to turn the Raspberry Pi into a router with Pi-hole. The same goal as Reference 1.

From what I read on the Internet, OpenWRT is a software router that will run on the Raspberry Pi. However, its a custom embedded Linux distro. Therefore, I do not believe it will recieve the security updates that a distro based off of Debian would. In addition, it might not have the flexibility to add other components such as Pi-hole, unbound, and a Network Sniffer. It was released in 2004 so it should be very stable. The network engineer with a pony tail in Reference 4, uses OpenWRT. He also uses a USB wireless wifi antenna to a add a second wireless interface!

A Raspberry Pi router will face the big bad Internet and security is a major concern. In Reference 1, the guy uses iptables with rules that I do not know how to implement using firewalld, and I do not want to learn iptables. All the talk now is about the pfSense firewall, which one author said was not yet available for the Rpi. The best I can tell, it is an open source network security firewall that sells "Netgate" hardware with pfSense. Netgate is the copyright holder of pfSense. An alternative to pfSense is OPNsense, which is an open source firewall and routing software developed by Deciso. A company in the Netherland that makes hardware and sells suport packages for OPNsense. PfSense is a fork of m0n0wall, and OPNsense is a fork of pfSense. When m0n0wall closed down in 2015, its creator referred its developer community to OPNsene. Both pfSense and OPNsense were designed to run on x86-64 platforms and not arm processors.